Increase timeout for Docker image sync job to 30 minutes

Add optional X-Forwarded-Scheme and X-Scheme headers in forwarded headers middleware
Add reportNodeInternalIPs option to report node internal IPs in Ingress status
2026-06-21 00:27:06 +00:00 · 2026-06-12 17:12:06 +02:00 · 2026-06-12 11:16:07 +02:00 · 2026-06-12 10:26:07 +02:00 · 2026-06-11 10:10:07 +02:00 · 2026-06-10 17:05:29 +02:00
632 changed files with 55812 additions and 9748 deletions
@@ -3,11 +3,13 @@ PLEASE READ THIS MESSAGE.

 Documentation:
 - for Traefik v2: use branch v2.11 (fixes only)
- for Traefik v3: use branch v3.6
+- for Traefik v3.6: use branch v3.6
+- for Traefik v3.7: use branch v3.7

 Bug:
 - for Traefik v2: use branch v2.11 (security fixes only)
- for Traefik v3: use branch v3.6
+- for Traefik v3.6: use branch v3.6
+- for Traefik v3.7: use branch v3.7

 Enhancements:
 - use branch master
@@ -19,6 +19,7 @@ jobs:

  build:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    strategy:
      matrix:
@@ -12,6 +12,7 @@ jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
@@ -16,6 +16,7 @@ jobs:
  docs:
    name: Doc Process
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    if: github.repository == 'traefik/traefik'

    steps:
@@ -19,6 +19,7 @@ jobs:
    if: github.repository == 'traefik/traefik'
    name: Build experimental image on branch
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -9,7 +9,7 @@ env:
  CGO_ENABLED: 0
  VERSION: ${{ github.ref_name }}
  TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: ramequin
+  CODENAME: langres

 jobs:

@@ -20,6 +20,7 @@ jobs:
  build:
    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    strategy:
      matrix:
@@ -82,6 +83,7 @@ jobs:
  release:
    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    needs:
      - build
@@ -8,6 +8,7 @@ on:
 jobs:
  sync:
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    permissions:
      packages: write
      contents: read
@@ -7,6 +7,7 @@ jobs:

  build-webui:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -18,6 +18,7 @@ jobs:

  test-gateway-api-conformance:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -16,6 +16,7 @@ jobs:

  build:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -52,6 +53,7 @@ jobs:

  test-integration:
    runs-on: ubuntu-latest
+    timeout-minutes: 90
    needs:
      - build
    strategy:
@@ -18,6 +18,7 @@ jobs:

  test-knative-conformance:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -13,6 +13,7 @@ jobs:
  generate-packages:
    name: List Go Packages
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
@@ -36,6 +37,7 @@ jobs:

  test-unit:
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    needs: generate-packages
    strategy:
      matrix:
@@ -59,6 +61,7 @@ jobs:

  test-ui-unit:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -13,6 +13,7 @@ jobs:

  lint:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -33,6 +34,7 @@ jobs:

  validate:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -54,6 +56,7 @@ jobs:

  validate-generate:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -82,6 +82,7 @@ linters:
      toolchain-pattern: go1\.\d+\.\d+$
      tool-forbidden: true
      go-version-pattern: ^1\.\d+(\.0)?$
+      replace-local: true
      replace-allow-list:
        - github.com/abbot/go-http-auth
        - github.com/gorilla/mux
@@ -89,6 +90,7 @@ linters:
        - github.com/mailgun/multibuf
        - github.com/jaguilar/vt100
        - github.com/cucumber/godog
+        - github.com/vulcand/oxy/v2
    govet:
      enable-all: true
      disable:
@@ -1,3 +1,14 @@
+## [v3.7.5](https://github.com/traefik/traefik/tree/v3.7.5) (2026-06-10)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.4...v3.7.5)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Skip ingress when auth-secret resolution fails ([#13323](https://github.com/traefik/traefik/pull/13323) @gndz07)
+- **[k8s/ingress-nginx]** Pass endpointslice fencing on ingress-nginx provider ([#13290](https://github.com/traefik/traefik/pull/13290) @Learloj)
+- **[k8s/gatewayapi]** Reject cross-provider references with backendRefs.namespace ([#13322](https://github.com/traefik/traefik/pull/13322) @youkoulayley)
+- **[server]** Bump to github.com/pires/go-proxyproto v0.12.0 ([#13313](https://github.com/traefik/traefik/pull/13313) @timschumi)
+- **[tls]** Fix routers with same host, different tlsoptions on different entryPoint ([#13329](https://github.com/traefik/traefik/pull/13329) @juliens)
+- **[tls]** Fix snicheck for routers with no hosts ([#13333](https://github.com/traefik/traefik/pull/13333) @rtribotte)
+
 ## [v3.6.21](https://github.com/traefik/traefik/tree/v3.6.21) (2026-06-10)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.20...v3.6.21)

@@ -14,6 +25,17 @@
 - **[tls]** Fix routers with same host, different tlsoptions on different entryPoint ([#13329](https://github.com/traefik/traefik/pull/13329) @juliens)
 - **[tls]** Fix snicheck for routers with no hosts ([#13333](https://github.com/traefik/traefik/pull/13333) @rtribotte)

+## [v3.7.4](https://github.com/traefik/traefik/tree/v3.7.4) (2026-06-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.3...v3.7.4)
+
+**Bug fixes:**
+- **[middleware]** Fix redis write timeout option configuration ([#13273](https://github.com/traefik/traefik/pull/13273) @bzyy1024)
+- **[webui]** Bump react-router and jsdom ([#13301](https://github.com/traefik/traefik/pull/13301) @gndz07)
+- **[k8s/gatewayapi]** Fix BackendTLSPolicy status update ([#13306](https://github.com/traefik/traefik/pull/13306) @AnatoleLucet)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.1 ([#13300](https://github.com/traefik/traefik/pull/13300) @rtribotte)
+- **[webui]** Bump axios to v1.17.0 ([#13299](https://github.com/traefik/traefik/pull/13299) @gndz07)
+- **[tls]** Fix snicheck with keepalive ([#13305](https://github.com/traefik/traefik/pull/13305) @juliens)
+
 ## [v3.6.20](https://github.com/traefik/traefik/tree/v3.6.20) (2026-06-05)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.19...v3.6.20)

@@ -33,6 +55,40 @@
 - **[webui]** Bump axios to v1.17.0 ([#13299](https://github.com/traefik/traefik/pull/13299) @gndz07)
 - **[tls]** Fix snicheck with keepalive ([#13305](https://github.com/traefik/traefik/pull/13305) @juliens)

+## [v3.7.3](https://github.com/traefik/traefik/tree/v3.7.3) (2026-06-04)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.1...v3.7.3)
+
+**Bug fixes:**
+- **[tls]** Compute resolved tlsOptions after applying models ([#13291](https://github.com/traefik/traefik/pull/13291) @rtribotte)
+- **[webui, tcp]** Fix TCP router service resolution in dashboard flow diagram ([#13155](https://github.com/traefik/traefik/pull/13155) @aliamerj)
+- **[k8s/ingress-nginx]** Trim quotes from proxy_set_header header name ([#13203](https://github.com/traefik/traefik/pull/13203) @crisbal)
+- **[accesslogs]** Escape double quotes in quoted log fields ([#13180](https://github.com/traefik/traefik/pull/13180) @KaanSimsek)
+- **[k8s/gatewayapi]** Escape exact gRPC method matches ([#13201](https://github.com/traefik/traefik/pull/13201) @nickmnt)
+- **[logs, middleware]** Allow query parameters to be dropped from RequestPath in access log ([#13091](https://github.com/traefik/traefik/pull/13091) @calinelson)
+- **[k8s/ingress-nginx]** Clear Ssl-Client-* headers when no client certificate is present ([#13260](https://github.com/traefik/traefik/pull/13260) @gndz07)
+- **[k8s/gatewayapi]** Bump github.com/moby/spdystream to v0.5.1 ([#13252](https://github.com/traefik/traefik/pull/13252) @kevinpollet)
+- **[file]** Improve file provider behavior regarding dangling symlinks ([#12449](https://github.com/traefik/traefik/pull/12449) @fh-yuxiao-zeng)
+- **[server]** Bump github.com/bytedance/sonic to v1.15.1 ([#13254](https://github.com/traefik/traefik/pull/13254) @kevinpollet)
+- **[middleware, authentication]** Add error on basic auth build if users is empty ([#13195](https://github.com/traefik/traefik/pull/13195) @rtribotte)
+- **[k8s/ingress]** Avoid ingress path matcher injection and backport 11d251415 ([#13227](https://github.com/traefik/traefik/pull/13227) @rtribotte)
+- **[server]** Move snicheck to ctx instead of simulated routing ([#13214](https://github.com/traefik/traefik/pull/13214) @juliens)
+- **[middleware]** Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation ([#13215](https://github.com/traefik/traefik/pull/13215) @rtribotte)
+- **[server]** Bump golang.org/x/net to v0.55.0 ([#13251](https://github.com/traefik/traefik/pull/13251) @kevinpollet)
+- **[k8s/gatewayapi]** Change default values and expose configuration for Kubernetes client QPS and Burst ([#13277](https://github.com/traefik/traefik/pull/13277) @kevinpollet)
+- **[server]** Bump golang.org/x/crypto to v0.52.0 ([#13276](https://github.com/traefik/traefik/pull/13276) @rtribotte)
+
+**Documentation:**
+- **[k8s]** Document new chart behavior on Gateway API ([#13167](https://github.com/traefik/traefik/pull/13167) @mloiseleur)
+- **[file]** Replace generated File routing reference page ([#13170](https://github.com/traefik/traefik/pull/13170) @sheddy-traefik)
+- **[k8s/crd]** Fix typo in accesslogs field name ([#13177](https://github.com/traefik/traefik/pull/13177) @PlayMTL)
+- **[k8s/ingress-nginx]** Surface the Ingress status race condition during NGINX coexistence ([#13205](https://github.com/traefik/traefik/pull/13205) @emilevauge)
+- Polish grammar in migration guides ([#13174](https://github.com/traefik/traefik/pull/13174) @quyentonndbs)
+- **[middleware]** Remove whitespace in HTML tag ([#13160](https://github.com/traefik/traefik/pull/13160) @marbon87)
+- Add @LBF38 as a current maintainer ([#13225](https://github.com/traefik/traefik/pull/13225) @emilevauge)
+- Add ingressClassName to Kubernetes CRD provider migration guide ([#13248](https://github.com/traefik/traefik/pull/13248) @kevinpollet)
+- **[k8s/ingress-nginx]** Add nginx.ingress.kubernetes.io/enable-global-auth to the list of supported annotations ([#13219](https://github.com/traefik/traefik/pull/13219) @filip2mac)
+- **[k8s/ingress-nginx]** Capitalize NGINX in kubernetesIngressNGINX ([#13236](https://github.com/traefik/traefik/pull/13236) @smellems)
+
 ## [v3.6.19](https://github.com/traefik/traefik/tree/v3.6.19) (2026-06-04)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.17...v3.6.19)

@@ -72,6 +128,11 @@
 - **[middleware]** Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation ([#13215](https://github.com/traefik/traefik/pull/13215) @rtribotte)
 - **[server]** Bump golang.org/x/net to v0.55.0 ([#13251](https://github.com/traefik/traefik/pull/13251) @kevinpollet)
 - **[server]** Bump golang.org/x/crypto to v0.52.0 ([#13276](https://github.com/traefik/traefik/pull/13276) @rtribotte)
+- 
+## [v3.7.2](https://github.com/traefik/traefik/tree/v3.7.2) (2026-06-03)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.1...v3.7.2)
+
+Release canceled.

 ## [v3.6.18](https://github.com/traefik/traefik/tree/v3.6.18) (2026-06-03)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.17...v3.6.18)
@@ -83,6 +144,13 @@ Release canceled.

 Release canceled.

+## [v3.7.1](https://github.com/traefik/traefik/tree/v3.7.1) (2026-05-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0...v3.7.1)
+
+**Bug fixes:**
+- **[k8s/ingress, k8s/crd, k8s/gatewayapi]** Add CrossProviderNamespaces option  ([#13094](https://github.com/traefik/traefik/pull/13094) @rtribotte)
+- **[k8s/crd]** Fix cross-provider ref check for Kubernetes CRD provider ([#13121](https://github.com/traefik/traefik/pull/13121) @rtribotte)
+
 ## [v3.6.17](https://github.com/traefik/traefik/tree/v3.6.17) (2026-05-11)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.16...v3.6.17)

@@ -97,6 +165,300 @@ Release canceled.
 - **[k8s/ingress, k8s/crd, k8s/gatewayapi]** Add CrossProviderNamespaces option  ([#13094](https://github.com/traefik/traefik/pull/13094) @rtribotte)
 - **[k8s/crd]** Fix cross-provider ref check for Kubernetes CRD provider ([#13121](https://github.com/traefik/traefik/pull/13121) @rtribotte)

+##  [v3.7.0](https://github.com/traefik/traefik/tree/v3.7.0) (2026-05-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.0-rc1...v3.7.0)
+
+**Enhancements:**
+- **[k8s/ingress-nginx]** Use a metamodel to generate dynamic configuration in ingress-nginx ([#13062](https://github.com/traefik/traefik/pull/13062) @juliens)
+- **[k8s/ingress-nginx]** Add limit-connections support ([#13030](https://github.com/traefik/traefik/pull/13030) @amazon7737)
+- **[webui]** Display server weight in service detail view ([#12325](https://github.com/traefik/traefik/pull/12325) @murataslan1)
+- **[webui, tls]** Add certificates menu and overview ([#12628](https://github.com/traefik/traefik/pull/12628) @holomekc)
+- **[provider]** Add providers routing precedence configuration ([#12895](https://github.com/traefik/traefik/pull/12895) @juliens)
+- **[k8s/ingress-nginx]** Support NGINX global auth annotation ([#12893](https://github.com/traefik/traefik/pull/12893) @foxcool)
+- **[k8s/ingress-nginx]** Add limit-burst-multiplier annotation support ([#12899](https://github.com/traefik/traefik/pull/12899) @amazon7737)
+- **[k8s/ingress-nginx, k8s/ingress, rules]** Add wildcard host in Host and HostSNI matchers ([#12884](https://github.com/traefik/traefik/pull/12884) @juliens)
+- **[k8s/gatewayapi]** Support multiple certificateRefs on gateway listeners ([#12590](https://github.com/traefik/traefik/pull/12590) @mortennordbye)
+- **[k8s/gatewayapi]** Add secret support for BackendTLSPolicy caCertificateRefs ([#12927](https://github.com/traefik/traefik/pull/12927) @kevinpollet)
+- **[accesslogs, k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/enable-access-log annotation ([#12908](https://github.com/traefik/traefik/pull/12908) @ris-tlp)
+- **[accesslogs, k8s/ingress-nginx, k8s/ingress]** Add Kubernetes Ingress logs fields ([#12913](https://github.com/traefik/traefik/pull/12913) @rtribotte)
+- **[k8s/knative]** Support knative v1.20.0 ([#12441](https://github.com/traefik/traefik/pull/12441) @idurgakalyan)
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.5.1 ([#12768](https://github.com/traefik/traefik/pull/12768) @mmatur)
+- **[k8s/ingress-nginx, middleware, authentication]** Add support for auth-snippet ([#12778](https://github.com/traefik/traefik/pull/12778) @juliens)
+- **[accesslogs, otel]** Allow Stdio access logs alongsige OTLP logging ([#12307](https://github.com/traefik/traefik/pull/12307) @Mulgish)
+- **[acme]** Add CertificateTimeout ACME configuration option ([#12278](https://github.com/traefik/traefik/pull/12278) @ceko)
+- **[k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/allowlist-source-range ([#12659](https://github.com/traefik/traefik/pull/12659) @ris-tlp)
+- **[k8s/crd]** Add ingressClassName field to the CRDs spec ([#12313](https://github.com/traefik/traefik/pull/12313) @kkrypt0nn)
+- **[k8s/crd]** Service failover support in TraefikService CRD ([#12733](https://github.com/traefik/traefik/pull/12733) @jspdown)
+- **[k8s/crd, service]** Support cipher suites configuration with ServersTransport ([#11965](https://github.com/traefik/traefik/pull/11965) @NEwa-05)
+- **[k8s/ingress, middleware, k8s/crd, service, k8s/gatewayapi]** Services middleware and Gateway API filters on HTTP backends ([#12544](https://github.com/traefik/traefik/pull/12544) @juliens)
+- **[k8s/ingress-nginx]** Add nginx.ingress.kubernetes.io/proxy-connect-timeout annotation ([#12572](https://github.com/traefik/traefik/pull/12572) @gndz07)
+- **[k8s/ingress-nginx]** Add rewrite-target nginx annotations support ([#12534](https://github.com/traefik/traefik/pull/12534) @LBF38)
+- **[k8s/ingress-nginx]** Add support for app-root nginx annotation ([#12576](https://github.com/traefik/traefik/pull/12576) @LBF38)
+- **[k8s/ingress-nginx]** Add support for auth-signin annotation ([#12502](https://github.com/traefik/traefik/pull/12502) @DesalLama)
+- **[k8s/ingress-nginx]** Add support for from-to-www-redirect NGINX annotation ([#12610](https://github.com/traefik/traefik/pull/12610) @LBF38)
+- **[k8s/ingress-nginx]** Add support for proxy-read-timeout and proxy-send-timeout NGINX annotations ([#12630](https://github.com/traefik/traefik/pull/12630) @LBF38)
+- **[k8s/ingress-nginx]** Add support for session-cookie-expires nginx annotation ([#12558](https://github.com/traefik/traefik/pull/12558) @LBF38)
+- **[k8s/ingress-nginx]** Add support for upstream-hash-by NGINX annotation ([#12749](https://github.com/traefik/traefik/pull/12749) @LBF38)
+- **[k8s/ingress-nginx]** Allow entry points to be specified on Nginx Ingresses ([#12727](https://github.com/traefik/traefik/pull/12727) @ajacques)
+- **[k8s/ingress-nginx]** Implement proxy-http-version annotation ([#12743](https://github.com/traefik/traefik/pull/12743) @KshitijBharde)
+- **[k8s/ingress-nginx]** Nginx x-forwarded-prefix annotation ([#12697](https://github.com/traefik/traefik/pull/12697) @nandorKollar)
+- **[k8s/ingress-nginx]** Support auth-tls-secret and auth-tls-verify-client annotations ([#12595](https://github.com/traefik/traefik/pull/12595) @gndz07)
+- **[k8s/ingress-nginx]** Support limit-rpm annotation for ingress-nginx ([#12703](https://github.com/traefik/traefik/pull/12703) @Ph4rell)
+- **[k8s/ingress-nginx]** Support limit-rps annotation for Ingress NGINX ([#12709](https://github.com/traefik/traefik/pull/12709) @amazon7737)
+- **[k8s/ingress-nginx]** Support NGINX buffering annotations ([#12459](https://github.com/traefik/traefik/pull/12459) @blasko03)
+- **[k8s/ingress-nginx]** Support NGINX canary annotations ([#12739](https://github.com/traefik/traefik/pull/12739) @kevinpollet)
+- **[k8s/ingress-nginx]** Support NGINX custom-headers annotation ([#12414](https://github.com/traefik/traefik/pull/12414) @nandorKollar)
+- **[k8s/ingress-nginx]** Support NGINX upstream-vhost annotation ([#12412](https://github.com/traefik/traefik/pull/12412) @nandorKollar)
+- **[k8s/ingress-nginx]** Support NGINX whitelist-source-range annotation ([#12423](https://github.com/traefik/traefik/pull/12423) @blasko03)
+- **[k8s/ingress-nginx]** Support permanent-redirect and temporal-redirect annotations ([#12561](https://github.com/traefik/traefik/pull/12561) @LBF38)
+- **[k8s/ingress-nginx]** Support proxy-next-upstream* annotations ([#12710](https://github.com/traefik/traefik/pull/12710) @gndz07)
+- **[k8s/ingress-nginx]** Support server-alias annotation for Ingress NGINX ([#12707](https://github.com/traefik/traefik/pull/12707) @amazon7737)
+- **[k8s/ingress-nginx]** Support upstream-keepalive-timeout ([#12708](https://github.com/traefik/traefik/pull/12708) @jcob-sikorski)
+- **[k8s/ingress-nginx]** Add support for variable interpolation in auth-signin NGINX annotation ([#12640](https://github.com/traefik/traefik/pull/12640) @LBF38)
+- **[k8s/ingress-nginx]** Implement server-snippet and configuration-snippet annotations ([#12715](https://github.com/traefik/traefik/pull/12715) @juliens)
+- **[k8s/ingress-nginx]** Add custom-http-errors and default-backend annotations ([#12637](https://github.com/traefik/traefik/pull/12637) @juliens)
+- **[k8s/ingress-nginx]** Support auth-tls-pass-certificate-to-upstream annotation ([#12629](https://github.com/traefik/traefik/pull/12629) @gndz07)
+- **[metrics]** Support file path for metrics.influxdb2.token option ([#12458](https://github.com/traefik/traefik/pull/12458) @barhun)
+- **[middleware]** Add encodedCharacters middleware ([#12555](https://github.com/traefik/traefik/pull/12555) @gndz07)
+- **[middleware]** Enable retries based on HTTP response status codes, timeout, and non-idempotent methods ([#12667](https://github.com/traefik/traefik/pull/12667) @LBF38)
+- **[middleware, authentication]** Add authSignInURL in forward auth middleware ([#12293](https://github.com/traefik/traefik/pull/12293) @kyounghunJang)
+- **[server]** Add global option to disable X-Forwarded-For appending ([#12374](https://github.com/traefik/traefik/pull/12374) @lbenguigui)
+- **[server]** Replace Split in loops with more efficient SplitSeq ([#12316](https://github.com/traefik/traefik/pull/12316) @boqishan)
+- **[service]** Failover according to response status code ([#12596](https://github.com/traefik/traefik/pull/12596) @lbenguigui)
+- **[tls]** Make TLSStore gracefully handle missing secrets ([#12522](https://github.com/traefik/traefik/pull/12522) @david-garcia-garcia)
+- **[webui]** Add dashboard name configuration ([#12410](https://github.com/traefik/traefik/pull/12410) @gndz07)
+- **[webui]** Web UI dashboard improvements ([#12236](https://github.com/traefik/traefik/pull/12236) @gndz07)
+- **[webui]** Details pages UI improvement ([#12377](https://github.com/traefik/traefik/pull/12377) @gndz07)
+- Use unicode.MaxASCII for clearer ASCII check ([#12741](https://github.com/traefik/traefik/pull/12741) @1911860538)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Add ipAllowListStrategy option for allowlist/whitelist annotations ([#12932](https://github.com/traefik/traefik/pull/12932) @mathieuherbert)
+- **[k8s/ingress-nginx]** Fix regressions after refacto of the ingress-nginx provider ([#13086](https://github.com/traefik/traefik/pull/13086) @juliens)
+- **[k8s/ingress-nginx]** Fix typo in default CORS allowed headers ([#13088](https://github.com/traefik/traefik/pull/13088) @mliang2)
+- **[docker, ecs]** Migrate to github.com/moby/moby modules ([#12672](https://github.com/traefik/traefik/pull/12672) @thaJeztah)
+- **[logs, metrics, tracing]** Bump go.opentelemetry.io/otel ([#13100](https://github.com/traefik/traefik/pull/13100) @juliens)
+- **[k8s/crd]** Remove cross-provider sanitization for Kubernetes service loading ([#13087](https://github.com/traefik/traefik/pull/13087) @rtribotte)
+- **[docker, ecs]** Migrate to github.com/moby/moby modules ([#13053](https://github.com/traefik/traefik/pull/13053) @mmatur)
+- **[k8s/ingress-nginx]** Fix SSL redirect behavior for ingress-nginx provider ([#13028](https://github.com/traefik/traefik/pull/13028) @gndz07)
+- **[k8s/ingress-nginx]** Do not require a port for ExternalName services ([#13033](https://github.com/traefik/traefik/pull/13033) @kevinpollet)
+- **[k8s, k8s/ingress-nginx]** Add regression test for ingress default backend without rules ([#13066](https://github.com/traefik/traefik/pull/13066) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.1 ([#13027](https://github.com/traefik/traefik/pull/13027) @ldez)
+- **[server]** Bump github.com/vulcand/oxy to v2.1.0 ([#13046](https://github.com/traefik/traefik/pull/13046) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.2 ([#13043](https://github.com/traefik/traefik/pull/13043) @ldez)
+- **[middleware]** Add errorRequestHeaders option to Errors middleware ([#13034](https://github.com/traefik/traefik/pull/13034) @gndz07)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.34.0 ([#12993](https://github.com/traefik/traefik/pull/12993) @ldez)
+- **[docker]** Downgrade log level for missing container on inspect ([#12900](https://github.com/traefik/traefik/pull/12900) @Otoru)
+- **[k8s/crd, k8s]** Honor allowCrossNamespace with chain middleware CRD ([#12976](https://github.com/traefik/traefik/pull/12976) @rtribotte)
+- **[k8s/ingress-nginx]** Avoid 302 redirect when rewrite-target value is not an absolute URL for ingress-nginx provider ([#12977](https://github.com/traefik/traefik/pull/12977) @gndz07)
+- **[k8s/ingress-nginx]** Fix custom headers annotation with 503 Service Unavailable ([#12969](https://github.com/traefik/traefik/pull/12969) @LBF38)
+- **[k8s/ingress-nginx]** Fix service unavailable on ingress-nginx ([#12996](https://github.com/traefik/traefik/pull/12996) @LBF38)
+- **[k8s/ingress-nginx]** Handle duplicate server-alias on ingress-nginx provider ([#13019](https://github.com/traefik/traefik/pull/13019) @gndz07)
+- **[k8s/ingress-nginx]** Use QuoteMeta for cookie name when building canary rules ([#12973](https://github.com/traefik/traefik/pull/12973) @kevinpollet)
+- **[middleware, authentication]** Cleanup and make ForwardAuth logs consistent ([#13013](https://github.com/traefik/traefik/pull/13013) @kevinpollet)
+- **[middleware, authentication]** Fix trustForwardHeader on forward auth middleware ([#12994](https://github.com/traefik/traefik/pull/12994) @juliens)
+- **[middleware, authentication]** Remove map lookup making the basic auth notFoundSecret empty ([#12960](https://github.com/traefik/traefik/pull/12960) @rtribotte)
+- **[middleware, k8s/ingress-nginx]** Fix app-root with query params redirect ([#12986](https://github.com/traefik/traefik/pull/12986) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Fix rewrite target with full URL and no regex in ingress path ([#12992](https://github.com/traefik/traefik/pull/12992) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Preserve request query on absolute-URL redirect ([#13020](https://github.com/traefik/traefik/pull/13020) @SAY-5)
+- **[middleware, k8s/ingress-nginx]** Resolve NGINX variables in ingress-nginx upstream-vhost annotation ([#12978](https://github.com/traefik/traefik/pull/12978) @mmatur)
+- **[middleware]** Deprecate ForwardAuth.TrustForwardHeader option ([#13012](https://github.com/traefik/traefik/pull/13012) @kevinpollet)
+- **[middleware]** Remove untrusted X headers with underscores ([#12961](https://github.com/traefik/traefik/pull/12961) @rtribotte)
+- **[middleware]** Sanitize the request URL after stripping the prefix ([#12990](https://github.com/traefik/traefik/pull/12990) @kevinpollet)
+- **[sticky-session, k8s/crd]** Make SameSite cookie value case-insensitive ([#12922](https://github.com/traefik/traefik/pull/12922) @murataslan1)
+- **[tls]** Restore default cipher suites when serversTransport has no explicit cipherSuites ([#12974](https://github.com/traefik/traefik/pull/12974) @mmatur)
+- **[webui]** Bump lodash version ([#12954](https://github.com/traefik/traefik/pull/12954) @gndz07)
+- **[webui]** Upgrade form-data to 2.5.4, 3.0.4, 4.0.4 ([#12958](https://github.com/traefik/traefik/pull/12958) @orbisai0security)
+- **[k8s/ingress-nginx]** Fix rewrite-target annotation handling with empty path and non-regex path ([#12905](https://github.com/traefik/traefik/pull/12905) @LBF38)
+- **[middleware]** Bump github.com/klauspost/compress v1.18.4 ([#12937](https://github.com/traefik/traefik/pull/12937) @thaJeztah)
+- **[k8s/crd]** Fix panic with Failover services in Kubernetes ([#12853](https://github.com/traefik/traefik/pull/12853) @juliens)
+- **[k8s/ingress-nginx]** Fix rewrite directive in configuration-snippet to trim quotes ([#12855](https://github.com/traefik/traefik/pull/12855) @gndz07)
+- **[k8s/ingress-nginx]** Fix rewrite-target to handle full URL ([#12854](https://github.com/traefik/traefik/pull/12854) @gndz07)
+- **[k8s/ingress-nginx]** Handle empty rewrite-target like unset rewrite-target ([#12832](https://github.com/traefik/traefik/pull/12832) @sathieu)
+- **[k8s/ingress-nginx]** Fix TLS behavior in ingress-nginx provider ([#12831](https://github.com/traefik/traefik/pull/12831) @LBF38)
+- **[k8s/ingress-nginx]** Fix auth-response-headers whitespace trimming in ingress-nginx provider ([#12856](https://github.com/traefik/traefik/pull/12856) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.33.0 ([#12840](https://github.com/traefik/traefik/pull/12840) @ldez)
+- **[server, tcp]** Fix postgres STARTTLS with TLS termination ([#12847](https://github.com/traefik/traefik/pull/12847) @mmatur)
+- **[api]** Fix allow colons and tildes in api.basePath validation ([#12857](https://github.com/traefik/traefik/pull/12857) @mmatur)
+- **[server]** Fix comment and unnecessary allocation in withRoutingPath ([#12880](https://github.com/traefik/traefik/pull/12880) @boinger)
+- **[grpc]** Bump google.golang.org/grpc to v1.79.3 ([#12845](https://github.com/traefik/traefik/pull/12845) @mmatur)
+- **[middleware, authentication]** Prevent duplicate user headers in basic and digest auth middleware ([#12851](https://github.com/traefik/traefik/pull/12851) @juliens)
+- **[middleware]** Fix StripPrefix and StripPrefixRegex to slice the prefix using encoded prefix length ([#12863](https://github.com/traefik/traefik/pull/12863) @gndz07)
+- **[k8s/ingress-nginx]** Fix use-regex annotation behavior and add strictValidatePathType config for ingress-nginx provider ([#12773](https://github.com/traefik/traefik/pull/12773) @gndz07)
+- **[logs, otel]** Add OTel-conformant trace context attributes to access logs ([#12801](https://github.com/traefik/traefik/pull/12801) @mmatur)
+- **[k8s/gatewayapi]** Fix incorrect hostname matching between listener and route ([#12599](https://github.com/traefik/traefik/pull/12599) @TheColorman)
+- **[k8s/ingress]** Fix ingress router's rule ([#12808](https://github.com/traefik/traefik/pull/12808) @gndz07)
+- **[webui]** Remove AGPL license in code ([#12799](https://github.com/traefik/traefik/pull/12799) @Desel72)
+- **[k8s/ingress-nginx]** Fix proxy-ssl-verify annotation ([#12825](https://github.com/traefik/traefik/pull/12825) @LBF38)
+- **[http]** Add maxResponseBodySize configuration on HTTP provider ([#12788](https://github.com/traefik/traefik/pull/12788) @gndz07)
+- **[tls]** Support fragmented TLS client hello ([#12787](https://github.com/traefik/traefik/pull/12787) @rtribotte)
+- **[middleware, authentication]** Make basic auth check timing constant ([#12803](https://github.com/traefik/traefik/pull/12803) @rtribotte)
+- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) @ldez)
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) @LBF38)
+- **[acme]** Alter TLS renewal period ([#12479](https://github.com/traefik/traefik/pull/12479) @LtHummus)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.28.0 ([#12218](https://github.com/traefik/traefik/pull/12218) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.29.0 ([#12333](https://github.com/traefik/traefik/pull/12333) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.30.1 ([#12432](https://github.com/traefik/traefik/pull/12432) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.32.0 ([#12702](https://github.com/traefik/traefik/pull/12702) @ldez)
+- **[acme]** Remove invalid private key in log ([#12574](https://github.com/traefik/traefik/pull/12574) @juliens)
+- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) @schildbach)
+- **[cli]** Fix health check ping ([#12512](https://github.com/traefik/traefik/pull/12512) @olamilekan000)
+- **[docker]** Auto-negotiate Docker API Version ([#12256](https://github.com/traefik/traefik/pull/12256) @felixbuenemann)
+- **[docker]** Bump Docker and OpenTelemetry dependencies ([#12761](https://github.com/traefik/traefik/pull/12761) @mmatur)
+- **[docker, docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) @kevinpollet)
+- **[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#12763](https://github.com/traefik/traefik/pull/12763) @kevinpollet)
+- **[healthcheck]** Reject absolute URL in healthcheck path configuration ([#12653](https://github.com/traefik/traefik/pull/12653) @rtribotte)
+- **[healthcheck]** Validate healthcheck path configuration ([#12642](https://github.com/traefik/traefik/pull/12642) @rtribotte)
+- **[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#12760](https://github.com/traefik/traefik/pull/12760) @rtribotte)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) @GreyXor)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) @GreyXor)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.58.0 ([#12448](https://github.com/traefik/traefik/pull/12448) @GreyXor)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.0 ([#12553](https://github.com/traefik/traefik/pull/12553) @jnoordsij)
+- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) @LBF38)
+- **[k8s/gatewayapi]** Fix Gateway API router's rules ([#12753](https://github.com/traefik/traefik/pull/12753) @rtribotte)
+- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) @gndz07)
+- **[k8s/ingress-nginx]** Add AllowCrossNamespaceResources and GlobalAllowedResponseHeader options to control custom headers annotations ([#12680](https://github.com/traefik/traefik/pull/12680) @rtribotte)
+- **[k8s/ingress-nginx]** Deprecate Kubernetes Ingress NGINX provider experimental flag ([#12286](https://github.com/traefik/traefik/pull/12286) @rtribotte)
+- **[k8s/ingress-nginx]** Fix nginx rewrite target ([#12730](https://github.com/traefik/traefik/pull/12730) @mmatur)
+- **[k8s/ingress-nginx]** Fix NGINX sslredirect annotation support ([#12387](https://github.com/traefik/traefik/pull/12387) @rtribotte)
+- **[k8s/ingress-nginx]** Fix nginx.ingress.kubernetes.io/proxy-ssl-verify annotation support ([#12351](https://github.com/traefik/traefik/pull/12351) @rtribotte)
+- **[k8s/ingress-nginx]** Fix SSL redirect to match NGINX behavior ([#12361](https://github.com/traefik/traefik/pull/12361) @mmatur)
+- **[k8s/ingress-nginx]** Fix the service name for ingress-nginx provider ([#12352](https://github.com/traefik/traefik/pull/12352) @mmatur)
+- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) @LBF38)
+- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) @rtribotte)
+- **[metrics, tracing, accesslogs]** Fix ObservabilityConfig SetDefaults  ([#12636](https://github.com/traefik/traefik/pull/12636) @mmatur)
+- **[middleware]** Fix case sensitivity on x-forwarded headers for Connection ([#12690](https://github.com/traefik/traefik/pull/12690) @LBF38)
+- **[middleware]** Fix HasSecureHeadersDefined returning false when stsSeconds is 0 ([#12684](https://github.com/traefik/traefik/pull/12684) @veeceey)
+- **[middleware, authentication]** Add maxResponseBodySize configuration to forwardAuth middleware ([#12694](https://github.com/traefik/traefik/pull/12694) @gndz07)
+- **[middleware, authentication]** Change ForwardAuth error log level from DEBUG to ERROR ([#12324](https://github.com/traefik/traefik/pull/12324) @murataslan1)
+- **[middleware, authentication]** Handle empty/missing User-Agent header ([#12545](https://github.com/traefik/traefik/pull/12545) @a-stangl)
+- **[middleware, k8s, k8s/ingress-nginx]** Fix from to www nginx annotation ([#12736](https://github.com/traefik/traefik/pull/12736) @mmatur)
+- **[middleware, k8s/ingress-nginx]** Fix custom error pages behavior for ingress-nginx provider ([#12738](https://github.com/traefik/traefik/pull/12738) @mmatur)
+- **[otel]** Bump go.opentelemetry.io/otel dependencies ([#12754](https://github.com/traefik/traefik/pull/12754) @rtribotte)
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) @kevinpollet)
+- **[redis]** Fix mutually exclusive verification for Redis ([#12442](https://github.com/traefik/traefik/pull/12442) @juliens)
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) @kevinpollet)
+- **[server]** Bump golang.org/x/net to v0.51.0 ([#12756](https://github.com/traefik/traefik/pull/12756) @kevinpollet)
+- **[server]** Filter unknown nodes with file and env for the deprecation loader ([#12227](https://github.com/traefik/traefik/pull/12227) @rtribotte)
+- **[server]** Fix deny encoded characters ([#12454](https://github.com/traefik/traefik/pull/12454) @rtribotte)
+- **[server]** Fix deny encoded characters ([#12457](https://github.com/traefik/traefik/pull/12457) @rtribotte)
+- **[server]** Fix multi-layer routing with models ([#12258](https://github.com/traefik/traefik/pull/12258) @juliens)
+- **[server]** Fix TLS handshake error handling ([#12692](https://github.com/traefik/traefik/pull/12692) @juliens)
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) @gndz07)
+- **[server]** Make the aggregator compute provider namespace for router's parentRefs ([#12235](https://github.com/traefik/traefik/pull/12235) @rtribotte)
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12424](https://github.com/traefik/traefik/pull/12424) @kevinpollet)
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12426](https://github.com/traefik/traefik/pull/12426) @rtribotte)
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) @rtribotte)
+- **[server]** Remove conn deadline after STARTTLS negociation ([#12639](https://github.com/traefik/traefik/pull/12639) @rtribotte)
+- **[service]** Avoid recursion with services ([#12591](https://github.com/traefik/traefik/pull/12591) @juliens)
+- **[tls]** Fix verifyServerCertMatchesURI function behavior ([#12575](https://github.com/traefik/traefik/pull/12575) @kevinpollet)
+- **[tls, server]** Cap TLS record length to RFC 8446 limit in ClientHello peeking ([#12638](https://github.com/traefik/traefik/pull/12638) @mmatur)
+- **[tracing, otel]** Use ParentBased sampler to respect parent span sampling decision ([#12403](https://github.com/traefik/traefik/pull/12403) @xe-leon)
+- **[udp]** Revert "Avoid allocations in readLoop by using sync.Pool" ([#12267](https://github.com/traefik/traefik/pull/12267) @kevinpollet)
+- **[webui]** Bump dependencies of documentation and webui ([#12581](https://github.com/traefik/traefik/pull/12581) @gndz07)
+- **[webui]** Fix basePath validation for dashboard template ([#12729](https://github.com/traefik/traefik/pull/12729) @gndz07)
+- **[webui]** Fix blocked navigation on Safari ([#12231](https://github.com/traefik/traefik/pull/12231) @gndz07)
+- **[webui]** Fix missing type definition ([#12780](https://github.com/traefik/traefik/pull/12780) @gndz07)
+- **[webui]** Fix priority display in dashboard and ACME bypass redirect ([#12740](https://github.com/traefik/traefik/pull/12740) @mmatur)
+- **[webui]** Restore remote Upgrade to Hub button web component ([#12219](https://github.com/traefik/traefik/pull/12219) @gndz07)
+- **[webui]** Use url.Parse to validate X-Forwarded-Prefix value ([#12643](https://github.com/traefik/traefik/pull/12643) @kevinpollet)
+- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) @LBF38)
+
+**Documentation:**
+- **[service]** Service-level Middleware Documentation ([#13095](https://github.com/traefik/traefik/pull/13095) @nmengin)
+- **[k8s/gatewayapi]** Update Helm chart values link for Kubernetes Gateway ([#13063](https://github.com/traefik/traefik/pull/13063) @0054)
+- **[k8s/ingress-nginx]** Add ingress-nginx ConfigMap migration step ([#12963](https://github.com/traefik/traefik/pull/12963) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Delete the coming soon section from the ingress-nginx documentation ([#13037](https://github.com/traefik/traefik/pull/13037) @nmengin)
+- **[k8s]** Fix yaml indentation ([#12957](https://github.com/traefik/traefik/pull/12957) @isayme)
+- **[k8s]** Clarify install config watchNamespace watches only one namespace ([#12962](https://github.com/traefik/traefik/pull/12962) @parkerfath)
+- **[k8s/crd]** Update ingressroute.md ([#12916](https://github.com/traefik/traefik/pull/12916) @Rajakavitha1)
+- **[k8s/ingress-nginx]** Document the rd parameter behavior for the auth-signin annotation ([#13017](https://github.com/traefik/traefik/pull/13017) @kevinpollet)
+- Reverse versions order in migration guide ([#12959](https://github.com/traefik/traefik/pull/12959) @nmengin)
+- Update vulnerability submission guidelines ([#12968](https://github.com/traefik/traefik/pull/12968) @emilevauge)
+- **[docker]** Fix docker-compose.yaml location in Docker setup page ([#12860](https://github.com/traefik/traefik/pull/12860) @ScottA38)
+- **[docker, consul, ecs, k8s]** Fix documentation on how to restrict the scope of service discovery ([#12645](https://github.com/traefik/traefik/pull/12645) @mloiseleur)
+- **[k8s/gatewayapi]** Update gateway-api link in getting-started to v1.5.1 ([#12930](https://github.com/traefik/traefik/pull/12930) @isayme)
+- **[k8s/ingress-nginx]** Add OVHcloud (OpenStack Octavia) to Cloud-Specific IP Management ([#12759](https://github.com/traefik/traefik/pull/12759) @antonin-a)
+- **[k8s/ingress-nginx]** Clarify IngressClass selection logic ([#12926](https://github.com/traefik/traefik/pull/12926) @kevinpollet)
+- Add redirects for deleted pages ([#12889](https://github.com/traefik/traefik/pull/12889) @sheddy-traefik)
+- Fix default value of http.sanitizePath ([#12904](https://github.com/traefik/traefik/pull/12904) @iTob191)
+- **[acme]** Clarify CNAME explanation in ACME Documentation ([#12818](https://github.com/traefik/traefik/pull/12818) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Add ingress-nginx migration banner on documentation pages ([#12872](https://github.com/traefik/traefik/pull/12872) @gndz07)
+- **[k8s/ingress]** Improve Kubernetes Ingress Routing Documentation ([#12876](https://github.com/traefik/traefik/pull/12876) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Clarify that NGINX Ingress watchNamespace watches only one namespace ([#12873](https://github.com/traefik/traefik/pull/12873) @parkerfath)
+- **[k8s]** Improve the multi tenant security note ([#12822](https://github.com/traefik/traefik/pull/12822) @nmengin)
+- Fix unnecessary escaping of pipe in regexp examples ([#12784](https://github.com/traefik/traefik/pull/12784) @diegmonti)
+- Add vulnerability submission quality guidelines ([#12807](https://github.com/traefik/traefik/pull/12807) @emilevauge)
+- Fix start up message format ([#12806](https://github.com/traefik/traefik/pull/12806) @mloiseleur)
+- Remove unsupported servers[n].address from TCP label examples ([#12817](https://github.com/traefik/traefik/pull/12817) @sheddy-traefik)
+- Bump mkdocs-traefiklabs to use consent mode ([#12804](https://github.com/traefik/traefik/pull/12804) @darkweaver87)
+- **[acme]** Add missing ACME options and clean up table for more visibility ([#12208](https://github.com/traefik/traefik/pull/12208) @sheddy-traefik)
+- **[api]** Fix typo in API dashboard configuration instructions ([#12335](https://github.com/traefik/traefik/pull/12335) @NAICOLAS)
+- **[docker]** Add documentation for loadbalancer.server.url in Docker and Swarm providers ([#12289](https://github.com/traefik/traefik/pull/12289) @webash)
+- **[docker]** Update docker in-depth setup guide ([#12682](https://github.com/traefik/traefik/pull/12682) @mdevino)
+- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) @DBouraoui)
+- **[k8s]** Fix Gateway API version and the list of features supported ([#12254](https://github.com/traefik/traefik/pull/12254) @nmengin)
+- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) @mmatur)
+- **[k8s]** Fix kubernetes.md with correct http redirections ([#12603](https://github.com/traefik/traefik/pull/12603) @MartenM)
+- **[k8s]** Fix Nginx provider documentation ([#12266](https://github.com/traefik/traefik/pull/12266) @nmengin)
+- **[k8s]** Improve the K8S multi-tenancy security note ([#12444](https://github.com/traefik/traefik/pull/12444) @nmengin)
+- **[k8s]** Make labelSelector option casing more consistent ([#12658](https://github.com/traefik/traefik/pull/12658) @holysoles)
+- **[k8s, k8s/ingress-nginx]** Add configmaps right to Ingress NGINX RBAC ([#12557](https://github.com/traefik/traefik/pull/12557) @kevinpollet)
+- **[k8s/gatewayapi]** Fix links of Helm chart values reference to providers.kubernetesGateway.enabled ([#12315](https://github.com/traefik/traefik/pull/12315) @shouhei)
+- **[k8s/ingress, k8s]** Fix Kubernetes Ingress provider documentation ([#12443](https://github.com/traefik/traefik/pull/12443) @nmengin)
+- **[k8s/ingress-nginx]** Add auth-signin to unsupported nginx annotations list ([#12370](https://github.com/traefik/traefik/pull/12370) @fibsifan)
+- **[k8s/ingress-nginx]** Add RBAC documentation for Ingress NGINX provider ([#12445](https://github.com/traefik/traefik/pull/12445) @nmn3m)
+- **[k8s/ingress-nginx]** Add temporary note to advertise the incoming NGINX annotations ([#12699](https://github.com/traefik/traefik/pull/12699) @nmengin)
+- **[k8s/ingress-nginx]** Fix default value of ingress-nginx provider in documentation ([#12328](https://github.com/traefik/traefik/pull/12328) @mloiseleur)
+- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) @nmengin)
+- **[k8s/ingress-nginx]** Improve ingress-nginx provider documentation ([#12288](https://github.com/traefik/traefik/pull/12288) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Improve the configuration options display of the Kubernetes ingress-nginx provider ([#12297](https://github.com/traefik/traefik/pull/12297) @mloiseleur)
+- **[k8s/ingress-nginx]** NGINX Ingress Controller to Traefik Migration Guide ([#12318](https://github.com/traefik/traefik/pull/12318) @sheddy-traefik)
+- **[middleware]** Correct documentation for Digest auth ([#12651](https://github.com/traefik/traefik/pull/12651) @Zash)
+- **[middleware]** Fix default encodings in compress middleware ([#12216](https://github.com/traefik/traefik/pull/12216) @Belphemur)
+- **[middleware, k8s/crd]** Fix the errors middleware's document for Kubernetes CRD ([#12600](https://github.com/traefik/traefik/pull/12600) @yuito-it)
+- **[service]** Fix loadbalancer doc for highest random weight ([#12283](https://github.com/traefik/traefik/pull/12283) @ozon2)
+- **[tls]** Clarify SNI selection ([#12482](https://github.com/traefik/traefik/pull/12482) @AnuragEkkati)
+- Add @gndz07 as a current maintainer ([#12594](https://github.com/traefik/traefik/pull/12594) @emilevauge)
+- Add a Breaking change note to the changelog ([#12398](https://github.com/traefik/traefik/pull/12398) @nmengin)
+- Add documentation about checkNewVersion ([#12298](https://github.com/traefik/traefik/pull/12298) @darkweaver87)
+- Add missing `.http` to TOML table names ([#12713](https://github.com/traefik/traefik/pull/12713) @Darsstar)
+- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) @sheddy-traefik)
+- Bring back security section on API & Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) @gndz07)
+- Clarify doc about encoded characters rejection ([#12391](https://github.com/traefik/traefik/pull/12391) @rtribotte)
+- Clean Up Menu Entries & Update Expose Overview ([#12405](https://github.com/traefik/traefik/pull/12405) @sheddy-traefik)
+- Correct encoded characters allowance in entrypoints.md ([#12679](https://github.com/traefik/traefik/pull/12679) @Apflkuacha)
+- Correctly Format the HTTP Service Documentation ([#12311](https://github.com/traefik/traefik/pull/12311) @sheddy-traefik)
+- Document negative priority support for routers ([#12505](https://github.com/traefik/traefik/pull/12505) @understood-the-assignment)
+- Document Path matcher placeholder removal in v3 migration guide ([#12570](https://github.com/traefik/traefik/pull/12570) @sheddy-traefik)
+- Fix API basepath option documentation ([#12744](https://github.com/traefik/traefik/pull/12744) @nmengin)
+- Fix broken links in TCP Service and HTTP Router documentation ([#12215](https://github.com/traefik/traefik/pull/12215) @sheddy-traefik)
+- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) @AnuragEkkati)
+- Fix encoded characters entryPoint option documentation ([#12384](https://github.com/traefik/traefik/pull/12384) @rtribotte)
+- Fix encoded characters option documentation ([#12373](https://github.com/traefik/traefik/pull/12373) @kevinpollet)
+- Fix encodedCharacters entryPoint option documentation ([#12385](https://github.com/traefik/traefik/pull/12385) @rtribotte)
+- Fix incorrect TOML example in entrypoints docs ([#12711](https://github.com/traefik/traefik/pull/12711) @mfmfuyu)
+- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) @schaerfo)
+- Fix Menu Item Naming ([#12431](https://github.com/traefik/traefik/pull/12431) @sheddy-traefik)
+- Fix migration guide indentation ([#12365](https://github.com/traefik/traefik/pull/12365) @kevinpollet)
+- Fix migration guide URLs in deprecation notice ([#12430](https://github.com/traefik/traefik/pull/12430) @alexmar07)
+- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) @EdwardSalkeld)
+- Fix typo in v3.6 migration guide ([#12212](https://github.com/traefik/traefik/pull/12212) @jnoordsij)
+- Fix typo on JWT documentation ([#12616](https://github.com/traefik/traefik/pull/12616) @mdevino)
+- Improve Service Reference page ([#12541](https://github.com/traefik/traefik/pull/12541) @sheddy-traefik)
+- Improve the structure of the routing reference pages ([#12429](https://github.com/traefik/traefik/pull/12429) @sheddy-traefik)
+- Increased content width in documentation ([#12632](https://github.com/traefik/traefik/pull/12632) @tobiasge)
+- Remove extra dots in migration guide ([#12573](https://github.com/traefik/traefik/pull/12573) @rtribotte)
+- Remove extraneous dots in migration guide ([#12571](https://github.com/traefik/traefik/pull/12571) @dathbe)
+- Restore documentation on http.maxHeaderBytes ([#12440](https://github.com/traefik/traefik/pull/12440) @mloiseleur)
+- Split Expose User Guides & Add Multi-Layer Routing Section ([#12238](https://github.com/traefik/traefik/pull/12238) @sheddy-traefik)
+- Update Configuration Overview Page ([#12202](https://github.com/traefik/traefik/pull/12202) @sheddy-traefik)
+- Update SECURITY.md ([#12304](https://github.com/traefik/traefik/pull/12304) @cwayne18)
+- Update SECURITY.md to streamline information ([#12310](https://github.com/traefik/traefik/pull/12310) @emilevauge)
+
+**Misc:**
+- Make FLAGS Make variable usable ([#13009](https://github.com/traefik/traefik/pull/13009) @twz123)
+
 ## [v3.6.16](https://github.com/traefik/traefik/tree/v3.6.16) (2026-05-05)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.15...v3.6.16)

@@ -117,6 +479,29 @@ Release canceled.
 - **[k8s/crd]** Remove cross-provider sanitization for Kubernetes service loading ([#13087](https://github.com/traefik/traefik/pull/13087) @rtribotte)
 - **[docker, ecs]** Migrate to github.com/moby/moby modules ([#13053](https://github.com/traefik/traefik/pull/13053) @mmatur)

+## [v3.7.0-rc.3](https://github.com/traefik/traefik/tree/v3.7.0-rc.3) (2026-04-29)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-rc.2...v3.7.0-rc.3)
+
+**Enhancements:**
+- **[k8s/ingress-nginx]** Use a metamodel to generate dynamic configuration in ingress-nginx ([#13062](https://github.com/traefik/traefik/pull/13062) @juliens)
+- **[k8s/ingress-nginx]** Add limit-connections support ([#13030](https://github.com/traefik/traefik/pull/13030) @amazon7737)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Fix SSL redirect behavior for ingress-nginx provider ([#13028](https://github.com/traefik/traefik/pull/13028) @gndz07)
+- **[k8s/ingress-nginx]** Do not require a port for ExternalName services ([#13033](https://github.com/traefik/traefik/pull/13033) @kevinpollet)
+- **[k8s, k8s/ingress-nginx]** Add regression test for ingress default backend without rules ([#13066](https://github.com/traefik/traefik/pull/13066) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.1 ([#13027](https://github.com/traefik/traefik/pull/13027) @ldez)
+- **[server]** Bump github.com/vulcand/oxy to v2.1.0 ([#13046](https://github.com/traefik/traefik/pull/13046) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.2 ([#13043](https://github.com/traefik/traefik/pull/13043) @ldez)
+- **[middleware]** Add errorRequestHeaders option to Errors middleware ([#13034](https://github.com/traefik/traefik/pull/13034) @gndz07)
+
+**Documentation:**
+- **[k8s/ingress-nginx]** Add ingress-nginx ConfigMap migration step ([#12963](https://github.com/traefik/traefik/pull/12963) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Delete the coming soon section from the ingress-nginx documentation ([#13037](https://github.com/traefik/traefik/pull/13037) @nmengin)
+
+**Misc:**
+- Make FLAGS Make variable usable ([#13009](https://github.com/traefik/traefik/pull/13009) @twz123)
+
 ## [v3.6.15](https://github.com/traefik/traefik/tree/v3.6.15) (2026-04-29)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.14...v3.6.15)

@@ -140,6 +525,41 @@ Release canceled.
 **Misc:**
 - Make FLAGS Make variable usable ([#13009](https://github.com/traefik/traefik/pull/13009) @twz123)

+## [v3.7.0-rc.2](https://github.com/traefik/traefik/tree/v3.7.0-rc.2) (2026-04-22)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-rc.1...v3.7.0-rc.2)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.34.0 ([#12993](https://github.com/traefik/traefik/pull/12993) @ldez)
+- **[docker]** Downgrade log level for missing container on inspect ([#12900](https://github.com/traefik/traefik/pull/12900) @Otoru)
+- **[k8s/crd, k8s]** Honor allowCrossNamespace with chain middleware CRD ([#12976](https://github.com/traefik/traefik/pull/12976) @rtribotte)
+- **[k8s/ingress-nginx]** Avoid 302 redirect when rewrite-target value is not an absolute URL for ingress-nginx provider ([#12977](https://github.com/traefik/traefik/pull/12977) @gndz07)
+- **[k8s/ingress-nginx]** Fix custom headers annotation with 503 Service Unavailable ([#12969](https://github.com/traefik/traefik/pull/12969) @LBF38)
+- **[k8s/ingress-nginx]** Fix service unavailable on ingress-nginx ([#12996](https://github.com/traefik/traefik/pull/12996) @LBF38)
+- **[k8s/ingress-nginx]** Handle duplicate server-alias on ingress-nginx provider ([#13019](https://github.com/traefik/traefik/pull/13019) @gndz07)
+- **[k8s/ingress-nginx]** Use QuoteMeta for cookie name when building canary rules ([#12973](https://github.com/traefik/traefik/pull/12973) @kevinpollet)
+- **[middleware, authentication]** Cleanup and make ForwardAuth logs consistent ([#13013](https://github.com/traefik/traefik/pull/13013) @kevinpollet)
+- **[middleware, authentication]** Fix trustForwardHeader on forward auth middleware ([#12994](https://github.com/traefik/traefik/pull/12994) @juliens)
+- **[middleware, authentication]** Remove map lookup making the basic auth notFoundSecret empty ([#12960](https://github.com/traefik/traefik/pull/12960) @rtribotte)
+- **[middleware, k8s/ingress-nginx]** Fix app-root with query params redirect ([#12986](https://github.com/traefik/traefik/pull/12986) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Fix rewrite target with full URL and no regex in ingress path ([#12992](https://github.com/traefik/traefik/pull/12992) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Preserve request query on absolute-URL redirect ([#13020](https://github.com/traefik/traefik/pull/13020) @SAY-5)
+- **[middleware, k8s/ingress-nginx]** Resolve NGINX variables in ingress-nginx upstream-vhost annotation ([#12978](https://github.com/traefik/traefik/pull/12978) @mmatur)
+- **[middleware]** Deprecate ForwardAuth.TrustForwardHeader option ([#13012](https://github.com/traefik/traefik/pull/13012) @kevinpollet)
+- **[middleware]** Remove untrusted X headers with underscores ([#12961](https://github.com/traefik/traefik/pull/12961) @rtribotte)
+- **[middleware]** Sanitize the request URL after stripping the prefix ([#12990](https://github.com/traefik/traefik/pull/12990) @kevinpollet)
+- **[sticky-session, k8s/crd]** Make SameSite cookie value case-insensitive ([#12922](https://github.com/traefik/traefik/pull/12922) @murataslan1)
+- **[tls]** Restore default cipher suites when serversTransport has no explicit cipherSuites ([#12974](https://github.com/traefik/traefik/pull/12974) @mmatur)
+- **[webui]** Bump lodash version ([#12954](https://github.com/traefik/traefik/pull/12954) @gndz07)
+- **[webui]** Upgrade form-data to 2.5.4, 3.0.4, 4.0.4 ([#12958](https://github.com/traefik/traefik/pull/12958) @orbisai0security)
+
+**Documentation:**
+- **[k8s]** Fix yaml indentation ([#12957](https://github.com/traefik/traefik/pull/12957) @isayme)
+- **[k8s]** Clarify install config watchNamespace watches only one namespace ([#12962](https://github.com/traefik/traefik/pull/12962) @parkerfath)
+- **[k8s/crd]** Update ingressroute.md ([#12916](https://github.com/traefik/traefik/pull/12916) @Rajakavitha1)
+- **[k8s/ingress-nginx]** Document the rd parameter behavior for the auth-signin annotation ([#13017](https://github.com/traefik/traefik/pull/13017) @kevinpollet)
+- Reverse versions order in migration guide ([#12959](https://github.com/traefik/traefik/pull/12959) @nmengin)
+- Update vulnerability submission guidelines ([#12968](https://github.com/traefik/traefik/pull/12968) @emilevauge)
+
 ## [v3.6.14](https://github.com/traefik/traefik/tree/v3.6.14) (2026-04-22)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.13...v3.6.14)

@@ -174,6 +594,34 @@ Release canceled.
 - **[middleware]** Sanitize the request URL after stripping the prefix ([#12990](https://github.com/traefik/traefik/pull/12990) @kevinpollet)
 - **[k8s/crd, k8s]** Honor allowCrossNamespace with chain middleware CRD ([#12976](https://github.com/traefik/traefik/pull/12976) @rtribotte)

+## [v3.7.0-rc.1](https://github.com/traefik/traefik/tree/v3.7.0-rc.1) (2026-04-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-ea.3...v3.7.0-rc.1)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Fix rewrite-target annotation handling with empty path and non-regex path ([#12905](https://github.com/traefik/traefik/pull/12905) @LBF38)
+- **[middleware]** Bump github.com/klauspost/compress v1.18.4 ([#12937](https://github.com/traefik/traefik/pull/12937) @thaJeztah)
+
+**Enhancement:**
+- **[webui]** Display server weight in service detail view ([#12325](https://github.com/traefik/traefik/pull/12325) @murataslan1)
+- **[webui, tls]** Add certificates menu and overview ([#12628](https://github.com/traefik/traefik/pull/12628) @holomekc)
+- **[provider]** Add providers routing precedence configuration ([#12895](https://github.com/traefik/traefik/pull/12895) @juliens)
+- **[k8s/ingress-nginx]** Support NGINX global auth annotation ([#12893](https://github.com/traefik/traefik/pull/12893) @foxcool)
+- **[k8s/ingress-nginx]** Add limit-burst-multiplier annotation support ([#12899](https://github.com/traefik/traefik/pull/12899) @amazon7737)
+- **[k8s/ingress-nginx, k8s/ingress, rules]** Add wildcard host in Host and HostSNI matchers ([#12884](https://github.com/traefik/traefik/pull/12884) @juliens)
+- **[k8s/gatewayapi]** Support multiple certificateRefs on gateway listeners ([#12590](https://github.com/traefik/traefik/pull/12590) @mortennordbye)
+- **[k8s/gatewayapi]** Add secret support for BackendTLSPolicy caCertificateRefs ([#12927](https://github.com/traefik/traefik/pull/12927) @kevinpollet)
+- **[accesslogs, k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/enable-access-log annotation ([#12908](https://github.com/traefik/traefik/pull/12908) @ris-tlp)
+- **[accesslogs, k8s/ingress-nginx, k8s/ingress]** Add Kubernetes Ingress logs fields ([#12913](https://github.com/traefik/traefik/pull/12913) @rtribotte)
+
+**Documentation:**
+- **[docker]** Fix docker-compose.yaml location in Docker setup page ([#12860](https://github.com/traefik/traefik/pull/12860) @ScottA38)
+- **[docker, consul, ecs, k8s]** Fix documentation on how to restrict the scope of service discovery ([#12645](https://github.com/traefik/traefik/pull/12645) @mloiseleur)
+- **[k8s/gatewayapi]** Update gateway-api link in getting-started to v1.5.1 ([#12930](https://github.com/traefik/traefik/pull/12930) @isayme)
+- **[k8s/ingress-nginx]** Add OVHcloud (OpenStack Octavia) to Cloud-Specific IP Management ([#12759](https://github.com/traefik/traefik/pull/12759) @antonin-a)
+- **[k8s/ingress-nginx]** Clarify IngressClass selection logic ([#12926](https://github.com/traefik/traefik/pull/12926) @kevinpollet)
+- Add redirects for deleted pages ([#12889](https://github.com/traefik/traefik/pull/12889) @sheddy-traefik)
+- Fix default value of http.sanitizePath ([#12904](https://github.com/traefik/traefik/pull/12904) @iTob191)
+
 ## [v3.6.13](https://github.com/traefik/traefik/tree/v3.6.13) (2026-04-07)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.12...v3.6.13)

@@ -189,6 +637,30 @@ Release canceled.
 - Add redirects for deleted pages ([#12889](https://github.com/traefik/traefik/pull/12889) @sheddy-traefik)
 - Fix default value of http.sanitizePath ([#12904](https://github.com/traefik/traefik/pull/12904) @iTob191)

+## [v3.7.0-ea.3](https://github.com/traefik/traefik/tree/v3.7.0-ea.3) (2026-03-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-ea.2...v3.7.0-ea.3)
+
+**Bug fixes:**
+- **[k8s/crd]** Fix panic with Failover services in Kubernetes ([#12853](https://github.com/traefik/traefik/pull/12853) @juliens)
+- **[k8s/ingress-nginx]** Fix rewrite directive in configuration-snippet to trim quotes ([#12855](https://github.com/traefik/traefik/pull/12855) @gndz07)
+- **[k8s/ingress-nginx]** Fix rewrite-target to handle full URL ([#12854](https://github.com/traefik/traefik/pull/12854) @gndz07)
+- **[k8s/ingress-nginx]** Handle empty rewrite-target like unset rewrite-target ([#12832](https://github.com/traefik/traefik/pull/12832) @sathieu)
+- **[k8s/ingress-nginx]** Fix TLS behavior in ingress-nginx provider ([#12831](https://github.com/traefik/traefik/pull/12831) @LBF38)
+- **[k8s/ingress-nginx]** Fix auth-response-headers whitespace trimming in ingress-nginx provider ([#12856](https://github.com/traefik/traefik/pull/12856) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.33.0 ([#12840](https://github.com/traefik/traefik/pull/12840) @ldez)
+- **[server, tcp]** Fix postgres STARTTLS with TLS termination ([#12847](https://github.com/traefik/traefik/pull/12847) @mmatur)
+- **[api]** Fix allow colons and tildes in api.basePath validation ([#12857](https://github.com/traefik/traefik/pull/12857) @mmatur)
+- **[server]** Fix comment and unnecessary allocation in withRoutingPath ([#12880](https://github.com/traefik/traefik/pull/12880) @boinger)
+- **[grpc]** Bump google.golang.org/grpc to v1.79.3 ([#12845](https://github.com/traefik/traefik/pull/12845) @mmatur)
+- **[middleware, authentication]** Prevent duplicate user headers in basic and digest auth middleware ([#12851](https://github.com/traefik/traefik/pull/12851) @juliens)
+- **[middleware]** Fix StripPrefix and StripPrefixRegex to slice the prefix using encoded prefix length ([#12863](https://github.com/traefik/traefik/pull/12863) @gndz07)
+
+**Documentation:**
+- **[acme]** Clarify CNAME explanation in ACME Documentation ([#12818](https://github.com/traefik/traefik/pull/12818) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Add ingress-nginx migration banner on documentation pages ([#12872](https://github.com/traefik/traefik/pull/12872) @gndz07)
+- **[k8s/ingress]** Improve Kubernetes Ingress Routing Documentation ([#12876](https://github.com/traefik/traefik/pull/12876) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Clarify that NGINX Ingress watchNamespace watches only one namespace ([#12873](https://github.com/traefik/traefik/pull/12873) @parkerfath)
+
 ## [v3.6.12](https://github.com/traefik/traefik/tree/v3.6.12) (2026-03-26)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.11...v3.6.12)

@@ -208,6 +680,33 @@ Release canceled.
 - **[k8s/ingress-nginx]** Clarify that NGINX Ingress watchNamespace watches only one namespace ([#12873](https://github.com/traefik/traefik/pull/12873) @parkerfath)
 - **[k8s/ingress]** Improve Kubernetes Ingress Routing Documentation ([#12876](https://github.com/traefik/traefik/pull/12876) @sheddy-traefik)

+## [v3.7.0-ea.2](https://github.com/traefik/traefik/tree/v3.7.0-ea.2) (2026-03-19)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-ea.1...v3.7.0-ea.2)
+
+**Enhancement:**
+- **[k8s/knative]** Support knative v1.20.0 ([#12441](https://github.com/traefik/traefik/pull/12441) @idurgakalyan)
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.5.1 ([#12768](https://github.com/traefik/traefik/pull/12768) @mmatur)
+- **[k8s/ingress-nginx, middleware, authentication]** Add support for auth-snippet ([#12778](https://github.com/traefik/traefik/pull/12778) @juliens)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Fix use-regex annotation behavior and add strictValidatePathType config for ingress-nginx provider ([#12773](https://github.com/traefik/traefik/pull/12773) @gndz07)
+- **[logs, otel]** Add OTel-conformant trace context attributes to access logs ([#12801](https://github.com/traefik/traefik/pull/12801) @mmatur)
+- **[k8s/gatewayapi]** Fix incorrect hostname matching between listener and route ([#12599](https://github.com/traefik/traefik/pull/12599) @TheColorman)
+- **[k8s/ingress]** Fix ingress router's rule ([#12808](https://github.com/traefik/traefik/pull/12808) @gndz07)
+- **[webui]** Remove AGPL license in code ([#12799](https://github.com/traefik/traefik/pull/12799) @Desel72)
+- **[k8s/ingress-nginx]** Fix proxy-ssl-verify annotation ([#12825](https://github.com/traefik/traefik/pull/12825) @LBF38)
+- **[http]** Add maxResponseBodySize configuration on HTTP provider ([#12788](https://github.com/traefik/traefik/pull/12788) @gndz07)
+- **[tls]** Support fragmented TLS client hello ([#12787](https://github.com/traefik/traefik/pull/12787) @rtribotte)
+- **[middleware, authentication]** Make basic auth check timing constant ([#12803](https://github.com/traefik/traefik/pull/12803) @rtribotte)
+
+  **Documentation:**
+- **[k8s]** Improve the multi tenant security note ([#12822](https://github.com/traefik/traefik/pull/12822) @nmengin)
+- Fix unnecessary escaping of pipe in regexp examples ([#12784](https://github.com/traefik/traefik/pull/12784) @diegmonti)
+- Add vulnerability submission quality guidelines ([#12807](https://github.com/traefik/traefik/pull/12807) @emilevauge)
+- Fix start up message format ([#12806](https://github.com/traefik/traefik/pull/12806) @mloiseleur)
+- Remove unsupported servers[n].address from TCP label examples ([#12817](https://github.com/traefik/traefik/pull/12817) @sheddy-traefik)
+- Bump mkdocs-traefiklabs to use consent mode ([#12804](https://github.com/traefik/traefik/pull/12804) @darkweaver87)
+
 ## [v3.6.11](https://github.com/traefik/traefik/tree/v3.6.11) (2026-03-19)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.10...v3.6.11)

@@ -248,10 +747,199 @@ Release canceled.
 **Documentation:**
 - Bump mkdocs-traefiklabs to use consent mode ([#12804](https://github.com/traefik/traefik/pull/12804) @darkweaver87)

+## [v3.7.0-ea.1](https://github.com/traefik/traefik/tree/v3.7.0-ea.1) (2026-03-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.0-rc1...v3.7.0-ea.1)
+
+**Enhancements:**
+- **[accesslogs, otel]** Allow Stdio access logs alongsige OTLP logging ([#12307](https://github.com/traefik/traefik/pull/12307) by [Mulgish](https://github.com/Mulgish))
+- **[acme]** Add CertificateTimeout ACME configuration option ([#12278](https://github.com/traefik/traefik/pull/12278) by [ceko](https://github.com/ceko))
+- **[k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/allowlist-source-range ([#12659](https://github.com/traefik/traefik/pull/12659) by [ris-tlp](https://github.com/ris-tlp))
+- **[k8s/crd]** Add ingressClassName field to the CRDs spec ([#12313](https://github.com/traefik/traefik/pull/12313) by [kkrypt0nn](https://github.com/kkrypt0nn))
+- **[k8s/crd]** Service failover support in TraefikService CRD ([#12733](https://github.com/traefik/traefik/pull/12733) by [jspdown](https://github.com/jspdown))
+- **[k8s/crd, service]** Support cipher suites configuration with ServersTransport ([#11965](https://github.com/traefik/traefik/pull/11965) by [NEwa-05](https://github.com/NEwa-05))
+- **[k8s/ingress, middleware, k8s/crd, service, k8s/gatewayapi]** Services middleware and Gateway API filters on HTTP backends ([#12544](https://github.com/traefik/traefik/pull/12544) by [juliens](https://github.com/juliens))
+- **[k8s/ingress-nginx]** Add nginx.ingress.kubernetes.io/proxy-connect-timeout annotation ([#12572](https://github.com/traefik/traefik/pull/12572) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Add rewrite-target nginx annotations support ([#12534](https://github.com/traefik/traefik/pull/12534) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for app-root nginx annotation ([#12576](https://github.com/traefik/traefik/pull/12576) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for auth-signin annotation ([#12502](https://github.com/traefik/traefik/pull/12502) by [DesalLama](https://github.com/DesalLama))
+- **[k8s/ingress-nginx]** Add support for from-to-www-redirect NGINX annotation ([#12610](https://github.com/traefik/traefik/pull/12610) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for proxy-read-timeout and proxy-send-timeout NGINX annotations ([#12630](https://github.com/traefik/traefik/pull/12630) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for session-cookie-expires nginx annotation ([#12558](https://github.com/traefik/traefik/pull/12558) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for upstream-hash-by NGINX annotation ([#12749](https://github.com/traefik/traefik/pull/12749) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Allow entry points to be specified on Nginx Ingresses ([#12727](https://github.com/traefik/traefik/pull/12727) by [ajacques](https://github.com/ajacques))
+- **[k8s/ingress-nginx]** Implement proxy-http-version annotation ([#12743](https://github.com/traefik/traefik/pull/12743) by [KshitijBharde](https://github.com/KshitijBharde))
+- **[k8s/ingress-nginx]** Nginx x-forwarded-prefix annotation ([#12697](https://github.com/traefik/traefik/pull/12697) by [nandorKollar](https://github.com/nandorKollar))
+- **[k8s/ingress-nginx]** Support auth-tls-secret and auth-tls-verify-client annotations ([#12595](https://github.com/traefik/traefik/pull/12595) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Support limit-rpm annotation for ingress-nginx ([#12703](https://github.com/traefik/traefik/pull/12703) by [Ph4rell](https://github.com/Ph4rell))
+- **[k8s/ingress-nginx]** Support limit-rps annotation for Ingress NGINX ([#12709](https://github.com/traefik/traefik/pull/12709) by [amazon7737](https://github.com/amazon7737))
+- **[k8s/ingress-nginx]** Support NGINX buffering annotations ([#12459](https://github.com/traefik/traefik/pull/12459) by [blasko03](https://github.com/blasko03))
+- **[k8s/ingress-nginx]** Support NGINX canary annotations ([#12739](https://github.com/traefik/traefik/pull/12739) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/ingress-nginx]** Support NGINX custom-headers annotation ([#12414](https://github.com/traefik/traefik/pull/12414) by [nandorKollar](https://github.com/nandorKollar))
+- **[k8s/ingress-nginx]** Support NGINX upstream-vhost annotation ([#12412](https://github.com/traefik/traefik/pull/12412) by [nandorKollar](https://github.com/nandorKollar))
+- **[k8s/ingress-nginx]** Support NGINX whitelist-source-range annotation ([#12423](https://github.com/traefik/traefik/pull/12423) by [blasko03](https://github.com/blasko03))
+- **[k8s/ingress-nginx]** Support permanent-redirect and temporal-redirect annotations ([#12561](https://github.com/traefik/traefik/pull/12561) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Support proxy-next-upstream* annotations ([#12710](https://github.com/traefik/traefik/pull/12710) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Support server-alias annotation for Ingress NGINX ([#12707](https://github.com/traefik/traefik/pull/12707) by [amazon7737](https://github.com/amazon7737))
+- **[k8s/ingress-nginx]** Support upstream-keepalive-timeout ([#12708](https://github.com/traefik/traefik/pull/12708) by [jcob-sikorski](https://github.com/jcob-sikorski))
+- **[k8s/ingress-nginx]** Add support for variable interpolation in auth-signin NGINX annotation ([#12640](https://github.com/traefik/traefik/pull/12640) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Implement server-snippet and configuration-snippet annotations ([#12715](https://github.com/traefik/traefik/pull/12715) by [juliens](https://github.com/juliens))
+- **[k8s/ingress-nginx]** Add custom-http-errors and default-backend annotations ([#12637](https://github.com/traefik/traefik/pull/12637) by [juliens](https://github.com/juliens))
+- **[k8s/ingress-nginx]** Support auth-tls-pass-certificate-to-upstream annotation ([#12629](https://github.com/traefik/traefik/pull/12629) by [gndz07](https://github.com/gndz07))
+- **[metrics]** Support file path for metrics.influxdb2.token option ([#12458](https://github.com/traefik/traefik/pull/12458) by [barhun](https://github.com/barhun))
+- **[middleware]** Add encodedCharacters middleware ([#12555](https://github.com/traefik/traefik/pull/12555) by [gndz07](https://github.com/gndz07))
+- **[middleware]** Enable retries based on HTTP response status codes, timeout, and non-idempotent methods ([#12667](https://github.com/traefik/traefik/pull/12667) by [LBF38](https://github.com/LBF38))
+- **[middleware, authentication]** Add authSignInURL in forward auth middleware ([#12293](https://github.com/traefik/traefik/pull/12293) by [kyounghunJang](https://github.com/kyounghunJang))
+- **[server]** Add global option to disable X-Forwarded-For appending ([#12374](https://github.com/traefik/traefik/pull/12374) by [lbenguigui](https://github.com/lbenguigui))
+- **[server]** Replace Split in loops with more efficient SplitSeq ([#12316](https://github.com/traefik/traefik/pull/12316) by [boqishan](https://github.com/boqishan))
+- **[service]** Failover according to response status code ([#12596](https://github.com/traefik/traefik/pull/12596) by [lbenguigui](https://github.com/lbenguigui))
+- **[tls]** Make TLSStore gracefully handle missing secrets ([#12522](https://github.com/traefik/traefik/pull/12522) by [david-garcia-garcia](https://github.com/david-garcia-garcia))
+- **[webui]** Add dashboard name configuration ([#12410](https://github.com/traefik/traefik/pull/12410) by [gndz07](https://github.com/gndz07))
+- **[webui]** Web UI dashboard improvements ([#12236](https://github.com/traefik/traefik/pull/12236) by [gndz07](https://github.com/gndz07))
+- **[webui]** Details pages UI improvement ([#12377](https://github.com/traefik/traefik/pull/12377) by [gndz07](https://github.com/gndz07))
+- Use unicode.MaxASCII for clearer ASCII check ([#12741](https://github.com/traefik/traefik/pull/12741) by [1911860538](https://github.com/1911860538))
+
+**Bug fixes:**
+- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) by [ldez](https://github.com/ldez))
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
+- **[acme]** Alter TLS renewal period ([#12479](https://github.com/traefik/traefik/pull/12479) by [LtHummus](https://github.com/LtHummus))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.28.0 ([#12218](https://github.com/traefik/traefik/pull/12218) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.29.0 ([#12333](https://github.com/traefik/traefik/pull/12333) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.30.1 ([#12432](https://github.com/traefik/traefik/pull/12432) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.32.0 ([#12702](https://github.com/traefik/traefik/pull/12702) by [ldez](https://github.com/ldez))
+- **[acme]** Remove invalid private key in log ([#12574](https://github.com/traefik/traefik/pull/12574) by [juliens](https://github.com/juliens))
+- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) by [schildbach](https://github.com/schildbach))
+- **[cli]** Fix health check ping ([#12512](https://github.com/traefik/traefik/pull/12512) by [olamilekan000](https://github.com/olamilekan000))
+- **[docker]** Auto-negotiate Docker API Version ([#12256](https://github.com/traefik/traefik/pull/12256) by [felixbuenemann](https://github.com/felixbuenemann))
+- **[docker]** Bump Docker and OpenTelemetry dependencies ([#12761](https://github.com/traefik/traefik/pull/12761) by [mmatur](https://github.com/mmatur))
+- **[docker, docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) by [kevinpollet](https://github.com/kevinpollet))
+- **[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#12763](https://github.com/traefik/traefik/pull/12763) by [kevinpollet](https://github.com/kevinpollet))
+- **[healthcheck]** Reject absolute URL in healthcheck path configuration ([#12653](https://github.com/traefik/traefik/pull/12653) by [rtribotte](https://github.com/rtribotte))
+- **[healthcheck]** Validate healthcheck path configuration ([#12642](https://github.com/traefik/traefik/pull/12642) by [rtribotte](https://github.com/rtribotte))
+- **[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#12760](https://github.com/traefik/traefik/pull/12760) by [rtribotte](https://github.com/rtribotte))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.58.0 ([#12448](https://github.com/traefik/traefik/pull/12448) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.0 ([#12553](https://github.com/traefik/traefik/pull/12553) by [jnoordsij](https://github.com/jnoordsij))
+- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) by [LBF38](https://github.com/LBF38))
+- **[k8s/gatewayapi]** Fix Gateway API router's rules ([#12753](https://github.com/traefik/traefik/pull/12753) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Add AllowCrossNamespaceResources and GlobalAllowedResponseHeader options to control custom headers annotations ([#12680](https://github.com/traefik/traefik/pull/12680) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Deprecate Kubernetes Ingress NGINX provider experimental flag ([#12286](https://github.com/traefik/traefik/pull/12286) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Fix nginx rewrite target ([#12730](https://github.com/traefik/traefik/pull/12730) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix NGINX sslredirect annotation support ([#12387](https://github.com/traefik/traefik/pull/12387) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Fix nginx.ingress.kubernetes.io/proxy-ssl-verify annotation support ([#12351](https://github.com/traefik/traefik/pull/12351) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Fix SSL redirect to match NGINX behavior ([#12361](https://github.com/traefik/traefik/pull/12361) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix the service name for ingress-nginx provider ([#12352](https://github.com/traefik/traefik/pull/12352) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) by [rtribotte](https://github.com/rtribotte))
+- **[metrics, tracing, accesslogs]** Fix ObservabilityConfig SetDefaults  ([#12636](https://github.com/traefik/traefik/pull/12636) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Fix case sensitivity on x-forwarded headers for Connection ([#12690](https://github.com/traefik/traefik/pull/12690) by [LBF38](https://github.com/LBF38))
+- **[middleware]** Fix HasSecureHeadersDefined returning false when stsSeconds is 0 ([#12684](https://github.com/traefik/traefik/pull/12684) by [veeceey](https://github.com/veeceey))
+- **[middleware, authentication]** Add maxResponseBodySize configuration to forwardAuth middleware ([#12694](https://github.com/traefik/traefik/pull/12694) by [gndz07](https://github.com/gndz07))
+- **[middleware, authentication]** Change ForwardAuth error log level from DEBUG to ERROR ([#12324](https://github.com/traefik/traefik/pull/12324) by [murataslan1](https://github.com/murataslan1))
+- **[middleware, authentication]** Handle empty/missing User-Agent header ([#12545](https://github.com/traefik/traefik/pull/12545) by [a-stangl](https://github.com/a-stangl))
+- **[middleware, k8s, k8s/ingress-nginx]** Fix from to www nginx annotation ([#12736](https://github.com/traefik/traefik/pull/12736) by [mmatur](https://github.com/mmatur))
+- **[middleware, k8s/ingress-nginx]** Fix custom error pages behavior for ingress-nginx provider ([#12738](https://github.com/traefik/traefik/pull/12738) by [mmatur](https://github.com/mmatur))
+- **[otel]** Bump go.opentelemetry.io/otel dependencies ([#12754](https://github.com/traefik/traefik/pull/12754) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) by [kevinpollet](https://github.com/kevinpollet))
+- **[redis]** Fix mutually exclusive verification for Redis ([#12442](https://github.com/traefik/traefik/pull/12442) by [juliens](https://github.com/juliens))
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Bump golang.org/x/net to v0.51.0 ([#12756](https://github.com/traefik/traefik/pull/12756) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Filter unknown nodes with file and env for the deprecation loader ([#12227](https://github.com/traefik/traefik/pull/12227) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Fix deny encoded characters ([#12454](https://github.com/traefik/traefik/pull/12454) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Fix deny encoded characters ([#12457](https://github.com/traefik/traefik/pull/12457) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Fix multi-layer routing with models ([#12258](https://github.com/traefik/traefik/pull/12258) by [juliens](https://github.com/juliens))
+- **[server]** Fix TLS handshake error handling ([#12692](https://github.com/traefik/traefik/pull/12692) by [juliens](https://github.com/juliens))
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
+- **[server]** Make the aggregator compute provider namespace for router's parentRefs ([#12235](https://github.com/traefik/traefik/pull/12235) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12424](https://github.com/traefik/traefik/pull/12424) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12426](https://github.com/traefik/traefik/pull/12426) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Remove conn deadline after STARTTLS negociation ([#12639](https://github.com/traefik/traefik/pull/12639) by [rtribotte](https://github.com/rtribotte))
+- **[service]** Avoid recursion with services ([#12591](https://github.com/traefik/traefik/pull/12591) by [juliens](https://github.com/juliens))
+- **[tls]** Fix verifyServerCertMatchesURI function behavior ([#12575](https://github.com/traefik/traefik/pull/12575) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls, server]** Cap TLS record length to RFC 8446 limit in ClientHello peeking ([#12638](https://github.com/traefik/traefik/pull/12638) by [mmatur](https://github.com/mmatur))
+- **[tracing, otel]** Use ParentBased sampler to respect parent span sampling decision ([#12403](https://github.com/traefik/traefik/pull/12403) by [xe-leon](https://github.com/xe-leon))
+- **[udp]** Revert "Avoid allocations in readLoop by using sync.Pool" ([#12267](https://github.com/traefik/traefik/pull/12267) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Bump dependencies of documentation and webui ([#12581](https://github.com/traefik/traefik/pull/12581) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix basePath validation for dashboard template ([#12729](https://github.com/traefik/traefik/pull/12729) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix blocked navigation on Safari ([#12231](https://github.com/traefik/traefik/pull/12231) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix missing type definition ([#12780](https://github.com/traefik/traefik/pull/12780) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix priority display in dashboard and ACME bypass redirect ([#12740](https://github.com/traefik/traefik/pull/12740) by [mmatur](https://github.com/mmatur))
+- **[webui]** Restore remote Upgrade to Hub button web component ([#12219](https://github.com/traefik/traefik/pull/12219) by [gndz07](https://github.com/gndz07))
+- **[webui]** Use url.Parse to validate X-Forwarded-Prefix value ([#12643](https://github.com/traefik/traefik/pull/12643) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) by [LBF38](https://github.com/LBF38))
+
+**Documentation:**
+- **[acme]** Add missing ACME options and clean up table for more visibility ([#12208](https://github.com/traefik/traefik/pull/12208) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[api]** Fix typo in API dashboard configuration instructions ([#12335](https://github.com/traefik/traefik/pull/12335) by [NAICOLAS](https://github.com/NAICOLAS))
+- **[docker]** Add documentation for loadbalancer.server.url in Docker and Swarm providers ([#12289](https://github.com/traefik/traefik/pull/12289) by [webash](https://github.com/webash))
+- **[docker]** Update docker in-depth setup guide ([#12682](https://github.com/traefik/traefik/pull/12682) by [mdevino](https://github.com/mdevino))
+- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) by [DBouraoui](https://github.com/DBouraoui))
+- **[k8s]** Fix Gateway API version and the list of features supported ([#12254](https://github.com/traefik/traefik/pull/12254) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) by [mmatur](https://github.com/mmatur))
+- **[k8s]** Fix kubernetes.md with correct http redirections ([#12603](https://github.com/traefik/traefik/pull/12603) by [MartenM](https://github.com/MartenM))
+- **[k8s]** Fix Nginx provider documentation ([#12266](https://github.com/traefik/traefik/pull/12266) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Improve the K8S multi-tenancy security note ([#12444](https://github.com/traefik/traefik/pull/12444) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Make labelSelector option casing more consistent ([#12658](https://github.com/traefik/traefik/pull/12658) by [holysoles](https://github.com/holysoles))
+- **[k8s, k8s/ingress-nginx]** Add configmaps right to Ingress NGINX RBAC ([#12557](https://github.com/traefik/traefik/pull/12557) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/gatewayapi]** Fix links of Helm chart values reference to providers.kubernetesGateway.enabled ([#12315](https://github.com/traefik/traefik/pull/12315) by [shouhei](https://github.com/shouhei))
+- **[k8s/ingress, k8s]** Fix Kubernetes Ingress provider documentation ([#12443](https://github.com/traefik/traefik/pull/12443) by [nmengin](https://github.com/nmengin))
+- **[k8s/ingress-nginx]** Add auth-signin to unsupported nginx annotations list ([#12370](https://github.com/traefik/traefik/pull/12370) by [fibsifan](https://github.com/fibsifan))
+- **[k8s/ingress-nginx]** Add RBAC documentation for Ingress NGINX provider ([#12445](https://github.com/traefik/traefik/pull/12445) by [nmn3m](https://github.com/nmn3m))
+- **[k8s/ingress-nginx]** Add temporary note to advertise the incoming NGINX annotations ([#12699](https://github.com/traefik/traefik/pull/12699) by [nmengin](https://github.com/nmengin))
+- **[k8s/ingress-nginx]** Fix default value of ingress-nginx provider in documentation ([#12328](https://github.com/traefik/traefik/pull/12328) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) by [nmengin](https://github.com/nmengin))
+- **[k8s/ingress-nginx]** Improve ingress-nginx provider documentation ([#12288](https://github.com/traefik/traefik/pull/12288) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[k8s/ingress-nginx]** Improve the configuration options display of the Kubernetes ingress-nginx provider ([#12297](https://github.com/traefik/traefik/pull/12297) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/ingress-nginx]** NGINX Ingress Controller to Traefik Migration Guide ([#12318](https://github.com/traefik/traefik/pull/12318) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[middleware]** Correct documentation for Digest auth ([#12651](https://github.com/traefik/traefik/pull/12651) by [Zash](https://github.com/Zash))
+- **[middleware]** Fix default encodings in compress middleware ([#12216](https://github.com/traefik/traefik/pull/12216) by [Belphemur](https://github.com/Belphemur))
+- **[middleware, k8s/crd]** Fix the errors middleware's document for Kubernetes CRD ([#12600](https://github.com/traefik/traefik/pull/12600) by [yuito-it](https://github.com/yuito-it))
+- **[service]** Fix loadbalancer doc for highest random weight ([#12283](https://github.com/traefik/traefik/pull/12283) by [ozon2](https://github.com/ozon2))
+- **[tls]** Clarify SNI selection ([#12482](https://github.com/traefik/traefik/pull/12482) by [AnuragEkkati](https://github.com/AnuragEkkati))
+- Add @gndz07 as a current maintainer ([#12594](https://github.com/traefik/traefik/pull/12594) by [emilevauge](https://github.com/emilevauge))
+- Add a Breaking change note to the changelog ([#12398](https://github.com/traefik/traefik/pull/12398) by [nmengin](https://github.com/nmengin))
+- Add documentation about checkNewVersion ([#12298](https://github.com/traefik/traefik/pull/12298) by [darkweaver87](https://github.com/darkweaver87))
+- Add missing `.http` to TOML table names ([#12713](https://github.com/traefik/traefik/pull/12713) by [Darsstar](https://github.com/Darsstar))
+- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Bring back security section on API & Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) by [gndz07](https://github.com/gndz07))
+- Clarify doc about encoded characters rejection ([#12391](https://github.com/traefik/traefik/pull/12391) by [rtribotte](https://github.com/rtribotte))
+- Clean Up Menu Entries & Update Expose Overview ([#12405](https://github.com/traefik/traefik/pull/12405) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Correct encoded characters allowance in entrypoints.md ([#12679](https://github.com/traefik/traefik/pull/12679) by [Apflkuacha](https://github.com/Apflkuacha))
+- Correctly Format the HTTP Service Documentation ([#12311](https://github.com/traefik/traefik/pull/12311) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Document negative priority support for routers ([#12505](https://github.com/traefik/traefik/pull/12505) by [understood-the-assignment](https://github.com/understood-the-assignment))
+- Document Path matcher placeholder removal in v3 migration guide ([#12570](https://github.com/traefik/traefik/pull/12570) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix API basepath option documentation ([#12744](https://github.com/traefik/traefik/pull/12744) by [nmengin](https://github.com/nmengin))
+- Fix broken links in TCP Service and HTTP Router documentation ([#12215](https://github.com/traefik/traefik/pull/12215) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) by [AnuragEkkati](https://github.com/AnuragEkkati))
+- Fix encoded characters entryPoint option documentation ([#12384](https://github.com/traefik/traefik/pull/12384) by [rtribotte](https://github.com/rtribotte))
+- Fix encoded characters option documentation ([#12373](https://github.com/traefik/traefik/pull/12373) by [kevinpollet](https://github.com/kevinpollet))
+- Fix encodedCharacters entryPoint option documentation ([#12385](https://github.com/traefik/traefik/pull/12385) by [rtribotte](https://github.com/rtribotte))
+- Fix incorrect TOML example in entrypoints docs ([#12711](https://github.com/traefik/traefik/pull/12711) by [mfmfuyu](https://github.com/mfmfuyu))
+- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) by [schaerfo](https://github.com/schaerfo))
+- Fix Menu Item Naming ([#12431](https://github.com/traefik/traefik/pull/12431) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix migration guide indentation ([#12365](https://github.com/traefik/traefik/pull/12365) by [kevinpollet](https://github.com/kevinpollet))
+- Fix migration guide URLs in deprecation notice ([#12430](https://github.com/traefik/traefik/pull/12430) by [alexmar07](https://github.com/alexmar07))
+- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) by [EdwardSalkeld](https://github.com/EdwardSalkeld))
+- Fix typo in v3.6 migration guide ([#12212](https://github.com/traefik/traefik/pull/12212) by [jnoordsij](https://github.com/jnoordsij))
+- Fix typo on JWT documentation ([#12616](https://github.com/traefik/traefik/pull/12616) by [mdevino](https://github.com/mdevino))
+- Improve Service Reference page ([#12541](https://github.com/traefik/traefik/pull/12541) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Improve the structure of the routing reference pages ([#12429](https://github.com/traefik/traefik/pull/12429) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Increased content width in documentation ([#12632](https://github.com/traefik/traefik/pull/12632) by [tobiasge](https://github.com/tobiasge))
+- Remove extra dots in migration guide ([#12573](https://github.com/traefik/traefik/pull/12573) by [rtribotte](https://github.com/rtribotte))
+- Remove extraneous dots in migration guide ([#12571](https://github.com/traefik/traefik/pull/12571) by [dathbe](https://github.com/dathbe))
+- Restore documentation on http.maxHeaderBytes ([#12440](https://github.com/traefik/traefik/pull/12440) by [mloiseleur](https://github.com/mloiseleur))
+- Split Expose User Guides & Add Multi-Layer Routing Section ([#12238](https://github.com/traefik/traefik/pull/12238) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update Configuration Overview Page ([#12202](https://github.com/traefik/traefik/pull/12202) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update SECURITY.md ([#12304](https://github.com/traefik/traefik/pull/12304) by [cwayne18](https://github.com/cwayne18))
+- Update SECURITY.md to streamline information ([#12310](https://github.com/traefik/traefik/pull/12310) by [emilevauge](https://github.com/emilevauge))
+
 ## [v3.6.10](https://github.com/traefik/traefik/tree/v3.6.10) (2026-03-06)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.9...v3.6.10)

-  **Bug fixes:**
+**Bug fixes:**
 - **[docker]** Bump Docker and OpenTelemetry dependencies ([#12761](https://github.com/traefik/traefik/pull/12761) by [mmatur](https://github.com/mmatur))
 - **[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#12763](https://github.com/traefik/traefik/pull/12763) by [kevinpollet](https://github.com/kevinpollet))
 - **[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#12760](https://github.com/traefik/traefik/pull/12760) by [rtribotte](https://github.com/rtribotte))
@@ -103,7 +103,7 @@ test-integration:
 #? test-gateway-api-conformance: Run the Gateway API conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the traefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -tags gatewayAPIConformance -test.run GatewayAPIConformanceSuite -traefikVersion="v3.6" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -tags gatewayAPIConformance -test.run GatewayAPIConformanceSuite -traefikVersion="v3.7" $(TESTFLAGS)

 .PHONY: test-knative-conformance
 #? test-knative-conformance: Run the Knative conformance tests
@@ -61,7 +61,12 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 		return nil, fmt.Errorf("ping: missing %s entry point", ep)
 	}

-	client := &http.Client{Timeout: 5 * time.Second}
+	client := &http.Client{
+		Timeout: 5 * time.Second,
+		Transport: &http.Transport{
+			Proxy: nil,
+		},
+	}
 	protocol := "http"

 	// TODO Handle TLS on ping etc...
@@ -97,10 +97,10 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return fmt.Errorf("setting up logger: %w", err)
 	}

-	log.Warn().Msg("Traefik can reject some encoded characters in the request path. " +
-		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986), " +
-		"it is recommended to set these options to `false` to avoid split-view situation. " +
-		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.6/migrate/v3/#encoded-characters-configuration-default-values")
+	log.Warn().Msg("Traefik can reject some encoded characters in the request path." +
+		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
+		"it is recommended to set these options to `false` to avoid split-view situation." +
+		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.7/migrate/v3/#encoded-characters-configuration-default-values")

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

@@ -231,6 +231,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	if staticConfiguration.API != nil {
 		version.DisableDashboardAd = staticConfiguration.API.DisableDashboardAd
+		version.DashboardName = staticConfiguration.API.DashboardName
 	}

 	// Plugins
@@ -302,7 +303,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	dialerManager := tcp.NewDialerManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler, tlsManager)

 	// Router factory

@@ -1,4 +1,4 @@
 /* Use a wider grid to accommodate table content and code blocks. */
 .md-grid {
-  max-width: 1650px;
+  max-width: 1800px;
 }
@@ -8,6 +8,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
 - **Let's Encrypt** for automated certificate management
 - **Sticky sessions** for stateful applications
 - **Multi-layer routing** for hierarchical routing with a complex authentication based routing example
+- **Service middlewares** for applying middleware at the service level

 ## Prerequisites

@@ -382,6 +383,71 @@ You should see the response from the admin-backend service when authenticating a

 For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).

+## Service Middlewares
+
+Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
+
+This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
+
+### When to Use Service Middlewares
+
+Use service middlewares when:
+
+- Multiple routers forward traffic to the same service, and all should have the same middleware applied
+- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
+- You're centralizing middleware configuration at the service level for easier management
+
+### Add Service Middleware Labels
+
+Add the following labels to your whoami service in `docker-compose.yml`:
+
+```yaml
+services:
+  whoami:
+    image: traefik/whoami
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
+      - "traefik.http.routers.whoami.entrypoints=websecure"
+      - "traefik.http.routers.whoami.tls=true"
+      # Define the middleware
+      - "traefik.http.middlewares.service-headers.headers.customRequestHeaders.X-Service-Middleware=applied"
+      # Attach middleware at the SERVICE level (not the router level)
+      - "traefik.http.services.whoami.middlewares=service-headers"
+      - "traefik.http.services.whoami.loadbalancer.server.port=80"
+```
+
+!!! info "Service-Level vs Router-Level Middlewares"
+
+    - **Router-level middleware** (`traefik.http.routers.<name>.middlewares`): Applied only when traffic matches that specific router's rule
+    - **Service-level middleware** (`traefik.http.services.<name>.middlewares`): Applied to all traffic reaching the service, regardless of which router forwarded it
+
+    When both are configured, router middlewares execute first, followed by service middlewares.
+
+Apply the changes:
+
+```bash
+docker compose up -d
+```
+
+### Test Service Middleware
+
+Verify the service middleware is working:
+
+```bash
+curl -k -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+In the response from whoami, you should see the custom header that was added by the service middleware:
+
+```text
+X-Service-Middleware: applied
+```
+
+For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
+
 ## Conclusion

 In this advanced guide, you've learned how to:
@@ -390,6 +456,7 @@ In this advanced guide, you've learned how to:
 - Automate certificate management with Let's Encrypt
 - Implement sticky sessions for stateful applications
 - Setup multi-layer routing for authentication-based routing
+- Apply middlewares at the service level for centralized middleware management

 These advanced capabilities allow you to build production-ready Traefik deployments with Docker. Each of these can be further customized to meet your specific requirements.

@@ -9,6 +9,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
 - **cert-manager** for automated certificate management (Gateway API)
 - **Sticky sessions** for stateful applications
 - **Multi-layer routing** for hierarchical routing with complex authentication scenarios (IngressRoute only)
+- **Service middlewares** for applying middleware at the service level

 ## Prerequisites

@@ -806,6 +807,182 @@ spec:

 For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).

+## Service Middlewares
+
+Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
+
+This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
+
+### When to Use Service Middlewares
+
+Use service middlewares when:
+
+- Multiple routers forward traffic to the same service, and all should have the same middleware applied
+- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
+- You're centralizing middleware configuration at the service level for easier management
+
+!!! info "Service-Level vs Router-Level Middlewares"
+
+    - **Router-level middleware**: Applied only when traffic matches that specific router's rule
+    - **Service-level middleware**: Applied to all traffic reaching the service, regardless of which router forwarded it
+
+    When both are configured, router middlewares execute first, followed by service middlewares.
+
+### Using IngressRoute with Service Middlewares
+
+With IngressRoute, you can attach middlewares directly to a service reference within a route:
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: service-headers
+  namespace: default
+spec:
+  headers:
+    customRequestHeaders:
+      X-Service-Middleware: "applied"
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`whoami.docker.localhost`)
+    kind: Rule
+    services:
+    - name: whoami
+      port: 80
+      middlewares:
+        - name: service-headers
+  tls: {}
+```
+
+Save this as `service-middleware-ingressroute.yaml` and apply it:
+
+```bash
+kubectl apply -f service-middleware-ingressroute.yaml
+```
+
+### Using Gateway API with Backend Filters
+
+Gateway API supports applying filters directly to individual backends through the `backendRefs[].filters` field. This enables backend-level request modifications.
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: service-headers
+  namespace: default
+spec:
+  headers:
+    customRequestHeaders:
+      X-Service-Middleware: "applied"
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  parentRefs:
+  - name: traefik-gateway
+    sectionName: websecure
+  hostnames:
+  - "whoami.docker.localhost"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: whoami
+      port: 80
+      filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: traefik.io
+          kind: Middleware
+          name: service-headers
+```
+
+Gateway API also supports the native `RequestHeaderModifier` filter type for simpler header modifications:
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  parentRefs:
+  - name: traefik-gateway
+    sectionName: websecure
+  hostnames:
+  - "whoami.docker.localhost"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: whoami
+      port: 80
+      filters:
+      - type: RequestHeaderModifier
+        requestHeaderModifier:
+          add:
+          - name: X-Backend-Header
+            value: "gateway-api-filter"
+```
+
+Save and apply:
+
+```bash
+kubectl apply -f service-middleware-gateway.yaml
+```
+
+### Using Kubernetes Ingress with Service Annotation
+
+For standard Kubernetes Ingress, you can apply middlewares to a service using annotations:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/service.middlewares: default-service-headers@kubernetescrd
+spec:
+  selector:
+    app: whoami
+  ports:
+    - port: 80
+```
+
+The annotation value follows the format `<namespace>-<middleware-name>@kubernetescrd`.
+
+### Test Service Middleware
+
+Verify the service middleware is working:
+
+```bash
+curl -k -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+In the response from whoami, you should see the custom header that was added by the service middleware:
+
+```text
+X-Service-Middleware: applied
+```
+
+For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
+
 ## Conclusion

 In this advanced guide, you've learned how to:
@@ -814,6 +991,7 @@ In this advanced guide, you've learned how to:
 - Automate certificate management with Let's Encrypt (IngressRoute) and cert-manager (Gateway API)
 - Implement sticky sessions for stateful applications
 - Setup multi-layer routing for authentication-based routing (IngressRoute only)
+- Apply middlewares at the service level for centralized middleware management

 These advanced capabilities allow you to build production-ready Traefik deployments with Kubernetes. Each of these can be further customized to meet your specific requirements.

@@ -8,6 +8,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
 - **Let's Encrypt** for automated certificate management
 - **Sticky sessions** for stateful applications
 - **Multi-layer routing** for complex authentication scenarios
+- **Service middlewares** for applying middleware at the service level

 ## Prerequisites

@@ -382,6 +383,73 @@ You should see the response from the admin-backend service when authenticating a

 For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).

+## Service Middlewares
+
+Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
+
+This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
+
+### When to Use Service Middlewares
+
+Use service middlewares when:
+
+- Multiple routers forward traffic to the same service, and all should have the same middleware applied
+- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
+- You're centralizing middleware configuration at the service level for easier management
+
+### Add Service Middleware Labels
+
+Add the following labels to your whoami service deployment section in `docker-compose.yml`:
+
+```yaml
+services:
+  whoami:
+    image: traefik/whoami
+    networks:
+      - traefik_proxy
+    deploy:
+      replicas: 2
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.whoami.rule=Host(`whoami.swarm.localhost`)"
+        - "traefik.http.routers.whoami.entrypoints=websecure"
+        - "traefik.http.routers.whoami.tls=true"
+        # Define the middleware
+        - "traefik.http.middlewares.service-headers.headers.customRequestHeaders.X-Service-Middleware=applied"
+        # Attach middleware at the SERVICE level (not the router level)
+        - "traefik.http.services.whoami.middlewares=service-headers"
+        - "traefik.http.services.whoami.loadbalancer.server.port=80"
+```
+
+!!! info "Service-Level vs Router-Level Middlewares"
+
+    - **Router-level middleware** (`traefik.http.routers.<name>.middlewares`): Applied only when traffic matches that specific router's rule
+    - **Service-level middleware** (`traefik.http.services.<name>.middlewares`): Applied to all traffic reaching the service, regardless of which router forwarded it
+
+    When both are configured, router middlewares execute first, followed by service middlewares.
+
+Deploy the stack:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+### Test Service Middleware
+
+Verify the service middleware is working:
+
+```bash
+curl -k -H "Host: whoami.swarm.localhost" https://localhost/
+```
+
+In the response from whoami, you should see the custom header that was added by the service middleware:
+
+```text
+X-Service-Middleware: applied
+```
+
+For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
+
 ## Conclusion

 In this advanced guide, you've learned how to:
@@ -390,6 +458,7 @@ In this advanced guide, you've learned how to:
 - Automate certificate management with Let's Encrypt
 - Implement sticky sessions for stateful applications
 - Setup multi-layer routing for authentication-based routing
+- Apply middlewares at the service level for centralized middleware management

 These advanced capabilities allow you to build production-ready Traefik deployments with Docker Swarm. Each of these can be further customized to meet your specific requirements.

@@ -77,7 +77,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v3.6 --help
+# ex: docker run traefik:v3.7 --help
 ```

 Check the [CLI reference](../reference/install-configuration/configuration-options.md "Link to CLI reference overview") for an overview about all available arguments.
@@ -36,7 +36,7 @@ This configuration:
 # docker-compose.yml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
@@ -84,7 +84,7 @@ docker run -d \
  -p 8080:8080 \
  -v $PWD/traefik.yml:/etc/traefik/traefik.yml \
  -v /var/run/docker.sock:/var/run/docker.sock \
-  traefik:v3.6
+  traefik:v3.7
 ```

 ## Expose the Dashboard
@@ -250,7 +250,7 @@ To use the Gateway API:
 Install the Gateway API CRDs in your cluster:

 ```bash
-kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
 ```

 Create an HTTPRoute. This configuration:
@@ -50,8 +50,9 @@ spec:
                name: whoami
                port:
                  number: 80
+```

---
+```yaml tab="Service & Deployment"
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -92,6 +93,12 @@ For a complete list of supported annotations and behavioral differences, see the

    The Kubernetes Ingress NGINX provider requires **Traefik v3.6.2 or later**.

+!!! info "Legacy Scheme Headers"
+
+    If your applications still depend on ingress-nginx's legacy `X-Forwarded-Scheme` or `X-Scheme` headers,
+    enable `entryPoints.<name>.forwardedHeaders.addXForwardedSchemeHeaders=true` on the entrypoints that receive this traffic.
+    This keeps `X-Forwarded-Proto` unchanged and restores the compatibility headers at the entrypoint level for every provider.
+
 ---

 ## Prerequisites
@@ -132,10 +139,85 @@ Final:       DNS → LoadBalancer → Traefik → Your Services

 **Migration Flow:**

-1. Install Traefik alongside NGINX (both serving traffic in parallel)
-2. Add Traefik LoadBalancer to DNS (if you choose DNS option; cf. step 3)
-3. Progressively shift traffic from NGINX to Traefik
-4. Remove NGINX from DNS, preserve the IngressClass, and uninstall
+- **Step 0** - Review your ingress-nginx ConfigMap and translate cluster-wide defaults to Traefik
+- **Step 1** - Install Traefik alongside NGINX
+- **Step 2** - Verify Traefik is handling traffic
+- **Step 3** - Progressively shift traffic from NGINX to Traefik
+- **Step 4** - Remove NGINX from DNS, preserve the IngressClass, and uninstall
+
+---
+
+## Step 0: Migrate Your Global ConfigMap Settings
+
+Before you install Traefik, review the global defaults currently set in the `ingress-nginx` ConfigMap.
+In ingress-nginx, the controller ConfigMap acts as a cluster-wide configuration layer.
+In Traefik, the same behavior is split across:
+
+- the `providers.kubernetesIngressNGINX` static configuration for ingress-nginx compatibility defaults
+- entryPoints for listener behavior such as HTTP-to-HTTPS redirection and PROXY protocol
+- dynamic `tls.options` and HTTP middlewares for TLS policy, HSTS, and other header behavior
+- Traefik access log configuration for request logging
+
+Start by exporting the ConfigMap you use today and reviewing the keys you have customized:
+
+```bash
+kubectl get configmap --all-namespaces -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller -o yaml
+```
+
+This label selector locates the controller ConfigMap regardless of the namespace or release name you used when installing ingress-nginx.
+
+!!! tip "Convert NGINX units before copying values"
+
+    Several ingress-nginx ConfigMap keys use NGINX-style values such as `16k`, `1m`, or `30s`.
+    In Traefik, the matching `providers.kubernetesIngressNGINX` options below expect:
+
+    - raw byte values for body-size and buffer settings
+    - integer seconds for `proxyConnectTimeout` and `proxyNextUpstreamTimeout`
+    - booleans for `proxyRequestBuffering` and `proxyBuffering`
+
+### ConfigMap to Traefik Mapping
+
+| ingress-nginx ConfigMap key | Traefik equivalent <br/> (provider options) | Notes |
+|---|---|---|
+| `proxy-connect-timeout` | `proxyConnectTimeout` | Use integer seconds. |
+| `proxy-request-buffering` | `proxyRequestBuffering` | Translate `on` / `off` to `true` / `false`. ingress-nginx enables request buffering by default, while Traefik defaults to `false`. |
+| `client-body-buffer-size` | `clientBodyBufferSize` | Convert values such as `16k` to bytes. |
+| `proxy-buffering` | `proxyBuffering` | Translate `on` / `off` to `true` / `false`. |
+| `proxy-body-size` | `proxyBodySize` | Convert values such as `1m` to bytes. |
+| `proxy-buffer-size` | `proxyBufferSize` | Convert values such as `8k` to bytes. |
+| `proxy-buffers-number` | `proxyBuffersNumber` | Keep the integer value. |
+| `proxy-next-upstream` | `proxyNextUpstream` | Use a space-separated list of retry conditions such as `error timeout http_502`. |
+| `proxy-next-upstream-timeout` | `proxyNextUpstreamTimeout` | Use integer seconds. |
+| `proxy-next-upstream-tries` | `proxyNextUpstreamTries` | Keep the integer value. |
+| `custom-http-errors` | `customHTTPErrors` | Also configure `providers.kubernetesIngressNGINX.defaultBackendService` if you want a global error page service. |
+| `global-allowed-response-headers` | `globalAllowedResponseHeaders` | Required for `nginx.ingress.kubernetes.io/custom-headers` annotations to take effect. |
+| `allow-cross-namespace-resources` | `allowCrossNamespaceResources` | Use when migrated ingresses must reference supported resources in other namespaces. |
+| `strict-validate-path-type` | `strictValidatePathType` | Traefik v3.7 defaults this option to `true`. |
+| `ssl-redirect` / `force-ssl-redirect` | `nginx.ingress.kubernetes.io/ssl-redirect` and `nginx.ingress.kubernetes.io/force-ssl-redirect` annotations, or cluster-wide [entryPoint redirection](../reference/install-configuration/entrypoints.md#configuration-example) | Traefik translates the annotations when they are present. For a global default, configure HTTP-to-HTTPS redirection on the `web` entryPoint and set `providers.kubernetesIngressNGINX.httpEntryPoint` / `httpsEntryPoint` if you need explicit entryPoint selection. |
+| `ssl-protocols` / `ssl-ciphers` | [TLS options](../reference/routing-configuration/http/tls/tls-options.md) | Apply them globally through an entryPoint TLS option, or per Ingress via `traefik.ingress.kubernetes.io/router.tls.options`. |
+| `hsts`, `hsts-max-age`, `hsts-include-subdomains`, `hsts-preload` | [Headers middleware](../reference/routing-configuration/http/middlewares/headers.md) | Use `stsSeconds`, `stsIncludeSubdomains`, `stsPreload`, and `forceSTSHeader`. Attach the middleware on an entryPoint for a cluster-wide default. |
+| `use-proxy-protocol` | [EntryPoint `proxyProtocol` configuration](../reference/install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) | Configure it on every entryPoint that sits behind a load balancer speaking PROXY protocol. |
+| `access-log-path` | `accessLog.filePath` | Static configuration. |
+| `log-format-upstream` | `accessLog.format` | Use Traefik's built-in `common`, `genericCLF`, or `json` formats. Custom NGINX log format strings do not have a 1:1 equivalent. |
+
+### ConfigMap Keys Without a Direct Equivalent
+
+Some ingress-nginx ConfigMap keys are NGINX-specific and can be dropped during migration because Traefik does not expose raw NGINX internals.
+Common examples include:
+
+- worker tuning such as `worker-processes`, `worker-cpu-affinity`, and Lua shared dict settings
+- snippet-style keys such as `main-snippet`, `http-snippet`, `server-snippet`, `location-snippet`, and `stream-snippet`
+- custom NGINX log format templates beyond Traefik's built-in access log formats
+
+When you find one of these keys, translate the underlying intent rather than trying to copy the directive verbatim.
+
+### Reference Pages
+
+- [Kubernetes Ingress NGINX provider configuration](../reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md)
+- [Traefik TLS Options](../reference/routing-configuration/http/tls/tls-options.md)
+- [Traefik Headers Middleware](../reference/routing-configuration/http/middlewares/headers.md)
+- [Traefik EntryPoints configuration](../reference/install-configuration/entrypoints.md)
+- [ingress-nginx ConfigMap reference](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/)

 ---

@@ -470,14 +552,14 @@ kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ $in
    
    ```bash
    NGINX_IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller \
-  -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
-     
+      -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
+
    echo "NGINX IP: $NGINX_IP"
    ```
-    
+
    **Edit your existing NGINX LoadBalancer service to ensure that the floating IP is not released when the loadbalancer service is deleted:**
-    
-    
+
+    ```bash
    kubectl annotate svc my-lb-svc loadbalancer.openstack.org/keep-floatingip=true
    ```
    
@@ -9,6 +9,141 @@ This guide provides detailed migration steps for upgrading between different Tra

 ---

+## v3.7.3
+
+### Kubernetes Gateway API Provider
+
+Starting with `v3.7.3`, the QPS and Burst values of the Kubernetes client used by the Kubernetes Gateway API provider have been increased to `50` and `100` respectively (10x the default values of the Kubernetes client).
+
+The Kubernetes Gateway API provider writes status updates intensively to comply with the Kubernetes Gateway API specification.
+This change helps avoid performance issues related to Kubernetes API rate limiting, which can increase the setup time when a new routing configuration is built.
+
+These values are configurable through the [`kubernetesGateway.qps`](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md#opt-providers-kubernetesgateway-qps)
+and [`kubernetesGateway.burst`](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md#opt-providers-kubernetesgateway-burst) provider options.
+
+### BasicAuth Middleware
+
+From version `v3.7.3` onwards, the BasicAuth middleware requires a non-empty users configuration in order to be built successfully.
+Previously, the middleware would be built successfully but always return a 401 status code for any request.
+Now, an error occurs and any routers using it will be unmounted. For the same request, a 404 status code is served instead of a 401 status code.
+
+### StripPrefix and StripPrefixRegex Middleware
+
+From version `v3.7.3` onwards, the StripPrefix middleware and the StripPrefixRegex middleware reject requests (`400 Bad Request`)
+when stripping the configured prefix produces a path that differs from its normalised form
+(i.e. a path containing `.` or `..` segments that would be collapsed by normalisation).
+
+This prevents the stripped path from being interpreted as a different resource by the upstream service.
+
+Examples with a configured prefix of `/api`:
+
+| Request path | Path after strip | Normalised path | Result       |
+|--------------|------------------|-----------------|--------------|
+| `/api/foo`   | `/foo`           | `/foo`          | `200` (sent) |
+| `/api/`      | `/`              | `/`             | `200` (sent) |
+| `/api./foo`  | `/./foo`         | `/foo`          | `400`        |
+| `/api../foo` | `/../foo`        | `/foo`          | `400`        |
+
+---
+
+## v3.7.1
+
+### Kubernetes providers: `crossProviderNamespaces`
+
+In `v3.7.1`, a new `crossProviderNamespaces` option is available on the Kubernetes CRD, Ingress, and Gateway providers.
+
+Traefik offers the possibility to reference resources from one provider to another (cross-provider references).
+
+However, in the context of Kubernetes providers,
+those references (e.g. `myservice@kubernetescrd`) allow a user to cross namespace boundaries,
+as well as exposing `@internal` services, that only the operator should be able to expose.
+
+This new `crossProviderNamespaces` option restricts in which namespaces Kubernetes resources are allowed to use cross-provider references.
+
+The behavior is as follows:
+
+| Value      | Behavior                                                                                  |
+|------------|-------------------------------------------------------------------------------------------|
+| not set    | All Kubernetes resources can declare cross-provider references.                           |
+| `[]`       | Every Kubernetes resource declaring a cross-provider reference is rejected.               |
+| `["ns-a"]` | Only Kubernetes resources in the listed namespaces can declare cross-provider references. |
+
+Please check out the [Kubernetes CRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md#opt-providers-kubernetesCRD-crossProviderNamespaces), [Kubernetes Ingress](../reference/install-configuration/providers/kubernetes/kubernetes-ingress.md#opt-providers-kubernetesIngress-crossProviderNamespaces),
+and [Kubernetes Gateway](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md#opt-providers-kubernetesGateway-crossProviderNamespaces) provider documentation for more details.
+
+---
+
+## v3.7.0
+
+### Ingress NGINX Provider
+
+Starting with `v3.7.0`, the Ingress NGINX provider now supports the `nginx.ingress.kubernetes.io/custom-headers` annotation to add custom headers to the response forwarded to the client.
+
+Therefore, in the corresponding RBACs (see [KubernetesIngressNGINX](../reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml) provider RBACs) the `configmaps` right has been added.
+
+**Required RBAC Updates:**
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - list
+      - watch  
+  ...
+```
+
+### Kubernetes Gateway API Provider
+
+Starting with `v3.7.0`, the Kubernetes Gateway API provider supports version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the specification,
+which requires the Gateway API CRDs to be updated.
+
+`TLSRoute` has graduated to the Standard channel and no longer requires the `experimentalChannel` option.
+The `experimentalChannel` option is now only needed for `TCPRoute`.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
+```
+
+For the experimental channel:
+
+```shell
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/experimental-install.yaml
+```
+
+### Kubernetes CRD Provider
+
+To use the new options of the `retry` middleware or the new `ingressClassName` field with the Kubernetes CRD provider, you need to update your CRDs.
+
+**Apply Updated CRDs:**
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+### Wildcard Host and HostSNI
+
+Since `v3.7.0`, the `Host` and `HostSNI` matchers support wildcard subdomain matching (e.g., `*.example.com`).
+This allows matching any direct subdomain of a domain with a single-level wildcard prefix.
+For example, `*.example.com` matches `foo.example.com` but not `foo.bar.example.com` or `example.com` itself.
+
+This feature is only available with the v3 rule syntax (the default).
+
+#### TLSOptions with Wildcard Domains
+
+Since `v3.7.0`, TLSOptions can now be associated with routers using wildcard `Host` and `HostSNI` matchers (e.g., `Host(`*.example.com`)`).
+This enables configuring different TLS options for wildcard domains.
+
+Previously, TLSOptions selection was limited to exact `Host` matches, and using `HostRegexp` or wildcards would fall back to the default TLS options with a warning message like: `No domain found in rule HostRegexp(...) the TLS option foo cannot be applied`.
+
+Note: TLSOptions for `HostRegexp` matchers remains unsupported. Use wildcard `Host` matchers as an alternative.
+
+---
+
 ## v3.6.19

 ### Kubernetes Gateway API Provider
@@ -44,6 +179,8 @@ Examples with a configured prefix of `/api`:
 | `/api./foo`  | `/./foo`         | `/foo`          | `400`        |
 | `/api../foo` | `/../foo`        | `/foo`          | `400`        |

+---
+
 ## v3.6.17

 ### Kubernetes providers: `crossProviderNamespaces`
@@ -380,6 +380,9 @@
      serverName = "foobar"
      insecureSkipVerify = true
      rootCAs = ["foobar", "foobar"]
+      cipherSuites = ["foobar", "foobar"]
+      minVersion = "foobar"
+      maxVersion = "foobar"
      maxIdleConnsPerHost = 42
      disableHTTP2 = true
      peerCertURI = "foobar"
@@ -404,6 +407,9 @@
      serverName = "foobar"
      insecureSkipVerify = true
      rootCAs = ["foobar", "foobar"]
+      cipherSuites = ["foobar", "foobar"]
+      minVersion = "foobar"
+      maxVersion = "foobar"
      maxIdleConnsPerHost = 42
      disableHTTP2 = true
      peerCertURI = "foobar"
@@ -441,6 +441,11 @@ http:
          keyFile: foobar
        - certFile: foobar
          keyFile: foobar
+      cipherSuites:
+        - foobar
+        - foobar
+      minVersion: foobar
+      maxVersion: foobar
      maxIdleConnsPerHost: 42
      forwardingTimeouts:
        dialTimeout: 42s
@@ -466,6 +471,11 @@ http:
          keyFile: foobar
        - certFile: foobar
          keyFile: foobar
+      cipherSuites:
+        - foobar
+        - foobar
+      minVersion: foobar
+      maxVersion: foobar
      maxIdleConnsPerHost: 42
      forwardingTimeouts:
        dialTimeout: 42s
@@ -24,7 +24,7 @@ spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik:v3.6
+          image: traefik:v3.7
          args:
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443
@@ -8,6 +8,7 @@ rules:
    resources:
      - services
      - secrets
+      - configmaps
    verbs:
      - list
      - watch
@@ -43,16 +43,20 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
                  Default: all.
                items:
                  type: string
                type: array
+              ingressClassName:
+                description: IngressClassName defines the name of the IngressClass
+                  cluster resource.
+                type: string
              parentRefs:
                description: |-
                  ParentRefs defines references to parent IngressRoute resources for multi-layer routing.
                  When set, this IngressRoute's routers will be children of the referenced parent IngressRoute's routers.
-                  More info: https://doc.traefik.io/traefik/v3.6/routing/routers/#parentrefs
+                  More info: https://doc.traefik.io/traefik/v3.7/routing/routers/#parentrefs
                items:
                  description: IngressRouteRef is a reference to an IngressRoute resource.
                  properties:
@@ -84,12 +88,12 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/middleware/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/middleware/
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -109,7 +113,7 @@ spec:
                    observability:
                      description: |-
                        Observability defines the observability configuration for a router.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/observability/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/observability/
                      properties:
                        accessLogs:
                          description: AccessLogs enables access logs for this router.
@@ -132,7 +136,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#priority
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/#priority
                      maximum: 9223372036854775000
                      type: integer
                    services:
@@ -219,6 +223,25 @@ spec:
                            - Service
                            - TraefikService
                            type: string
+                          middlewares:
+                            description: Middlewares defines the list of references
+                              to Middleware resources to apply to the service.
+                            items:
+                              description: MiddlewareRef is a reference to a Middleware
+                                resource.
+                              properties:
+                                name:
+                                  description: Name defines the name of the referenced
+                                    Middleware resource.
+                                  type: string
+                                namespace:
+                                  description: Namespace defines the namespace of
+                                    the referenced Middleware resource.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
                          name:
                            description: |-
                              Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -302,7 +325,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -376,7 +399,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax

                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      type: string
@@ -387,18 +410,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/router/#tls
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/router/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/tls/certificate-resolvers/acme/
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#domains
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -417,17 +440,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-options/
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-options/
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsoption/
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsoption/
                        type: string
                    required:
                    - name
@@ -444,12 +467,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsstore/
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsstore/
                        type: string
                    required:
                    - name
@@ -43,11 +43,15 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
                  Default: all.
                items:
                  type: string
                type: array
+              ingressClassName:
+                description: IngressClassName defines the name of the IngressClass
+                  cluster resource.
+                type: string
              routes:
                description: Routes defines the list of routes.
                items:
@@ -56,7 +60,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +84,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
                      maximum: 9223372036854775000
                      type: integer
                    services:
@@ -122,7 +126,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/service/#proxy-protocol

                              Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
                            properties:
@@ -166,7 +170,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax

                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      enum:
@@ -180,18 +184,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/router/#tls
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/router/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/tls/certificate-resolvers/acme/
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#domains
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/tls/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -210,7 +214,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -43,11 +43,15 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
                  Default: all.
                items:
                  type: string
                type: array
+              ingressClassName:
+                description: IngressClassName defines the name of the IngressClass
+                  cluster resource.
+                type: string
              routes:
                description: Routes defines the list of routes.
                items:
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -45,7 +45,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -60,12 +60,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -86,7 +86,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -118,14 +118,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/chain/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -188,7 +188,7 @@ spec:
                description: |-
                  Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/compress/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/compress/
                properties:
                  defaultEncoding:
                    description: DefaultEncoding specifies the default encoding if
@@ -239,12 +239,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/digestauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -260,11 +260,44 @@ spec:
                      containing user credentials.
                    type: string
                type: object
+              encodedCharacters:
+                description: EncodedCharacters configures which encoded characters
+                  are allowed in the request path.
+                properties:
+                  allowEncodedBackSlash:
+                    description: AllowEncodedBackSlash defines whether requests with
+                      encoded back slash characters in the path are allowed.
+                    type: boolean
+                  allowEncodedHash:
+                    description: AllowEncodedHash defines whether requests with encoded
+                      hash characters in the path are allowed.
+                    type: boolean
+                  allowEncodedNullCharacter:
+                    description: AllowEncodedNullCharacter defines whether requests
+                      with encoded null characters in the path are allowed.
+                    type: boolean
+                  allowEncodedPercent:
+                    description: AllowEncodedPercent defines whether requests with
+                      encoded percent characters in the path are allowed.
+                    type: boolean
+                  allowEncodedQuestionMark:
+                    description: AllowEncodedQuestionMark defines whether requests
+                      with encoded question mark characters in the path are allowed.
+                    type: boolean
+                  allowEncodedSemicolon:
+                    description: AllowEncodedSemicolon defines whether requests with
+                      encoded semicolon characters in the path are allowed.
+                    type: boolean
+                  allowEncodedSlash:
+                    description: AllowEncodedSlash defines whether requests with encoded
+                      slash characters in the path are allowed.
+                    type: boolean
+                type: object
              errors:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/errorpages/
                properties:
                  query:
                    description: |-
@@ -276,7 +309,7 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/errorpages/#service
                    properties:
                      healthCheck:
                        description: Healthcheck defines health checks for ExternalName
@@ -354,6 +387,25 @@ spec:
                        - Service
                        - TraefikService
                        type: string
+                      middlewares:
+                        description: Middlewares defines the list of references to
+                          Middleware resources to apply to the service.
+                        items:
+                          description: MiddlewareRef is a reference to a Middleware
+                            resource.
+                          properties:
+                            name:
+                              description: Name defines the name of the referenced
+                                Middleware resource.
+                              type: string
+                            namespace:
+                              description: Namespace defines the namespace of the
+                                referenced Middleware resource.
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
                      name:
                        description: |-
                          Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -437,7 +489,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -529,7 +581,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -557,7 +609,11 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex
+                    type: string
+                  authSigninURL:
+                    description: AuthSigninURL specifies the URL to redirect to when
+                      the authentication server returns 401 Unauthorized.
                    type: string
                  forwardBody:
                    description: ForwardBody defines whether to send the request body
@@ -566,7 +622,7 @@ spec:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/#headerfield
                    type: string
                  maxBodySize:
                    description: MaxBodySize defines the maximum body size in bytes
@@ -635,7 +691,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -807,7 +863,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -821,12 +877,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -862,12 +918,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -905,7 +961,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -936,7 +992,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1039,13 +1095,13 @@ spec:
                  x-kubernetes-preserve-unknown-fields: true
                description: |-
                  Plugin defines the middleware plugin configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/#community-middlewares
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/overview/#community-middlewares
                type: object
              rateLimit:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/ratelimit/
                properties:
                  average:
                    description: |-
@@ -1164,7 +1220,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1200,7 +1256,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1219,7 +1275,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: |-
@@ -1237,7 +1293,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1248,7 +1304,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1264,13 +1320,18 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/retry/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
                      be retried.
                    minimum: 0
                    type: integer
+                  disableRetryOnNetworkError:
+                    description: DisableRetryOnNetworkError defines whether to disable
+                      the retry if an error occurs when transmitting the request to
+                      the server.
+                    type: boolean
                  initialInterval:
                    anyOf:
                    - type: integer
@@ -1283,12 +1344,40 @@ spec:
                      see https://pkg.go.dev/time#ParseDuration.
                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                    x-kubernetes-int-or-string: true
+                  maxRequestBodyBytes:
+                    description: |-
+                      MaxRequestBodyBytes defines the maximum size for the request body.
+                      Default is `-1`, which means no limit.
+                    format: int64
+                    minimum: -1
+                    type: integer
+                  retryNonIdempotentMethod:
+                    description: RetryNonIdempotentMethod activates the retry for
+                      non-idempotent methods (POST, LOCK, PATCH)
+                    type: boolean
+                  status:
+                    description: Status defines the range of HTTP status codes to
+                      retry on.
+                    items:
+                      pattern: ^([1-5][0-9]{2}[,-]?)+$
+                      type: string
+                    type: array
+                  timeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: |-
+                      Timeout defines how much time the middleware is allowed to retry the request.
+                      The value of timeout should be provided in seconds or as a valid duration format,
+                      see https://pkg.go.dev/time#ParseDuration.
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
+                    x-kubernetes-int-or-string: true
                type: object
              stripPrefix:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1307,7 +1396,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -56,7 +56,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +69,7 @@ spec:
                description: |-
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/ipwhitelist/

                  Deprecated: please use IPAllowList instead.
                properties:
@@ -21,7 +21,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/serverstransport/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/serverstransport/
        properties:
          apiVersion:
            description: |-
@@ -49,6 +49,12 @@ spec:
                items:
                  type: string
                type: array
+              cipherSuites:
+                description: CipherSuites defines the cipher suites to use when contacting
+                  backend servers.
+                items:
+                  type: string
+                type: array
              disableHTTP2:
                description: DisableHTTP2 disables HTTP/2 for connections with backend
                  servers.
@@ -109,6 +115,14 @@ spec:
                  to keep per-host.
                minimum: -1
                type: integer
+              maxVersion:
+                description: MaxVersion defines the maximum TLS version to use when
+                  contacting backend servers.
+                type: string
+              minVersion:
+                description: MinVersion defines the minimum TLS version to use when
+                  contacting backend servers.
+                type: string
              peerCertURI:
                description: PeerCertURI defines the peer cert URI used to match against
                  SAN URI during the peer certificate verification.
@@ -21,7 +21,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/serverstransport/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/serverstransport/
        properties:
          apiVersion:
            description: |-
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
        properties:
          apiVersion:
            description: |-
@@ -44,14 +44,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
                items:
                  type: string
                type: array
@@ -79,7 +79,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
                items:
                  type: string
                type: array
@@ -21,7 +21,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
        properties:
          apiVersion:
            description: |-
@@ -22,7 +22,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/traefikservice/
        properties:
          apiVersion:
            description: |-
@@ -44,6 +44,532 @@ spec:
          spec:
            description: TraefikServiceSpec defines the desired state of a TraefikService.
            properties:
+              failover:
+                description: Failover defines the Failover service configuration.
+                properties:
+                  errors:
+                    description: Errors defines which errors should trigger the use
+                      of the fallback service.
+                    properties:
+                      maxRequestBodyBytes:
+                        description: |-
+                          MaxRequestBodyBytes defines the maximum size allowed for the body of the request.
+                          Default value is -1, which means unlimited size.
+                        format: int64
+                        type: integer
+                      status:
+                        description: Status defines the list of status code ranges
+                          for which the fallback service should be used.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  fallback:
+                    description: Fallback defines the fallback service to use when
+                      the main service returns an error.
+                    properties:
+                      healthCheck:
+                        description: Healthcheck defines health checks for ExternalName
+                          services.
+                        properties:
+                          followRedirects:
+                            description: |-
+                              FollowRedirects defines whether redirects should be followed during the health check calls.
+                              Default: true
+                            type: boolean
+                          headers:
+                            additionalProperties:
+                              type: string
+                            description: Headers defines custom headers to be sent
+                              to the health check endpoint.
+                            type: object
+                          hostname:
+                            description: Hostname defines the value of hostname in
+                              the Host header of the health check request.
+                            type: string
+                          interval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Interval defines the frequency of the health check calls for healthy targets.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                          method:
+                            description: Method defines the healthcheck method.
+                            type: string
+                          mode:
+                            description: |-
+                              Mode defines the health check mode.
+                              If defined to grpc, will use the gRPC health check protocol to probe the server.
+                              Default: http
+                            type: string
+                          path:
+                            description: Path defines the server URL path for the
+                              health check endpoint.
+                            type: string
+                          port:
+                            description: Port defines the server URL port for the
+                              health check endpoint.
+                            type: integer
+                          scheme:
+                            description: Scheme replaces the server URL scheme for
+                              the health check endpoint.
+                            type: string
+                          status:
+                            description: Status defines the expected HTTP status code
+                              of the response to the health check request.
+                            type: integer
+                          timeout:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                              Default: 5s
+                            x-kubernetes-int-or-string: true
+                          unhealthyInterval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                              When UnhealthyInterval is not defined, it defaults to the Interval value.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                        type: object
+                      kind:
+                        description: Kind defines the kind of the Service.
+                        enum:
+                        - Service
+                        - TraefikService
+                        type: string
+                      middlewares:
+                        description: Middlewares defines the list of references to
+                          Middleware resources to apply to the service.
+                        items:
+                          description: MiddlewareRef is a reference to a Middleware
+                            resource.
+                          properties:
+                            name:
+                              description: Name defines the name of the referenced
+                                Middleware resource.
+                              type: string
+                            namespace:
+                              description: Namespace defines the namespace of the
+                                referenced Middleware resource.
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      name:
+                        description: |-
+                          Name defines the name of the referenced Kubernetes Service or TraefikService.
+                          The differentiation between the two is specified in the Kind field.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Kubernetes Service or TraefikService.
+                        type: string
+                      nativeLB:
+                        description: |-
+                          NativeLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                          The Kubernetes Service itself does load-balance to the pods.
+                          By default, NativeLB is false.
+                        type: boolean
+                      nodePortLB:
+                        description: |-
+                          NodePortLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                          It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                          By default, NodePortLB is false.
+                        type: boolean
+                      passHostHeader:
+                        description: |-
+                          PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                          By default, passHostHeader is true.
+                        type: boolean
+                      passiveHealthCheck:
+                        description: PassiveHealthCheck defines passive health checks
+                          for ExternalName services.
+                        properties:
+                          failureWindow:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: FailureWindow defines the time window during
+                              which the failed attempts must occur for the server
+                              to be marked as unhealthy. It also defines for how long
+                              the server will be considered unhealthy.
+                            x-kubernetes-int-or-string: true
+                          maxFailedAttempts:
+                            description: MaxFailedAttempts is the number of consecutive
+                              failed attempts allowed within the failure window before
+                              marking the server as unhealthy.
+                            type: integer
+                        type: object
+                      port:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Port defines the port of a Kubernetes Service.
+                          This can be a reference to a named port.
+                        x-kubernetes-int-or-string: true
+                      responseForwarding:
+                        description: ResponseForwarding defines how Traefik forwards
+                          the response from the upstream Kubernetes Service to the
+                          client.
+                        properties:
+                          flushInterval:
+                            description: |-
+                              FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                              A negative value means to flush immediately after each write to the client.
+                              This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                              for such responses, writes are flushed to the client immediately.
+                              Default: 100ms
+                            type: string
+                        type: object
+                      scheme:
+                        description: |-
+                          Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                          It defaults to https when Kubernetes Service port is 443, http otherwise.
+                        type: string
+                      serversTransport:
+                        description: |-
+                          ServersTransport defines the name of ServersTransport resource to use.
+                          It allows to configure the transport between Traefik and your servers.
+                          Can only be used on a Kubernetes Service.
+                        type: string
+                      sticky:
+                        description: |-
+                          Sticky defines the sticky sessions configuration.
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                        properties:
+                          cookie:
+                            description: Cookie defines the sticky cookie configuration.
+                            properties:
+                              domain:
+                                description: |-
+                                  Domain defines the host to which the cookie will be sent.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                type: string
+                              httpOnly:
+                                description: HTTPOnly defines whether the cookie can
+                                  be accessed by client-side APIs, such as JavaScript.
+                                type: boolean
+                              maxAge:
+                                description: |-
+                                  MaxAge defines the number of seconds until the cookie expires.
+                                  When set to a negative number, the cookie expires immediately.
+                                  When set to zero, the cookie never expires.
+                                type: integer
+                              name:
+                                description: Name defines the Cookie name.
+                                type: string
+                              path:
+                                description: |-
+                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                  When not provided the cookie will be sent on every request to the domain.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                type: string
+                              sameSite:
+                                description: |-
+                                  SameSite defines the same site policy.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                enum:
+                                - none
+                                - lax
+                                - strict
+                                - None
+                                - Lax
+                                - Strict
+                                type: string
+                              secure:
+                                description: Secure defines whether the cookie can
+                                  only be transmitted over an encrypted connection
+                                  (i.e. HTTPS).
+                                type: boolean
+                            type: object
+                        type: object
+                      strategy:
+                        description: |-
+                          Strategy defines the load balancing strategy between the servers.
+                          Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
+                          RoundRobin value is deprecated and supported for backward compatibility.
+                        enum:
+                        - wrr
+                        - p2c
+                        - hrw
+                        - leasttime
+                        - RoundRobin
+                        type: string
+                      weight:
+                        description: |-
+                          Weight defines the weight and should only be specified when Name references a TraefikService object
+                          (and to be precise, one that embeds a Weighted Round Robin).
+                        minimum: 0
+                        type: integer
+                    required:
+                    - name
+                    type: object
+                  service:
+                    description: Service defines the main service to use.
+                    properties:
+                      healthCheck:
+                        description: Healthcheck defines health checks for ExternalName
+                          services.
+                        properties:
+                          followRedirects:
+                            description: |-
+                              FollowRedirects defines whether redirects should be followed during the health check calls.
+                              Default: true
+                            type: boolean
+                          headers:
+                            additionalProperties:
+                              type: string
+                            description: Headers defines custom headers to be sent
+                              to the health check endpoint.
+                            type: object
+                          hostname:
+                            description: Hostname defines the value of hostname in
+                              the Host header of the health check request.
+                            type: string
+                          interval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Interval defines the frequency of the health check calls for healthy targets.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                          method:
+                            description: Method defines the healthcheck method.
+                            type: string
+                          mode:
+                            description: |-
+                              Mode defines the health check mode.
+                              If defined to grpc, will use the gRPC health check protocol to probe the server.
+                              Default: http
+                            type: string
+                          path:
+                            description: Path defines the server URL path for the
+                              health check endpoint.
+                            type: string
+                          port:
+                            description: Port defines the server URL port for the
+                              health check endpoint.
+                            type: integer
+                          scheme:
+                            description: Scheme replaces the server URL scheme for
+                              the health check endpoint.
+                            type: string
+                          status:
+                            description: Status defines the expected HTTP status code
+                              of the response to the health check request.
+                            type: integer
+                          timeout:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                              Default: 5s
+                            x-kubernetes-int-or-string: true
+                          unhealthyInterval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                              When UnhealthyInterval is not defined, it defaults to the Interval value.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                        type: object
+                      kind:
+                        description: Kind defines the kind of the Service.
+                        enum:
+                        - Service
+                        - TraefikService
+                        type: string
+                      middlewares:
+                        description: Middlewares defines the list of references to
+                          Middleware resources to apply to the service.
+                        items:
+                          description: MiddlewareRef is a reference to a Middleware
+                            resource.
+                          properties:
+                            name:
+                              description: Name defines the name of the referenced
+                                Middleware resource.
+                              type: string
+                            namespace:
+                              description: Namespace defines the namespace of the
+                                referenced Middleware resource.
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      name:
+                        description: |-
+                          Name defines the name of the referenced Kubernetes Service or TraefikService.
+                          The differentiation between the two is specified in the Kind field.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Kubernetes Service or TraefikService.
+                        type: string
+                      nativeLB:
+                        description: |-
+                          NativeLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                          The Kubernetes Service itself does load-balance to the pods.
+                          By default, NativeLB is false.
+                        type: boolean
+                      nodePortLB:
+                        description: |-
+                          NodePortLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                          It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                          By default, NodePortLB is false.
+                        type: boolean
+                      passHostHeader:
+                        description: |-
+                          PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                          By default, passHostHeader is true.
+                        type: boolean
+                      passiveHealthCheck:
+                        description: PassiveHealthCheck defines passive health checks
+                          for ExternalName services.
+                        properties:
+                          failureWindow:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: FailureWindow defines the time window during
+                              which the failed attempts must occur for the server
+                              to be marked as unhealthy. It also defines for how long
+                              the server will be considered unhealthy.
+                            x-kubernetes-int-or-string: true
+                          maxFailedAttempts:
+                            description: MaxFailedAttempts is the number of consecutive
+                              failed attempts allowed within the failure window before
+                              marking the server as unhealthy.
+                            type: integer
+                        type: object
+                      port:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Port defines the port of a Kubernetes Service.
+                          This can be a reference to a named port.
+                        x-kubernetes-int-or-string: true
+                      responseForwarding:
+                        description: ResponseForwarding defines how Traefik forwards
+                          the response from the upstream Kubernetes Service to the
+                          client.
+                        properties:
+                          flushInterval:
+                            description: |-
+                              FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                              A negative value means to flush immediately after each write to the client.
+                              This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                              for such responses, writes are flushed to the client immediately.
+                              Default: 100ms
+                            type: string
+                        type: object
+                      scheme:
+                        description: |-
+                          Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                          It defaults to https when Kubernetes Service port is 443, http otherwise.
+                        type: string
+                      serversTransport:
+                        description: |-
+                          ServersTransport defines the name of ServersTransport resource to use.
+                          It allows to configure the transport between Traefik and your servers.
+                          Can only be used on a Kubernetes Service.
+                        type: string
+                      sticky:
+                        description: |-
+                          Sticky defines the sticky sessions configuration.
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                        properties:
+                          cookie:
+                            description: Cookie defines the sticky cookie configuration.
+                            properties:
+                              domain:
+                                description: |-
+                                  Domain defines the host to which the cookie will be sent.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                type: string
+                              httpOnly:
+                                description: HTTPOnly defines whether the cookie can
+                                  be accessed by client-side APIs, such as JavaScript.
+                                type: boolean
+                              maxAge:
+                                description: |-
+                                  MaxAge defines the number of seconds until the cookie expires.
+                                  When set to a negative number, the cookie expires immediately.
+                                  When set to zero, the cookie never expires.
+                                type: integer
+                              name:
+                                description: Name defines the Cookie name.
+                                type: string
+                              path:
+                                description: |-
+                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                  When not provided the cookie will be sent on every request to the domain.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                type: string
+                              sameSite:
+                                description: |-
+                                  SameSite defines the same site policy.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                enum:
+                                - none
+                                - lax
+                                - strict
+                                - None
+                                - Lax
+                                - Strict
+                                type: string
+                              secure:
+                                description: Secure defines whether the cookie can
+                                  only be transmitted over an encrypted connection
+                                  (i.e. HTTPS).
+                                type: boolean
+                            type: object
+                        type: object
+                      strategy:
+                        description: |-
+                          Strategy defines the load balancing strategy between the servers.
+                          Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
+                          RoundRobin value is deprecated and supported for backward compatibility.
+                        enum:
+                        - wrr
+                        - p2c
+                        - hrw
+                        - leasttime
+                        - RoundRobin
+                        type: string
+                      weight:
+                        description: |-
+                          Weight defines the weight and should only be specified when Name references a TraefikService object
+                          (and to be precise, one that embeds a Weighted Round Robin).
+                        minimum: 0
+                        type: integer
+                    required:
+                    - name
+                    type: object
+                required:
+                - errors
+                - fallback
+                - service
+                type: object
              highestRandomWeight:
                description: HighestRandomWeight defines the highest random weight
                  service configuration.
@@ -131,6 +657,25 @@ spec:
                          - Service
                          - TraefikService
                          type: string
+                        middlewares:
+                          description: Middlewares defines the list of references
+                            to Middleware resources to apply to the service.
+                          items:
+                            description: MiddlewareRef is a reference to a Middleware
+                              resource.
+                            properties:
+                              name:
+                                description: Name defines the name of the referenced
+                                  Middleware resource.
+                                type: string
+                              namespace:
+                                description: Namespace defines the namespace of the
+                                  referenced Middleware resource.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
                        name:
                          description: |-
                            Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -214,7 +759,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -371,6 +916,24 @@ spec:
                      Default value is -1, which means unlimited size.
                    format: int64
                    type: integer
+                  middlewares:
+                    description: Middlewares defines the list of references to Middleware
+                      resources to apply to the service.
+                    items:
+                      description: MiddlewareRef is a reference to a Middleware resource.
+                      properties:
+                        name:
+                          description: Name defines the name of the referenced Middleware
+                            resource.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Middleware resource.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
                  mirrorBody:
                    description: |-
                      MirrorBody defines whether the body of the request should be mirrored.
@@ -458,6 +1021,25 @@ spec:
                          - Service
                          - TraefikService
                          type: string
+                        middlewares:
+                          description: Middlewares defines the list of references
+                            to Middleware resources to apply to the service.
+                          items:
+                            description: MiddlewareRef is a reference to a Middleware
+                              resource.
+                            properties:
+                              name:
+                                description: Name defines the name of the referenced
+                                  Middleware resource.
+                                type: string
+                              namespace:
+                                description: Namespace defines the namespace of the
+                                  referenced Middleware resource.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
                        name:
                          description: |-
                            Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -546,7 +1128,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -698,7 +1280,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -852,6 +1434,25 @@ spec:
                          - Service
                          - TraefikService
                          type: string
+                        middlewares:
+                          description: Middlewares defines the list of references
+                            to Middleware resources to apply to the service.
+                          items:
+                            description: MiddlewareRef is a reference to a Middleware
+                              resource.
+                            properties:
+                              name:
+                                description: Name defines the name of the referenced
+                                  Middleware resource.
+                                type: string
+                              namespace:
+                                description: Namespace defines the namespace of the
+                                  referenced Middleware resource.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
                        name:
                          description: |-
                            Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -935,7 +1536,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -1008,7 +1609,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -10,6 +10,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-accesslog" href="#opt-accesslog" title="#opt-accesslog">accesslog</a> | Access log settings. | false |
 | <a id="opt-accesslog-addinternals" href="#opt-accesslog-addinternals" title="#opt-accesslog-addinternals">accesslog.addinternals</a> | Enables access log for internal services (ping, dashboard, etc...). | false |
 | <a id="opt-accesslog-bufferingsize" href="#opt-accesslog-bufferingsize" title="#opt-accesslog-bufferingsize">accesslog.bufferingsize</a> | Number of access log lines to process in a buffered way. | 0 |
+| <a id="opt-accesslog-dualoutput" href="#opt-accesslog-dualoutput" title="#opt-accesslog-dualoutput">accesslog.dualoutput</a> | Enables access log output alongside OTLP. By default, this output is disabled when OTLP is configured. | false |
 | <a id="opt-accesslog-fields-defaultmode" href="#opt-accesslog-fields-defaultmode" title="#opt-accesslog-fields-defaultmode">accesslog.fields.defaultmode</a> | Default mode for fields: keep | drop | keep |
 | <a id="opt-accesslog-fields-headers-defaultmode" href="#opt-accesslog-fields-headers-defaultmode" title="#opt-accesslog-fields-headers-defaultmode">accesslog.fields.headers.defaultmode</a> | Default mode for fields: keep | drop | redact | drop |
 | <a id="opt-accesslog-fields-headers-names-name" href="#opt-accesslog-fields-headers-names-name" title="#opt-accesslog-fields-headers-names-name">accesslog.fields.headers.names._name_</a> | Override mode for headers | |
@@ -41,6 +42,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-api" href="#opt-api" title="#opt-api">api</a> | Enable api/dashboard. | false |
 | <a id="opt-api-basepath" href="#opt-api-basepath" title="#opt-api-basepath">api.basepath</a> | Defines the base path where the API and Dashboard will be exposed. | / |
 | <a id="opt-api-dashboard" href="#opt-api-dashboard" title="#opt-api-dashboard">api.dashboard</a> | Activate dashboard. | true |
+| <a id="opt-api-dashboardname" href="#opt-api-dashboardname" title="#opt-api-dashboardname">api.dashboardname</a> | Custom name for the dashboard. | |
 | <a id="opt-api-debug" href="#opt-api-debug" title="#opt-api-debug">api.debug</a> | Enable additional endpoints for debugging and profiling. | false |
 | <a id="opt-api-disabledashboardad" href="#opt-api-disabledashboardad" title="#opt-api-disabledashboardad">api.disabledashboardad</a> | Disable ad in the dashboard. | false |
 | <a id="opt-api-insecure" href="#opt-api-insecure" title="#opt-api-insecure">api.insecure</a> | Activate API directly on the entryPoint named traefik. | false |
@@ -50,6 +52,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-certificatesresolvers-name-acme-caservername" href="#opt-certificatesresolvers-name-acme-caservername" title="#opt-certificatesresolvers-name-acme-caservername">certificatesresolvers._name_.acme.caservername</a> | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
 | <a id="opt-certificatesresolvers-name-acme-casystemcertpool" href="#opt-certificatesresolvers-name-acme-casystemcertpool" title="#opt-certificatesresolvers-name-acme-casystemcertpool">certificatesresolvers._name_.acme.casystemcertpool</a> | Define if the certificates pool must use a copy of the system cert pool. | false |
 | <a id="opt-certificatesresolvers-name-acme-certificatesduration" href="#opt-certificatesresolvers-name-acme-certificatesduration" title="#opt-certificatesresolvers-name-acme-certificatesduration">certificatesresolvers._name_.acme.certificatesduration</a> | Certificates' duration in hours. | 2160 |
+| <a id="opt-certificatesresolvers-name-acme-certificatetimeout" href="#opt-certificatesresolvers-name-acme-certificatetimeout" title="#opt-certificatesresolvers-name-acme-certificatetimeout">certificatesresolvers._name_.acme.certificatetimeout</a> | Timeout for obtaining the certificate during the finalization request. | 30 |
 | <a id="opt-certificatesresolvers-name-acme-clientresponseheadertimeout" href="#opt-certificatesresolvers-name-acme-clientresponseheadertimeout" title="#opt-certificatesresolvers-name-acme-clientresponseheadertimeout">certificatesresolvers._name_.acme.clientresponseheadertimeout</a> | Timeout for receiving the response headers when communicating with the ACME server. | 30 |
 | <a id="opt-certificatesresolvers-name-acme-clienttimeout" href="#opt-certificatesresolvers-name-acme-clienttimeout" title="#opt-certificatesresolvers-name-acme-clienttimeout">certificatesresolvers._name_.acme.clienttimeout</a> | Timeout for a complete HTTP transaction with the ACME server. | 120 |
 | <a id="opt-certificatesresolvers-name-acme-disablecommonname" href="#opt-certificatesresolvers-name-acme-disablecommonname" title="#opt-certificatesresolvers-name-acme-disablecommonname">certificatesresolvers._name_.acme.disablecommonname</a> | Disable the common name in the CSR. | false |
@@ -82,8 +85,10 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-entrypoints-name-address" href="#opt-entrypoints-name-address" title="#opt-entrypoints-name-address">entrypoints._name_.address</a> | Entry point address. | |
 | <a id="opt-entrypoints-name-allowacmebypass" href="#opt-entrypoints-name-allowacmebypass" title="#opt-entrypoints-name-allowacmebypass">entrypoints._name_.allowacmebypass</a> | Enables handling of ACME TLS and HTTP challenges with custom routers. | false |
 | <a id="opt-entrypoints-name-asdefault" href="#opt-entrypoints-name-asdefault" title="#opt-entrypoints-name-asdefault">entrypoints._name_.asdefault</a> | Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. | false |
+| <a id="opt-entrypoints-name-forwardedheaders-addxforwardedschemeheaders" href="#opt-entrypoints-name-forwardedheaders-addxforwardedschemeheaders" title="#opt-entrypoints-name-forwardedheaders-addxforwardedschemeheaders">entrypoints._name_.forwardedheaders.addxforwardedschemeheaders</a> | Add the X-Forwarded-Scheme and X-Scheme headers. | false |
 | <a id="opt-entrypoints-name-forwardedheaders-connection" href="#opt-entrypoints-name-forwardedheaders-connection" title="#opt-entrypoints-name-forwardedheaders-connection">entrypoints._name_.forwardedheaders.connection</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed. | |
 | <a id="opt-entrypoints-name-forwardedheaders-insecure" href="#opt-entrypoints-name-forwardedheaders-insecure" title="#opt-entrypoints-name-forwardedheaders-insecure">entrypoints._name_.forwardedheaders.insecure</a> | Trust all forwarded headers. | false |
+| <a id="opt-entrypoints-name-forwardedheaders-notappendxforwardedfor" href="#opt-entrypoints-name-forwardedheaders-notappendxforwardedfor" title="#opt-entrypoints-name-forwardedheaders-notappendxforwardedfor">entrypoints._name_.forwardedheaders.notappendxforwardedfor</a> | Disable appending RemoteAddr to X-Forwarded-For header. Defaults to false (appending is enabled). | false |
 | <a id="opt-entrypoints-name-forwardedheaders-trustedips" href="#opt-entrypoints-name-forwardedheaders-trustedips" title="#opt-entrypoints-name-forwardedheaders-trustedips">entrypoints._name_.forwardedheaders.trustedips</a> | Trust only forwarded headers from selected IPs. | |
 | <a id="opt-entrypoints-name-http" href="#opt-entrypoints-name-http" title="#opt-entrypoints-name-http">entrypoints._name_.http</a> | HTTP configuration. | |
 | <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true |
@@ -149,6 +154,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-experimental-plugins-name-settings-useunsafe" href="#opt-experimental-plugins-name-settings-useunsafe" title="#opt-experimental-plugins-name-settings-useunsafe">experimental.plugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe and syscall packages. | false |
 | <a id="opt-experimental-plugins-name-version" href="#opt-experimental-plugins-name-version" title="#opt-experimental-plugins-name-version">experimental.plugins._name_.version</a> | plugin's version. | |
 | <a id="opt-global-checknewversion" href="#opt-global-checknewversion" title="#opt-global-checknewversion">global.checknewversion</a> | Periodically check if a new version has been released. | true |
+| <a id="opt-global-notappendxforwardedfor" href="#opt-global-notappendxforwardedfor" title="#opt-global-notappendxforwardedfor">global.notappendxforwardedfor</a> | Disable appending RemoteAddr to X-Forwarded-For header. Defaults to false (appending is enabled). | false |
 | <a id="opt-global-sendanonymoususage" href="#opt-global-sendanonymoususage" title="#opt-global-sendanonymoususage">global.sendanonymoususage</a> | Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. | false |
 | <a id="opt-hostresolver" href="#opt-hostresolver" title="#opt-hostresolver">hostresolver</a> | Enable CNAME Flattening. | false |
 | <a id="opt-hostresolver-cnameflattening" href="#opt-hostresolver-cnameflattening" title="#opt-hostresolver-cnameflattening">hostresolver.cnameflattening</a> | A flag to enable/disable CNAME flattening | false |
@@ -198,7 +204,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-metrics-influxdb2-bucket" href="#opt-metrics-influxdb2-bucket" title="#opt-metrics-influxdb2-bucket">metrics.influxdb2.bucket</a> | InfluxDB v2 bucket ID. | |
 | <a id="opt-metrics-influxdb2-org" href="#opt-metrics-influxdb2-org" title="#opt-metrics-influxdb2-org">metrics.influxdb2.org</a> | InfluxDB v2 org ID. | |
 | <a id="opt-metrics-influxdb2-pushinterval" href="#opt-metrics-influxdb2-pushinterval" title="#opt-metrics-influxdb2-pushinterval">metrics.influxdb2.pushinterval</a> | InfluxDB v2 push interval. | 10 |
-| <a id="opt-metrics-influxdb2-token" href="#opt-metrics-influxdb2-token" title="#opt-metrics-influxdb2-token">metrics.influxdb2.token</a> | InfluxDB v2 access token. | |
+| <a id="opt-metrics-influxdb2-token" href="#opt-metrics-influxdb2-token" title="#opt-metrics-influxdb2-token">metrics.influxdb2.token</a> | InfluxDB v2 access token. It accepts either a token value or a file path to the token. | |
 | <a id="opt-metrics-otlp" href="#opt-metrics-otlp" title="#opt-metrics-otlp">metrics.otlp</a> | OpenTelemetry metrics exporter type. | false |
 | <a id="opt-metrics-otlp-addentrypointslabels" href="#opt-metrics-otlp-addentrypointslabels" title="#opt-metrics-otlp-addentrypointslabels">metrics.otlp.addentrypointslabels</a> | Enable metrics on entry points. | true |
 | <a id="opt-metrics-otlp-addrouterslabels" href="#opt-metrics-otlp-addrouterslabels" title="#opt-metrics-otlp-addrouterslabels">metrics.otlp.addrouterslabels</a> | Enable metrics on routers. | false |
@@ -352,7 +358,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-kubernetescrd-crossprovidernamespaces" href="#opt-providers-kubernetescrd-crossprovidernamespaces" title="#opt-providers-kubernetescrd-crossprovidernamespaces">providers.kubernetescrd.crossprovidernamespaces</a> | List of namespaces from which IngressRoute, IngressRouteTCP, IngressRouteUDP, and TraefikService are allowed to declare cross-provider references. | |
 | <a id="opt-providers-kubernetescrd-disableclusterscoperesources" href="#opt-providers-kubernetescrd-disableclusterscoperesources" title="#opt-providers-kubernetescrd-disableclusterscoperesources">providers.kubernetescrd.disableclusterscoperesources</a> | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
 | <a id="opt-providers-kubernetescrd-endpoint" href="#opt-providers-kubernetescrd-endpoint" title="#opt-providers-kubernetescrd-endpoint">providers.kubernetescrd.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
-| <a id="opt-providers-kubernetescrd-ingressclass" href="#opt-providers-kubernetescrd-ingressclass" title="#opt-providers-kubernetescrd-ingressclass">providers.kubernetescrd.ingressclass</a> | Value of kubernetes.io/ingress.class annotation to watch for. | |
+| <a id="opt-providers-kubernetescrd-ingressclass" href="#opt-providers-kubernetescrd-ingressclass" title="#opt-providers-kubernetescrd-ingressclass">providers.kubernetescrd.ingressclass</a> | Value of ingressClassName field or kubernetes.io/ingress.class annotation to watch for. | |
 | <a id="opt-providers-kubernetescrd-labelselector" href="#opt-providers-kubernetescrd-labelselector" title="#opt-providers-kubernetescrd-labelselector">providers.kubernetescrd.labelselector</a> | Kubernetes label selector to use. | |
 | <a id="opt-providers-kubernetescrd-namespaces" href="#opt-providers-kubernetescrd-namespaces" title="#opt-providers-kubernetescrd-namespaces">providers.kubernetescrd.namespaces</a> | Kubernetes namespaces. | |
 | <a id="opt-providers-kubernetescrd-nativelbbydefault" href="#opt-providers-kubernetescrd-nativelbbydefault" title="#opt-providers-kubernetescrd-nativelbbydefault">providers.kubernetescrd.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
@@ -390,21 +396,46 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-kubernetesingress-labelselector" href="#opt-providers-kubernetesingress-labelselector" title="#opt-providers-kubernetesingress-labelselector">providers.kubernetesingress.labelselector</a> | Kubernetes Ingress label selector to use. | |
 | <a id="opt-providers-kubernetesingress-namespaces" href="#opt-providers-kubernetesingress-namespaces" title="#opt-providers-kubernetesingress-namespaces">providers.kubernetesingress.namespaces</a> | Kubernetes namespaces. | |
 | <a id="opt-providers-kubernetesingress-nativelbbydefault" href="#opt-providers-kubernetesingress-nativelbbydefault" title="#opt-providers-kubernetesingress-nativelbbydefault">providers.kubernetesingress.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
+| <a id="opt-providers-kubernetesingress-reportnodeinternalips" href="#opt-providers-kubernetesingress-reportnodeinternalips" title="#opt-providers-kubernetesingress-reportnodeinternalips">providers.kubernetesingress.reportnodeinternalips</a> | Report node internal IPs in Ingress status. | false |
 | <a id="opt-providers-kubernetesingress-strictprefixmatching" href="#opt-providers-kubernetesingress-strictprefixmatching" title="#opt-providers-kubernetesingress-strictprefixmatching">providers.kubernetesingress.strictprefixmatching</a> | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). | false |
 | <a id="opt-providers-kubernetesingress-throttleduration" href="#opt-providers-kubernetesingress-throttleduration" title="#opt-providers-kubernetesingress-throttleduration">providers.kubernetesingress.throttleduration</a> | Ingress refresh throttle duration | 0 |
 | <a id="opt-providers-kubernetesingress-token" href="#opt-providers-kubernetesingress-token" title="#opt-providers-kubernetesingress-token">providers.kubernetesingress.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
 | <a id="opt-providers-kubernetesingressnginx" href="#opt-providers-kubernetesingressnginx" title="#opt-providers-kubernetesingressnginx">providers.kubernetesingressnginx</a> | Enables Kubernetes Ingress NGINX provider. | false |
+| <a id="opt-providers-kubernetesingressnginx-allowcrossnamespaceresources" href="#opt-providers-kubernetesingressnginx-allowcrossnamespaceresources" title="#opt-providers-kubernetesingressnginx-allowcrossnamespaceresources">providers.kubernetesingressnginx.allowcrossnamespaceresources</a> | Allow Ingress to reference resources (e.g. ConfigMaps, Secrets) in different namespaces. | false |
+| <a id="opt-providers-kubernetesingressnginx-allowsnippetannotations" href="#opt-providers-kubernetesingressnginx-allowsnippetannotations" title="#opt-providers-kubernetesingressnginx-allowsnippetannotations">providers.kubernetesingressnginx.allowsnippetannotations</a> | Enables to parse and add -snippet annotations/directives. | false |
 | <a id="opt-providers-kubernetesingressnginx-certauthfilepath" href="#opt-providers-kubernetesingressnginx-certauthfilepath" title="#opt-providers-kubernetesingressnginx-certauthfilepath">providers.kubernetesingressnginx.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| <a id="opt-providers-kubernetesingressnginx-clientbodybuffersize" href="#opt-providers-kubernetesingressnginx-clientbodybuffersize" title="#opt-providers-kubernetesingressnginx-clientbodybuffersize">providers.kubernetesingressnginx.clientbodybuffersize</a> | Default buffer size for reading client request body. | 16384 |
 | <a id="opt-providers-kubernetesingressnginx-controllerclass" href="#opt-providers-kubernetesingressnginx-controllerclass" title="#opt-providers-kubernetesingressnginx-controllerclass">providers.kubernetesingressnginx.controllerclass</a> | Ingress Class Controller value this controller satisfies. | k8s.io/ingress-nginx |
+| <a id="opt-providers-kubernetesingressnginx-customhttperrors" href="#opt-providers-kubernetesingressnginx-customhttperrors" title="#opt-providers-kubernetesingressnginx-customhttperrors">providers.kubernetesingressnginx.customhttperrors</a> | Defines which status should result in calling the default backend to return an error page. | |
 | <a id="opt-providers-kubernetesingressnginx-defaultbackendservice" href="#opt-providers-kubernetesingressnginx-defaultbackendservice" title="#opt-providers-kubernetesingressnginx-defaultbackendservice">providers.kubernetesingressnginx.defaultbackendservice</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | |
 | <a id="opt-providers-kubernetesingressnginx-disablesvcexternalname" href="#opt-providers-kubernetesingressnginx-disablesvcexternalname" title="#opt-providers-kubernetesingressnginx-disablesvcexternalname">providers.kubernetesingressnginx.disablesvcexternalname</a> | Disable support for Services of type ExternalName. | false |
 | <a id="opt-providers-kubernetesingressnginx-endpoint" href="#opt-providers-kubernetesingressnginx-endpoint" title="#opt-providers-kubernetesingressnginx-endpoint">providers.kubernetesingressnginx.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
+| <a id="opt-providers-kubernetesingressnginx-globalallowedresponseheaders" href="#opt-providers-kubernetesingressnginx-globalallowedresponseheaders" title="#opt-providers-kubernetesingressnginx-globalallowedresponseheaders">providers.kubernetesingressnginx.globalallowedresponseheaders</a> | List of allowed response headers inside the custom headers annotations. | |
+| <a id="opt-providers-kubernetesingressnginx-globalauthurl" href="#opt-providers-kubernetesingressnginx-globalauthurl" title="#opt-providers-kubernetesingressnginx-globalauthurl">providers.kubernetesingressnginx.globalauthurl</a> | URL to the service that provides authentication for all the locations. Per ingress auth-url annotation has precedence over this option. | |
+| <a id="opt-providers-kubernetesingressnginx-httpentrypoint" href="#opt-providers-kubernetesingressnginx-httpentrypoint" title="#opt-providers-kubernetesingressnginx-httpentrypoint">providers.kubernetesingressnginx.httpentrypoint</a> | Defines the EntryPoint to use for HTTP requests. | |
+| <a id="opt-providers-kubernetesingressnginx-httpsentrypoint" href="#opt-providers-kubernetesingressnginx-httpsentrypoint" title="#opt-providers-kubernetesingressnginx-httpsentrypoint">providers.kubernetesingressnginx.httpsentrypoint</a> | Defines the EntryPoint to use for HTTPS requests. | |
 | <a id="opt-providers-kubernetesingressnginx-ingressclass" href="#opt-providers-kubernetesingressnginx-ingressclass" title="#opt-providers-kubernetesingressnginx-ingressclass">providers.kubernetesingressnginx.ingressclass</a> | Name of the ingress class this controller satisfies. | nginx |
 | <a id="opt-providers-kubernetesingressnginx-ingressclassbyname" href="#opt-providers-kubernetesingressnginx-ingressclassbyname" title="#opt-providers-kubernetesingressnginx-ingressclassbyname">providers.kubernetesingressnginx.ingressclassbyname</a> | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false |
+| <a id="opt-providers-kubernetesingressnginx-ipallowliststrategy-depth" href="#opt-providers-kubernetesingressnginx-ipallowliststrategy-depth" title="#opt-providers-kubernetesingressnginx-ipallowliststrategy-depth">providers.kubernetesingressnginx.ipallowliststrategy.depth</a> |  | 0 |
+| <a id="opt-providers-kubernetesingressnginx-ipallowliststrategy-excludedips" href="#opt-providers-kubernetesingressnginx-ipallowliststrategy-excludedips" title="#opt-providers-kubernetesingressnginx-ipallowliststrategy-excludedips">providers.kubernetesingressnginx.ipallowliststrategy.excludedips</a> |  | |
+| <a id="opt-providers-kubernetesingressnginx-ipallowliststrategy-ipv6subnet" href="#opt-providers-kubernetesingressnginx-ipallowliststrategy-ipv6subnet" title="#opt-providers-kubernetesingressnginx-ipallowliststrategy-ipv6subnet">providers.kubernetesingressnginx.ipallowliststrategy.ipv6subnet</a> |  | 0 |
+| <a id="opt-providers-kubernetesingressnginx-proxybodysize" href="#opt-providers-kubernetesingressnginx-proxybodysize" title="#opt-providers-kubernetesingressnginx-proxybodysize">providers.kubernetesingressnginx.proxybodysize</a> | Default maximum size of a client request body in bytes. | 1048576 |
+| <a id="opt-providers-kubernetesingressnginx-proxybuffering" href="#opt-providers-kubernetesingressnginx-proxybuffering" title="#opt-providers-kubernetesingressnginx-proxybuffering">providers.kubernetesingressnginx.proxybuffering</a> | Defines whether to enable response buffering. | false |
+| <a id="opt-providers-kubernetesingressnginx-proxybuffersize" href="#opt-providers-kubernetesingressnginx-proxybuffersize" title="#opt-providers-kubernetesingressnginx-proxybuffersize">providers.kubernetesingressnginx.proxybuffersize</a> | Default buffer size for reading the response body. | 8192 |
+| <a id="opt-providers-kubernetesingressnginx-proxybuffersnumber" href="#opt-providers-kubernetesingressnginx-proxybuffersnumber" title="#opt-providers-kubernetesingressnginx-proxybuffersnumber">providers.kubernetesingressnginx.proxybuffersnumber</a> | Default number of buffers for reading a response. | 4 |
+| <a id="opt-providers-kubernetesingressnginx-proxyconnecttimeout" href="#opt-providers-kubernetesingressnginx-proxyconnecttimeout" title="#opt-providers-kubernetesingressnginx-proxyconnecttimeout">providers.kubernetesingressnginx.proxyconnecttimeout</a> | Amount of time to wait until a connection to a server can be established. Timeout value is unitless and in seconds. | 60 |
+| <a id="opt-providers-kubernetesingressnginx-proxynextupstream" href="#opt-providers-kubernetesingressnginx-proxynextupstream" title="#opt-providers-kubernetesingressnginx-proxynextupstream">providers.kubernetesingressnginx.proxynextupstream</a> | Defines in which cases a request should be retried. | error timeout |
+| <a id="opt-providers-kubernetesingressnginx-proxynextupstreamtimeout" href="#opt-providers-kubernetesingressnginx-proxynextupstreamtimeout" title="#opt-providers-kubernetesingressnginx-proxynextupstreamtimeout">providers.kubernetesingressnginx.proxynextupstreamtimeout</a> | Limits the total elapsed time to retry the request if the backend server does not reply. Timeout value is unitless and in seconds. | 0 |
+| <a id="opt-providers-kubernetesingressnginx-proxynextupstreamtries" href="#opt-providers-kubernetesingressnginx-proxynextupstreamtries" title="#opt-providers-kubernetesingressnginx-proxynextupstreamtries">providers.kubernetesingressnginx.proxynextupstreamtries</a> | Limits the number of possible tries if the backend server does not reply. | 3 |
+| <a id="opt-providers-kubernetesingressnginx-proxyreadtimeout" href="#opt-providers-kubernetesingressnginx-proxyreadtimeout" title="#opt-providers-kubernetesingressnginx-proxyreadtimeout">providers.kubernetesingressnginx.proxyreadtimeout</a> | Amount of time between two successive read operations. Timeout value is unitless and in seconds. | 60 |
+| <a id="opt-providers-kubernetesingressnginx-proxyrequestbuffering" href="#opt-providers-kubernetesingressnginx-proxyrequestbuffering" title="#opt-providers-kubernetesingressnginx-proxyrequestbuffering">providers.kubernetesingressnginx.proxyrequestbuffering</a> | Defines whether to enable request buffering. | false |
+| <a id="opt-providers-kubernetesingressnginx-proxysendtimeout" href="#opt-providers-kubernetesingressnginx-proxysendtimeout" title="#opt-providers-kubernetesingressnginx-proxysendtimeout">providers.kubernetesingressnginx.proxysendtimeout</a> | Amount of time between two successive write operations. Timeout value is unitless and in seconds. | 60 |
 | <a id="opt-providers-kubernetesingressnginx-publishservice" href="#opt-providers-kubernetesingressnginx-publishservice" title="#opt-providers-kubernetesingressnginx-publishservice">providers.kubernetesingressnginx.publishservice</a> | Service fronting the Ingress controller. Takes the form 'namespace/name'. | |
 | <a id="opt-providers-kubernetesingressnginx-publishstatusaddress" href="#opt-providers-kubernetesingressnginx-publishstatusaddress" title="#opt-providers-kubernetesingressnginx-publishstatusaddress">providers.kubernetesingressnginx.publishstatusaddress</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | |
+| <a id="opt-providers-kubernetesingressnginx-strictvalidatepathtype" href="#opt-providers-kubernetesingressnginx-strictvalidatepathtype" title="#opt-providers-kubernetesingressnginx-strictvalidatepathtype">providers.kubernetesingressnginx.strictvalidatepathtype</a> | Defines whether to reject the entire ingress when any path contains regex characters and pathType is Prefix or Exact. | true |
 | <a id="opt-providers-kubernetesingressnginx-throttleduration" href="#opt-providers-kubernetesingressnginx-throttleduration" title="#opt-providers-kubernetesingressnginx-throttleduration">providers.kubernetesingressnginx.throttleduration</a> | Ingress refresh throttle duration. | 0 |
 | <a id="opt-providers-kubernetesingressnginx-token" href="#opt-providers-kubernetesingressnginx-token" title="#opt-providers-kubernetesingressnginx-token">providers.kubernetesingressnginx.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
+| <a id="opt-providers-kubernetesingressnginx-upstreamkeepalivetimeout" href="#opt-providers-kubernetesingressnginx-upstreamkeepalivetimeout" title="#opt-providers-kubernetesingressnginx-upstreamkeepalivetimeout">providers.kubernetesingressnginx.upstreamkeepalivetimeout</a> | Defines the idle timeout for keep-alive connections to upstream servers. Timeout value is unitless and in seconds. | 60 |
 | <a id="opt-providers-kubernetesingressnginx-watchingresswithoutclass" href="#opt-providers-kubernetesingressnginx-watchingresswithoutclass" title="#opt-providers-kubernetesingressnginx-watchingresswithoutclass">providers.kubernetesingressnginx.watchingresswithoutclass</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false |
 | <a id="opt-providers-kubernetesingressnginx-watchnamespace" href="#opt-providers-kubernetesingressnginx-watchnamespace" title="#opt-providers-kubernetesingressnginx-watchnamespace">providers.kubernetesingressnginx.watchnamespace</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | |
 | <a id="opt-providers-kubernetesingressnginx-watchnamespaceselector" href="#opt-providers-kubernetesingressnginx-watchnamespaceselector" title="#opt-providers-kubernetesingressnginx-watchnamespaceselector">providers.kubernetesingressnginx.watchnamespaceselector</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects. | |
@@ -428,6 +459,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-nomad-throttleduration" href="#opt-providers-nomad-throttleduration" title="#opt-providers-nomad-throttleduration">providers.nomad.throttleduration</a> | Watch throttle duration. | 0 |
 | <a id="opt-providers-nomad-watch" href="#opt-providers-nomad-watch" title="#opt-providers-nomad-watch">providers.nomad.watch</a> | Watch Nomad Service events. | false |
 | <a id="opt-providers-plugin-name" href="#opt-providers-plugin-name" title="#opt-providers-plugin-name">providers.plugin._name_</a> | Plugins configuration. | |
+| <a id="opt-providers-precedence" href="#opt-providers-precedence" title="#opt-providers-precedence">providers.precedence</a> | Defines the routing precedence between providers. | kubernetesgateway, kubernetescrd, kubernetes, kubernetesingressnginx, swarm, docker, file, redis, knative, consul, consulcatalog, nomad, etcd, ecs, http, zookeeper, rest |
 | <a id="opt-providers-providersthrottleduration" href="#opt-providers-providersthrottleduration" title="#opt-providers-providersthrottleduration">providers.providersthrottleduration</a> | Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. | 2 |
 | <a id="opt-providers-redis" href="#opt-providers-redis" title="#opt-providers-redis">providers.redis</a> | Enables Redis provider. | false |
 | <a id="opt-providers-redis-db" href="#opt-providers-redis-db" title="#opt-providers-redis-db">providers.redis.db</a> | Database to be selected after connecting to the server. | 0 |
@@ -89,8 +89,10 @@ additionalArguments:
 | <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).                                                                                                                                                                                                                                                                                                                                                                                                                                       | false                   | No       |
 | <a id="opt-allowACMEByPass" href="#opt-allowACMEByPass" title="#opt-allowACMEByPass">`allowACMEByPass`</a> | Enables handling of ACME TLS and HTTP challenges with custom routers instead of the internal ACME router.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                   | No       |
 | <a id="opt-forwardedHeaders-connection" href="#opt-forwardedHeaders-connection" title="#opt-forwardedHeaders-connection">`forwardedHeaders.`<br />`connection`</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
+| <a id="opt-forwardedHeaders-addXForwardedSchemeHeaders" href="#opt-forwardedHeaders-addXForwardedSchemeHeaders" title="#opt-forwardedHeaders-addXForwardedSchemeHeaders">`forwardedHeaders.`<br />`addXForwardedSchemeHeaders`</a> | Add the compatibility headers `X-Forwarded-Scheme` and `X-Scheme`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | false                   | No       |
 | <a id="opt-forwardedHeaders-insecure" href="#opt-forwardedHeaders-insecure" title="#opt-forwardedHeaders-insecure">`forwardedHeaders.`<br />`insecure`</a> | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
 | <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.`<br />`trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | -                       | No       |
+| <a id="opt-forwardedHeaders-notAppendXForwardedFor" href="#opt-forwardedHeaders-notAppendXForwardedFor" title="#opt-forwardedHeaders-notAppendXForwardedFor">`forwardedHeaders.`<br />`notAppendXForwardedFor`</a> | When set to `true`, Traefik will not append the client's `RemoteAddr` to the `X-Forwarded-For` header. The existing header is preserved as-is. If no `X-Forwarded-For` header exists, none will be added.                                                                                                                                                                                                                                                                                                                                    | false                   | No       |
 | <a id="opt-http-redirections-entryPoint-to" href="#opt-http-redirections-entryPoint-to" title="#opt-http-redirections-entryPoint-to">`http.redirections.`<br />`entryPoint.to`</a> | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | -                       | Yes      |
 | <a id="opt-http-redirections-entryPoint-scheme" href="#opt-http-redirections-entryPoint-scheme" title="#opt-http-redirections-entryPoint-scheme">`http.redirections.`<br />`entryPoint.scheme`</a> | The target scheme to use for (permanent) redirection of all incoming requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | https                   | No       |
 | <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
@@ -391,6 +393,37 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
    --entryPoints.web.forwardedHeaders.connection=foobar
    ```

+??? info "`forwardedHeaders.addXForwardedSchemeHeaders`"
+
+    Add the compatibility headers `X-Forwarded-Scheme` and `X-Scheme` next to `X-Forwarded-Proto`.
+    This is primarily useful when migrating from ingress-nginx and your applications still rely on these legacy headers.
+    When enabled, these compatibility headers follow the same value as `X-Forwarded-Proto`.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      websecure:
+        address: ":443"
+        forwardedHeaders:
+          addXForwardedSchemeHeaders: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.websecure]
+        address = ":443"
+
+        [entryPoints.websecure.forwardedHeaders]
+          addXForwardedSchemeHeaders = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.websecure.address=:443
+    --entryPoints.websecure.forwardedHeaders.addXForwardedSchemeHeaders=true
+    ```
+
 ### HTTP3

 As HTTP/3 actually uses UDP, when Traefik is configured with a TCP `entryPoint`
@@ -141,6 +141,9 @@ Traefik also supports the `OTEL_RESOURCE_ATTRIBUTES` env variable to set up the

 Access logs concern everything that happens to the requests handled by Traefik.

+!!! note "Stdio logs are not enabled by default alongside OTLP exports"
+    If you would like Stdio access logs to be available, use [accessLog.dualOutput](#opt-accesslog-dualOutput) option.
+
 ### Configuration Example

 ```yaml tab="File (YAML)"
@@ -201,6 +204,7 @@ accessLog:

 ```sh tab="CLI"
 --accesslog=true
+--accesslog.dualoutput=true
 --accesslog.format=json
 --accesslog.filters.statuscodes=200,300-302
 --accesslog.filters.retryattempts
@@ -220,6 +224,7 @@ The section below describes how to configure Traefik access logs using the stati
 | Field      | Description    | Default | Required |
 |:-----------|:--------------------------|:--------|:---------|
 | <a id="opt-accesslog-filePath" href="#opt-accesslog-filePath" title="#opt-accesslog-filePath">`accesslog.filePath`</a> | By default, the access logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.|  | No      |
+| <a id="opt-accesslog-dualOutput" href="#opt-accesslog-dualOutput" title="#opt-accesslog-dualOutput">`accesslog.dualOutput`</a> | Force Stdio logging, even if OTLP is configured. By default, Stdio logging is disabled when OTLP is enabled for performance reasons. | false      | No      |
 | <a id="opt-accesslog-format" href="#opt-accesslog-format" title="#opt-accesslog-format">`accesslog.format`</a> | By default, logs are written using the Traefik Common Log Format (CLF).<br />Available formats: [`common`](#traefik-clf-format-fields) (Traefik extended CLF), [`genericCLF`](#generic-clf-format-fields) (standard CLF compatible with analyzers), or [`json`](#json-format-fields).<br />If the given format is unsupported, the default (`common`) is used instead. | "common" | No      |
 | <a id="opt-accesslog-bufferingSize" href="#opt-accesslog-bufferingSize" title="#opt-accesslog-bufferingSize">`accesslog.bufferingSize`</a> | To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.<br />This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.<br />In some cases, this option can greatly help performances.| 0 | No      |
 | <a id="opt-accesslog-addInternals" href="#opt-accesslog-addInternals" title="#opt-accesslog-addInternals">`accesslog.addInternals`</a> | Enables access logs for internal resources (e.g.: `ping@internal`). | false  | No      |
@@ -260,6 +265,8 @@ experimental:
  otlpLogs: true

 accesslog:
+  # Keep Stdio logs alongside OTEL logging
+  dualOutput: true
  otlp:
    http:
      endpoint: https://collector:4318/v1/logs
@@ -271,6 +278,9 @@ accesslog:
 [experimental]
  otlpLogs = true

+[accessLog]
+  dualOutput = true
+
 [accesslog.otlp]
  http.endpoint = "https://collector:4318/v1/logs"
  http.headers.Authorization = "Bearer auth_asKXRhIMplM7El1JENjrotGouS1LYRdL"
@@ -382,6 +392,10 @@ Below the fields displayed with the generic CLF format:
 | <a id="opt-TLSVersion" href="#opt-TLSVersion" title="#opt-TLSVersion">`TLSVersion`</a> | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).   |
 | <a id="opt-TLSCipher" href="#opt-TLSCipher" title="#opt-TLSCipher">`TLSCipher`</a> | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS).      |
 | <a id="opt-TLSClientSubject" href="#opt-TLSClientSubject" title="#opt-TLSClientSubject">`TLSClientSubject`</a> | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`).  |
+| <a id="opt-KubernetesIngressNamespace" href="#opt-KubernetesIngressNamespace" title="#opt-KubernetesIngressNamespace">`KubernetesIngressNamespace`</a> | The namespace of the Kubernetes Ingress resource the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |
+| <a id="opt-KubernetesIngressName" href="#opt-KubernetesIngressName" title="#opt-KubernetesIngressName">`KubernetesIngressName`</a> | The name of the Kubernetes Ingress resource the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |
+| <a id="opt-KubernetesServiceName" href="#opt-KubernetesServiceName" title="#opt-KubernetesServiceName">`KubernetesServiceName`</a> | The name of the Kubernetes Service associated with the Ingress the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |
+| <a id="opt-KubernetesServicePort" href="#opt-KubernetesServicePort" title="#opt-KubernetesServicePort">`KubernetesServicePort`</a> | The port of the Kubernetes Service associated with the Ingress the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |

 ### Log Rotation

@@ -405,7 +419,7 @@ Example utilizing Docker Compose:
 ```yaml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    environment:
      - TZ=US/Alaska
    command:
@@ -20,13 +20,13 @@ enabling seamless integration between Traefik's networking capabilities and Knat
 1. Install/update the Knative CRDs.

    ```bash
-    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-crds.yaml
+    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.20.0/serving-crds.yaml
    ```

 2. Install the Knative Serving core components.

    ```bash
-    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-core.yaml
+    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.20.0/serving-core.yaml
    ```

 3. Update the config-network configuration to use the Traefik ingress class.
@@ -50,7 +50,7 @@ enabling seamless integration between Traefik's networking capabilities and Knat
 5. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-knative-rbac.yml).

    ```bash
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
    ```

 ## Configuration Example
@@ -20,10 +20,10 @@ When you install Traefik without using the Helm Chart, or when you are upgrading

 ```bash
 # Install Traefik Resource Definitions:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

 # Install RBAC for Traefik:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 ```

 ## Configuration Example
@@ -60,7 +60,7 @@ providers:
 | <a id="opt-providers-kubernetesCRD-certAuthFilePath" href="#opt-providers-kubernetesCRD-certAuthFilePath" title="#opt-providers-kubernetesCRD-certAuthFilePath">`providers.kubernetesCRD.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | ""      | No |
 | <a id="opt-providers-kubernetesCRD-namespaces" href="#opt-providers-kubernetesCRD-namespaces" title="#opt-providers-kubernetesCRD-namespaces">`providers.kubernetesCRD.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces. | []      | No |
 | <a id="opt-providers-kubernetesCRD-labelSelector" href="#opt-providers-kubernetesCRD-labelSelector" title="#opt-providers-kubernetesCRD-labelSelector">`providers.kubernetesCRD.labelSelector`</a> | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](#routing-configuration) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""      | No |
-| <a id="opt-providers-kubernetesCRD-ingressClass" href="#opt-providers-kubernetesCRD-ingressClass" title="#opt-providers-kubernetesCRD-ingressClass">`providers.kubernetesCRD.ingressClass`</a> | Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | ""      | No |
+| <a id="opt-providers-kubernetesCRD-ingressClass" href="#opt-providers-kubernetesCRD-ingressClass" title="#opt-providers-kubernetesCRD-ingressClass">`providers.kubernetesCRD.ingressClass`</a> | Value of `spec.ingressClassName` field (or the deprecated `kubernetes.io/ingress.class` annotation) that identifies resource objects to be processed.<br />If empty, resources missing the field/annotation, having an empty value, or the value `traefik` are processed.<br />The `spec.ingressClassName` field takes precedence over the annotation. | ""      | No |
 | <a id="opt-providers-kubernetesCRD-throttleDuration" href="#opt-providers-kubernetesCRD-throttleDuration" title="#opt-providers-kubernetesCRD-throttleDuration">`providers.kubernetesCRD.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s      | No |
 | <a id="opt-providers-kubernetesCRD-allowEmptyServices" href="#opt-providers-kubernetesCRD-allowEmptyServices" title="#opt-providers-kubernetesCRD-allowEmptyServices">`providers.kubernetesCRD.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.  | false   | No |
 | <a id="opt-providers-kubernetesCRD-allowCrossNamespace" href="#opt-providers-kubernetesCRD-allowCrossNamespace" title="#opt-providers-kubernetesCRD-allowCrossNamespace">`providers.kubernetesCRD.allowCrossNamespace`</a> | Allows the `IngressRoutes` to reference resources in namespaces other than theirs. | false   | No |
@@ -8,16 +8,15 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).

-This provider supports Standard version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the Gateway API specification.
+This provider supports Standard version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the Gateway API specification.

-It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, and `GRPCRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute`, and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels). 
+It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, `GRPCRoute`, and `TLSRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute` from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).

 !!! info "Using The Helm Chart"

-    When using the Traefik [Helm Chart](../../../../getting-started/kubernetes.md#install-traefik), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
-    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml).
+    When using the Traefik [Helm Chart](../../../../getting-started/kubernetes.md#install-traefik), the RBAC (Role-Based Access Control) are automatically managed for you.

 ## Requirements

@@ -27,14 +26,14 @@ For more details, check out the conformance [report](https://github.com/kubernet

    ```bash
    # Install Gateway API CRDs from the Standard channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
    ```

-2. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-gateway-rbac.yml).
+2. If you are not using the Helm Chart, install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-gateway-rbac.yml) for Gateway API.

    ```bash
-    # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    # Install Traefik RBACs for Gateway API.
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
    ```

 ## Configuration Example
@@ -71,7 +70,7 @@ providers:
 |:----------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
 | <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
 | <a id="opt-providers-kubernetesGateway-endpoint" href="#opt-providers-kubernetesGateway-endpoint" title="#opt-providers-kubernetesGateway-endpoint">`providers.kubernetesGateway.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-experimentalChannel" href="#opt-providers-kubernetesGateway-experimentalChannel" title="#opt-providers-kubernetesGateway-experimentalChannel">`providers.kubernetesGateway.experimentalChannel`</a> | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute` and `TLSRoute`)                                                                                                                                                                   | false   | No       |
+| <a id="opt-providers-kubernetesGateway-experimentalChannel" href="#opt-providers-kubernetesGateway-experimentalChannel" title="#opt-providers-kubernetesGateway-experimentalChannel">`providers.kubernetesGateway.experimentalChannel`</a> | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute`)                                                                                                                                                                   | false   | No       |
 | <a id="opt-providers-kubernetesGateway-token" href="#opt-providers-kubernetesGateway-token" title="#opt-providers-kubernetesGateway-token">`providers.kubernetesGateway.token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-certAuthFilePath" href="#opt-providers-kubernetesGateway-certAuthFilePath" title="#opt-providers-kubernetesGateway-certAuthFilePath">`providers.kubernetesGateway.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
 | <a id="opt-providers-kubernetesGateway-namespaces" href="#opt-providers-kubernetesGateway-namespaces" title="#opt-providers-kubernetesGateway-namespaces">`providers.kubernetesGateway.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                              | []      | No       |
@@ -19,8 +19,8 @@ It also supports many of the [ingress-nginx](https://kubernetes.github.io/ingres

 ## Requirements

-When you install Traefik without using the Helm Chart, 
-ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider. 
+When you install Traefik without using the Helm Chart,
+ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider.

 !!! note "Additional RBAC for Namespace Selector"

@@ -29,7 +29,7 @@ ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/acces

 ```bash
 # Install RBAC for Traefik Ingress NGINX provider:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
 ```

 ## Ingress Discovery
@@ -65,6 +65,28 @@ providers:
    controllerClass: "k8s.io/ingress-nginx"
    watchIngressWithoutClass: false
    ingressClassByName: false
+    globalAuthURL: "http://foo.com/auth"
+    proxyConnectTimeout: 60
+    proxyReadTimeout: 60
+    proxySendTimeout: 60
+    proxyRequestBuffering: false
+    clientBodyBufferSize: "16384" # 16k
+    proxyBuffering: false
+    proxyBodySize: "1048576"      # 1m
+    proxyBufferSize: "8192"       # 8k
+    proxyBuffersNumber: 4
+    upstreamKeepaliveTimeout: 60
+    customHTTPErrors:
+      - "404"
+      - "503"
+    allowCrossNamespaceResources: true
+    allowSnippetAnnotations: false
+    globalAllowedResponseHeaders:
+      - "X-Custom-Header1"
+      - "X-Custom-Header2"
+    ipAllowListStrategy:
+      depth: 2
+    strictValidatePathType: false
 ```

 ```toml tab="File (TOML)"
@@ -79,6 +101,25 @@ providers:
  controllerClass = "k8s.io/ingress-nginx"
  watchIngressWithoutClass = false
  ingressClassByName = false
+  globalAuthURL = "http://foo.com/auth"
+  proxyConnectTimeout = 60
+  proxyReadTimeout = 60
+  proxySendTimeout = 60
+  proxyRequestBuffering = false
+  clientBodyBufferSize = "16384" # 16k
+  proxyBuffering = false
+  proxyBodySize = "1048576"      # 1m
+  proxyBufferSize = "8192"       # 8k
+  proxyBuffersNumber = 4
+  upstreamKeepaliveTimeout = 60
+  customHTTPErrors = ["404", "503"]
+  allowCrossNamespaceResources = true
+  allowSnippetAnnotations = false
+  globalAllowedResponseHeaders = ["X-Custom-Header1", "X-Custom-Header2"]
+  strictValidatePathType = false
+
+[providers.kubernetesIngressNGINX.ipAllowListStrategy]
+  depth = 2
 ```

 ```bash tab="CLI"
@@ -88,6 +129,23 @@ providers:
 --providers.kubernetesingressnginx.controllerclass=k8s.io/ingress-nginx
 --providers.kubernetesingressnginx.watchingresswithoutclass=false
 --providers.kubernetesingressnginx.ingressclassbyname=false
+--providers.kubernetesingressnginx.globalauthurl=http://foo.com/auth
+--providers.kubernetesingressnginx.proxyconnecttimeout=60
+--providers.kubernetesingressnginx.proxyreadtimeout=60
+--providers.kubernetesingressnginx.proxysendtimeout=60
+--providers.kubernetesingressnginx.proxyrequestbuffering=false
+--providers.kubernetesingressnginx.clientbodybuffersize=16384 # 16k
+--providers.kubernetesingressnginx.proxybuffering=false
+--providers.kubernetesingressnginx.proxybodysize=1048576      # 1m
+--providers.kubernetesingressnginx.proxybuffersize=8192       # 8k
+--providers.kubernetesingressnginx.proxybuffersnumber=4
+--providers.kubernetesingressnginx.upstreamkeepalimetimeout=60
+--providers.kubernetesingressnginx.customhttperrors=404,503
+--providers.kubernetesingressnginx.allowCrossNamespaceResources=true
+--providers.kubernetesingressnginx.allowsnippetannotations=false
+--providers.kubernetesingressnginx.globalAllowedResponseHeaders=X-Custom-Header1,X-Custom-Header2
+--providers.kubernetesingressnginx.ipallowliststrategy.depth=2
+--providers.kubernetesingressnginx.strictvalidatepathtype=false
 ```

 ```yaml tab="Helm Chart Values"
@@ -120,23 +178,47 @@ This provider watches for incoming Ingress events and automatically translates N
 ## Configuration Options
 <!-- markdownlint-disable MD013 -->

-| Field                                                                                                                                                                                                                                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                          | Default | Required |
-|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-providers-providers-ThrottleDuration" href="#opt-providers-providers-ThrottleDuration" title="#opt-providers-providers-ThrottleDuration">`providers.providers`<br/>`ThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-endpoint" href="#opt-providers-kubernetesIngressNGINX-endpoint" title="#opt-providers-kubernetesIngressNGINX-endpoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-token" href="#opt-providers-kubernetesIngressNGINX-token" title="#opt-providers-kubernetesIngressNGINX-token">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-certAuthFilePath" href="#opt-providers-kubernetesIngressNGINX-certAuthFilePath" title="#opt-providers-kubernetesIngressNGINX-certAuthFilePath">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-throttleDuration" href="#opt-providers-kubernetesIngressNGINX-throttleDuration" title="#opt-providers-kubernetesIngressNGINX-throttleDuration">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0s      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchNamespace" href="#opt-providers-kubernetesIngressNGINX-watchNamespace" title="#opt-providers-kubernetesIngressNGINX-watchNamespace">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                      | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                | ""      | No       |
+| Field                                                                                                                                                                                                                                                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Default | Required |
+|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------|:---------|
+| <a id="opt-providers-providers-ThrottleDuration" href="#opt-providers-providers-ThrottleDuration" title="#opt-providers-providers-ThrottleDuration">`providers.providers`<br/>`ThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**                                                                                                                                                                            | 2s     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-endpoint" href="#opt-providers-kubernetesIngressNGINX-endpoint" title="#opt-providers-kubernetesIngressNGINX-endpoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-token" href="#opt-providers-kubernetesIngressNGINX-token" title="#opt-providers-kubernetesIngressNGINX-token">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-certAuthFilePath" href="#opt-providers-kubernetesIngressNGINX-certAuthFilePath" title="#opt-providers-kubernetesIngressNGINX-certAuthFilePath">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-throttleDuration" href="#opt-providers-kubernetesIngressNGINX-throttleDuration" title="#opt-providers-kubernetesIngressNGINX-throttleDuration">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                                                                                                                                                                                                      | 0s     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-globalAuthURL" href="#opt-providers-kubernetesIngressNGINX-globalAuthURL" title="#opt-providers-kubernetesIngressNGINX-globalAuthURL">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`globalAuthURL`</a> | URL to the service that provides authentication for all the locations. Per-ingress `auth-url` annotation has precedence over this option.                                                                                                                                                                                                                                                                                                                                                                                                                        | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchNamespace" href="#opt-providers-kubernetesIngressNGINX-watchNamespace" title="#opt-providers-kubernetesIngressNGINX-watchNamespace">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                                                                                                                                                                                                 | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | ""     | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-ingressClass" href="#opt-providers-kubernetesIngressNGINX-ingressClass" title="#opt-providers-kubernetesIngressNGINX-ingressClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClass`</a> | Name of the IngressClass this controller handles. When `ingressClassByName` is `true`, IngressClasses with this name are included in discovery regardless of their `spec.controller` value.                                                                                                                                                                                          | "nginx"      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                            | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                    | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                                                                                                                                                                                               | false  | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-ingressClassByName" href="#opt-providers-kubernetesIngressNGINX-ingressClassByName" title="#opt-providers-kubernetesIngressNGINX-ingressClassByName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClassByName`</a> | When `true`, any IngressClass whose **name** matches `ingressClass` is include in discovery, even if its `spec.controller` does not match `controllerClass`. This is evaluated alongside the controller-based selection, not instead of it.                                                                                                                                          | false   | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-publishService" href="#opt-providers-kubernetesIngressNGINX-publishService" title="#opt-providers-kubernetesIngressNGINX-publishService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishService`</a> | Service fronting the Ingress controller. Takes the form `namespace/name`.                                                                                                                                                                                                                                                                                                            | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-publishStatusAddress" href="#opt-providers-kubernetesIngressNGINX-publishStatusAddress" title="#opt-providers-kubernetesIngressNGINX-publishStatusAddress">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishStatusAddress`</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.                                                                                                                                                                                                                                               | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-defaultBackendService" href="#opt-providers-kubernetesIngressNGINX-defaultBackendService" title="#opt-providers-kubernetesIngressNGINX-defaultBackendService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`defaultBackendService`</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.                                                                                                                                                                                                                                                                 | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-disableSvcExternalName" href="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName" title="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`disableSvcExternalName`</a> | Disable support for Services of type ExternalName.                                                                                                                                                                                                                                                                                                                                   | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-publishService" href="#opt-providers-kubernetesIngressNGINX-publishService" title="#opt-providers-kubernetesIngressNGINX-publishService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishService`</a> | Service fronting the Ingress controller. Takes the form `namespace/name`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-publishStatusAddress" href="#opt-providers-kubernetesIngressNGINX-publishStatusAddress" title="#opt-providers-kubernetesIngressNGINX-publishStatusAddress">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishStatusAddress`</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.                                                                                                                                                                                                                                                                                                                                                                                                                          | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-defaultBackendService" href="#opt-providers-kubernetesIngressNGINX-defaultBackendService" title="#opt-providers-kubernetesIngressNGINX-defaultBackendService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`defaultBackendService`</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.                                                                                                                                                                                                                                                                                                                                                                                                                                            | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-disableSvcExternalName" href="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName" title="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`disableSvcExternalName`</a> | Disable support for Services of type ExternalName.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | false  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyConnectTimeout" href="#opt-providers-kubernetesIngressNGINX-proxyConnectTimeout" title="#opt-providers-kubernetesIngressNGINX-proxyConnectTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyConnectTimeout`</a> | Amount of time to wait until a connection to a server can be established. The value is unitless and in seconds. This is used as the global connection timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-connect-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout) annotation.                                                                                                           | 60     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyReadTimeout" href="#opt-providers-kubernetesIngressNGINX-proxyReadTimeout" title="#opt-providers-kubernetesIngressNGINX-proxyReadTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyReadTimeout`</a> | Amount of time between two successive read operations. The value is unitless and in seconds. This is used as the global read timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-read-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-read-timeout) annotation.                                                                                                                                         | 60     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxySendTimeout" href="#opt-providers-kubernetesIngressNGINX-proxySendTimeout" title="#opt-providers-kubernetesIngressNGINX-proxySendTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxySendTimeout`</a> | Amount of time between two successive write operations. The value is unitless and in seconds. This is used as the global send timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-send-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-send-timeout) annotation.                                                                                                                                         | 60     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyrequestbuffering" href="#opt-providers-kubernetesIngressNGINX-proxyrequestbuffering" title="#opt-providers-kubernetesIngressNGINX-proxyrequestbuffering">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyrequestbuffering`</a> | Defines whether request buffering is enabled by default for all ingresses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | false  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-clientBodyBufferSize" href="#opt-providers-kubernetesIngressNGINX-clientBodyBufferSize" title="#opt-providers-kubernetesIngressNGINX-clientBodyBufferSize">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`clientBodyBufferSize`</a> | Default buffer size for reading client request body in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 16384  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxybuffering" href="#opt-providers-kubernetesIngressNGINX-proxybuffering" title="#opt-providers-kubernetesIngressNGINX-proxybuffering">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxybuffering`</a> | Defines whether response buffering is enabled by default for all ingresses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | false  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyBodySize" href="#opt-providers-kubernetesIngressNGINX-proxyBodySize" title="#opt-providers-kubernetesIngressNGINX-proxyBodySize">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyBodySize`</a> | Default maximum size of a client request body in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 1048576 | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyBufferSize" href="#opt-providers-kubernetesIngressNGINX-proxyBufferSize" title="#opt-providers-kubernetesIngressNGINX-proxyBufferSize">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyBufferSize`</a> | Default buffer size for reading the response body in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 8192   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyBuffersNumber" href="#opt-providers-kubernetesIngressNGINX-proxyBuffersNumber" title="#opt-providers-kubernetesIngressNGINX-proxyBuffersNumber">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyBuffersNumber`</a> | Default number of buffers for reading a response.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 4               | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyNextUpstreama" href="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreama" title="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreama">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyNextUpstream`</a></a> | Defines in which cases a request should be retried. Accepted values are a space-separated list of: `error`, `timeout`, `http_XXX` (e.g. http_502), `non_idempotent`, and `off` (disables retry). This is used as the global proxy-next-upstream configuration when no ingress-specific value is configured. An ingress-specific configuration can be set using [`nginx.ingress.kubernetes.io/proxy-next-upstream`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-next-upstream) annotation.                  | "error timeout" | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTriesa" href="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTriesa" title="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTriesa">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyNextUpstreamTries`</a></a> | Limits the number of possible tries if the backend server does not reply. 0 means unlimited tries, which is capped to the number of available servers. This is used as the global retry count configuration when no ingress-specific value is configured. An ingress-specific retry limit can be set using [`nginx.ingress.kubernetes.io/proxy-next-upstream-tries`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries) annotation.                                                          | 3               | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeouta" href="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeouta" title="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeouta">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyNextUpstreamTimeout`</a></a> | Limits the total elapsed time to retry the request if the backend server does not reply. Timeout value is unitless and in seconds. 0 means no timeout. This is used as the global retry timeout when no ingress-specific value is configured. An ingress-specific retry timeout can be set using [`nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout) annotation.                                                                | 0               | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-upstreamKeepaliveTimeout" href="#opt-providers-kubernetesIngressNGINX-upstreamKeepaliveTimeout" title="#opt-providers-kubernetesIngressNGINX-upstreamKeepaliveTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`upstreamKeepaliveTimeout`</a> | Defines the idle timeout for keep-alive connections to upstream servers. The value is unitless and in seconds.                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 60              | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-customHTTPErrors" href="#opt-providers-kubernetesIngressNGINX-customHTTPErrors" title="#opt-providers-kubernetesIngressNGINX-customHTTPErrors">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`customHTTPErrors`<br/></a> | Defines which status should result in calling the default backend to return an error page.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | []              | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-allowCrossNamespaceResources" href="#opt-providers-kubernetesIngressNGINX-allowCrossNamespaceResources" title="#opt-providers-kubernetesIngressNGINX-allowCrossNamespaceResources">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`allowCrossNamespaceResources`</a> | Allow Ingress to reference resources (e.g. ConfigMaps, Secrets) in different namespaces.                                                                                                                                                                                                                                                                                                                                                              | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-globalAllowedResponseHeaders" href="#opt-providers-kubernetesIngressNGINX-globalAllowedResponseHeaders" title="#opt-providers-kubernetesIngressNGINX-globalAllowedResponseHeaders">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`globalAllowedResponseHeaders`</a> | List of allowed response headers inside the custom headers annotations. It is required to configure it for the custom headers annotations to take effect.                                                                                                                                                                                                                                                                                                                                                                                                       | []      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy`</a> | Defines the IP strategy to determine the client IP for `allowlist-source-range` and `whitelist-source-range` annotations. When set, the strategy is applied to every generated IPAllowList middleware.                                                                                                                                                                                                                                                                                                                                                            | -       | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-depth" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-depth" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-depth">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy.`<br/>`depth`</a> | Number of trusted proxy hops to skip when extracting the client IP from the `X-Forwarded-For` header. 0 disables depth-based extraction.                                                                                                                                                                                                                                                                                                                                                                                                                         | 0       | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-excludedIPs" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-excludedIPs" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-excludedIPs">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy.`<br/>`excludedIPs`</a> | List of IPs to exclude when scanning the `X-Forwarded-For` header to find the client IP.                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | []      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-ipv6Subnet" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-ipv6Subnet" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-ipv6Subnet">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy.`<br/>`ipv6Subnet`</a> | IPv6 subnet size used to group IPv6 addresses when checking the allow list. 0 disables subnet grouping.                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0       | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-httpentrypoint" href="#opt-providers-kubernetesIngressNGINX-httpentrypoint" title="#opt-providers-kubernetesIngressNGINX-httpentrypoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`httpentrypoint`</a> | Defines the EntryPoint to use for HTTP requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-httpsentrypoint" href="#opt-providers-kubernetesIngressNGINX-httpsentrypoint" title="#opt-providers-kubernetesIngressNGINX-httpsentrypoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`httpsentrypoint`</a> | Defines the EntryPoint to use for HTTPS requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-strictValidatePathType" href="#opt-providers-kubernetesIngressNGINX-strictValidatePathType" title="#opt-providers-kubernetesIngressNGINX-strictValidatePathType">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`strictValidatePathType`</a> | Defines whether to reject the entire ingress when any path contains regex characters and pathType is Prefix or Exact.                                                                                                                                                                                                                                                                                                                                                                                                                                          | true            | No       |

 <!-- markdownlint-enable MD013 -->

@@ -58,12 +58,13 @@ which in turn creates the resulting routers, services, handlers, etc.
 | <a id="opt-providers-kubernetesIngress-ingressEndpoint-hostname" href="#opt-providers-kubernetesIngress-ingressEndpoint-hostname" title="#opt-providers-kubernetesIngress-ingressEndpoint-hostname">`providers.kubernetesIngress.`<br />`ingressEndpoint.hostname`</a> | Hostname used for Kubernetes Ingress endpoints.                                                                                                                                                                                                                                                                                                                                                                                                                       | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-ingressEndpoint-ip" href="#opt-providers-kubernetesIngress-ingressEndpoint-ip" title="#opt-providers-kubernetesIngress-ingressEndpoint-ip">`providers.kubernetesIngress.`<br />`ingressEndpoint.ip`</a> | This IP will get copied to the Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6).                                                                                                                                                                                                                                                                                                                                             | ""      | No       |
 | <a id="opt-providers-kubernetesIngress-ingressEndpoint-publishedService" href="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService" title="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService">`providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService`</a> | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice).                                                                                                                                                                                                                                                                                                                                                           | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-reportNodeInternalIPs" href="#opt-providers-kubernetesIngress-reportNodeInternalIPs" title="#opt-providers-kubernetesIngress-reportNodeInternalIPs">`providers.kubernetesIngress.reportNodeInternalIPs`</a> | Report node internal IPs in Ingress status.<br />Incompatible with `ingressEndpoint` and `disableClusterScopeResources`.<br />More information [here](#reportnodeinternalips).                                                                                                                                                                                                                                                                                       | false   | No       |
 | <a id="opt-providers-kubernetesIngress-throttleDuration" href="#opt-providers-kubernetesIngress-throttleDuration" title="#opt-providers-kubernetesIngress-throttleDuration">`providers.kubernetesIngress.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                                                                                                            | 0s      | No       |
 | <a id="opt-providers-kubernetesIngress-allowEmptyServices" href="#opt-providers-kubernetesIngress-allowEmptyServices" title="#opt-providers-kubernetesIngress-allowEmptyServices">`providers.kubernetesIngress.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.                                                                                                                                                                                                                 | false   | No       |
 | <a id="opt-providers-kubernetesIngress-allowExternalNameServices" href="#opt-providers-kubernetesIngress-allowExternalNameServices" title="#opt-providers-kubernetesIngress-allowExternalNameServices">`providers.kubernetesIngress.allowExternalNameServices`</a> | Allows the `Ingress` to reference ExternalName services.                                                                                                                                                                                                                                                                                                                                                                                                              | false   | No       |
 | <a id="opt-providers-kubernetesIngress-crossProviderNamespaces" href="#opt-providers-kubernetesIngress-crossProviderNamespaces" title="#opt-providers-kubernetesIngress-crossProviderNamespaces">`providers.kubernetesIngress.crossProviderNamespaces`</a> | List of namespaces from which Ingresses or Services are allowed to use `traefik.ingress.kubernetes.io/router.middlewares`, `traefik.ingress.kubernetes.io/router.tls.options`, or `traefik.ingress.kubernetes.io/service.serverstransport` annotations.<br />When unset, all namespaces are allowed. When set to `[]`, every cross-provider reference is rejected.                                                                                                          | []      | No       |
 | <a id="opt-providers-kubernetesIngress-nativeLBByDefault" href="#opt-providers-kubernetesIngress-nativeLBByDefault" title="#opt-providers-kubernetesIngress-nativeLBByDefault">`providers.kubernetesIngress.nativeLBByDefault`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default.<br />It can be overridden in the [`Service`](../../../../reference/routing-configuration/kubernetes/crd/http/service.md#opt-nativeLB)                                                                                                                                                                                       | false   | No       |
-| <a id="opt-providers-kubernetesIngress-disableClusterScopeResources" href="#opt-providers-kubernetesIngress-disableClusterScopeResources" title="#opt-providers-kubernetesIngress-disableClusterScopeResources">`providers.kubernetesIngress.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false   | No       |
+| <a id="opt-providers-kubernetesIngress-disableClusterScopeResources" href="#opt-providers-kubernetesIngress-disableClusterScopeResources" title="#opt-providers-kubernetesIngress-disableClusterScopeResources">`providers.kubernetesIngress.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services and is incompatible with `reportNodeInternalIPs`. | false   | No       |
 | <a id="opt-providers-kubernetesIngress-strictPrefixMatching" href="#opt-providers-kubernetesIngress-strictPrefixMatching" title="#opt-providers-kubernetesIngress-strictPrefixMatching">`providers.kubernetesIngress.strictPrefixMatching`</a> | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`.                                                                                                                                                                                                      | false   | No       |

 <!-- markdownlint-enable MD013 -->
@@ -138,6 +139,31 @@ providers:
 --providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
 ```

+### `reportNodeInternalIPs`
+
+When set to `true`, Traefik reports the internal IPs of all nodes in the cluster into the `status.loadBalancer.ingress` field of each managed Ingress resource.
+
+This is the equivalent of ingress-nginx's `--report-node-internal-ip-address` flag and is the recommended approach for bare-metal Kubernetes deployments where Traefik runs as a DaemonSet without a cloud LoadBalancer or MetalLB.
+
+This option requires cluster-scope access to Node resources and is mutually exclusive with `ingressEndpoint` and `disableClusterScopeResources`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    reportNodeInternalIPs: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  reportNodeInternalIPs = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.reportnodeinternalips=true
+```
+
 ## Routing Configuration

 See the dedicated section in [routing](../../../../reference/routing-configuration/kubernetes/ingress.md).
@@ -165,4 +165,62 @@ you can do so in two different ways:
    - [Kubernetes Gateway API](./kubernetes/kubernetes-gateway.md#opt-providers-kubernetesGateway-labelselector)
    - [Kubernetes Ingress](./kubernetes/kubernetes-ingress.md#opt-providers-kubernetesIngress-labelselector)

+## Providers Precedence
+
+### `providers.precedence`
+
+_Optional_
+
+When two routers from **different providers** define the same rule with equal numeric [priority](../../routing-configuration/http/routing/rules-and-priority.md#priority-calculation),
+the `precedence` option determines which provider's route takes precedence.
+
+The list is ordered from highest to lowest precedence: a provider listed first wins over providers listed later.
+
+```yaml tab="File (YAML)"
+providers:
+  precedence:
+    - kubernetescrd
+    - kubernetes
+    - file
+```
+
+```toml tab="File (TOML)"
+[providers]
+  precedence = ["kubernetescrd", "kubernetes", "file"]
+```
+
+```bash tab="CLI"
+--providers.precedence=kubernetescrd,kubernetes,file
+```
+
+#### Default precedence
+
+When `precedence` is not set, Traefik uses the following default order (highest precedence first):
+
+| Position | Provider name            |
+|----------|--------------------------|
+| <a id="opt-1" href="#opt-1" title="#opt-1">1</a> | `kubernetesgateway`      |
+| <a id="opt-2" href="#opt-2" title="#opt-2">2</a> | `kubernetescrd`          |
+| <a id="opt-3" href="#opt-3" title="#opt-3">3</a> | `kubernetes`             |
+| <a id="opt-4" href="#opt-4" title="#opt-4">4</a> | `kubernetesingressnginx` |
+| <a id="opt-5" href="#opt-5" title="#opt-5">5</a> | `swarm`                  |
+| <a id="opt-6" href="#opt-6" title="#opt-6">6</a> | `docker`                 |
+| <a id="opt-7" href="#opt-7" title="#opt-7">7</a> | `file`                   |
+| <a id="opt-8" href="#opt-8" title="#opt-8">8</a> | `redis`                  |
+| <a id="opt-9" href="#opt-9" title="#opt-9">9</a> | `knative`                |
+| <a id="opt-10" href="#opt-10" title="#opt-10">10</a> | `consul`                 |
+| <a id="opt-11" href="#opt-11" title="#opt-11">11</a> | `consulcatalog`          |
+| <a id="opt-12" href="#opt-12" title="#opt-12">12</a> | `nomad`                  |
+| <a id="opt-13" href="#opt-13" title="#opt-13">13</a> | `etcd`                   |
+| <a id="opt-14" href="#opt-14" title="#opt-14">14</a> | `ecs`                    |
+| <a id="opt-15" href="#opt-15" title="#opt-15">15</a> | `http`                   |
+| <a id="opt-16" href="#opt-16" title="#opt-16">16</a> | `zookeeper`              |
+| <a id="opt-17" href="#opt-17" title="#opt-17">17</a> | `rest`                   |
+
+!!! note
+
+    - `precedence` only acts as a **tiebreaker**: it is applied only when two routes from different providers share the same numeric `priority` value. An explicit router priority always takes precedence.
+    - A provider absent from `precedence` loses to any listed provider.
+    - Provider names are case-insensitive.
+
 {% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -91,6 +91,7 @@ ACME certificate resolvers have the following configuration options:
 | <a id="opt-acme-certificatesDuration" href="#opt-acme-certificatesDuration" title="#opt-acme-certificatesDuration">`acme.certificatesDuration`</a> | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
 | <a id="opt-acme-clientTimeout" href="#opt-acme-clientTimeout" title="#opt-acme-clientTimeout">`acme.clientTimeout`</a> | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
 | <a id="opt-acme-clientResponseHeaderTimeout" href="#opt-acme-clientResponseHeaderTimeout" title="#opt-acme-clientResponseHeaderTimeout">`acme.clientResponseHeaderTimeout`</a> | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
+| <a id="opt-acme-certificateTimeout" href="#opt-acme-certificateTimeout" title="#opt-acme-certificateTimeout">`acme.certificateTimeout`</a> | Timeout for obtaining the certificate during the finalization request. Set this if the ACME server is slow to issue a certificate. | 30s | No |
 | <a id="opt-acme-dnsChallenge" href="#opt-acme-dnsChallenge" title="#opt-acme-dnsChallenge">`acme.dnsChallenge`</a> | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
 | <a id="opt-acme-dnsChallenge-provider" href="#opt-acme-dnsChallenge-provider" title="#opt-acme-dnsChallenge-provider">`acme.dnsChallenge.provider`</a> | DNS provider to use. | "" | No |
 | <a id="opt-acme-dnsChallenge-resolvers" href="#opt-acme-dnsChallenge-resolvers" title="#opt-acme-dnsChallenge-resolvers">`acme.dnsChallenge.resolvers`</a> | DNS servers to resolve the FQDN authority. | [] | No |
@@ -35,6 +35,11 @@ http:
          - "spiffe://example.org/id1"
          - "spiffe://example.org/id2"
        trustDomain: "example.org"
+      cipherSuites: 
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      minVersion: VersionTLS12
+      maxVersion: VersionTLS12
 ```

 ```toml tab="Structured (TOML)"
@@ -46,6 +51,9 @@ http:
  maxIdleConnsPerHost = 100
  disableHTTP2 = true
  peerCertURI = "spiffe://example.org/peer"
+  cipherSuites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
+  minVersion = "VersionTLS12"
+  maxVersion = "VersionTLS12"

  [http.serversTransports.mytransport.forwardingTimeouts]
    dialTimeout = "30s"
@@ -100,6 +108,9 @@ labels:
 | <a id="opt-certificates" href="#opt-certificates" title="#opt-certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS.                        | []      | No       |
 | <a id="opt-insecureSkipVerify" href="#opt-insecureSkipVerify" title="#opt-insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified.                                                               | false   | No       |
 | <a id="opt-rootcas" href="#opt-rootcas" title="#opt-rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections).                                   | []      | No       |
+| <a id="opt-cipherSuites" href="#opt-cipherSuites" title="#opt-cipherSuites">`cipherSuites`</a> | Defines the cipher suites to use when contacting backend servers. | [] | No |
+| <a id="opt-minVersion" href="#opt-minVersion" title="#opt-minVersion">`minVersion`</a> | Defines the minimum TLS version to use when contacting backend servers. | "" | No |
+| <a id="opt-maxVersion" href="#opt-maxVersion" title="#opt-maxVersion">`maxVersion`</a> | Defines the maximum TLS version to use when contacting backend servers. | "" | No |
 | <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host.                                                                                  | 200     | No       |
 | <a id="opt-disableHTTP2" href="#opt-disableHTTP2" title="#opt-disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers.                                                                                            | false   | No       |
 | <a id="opt-peerCertURI" href="#opt-peerCertURI" title="#opt-peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                             | ""      | No       |
@@ -483,6 +483,67 @@ Below are the available options for the passive health check mechanism:
 | <a id="opt-failureWindow" href="#opt-failureWindow" title="#opt-failureWindow">`failureWindow`</a> | Defines the time window during which the failed attempts must occur for the server to be marked as unhealthy. It also defines for how long the server will be considered unhealthy. | 10s     | No       |
 | <a id="opt-maxFailedAttempts" href="#opt-maxFailedAttempts" title="#opt-maxFailedAttempts">`maxFailedAttempts`</a> | Defines the number of consecutive failed attempts allowed within the failure window before marking the server as unhealthy.                                                         | 1       | No       |

+### Middlewares
+
+You can attach a list of [middlewares](../middlewares/overview.md) to each HTTP service.
+The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.
+
+!!! info "Middlewares Execution Order"
+
+    When both a router and a service have middlewares configured, the router middlewares are applied first, followed by the service middlewares.
+    This means the request passes through router middlewares before reaching service middlewares.
+
+!!! info "Supported Providers"
+
+    Service-level middlewares can be configured with the [File](../../../install-configuration/providers/others/file.md), [Docker](../../other-providers/docker.md), [Swarm](../../other-providers/docker.md), [Kubernetes IngressRoute](../../kubernetes/crd/http/ingressroute.md), [Kubernetes Ingress](../../kubernetes/ingress.md), and [Kubernetes Gateway API](../../kubernetes/gateway-api.md) providers.
+
+??? example "Attaching Middlewares to a Service -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="Structured (YAML)"
+    ## Dynamic configuration
+    http:
+      services:
+        my-service:
+          middlewares:
+            - add-header
+          loadBalancer:
+            servers:
+              - url: "http://127.0.0.1:8080"
+
+      middlewares:
+        add-header:
+          headers:
+            customRequestHeaders:
+              X-Custom-Header: "service-middleware"
+    ```
+
+    ```toml tab="Structured (TOML)"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.my-service]
+        middlewares = ["add-header"]
+        [http.services.my-service.loadBalancer]
+          [[http.services.my-service.loadBalancer.servers]]
+            url = "http://127.0.0.1:8080"
+
+    [http.middlewares]
+      [http.middlewares.add-header.headers]
+        [http.middlewares.add-header.headers.customRequestHeaders]
+          X-Custom-Header = "service-middleware"
+    ```
+
+??? example "Attaching Middlewares to a Service -- Using [Docker Labels](../../other-providers/docker.md)"
+
+    ```yaml
+    labels:
+      # Define the middleware
+      - "traefik.http.middlewares.add-header.headers.customRequestHeaders.X-Custom-Header=service-middleware"
+      # Attach middleware to the service (at service level, not loadBalancer level)
+      - "traefik.http.services.my-service.middlewares=add-header"
+      # Configure the service
+      - "traefik.http.services.my-service.loadbalancer.server.port=8080"
+    ```
+
 ## Advanced Service Types

 Advanced service types allow you to compose multiple services together for weighted distribution, consistent hashing, mirroring, or failover scenarios.
@@ -760,7 +821,7 @@ The `mirroring` service type mirrors requests sent to a service to other service
 !!! info "Supported Providers"

    This service type can be defined currently with the [File](../../../install-configuration/providers/others/file.md) provider or [IngressRoute](../../../routing-configuration/kubernetes/crd/http/ingressroute.md).
-    
+
 ```yaml tab="Structured (YAML)"
 ## Routing configuration
 http:
@@ -887,15 +948,19 @@ http:
        url = "http://private-ip-server-2/"
 ```

-### Failover 
+### Failover

-The `failover` service type forwards all requests to a fallback service when the main service becomes unreachable.
+The `failover` service type forwards requests to a fallback service when the main service is unavailable.
+Failover can be triggered in two ways:
+
+- **Health check-based**: When the main service becomes unreachable based on [health checks](#health-check).
+- **Status code-based**: When the main service responds with specific HTTP status codes defined in the [errors](#errors) configuration.

 !!! info "Relation to HealthCheck"
    The failover service relies on the HealthCheck system to get notified when its main service becomes unreachable, which means HealthCheck needs to be enabled and functional on the main service. However, HealthCheck does not need to be enabled on the failover service itself for it to be functional. It is only required in order to propagate upwards the information when the failover itself becomes down (i.e. both its main and its fallback are down too).

-!!! info "Supported Provider"
-    This service type can currently only be defined with the [File](../../../install-configuration/providers/others/file.md) provider.
+!!! info "Supported Providers"
+    This service type can be defined with the [File](../../../install-configuration/providers/others/file.md) and [Kubernetes CRD](../../../install-configuration/providers/kubernetes/kubernetes-crd.md) providers.

 #### HealthCheck

@@ -905,7 +970,7 @@ HealthCheck enables automatic self-healthcheck for this service, i.e. if the mai

    If HealthCheck is enabled for a given service and any of its descendants does not have it enabled, the creation of the service will fail.

-    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  
+    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md). 

 ```yaml tab="Structured (YAML)"
 ## Routing configuration
@@ -940,15 +1005,15 @@ http:
 ## Routing configuration
 [http.services]
  [http.services.app]
-    [http.services.app.failover.healthCheck]
    [http.services.app.failover]
      service = "main"
      fallback = "backup"
+      [http.services.app.failover.healthCheck]

  [http.services.main]
    [http.services.main.loadBalancer]
      [http.services.main.loadBalancer.healthCheck]
-        path = "/health"
+        path = "/status"
        interval = "10s"
        timeout = "3s"
      [[http.services.main.loadBalancer.servers]]
@@ -957,9 +1022,163 @@ http:
  [http.services.backup]
    [http.services.backup.loadBalancer]
      [http.services.backup.loadBalancer.healthCheck]
-        path = "/health"
+        path = "/status"
        interval = "10s"
        timeout = "3s"
      [[http.services.backup.loadBalancer.servers]]
        url = "http://private-ip-server-2/"
 ```
+
+#### Errors
+
+The `errors` option enables status code-based failover.
+When the main service responds with an HTTP status code matching one of the configured ranges, Traefik automatically retries the request on the fallback service.
+
+To support request replay, the request body is buffered up to `maxRequestBodyBytes`.
+Requests with bodies larger than this limit receive a `413 Request Entity Too Large` response.
+
+Below is a list of options available for the `errors` option and an example of how to configure it for a failover service:
+
+| Field                 | Description                                                                                                       | Default |
+|-----------------------|-------------------------------------------------------------------------------------------------------------------|---------|
+| <a id="opt-status-2" href="#opt-status-2" title="#opt-status-2">`status`</a> | List of HTTP status code ranges that trigger failover. Supports single codes (`"500"`) and ranges (`"500-504"`).  | None    |
+| <a id="opt-maxRequestBodyBytes" href="#opt-maxRequestBodyBytes" title="#opt-maxRequestBodyBytes">`maxRequestBodyBytes`</a> | Maximum request body size (in bytes) to buffer for replay to the fallback service. Set to `-1` for no limit.      | `-1`    |
+
+```yaml tab="Structured (YAML)"
+## Routing configuration
+http:
+  services:
+    app:
+      failover:
+        service: main
+        fallback: backup
+        errors:
+          status:
+            - "500-504"
+          maxRequestBodyBytes: 1048576
+
+    main:
+      loadBalancer:
+        servers:
+          - url: "http://private-ip-server-1/"
+
+    backup:
+      loadBalancer:
+        servers:
+          - url: "http://private-ip-server-2/"
+```
+
+```toml tab="Structured (TOML)"
+## Routing configuration
+[http.services]
+  [http.services.app]
+    [http.services.app.failover]
+      service = "main"
+      fallback = "backup"
+      [http.services.app.failover.errors]
+        status = ["500-504"]
+        maxRequestBodyBytes = 1048576
+
+  [http.services.main]
+    [http.services.main.loadBalancer]
+      [[http.services.main.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.backup]
+    [http.services.backup.loadBalancer]
+      [[http.services.backup.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```
+
+#### Chaining Failover Services
+
+Failover services can be chained together for multi-level redundancy.
+In the following example, if the primary service fails, traffic goes to the secondary service.
+If both primary and secondary fail, traffic goes to the tertiary service.
+
+```yaml tab="Structured (YAML)"
+## Routing configuration
+http:
+  services:
+    app:
+      failover:
+        healthCheck: {}
+        service: primary-failover
+        fallback: tertiary
+
+    primary-failover:
+      failover:
+        healthCheck: {}
+        service: primary
+        fallback: secondary
+
+    primary:
+      loadBalancer:
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        servers:
+          - url: "http://primary-server/"
+
+    secondary:
+      loadBalancer:
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        servers:
+          - url: "http://secondary-server/"
+
+    tertiary:
+      loadBalancer:
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        servers:
+          - url: "http://tertiary-server/"
+```
+
+```toml tab="Structured (TOML)"
+## Routing configuration
+[http.services]
+  [http.services.app]
+    [http.services.app.failover]
+      service = "primary-failover"
+      fallback = "tertiary"
+      [http.services.app.failover.healthCheck]
+
+  [http.services.primary-failover]
+    [http.services.primary-failover.failover]
+      service = "primary"
+      fallback = "secondary"
+      [http.services.primary-failover.failover.healthCheck]
+
+  [http.services.primary]
+    [http.services.primary.loadBalancer]
+      [http.services.primary.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.primary.loadBalancer.servers]]
+        url = "http://primary-server/"
+
+  [http.services.secondary]
+    [http.services.secondary.loadBalancer]
+      [http.services.secondary.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.secondary.loadBalancer.servers]]
+        url = "http://secondary-server/"
+
+  [http.services.tertiary]
+    [http.services.tertiary.loadBalancer]
+      [http.services.tertiary.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.tertiary.loadBalancer.servers]]
+        url = "http://tertiary-server/"
+```
@@ -0,0 +1,62 @@
+---
+title: "Traefik EncodedCharacters Documentation"
+description: "In Traefik Proxy, the EncodedCharacters middleware controls which ambiguous reserved encoded characters are allowed in the request path. Read the technical documentation."
+---
+
+The EncodedCharacters middleware controls which ambiguous reserved encoded characters are allowed in the request path.
+
+When you use this middleware, by default, potentially dangerous encoded characters are rejected for security enhancement.
+
+## Configuration Examples
+
+```yaml tab="Docker & Swarm"
+# Allow encoded slash in the request path.
+labels:
+  - "traefik.http.middlewares.test-encodedchars.encodedcharacters.allowencodedslash=true"
+```
+
+```yaml tab="Kubernetes"
+# Allow encoded slash in the request path.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-encodedchars
+spec:
+  encodedCharacters:
+    allowEncodedSlash: true
+```
+
+```yaml tab="Consul Catalog"
+# Allow encoded slash in the request path.
+- "traefik.http.middlewares.test-encodedchars.encodedcharacters.allowencodedslash=true"
+```
+
+```yaml tab="File (YAML)"
+# Allow encoded slash in the request path.
+http:
+  middlewares:
+    test-encodedchars:
+      encodedCharacters:
+        allowEncodedSlash: true
+```
+
+```toml tab="File (TOML)"
+# Allow encoded slash in the request path.
+[http.middlewares]
+  [http.middlewares.test-encodedchars.encodedCharacters]
+    allowEncodedSlash = true
+```
+
+## Configuration Options
+
+When you are configuring these options, check if your backend is fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986).
+This helps avoid split-view situation, where Traefik and your backend interpret the same URL differently.
+
+| Field                   | Description                                                        | Default | Required |
+|-------------------------|--------------------------------------------------------------------|---------| -------- |
+| <a id="opt-allowEncodedSlash" href="#opt-allowEncodedSlash" title="#opt-allowEncodedSlash">`allowEncodedSlash`</a> | Allow encoded slash (`%2F` and `%2f`) in the request path.         | `false` | No |
+| <a id="opt-allowEncodedBackSlash" href="#opt-allowEncodedBackSlash" title="#opt-allowEncodedBackSlash">`allowEncodedBackSlash`</a> | Allow encoded backslash (`%5C` and `%5c`) in the request path.     | `false` | No |
+| <a id="opt-allowEncodedSemicolon" href="#opt-allowEncodedSemicolon" title="#opt-allowEncodedSemicolon">`allowEncodedSemicolon`</a> | Allow encoded semicolon (`%3B` and `%3b`) in the request path.     | `false` | No |
+| <a id="opt-allowEncodedPercent" href="#opt-allowEncodedPercent" title="#opt-allowEncodedPercent">`allowEncodedPercent`</a> | Allow encoded percent (`%25`) in the request path.                 | `false` | No |
+| <a id="opt-allowEncodedQuestionMark" href="#opt-allowEncodedQuestionMark" title="#opt-allowEncodedQuestionMark">`allowEncodedQuestionMark`</a> | Allow encoded question mark (`%3F` and `%3f`) in the request path. | `false` | No |
+| <a id="opt-allowEncodedHash" href="#opt-allowEncodedHash" title="#opt-allowEncodedHash">`allowEncodedHash`</a> | Allow encoded hash (`%23`) in the request path. | `false` | No |
@@ -53,26 +53,27 @@ spec:

 ## Configuration Options

-| Field      | Description                                                                                                                                                                                                                                                                                                                                     | Default | Required |
-|:-----------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Authentication server address.                                                                                                                                                                                                                                                                                                                  | "" | Yes      |
-| <a id="opt-trustForwardHeader" href="#opt-trustForwardHeader" title="#opt-trustForwardHeader">`trustForwardHeader`</a> | Trust all `X-Forwarded-*` headers. <br/>The trustForwardHeader option is deprecated and will be removed in the next major version. <br/>More information [here](#trustforwardheader)                                                                                                                                                            | false | No      |
-| <a id="opt-authResponseHeaders" href="#opt-authResponseHeaders" title="#opt-authResponseHeaders">`authResponseHeaders`</a> | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.                                                                                                                                                                                                       | [] | No      |
-| <a id="opt-authResponseHeadersRegex" href="#opt-authResponseHeadersRegex" title="#opt-authResponseHeadersRegex">`authResponseHeadersRegex`</a> | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex).                                                                                                                         | "" | No      |
-| <a id="opt-authRequestHeaders" href="#opt-authRequestHeaders" title="#opt-authRequestHeaders">`authRequestHeaders`</a> | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed.                                                                                                          | [] | No      |
-| <a id="opt-addAuthCookiesToResponse" href="#opt-addAuthCookiesToResponse" title="#opt-addAuthCookiesToResponse">`addAuthCookiesToResponse`</a> | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response.                                                                                       | [] | No      |
-| <a id="opt-forwardBody" href="#opt-forwardBody" title="#opt-forwardBody">`forwardBody`</a> | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming.                                                                                                                                                                                                              | false | No      |
-| <a id="opt-maxBodySize" href="#opt-maxBodySize" title="#opt-maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). If left unset, the request body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxbodysize).                                                                     | -1 | No      |
-| <a id="opt-maxResponseBodySize" href="#opt-maxResponseBodySize" title="#opt-maxResponseBodySize">`maxResponseBodySize`</a> | Set the `maxResponseBodySize` to limit the response body size from the authentication server in bytes. If the response body exceeds this limit, it returns a 401 (unauthorized). If left unset, the response body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxresponsebodysize). | -1 | No      |
-| <a id="opt-headerField" href="#opt-headerField" title="#opt-headerField">`headerField`</a> | Defines a header field to store the authenticated user.                                                                                                                                                                                                                                                                                         | "" | No      |
-| <a id="opt-preserveLocationHeader" href="#opt-preserveLocationHeader" title="#opt-preserveLocationHeader">`preserveLocationHeader`</a> | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server.                                                                                                                                                                                                              | false | No      |
-| <a id="opt-preserveRequestMethod" href="#opt-preserveRequestMethod" title="#opt-preserveRequestMethod">`preserveRequestMethod`</a> | Defines whether to preserve the original request method while forwarding the request to the authentication server.                                                                                                                                                                                                                              | false | No      |
-| <a id="opt-tls-ca" href="#opt-tls-ca" title="#opt-tls-ca">`tls.ca`</a> | Sets the path to the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle.                                                                                                                                                                                                      | "" | No |
-| <a id="opt-tls-cert" href="#opt-tls-cert" title="#opt-tls-cert">`tls.cert`</a> | Sets the path to the public certificate used for the secure connection to the authentication server. When using this option, setting the key option is required.                                                                                                                                                                                | "" | No |
-| <a id="opt-tls-key" href="#opt-tls-key" title="#opt-tls-key">`tls.key`</a> | Sets the path to the private key used for the secure connection to the authentication server. When using this option, setting the `cert` option is required.                                                                                                                                                                                    | "" | No |
-| <a id="opt-tls-caSecret" href="#opt-tls-caSecret" title="#opt-tls-caSecret">`tls.caSecret`</a> | Defines the secret that contains the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. **This option is only available for the Kubernetes CRD**.                                                                                                                            | | No |
-| <a id="opt-tls-certSecret" href="#opt-tls-certSecret" title="#opt-tls-certSecret">`tls.certSecret`</a> | Defines the secret that contains both the private and public certificates used for the secure connection to the authentication server. **This option is only available for the Kubernetes CRD**.                                                                                                                                                |  | No |
-| <a id="opt-tls-insecureSkipVerify" href="#opt-tls-insecureSkipVerify" title="#opt-tls-insecureSkipVerify">`tls.insecureSkipVerify`</a> | During TLS connections, if this option is set to `true`, the authentication server will accept any certificate presented by the server regardless of the host names it covers.                                                                                                                                                                  | false | No |
+| Field                                                                                                                                          | Description                                                                                                                                                                                                                                                                 | Default | Required |
+|:-----------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Authentication server address.                                                                                                                                                                                                                                              | "" | Yes      |
+| <a id="opt-trustForwardHeader" href="#opt-trustForwardHeader" title="#opt-trustForwardHeader">`trustForwardHeader`</a> | Trust all `X-Forwarded-*` headers.                                                                                                                                                                                                                                          <br/>The trustForwardHeader option is deprecated and will be removed in the next major version. <br/>More information [here](#trustforwardheader)| false | No      |
+| <a id="opt-authResponseHeaders" href="#opt-authResponseHeaders" title="#opt-authResponseHeaders">`authResponseHeaders`</a> | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.                                                                                                                                   | [] | No      |
+| <a id="opt-authResponseHeadersRegex" href="#opt-authResponseHeadersRegex" title="#opt-authResponseHeadersRegex">`authResponseHeadersRegex`</a> | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex).                                                     | "" | No      |
+| <a id="opt-authRequestHeaders" href="#opt-authRequestHeaders" title="#opt-authRequestHeaders">`authRequestHeaders`</a> | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed.                                      | [] | No      |
+| <a id="opt-addAuthCookiesToResponse" href="#opt-addAuthCookiesToResponse" title="#opt-addAuthCookiesToResponse">`addAuthCookiesToResponse`</a> | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response.                   | [] | No      |
+| <a id="opt-forwardBody" href="#opt-forwardBody" title="#opt-forwardBody">`forwardBody`</a> | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming.                                                                                                                                          | false | No      |
+| <a id="opt-maxBodySize" href="#opt-maxBodySize" title="#opt-maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). If left unset, the request body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxbodysize). | -1 | No      |
+| <a id="opt-maxResponseBodySize" href="#opt-maxResponseBodySize" title="#opt-maxResponseBodySize">`maxResponseBodySize`</a> | Set the `maxResponseBodySize` to limit the response body size from the authentication server in bytes. If the response body exceeds this limit, it returns a 401 (unauthorized). If left unset, the response body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxresponsebodysize).| -1 | No      |
+| <a id="opt-headerField" href="#opt-headerField" title="#opt-headerField">`headerField`</a> | Defines a header field to store the authenticated user.                                                                                                                                                                                                                     | "" | No      |
+| <a id="opt-preserveLocationHeader" href="#opt-preserveLocationHeader" title="#opt-preserveLocationHeader">`preserveLocationHeader`</a> | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server.                                                                                                                                          | false | No      |
+| <a id="opt-preserveRequestMethod" href="#opt-preserveRequestMethod" title="#opt-preserveRequestMethod">`preserveRequestMethod`</a> | Defines whether to preserve the original request method while forwarding the request to the authentication server.                                                                                                                                                          | false | No      |
+| <a id="opt-authSigninURL" href="#opt-authSigninURL" title="#opt-authSigninURL">`authSigninURL`</a> | Specifies the URL to redirect to when the authentication server returns 401 Unauthorized.                                                                                                                                                                                   | "" | No      |
+| <a id="opt-tls-ca" href="#opt-tls-ca" title="#opt-tls-ca">`tls.ca`</a> | Sets the path to the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle.                                                                                                                                  | "" | No |
+| <a id="opt-tls-cert" href="#opt-tls-cert" title="#opt-tls-cert">`tls.cert`</a> | Sets the path to the public certificate used for the secure connection to the authentication server. When using this option, setting the key option is required.                                                                                                            | "" | No |
+| <a id="opt-tls-key" href="#opt-tls-key" title="#opt-tls-key">`tls.key`</a> | Sets the path to the private key used for the secure connection to the authentication server. When using this option, setting the `cert` option is required.                                                                                                                | "" | No |
+| <a id="opt-tls-caSecret" href="#opt-tls-caSecret" title="#opt-tls-caSecret">`tls.caSecret`</a> | Defines the secret that contains the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. **This option is only available for the Kubernetes CRD**.                                                        | | No |
+| <a id="opt-tls-certSecret" href="#opt-tls-certSecret" title="#opt-tls-certSecret">`tls.certSecret`</a> | Defines the secret that contains both the private and public certificates used for the secure connection to the authentication server. **This option is only available for the Kubernetes CRD**.                                                                            |  | No |
+| <a id="opt-tls-insecureSkipVerify" href="#opt-tls-insecureSkipVerify" title="#opt-tls-insecureSkipVerify">`tls.insecureSkipVerify`</a> | During TLS connections, if this option is set to `true`, the authentication server will accept any certificate presented by the server regardless of the host names it covers.                                                                                              | false | No |

 ### authResponseHeadersRegex

@@ -54,12 +54,12 @@ spec:

 ## Configuration Options

-| Field      | Description     | Default | Required |
-|:-----------|:------------------------------|:--------|:---------|
-| <a id="opt-sourceRange" href="#opt-sourceRange" title="#opt-sourceRange">`sourceRange`</a> | List of allowed IPs (or ranges of allowed IPs by using CIDR notation). |      | Yes      |
-| <a id="opt-ipStrategy-depth" href="#opt-ipStrategy-depth" title="#opt-ipStrategy-depth">`ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0      | No      |
-| <a id="opt-ipStrategy-excludedIPs" href="#opt-ipStrategy-excludedIPs" title="#opt-ipStrategy-excludedIPs">`ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
-| <a id="opt-ipStrategy-ipv6Subnet" href="#opt-ipStrategy-ipv6Subnet" title="#opt-ipStrategy-ipv6Subnet">`ipStrategy.ipv6Subnet`</a> |  If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
+| Field      | Description                                                                                                                                                                                                                                                                                                                                                                                                         | Default | Required |
+|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-sourceRange" href="#opt-sourceRange" title="#opt-sourceRange">`sourceRange`</a> | List of allowed IPs (or ranges of allowed IPs by using CIDR notation).                                                                                                                                                                                                                                                                                                                                              |      | Yes      |
+| <a id="opt-ipStrategy-depth" href="#opt-ipStrategy-depth" title="#opt-ipStrategy-depth">`ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy`](#ipstrategy), and [`depth`](#example-of-depth-x-forwarded-for) below.      | 0      | No      |
+| <a id="opt-ipStrategy-excludedIPs" href="#opt-ipStrategy-excludedIPs" title="#opt-ipStrategy-excludedIPs">`ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy`](#ipstrategy), and [`excludedIPs`](#example-of-excludedips-x-forwarded-for) below.                                                                                                                                  |       | No      |
+| <a id="opt-ipStrategy-ipv6Subnet" href="#opt-ipStrategy-ipv6Subnet" title="#opt-ipStrategy-ipv6Subnet">`ipStrategy.ipv6Subnet`</a> | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips-x-forwarded-for) below.                                                                                                                                    |       | No      |

 ### ipStrategy

@@ -5,7 +5,14 @@ description: "There are several available middleware in Traefik Proxy used to mo

 # HTTP Middleware Overview

-Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
+Attached to [routers](../routing/router.md) or [services](../load-balancing/service.md), pieces of middleware are a means of tweaking the requests before they are sent to your backend servers (or before the answer is sent to the clients).
+
+Middlewares can be attached at two levels:
+
+- **Router-level:** Applied to all requests matching the router's rule, before forwarding to the service.
+- **Service-level:** Applied to all requests handled by the service, regardless of which router forwards the request. See [service middlewares](../load-balancing/service.md#middlewares).
+
+When both are configured, router middlewares execute first, followed by service middlewares.

 There are several available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

@@ -18,8 +25,8 @@ Middlewares that use the same protocol can be combined into chains to fit every

 ## Available HTTP Middlewares

-| Middleware                                | Purpose                                           | Area                        |
-|-------------------------------------------|---------------------------------------------------|-----------------------------|
+| Middleware                                                                                                                               | Purpose                                           | Area                        |
+|------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|-----------------------------|
 | <a id="opt-AddPrefix" href="#opt-AddPrefix" title="#opt-AddPrefix">[AddPrefix](addprefix.md)</a> | Adds a Path Prefix                                | Path Modifier               |
 | <a id="opt-BasicAuth" href="#opt-BasicAuth" title="#opt-BasicAuth">[BasicAuth](basicauth.md)</a> | Adds Basic Authentication                         | Security, Authentication    |
 | <a id="opt-Buffering" href="#opt-Buffering" title="#opt-Buffering">[Buffering](buffering.md)</a> | Buffers the request/response                      | Request Lifecycle           |
@@ -28,6 +35,7 @@ Middlewares that use the same protocol can be combined into chains to fit every
 | <a id="opt-Compress" href="#opt-Compress" title="#opt-Compress">[Compress](compress.md)</a> | Compresses the response                           | Content Modifier            |
 | <a id="opt-ContentType" href="#opt-ContentType" title="#opt-ContentType">[ContentType](contenttype.md)</a> | Handles Content-Type auto-detection               | Misc                        |
 | <a id="opt-DigestAuth" href="#opt-DigestAuth" title="#opt-DigestAuth">[DigestAuth](digestauth.md)</a> | Adds Digest Authentication                        | Security, Authentication    |
+| <a id="opt-EncodedCharacters" href="#opt-EncodedCharacters" title="#opt-EncodedCharacters">[EncodedCharacters](encodedcharacters.md)</a> | Defines allowed reserved encoded characters in the request path | Security, Request Lifecycle           |
 | <a id="opt-Errors" href="#opt-Errors" title="#opt-Errors">[Errors](errorpages.md)</a> | Defines custom error pages                        | Request Lifecycle           |
 | <a id="opt-ForwardAuth" href="#opt-ForwardAuth" title="#opt-ForwardAuth">[ForwardAuth](forwardauth.md)</a> | Delegates Authentication                          | Security, Authentication    |
 | <a id="opt-GrpcWeb" href="#opt-GrpcWeb" title="#opt-GrpcWeb">[GrpcWeb](grpcweb.md)</a> | Converts gRPC Web requests to HTTP/2 gRPC requests.                           | Request                   |
@@ -18,6 +18,13 @@ http:
      retry:
        attempts: 4
        initialInterval: 100ms
+        timeout: 60s
+        maxRequestBodyBytes: 1024
+        status: 
+          - "400"
+          - "500-599"
+        disableRetryOnNetworkError: true
+        retryNonIdempotentMethod: true
 ```

 ```toml tab="Structured (TOML)"
@@ -26,6 +33,11 @@ http:
  [http.middlewares.test-retry.retry]
    attempts = 4
    initialInterval = "100ms"
+    timeout = "60s"
+    maxRequestBodyBytes = 1024
+    status = ["400","500-599"]
+    disableRetryOnNetworkError = true
+    retryNonIdempotentMethod = true
 ```

 ```yaml tab="Labels"
@@ -33,6 +45,11 @@ http:
 labels:
  - "traefik.http.middlewares.test-retry.retry.attempts=4"
  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+  - "traefik.http.middlewares.test-retry.retry.timeout=60s"
+  - "traefik.http.middlewares.test-retry.retry.maxrequestbodybytes=1024"
+  - "traefik.http.middlewares.test-retry.retry.status=400,500-599"
+  - "traefik.http.middlewares.test-retry.retry.disableretryonnetworkerror=true"
+  - "traefik.http.middlewares.test-retry.retry.retrynonidempotentmethod=true"
 ```

 ```json tab="Tags"
@@ -42,7 +59,12 @@ labels:
  // ...
  "Tags" : [
    "traefik.http.middlewares.test-retry.retry.attempts=4",
-    "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+    "traefik.http.middlewares.test-retry.retry.initialinterval=100ms",
+    "traefik.http.middlewares.test-retry.retry.timeout=60s",
+    "traefik.http.middlewares.test-retry.retry.maxrequestbodybytes=1024",
+    "traefik.http.middlewares.test-retry.retry.status=400,500-599",
+    "traefik.http.middlewares.test-retry.retry.disableretryonnetworkerror=true",
+    "traefik.http.middlewares.test-retry.retry.retrynonidempotentmethod=true"
  ]
 }

@@ -58,6 +80,13 @@ spec:
  retry:
    attempts: 4
    initialInterval: 100ms
+    timeout: 60s
+    maxRequestBodyBytes: 1024
+    status: 
+      - "400"
+      - "500-599"
+    disableRetryOnNetworkError: true
+    retryNonIdempotentMethod: true
 ```

 ## Configuration Options
@@ -66,3 +95,49 @@ spec:
 |:------|:------------|:--------|:---------|
 | <a id="opt-attempts" href="#opt-attempts" title="#opt-attempts">`attempts`</a> | number of times the request should be retried. |  | Yes |
 | <a id="opt-initialInterval" href="#opt-initialInterval" title="#opt-initialInterval">`initialInterval`</a> | First wait time in the exponential backoff series. <br />The maximum interval is calculated as twice the `initialInterval`. <br /> If unspecified, requests will be retried immediately.<br /> Defined in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). | 0 | No |
+| <a id="opt-timeout" href="#opt-timeout" title="#opt-timeout">`timeout`</a> | How much time the middleware is allowed to retry the request. <br /> Defined in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). | 0 | No |
+| <a id="opt-maxRequestBodyBytes" href="#opt-maxRequestBodyBytes" title="#opt-maxRequestBodyBytes">`maxRequestBodyBytes`</a> | Defines the maximum size for the request body. <br/>More information [here](#maxrequestbodybytes). | 2MB | No |
+| <a id="opt-status" href="#opt-status" title="#opt-status">`status`</a> | Defines the range of HTTP status codes to retry on. <br/>More information [here](#disableretryonnetworkerror-and-status). | [] | No |
+| <a id="opt-disableRetryOnNetworkError" href="#opt-disableRetryOnNetworkError" title="#opt-disableRetryOnNetworkError">`disableRetryOnNetworkError`</a> | This option disables the retry if an error occurs when transmitting the request to the server. <br/>More information [here](#disableretryonnetworkerror-and-status).  | false | No |
+| <a id="opt-retryNonIdempotentMethod" href="#opt-retryNonIdempotentMethod" title="#opt-retryNonIdempotentMethod">`retryNonIdempotentMethod`</a> | Activates the retry for non-idempotent methods (`POST`, `LOCK`, `PATCH`) | false | No |
+
+### maxRequestBodyBytes
+
+The `maxRequestBodyBytes` option controls the maximum size of request bodies that will be sent to the server.
+
+**⚠️ Important Security Consideration**
+
+When `maxRequestBodyBytes` is set to `-1`, it means there is no limit for request body size. This can have significant security and performance implications:
+
+- **Security Risk**: Attackers can send extremely large request bodies, potentially causing DoS attacks or memory exhaustion
+- **Performance Impact**: Large request bodies consume memory and processing resources, affecting overall system performance
+- **Resource Consumption**: Unlimited body size can lead to unexpected resource usage patterns
+
+**Recommended Configuration**
+
+It is strongly recommended to set an appropriate `maxRequestBodyBytes` value for your use case:
+
+```yaml
+# For most web applications (1MB limit)
+maxRequestBodyBytes: 1048576  # 1MB in bytes
+
+# For API endpoints expecting larger payloads (10MB limit)  
+maxRequestBodyBytes: 10485760  # 10MB in bytes
+
+# For file upload authentication (100MB limit)
+maxRequestBodyBytes: 104857600  # 100MB in bytes
+```
+
+**Guidelines for Setting `maxRequestBodyBytes`**
+
+- **Web Forms**: 1-5MB is typically sufficient for most form submissions
+- **API Endpoints**: Consider your largest expected JSON/XML payload + buffer
+- **File Uploads**: Set based on your maximum expected file size
+- **High-Traffic Services**: Use smaller limits to prevent resource exhaustion
+
+## disableRetryOnNetworkError and status
+
+The `disableRetryOnNetworkError` option disables the retry if an error occurs when transmitting the request to the server, at the TCP layer.
+However, if you want to retry only for specific HTTP status codes, you can configure the `status` option with the relevant status codes to retry on.
+
+If `disableRetryOnNetworkError` is set to `true`, you must define the `status` option. Otherwise, the middleware will raise a configuration error.
@@ -24,7 +24,7 @@ The table below lists all the available matchers:
 |-----------------------------------------------------------------|:-------------------------------------------------------------------------------|
 | <a id="opt-Headerkey-value" href="#opt-Headerkey-value" title="#opt-Headerkey-value">[```Header(`key`, `value`)```](#header-and-headerregexp)</a> | Matches requests containing a header named `key` set to `value`.               |
 | <a id="opt-HeaderRegexpkey-regexp" href="#opt-HeaderRegexpkey-regexp" title="#opt-HeaderRegexpkey-regexp">[```HeaderRegexp(`key`, `regexp`)```](#header-and-headerregexp)</a> | Matches requests containing a header named `key` matching `regexp`.            |
-| <a id="opt-Hostdomain" href="#opt-Hostdomain" title="#opt-Hostdomain">[```Host(`domain`)```](#host-and-hostregexp)</a> | Matches requests host set to `domain`.                                         |
+| <a id="opt-Hostdomain" href="#opt-Hostdomain" title="#opt-Hostdomain">[```Host(`domain`)```](#host-and-hostregexp)</a> | Matches requests host set to `domain`. Supports wildcard subdomain matching (e.g. `*.example.com`). |
 | <a id="opt-HostRegexpregexp" href="#opt-HostRegexpregexp" title="#opt-HostRegexpregexp">[```HostRegexp(`regexp`)```](#host-and-hostregexp)</a> | Matches requests host matching `regexp`.                                       |
 | <a id="opt-Methodmethod" href="#opt-Methodmethod" title="#opt-Methodmethod">[```Method(`method`)```](#method)</a> | Matches requests method set to `method`.                                       |
 | <a id="opt-Pathpath" href="#opt-Pathpath" title="#opt-Pathpath">[```Path(`path`)```](#path-pathprefix-and-pathregexp)</a> | Matches requests path set to `path`.                                           |
@@ -54,6 +54,15 @@ If no `Host` is set in the request URL (for example, it's an IP address), these

 These matchers will match the request's host in lowercase.

+!!! info "Wildcard subdomain matching"
+
+    The `Host` matcher supports a single-level wildcard prefix (`*.example.com`) to match any direct subdomain of `example.com`.
+    It should be preferred over the `HostRegexp` matcher as it allows attaching a TLS option and is more efficient.
+
+    A wildcard matches exactly one subdomain label: `*.example.com` matches `foo.example.com` but not `foo.bar.example.com` or `example.com` itself.    
+
+    This is only available with the **v3 rule syntax** (the default).
+
 | Behavior                                                        | Rule                                                                    |
 |-----------------------------------------------------------------|:------------------------------------------------------------------------|
 | <a id="opt-Match-requests-with-Host-set-to-example-com" href="#opt-Match-requests-with-Host-set-to-example-com" title="#opt-Match-requests-with-Host-set-to-example-com">Match requests with `Host` set to `example.com`.</a> | ```Host(`example.com`)``` |
@@ -232,6 +241,12 @@ Traefik reserves a range of priorities for its internal routers, the maximum use
 - `(MaxInt32 - 1000)` = `2147482647` for 32-bit platforms,
 - `(MaxInt64 - 1000)` = `9223372036854774807` for 64-bit platforms.

+!!! info "Providers Precedence"
+
+    When two routes from **different providers** share the same numeric priority,
+    Traefik uses the [`providers.precedence`](../../../install-configuration/providers/overview.md#providers-precedence) install configuration option to determine which route takes precedence.
+    The provider listed first in `precedence` wins the tie.
+
 ### Example

 ```yaml tab="Structured (YAML)"
@@ -21,6 +21,7 @@ metadata:
  namespace: apps

 spec:
+  ingressClassName: traefik-lb
  entryPoints:
    - web
  parentRefs:
@@ -79,6 +80,7 @@ spec:

 | Field                                                                                                                                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                      | Default | Required |
 |:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-ingressClassName" href="#opt-ingressClassName" title="#opt-ingressClassName">`ingressClassName`</a> | Defines the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) cluster resource to use. It replaces the deprecated `kubernetes.io/ingress.class` annotation.<br />The spec field takes precedence over the annotation.                                                                                                               |         | No       |
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of [entry points](../../../../install-configuration/entrypoints.md) names.<br />If not specified, HTTP routers will accept requests from all EntryPoints in the list of default EntryPoints.                                                                                                                                                                                |         | No       |
 | <a id="opt-parentRefs" href="#opt-parentRefs" title="#opt-parentRefs">`parentRefs`</a> | List of references to parent IngressRoute resources for multi-layer routing. When specified, this IngressRoute's routers become children of the referenced parent IngressRoute's routers. See [Multi-Layer Routing](#multi-layer-routing-with-ingressroutes) section for details.                                                                                                |         | No       |
 | <a id="opt-parentRefsn-name" href="#opt-parentRefsn-name" title="#opt-parentRefsn-name">`parentRefs[n].name`</a> | Name of the referenced parent IngressRoute resource.                                                                                                                                                                                                                                                                                                                             |         | Yes      |
@@ -67,6 +67,21 @@ spec:
 | <a id="opt-serverstransport-forwardingTimeouts-idleConnTimeout" href="#opt-serverstransport-forwardingTimeouts-idleConnTimeout" title="#opt-serverstransport-forwardingTimeouts-idleConnTimeout">`serverstransport.`<br />`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />Zero means no timeout. | 90s  | No |
 | <a id="opt-serverstransport-spiffe-ids" href="#opt-serverstransport-spiffe-ids" title="#opt-serverstransport-spiffe-ids">`serverstransport.`<br />`spiffe.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. |  | No |
 | <a id="opt-serverstransport-spiffe-trustDomain" href="#opt-serverstransport-spiffe-trustDomain" title="#opt-serverstransport-spiffe-trustDomain">`serverstransport.`<br />`spiffe.trustDomain`</a> | Allow SPIFFE trust domain. | ""  | No |
+| <a id="opt-serverstransport-serverName-2" href="#opt-serverstransport-serverName-2" title="#opt-serverstransport-serverName-2">`serverstransport.`<br />`serverName`</a> | Defines the server name that will be used for SNI. |  | No |
+| <a id="opt-serverstransport-insecureSkipVerify-2" href="#opt-serverstransport-insecureSkipVerify-2" title="#opt-serverstransport-insecureSkipVerify-2">`serverstransport.`<br />`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false  | No |
+| <a id="opt-serverstransport-rootcas-2" href="#opt-serverstransport-rootcas-2" title="#opt-serverstransport-rootcas-2">`serverstransport.`<br />`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). |  | No |
+| <a id="opt-serverstransport-certificatesSecrets-2" href="#opt-serverstransport-certificatesSecrets-2" title="#opt-serverstransport-certificatesSecrets-2">`serverstransport.`<br />`certificatesSecrets`</a> | Certificates to present to the server for mTLS. |  | No |
+| <a id="opt-serverstransport-cipherSuites" href="#opt-serverstransport-cipherSuites" title="#opt-serverstransport-cipherSuites">`serverstransport.`<br />`cipherSuites`</a> | Defines the cipher suites to use when contacting backend servers. | [] | No |
+| <a id="opt-serverstransport-minVersion" href="#opt-serverstransport-minVersion" title="#opt-serverstransport-minVersion">`serverstransport.`<br />`minVersion`</a> | Defines the minimum TLS version to use when contacting backend servers. | "" | No |
+| <a id="opt-serverstransport-maxVersion" href="#opt-serverstransport-maxVersion" title="#opt-serverstransport-maxVersion">`serverstransport.`<br />`maxVersion`</a> | Defines the maximum TLS version to use when contacting backend servers. | "" | No |
+| <a id="opt-serverstransport-maxIdleConnsPerHost-2" href="#opt-serverstransport-maxIdleConnsPerHost-2" title="#opt-serverstransport-maxIdleConnsPerHost-2">`serverstransport.`<br />`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
+| <a id="opt-serverstransport-disableHTTP2-2" href="#opt-serverstransport-disableHTTP2-2" title="#opt-serverstransport-disableHTTP2-2">`serverstransport.`<br />`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
+| <a id="opt-serverstransport-peerCertURI-2" href="#opt-serverstransport-peerCertURI-2" title="#opt-serverstransport-peerCertURI-2">`serverstransport.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
+| <a id="opt-serverstransport-forwardingTimeouts-dialTimeout-2" href="#opt-serverstransport-forwardingTimeouts-dialTimeout-2" title="#opt-serverstransport-forwardingTimeouts-dialTimeout-2">`serverstransport.`<br />`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />Zero means no timeout. | 30s  | No |
+| <a id="opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2" href="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2" title="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2">`serverstransport.`<br />`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />Zero means no timeout | 0s  | No |
+| <a id="opt-serverstransport-forwardingTimeouts-idleConnTimeout-2" href="#opt-serverstransport-forwardingTimeouts-idleConnTimeout-2" title="#opt-serverstransport-forwardingTimeouts-idleConnTimeout-2">`serverstransport.`<br />`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />Zero means no timeout. | 90s  | No |
+| <a id="opt-serverstransport-spiffe-ids-2" href="#opt-serverstransport-spiffe-ids-2" title="#opt-serverstransport-spiffe-ids-2">`serverstransport.`<br />`spiffe.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. |  | No |
+| <a id="opt-serverstransport-spiffe-trustDomain-2" href="#opt-serverstransport-spiffe-trustDomain-2" title="#opt-serverstransport-spiffe-trustDomain-2">`serverstransport.`<br />`spiffe.trustDomain`</a> | Allow SPIFFE trust domain. | ""  | No |

 !!! note "CA Secret"
    The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.
@@ -48,6 +48,10 @@ spec:
          name: cookie
          secure: true
      strategy: wrr
+      # Attach middlewares to this service
+      middlewares:
+        - name: my-middleware
+          namespace: apps
 ```

 ```yaml tab="TraefikService"
@@ -80,36 +84,39 @@ spec:

 ## Configuration Options

-| Field                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Default                                                              | Required |
-|:---------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
-| <a id="opt-kind" href="#opt-kind" title="#opt-kind">`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                             | "Service"                                                            | No       |
-| <a id="opt-name" href="#opt-name" title="#opt-name">`name`</a> | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                      | Yes      |
-| <a id="opt-namespace" href="#opt-namespace" title="#opt-namespace">`namespace`</a> | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                                              |                                                                      | No       |
-| <a id="opt-port" href="#opt-port" title="#opt-port">`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                      | No       |
-| <a id="opt-responseForwarding-flushInterval" href="#opt-responseForwarding-flushInterval" title="#opt-responseForwarding-flushInterval">`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                               | 100ms                                                                | No       |
-| <a id="opt-scheme" href="#opt-scheme" title="#opt-scheme">`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                         | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
-| <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                     | ""                                                                   | No       |
-| <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | true                                                                 | No       |
-| <a id="opt-healthCheck-scheme" href="#opt-healthCheck-scheme" title="#opt-healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
-| <a id="opt-healthCheck-mode" href="#opt-healthCheck-mode" title="#opt-healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                             | "http"                                                               | No       |
-| <a id="opt-healthCheck-path" href="#opt-healthCheck-path" title="#opt-healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint. <br />The configured path must be relative URL. <br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                             | ""                                                                   | No       |
-| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                              | "100ms"                                                              | No       |
-| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                | "100ms"                                                              | No       |
-| <a id="opt-healthCheck-method" href="#opt-healthCheck-method" title="#opt-healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                            | "GET"                                                                | No       |
-| <a id="opt-healthCheck-status" href="#opt-healthCheck-status" title="#opt-healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                   |                                                                      | No       |
-| <a id="opt-healthCheck-port" href="#opt-healthCheck-port" title="#opt-healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                               |                                                                      | No       |
-| <a id="opt-healthCheck-timeout" href="#opt-healthCheck-timeout" title="#opt-healthCheck-timeout">`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                     | "5s"                                                                 | No       |
-| <a id="opt-healthCheck-hostname" href="#opt-healthCheck-hostname" title="#opt-healthCheck-hostname">`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                 | ""                                                                   | No       |
-| <a id="opt-healthCheck-followRedirect" href="#opt-healthCheck-followRedirect" title="#opt-healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | true                                                                 | No       |
-| <a id="opt-healthCheck-headers" href="#opt-healthCheck-headers" title="#opt-healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)).                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
-| <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | ""                                                                   | No       |
-| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
-| <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                       | false                                                                | No       |
-| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                              | ""                                                                   | No       |
-| <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                       | 0                                                                    | No       |
-| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                              | "RoundRobin"                                                         | No       |
-| <a id="opt-nativeLB" href="#opt-nativeLB" title="#opt-nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                               | false                                                                | No       |
-| <a id="opt-nodePortLB" href="#opt-nodePortLB" title="#opt-nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
+| Field                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Default                                                              | Required |
+|:---------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
+| <a id="opt-kind" href="#opt-kind" title="#opt-kind">`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                  | "Service"                                                            | No       |
+| <a id="opt-name" href="#opt-name" title="#opt-name">`name`</a> | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                      | Yes      |
+| <a id="opt-namespace" href="#opt-namespace" title="#opt-namespace">`namespace`</a> | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
+| <a id="opt-port" href="#opt-port" title="#opt-port">`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                      | No       |
+| <a id="opt-responseForwarding-flushInterval" href="#opt-responseForwarding-flushInterval" title="#opt-responseForwarding-flushInterval">`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                    | 100ms                                                                | No       |
+| <a id="opt-scheme" href="#opt-scheme" title="#opt-scheme">`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                              | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
+| <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                          | ""                                                                   | No       |
+| <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | true                                                                 | No       |
+| <a id="opt-healthCheck-scheme" href="#opt-healthCheck-scheme" title="#opt-healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
+| <a id="opt-healthCheck-mode" href="#opt-healthCheck-mode" title="#opt-healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                  | "http"                                                               | No       |
+| <a id="opt-healthCheck-path" href="#opt-healthCheck-path" title="#opt-healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                             | ""                                                                   | No       |
+| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                   | "100ms"                                                              | No       |
+| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                     | "100ms"                                                              | No       |
+| <a id="opt-healthCheck-method" href="#opt-healthCheck-method" title="#opt-healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                 | "GET"                                                                | No       |
+| <a id="opt-healthCheck-status" href="#opt-healthCheck-status" title="#opt-healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                        |                                                                      | No       |
+| <a id="opt-healthCheck-port" href="#opt-healthCheck-port" title="#opt-healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                    |                                                                      | No       |
+| <a id="opt-healthCheck-timeout" href="#opt-healthCheck-timeout" title="#opt-healthCheck-timeout">`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                          | "5s"                                                                 | No       |
+| <a id="opt-healthCheck-hostname" href="#opt-healthCheck-hostname" title="#opt-healthCheck-hostname">`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| <a id="opt-healthCheck-followRedirect" href="#opt-healthCheck-followRedirect" title="#opt-healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                           | true                                                                 | No       |
+| <a id="opt-healthCheck-headers" href="#opt-healthCheck-headers" title="#opt-healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)).                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
+| <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**.      | ""                                                                   | No       |
+| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                      | false                                                                | No       |
+| <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                            | false                                                                | No       |
+| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                   | ""                                                                   | No       |
+| <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                            | 0                                                                    | No       |
+| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                   | "RoundRobin"                                                         | No       |
+| <a id="opt-nativeLB" href="#opt-nativeLB" title="#opt-nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                    | false                                                                | No       |
+| <a id="opt-nodePortLB" href="#opt-nodePortLB" title="#opt-nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                      | false                                                                | No       |
+| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | List of references to [Middleware](./middleware.md) resources to apply to the service.<br />The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.<br />Evaluated only if the kind is **Service**.<br />More information [here](#middlewares).                                                                                                                                                                                                                                             |                                                                      | No       |
+| <a id="opt-middlewaresn-name" href="#opt-middlewaresn-name" title="#opt-middlewaresn-name">`middlewares[n].name`</a> | Middleware name.<br />The character `@` is not authorized.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                      | Yes      |
+| <a id="opt-middlewaresn-namespace" href="#opt-middlewaresn-namespace" title="#opt-middlewaresn-namespace">`middlewares[n].namespace`</a> | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute.                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                      | No       |


 ### ExternalName Service
@@ -419,6 +426,61 @@ spec:
          ...
        ```

+### Middlewares
+
+You can attach a list of [middlewares](./middleware.md) to each service.
+The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.
+
+For more information on service-level middlewares, see [service middlewares](../../../http/load-balancing/service.md#middlewares).
+
+??? example "Attaching Middlewares to a Service"
+
+    ```yaml tab="IngressRoute"
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: test-name
+      namespace: default
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - kind: Rule
+          match: Host(`example.com`)
+          services:
+            - kind: Service
+              name: whoami
+              port: 80
+              middlewares:
+                - name: add-header
+                  namespace: default
+    ```
+
+    ```yaml tab="Middleware"
+    apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: add-header
+      namespace: default
+    spec:
+      headers:
+        customRequestHeaders:
+          X-Custom-Header: "service-middleware"
+    ```
+
+    ```yaml tab="Whoami Service"
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: whoami
+      namespace: default
+    spec:
+      ports:
+        - port: 80
+      selector:
+        app: whoami
+    ```
+
 ### Configuring Backend Protocol

 There are 3 ways to configure the backend protocol for communication between Traefik and your pods:
@@ -3,13 +3,14 @@ title: "Traefik Kubernetes Services Documentation"
 description: "Learn how to configure routing and load balancing in Traefik Proxy to reach Services, which handle incoming requests. Read the technical documentation."
 --- 

-A `TraefikService` is a custom resource that sits on top of the Kubernetes Services. It enables advanced load-balancing features such as a [Weighted Round Robin](#weighted-round-robin) load balancing, a [Highest Random Weight](#highest-random-weight) load balancing, or a [Mirroring](#mirroring) between your Kubernetes Services.
+A `TraefikService` is a custom resource that sits on top of the Kubernetes Services. It enables advanced load-balancing features such as a [Weighted Round Robin](#weighted-round-robin) load balancing, a [Highest Random Weight](#highest-random-weight) load balancing, a [Mirroring](#mirroring), or a [Failover](#failover) between your Kubernetes Services.

 Services configure how to reach the actual endpoints that will eventually handle incoming requests. In Traefik, the target service can be either a standard [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)—which exposes a pod—or a TraefikService. The latter allows you to combine advanced load-balancing options like:

 - [Weighted Round Robin load balancing](#weighted-round-robin).
 - [Highest Random Weight load balancing](#highest-random-weight).
- [Mirroring](#mirroring). 
+- [Mirroring](#mirroring).
+- [Failover](#failover).

 ## Weighted Round Robin

@@ -507,3 +508,143 @@ The mirrorerd service dedicated option are described below.
 | Field                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Default                                                              | Required |
 |:--------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
 | <a id="opt-mirrorsm-percent" href="#opt-mirrorsm-percent" title="#opt-mirrorsm-percent">`mirrors[m].percent`</a> | Traffic percentage to route to the service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 0                                                                   | No       |
+
+## Failover
+
+The failover service forwards all requests to a fallback service when the main service responds with specific HTTP status codes defined in the `errors` configuration.
+
+!!! Failover on Heathcheck Status
+
+    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../../install-configuration/providers/others/file.md).
+
+### Configuration Examples
+
+```yaml tab="IngressRoute"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: test-name
+  namespace: apps
+
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: Host(`example.com`) && PathPrefix(`/foo`)
+    kind: Rule
+    services:
+    # Set a Failover TraefikService
+    - name: failover1
+      namespace: apps
+      kind: TraefikService
+```
+
+```yaml tab="Failover from Kubernetes Services"
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: failover1
+  namespace: apps
+
+spec:
+  failover:
+    service:
+      name: svc1
+      port: 80
+    fallback:
+      name: svc2
+      port: 80
+    errors:
+      status:
+        - "500-503"
+        - "429"
+```
+
+```yaml tab="Failover from TraefikService (WRR)"
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: failover1
+  namespace: apps
+
+spec:
+  failover:
+    service:
+      name: wrr1
+      kind: TraefikService
+    fallback:
+      name: wrr2
+      kind: TraefikService
+    errors:
+      status:
+        - "500-503"
+```
+
+```yaml tab="Failover with maxRequestBodyBytes"
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: failover1
+  namespace: apps
+
+spec:
+  failover:
+    service:
+      name: svc1
+      port: 80
+    fallback:
+      name: svc2
+      port: 80
+    errors:
+      status:
+        - "500-503"
+        - "429"
+      maxRequestBodyBytes: 1048576
+```
+
+```yaml tab="Kubernetes Services"
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc1
+  namespace: apps
+
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: traefiklabs
+    task: app1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc2
+  namespace: apps
+
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: traefiklabs
+    task: app2
+```
+
+### Configuration Options
+
+#### Main Service and Fallback Options
+
+The `service` and `fallback` fields each define a target service using the same options as a [`Service`](./service.md).
+
+The exhaustive list of the service options is described in the [`Service`](./service.md#configuration-options) documentation.
+
+#### Failover Dedicated Options
+
+| Field                                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default                                                              | Required |
+|:---------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
+| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | Main service to forward requests to. Provides the same options as a [`Service`](./service.md).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                                      | Yes      |
+| <a id="opt-fallback" href="#opt-fallback" title="#opt-fallback">`fallback`</a> | Fallback service to use when the main service returns matching error status codes. Provides the same options as a [`Service`](./service.md).                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                      | Yes      |
+| <a id="opt-errors-status" href="#opt-errors-status" title="#opt-errors-status">`errors.status`</a> | List of HTTP status code ranges for which the fallback service should be used.<br />Each entry can be a single code (e.g. `"429"`) or a range (e.g. `"500-503"`).                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
+| <a id="opt-errors-maxRequestBodyBytes" href="#opt-errors-maxRequestBodyBytes" title="#opt-errors-maxRequestBodyBytes">`errors.`<br />`maxRequestBodyBytes`</a> | Maximum size allowed for the body of the request.<br />If the body is larger, the request is not replayed to the fallback service.<br />-1 means unlimited size.                                                                                                                                                                                                                                                                                                                                                                                                                                                    | -1                                                                   | No       |
@@ -24,6 +24,7 @@ metadata:
  namespace: apps

 spec:
+  ingressClassName: traefik-lb
  entryPoints:
    - footcp
  routes:
@@ -58,6 +59,7 @@ spec:

 | Field                                | Description                                                                                                                                                                                                                                                                                  | Default                                   | Required |
 |-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|-----------------------|
+| <a id="opt-ingressClassName" href="#opt-ingressClassName" title="#opt-ingressClassName">`ingressClassName`</a> | Defines the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) cluster resource to use. It replaces the deprecated `kubernetes.io/ingress.class` annotation.<br />The spec field takes precedence over the annotation. | | No |
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names.                                                                                                                                                                                                                                                                   | | No |
 | <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes.                                                                                                                                                                                                                                                                              | | Yes |
 | <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/routing/rules-and-priority.md#rules) of the underlying router.                                                                                                                                                                                               | | Yes |
@@ -18,6 +18,7 @@ metadata:
  name: ingressrouteudpfoo
  namespace: apps
 spec:
+  ingressClassName: traefik-lb
  entryPoints:
    - fooudp  # The entry point where Traefik listens for incoming traffic.
  routes:
@@ -32,6 +33,7 @@ spec:

 | Field  |  Description | Default  | Required |
 |------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
+| <a id="opt-ingressClassName" href="#opt-ingressClassName" title="#opt-ingressClassName">`ingressClassName`</a> | Defines the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) cluster resource to use. It replaces the deprecated `kubernetes.io/ingress.class` annotation.<br />The spec field takes precedence over the annotation. | | No |
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names.  | | No |
 | <a id="opt-routes" href="#opt-routes" title="#opt-routes">` routes `</a> | List of routes.  | | Yes |
 | <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. See [here](#externalname-service) for `ExternalName Service` setup. | | No |
@@ -8,11 +8,11 @@ description: "The Kubernetes Gateway API can be used as a provider for routing a
 When using the Kubernetes Gateway API provider, Traefik leverages the Gateway API Custom Resource Definitions (CRDs) to obtain its routing configuration. 
 For detailed information on the Gateway API concepts and resources, refer to the official [documentation](https://gateway-api.sigs.k8s.io/).

-The Kubernetes Gateway API provider supports version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the specification.
+The Kubernetes Gateway API provider supports version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the specification.

-It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, and `GRPCRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute`, and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels). 
+It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, `GRPCRoute`, and `TLSRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute` from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).


 ## Deploying a Gateway
@@ -110,6 +110,36 @@ data:
    LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRUUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Nzd2dna25BZ0VBQW9JQ0FRQ1pNNm1WNUJkV2V0QzYKbXZ6dGFQaGxTY2dJY253emdzbDhBcXp3RDJNOVJWVkZwRUxBbTh2OTNlRWtMZEY2ZnNkY0FhUXQxWlFDSFdYbwovZkxwUTVVa1B4dXY2TVArdjRtSjB2OGRLRlo3UjcwaTVud1lCMkVlVkw2RUNZaWlxNmZ6VEtsa3F6U0QvNW93CnpTdy96amtHVGEwSXcvdkg5YXNINzRIajNXdEE3RythenZjaVlhQTZxK1dWYlZxNlBIanF6em9obEFuMkh1anoKNmhEamFpZXN2TGx3QS9CL3JoRHNBS2graTByOEFKUTFqM0JiTGJuYkJyWmZqYnBJUjNhYVh5amkwK3RQWENnVQo5M0JlOXZtS2U2U2NHUjcvNk9ubWJrU3NMY2RXaFpVNzcrL2c4WllsZGhwS01nczc4ekJYUlh4bHlzSThHRUtqClNYbnd5OVpmTU9kSTRKQU1jbU9JTmlZQWNtWm5JTUJIa0xacFl3aUl0eFdseXVJcWxoZFpkSHNrTFdNSjBSTHUKMUZoUzJwRVdDTmUzN1QwYjlobTRYNDlydUFiekl1M01xSmczcXFIdGRMNGRkZ1JZRHNjMXd0cDJrR2dBZGxDaQpySHJReitZeDBCTU9WbGRHM2htUlFIeWRxMkhyWW0xeEFDNWpMZ3FvaVZhY09wd0xKY21PcGsrZWVNQkNZNVo0CnpDWDdYV3l3YVZjbTJzdmhpTzE4QmRSK2g5aFliMkRNZDFCendDbE95endQcUlvQy9uNGRURG96Ry9GT3NySzgKLzRGeHc2NkNWZjNxODMwTVB3UndsQ0sxQ0I3RjNQK3lKWkpPelRuK05QZ2dGQW9NaGZUYXBQWTFhUGlWajBzVApvb0IwWjhjRVdUZE5ycUFObVBrOWgzaEIycG44SndJREFRQUJBb0lDQUVCa2dKRXA3ODAvamVBQktQSTR2cjhFCkJmblc5UEZKdFpwVUhaQkJSM3NIVzFJTU9xcHVVWTJBNXhLbjEzWmZOemdxMEhFYlpqeUZVc0pkaXU0VW8razYKUlU3b3pRaVVSU0VTK0h1dTZycWlhcEx5d1pIditCZ2hrbm80NzU4Lyt6VytNU3pJOFNmU0ZXTVJ1ZG1QdWxRMQo3ZGJUV1U2d3FaU0tUTlFUeXZMYzdnUHBuZUpybWtkTzNRNnppZ0RoVGdtVDFHRXNzZ3NxN3NzbXhMWnhkZithCnkyNlRtVkJ4UDFlUzV6OVpHTWxYRFBSK044RjdOTFVrMng3S21WT3NCZVBZdjN5bmlpNHZGQUhNQndWRFZadXAKWUlUajRpMjZIaVhtanlLM2t5T0F2anNWSElRMXh1QTBCZFROdC84WXRtYllJL005QitydVg0UDJiRFNUMktRKwo4TlN2Uk9wbVppcnBHZkY3bExMSGpJUjlTMFhCWDd6VDRoWnBRWnpqK3NEWnhDM2Y3TGIwRFlKYkp0TmlDYTQxCmNpTjhNUlNldzNneHZ0RVk0RzdnN3hjbkJNdjdNT3RwQTE3d2gvMHdLd0h0amYzSWh2TmIzdkZwT0k5d1FqSzYKSlRQMng4bENJV0tyalpObVN0UksreHJTN3hTOUZVdnBhSVlyclRLQkZWSmcyMURCYWI1L3hqRlBlQWxXejczSwpvVkhsa0hLdXNMSjZLczZzcXo0ZG9mbzg3dkFsUFJzTXRkZ1ZnZFIzNXhLTGtEWXNIbGxML3Z5dE9oSkNieXB5CkJqQm1TR0RMdzBDdWplaHVtU2czYjdSUGVTNk5rbHNqUEIrMVpzRjhpVGdCcjMyM1hvTmNha2dhWWVYQlg4NFAKaE1WZHUxWk1rbXJZMWhXTzEydnhBb0lCQVFEWU5Vb2xCMkhsdWlDcVFqdmU4UFNhV0YxRmhwNUlOMGJIZEppeApIdkhqMkplVHJ6V1pUZFlIdFNJR2RzalhTOTBESXo2bXJhMW9YZXFRYlgrODVlOUFQQkZnRTJmNU5uTzBCSVVJCk5hMXRiVGpIOUhjRGRzQmJKUkZwYnk1ODZUb3lhdFY3bS9zcjVpQUZlZFMyenFOTm1XUmZOdllZS2xselZoSEUKdUd4ZjZxMHJTWktVQUhja2s1bU5Yais3WFhZaTgyemErVEE3ZjBDVm5OamR3OXFpd3B2aTJKTFB2SnA0bWt6KwpyMEN1RW9yV2NhMUdTL2hTVWdXemw3NzhQdlRpZFI2RW4zMDB2ZlIyTE84aG1xRjhVL3Bpb2UrTDVjSllRNnNKCk1YMngrYThzWFFpZ3dwdG02aUNxQ2FuS3ExN3NUZS9RTmQ1czdwb3ZOaHVKOHd3dEFvSUJBUUMxWmM5ZktPUFgKVzZSN1VoaHRRcmhIc3htQnRIQ1BuNWRLbjN5MElNNWRBaEFSdFZDV1U0M0hOTHpCNW1LbjU2dnZrSVNFaXdBbAoxTGhuY2I3YXQ2cHpTSlZtMm5oTDhjeUZrdGQrNzVyL1FHNFlpNnZQbHNBODV5ZXZpZDhZcWswaHdaZXExY05xCmxETUN3NWsrV0drckM2VW5jZXNIc2FWbDJTUGdZV1c1L3I1NnVxUnBsaVFka1EyZmlEYWRyblVueU8ycHg3bFMKVG1HemZaNmtzTWh2MlZFR1NPRm05aUo0dWlPb0xyZVhoU1RQRmxTdjdZUTZSWWtSaGgwT0tqdXM5bXZacEIxWApjcytYN0UyVTNlM0RZelpCR0NFdmxxaFNWTFRScjdIN21pMWxUMEozR0RzbDdiUk9xOE50WVdQa3hhSlNCUnQ5Ck9TcTlkTm9CcGRvakFvSUJBQ2lQdnN3NW1WVW0yUS80QXhGdE5RWnJ3M3ZTcUlrMXpaS0h2a21rVzQ3NlNGMk4KaGttdmY1TE1tWWlLNmx6eHY1SGlIOVBYUzJ3RUNvaHo4bjMyeVM3TTFobW5LbDlucHNkRC9jMHZmTXpGcTl4ZgpjYUIxdTlxZGxxbW9FUm1nQzZuL3Z2TkVyUmRzUWQrbEhwSDVMRXZYbGl3Q3ZLS0Y5MmdhNHBSOFlPQ1J2MUVhCnFXUVl2a0ZmYTNSSkZUM0taK3BncnJCYUJZRnoreUxXWFIwbHJEUFN2TG9QRldQaHB6MHUvWGplV2cwT0wzdlIKc2NjNVkybldOM21jNDFpaFd3SE5KUitPYUVmbnh5QVFpQUJPNlRMUThtMWtvZk1sOUpMb2h3TGZoUXhKb21KNQpSYkFiTWxwWlhDMXFTSzliL1IvcDh5NmxuSWZsTDRuaDVjSzRsVFVDZ2dFQUpSSHVSQU1tTksrTXVJcjVaUEs2Cm1DUjR0UEg4QXMzWmJDMlZuWFlLMWlVQ3hhdXBFVjkzM05yaExEcjV0Rmg2NFpWR0Q1UWNicDYvSkp5eEpSOWQKblB1YlZJNlhBT1lrSnJQd2lBZE5SSmFWS1R6NTJvMXpNYjhIZEM4WHdZR2tDNTcxY0xzSW1YSTV6bm5NaWxvaworK0FBVzBSRGhLb0FKQVV3K0x6T3ZpamFJbGljR3R2TSs2SFdCK0VkVURJRHpTS1p0eFdTd01nMTNTbHh6elExCmNlNFdTZE9CQkxxT0p0L2JRNVp3ZkcyQUxUWGlEcVhhWE5JekJickRtMDUwTFkrYVVMcmlLQ25WVkxXODBReGQKZDQyQjIrR2pmb2NxVk5Ec3R1RlIzUm9QNXVGQXN2Zm50b09TVW5WMWxaZk9nMFVFUEFEQk1tRUpZL2hLU1FYcwp3d0tDQVFBNWQya2hFQ1c1V3QrMzRYWnl1b3NFTjZ4UDExbC96VDRBZjhGSWtQLzlkb0JXRnBhc28zbG1NcXZHCmhPeFErbnZBSjFhNzhZRjA4N3p1UC9DZkQ0UElOUTV4YzZHMDNQdG5JOVNVT0dpMDB4Zlg5MU5NMHBHYWJqb0QKZ0RqVzJxSkJDaVB5N0RIR1RlZkU5eUNUbkhrY1NBbWllVGc3aGFyeEZPOUREZTJKbzhKQXV2SHI1aGVxazVIcgpLYlgzTy9vNUMwcWVnYW1rWVRLcHZzV2VFdXhkY2l5LzFQd3NnV3BuV1JPWllQNENrSkJweEx1bDNVamVSY3dkCnRhcjBJYU52WlV2NFd4U0JZdWVHMDFyYUd2SDZtTTcyTEExR3MrMytwTnZwUVo3bGo2S09tcFlhQUlhemVxY2MKTjJjT2R5U1RqZmQ5OFlNVFAxbmIyK3N1Yy91VAotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
 ```

+### Multiple TLS Certificates
+
+Traefik supports multiple secret `certificateRefs` per Gateway listener.
+If one of the certificates is invalid or cannot be loaded, the listener will be considered invalid and will not be able to serve traffic until the issue is resolved.
+
+For example, the following `Gateway` listener references two different certificates:
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: multi-cert-gateway
+  namespace: default
+spec:
+  gatewayClassName: traefik
+  listeners:
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: example-com-tls
+          - name: example-org-tls
+      allowedRoutes:
+        namespaces:
+          from: Same
+```
+
 ## Exposing a Route

 Once a `Gateway` is deployed (see [Deploying a Gateway](#deploying-a-gateway)) `HTTPRoute`, `TCPRoute`, 
@@ -399,6 +429,106 @@ Once everything is deployed, sending a `GET` request should return the following
    X-Real-Ip: 10.42.2.1
    ```

+#### Backend-Level Filters
+
+In addition to route-level filters, the Gateway API also supports applying filters directly to individual backends through the `backendRefs[].filters` field.
+This allows request modifications to be applied to specific backends, enabling the `HTTPRouteBackendRequestHeaderModification` extended feature.
+
+!!! info "Supported Filter Types"
+
+    Backend-level filters support the same filter types as route-level filters:
+
+    - `RequestHeaderModifier`: Add, set, or remove HTTP request headers before forwarding to the backend.
+    - `ResponseHeaderModifier`: Add, set, or remove HTTP response headers.
+    - `RequestRedirect`: Redirect the request to a different URL.
+    - `URLRewrite`: Rewrite the request URL path and/or hostname.
+    - `ExtensionRef`: Reference a Traefik [Middleware](../kubernetes/crd/http/middleware.md) resource.
+
+!!! info "Middlewares Execution Order"
+
+    When both route-level and backend-level filters are configured, route-level filters are applied first, followed by backend-level filters.
+
+For more information on service-level middlewares, see [service middlewares](../http/load-balancing/service.md#middlewares).
+
+??? example "Using RequestHeaderModifier on a Backend"
+
+    ```yaml tab="HTTPRoute"
+    ---
+    apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: whoami-http
+      namespace: default
+    spec:
+      parentRefs:
+        - name: traefik
+          sectionName: http
+          kind: Gateway
+
+      hostnames:
+        - whoami.localhost
+
+      rules:
+        - matches:
+            - path:
+                type: PathPrefix
+                value: /
+
+          backendRefs:
+            - name: whoami
+              namespace: default
+              port: 80
+              filters:
+                - type: RequestHeaderModifier
+                  requestHeaderModifier:
+                    set:
+                      - name: X-Backend-Header
+                        value: "backend-filter"
+    ```
+
+??? example "Using ExtensionRef (Traefik Middleware) on a Backend"
+
+    ```yaml tab="HTTPRoute"
+    ---
+    apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: whoami-http
+      namespace: default
+    spec:
+      parentRefs:
+        - name: traefik
+          sectionName: http
+          kind: Gateway
+
+      hostnames:
+        - whoami.localhost
+
+      rules:
+        - backendRefs:
+            - name: whoami
+              namespace: default
+              port: 80
+              filters:
+                - type: ExtensionRef
+                  extensionRef:
+                    group: traefik.io
+                    kind: Middleware
+                    name: add-prefix
+    ```
+
+    ```yaml tab="AddPrefix Middleware"
+    ---
+    apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: add-prefix
+      namespace: default
+    spec:
+      addPrefix:
+        prefix: /api
+    ```
+
 ### GRPC

 The `GRPCRoute` is an extended resource in the Gateway API specification, designed to define how GRPC traffic should be routed within a Kubernetes cluster. 
@@ -19,7 +19,8 @@ Enable seamless migration from NGINX Ingress Controller to Traefik with NGINX an

 ## Ingress Discovery

-This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
+This provider discovers all Ingresses in the cluster by default,
+which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.

 **Best Practices:**

@@ -29,7 +30,22 @@ This provider discovers all Ingresses in the cluster by default, which may lead

 ## Routing Configuration

-This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration, creating the corresponding routers, services, middlewares, and other components needed to handle your traffic.
+This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration,
+creating the corresponding routers, services, middlewares, and other components needed to handle your traffic.
+
+!!! warning "ConfigMap Configuration and Default Behaviors"
+
+    Routing annotations take precedence over provider-level defaults,
+    but they don't control all behaviors that NGINX Ingress Controller's ConfigMap configuration would handle globally.
+
+    Important differences in default behaviors:
+    
+    - **Request buffering**: NGINX enables `proxy-request-buffering` by default, while Traefik requires explicit opt-in via the provider's `proxyRequestBuffering` option.
+    - **Legacy scheme headers**: If your applications depend on `X-Forwarded-Scheme` or `X-Scheme`, enable `entryPoints.<name>.forwardedHeaders.addXForwardedSchemeHeaders=true` on the relevant entrypoints.
+
+    To ensure consistent behavior during migration,
+    review and configure Traefik's provider-level options to match your current NGINX ConfigMap settings.
+    See the [provider configuration options](../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md) for available settings.

 ## Configuration Example

@@ -148,7 +164,7 @@ This provider watches for incoming Ingress events and automatically translates N
            serviceAccountName: traefik-ingress-controller
            containers:
              - name: traefik
-                image: traefik:v3.6
+                image: traefik:v3.7
                args:
                  - --entryPoints.web.address=:80
                  - --providers.kubernetesingressnginx
@@ -252,59 +268,72 @@ This provider watches for incoming Ingress events and automatically translates N
 This section lists all known NGINX Ingress annotations.
 The following annotations are organized by category for easier navigation.

-### Coming Soon: More Annotations in Active Development
-
- Several annotations currently listed as unsupported are actively being implemented and will become available in upcoming release.
-
-!!! tip "Preview upcoming annotation support"
-    You can follow the progress and explore annotations that are already available in the next version of Traefik by visiting the **[experimental documentation (master branch)](https://doc.traefik.io/traefik/master/reference/routing-configuration/kubernetes/ingress-nginx/)**.
-
-    The experimental page reflects the state of the `master` branch and may include annotations not yet available in the current stable release. Features shown there are subject to change before the final release.
-
 ### Authentication

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioauth-type" href="#opt-nginx-ingress-kubernetes-ioauth-type" title="#opt-nginx-ingress-kubernetes-ioauth-type">`nginx.ingress.kubernetes.io/auth-type`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-secret" href="#opt-nginx-ingress-kubernetes-ioauth-secret" title="#opt-nginx-ingress-kubernetes-ioauth-secret">`nginx.ingress.kubernetes.io/auth-secret`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-secret-type" href="#opt-nginx-ingress-kubernetes-ioauth-secret-type" title="#opt-nginx-ingress-kubernetes-ioauth-secret-type">`nginx.ingress.kubernetes.io/auth-secret-type`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-realm" href="#opt-nginx-ingress-kubernetes-ioauth-realm" title="#opt-nginx-ingress-kubernetes-ioauth-realm">`nginx.ingress.kubernetes.io/auth-realm`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-url" href="#opt-nginx-ingress-kubernetes-ioauth-url" title="#opt-nginx-ingress-kubernetes-ioauth-url">`nginx.ingress.kubernetes.io/auth-url`</a> | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-method" href="#opt-nginx-ingress-kubernetes-ioauth-method" title="#opt-nginx-ingress-kubernetes-ioauth-method">`nginx.ingress.kubernetes.io/auth-method`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-response-headers" href="#opt-nginx-ingress-kubernetes-ioauth-response-headers" title="#opt-nginx-ingress-kubernetes-ioauth-response-headers">`nginx.ingress.kubernetes.io/auth-response-headers`</a> |                                                                                            |
+| Annotation                                            | Limitations / Notes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+|-------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioauth-type" href="#opt-nginx-ingress-kubernetes-ioauth-type" title="#opt-nginx-ingress-kubernetes-ioauth-type">`nginx.ingress.kubernetes.io/auth-type`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-secret" href="#opt-nginx-ingress-kubernetes-ioauth-secret" title="#opt-nginx-ingress-kubernetes-ioauth-secret">`nginx.ingress.kubernetes.io/auth-secret`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-secret-type" href="#opt-nginx-ingress-kubernetes-ioauth-secret-type" title="#opt-nginx-ingress-kubernetes-ioauth-secret-type">`nginx.ingress.kubernetes.io/auth-secret-type`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-realm" href="#opt-nginx-ingress-kubernetes-ioauth-realm" title="#opt-nginx-ingress-kubernetes-ioauth-realm">`nginx.ingress.kubernetes.io/auth-realm`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-url" href="#opt-nginx-ingress-kubernetes-ioauth-url" title="#opt-nginx-ingress-kubernetes-ioauth-url">`nginx.ingress.kubernetes.io/auth-url`</a> | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`.                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-signin" href="#opt-nginx-ingress-kubernetes-ioauth-signin" title="#opt-nginx-ingress-kubernetes-ioauth-signin">`nginx.ingress.kubernetes.io/auth-signin`</a> | Redirects to signin URL on 401 response. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. <br/><br/>Like ingress-nginx, Traefik automatically appends `rd=$scheme://$best_http_host$escaped_request_uri` so the auth service can redirect back after sign-in; pass an empty `rd` to disable it. On routes without a `Host` matcher, the request's `Host` header feeds the interpolation and can be abused for open redirects. Scoping routers with a `Host` rule is strongly recommended when relying on this behavior.  |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-snippet" href="#opt-nginx-ingress-kubernetes-ioauth-snippet" title="#opt-nginx-ingress-kubernetes-ioauth-snippet">`nginx.ingress.kubernetes.io/auth-snippet`</a> | Supported directives: `proxy_method`, `more_set_headers`, `proxy_set_header`, `more_set_input_headers`, `set`, `if`, `return code [text]`. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`.                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-method" href="#opt-nginx-ingress-kubernetes-ioauth-method" title="#opt-nginx-ingress-kubernetes-ioauth-method">`nginx.ingress.kubernetes.io/auth-method`</a> | This annotation uses the `proxy_method` directive in Nginx. Thus, it can't be defined on an ingress that already have an `auth-snippet` annotation with the `proxy_method` directive.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-response-headers" href="#opt-nginx-ingress-kubernetes-ioauth-response-headers" title="#opt-nginx-ingress-kubernetes-ioauth-response-headers">`nginx.ingress.kubernetes.io/auth-response-headers`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioenable-global-auth" href="#opt-nginx-ingress-kubernetes-ioenable-global-auth" title="#opt-nginx-ingress-kubernetes-ioenable-global-auth">`nginx.ingress.kubernetes.io/enable-global-auth`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

 ### SSL/TLS

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-iossl-redirect" href="#opt-nginx-ingress-kubernetes-iossl-redirect" title="#opt-nginx-ingress-kubernetes-iossl-redirect">`nginx.ingress.kubernetes.io/ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                              |
-| <a id="opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" href="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" title="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect">`nginx.ingress.kubernetes.io/force-ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                              |
-| <a id="opt-nginx-ingress-kubernetes-iossl-passthrough" href="#opt-nginx-ingress-kubernetes-iossl-passthrough" title="#opt-nginx-ingress-kubernetes-iossl-passthrough">`nginx.ingress.kubernetes.io/ssl-passthrough`</a> | Some differences in SNI/default backend handling.                                          |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name">`nginx.ingress.kubernetes.io/proxy-ssl-server-name`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name">`nginx.ingress.kubernetes.io/proxy-ssl-name`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify">`nginx.ingress.kubernetes.io/proxy-ssl-verify`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret">`nginx.ingress.kubernetes.io/proxy-ssl-secret`</a> |                                                                                            |
+| Annotation                                                                                                                                                                                                                                          | Limitations / Notes                                                                                            |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-iossl-redirect" href="#opt-nginx-ingress-kubernetes-iossl-redirect" title="#opt-nginx-ingress-kubernetes-iossl-redirect">`nginx.ingress.kubernetes.io/ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                                                  |
+| <a id="opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" href="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" title="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect">`nginx.ingress.kubernetes.io/force-ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                                                  |
+| <a id="opt-nginx-ingress-kubernetes-iossl-passthrough" href="#opt-nginx-ingress-kubernetes-iossl-passthrough" title="#opt-nginx-ingress-kubernetes-iossl-passthrough">`nginx.ingress.kubernetes.io/ssl-passthrough`</a> | Some differences in SNI/default backend handling.                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name">`nginx.ingress.kubernetes.io/proxy-ssl-server-name`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name">`nginx.ingress.kubernetes.io/proxy-ssl-name`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify">`nginx.ingress.kubernetes.io/proxy-ssl-verify`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret">`nginx.ingress.kubernetes.io/proxy-ssl-secret`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-secret" href="#opt-nginx-ingress-kubernetes-ioauth-tls-secret" title="#opt-nginx-ingress-kubernetes-ioauth-tls-secret">`nginx.ingress.kubernetes.io/auth-tls-secret`</a> | When validation fails, the rejection happens during the TLS handshake rather than returning a 400 Bad Request. |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client">`nginx.ingress.kubernetes.io/auth-tls-verify-client`</a> | When validation fails, the rejection happens during the TLS handshake rather than returning a 400 Bad Request. |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" href="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" title="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream">`nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`</a> |       |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth">`nginx.ingress.kubernetes.io/auth-tls-verify-depth`</a> | Go has no configurable depth limit. It will accept any valid chain regardless of how many intermediates it contains.|

 ### Session Affinity

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioaffinity" href="#opt-nginx-ingress-kubernetes-ioaffinity" title="#opt-nginx-ingress-kubernetes-ioaffinity">`nginx.ingress.kubernetes.io/affinity`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioaffinity-mode" href="#opt-nginx-ingress-kubernetes-ioaffinity-mode" title="#opt-nginx-ingress-kubernetes-ioaffinity-mode">`nginx.ingress.kubernetes.io/affinity-mode`</a> | Only persistent mode supported; balanced/canary not supported.                             |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-name" href="#opt-nginx-ingress-kubernetes-iosession-cookie-name" title="#opt-nginx-ingress-kubernetes-iosession-cookie-name">`nginx.ingress.kubernetes.io/session-cookie-name`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-secure" href="#opt-nginx-ingress-kubernetes-iosession-cookie-secure" title="#opt-nginx-ingress-kubernetes-iosession-cookie-secure">`nginx.ingress.kubernetes.io/session-cookie-secure`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-path" href="#opt-nginx-ingress-kubernetes-iosession-cookie-path" title="#opt-nginx-ingress-kubernetes-iosession-cookie-path">`nginx.ingress.kubernetes.io/session-cookie-path`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-domain" href="#opt-nginx-ingress-kubernetes-iosession-cookie-domain" title="#opt-nginx-ingress-kubernetes-iosession-cookie-domain">`nginx.ingress.kubernetes.io/session-cookie-domain`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-samesite" href="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite" title="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite">`nginx.ingress.kubernetes.io/session-cookie-samesite`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-max-age" href="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age" title="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age">`nginx.ingress.kubernetes.io/session-cookie-max-age`</a> |                                                                                            |
+| Annotation                                            | Limitations / Notes                                                     |
+|-------------------------------------------------------|-------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioaffinity" href="#opt-nginx-ingress-kubernetes-ioaffinity" title="#opt-nginx-ingress-kubernetes-ioaffinity">`nginx.ingress.kubernetes.io/affinity`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-ioaffinity-mode" href="#opt-nginx-ingress-kubernetes-ioaffinity-mode" title="#opt-nginx-ingress-kubernetes-ioaffinity-mode">`nginx.ingress.kubernetes.io/affinity-mode`</a> | Only persistent mode supported; balanced not supported.           |
+| <a id="opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" href="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" title="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior">`nginx.ingress.kubernetes.io/affinity-canary-behavior`</a> | Only the sticky behavior is supported; legacy behavior is not supported. |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-name" href="#opt-nginx-ingress-kubernetes-iosession-cookie-name" title="#opt-nginx-ingress-kubernetes-iosession-cookie-name">`nginx.ingress.kubernetes.io/session-cookie-name`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-secure" href="#opt-nginx-ingress-kubernetes-iosession-cookie-secure" title="#opt-nginx-ingress-kubernetes-iosession-cookie-secure">`nginx.ingress.kubernetes.io/session-cookie-secure`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-path" href="#opt-nginx-ingress-kubernetes-iosession-cookie-path" title="#opt-nginx-ingress-kubernetes-iosession-cookie-path">`nginx.ingress.kubernetes.io/session-cookie-path`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-domain" href="#opt-nginx-ingress-kubernetes-iosession-cookie-domain" title="#opt-nginx-ingress-kubernetes-iosession-cookie-domain">`nginx.ingress.kubernetes.io/session-cookie-domain`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-samesite" href="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite" title="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite">`nginx.ingress.kubernetes.io/session-cookie-samesite`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-max-age" href="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age" title="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age">`nginx.ingress.kubernetes.io/session-cookie-max-age`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-expires" href="#opt-nginx-ingress-kubernetes-iosession-cookie-expires" title="#opt-nginx-ingress-kubernetes-iosession-cookie-expires">`nginx.ingress.kubernetes.io/session-cookie-expires`</a> |                                                                         |

 ### Load Balancing & Backend

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioload-balance" href="#opt-nginx-ingress-kubernetes-ioload-balance" title="#opt-nginx-ingress-kubernetes-ioload-balance">`nginx.ingress.kubernetes.io/load-balance`</a> | Only round_robin supported; ewma and IP hash not supported.                                |
-| <a id="opt-nginx-ingress-kubernetes-iobackend-protocol" href="#opt-nginx-ingress-kubernetes-iobackend-protocol" title="#opt-nginx-ingress-kubernetes-iobackend-protocol">`nginx.ingress.kubernetes.io/backend-protocol`</a> | FCGI and AUTO_HTTP not supported.                                                          |
-| <a id="opt-nginx-ingress-kubernetes-ioservice-upstream" href="#opt-nginx-ingress-kubernetes-ioservice-upstream" title="#opt-nginx-ingress-kubernetes-ioservice-upstream">`nginx.ingress.kubernetes.io/service-upstream`</a> |                                                                                            |
+| Annotation                                                                                                                                                                                                                  | Limitations / Notes                                                                                                                                                                                                                                                                                                                |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioload-balance" href="#opt-nginx-ingress-kubernetes-ioload-balance" title="#opt-nginx-ingress-kubernetes-ioload-balance">`nginx.ingress.kubernetes.io/load-balance`</a> | Only round_robin supported; ewma and IP hash not supported.                                                                                                                                                                                                                                                                        |
+| <a id="opt-nginx-ingress-kubernetes-iobackend-protocol" href="#opt-nginx-ingress-kubernetes-iobackend-protocol" title="#opt-nginx-ingress-kubernetes-iobackend-protocol">`nginx.ingress.kubernetes.io/backend-protocol`</a> | FCGI and AUTO_HTTP not supported.                                                                                                                                                                                                                                                                                                  |
+| <a id="opt-nginx-ingress-kubernetes-ioservice-upstream" href="#opt-nginx-ingress-kubernetes-ioservice-upstream" title="#opt-nginx-ingress-kubernetes-ioservice-upstream">`nginx.ingress.kubernetes.io/service-upstream`</a> |                                                                                                                                                                                                                                                                                                                                    |
+| <a id="opt-nginx-ingress-kubernetes-ioupstream-hash-by" href="#opt-nginx-ingress-kubernetes-ioupstream-hash-by" title="#opt-nginx-ingress-kubernetes-ioupstream-hash-by">`nginx.ingress.kubernetes.io/upstream-hash-by`</a> | It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. |
+| <a id="opt-nginx-ingress-kubernetes-ioupstream-vhost" href="#opt-nginx-ingress-kubernetes-ioupstream-vhost" title="#opt-nginx-ingress-kubernetes-ioupstream-vhost">`nginx.ingress.kubernetes.io/upstream-vhost`</a> | Supports NGINX variable interpolation. Request-time variables (`$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`) and the provider-resolved per-location variables (`$namespace`, `$ingress_name`, `$service_name`, `$service_port`, `$location_path`) are supported. The NGINX-internal variable `$proxy_upstream_name` is not available. |
+| <a id="opt-nginx-ingress-kubernetes-iocustom-headers" href="#opt-nginx-ingress-kubernetes-iocustom-headers" title="#opt-nginx-ingress-kubernetes-iocustom-headers">`nginx.ingress.kubernetes.io/custom-headers`</a> | Header whitelisting, similar to `global-allowed-response-headers` NGINX config is not supported.                                                                                                                                                                                                                                   |
+| <a id="opt-nginx-ingress-kubernetes-iodefault-backend" href="#opt-nginx-ingress-kubernetes-iodefault-backend" title="#opt-nginx-ingress-kubernetes-iodefault-backend">`nginx.ingress.kubernetes.io/default-backend`</a> | Specifies a fallback service within the same namespace as the Ingress resource used to handle requests when the primary backend service has no active endpoints. If the specified service exposes multiple ports, the first port will receive the traffic.                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-http-version" href="#opt-nginx-ingress-kubernetes-ioproxy-http-version" title="#opt-nginx-ingress-kubernetes-ioproxy-http-version">`nginx.ingress.kubernetes.io/proxy-http-version`</a> | Controls HTTP protocol version for backend communication. Supported value: `"1.1"` (disables HTTP/2 to backend). Value `"1.0"` is not supported and will log a warning.                                                                                                                                                            |
+| <a id="opt-nginx-ingress-kubernetes-iocanary" href="#opt-nginx-ingress-kubernetes-iocanary" title="#opt-nginx-ingress-kubernetes-iocanary">`nginx.ingress.kubernetes.io/canary`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header" href="#opt-nginx-ingress-kubernetes-iocanary-by-header" title="#opt-nginx-ingress-kubernetes-iocanary-by-header">`nginx.ingress.kubernetes.io/canary-by-header`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-value" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-value" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-value">`nginx.ingress.kubernetes.io/canary-by-header-value`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern">`nginx.ingress.kubernetes.io/canary-by-header-pattern`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-cookie" href="#opt-nginx-ingress-kubernetes-iocanary-by-cookie" title="#opt-nginx-ingress-kubernetes-iocanary-by-cookie">`nginx.ingress.kubernetes.io/canary-by-cookie`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-weight" href="#opt-nginx-ingress-kubernetes-iocanary-weight" title="#opt-nginx-ingress-kubernetes-iocanary-weight">`nginx.ingress.kubernetes.io/canary-weight`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-weight-total" href="#opt-nginx-ingress-kubernetes-iocanary-weight-total" title="#opt-nginx-ingress-kubernetes-iocanary-weight-total">`nginx.ingress.kubernetes.io/canary-weight-total`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iox-forwarded-prefix" href="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix" title="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix">`nginx.ingress.kubernetes.io/x-forwarded-prefix`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                      |

 ### CORS

@@ -320,9 +349,76 @@ The following annotations are organized by category for easier navigation.

 ### Routing

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-iouse-regex" href="#opt-nginx-ingress-kubernetes-iouse-regex" title="#opt-nginx-ingress-kubernetes-iouse-regex">`nginx.ingress.kubernetes.io/use-regex`</a> |                                                                                            |
+| Annotation                                                                                                                                                                                                                                              | Limitations / Notes                                                                                                                                                                                                                                                                                                                                                                                       |
+|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioapp-root" href="#opt-nginx-ingress-kubernetes-ioapp-root" title="#opt-nginx-ingress-kubernetes-ioapp-root">`nginx.ingress.kubernetes.io/app-root`</a> |                                                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iofrom-to-www-redirect" href="#opt-nginx-ingress-kubernetes-iofrom-to-www-redirect" title="#opt-nginx-ingress-kubernetes-iofrom-to-www-redirect">`nginx.ingress.kubernetes.io/from-to-www-redirect`</a> | Doesn't support wildcard hosts.                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iouse-regex" href="#opt-nginx-ingress-kubernetes-iouse-regex" title="#opt-nginx-ingress-kubernetes-iouse-regex">`nginx.ingress.kubernetes.io/use-regex`</a> |                                                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iorewrite-target" href="#opt-nginx-ingress-kubernetes-iorewrite-target" title="#opt-nginx-ingress-kubernetes-iorewrite-target">`nginx.ingress.kubernetes.io/rewrite-target`</a> |                                                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect">`nginx.ingress.kubernetes.io/permanent-redirect`</a> | Defaults to a 301 Moved Permanently status code.                                                                                                                                                                                                                                                                                                                                                          |
+| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect-code" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code">`nginx.ingress.kubernetes.io/permanent-redirect-code`</a> | Only valid 3XX HTTP Status Codes are accepted.                                                                                                                                                                                                                                                                                                                                                            |
+| <a id="opt-nginx-ingress-kubernetes-iotemporal-redirect" href="#opt-nginx-ingress-kubernetes-iotemporal-redirect" title="#opt-nginx-ingress-kubernetes-iotemporal-redirect">`nginx.ingress.kubernetes.io/temporal-redirect`</a> | Takes precedence over the `permanent-redirect` annotation. Defaults to a 302 Found status code.                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iotemporal-redirect-code" href="#opt-nginx-ingress-kubernetes-iotemporal-redirect-code" title="#opt-nginx-ingress-kubernetes-iotemporal-redirect-code">`nginx.ingress.kubernetes.io/temporal-redirect-code`</a> | Only valid 3XX HTTP Status Codes are accepted.                                                                                                                                                                                                                                                                                                                                                            |
+| <a id="opt-nginx-ingress-kubernetes-iocustom-http-errors" href="#opt-nginx-ingress-kubernetes-iocustom-http-errors" title="#opt-nginx-ingress-kubernetes-iocustom-http-errors">`nginx.ingress.kubernetes.io/custom-http-errors`</a> | Specifies a comma-separated list of HTTP status codes that should be intercepted and served by an error page backend. When any of these status codes occur, the request is forwarded to the global default backend, or to the backend defined by the [default-backend](#opt-nginx-ingress-kubernetes-iodefault-backend) annotation if specified. |
+| <a id="opt-nginx-ingress-kubernetes-ioserver-alias" href="#opt-nginx-ingress-kubernetes-ioserver-alias" title="#opt-nginx-ingress-kubernetes-ioserver-alias">`nginx.ingress.kubernetes.io/server-alias`</a> | Ignored if the alias conflicts with an existing Ingress Host rule. Ingress Host rules always take precedence.                                                                                                                                                                                                                                    |
+| <a id="opt-nginx-ingress-kubernetes-ioserver-snippet" href="#opt-nginx-ingress-kubernetes-ioserver-snippet" title="#opt-nginx-ingress-kubernetes-ioserver-snippet">`nginx.ingress.kubernetes.io/server-snippet`</a> | Supported directives: `add_header`, `proxy_method`, `more_set_headers`, `proxy_set_header`, `more_set_input_headers`, `set`, `if`, `return code [text]`. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. |
+| <a id="opt-nginx-ingress-kubernetes-ioconfiguration-snippet" href="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet" title="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet">`nginx.ingress.kubernetes.io/configuration-snippet`</a> | Supported directives: `add_header`, `proxy_method`, `more_set_headers`, `proxy_set_header`, `more_set_input_headers`, `set`, `if`, `return code [text]`. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. |
+
+### IP Whitelist
+
+!!! info "Client IP Strategy"
+
+    By default, the client IP is determined from the remote address of the incoming request.
+    When Traefik is behind a reverse proxy, the actual client IP is often found in the `X-Forwarded-For` header instead.
+    This can be configured globally using the provider option [`ipAllowListStrategy`](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy).
+
+| Annotation                                                                                                                                                                                                                                          | Limitations / Notes                                                                        |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-iowhitelist-source-range" href="#opt-nginx-ingress-kubernetes-iowhitelist-source-range" title="#opt-nginx-ingress-kubernetes-iowhitelist-source-range">`nginx.ingress.kubernetes.io/whitelist-source-range`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-ioallowlist-source-range" href="#opt-nginx-ingress-kubernetes-ioallowlist-source-range" title="#opt-nginx-ingress-kubernetes-ioallowlist-source-range">`nginx.ingress.kubernetes.io/allowlist-source-range`</a> |                                                      |
+
+### Rate Limiting
+
+| Annotation                                                                                                                                                                                      | Limitations / Notes                                                                                       |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |-----------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-iolimit-rps" href="#opt-nginx-ingress-kubernetes-iolimit-rps" title="#opt-nginx-ingress-kubernetes-iolimit-rps">`nginx.ingress.kubernetes.io/limit-rps`</a> | Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. |
+| <a id="opt-nginx-ingress-kubernetes-iolimit-rpm" href="#opt-nginx-ingress-kubernetes-iolimit-rpm" title="#opt-nginx-ingress-kubernetes-iolimit-rpm">`nginx.ingress.kubernetes.io/limit-rpm`</a> | Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. |
+| <a id="opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" href="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" title="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier">`nginx.ingress.kubernetes.io/limit-burst-multiplier`</a> | Default to a multiplier of 5 if the configured value is less than 1. Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. |
+| <a id="opt-nginx-ingress-kubernetes-iolimit-connections" href="#opt-nginx-ingress-kubernetes-iolimit-connections" title="#opt-nginx-ingress-kubernetes-iolimit-connections">`nginx.ingress.kubernetes.io/limit-connections`</a> | Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. The concurrent connection limit is evaluated per client IP address. Values less than or equal to `0` are safely ignored. |
+
+### Buffering
+
+| Annotation                                                                                                                                                                                                                                                  | Limitations / Notes                                                                                           |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-request-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering">`nginx.ingress.kubernetes.io/proxy-request-buffering`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-body-size" href="#opt-nginx-ingress-kubernetes-ioproxy-body-size" title="#opt-nginx-ingress-kubernetes-ioproxy-body-size">`nginx.ingress.kubernetes.io/proxy-body-size`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" href="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" title="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size">`nginx.ingress.kubernetes.io/client-body-buffer-size`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-buffering">`nginx.ingress.kubernetes.io/proxy-buffering`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffer-size" href="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size" title="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size">`nginx.ingress.kubernetes.io/proxy-buffer-size`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffers-number" href="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number" title="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number">`nginx.ingress.kubernetes.io/proxy-buffers-number`</a> | With Traefik, `proxy-buffer-numbers` is actually used to compute the size of a single buffer (size * number). |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" href="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" title="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size">`nginx.ingress.kubernetes.io/proxy-max-temp-file-size`</a> |                                                                                                               |
+
+### Observability
+
+| Annotation                                                                                                                                                                                                                                      | Limitations / Notes                                                                                                                                                                                                                                                                                                                  |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioenable-access-log" href="#opt-nginx-ingress-kubernetes-ioenable-access-log" title="#opt-nginx-ingress-kubernetes-ioenable-access-log">`nginx.ingress.kubernetes.io/enable-access-log`</a> | Access logs must first be enabled in the [install configuration](../../../install-configuration/observability/logs-and-accesslogs/#access-logs) (globally or per entrypoint) for this annotation to take effect. When access logs are enabled, this annotation allows opting out specific Ingresses by setting it to `"false"`. Conversely, when access logs are disabled on an entrypoint, setting this annotation to `"true"` allows opting in specific Ingresses. |
+
+### Timeout
+
+| Annotation                                          | Limitations / Notes                                                                                                                                                                                                                     |
+|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout">`nginx.ingress.kubernetes.io/proxy-connect-timeout`</a> | Timeout can be defined globally at the provider level using the [`proxyConnectTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyConnectTimeout). |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-send-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout">`nginx.ingress.kubernetes.io/proxy-send-timeout`</a> | Timeout can be defined globally at the provider level using the [`proxySendTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxySendTimeout).  |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-read-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout">`nginx.ingress.kubernetes.io/proxy-read-timeout`</a> | Timeout can be defined globally at the provider level using the [`proxyReadTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyReadTimeout). |
+
+### Retry
+
+| Annotation                                                | Limitations / Notes                                                                                                                                                                                                                                                                                                                                                                                                           |
+|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream">`nginx.ingress.kubernetes.io/proxy-next-upstream`</a> | Unlike NGINX, Traefik does not guarantee that retries are sent to a different server. There is no difference between `error` and `timeout`, both are treated as TCP level failure. This configuration can be defined globally at the provider level using the [`proxyNextUpstream` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyNextUpstream). |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries">`nginx.ingress.kubernetes.io/proxy-next-upstream-tries`</a> | Unlimited retry (0) will be capped to the number of available servers to avoid infinite retries. The value can be defined globally at the provider level using the [`proxyNextUpstreamTries` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTries).                                                                                 |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout">`nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`</a> | The timeout can be defined globally at the provider level using the [`proxyNextUpstreamTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeout).                                                                                                                                                                         |

 ## Limitations

@@ -331,11 +427,14 @@ The following annotations are organized by category for easier navigation.
 - **Authentication**: Forward auth behaves differently and session caching is not supported. NGINX supports sub-request based auth, while Traefik forwards the original request.
 - **Session Affinity**: Only persistent mode is supported.
 - **Leader Election**: Not supported; no cluster mode with leader election.
- **Default Backend**: Only defaultBackend in Ingress spec is supported; the annotation is ignored.
 - **Load Balancing**: Only round_robin is supported; EWMA and IP hash are not supported.
 - **CORS**: NGINX responds with all configured headers unconditionally; Traefik handles headers differently between pre-flight and regular requests.
 - **TLS/Backend Protocols**: AUTO_HTTP, FCGI and some TLS options are not supported in Traefik.
- **Path Handling**: Traefik preserves trailing slashes by default; NGINX removes them unless configured otherwise
+- **Path Handling**: Traefik preserves trailing slashes by default; NGINX removes them unless configured otherwise.
+- **Retry**: NGINX guarantee that the next retry will be passed to the next server, while on Traefik there is a possibility that the retry would be passed to the same server.
+- **Rate Limiting**: NGINX uses the **Leaky Bucket** algorithm, where requests are queued and drained at a fixed rate. Once the queue (burst) is full, excess requests are rejected immediately with `503`.
+Traefik uses the **Token Bucket** algorithm, where the bucket starts full at `burst` tokens, each request consumes one token, and tokens refill at the `limit-rps` rate. When the bucket is empty, the request is either delayed until more tokens are available or rejected with `429` if the delay would be too long.
+In practice, Traefik is slightly more lenient under bursty load, as it smooths out burst traffic rather than dropping it, but the steady-state throughput cap is similar.

 ### Unsupported Annotations

@@ -350,14 +449,7 @@ The following annotations are organized by category for easier navigation.

 | Annotation                                                                  | Notes                                                |
 |-----------------------------------------------------------------------------|------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioapp-root" href="#opt-nginx-ingress-kubernetes-ioapp-root" title="#opt-nginx-ingress-kubernetes-ioapp-root">`nginx.ingress.kubernetes.io/app-root`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" href="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" title="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior">`nginx.ingress.kubernetes.io/affinity-canary-behavior`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-signin" href="#opt-nginx-ingress-kubernetes-ioauth-signin" title="#opt-nginx-ingress-kubernetes-ioauth-signin">`nginx.ingress.kubernetes.io/auth-signin`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-secret" href="#opt-nginx-ingress-kubernetes-ioauth-tls-secret" title="#opt-nginx-ingress-kubernetes-ioauth-tls-secret">`nginx.ingress.kubernetes.io/auth-tls-secret`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth">`nginx.ingress.kubernetes.io/auth-tls-verify-depth`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client">`nginx.ingress.kubernetes.io/auth-tls-verify-client`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-tls-error-page" href="#opt-nginx-ingress-kubernetes-ioauth-tls-error-page" title="#opt-nginx-ingress-kubernetes-ioauth-tls-error-page">`nginx.ingress.kubernetes.io/auth-tls-error-page`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" href="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" title="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream">`nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-tls-match-cn" href="#opt-nginx-ingress-kubernetes-ioauth-tls-match-cn" title="#opt-nginx-ingress-kubernetes-ioauth-tls-match-cn">`nginx.ingress.kubernetes.io/auth-tls-match-cn`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-cache-key" href="#opt-nginx-ingress-kubernetes-ioauth-cache-key" title="#opt-nginx-ingress-kubernetes-ioauth-cache-key">`nginx.ingress.kubernetes.io/auth-cache-key`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-cache-duration" href="#opt-nginx-ingress-kubernetes-ioauth-cache-duration" title="#opt-nginx-ingress-kubernetes-ioauth-cache-duration">`nginx.ingress.kubernetes.io/auth-cache-duration`</a> |                                                      |
@@ -366,62 +458,29 @@ The following annotations are organized by category for easier navigation.
 | <a id="opt-nginx-ingress-kubernetes-ioauth-keepalive-requests" href="#opt-nginx-ingress-kubernetes-ioauth-keepalive-requests" title="#opt-nginx-ingress-kubernetes-ioauth-keepalive-requests">`nginx.ingress.kubernetes.io/auth-keepalive-requests`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-keepalive-timeout" href="#opt-nginx-ingress-kubernetes-ioauth-keepalive-timeout" title="#opt-nginx-ingress-kubernetes-ioauth-keepalive-timeout">`nginx.ingress.kubernetes.io/auth-keepalive-timeout`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-proxy-set-headers" href="#opt-nginx-ingress-kubernetes-ioauth-proxy-set-headers" title="#opt-nginx-ingress-kubernetes-ioauth-proxy-set-headers">`nginx.ingress.kubernetes.io/auth-proxy-set-headers`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-snippet" href="#opt-nginx-ingress-kubernetes-ioauth-snippet" title="#opt-nginx-ingress-kubernetes-ioauth-snippet">`nginx.ingress.kubernetes.io/auth-snippet`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioenable-global-auth" href="#opt-nginx-ingress-kubernetes-ioenable-global-auth" title="#opt-nginx-ingress-kubernetes-ioenable-global-auth">`nginx.ingress.kubernetes.io/enable-global-auth`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary" href="#opt-nginx-ingress-kubernetes-iocanary" title="#opt-nginx-ingress-kubernetes-iocanary">`nginx.ingress.kubernetes.io/canary`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header" href="#opt-nginx-ingress-kubernetes-iocanary-by-header" title="#opt-nginx-ingress-kubernetes-iocanary-by-header">`nginx.ingress.kubernetes.io/canary-by-header`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-value" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-value" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-value">`nginx.ingress.kubernetes.io/canary-by-header-value`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern">`nginx.ingress.kubernetes.io/canary-by-header-pattern`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-cookie" href="#opt-nginx-ingress-kubernetes-iocanary-by-cookie" title="#opt-nginx-ingress-kubernetes-iocanary-by-cookie">`nginx.ingress.kubernetes.io/canary-by-cookie`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-weight" href="#opt-nginx-ingress-kubernetes-iocanary-weight" title="#opt-nginx-ingress-kubernetes-iocanary-weight">`nginx.ingress.kubernetes.io/canary-weight`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-weight-total" href="#opt-nginx-ingress-kubernetes-iocanary-weight-total" title="#opt-nginx-ingress-kubernetes-iocanary-weight-total">`nginx.ingress.kubernetes.io/canary-weight-total`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" href="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" title="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size">`nginx.ingress.kubernetes.io/client-body-buffer-size`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioconfiguration-snippet" href="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet" title="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet">`nginx.ingress.kubernetes.io/configuration-snippet`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocustom-http-errors" href="#opt-nginx-ingress-kubernetes-iocustom-http-errors" title="#opt-nginx-ingress-kubernetes-iocustom-http-errors">`nginx.ingress.kubernetes.io/custom-http-errors`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iodisable-proxy-intercept-errors" href="#opt-nginx-ingress-kubernetes-iodisable-proxy-intercept-errors" title="#opt-nginx-ingress-kubernetes-iodisable-proxy-intercept-errors">`nginx.ingress.kubernetes.io/disable-proxy-intercept-errors`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iodefault-backend" href="#opt-nginx-ingress-kubernetes-iodefault-backend" title="#opt-nginx-ingress-kubernetes-iodefault-backend">`nginx.ingress.kubernetes.io/default-backend`</a> | Use `defaultBackend` in Ingress spec. |
 | <a id="opt-nginx-ingress-kubernetes-iolimit-rate-after" href="#opt-nginx-ingress-kubernetes-iolimit-rate-after" title="#opt-nginx-ingress-kubernetes-iolimit-rate-after">`nginx.ingress.kubernetes.io/limit-rate-after`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iolimit-rate" href="#opt-nginx-ingress-kubernetes-iolimit-rate" title="#opt-nginx-ingress-kubernetes-iolimit-rate">`nginx.ingress.kubernetes.io/limit-rate`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iolimit-whitelist" href="#opt-nginx-ingress-kubernetes-iolimit-whitelist" title="#opt-nginx-ingress-kubernetes-iolimit-whitelist">`nginx.ingress.kubernetes.io/limit-whitelist`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-rps" href="#opt-nginx-ingress-kubernetes-iolimit-rps" title="#opt-nginx-ingress-kubernetes-iolimit-rps">`nginx.ingress.kubernetes.io/limit-rps`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-rpm" href="#opt-nginx-ingress-kubernetes-iolimit-rpm" title="#opt-nginx-ingress-kubernetes-iolimit-rpm">`nginx.ingress.kubernetes.io/limit-rpm`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" href="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" title="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier">`nginx.ingress.kubernetes.io/limit-burst-multiplier`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-connections" href="#opt-nginx-ingress-kubernetes-iolimit-connections" title="#opt-nginx-ingress-kubernetes-iolimit-connections">`nginx.ingress.kubernetes.io/limit-connections`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit">`nginx.ingress.kubernetes.io/global-rate-limit`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit-window" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-window" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-window">`nginx.ingress.kubernetes.io/global-rate-limit-window`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit-key" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-key" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-key">`nginx.ingress.kubernetes.io/global-rate-limit-key`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs">`nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect">`nginx.ingress.kubernetes.io/permanent-redirect`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect-code" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code">`nginx.ingress.kubernetes.io/permanent-redirect-code`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iotemporal-redirect" href="#opt-nginx-ingress-kubernetes-iotemporal-redirect" title="#opt-nginx-ingress-kubernetes-iotemporal-redirect">`nginx.ingress.kubernetes.io/temporal-redirect`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iopreserve-trailing-slash" href="#opt-nginx-ingress-kubernetes-iopreserve-trailing-slash" title="#opt-nginx-ingress-kubernetes-iopreserve-trailing-slash">`nginx.ingress.kubernetes.io/preserve-trailing-slash`</a> | Traefik preserves trailing slash by default.         |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-cookie-domain" href="#opt-nginx-ingress-kubernetes-ioproxy-cookie-domain" title="#opt-nginx-ingress-kubernetes-ioproxy-cookie-domain">`nginx.ingress.kubernetes.io/proxy-cookie-domain`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-cookie-path" href="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path" title="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path">`nginx.ingress.kubernetes.io/proxy-cookie-path`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout">`nginx.ingress.kubernetes.io/proxy-connect-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-send-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout">`nginx.ingress.kubernetes.io/proxy-send-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-read-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout">`nginx.ingress.kubernetes.io/proxy-read-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream">`nginx.ingress.kubernetes.io/proxy-next-upstream`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout">`nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries">`nginx.ingress.kubernetes.io/proxy-next-upstream-tries`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-request-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering">`nginx.ingress.kubernetes.io/proxy-request-buffering`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-cookie-path" href="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path" title="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path">`nginx.ingress.kubernetes.io/proxy-cookie-path`</a> | 
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-redirect-from" href="#opt-nginx-ingress-kubernetes-ioproxy-redirect-from" title="#opt-nginx-ingress-kubernetes-ioproxy-redirect-from">`nginx.ingress.kubernetes.io/proxy-redirect-from`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-redirect-to" href="#opt-nginx-ingress-kubernetes-ioproxy-redirect-to" title="#opt-nginx-ingress-kubernetes-ioproxy-redirect-to">`nginx.ingress.kubernetes.io/proxy-redirect-to`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-http-version" href="#opt-nginx-ingress-kubernetes-ioproxy-http-version" title="#opt-nginx-ingress-kubernetes-ioproxy-http-version">`nginx.ingress.kubernetes.io/proxy-http-version`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-ciphers" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-ciphers" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-ciphers">`nginx.ingress.kubernetes.io/proxy-ssl-ciphers`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-verify-depth" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify-depth" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify-depth">`nginx.ingress.kubernetes.io/proxy-ssl-verify-depth`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-protocols" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-protocols" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-protocols">`nginx.ingress.kubernetes.io/proxy-ssl-protocols`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioenable-rewrite-log" href="#opt-nginx-ingress-kubernetes-ioenable-rewrite-log" title="#opt-nginx-ingress-kubernetes-ioenable-rewrite-log">`nginx.ingress.kubernetes.io/enable-rewrite-log`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iorewrite-target" href="#opt-nginx-ingress-kubernetes-iorewrite-target" title="#opt-nginx-ingress-kubernetes-iorewrite-target">`nginx.ingress.kubernetes.io/rewrite-target`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iosatisfy" href="#opt-nginx-ingress-kubernetes-iosatisfy" title="#opt-nginx-ingress-kubernetes-iosatisfy">`nginx.ingress.kubernetes.io/satisfy`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioserver-alias" href="#opt-nginx-ingress-kubernetes-ioserver-alias" title="#opt-nginx-ingress-kubernetes-ioserver-alias">`nginx.ingress.kubernetes.io/server-alias`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioserver-snippet" href="#opt-nginx-ingress-kubernetes-ioserver-snippet" title="#opt-nginx-ingress-kubernetes-ioserver-snippet">`nginx.ingress.kubernetes.io/server-snippet`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none" href="#opt-nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none" title="#opt-nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none">`nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-expires" href="#opt-nginx-ingress-kubernetes-iosession-cookie-expires" title="#opt-nginx-ingress-kubernetes-iosession-cookie-expires">`nginx.ingress.kubernetes.io/session-cookie-expires`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iosession-cookie-change-on-failure" href="#opt-nginx-ingress-kubernetes-iosession-cookie-change-on-failure" title="#opt-nginx-ingress-kubernetes-iosession-cookie-change-on-failure">`nginx.ingress.kubernetes.io/session-cookie-change-on-failure`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iossl-ciphers" href="#opt-nginx-ingress-kubernetes-iossl-ciphers" title="#opt-nginx-ingress-kubernetes-iossl-ciphers">`nginx.ingress.kubernetes.io/ssl-ciphers`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iossl-prefer-server-ciphers" href="#opt-nginx-ingress-kubernetes-iossl-prefer-server-ciphers" title="#opt-nginx-ingress-kubernetes-iossl-prefer-server-ciphers">`nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioconnection-proxy-header" href="#opt-nginx-ingress-kubernetes-ioconnection-proxy-header" title="#opt-nginx-ingress-kubernetes-ioconnection-proxy-header">`nginx.ingress.kubernetes.io/connection-proxy-header`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioenable-access-log" href="#opt-nginx-ingress-kubernetes-ioenable-access-log" title="#opt-nginx-ingress-kubernetes-ioenable-access-log">`nginx.ingress.kubernetes.io/enable-access-log`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioenable-opentracing" href="#opt-nginx-ingress-kubernetes-ioenable-opentracing" title="#opt-nginx-ingress-kubernetes-ioenable-opentracing">`nginx.ingress.kubernetes.io/enable-opentracing`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioopentracing-trust-incoming-span" href="#opt-nginx-ingress-kubernetes-ioopentracing-trust-incoming-span" title="#opt-nginx-ingress-kubernetes-ioopentracing-trust-incoming-span">`nginx.ingress.kubernetes.io/opentracing-trust-incoming-span`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioenable-opentelemetry" href="#opt-nginx-ingress-kubernetes-ioenable-opentelemetry" title="#opt-nginx-ingress-kubernetes-ioenable-opentelemetry">`nginx.ingress.kubernetes.io/enable-opentelemetry`</a> |                                                      |
@@ -433,15 +492,7 @@ The following annotations are organized by category for easier navigation.
 | <a id="opt-nginx-ingress-kubernetes-iomirror-request-body" href="#opt-nginx-ingress-kubernetes-iomirror-request-body" title="#opt-nginx-ingress-kubernetes-iomirror-request-body">`nginx.ingress.kubernetes.io/mirror-request-body`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iomirror-target" href="#opt-nginx-ingress-kubernetes-iomirror-target" title="#opt-nginx-ingress-kubernetes-iomirror-target">`nginx.ingress.kubernetes.io/mirror-target`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iomirror-host" href="#opt-nginx-ingress-kubernetes-iomirror-host" title="#opt-nginx-ingress-kubernetes-iomirror-host">`nginx.ingress.kubernetes.io/mirror-host`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iox-forwarded-prefix" href="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix" title="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix">`nginx.ingress.kubernetes.io/x-forwarded-prefix`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioupstream-hash-by" href="#opt-nginx-ingress-kubernetes-ioupstream-hash-by" title="#opt-nginx-ingress-kubernetes-ioupstream-hash-by">`nginx.ingress.kubernetes.io/upstream-hash-by`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioupstream-vhost" href="#opt-nginx-ingress-kubernetes-ioupstream-vhost" title="#opt-nginx-ingress-kubernetes-ioupstream-vhost">`nginx.ingress.kubernetes.io/upstream-vhost`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iodenylist-source-range" href="#opt-nginx-ingress-kubernetes-iodenylist-source-range" title="#opt-nginx-ingress-kubernetes-iodenylist-source-range">`nginx.ingress.kubernetes.io/denylist-source-range`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iowhitelist-source-range" href="#opt-nginx-ingress-kubernetes-iowhitelist-source-range" title="#opt-nginx-ingress-kubernetes-iowhitelist-source-range">`nginx.ingress.kubernetes.io/whitelist-source-range`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-buffering">`nginx.ingress.kubernetes.io/proxy-buffering`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffers-number" href="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number" title="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number">`nginx.ingress.kubernetes.io/proxy-buffers-number`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffer-size" href="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size" title="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size">`nginx.ingress.kubernetes.io/proxy-buffer-size`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" href="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" title="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size">`nginx.ingress.kubernetes.io/proxy-max-temp-file-size`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iostream-snippet" href="#opt-nginx-ingress-kubernetes-iostream-snippet" title="#opt-nginx-ingress-kubernetes-iostream-snippet">`nginx.ingress.kubernetes.io/stream-snippet`</a> |                                                      |

 ### Global Configuration
@@ -85,6 +85,14 @@ spec:
 | <a id="opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage" href="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage" title="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage">`traefik.ingress.kubernetes.io/service.sticky.cookie.maxage`</a> | Sets the Max-Age attribute (in seconds) on the sticky session cookie.<br/>See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `42` |
 | <a id="opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path" href="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path" title="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path">`traefik.ingress.kubernetes.io/service.sticky.cookie.path`</a> | Sets the Path attribute on the sticky session cookie, defining the path that must exist in the requested URL.<br/>See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `/foobar` |

+??? info "`traefik.ingress.kubernetes.io/service.middlewares`"
+
+    See [service middlewares](../http/load-balancing/service.md#middlewares) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.middlewares: auth@file,prefix@kubernetescrd
+    ```
+
 ## TLS

 ### Enabling TLS via HTTP Options on Entrypoint
@@ -231,7 +239,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.6
+              image: traefik:v3.7
              args:
                - --entryPoints.websecure.address=:443
                - --entryPoints.websecure.http.tls
@@ -8,7 +8,7 @@ description: "The Knative provider can be used for routing and load balancing in
 When using the Knative provider, Traefik leverages Knative's Custom Resource Definitions (CRDs) to obtain its routing configuration. 
 For detailed information on Knative concepts and resources, refer to the official [documentation](https://knative.dev/docs/).

-The Knative provider supports version [v1.19.0](https://github.com/knative/serving/releases/tag/knative-v1.19.0) of the specification.
+The Knative provider supports versions [v1.19.0](https://github.com/knative/serving/releases/tag/knative-v1.19.0) and [v1.20.0](https://github.com/knative/serving/releases/tag/knative-v1.20.0) of the specification.

 ## Deploying a Knative Service

@@ -18,7 +18,7 @@ The table below lists all the available matchers:

 | Rule                                                        | Description                                                                                      |
 |-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------|
-| <a id="opt-HostSNIdomain" href="#opt-HostSNIdomain" title="#opt-HostSNIdomain">[```HostSNI(`domain`)```](#hostsni-and-hostsniregexp)</a> | Checks if the connection's Server Name Indication is equal to `domain`.<br /> More information [here](#hostsni-and-hostsniregexp).                          |
+| <a id="opt-HostSNIdomain" href="#opt-HostSNIdomain" title="#opt-HostSNIdomain">[```HostSNI(`domain`)```](#hostsni-and-hostsniregexp)</a> | Checks if the connection's Server Name Indication is equal to `domain`. Supports wildcard subdomain matching (e.g. `*.example.com`).<br /> More information [here](#hostsni-and-hostsniregexp). |
 | <a id="opt-HostSNIRegexpregexp" href="#opt-HostSNIRegexpregexp" title="#opt-HostSNIRegexpregexp">[```HostSNIRegexp(`regexp`)```](#hostsni-and-hostsniregexp)</a> | Checks if the connection's Server Name Indication matches `regexp`.<br />Use a [Go](https://golang.org/pkg/regexp/) flavored syntax.<br /> More information [here](#hostsni-and-hostsniregexp). |
 | <a id="opt-ClientIPip" href="#opt-ClientIPip" title="#opt-ClientIPip">[```ClientIP(`ip`)```](#clientip)</a> | Checks if the connection's client IP correspond to `ip`. It accepts IPv4, IPv6 and CIDR formats.<br /> More information [here](#clientip). |
 | <a id="opt-ALPNprotocol" href="#opt-ALPNprotocol" title="#opt-ALPNprotocol">[```ALPN(`protocol`)```](#alpn)</a> | Checks if the connection's ALPN protocol equals `protocol`.<br /> More information [here](#alpn).          |
@@ -59,6 +59,15 @@ These matchers do not support non-ASCII characters, use punycode encoded values
    when one wants a non-TLS router that matches all (non-TLS) requests,
    one should use the specific ```HostSNI(`*`)``` syntax.

+!!! info "Wildcard subdomain matching"
+
+    The `HostSNI` matcher supports a single-level wildcard prefix (`*.example.com`) to match any direct subdomain of `example.com`.
+    It should be preferred over the `HostSNIRegexp` matcher as it allows attaching a TLS option and is more efficient.
+
+    A wildcard matches exactly one subdomain label: `*.example.com` matches `foo.example.com` but not `foo.bar.example.com` or `example.com` itself.    
+
+    This is only available with the **v3 rule syntax** (the default).
+
 #### Examples

 Match all connections:
@@ -77,7 +86,13 @@ Match TCP connections sent to `example.com`:
 HostSNI(`example.com`)
 ```

-Match TCP connections opened on any subdomain of `example.com`:
+Match TCP connections opened on any direct subdomain of `example.com` (e.g. `foo.example.com`):
+
+```yaml
+HostSNI(`*.example.com`)
+```
+
+Match TCP connections opened on any subdomain of `example.com` (including nested subdomains), using a regular expression:

 ```yaml
 HostSNIRegexp(`^.+\.example\.com$`)
@@ -201,3 +216,9 @@ Traefik reserves a range of priorities for its internal routers, the maximum use

 - `(MaxInt32 - 1000)` for 32-bit platforms,
 - `(MaxInt64 - 1000)` for 64-bit platforms.
+
+!!! info "Providers Precedence"
+
+    When two routes from **different providers** share the same numeric priority,
+    Traefik uses the [`providers.precedence`](../../../install-configuration/providers/overview.md#providers-precedence) install configuration option to determine which route takes precedence.
+    The provider listed first in `precedence` wins the tie.
@@ -50,6 +50,7 @@
      insecure = true
      trustedIPs = ["foobar", "foobar"]
      connection = ["foobar", "foobar"]
+      addXForwardedSchemeHeaders = true
    [entryPoints.EntryPoint0.http]
      middlewares = ["foobar", "foobar"]
      encodeQuerySemicolons = true
@@ -61,6 +61,7 @@ entryPoints:
      connection:
        - foobar
        - foobar
+      addXForwardedSchemeHeaders: true
    http:
      redirections:
        entryPoint:
@@ -133,3 +133,8 @@ entryPoints:
 --entryPoints.websecure.http.encodedCharacters.allowEncodedQuestionMark=false
 --entryPoints.websecure.http.encodedCharacters.allowEncodedHash=false
 ```
+
+!!! info "Encoded Characters filtering on a per-route basis"
+
+    If you need to configure encoded character filtering on a per-route basis, you can use the `EncodedCharacters` middleware.
+    Refer to the documentation for the [`EncodedCharacter` middleware](../reference/routing-configuration/http/middlewares/encodedcharacters.md) for detailed implementation instructions and configuration options.
@@ -64,7 +64,7 @@ In your project root folder (the parent folder to the `dynamic/tls.yaml` file),
 ```yaml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    container_name: traefik
    restart: unless-stopped
    security_opt:
@@ -61,7 +61,7 @@ In the same directory, create `docker‑compose‑swarm.yaml`:
 ```yaml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    
    networks:
    # Connect to the 'traefik_proxy' overlay network for inter-container communication across nodes
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -11,7 +11,7 @@ secrets:
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -318,6 +318,7 @@ nav:
              - 'ContentType': 'reference/routing-configuration/http/middlewares/contenttype.md'
              - 'DigestAuth': 'reference/routing-configuration/http/middlewares/digestauth.md'
              - '<span class="nav-link-with-icon">Distributed RateLimit <img src="https://doc.traefik.io/traefik-hub/img/ps-traefik-hub-logo-light.svg" class="menu-icon" alt="Traefik Hub API Gateway"></span>' : 'reference/routing-configuration/http/middlewares/distributed-ratelimit.md'
+              - 'EncodedCharacters': 'reference/routing-configuration/http/middlewares/encodedcharacters.md'
              - 'Errors': 'reference/routing-configuration/http/middlewares/errorpages.md'
              - 'ForwardAuth': 'reference/routing-configuration/http/middlewares/forwardauth.md'
              - 'GrpcWeb': 'reference/routing-configuration/http/middlewares/grpcweb.md'
@@ -0,0 +1,58 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1778036283,
+        "narHash": "sha256-GW2cEd/cLcVbbCes8iQuoY2qGIeCA7UiaD351hpkXfI=",
+        "rev": "ed67bc86e84e51d4a88e73c7fd36006dc876476f",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre993032.ed67bc86e84e/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz"
+      }
+    },
+    "nixpkgs-golangci": {
+      "locked": {
+        "lastModified": 1771861243,
+        "narHash": "sha256-mz05b1VyLWoTkNg8iJr3yXFJF7HDlwIUKI3ln39RacY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "80d901ec0377e19ac3f7bb8c035201e2e098cc97",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "80d901ec0377e19ac3f7bb8c035201e2e098cc97",
+        "type": "github"
+      }
+    },
+    "nixpkgs-kct": {
+      "locked": {
+        "lastModified": 1763934636,
+        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-golangci": "nixpkgs-golangci",
+        "nixpkgs-kct": "nixpkgs-kct"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
@@ -0,0 +1,45 @@
+{
+  description = "Dev shell for dev environment";
+
+  inputs = {
+    # Main nixpkgs (used for gnused)
+    nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz";
+
+    # Pinned nixpkgs for kubernetes-controller-tools
+    # Search: https://www.nixhub.io/packages/kubernetes-controller-tools
+    nixpkgs-kct.url = "github:NixOS/nixpkgs/ee09932cedcef15aaf476f9343d1dea2cb77e261";
+
+    # Pinned nixpkgs for golangci-lint
+    # Search: https://www.nixhub.io/packages/golangci-lint
+    nixpkgs-golangci.url = "github:NixOS/nixpkgs/80d901ec0377e19ac3f7bb8c035201e2e098cc97";
+  };
+
+  outputs =
+    {
+      nixpkgs,
+      nixpkgs-kct,
+      nixpkgs-golangci,
+      ...
+    }:
+    let
+      inherit (nixpkgs.lib) genAttrs;
+      forEachSystem = genAttrs nixpkgs.lib.systems.flakeExposed;
+
+      pkgsForEach = nixpkgs.legacyPackages;
+      pkgsKctForEach = nixpkgs-kct.legacyPackages;
+      pkgsGolangCiForEach = nixpkgs-golangci.legacyPackages;
+    in
+    {
+      devShells = forEachSystem (system: {
+        default = pkgsForEach.${system}.mkShell {
+          packages = [
+            pkgsForEach.${system}.gnused
+            pkgsKctForEach.${system}.kubernetes-controller-tools
+            pkgsGolangCiForEach.${system}.golangci-lint
+          ];
+        };
+      });
+
+      formatter = forEachSystem (system: pkgsForEach.${system}.nixfmt);
+    };
+}
@@ -36,6 +36,7 @@ require (
 	github.com/hashicorp/go-version v1.9.0
 	github.com/hashicorp/nomad/api v0.0.0-20231213195942-64e3dca9274b // No tag on the repo.
 	github.com/http-wasm/http-wasm-host-go v0.7.0
+	github.com/huandu/xstrings v1.5.0
 	github.com/influxdata/influxdb-client-go/v2 v2.7.0
 	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab // No tag on the repo.
 	github.com/klauspost/compress v1.18.5
@@ -54,7 +55,7 @@ require (
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pires/go-proxyproto v0.12.0
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // No tag on the repo.
-	github.com/prometheus/client_golang v1.23.0
+	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/client_model v0.6.2
 	github.com/quic-go/quic-go v0.59.1
 	github.com/redis/go-redis/v9 v9.8.0
@@ -72,7 +73,9 @@ require (
 	github.com/tidwall/gjson v1.17.0
 	github.com/traefik/grpc-web v0.16.0
 	github.com/traefik/paerser v0.2.2
+	github.com/traefik/traefik/dynamic/ext v0.0.0-00010101000000-000000000000
 	github.com/traefik/yaegi v0.16.1
+	github.com/tufanbarisyildirim/gonginx v0.0.0-20250620092546-c3e307e36701 // latest tag is too old.
 	github.com/unrolled/render v1.0.2
 	github.com/unrolled/secure v1.0.9
 	github.com/valyala/fasthttp v1.69.0
@@ -107,17 +110,18 @@ require (
 	google.golang.org/grpc v1.80.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.34.3
-	k8s.io/apiextensions-apiserver v0.34.3
-	k8s.io/apimachinery v0.34.3
-	k8s.io/client-go v0.34.3
-	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // No tag on the repo.
-	knative.dev/networking v0.0.0-20241022012959-60e29ff520dc
-	knative.dev/pkg v0.0.0-20241021183759-9b9d535af5ad
+	k8s.io/api v0.35.2
+	k8s.io/apiextensions-apiserver v0.35.2
+	k8s.io/apimachinery v0.35.2
+	k8s.io/client-go v0.35.2
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // No tag on the repo.
+	knative.dev/networking v0.0.0-20251217020127-11890a5dabea
+	knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1
 	mvdan.cc/xurls/v2 v2.5.0
-	sigs.k8s.io/controller-runtime v0.22.1
-	sigs.k8s.io/gateway-api v1.4.0
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.1
+	sigs.k8s.io/controller-runtime v0.23.3
+	sigs.k8s.io/gateway-api v1.5.1
+	sigs.k8s.io/gateway-api/conformance v1.5.1
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.2
 	sigs.k8s.io/yaml v1.6.0
 )

@@ -147,7 +151,7 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
 	github.com/HdrHistogram/hdrhistogram-go v1.2.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.1.0 // indirect
@@ -233,11 +237,9 @@ require (
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
@@ -257,7 +259,6 @@ require (
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
-	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.192 // indirect
 	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
@@ -286,7 +287,7 @@ require (
 	github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f // indirect
 	github.com/mailgun/multibuf v0.2.0 // indirect
 	github.com/mailgun/timetools v0.0.0-20141028012446-7e6055773c51 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/mailru/easyjson v0.9.1 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.21 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
@@ -325,7 +326,6 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b // indirect
-	github.com/openzipkin/zipkin-go v0.4.3 // indirect
 	github.com/ovh/go-ovh v1.9.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterhellberg/link v1.2.0 // indirect
@@ -333,8 +333,8 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/pquerna/otp v1.5.0 // indirect
-	github.com/prometheus/common v0.65.0 // indirect
-	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/prometheus/common v0.67.4 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
 	github.com/rs/cors v1.7.0 // indirect
@@ -356,7 +356,7 @@ require (
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/pflag v1.0.7 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
@@ -379,11 +379,10 @@ require (
 	github.com/yandex-cloud/go-sdk/v2 v2.92.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
 	go.mongodb.org/mongo-driver v1.17.9 // indirect
-	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/collector/featuregate v1.41.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
@@ -395,14 +394,14 @@ require (
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
-	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.uber.org/zap v1.27.1 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.4.0 // indirect
 	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/term v0.43.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	google.golang.org/api v0.276.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
@@ -413,12 +412,15 @@ require (
 	gopkg.in/ns1/ns1-go.v2 v2.17.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 )

+// Dynamic config extension.
+replace github.com/traefik/traefik/dynamic/ext => ./pkg/config/dynamic/ext
+
 // Containous forks
 replace (
 	github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e
@@ -598,10 +598,6 @@ cloud.google.com/go/workflows v1.7.0/go.mod h1:JhSrZuVZWuiDfKEFxU0/F1PQjmpnpcoIS
 cloud.google.com/go/workflows v1.8.0/go.mod h1:ysGhmEajwZxGn1OhGOGKsTXc5PyxOc0vfKf5Af+to4M=
 cloud.google.com/go/workflows v1.9.0/go.mod h1:ZGkj1aFIOd9c8Gerkjjq7OW7I5+l6cSvT3ujaO/WwSA=
 cloud.google.com/go/workflows v1.10.0/go.mod h1:fZ8LmRmZQWacon9UCX1r/g/DfAXx5VcPALq2CxzdePw=
-contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d h1:LblfooH1lKOpp1hIhukktmSAxFkqMPFk9KR6iZ0MJNI=
-contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d/go.mod h1:IshRmMJBhDfFj5Y67nVhMYTTIze91RUeT73ipWKs/GY=
-contrib.go.opencensus.io/exporter/prometheus v0.4.2 h1:sqfsYl5GIY/L570iT+l93ehxaWJs2/OwXtiWwew3oAg=
-contrib.go.opencensus.io/exporter/prometheus v0.4.2/go.mod h1:dvEHbiKmgvbr5pjaF9fpw1KeYcjrnC1J8B+JKjsZyRQ=
 dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
@@ -674,8 +670,8 @@ github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
-github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4=
-github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
@@ -856,7 +852,6 @@ github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1x
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
 github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -1109,8 +1104,8 @@ github.com/go-playground/validator/v10 v10.23.0/go.mod h1:dbuPbCMFw/DrkbEynArYaC
 github.com/go-resty/resty/v2 v2.17.2 h1:FQW5oHYcIlkCNrMD2lloGScxcHJ0gkjshV3qcQAyHQk=
 github.com/go-resty/resty/v2 v2.17.2/go.mod h1:kCKZ3wWmwJaNc7S29BRtUhJwy7iqmn+2mLtQrOyQlVA=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 h1:p104kn46Q8WdvHunIJ9dAyjPVtrBPhSr3KT2yUst43I=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
@@ -1158,7 +1153,6 @@ github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4er
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -1248,8 +1242,8 @@ github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
-github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc=
+github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
 github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
@@ -1401,6 +1395,8 @@ github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df/go.mod h1:QMZY7/J/KSQEhK
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/imega/luaformatter v0.0.0-20211025140405-86b0a68d6bef h1:RC993DdTIHNItsyLj79fgZNLzrf9tBN0GR6W5ZPms6s=
+github.com/imega/luaformatter v0.0.0-20211025140405-86b0a68d6bef/go.mod h1:i2XCfvmO94HrEOQWllihhtPrkvNfuB2R2p/o6+OVnRU=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/influxdata/influxdb-client-go/v2 v2.7.0 h1:QgP5mlBE9sGnzplpnf96pr+p7uqlIlL4W2GAP3n+XZg=
@@ -1547,8 +1543,8 @@ github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f h1:ZZYhg16XocqSKPGN
 github.com/mailgun/ttlmap v0.0.0-20170619185759-c1c17f74874f/go.mod h1:8heskWJ5c0v5J9WH89ADhyal1DOZcayll8fSbhB+/9A=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
-github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
-github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/mailru/easyjson v0.9.1 h1:LbtsOm5WAswyWbvTEOqhypdPeZzHavpZx96/n553mR8=
+github.com/mailru/easyjson v0.9.1/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
 github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -1712,16 +1708,16 @@ github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.0.0/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
 github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
-github.com/onsi/ginkgo/v2 v2.23.3 h1:edHxnszytJ4lD9D5Jjc4tiDkPBZ3siDeJJkUZJJVkp0=
-github.com/onsi/ginkgo/v2 v2.23.3/go.mod h1:zXTP6xIp3U8aVuXN8ENK9IXRaTjFnpVB9mGmaSRvxnM=
+github.com/onsi/ginkgo/v2 v2.28.0 h1:Rrf+lVLmtlBIKv6KrIGJCjyY8N36vDVcutbGJkyqjJc=
+github.com/onsi/ginkgo/v2 v2.28.0/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28=
+github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -1731,8 +1727,6 @@ github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b h1:it0YPE/evO6/m8
 github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b/go.mod h1:tNrEB5k8SI+g5kOlsCmL2ELASfpqEofI0+FLBgBdN08=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/openzipkin/zipkin-go v0.2.5/go.mod h1:KpXfKdgRDnnhsxw4pNIH9Md5lyFqKUa4YDFlwRYAMyE=
-github.com/openzipkin/zipkin-go v0.4.3 h1:9EGwpqkgnwdEIJ+Od7QVSEIH+ocmm5nPat0G7sjsSdg=
-github.com/openzipkin/zipkin-go v0.4.3/go.mod h1:M9wCJZFWCo2RiY+o1eBCEMe0Dp2S5LDHcMZmk3RmK7c=
 github.com/ovh/go-ovh v1.9.0 h1:6K8VoL3BYjVV3In9tPJUdT7qMx9h0GExN9EXx1r2kKE=
 github.com/ovh/go-ovh v1.9.0/go.mod h1:cTVDnl94z4tl8pP1uZ/8jlVxntjSIf09bNcQ5TJSC7c=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -1785,8 +1779,8 @@ github.com/prometheus/client_golang v1.4.0/go.mod h1:e9GMxYsXl05ICDXkRhurwBS4Q3O
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
-github.com/prometheus/client_golang v1.23.0 h1:ust4zpdl9r4trLY/gSjlm07PuiBq2ynaXXlptpfy8Uc=
-github.com/prometheus/client_golang v1.23.0/go.mod h1:i/o0R9ByOnHX0McrTMTyhYvKE4haaf2mW08I+jGAjEE=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -1802,8 +1796,8 @@ github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8b
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.30.0/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
-github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
+github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
+github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -1812,10 +1806,8 @@ github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+Gx
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
-github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
-github.com/prometheus/statsd_exporter v0.22.7 h1:7Pji/i2GuhK6Lu7DHrtTkFmNBCudCPT1pX2CziuyQR0=
-github.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9dFqnUakOjnEuMPJJJnI=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
@@ -1921,8 +1913,8 @@ github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb6
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
-github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.16.0/go.mod h1:yg78JgCJcbrQOvV9YLXgkLaZqUidkY9K+Dd1FofRzQg=
@@ -1986,6 +1978,10 @@ github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JT
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/timtadh/data-structures v0.5.3 h1:F2tEjoG9qWIyUjbvXVgJqEOGJPMIiYn7U5W5mE+i/vQ=
+github.com/timtadh/data-structures v0.5.3/go.mod h1:9R4XODhJ8JdWFEI8P/HJKqxuJctfBQw6fDibMQny2oU=
+github.com/timtadh/lexmachine v0.2.2 h1:g55RnjdYazm5wnKv59pwFcBJHOyvTPfDEoz21s4PHmY=
+github.com/timtadh/lexmachine v0.2.2/go.mod h1:GBJvD5OAfRn/gnp92zb9KTgHLB7akKyxmVivoYCcjQI=
 github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
 github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
 github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
@@ -2002,6 +1998,8 @@ github.com/traefik/yaegi v0.16.1 h1:f1De3DVJqIDKmnasUF6MwmWv1dSEEat0wcpXhD2On3E=
 github.com/traefik/yaegi v0.16.1/go.mod h1:4eVhbPb3LnD2VigQjhYbEJ69vDRFdT2HQNrXx8eEwUY=
 github.com/transip/gotransip/v6 v6.26.2 h1:pnbDXrkFevOngpi6ertLw6e57lOW+Rk3djJ9AewmJ94=
 github.com/transip/gotransip/v6 v6.26.2/go.mod h1:x0/RWGRK/zob817O3tfO2xhFoP1vu8YOHORx6Jpk80s=
+github.com/tufanbarisyildirim/gonginx v0.0.0-20250620092546-c3e307e36701 h1:JgeHIJzRSEdcuLXufZrni5+a4yDnBhQG+DdKhqCFhq0=
+github.com/tufanbarisyildirim/gonginx v0.0.0-20250620092546-c3e307e36701/go.mod h1:ALbEe81QPWOZjDKCKNWodG2iqCMtregG8+ebQgjx2+4=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
@@ -2076,19 +2074,19 @@ go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/api/v3 v3.5.7/go.mod h1:9qew1gCdDDLu+VwmeG+iFpL+QlpHTo7iubavdVDgCAA=
 go.etcd.io/etcd/api/v3 v3.5.9/go.mod h1:uyAal843mC8uUVSLWz6eHa/d971iDGnCRpmKd2Z+X8k=
-go.etcd.io/etcd/api/v3 v3.6.4 h1:7F6N7toCKcV72QmoUKa23yYLiiljMrT4xCeBL9BmXdo=
-go.etcd.io/etcd/api/v3 v3.6.4/go.mod h1:eFhhvfR8Px1P6SEuLT600v+vrhdDTdcfMzmnxVXXSbk=
+go.etcd.io/etcd/api/v3 v3.6.5 h1:pMMc42276sgR1j1raO/Qv3QI9Af/AuyQUW6CBAWuntA=
+go.etcd.io/etcd/api/v3 v3.6.5/go.mod h1:ob0/oWA/UQQlT1BmaEkWQzI0sJ1M0Et0mMpaABxguOQ=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/pkg/v3 v3.5.7/go.mod h1:o0Abi1MK86iad3YrWhgUsbGx1pmTS+hrORWc2CamuhY=
 go.etcd.io/etcd/client/pkg/v3 v3.5.9/go.mod h1:y+CzeSmkMpWN2Jyu1npecjB9BBnABxGM4pN8cGuJeL4=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4 h1:9HBYrjppeOfFjBjaMTRxT3R7xT0GLK8EJMVC4xg6ok0=
-go.etcd.io/etcd/client/pkg/v3 v3.6.4/go.mod h1:sbdzr2cl3HzVmxNw//PH7aLGVtY4QySjQFuaCgcRFAI=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5 h1:Duz9fAzIZFhYWgRjp/FgNq2gO1jId9Yae/rLn3RrBP8=
+go.etcd.io/etcd/client/pkg/v3 v3.6.5/go.mod h1:8Wx3eGRPiy0qOFMZT/hfvdos+DjEaPxdIDiCDUv/FQk=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
 go.etcd.io/etcd/client/v2 v2.305.7/go.mod h1:GQGT5Z3TBuAQGvgPfhR7VPySu/SudxmEkRq9BgzFU6s=
 go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
 go.etcd.io/etcd/client/v3 v3.5.9/go.mod h1:i/Eo5LrZ5IKqpbtpPDuaUnDOUv471oDg8cjQaUr2MbA=
-go.etcd.io/etcd/client/v3 v3.6.4 h1:YOMrCfMhRzY8NgtzUsHl8hC2EBSnuqbR3dh84Uryl7A=
-go.etcd.io/etcd/client/v3 v3.6.4/go.mod h1:jaNNHCyg2FdALyKWnd7hxZXZxZANb0+KGY+YQaEMISo=
+go.etcd.io/etcd/client/v3 v3.6.5 h1:yRwZNFBx/35VKHTcLDeO7XVLbCBFbPi+XV4OC3QJf2U=
+go.etcd.io/etcd/client/v3 v3.6.5/go.mod h1:ZqwG/7TAFZ0BJ0jXRPoJjKQJtbFo/9NIY8uoFFKcCyo=
 go.mongodb.org/mongo-driver v1.13.1/go.mod h1:wcDf1JBCXy2mOW0bWHwO/IOYqdca1MPCwDtFu/Z9+eo=
 go.mongodb.org/mongo-driver v1.17.9 h1:IexDdCuuNJ3BHrELgBlyaH9p60JXAvdzWR128q+U5tU=
 go.mongodb.org/mongo-driver v1.17.9/go.mod h1:LlOhpH5NUEfhxcAwG0UEkMqwYcc4JU18gtCdGudk/tQ=
@@ -2099,7 +2097,6 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
-go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
@@ -2189,10 +2186,10 @@ go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 go.uber.org/zap v1.19.1/go.mod h1:j3DNczoxDZroyBnOT1L/Q79cfUMGZxlv/9dzN7SM1rI=
 go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
-go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
-go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.uber.org/zap v1.27.1 h1:08RqriUEv8+ArZRYSTXy1LeBScaMpVSTBhCeaZYfMYc=
+go.uber.org/zap v1.27.1/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.4.0 h1:A8WCeEWhLwPBKNbFi5Wv5UTCBx5zzubnXDlMOFAzFMc=
@@ -2719,8 +2716,8 @@ golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
-gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
+gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 gonum.org/v1/gonum v0.0.0-20180816165407-929014505bf4/go.mod h1:Y+Yx5eoAFn32cQvJDxZx5Dpnq+c3wtXuadVZAcxbbBo=
 gonum.org/v1/gonum v0.8.2/go.mod h1:oe/vMfY3deqTw+1EZJhuvEW2iwGF1bW9wwu7XCu0+v0=
 gonum.org/v1/gonum v0.9.3/go.mod h1:TZumC3NeyVQskjXqmyWt4S3bINhy7B4eYwW69EbyX+0=
@@ -3054,24 +3051,24 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
-k8s.io/api v0.34.3 h1:D12sTP257/jSH2vHV2EDYrb16bS7ULlHpdNdNhEw2S4=
-k8s.io/api v0.34.3/go.mod h1:PyVQBF886Q5RSQZOim7DybQjAbVs8g7gwJNhGtY5MBk=
-k8s.io/apiextensions-apiserver v0.34.3 h1:p10fGlkDY09eWKOTeUSioxwLukJnm+KuDZdrW71y40g=
-k8s.io/apiextensions-apiserver v0.34.3/go.mod h1:aujxvqGFRdb/cmXYfcRTeppN7S2XV/t7WMEc64zB5A0=
-k8s.io/apimachinery v0.34.3 h1:/TB+SFEiQvN9HPldtlWOTp0hWbJ+fjU+wkxysf/aQnE=
-k8s.io/apimachinery v0.34.3/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
-k8s.io/client-go v0.34.3 h1:wtYtpzy/OPNYf7WyNBTj3iUA0XaBHVqhv4Iv3tbrF5A=
-k8s.io/client-go v0.34.3/go.mod h1:OxxeYagaP9Kdf78UrKLa3YZixMCfP6bgPwPwNBQBzpM=
+k8s.io/api v0.35.2 h1:tW7mWc2RpxW7HS4CoRXhtYHSzme1PN1UjGHJ1bdrtdw=
+k8s.io/api v0.35.2/go.mod h1:7AJfqGoAZcwSFhOjcGM7WV05QxMMgUaChNfLTXDRE60=
+k8s.io/apiextensions-apiserver v0.35.2 h1:iyStXHoJZsUXPh/nFAsjC29rjJWdSgUmG1XpApE29c0=
+k8s.io/apiextensions-apiserver v0.35.2/go.mod h1:OdyGvcO1FtMDWQ+rRh/Ei3b6X3g2+ZDHd0MSRGeS8rU=
+k8s.io/apimachinery v0.35.2 h1:NqsM/mmZA7sHW02JZ9RTtk3wInRgbVxL8MPfzSANAK8=
+k8s.io/apimachinery v0.35.2/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.2 h1:YUfPefdGJA4aljDdayAXkc98DnPkIetMl4PrKX97W9o=
+k8s.io/client-go v0.35.2/go.mod h1:4QqEwh4oQpeK8AaefZ0jwTFJw/9kIjdQi0jpKeYvz7g=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 h1:liMHz39T5dJO1aOKHLvwaCjDbf07wVh6yaUlTpunnkE=
-k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d h1:wAhiDyZ4Tdtt7e46e9M5ZSAJ/MnPGPs+Ki1gHw4w1R0=
-k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/networking v0.0.0-20241022012959-60e29ff520dc h1:0d9XXRLlyuHfINZLlYqo/BYe/+chqqNBMLKJldjTbtw=
-knative.dev/networking v0.0.0-20241022012959-60e29ff520dc/go.mod h1:G56j6VCLzfaN9yZ4IqfNyN4c3U1czvhUmKeZX4UjQ8Q=
-knative.dev/pkg v0.0.0-20241021183759-9b9d535af5ad h1:Nrjtr2H168rJeamH4QdyLMV1lEKHejNhaj1ymgQMfLk=
-knative.dev/pkg v0.0.0-20241021183759-9b9d535af5ad/go.mod h1:StJI72GWcm/iErmk4RqFJiOo8RLbVqPbHxUqeVwAzeo=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY=
+k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
+knative.dev/networking v0.0.0-20251217020127-11890a5dabea h1:CsVi1M+NbPIfvBPWI9DQOwlzBG6+w+mAfhUDqw1jeXM=
+knative.dev/networking v0.0.0-20251217020127-11890a5dabea/go.mod h1:gPzztUiSYDSB3yHx85xr4j2ZccEdiZDWlLsYHr7fQtg=
+knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1 h1:pSZ4sRKm/Kq1ec+7Yhow6jUH0FKZjzrUHpPsy6Lu8pE=
+knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1/go.mod h1:jU9OxeX3zL4W6aHpdMjMA/B7kgkm5JQv6PGMod2Qu/M=
 lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
@@ -3116,16 +3113,18 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.22.1 h1:Ah1T7I+0A7ize291nJZdS1CabF/lB4E++WizgV24Eqg=
-sigs.k8s.io/controller-runtime v0.22.1/go.mod h1:FwiwRjkRPbiN+zp2QRp7wlTCzbUXxZ/D4OzuQUDwBHY=
-sigs.k8s.io/gateway-api v1.4.0 h1:ZwlNM6zOHq0h3WUX2gfByPs2yAEsy/EenYJB78jpQfQ=
-sigs.k8s.io/gateway-api v1.4.0/go.mod h1:AR5RSqciWP98OPckEjOjh2XJhAe2Na4LHyXD2FUY7Qk=
+sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80=
+sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
+sigs.k8s.io/gateway-api v1.5.1 h1:RqVRIlkhLhUO8wOHKTLnTJA6o/1un4po4/6M1nRzdd0=
+sigs.k8s.io/gateway-api v1.5.1/go.mod h1:GvCETiaMAlLym5CovLxGjS0NysqFk3+Yuq3/rh6QL2o=
+sigs.k8s.io/gateway-api/conformance v1.5.1 h1:5eruSMKcwKnkX42PFek8oO6BgPNBD5FbWbTcRV76KIw=
+sigs.k8s.io/gateway-api/conformance v1.5.1/go.mod h1:mcvYR0Zll1i5hmcKn+jNbWdZTBls6s5GU+FPUFIceXw=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1 h1:JrhdFMqOd/+3ByqlP2I45kTOZmTRLBUm5pvRjeheg7E=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.1/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
@@ -0,0 +1,53 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[api]
+  insecure = true
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    entrypoints = ["web"]
+    service = "failover-service"
+    rule = "Path(`/whoami`)"
+
+[http.services]
+  # Failover service with health check
+  [http.services.failover-service]
+    [http.services.failover-service.failover]
+      service = "main-service"
+      fallback = "fallback-service"
+      [http.services.failover-service.failover.healthCheck]
+
+  # Main service with health check enabled
+  [http.services.main-service]
+    [http.services.main-service.loadBalancer]
+      [http.services.main-service.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "1s"
+        timeout = "0.9s"
+      [[http.services.main-service.loadBalancer.servers]]
+        url = "http://{{ .MainServer }}:80"
+
+  # Fallback service with health check enabled
+  [http.services.fallback-service]
+    [http.services.fallback-service.loadBalancer]
+      [http.services.fallback-service.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "1s"
+        timeout = "0.9s"
+      [[http.services.fallback-service.loadBalancer.servers]]
+        url = "http://{{ .FallbackServer }}:80"
@@ -0,0 +1,47 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[api]
+  insecure = true
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    entrypoints = ["web"]
+    service = "failover-service"
+    rule = "PathPrefix(`/`)"
+
+[http.services]
+  # Failover service with error-based failover (status codes)
+  [http.services.failover-service]
+    [http.services.failover-service.failover]
+      service = "main-service"
+      fallback = "fallback-service"
+      [http.services.failover-service.failover.errors]
+        status = ["500-504"]
+        maxRequestBodyBytes = 1048576  # 1MB
+
+  # Main service (no health check - failover based on status codes only)
+  [http.services.main-service]
+    [http.services.main-service.loadBalancer]
+      [[http.services.main-service.loadBalancer.servers]]
+        url = "{{ .MainServer }}"
+
+  # Fallback service
+  [http.services.fallback-service]
+    [http.services.fallback-service.loadBalancer]
+      [[http.services.fallback-service.loadBalancer.servers]]
+        url = "{{ .FallbackServer }}"
@@ -49,6 +49,8 @@ spec:
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --entrypoints.web8080.address=:8080
+            - --entrypoints.tls8443.address=:8443
+            - --entrypoints.tls8883.address=:8883
            - --entrypoints.traefik.address=:9000
            - --providers.kubernetesgateway.experimentalChannel
            - --providers.kubernetesgateway.statusaddress.service.namespace=traefik
@@ -60,6 +62,10 @@ spec:
              containerPort: 443
            - name: web8080
              containerPort: 8080
+            - name: tls8443
+              containerPort: 8443
+            - name: tls8883
+              containerPort: 8883
            - name: traefik
              containerPort: 9000

@@ -83,6 +89,12 @@ spec:
    - port: 8080
      name: web8080
      targetPort: web8080
+    - port: 8443
+      name: tls8443
+      targetPort: tls8443
+    - port: 8883
+      name: tls8883
+      targetPort: tls8883
    - port: 9000
      name: traefik
      targetPort: traefik
@@ -0,0 +1,36 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.websecure]
+    address = ":4443"
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  # Wildcard router: routes any *.snitest.com subdomain to service1.
+  [http.routers.wildcard]
+    service = "service1"
+    rule = "Host(`*.snitest.com`)"
+    [http.routers.wildcard.tls]
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://127.0.0.1:9040"
+
+[[tls.certificates]]
+  certFile = "fixtures/https/wildcard.snitest.com.cert"
+  keyFile = "fixtures/https/wildcard.snitest.com.key"
@@ -0,0 +1,64 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.websecure]
+    address = ":4443"
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  # Wildcard router covering all *.snitest.com subdomains with TLS option "foo" (minTLS12).
+  [http.routers.wildcard]
+    service = "service1"
+    rule = "Host(`*.snitest.com`)"
+    [http.routers.wildcard.tls]
+      options = "foo"
+
+  # foo.snitest.com uses TLS option "bar" (minTLS13)
+  [http.routers.bar]
+    service = "service1"
+    rule = "Host(`foo.snitest.com`)"
+    [http.routers.bar.tls]
+      options = "bar"
+
+# minTLS11
+[http.routers.other]
+  service = "service1"
+  rule = "Host(`other.snitest.com`)"
+  [http.routers.other.tls]
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "{{ .BackendURL }}"
+
+[[tls.certificates]]
+  certFile = "fixtures/https/wildcard.snitest.com.cert"
+  keyFile = "fixtures/https/wildcard.snitest.com.key"
+
+[tls.options]
+  [tls.options.foo]
+    minVersion = "VersionTLS12"
+    maxVersion = "VersionTLS12"
+
+
+  [tls.options.bar]
+    minVersion = "VersionTLS13"
+    maxVersion = "VersionTLS13"
+
+  [tls.options.default]
+    minVersion = "VersionTLS11"
+    maxVersion = "VersionTLS11"
@@ -19,7 +19,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -205,7 +205,7 @@ metadata:
  name: configurations.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
    duck.knative.dev/podspecable: "true"
 spec:
@@ -1761,7 +1761,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -1838,7 +1838,7 @@ metadata:
  name: domainmappings.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: serving.knative.dev
@@ -2050,7 +2050,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -2438,7 +2438,7 @@ metadata:
  name: metrics.autoscaling.internal.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: autoscaling.internal.knative.dev
@@ -2582,7 +2582,7 @@ metadata:
  name: podautoscalers.autoscaling.internal.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: autoscaling.internal.knative.dev
@@ -2783,7 +2783,7 @@ metadata:
  name: revisions.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: serving.knative.dev
@@ -4353,7 +4353,7 @@ metadata:
  name: routes.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
    duck.knative.dev/addressable: "true"
 spec:
@@ -4624,7 +4624,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -4848,7 +4848,7 @@ metadata:
  name: services.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
    duck.knative.dev/addressable: "true"
    duck.knative.dev/podspecable: "true"
@@ -6551,7 +6551,7 @@ metadata:
  name: images.caching.internal.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: caching.internal.knative.dev
@@ -18,7 +18,7 @@ metadata:
  name: knative-serving
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"

 ---
 # Copyright 2023 The Knative Authors
@@ -42,7 +42,7 @@ metadata:
  namespace: knative-serving
  labels:
    serving.knative.dev/controller: "true"
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 rules:
  - apiGroups: [""]
@@ -59,7 +59,7 @@ metadata:
  name: knative-serving-activator-cluster
  labels:
    serving.knative.dev/controller: "true"
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 rules:
  - apiGroups: [""]
@@ -92,7 +92,7 @@ metadata:
  # (which should be identical, but isn't guaranteed to be installed alongside serving).
  name: knative-serving-aggregated-addressable-resolver
  labels:
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 aggregationRule:
  clusterRoleSelectors:
@@ -104,7 +104,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: knative-serving-addressable-resolver
  labels:
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
    # Labeled to facilitate aggregated cluster roles that act on Addressables.
    duck.knative.dev/addressable: "true"
@@ -143,7 +143,7 @@ metadata:
  name: knative-serving-namespaced-admin
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 rules:
  - apiGroups: ["serving.knative.dev"]
@@ -159,7 +159,7 @@ metadata:
  name: knative-serving-namespaced-edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 rules:
  - apiGroups: ["serving.knative.dev"]
@@ -175,7 +175,7 @@ metadata:
  name: knative-serving-namespaced-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 rules:
  - apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev", "caching.internal.knative.dev"]
@@ -203,7 +203,7 @@ metadata:
  name: knative-serving-core
  labels:
    serving.knative.dev/controller: "true"
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 rules:
  - apiGroups: [""]
@@ -267,7 +267,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: knative-serving-podspecable-binding
  labels:
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
    # Labeled to facilitate aggregated cluster roles that act on PodSpecables.
    duck.knative.dev/podspecable: "true"
@@ -306,7 +306,7 @@ metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -314,7 +314,7 @@ metadata:
  name: knative-serving-admin
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
@@ -327,7 +327,7 @@ metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 subjects:
  - kind: ServiceAccount
    name: controller
@@ -344,7 +344,7 @@ metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 subjects:
  - kind: ServiceAccount
    name: controller
@@ -362,7 +362,7 @@ metadata:
  labels:
    app.kubernetes.io/component: activator
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -372,7 +372,7 @@ metadata:
  labels:
    app.kubernetes.io/component: activator
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 subjects:
  - kind: ServiceAccount
    name: activator
@@ -389,7 +389,7 @@ metadata:
  labels:
    app.kubernetes.io/component: activator
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 subjects:
  - kind: ServiceAccount
    name: activator
@@ -420,7 +420,7 @@ metadata:
  name: images.caching.internal.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: caching.internal.knative.dev
@@ -596,7 +596,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -782,7 +782,7 @@ metadata:
  name: configurations.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
    duck.knative.dev/podspecable: "true"
 spec:
@@ -2338,7 +2338,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -2415,7 +2415,7 @@ metadata:
  name: domainmappings.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: serving.knative.dev
@@ -2627,7 +2627,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -3015,7 +3015,7 @@ metadata:
  name: metrics.autoscaling.internal.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: autoscaling.internal.knative.dev
@@ -3159,7 +3159,7 @@ metadata:
  name: podautoscalers.autoscaling.internal.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: autoscaling.internal.knative.dev
@@ -3360,7 +3360,7 @@ metadata:
  name: revisions.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: serving.knative.dev
@@ -4930,7 +4930,7 @@ metadata:
  name: routes.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
    duck.knative.dev/addressable: "true"
 spec:
@@ -5201,7 +5201,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
 spec:
  group: networking.internal.knative.dev
@@ -5425,7 +5425,7 @@ metadata:
  name: services.serving.knative.dev
  labels:
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    knative.dev/crd-install: "true"
    duck.knative.dev/addressable: "true"
    duck.knative.dev/podspecable: "true"
@@ -7130,11 +7130,11 @@ metadata:
  labels:
    app.kubernetes.io/component: queue-proxy
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 spec:
  # This is the Go import path for the binary that is containerized
  # and substituted here.
-  image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:1310917822086a5d8daa6328f6014001d5ea7ccfb0afc1a4e74b1b6a2eadc5ba
+  image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:b78cfa015872b12cf64f01fc21f29190c6f2fa69aadbb90162fa98e843781777

 ---
 # Copyright 2018 The Knative Authors
@@ -7159,7 +7159,7 @@ metadata:
  labels:
    app.kubernetes.io/component: autoscaler
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "47c2487f"
 data:
@@ -7370,7 +7370,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: controller
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    networking.knative.dev/certificate-provider: cert-manager
  annotations:
    knative.dev/example-checksum: "b7a9a602"
@@ -7440,7 +7440,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: controller
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "5b64ff5c"
 data:
@@ -7595,13 +7595,13 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: controller
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "720ddb97"
 data:
  # This is the Go import path for the binary that is containerized
  # and substituted here.
-  queue-sidecar-image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:1310917822086a5d8daa6328f6014001d5ea7ccfb0afc1a4e74b1b6a2eadc5ba
+  queue-sidecar-image: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:b78cfa015872b12cf64f01fc21f29190c6f2fa69aadbb90162fa98e843781777
  _example: |-
    ################################
    #                              #
@@ -7722,7 +7722,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: controller
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "26c09de5"
 data:
@@ -7787,9 +7787,9 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: controller
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
-    knative.dev/example-checksum: "0f9b4ade"
+    knative.dev/example-checksum: "9553535b"
 data:
  _example: |-
    ################################
@@ -7810,8 +7810,11 @@ data:
    # Default SecurityContext settings to secure-by-default values
    # if unset.
    #
-    # This value will default to "enabled" in a future release,
-    # probably Knative 1.10
+    # Disabled - do nothing; no security options are applied
+    # AllowRootBounded - Applies secure defaults without enforcing strict policies; sets seccompProfile
+    # to RuntimeDefault and drops all capabilities
+    # Enabled - Enforces security defaults; sets seccompProfile to RuntimeDefault, drops all capabilities,
+    # and sets runAsNonRoot to true if not already specified.
    secure-pod-defaults: "disabled"

    # Indicates whether multi container support is enabled
@@ -7941,15 +7944,6 @@ data:
    # For a list of possible capabilities, see https://man7.org/linux/man-pages/man7/capabilities.7.html
    kubernetes.containerspec-addcapabilities: "disabled"

-    # This feature validates PodSpecs from the validating webhook
-    # against the K8s API Server.
-    #
-    # When "enabled", the server will always run the extra validation.
-    # When "allowed", the server will not run the dry-run validation by default.
-    #   However, clients may enable the behavior on an individual Service by
-    #   attaching the following metadata annotation: "features.knative.dev/podspec-dryrun":"enabled".
-    # See: https://knative.dev/docs/serving/feature-flags/#kubernetes-dry-run
-    kubernetes.podspec-dryrun: "allowed"

    # Controls whether tag header based routing feature are enabled or not.
    # 1. Enabled: enabling tag header based routing
@@ -8048,7 +8042,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: controller
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "aa3813a8"
 data:
@@ -8148,7 +8142,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: controller
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "f4b71f57"
 data:
@@ -8208,7 +8202,7 @@ metadata:
  name: config-logging
  namespace: knative-serving
  labels:
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/component: logging
    app.kubernetes.io/name: knative-serving
  annotations:
@@ -8291,7 +8285,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: networking
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "0573e07d"
 data:
@@ -8496,9 +8490,9 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: observability
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
-    knative.dev/example-checksum: "6bc8b73d"
+    knative.dev/example-checksum: "f183bbc6"
 data:
  _example: |
    ################################
@@ -8606,9 +8600,8 @@ data:
    # The HTTP context root for profiling is then /debug/pprof/.
    runtime-profiling: enabled

-
-    # tracing-protocol field specifies the protocol used when exporting metrics
-    # It supports either 'none' (the default), 'prometheus', 'http/protobuf' (OTLP HTTP), 'grpc' (OTLP gRPC)
+    # tracing-protocol field specifies the protocol used when exporting traces
+    # It supports either 'none' (the default), 'http/protobuf' (OTLP HTTP), 'grpc' (OTLP gRPC)
    # or `stdout` for debugging purposes
    tracing-protocol: http/protobuf

@@ -8645,7 +8638,7 @@ metadata:
  labels:
    app.kubernetes.io/name: knative-serving
    app.kubernetes.io/component: tracing
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  annotations:
    knative.dev/example-checksum: "04c7e9a3"
 data:
@@ -8679,7 +8672,7 @@ metadata:
  labels:
    app.kubernetes.io/component: activator
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 spec:
  minReplicas: 1
  maxReplicas: 20
@@ -8707,7 +8700,7 @@ metadata:
  labels:
    app.kubernetes.io/component: activator
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 spec:
  minAvailable: 80%
  selector:
@@ -8736,7 +8729,7 @@ metadata:
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: activator
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 spec:
  selector:
@@ -8750,7 +8743,7 @@ spec:
        role: activator
        app.kubernetes.io/component: activator
        app.kubernetes.io/name: knative-serving
-        app.kubernetes.io/version: "1.19.0"
+        app.kubernetes.io/version: "1.20.0"
    spec:
      # To avoid node becoming SPOF, spread our replicas to different nodes.
      affinity:
@@ -8767,7 +8760,7 @@ spec:
        - name: activator
          # This is the Go import path for the binary that is containerized
          # and substituted here.
-          image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:3e81e0b0e2ead666c131a17b437b1759e59ec2b066db49c493e4663e42fa4452
+          image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:701507d9c480ff87dcfa4755ca7d3d6b727438cc78c21a32164750654aa08e67
          # The numbers are based on performance test results from
          # https://github.com/knative/serving/issues/1625#issuecomment-511930023
          resources:
@@ -8797,9 +8790,6 @@ spec:
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
-            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
-            - name: METRICS_DOMAIN
-              value: knative.dev/internal/serving
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
@@ -8846,7 +8836,7 @@ metadata:
  labels:
    app: activator
    app.kubernetes.io/component: activator
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 spec:
  selector:
@@ -8893,7 +8883,7 @@ metadata:
  labels:
    app.kubernetes.io/component: autoscaler
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 spec:
  replicas: 1
  selector:
@@ -8909,7 +8899,7 @@ spec:
        app: autoscaler
        app.kubernetes.io/component: autoscaler
        app.kubernetes.io/name: knative-serving
-        app.kubernetes.io/version: "1.19.0"
+        app.kubernetes.io/version: "1.20.0"
    spec:
      # To avoid node becoming SPOF, spread our replicas to different nodes.
      affinity:
@@ -8926,7 +8916,7 @@ spec:
        - name: autoscaler
          # This is the Go import path for the binary that is containerized
          # and substituted here.
-          image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:998a790f7f74caec6e7fc9084d7b85f25b6c011e753b26076c7db766587b3e08
+          image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:485c0a009cede9138a7ec1e5ab5a5ef22ff9ddbbc7f278571211f33c505ca596
          resources:
            requests:
              cpu: 100m
@@ -8951,9 +8941,6 @@ spec:
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
-            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
-            - name: METRICS_DOMAIN
-              value: knative.dev/serving
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
@@ -8985,7 +8972,7 @@ metadata:
    app: autoscaler
    app.kubernetes.io/component: autoscaler
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  name: autoscaler
  namespace: knative-serving
 spec:
@@ -9026,7 +9013,7 @@ metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 spec:
  selector:
    matchLabels:
@@ -9037,7 +9024,7 @@ spec:
        app: controller
        app.kubernetes.io/component: controller
        app.kubernetes.io/name: knative-serving
-        app.kubernetes.io/version: "1.19.0"
+        app.kubernetes.io/version: "1.20.0"
    spec:
      # To avoid node becoming SPOF, spread our replicas to different nodes.
      affinity:
@@ -9054,7 +9041,7 @@ spec:
        - name: controller
          # This is the Go import path for the binary that is containerized
          # and substituted here.
-          image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:d9f40097903d1d9f4108723d2e41dfc21039ff380671ab80723fc861d81b8071
+          image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:3718bf2e2f135ac70699db930145b22e52fb49bdd47a613b58cd0732853576da
          resources:
            requests:
              cpu: 100m
@@ -9075,9 +9062,6 @@ spec:
              value: config-logging
            - name: CONFIG_OBSERVABILITY_NAME
              value: config-observability
-            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
-            - name: METRICS_DOMAIN
-              value: knative.dev/internal/serving
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
@@ -9116,7 +9100,7 @@ metadata:
    app: controller
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
  name: controller
  namespace: knative-serving
 spec:
@@ -9154,7 +9138,7 @@ metadata:
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 spec:
  minReplicas: 1
  maxReplicas: 5
@@ -9180,7 +9164,7 @@ metadata:
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 spec:
  minAvailable: 80%
  selector:
@@ -9209,7 +9193,7 @@ metadata:
  namespace: knative-serving
  labels:
    app.kubernetes.io/component: webhook
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
 spec:
  selector:
@@ -9222,7 +9206,7 @@ spec:
        app: webhook
        role: webhook
        app.kubernetes.io/component: webhook
-        app.kubernetes.io/version: "1.19.0"
+        app.kubernetes.io/version: "1.20.0"
        app.kubernetes.io/name: knative-serving
    spec:
      # To avoid node becoming SPOF, spread our replicas to different nodes.
@@ -9240,7 +9224,7 @@ spec:
        - name: webhook
          # This is the Go import path for the binary that is containerized
          # and substituted here.
-          image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:deb7f4ff25b854c6a1f58c2435fe0799731eba974d50dd012b534b6daf8eebf3
+          image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:0d9c4d4971d9b67eaf5ce1359f6ff334145d32b3c0cb9e650ab9fab687396696
          resources:
            requests:
              cpu: 100m
@@ -9265,9 +9249,6 @@ spec:
              value: webhook
            - name: WEBHOOK_PORT
              value: "8443"
-            # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config
-            - name: METRICS_DOMAIN
-              value: knative.dev/internal/serving
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
@@ -9307,7 +9288,7 @@ metadata:
    app: webhook
    role: webhook
    app.kubernetes.io/component: webhook
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
    app.kubernetes.io/name: knative-serving
  name: webhook
  namespace: knative-serving
@@ -9349,7 +9330,7 @@ metadata:
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 webhooks:
  - admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
@@ -9391,7 +9372,7 @@ metadata:
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 webhooks:
  - admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
@@ -9448,7 +9429,7 @@ metadata:
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 webhooks:
  - admissionReviewVersions: ["v1", "v1beta1"]
    clientConfig:
@@ -9507,7 +9488,7 @@ metadata:
  labels:
    app.kubernetes.io/component: webhook
    app.kubernetes.io/name: knative-serving
-    app.kubernetes.io/version: "1.19.0"
+    app.kubernetes.io/version: "1.20.0"
 # The data is populated at install time.

 ---
@@ -0,0 +1,48 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[api]
+  insecure = true
+
+[providers]
+  precedence = {{ .Precedence }}
+
+  [providers.file]
+    filename = "{{ .SelfFilename }}"
+
+  [providers.docker]
+    endpoint = "{{ .DockerHost }}"
+    exposedByDefault = false
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.file-router]
+    rule = "PathPrefix(`/http`)"
+    service = "file-service"
+    entryPoints = ["web"]
+
+[http.services]
+  [http.services.file-service.loadBalancer]
+    [[http.services.file-service.loadBalancer.servers]]
+      url = "http://{{ .FileBackendAddress }}"
+
+[tcp.routers]
+  [tcp.routers.file-router]
+    rule = "HostSNI(`*`)"
+    service = "file-service"
+    entryPoints = ["web"]
+
+[tcp.services]
+  [tcp.services.file-service.loadBalancer]
+    [[tcp.services.file-service.loadBalancer.servers]]
+      address = "{{ .FileBackendAddress }}"
@@ -0,0 +1,35 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[api]
+  insecure = true
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    rule = "Path(`/whoami`)"
+
+[http.middlewares]
+  [http.middlewares.add-header.headers.customRequestHeaders]
+    X-Custom-Header = "service-middleware-test"
+
+[http.services]
+  [http.services.service1]
+    middlewares = ["add-header"]
+    [http.services.service1.loadBalancer]
+      [[http.services.service1.loadBalancer.servers]]
+        url = "{{ .Server }}"
@@ -0,0 +1,65 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.tcp]
+    address = ":8093"
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[tcp]
+  [tcp.routers]
+    # Wildcard router covering *.snitest.com with TLS option "foo" (minTLS12).
+    [tcp.routers.wildcard]
+      rule = "HostSNI(`*.snitest.com`)"
+      service = "backend"
+      entryPoints = ["tcp"]
+      [tcp.routers.wildcard.tls]
+        options = "foo"
+
+    # Override: bar.snitest.com uses TLS option "bar" (minTLS13), stricter than the wildcard.
+    [tcp.routers.bar]
+      rule = "HostSNI(`bar.snitest.com`)"
+      service = "backend"
+      entryPoints = ["tcp"]
+      [tcp.routers.bar.tls]
+        options = "bar"
+
+    [tcp.routers.default]
+      rule = "HostSNI(`other.snitest.com`)"
+      service = "backend"
+      entryPoints = ["tcp"]
+      [tcp.routers.default.tls]
+
+  [tcp.services]
+    [tcp.services.backend.loadBalancer]
+      [[tcp.services.backend.loadBalancer.servers]]
+        address = "{{ .Backend }}"
+
+[[tls.certificates]]
+  certFile = "fixtures/https/wildcard.snitest.com.cert"
+  keyFile = "fixtures/https/wildcard.snitest.com.key"
+
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS11"
+    maxVersion = "VersionTLS11"
+
+  [tls.options.foo]
+    minVersion = "VersionTLS12"
+    maxVersion = "VersionTLS12"
+
+  [tls.options.bar]
+    minVersion = "VersionTLS13"
+    maxVersion = "VersionTLS13"
@@ -0,0 +1,12 @@
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+    [entryPoints.web.forwardedHeaders]
+      insecure = true
+      notAppendXForwardedFor = true
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .DynamicConfPath }}"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jenthe Noordsij	ec80d1145c	Increase timeout for Docker image sync job to 30 minutes	2026-06-12 17:12:06 +02:00
qwerty8811	2391520b50	Add optional X-Forwarded-Scheme and X-Scheme headers in forwarded headers middleware	2026-06-12 11:16:07 +02:00
qwerty8811	6cc3dd8d40	Add reportNodeInternalIPs option to report node internal IPs in Ingress status	2026-06-12 10:26:07 +02:00
Anatole Lucet	bcf768ee09	Update Gateway API statuses once routing config is built Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-06-11 10:10:07 +02:00
kevinpollet	51b9a37615	Merge branch v3.7 into master	2026-06-10 17:05:29 +02:00
Kevin Pollet	26c96a3935	Prepare release v3.7.5	2026-06-10 16:46:07 +02:00
kevinpollet	cb9e8ab510	Merge branch v3.6 into v3.7	2026-06-10 16:16:05 +02:00
Kevin Pollet	e043982244	Support BackendTLSPolicy for TLSRoute	2026-06-10 12:10:05 +02:00
Learloj	d5ad3eb63b	Pass endpointslice fencing on ingress-nginx provider	2026-06-09 16:28:05 +02:00
KirylJazzSax	dc4b6fe2c6	Support Backend TLS policy for gRPC backends	2026-06-09 16:22:05 +02:00
Gina A.	15ecff2bbd	Skip ingress when auth-secret resolution fails	2026-06-08 14:08:05 +02:00
kevinpollet	8773d7ead4	Merge branch v3.7 into master	2026-06-05 16:01:41 +02:00
Romain	74b6408475	Prepare release v3.7.4	2026-06-05 15:56:04 +02:00
kevinpollet	708aa38f36	Merge branch v3.6 into v3.7	2026-06-05 15:26:12 +02:00
Romain	5ea71f1c3a	Prepare release v3.7.3	2026-06-04 15:14:05 +02:00
romain	48ba249ba7	Merge branch v3.6 into v3.7	2026-06-04 14:06:26 +02:00
Romain	e38281d8ad	Prepare release v3.7.2	2026-06-03 15:34:05 +02:00
romain	4aa82efc76	Merge branch v3.6 into v3.7	2026-06-03 14:53:03 +02:00
Gina A.	a669522eca	Clear Ssl-Client-* headers when no client certificate is present	2026-06-02 10:40:06 +02:00
filip2mac	9a276c3aeb	Add nginx.ingress.kubernetes.io/enable-global-auth to the list of supported annotations	2026-06-01 09:56:05 +02:00
Kevin Pollet	83b36871c3	Add ingressClassName to Kubernetes CRD provider migration guide	2026-05-28 17:10:15 +02:00
romain	29406d4289	Merge current branch v3.7 into master	2026-05-27 14:51:50 +02:00
romain	6e0198ca1e	Merge current branch v3.6 into v3.7	2026-05-27 14:20:33 +02:00
Cristian Baldi	743a63369c	Trim quotes from proxy_set_header header name	2026-05-22 10:06:05 +02:00
Ali Amer	d58fd9ac89	Fix TCP router service resolution in dashboard flow diagram	2026-05-22 09:40:06 +02:00
faukah	eec68dce06	flake.nix: cleanup, refactor	2026-05-20 15:44:06 +02:00
Michel Loiseleur	f3c6d14caa	Document new chart behavior on Gateway API	2026-05-18 15:32:07 +02:00
Kevin Pollet	fa49e2bcad	Prepare release v3.7.1	2026-05-11 15:10:05 +02:00
kevinpollet	e116b8b859	Merge branch v3.6 into v3.7	2026-05-11 14:46:31 +02:00
kevinpollet	1337363cf6	Merge branch v3.6 into v3.7	2026-05-11 12:01:00 +02:00
Romain	ff824c2333	Rework contributor references in the v3.7.0 changelog	2026-05-06 09:48:05 +02:00
Romain	04aa6bb4f9	Prepare release v3.7.0	2026-05-05 17:32:05 +02:00
kevinpollet	2861d0efe1	Merge branch v3.6 into v3.7	2026-05-05 16:20:16 +02:00
Julien Salleyron	961c383a88	Fix regressions after refacto of the ingress-nginx provider	2026-05-05 09:24:05 +02:00
Nicolas Mengin	ead1c84fae	Service-level Middleware Documentation	2026-05-04 14:10:05 +02:00
Sheddy	edd7d2eb33	Service-level Middleware Documentation	2026-05-04 13:56:05 +02:00
Mathieu Herbert	3854630763	Add ipAllowListStrategy option for allowlist/whitelist annotations	2026-04-30 17:16:11 +02:00
mmatur	f7c0fdea57	Merge branch v3.7 into master	2026-04-30 16:47:39 +02:00
Kevin Pollet	47851c212f	Prepare release v3.7.0-rc.3	2026-04-29 16:44:05 +02:00
Kangmin Kim	2433b18fef	Add limit-connections support	2026-04-29 16:22:06 +02:00
Julien Salleyron	c1d3c08390	Use a metamodel to generate dynamic configuration in ingress-nginx Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-04-29 16:02:06 +02:00
mmatur	de40e88d31	Merge branch v3.6 into v3.7	2026-04-29 15:25:50 +02:00
Gina A.	53b9a314b8	Add test for ingress with default backend and other annotations for ingress-nginx provider	2026-04-29 15:00:07 +02:00
Michael	23513cff14	Add regression test for ingress default backend without rules	2026-04-29 10:28:06 +02:00
Nicolas Mengin	08ecb17a36	Delete the coming soon section from the ingress-nginx documentation	2026-04-24 16:06:11 +02:00
Sheddy	9560f0d815	Add ingress-nginx ConfigMap migration step	2026-04-24 12:02:06 +02:00
kevinpollet	590429d821	Merge branch v3.6 into v3.7	2026-04-24 11:36:19 +02:00
Gina A.	7ccaa0b420	Fix SSL redirect behavior for ingress-nginx provider	2026-04-23 09:48:05 +02:00
mmatur	9893e89628	Merge branch v3.7 into master	2026-04-22 14:40:14 +02:00
Michael	a47e15f129	Prepare release v3.7.0-rc.2	2026-04-22 11:56:05 +02:00
mmatur	da808bda43	Merge branch v3.6 into v3.7	2026-04-22 11:27:30 +02:00
Gina A.	42e69bcd67	Handle duplicate server-alias on ingress-nginx provider	2026-04-22 10:42:05 +02:00
Sai Asish Y	a6141798f2	Preserve request query on absolute-URL redirect	2026-04-22 10:24:05 +02:00
Kevin Pollet	6161e3040c	Document the rd parameter behavior for the auth-signin annotation	2026-04-21 16:26:08 +02:00
LBF38	332f5a929f	Fix rewrite target with full URL and no regex in ingress path	2026-04-20 16:42:06 +02:00
LBF38	4262cb5466	Fix service unavailable on ingress-nginx	2026-04-17 15:40:05 +02:00
Michael	211ec53661	Restore default cipher suites when serversTransport has no explicit cipherSuites	2026-04-17 10:40:06 +02:00
Michael	eb22d72b48	Resolve NGINX variables in ingress-nginx upstream-vhost annotation	2026-04-16 12:14:10 +02:00
Gina A.	7cacf027a1	Avoid 302 redirect when rewrite-target value is not an absolute URL for ingress-nginx provider	2026-04-16 11:54:07 +02:00
LBF38	036114bf17	Fix custom headers annotation with 503 Service Unavailable	2026-04-16 11:34:05 +02:00
LBF38	4b678ce9fd	Fix app-root with query params redirect	2026-04-16 10:40:10 +02:00
Kevin Pollet	2b9ffc4261	Use QuoteMeta for cookie name when building canary rules	2026-04-14 09:48:05 +02:00
romain	786f7192e1	Merge branch v3.7 into master	2026-04-09 11:46:50 +02:00
Gina A.	7c5b3e8853	Bump lodash version	2026-04-09 11:46:08 +02:00
Romain	1db00b974b	Prepare release v3.7.0-rc.1	2026-04-07 16:38:05 +02:00
romain	5ab893f01d	Merge current branch v3.6 into v3.7	2026-04-07 12:12:01 +02:00
LBF38	081818f537	Fix rewrite-target annotation handling of empty path and non-regex path	2026-04-07 12:00:09 +02:00
Romain	64495e424c	Add Kubernetes Ingress logs fields Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-04-07 11:23:10 +02:00
Morten Victor Nordbye	d31ce5df13	Support multiple certificateRefs in Gateway API listeners	2026-04-07 10:46:07 +02:00
holomekc	8b17fc1667	Add certificates menu and overview	2026-04-07 10:10:05 +02:00
isayme	e24a61c14c	Update gateway-api link in getting-started to v1.5.1	2026-04-03 15:34:04 +02:00
Kevin Pollet	0cbb4a99bb	Add secret support for BackendTLSPolicy caCertificateRefs Co-authored-by: Steven Goodstein <sgoodstein@medallia.com>	2026-04-03 09:00:08 +02:00
Omar	f964291f02	Support nginx.ingress.kubernetes.io/enable-access-log	2026-04-02 11:50:07 +02:00
Julien Salleyron	9d9f0d465d	Add providers routing precedence configuration Co-authored-by: Mathis Urien <contact.lbf38@gmail.com>	2026-04-02 09:08:05 +02:00
Kangmin Kim	ea7f300c85	feat(provider/k8s/ingress-nginx): add limit-burst-multiplier annotation support	2026-03-31 17:24:07 +02:00
Julien Salleyron	ea92a3e150	Add wildcard host in Host and HostSNI matchers	2026-03-31 16:14:06 +02:00
Murat Aslan	9a8ff969ac	Display server weight in service detail view	2026-03-30 16:58:22 +02:00
Alexander Babenko	f15b836c86	Support NGINX global auth annotation	2026-03-27 14:42:06 +01:00
kevinpollet	174e5d8111	Merge branch v3.7 into master	2026-03-26 14:05:54 +01:00
Kevin Pollet	9990cfc613	Prepare release v3.7.0-ea.3	2026-03-26 11:56:04 +01:00
kevinpollet	b4aa35e0fb	Merge branch v3.6 into v3.7	2026-03-26 11:19:51 +01:00
LBF38	30b442a363	Fix TLS behavior in ingress-nginx provider Co-authored-by: Gina A. <70909035+gndz07@users.noreply.github.com>	2026-03-26 09:38:05 +01:00
Mathieu Parent	28fc23d656	Handle empty rewrite-target like unset rewrite-target	2026-03-25 09:18:07 +01:00
Gina A.	6a61ff5965	Fix rewrite-target to handle full URL	2026-03-24 17:50:06 +01:00
Gina A.	14c489b77c	Fix rewrite directive in configuration-snippet to trim quotes	2026-03-24 17:34:05 +01:00
Julien Salleyron	2ab0514034	Fix panic with Failover services in Kubernetes	2026-03-20 15:02:04 +01:00
Romain	d7de8ee4f3	Prepare release v3.7.0-ea.2	2026-03-19 16:10:04 +01:00
LBF38	444e096d3c	Change default maxRequestBodyBytes option value of retry middleware	2026-03-19 15:52:06 +01:00
Harold Ozouf	6c7c056b28	Preserve health check status updater when service has middlewares	2026-03-19 14:16:07 +01:00
kevinpollet	86db5c2777	Merge branch v3.6 into v3.7	2026-03-19 11:29:37 +01:00
Julien Salleyron	a06eca2b99	Add support for auth-snippet Co-authored-by: Mathis Urien <contact.lbf38@gmail.com>	2026-03-18 09:06:05 +01:00
Michael	4fe0bea069	Bump sigs.k8s.io/gateway-api to v1.5.1	2026-03-17 17:10:12 +01:00
romain	d1a6841275	Merge branch v3.6 into v3.7	2026-03-16 16:44:07 +01:00
idurgakalyan	f66b616aeb	Support knative v1.20.0	2026-03-16 14:12:06 +01:00
Gina A.	c16988ebf3	Fix use-regex annotation behavior and add strictValidatePathType config for ingress-nginx provider	2026-03-16 11:38:06 +01:00
Michael	67c64ed9b2	Prepare release v3.7.0-ea.1	2026-03-12 07:26:04 -03:00
Julien Salleyron	b9739c20f9	Add an extension point for mod-sec annotations	2026-03-11 05:58:10 -03:00
mmatur	1122842ca3	Merge branch v3.6 into master	2026-03-09 17:20:35 +01:00
Gina A.	2033a2e8b6	Fix missing type definition	2026-03-09 13:20:04 -03:00
Harold Ozouf	d82bcf3c74	Service failover support in TraefikService CRD	2026-03-09 12:54:05 -03:00
Adam Jacques	b8132e00ad	Allow entry points to be specified on Nginx Ingresses	2026-03-09 07:52:10 -03:00
Nándor Kollár	ee07a31ae3	Nginx x-forwarded-prefix annotation	2026-03-06 13:16:04 -03:00
mmatur	efcc60fbdb	Merge branch v3.6 into master	2026-03-06 16:13:25 +01:00
Pierre Porée	469ee709d1	Support limit-rpm annotation for ingress-nginx	2026-03-06 11:42:04 -03:00
Kangmin Kim	f3413f840a	Support limit-rps annotation for Ingress NGINX	2026-03-05 12:58:05 -03:00
Kevin Pollet	b29c804c25	Support NGINX canary annotations Co-authored-by: Mathis Urien <contact.lbf38@gmail.com>	2026-03-05 11:54:04 -03:00
LBF38	b643cd1508	Add support for upstream-hash-by NGINX annotation	2026-03-04 11:10:05 -03:00
Julien Salleyron	d680fef7f1	Implement server-snippet and configuration-snippet annotations Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-03-04 06:24:05 -03:00
Jakub Siekiera	6163601db0	Support upstream-keepalive-timeout	2026-03-03 12:22:05 -03:00
Name	cd0763170a	refactor: use unicode.MaxASCII for clearer ASCII check	2026-03-03 05:22:05 -03:00
Kshitij Bharde	27095a3365	Implement proxy-http-version annotation	2026-03-02 12:26:05 -03:00
Kangmin Kim	2329de1f62	Support server-alias annotation for Ingress NGINX	2026-03-02 11:48:05 -03:00
Michael	3872ea8d18	Fix custom error pages behavior for ingress-nginx provider	2026-03-02 10:12:05 -03:00
Romain	f5efe1e69b	Add AllowCrossNamespaceResources and GlobalAllowedResponseHeader options to control custom headers annotations	2026-02-26 12:16:04 +01:00
Michael	fc65ec8839	Fix from to www nginx annotation	2026-02-26 09:56:04 +01:00
Michael	1ee0c8b4f0	Fix nginx rewrite target	2026-02-25 17:26:05 +01:00
Gina A.	24ac779a5c	Support proxy-next-upstream* annotations	2026-02-25 14:34:05 +01:00
Julien Salleyron	0aedf85236	Add custom-http-errors and default-backend annotations	2026-02-25 12:06:05 +01:00
LBF38	b9525e53a8	Add support for proxy-read-timeout and proxy-send-timeout NGINX annotations Co-authored-by: Romain Tribotte <rtribotte@users.noreply.github.com>	2026-02-24 14:38:05 +01:00
Gina A.	0664dadfbd	Support auth-tls-pass-certificate-to-upstream annotation	2026-02-24 11:34:05 +01:00
mmatur	ff1a6786cd	Merge branch v3.6 into master	2026-02-23 19:24:54 +01:00
David	3d8373b944	Make TlsStore gracefully handle missing secrets	2026-02-20 16:10:05 +01:00
LBF38	827f5ca8c7	Enable retries based on HTTP response status codes, timeout, and non-idempotent methods Co-authored-by: Romain Tribotte <rtribotte@users.noreply.github.com>	2026-02-20 11:04:05 +01:00
blasko03	cdd28169d3	Support NGINX buffering annotations	2026-02-17 12:30:07 +01:00
Omar	3d3aff10eb	Support nginx.ingress.kubernetes.io/allowlist-source-range	2026-02-17 11:46:06 +01:00
LBF38	4c9c70b7f5	Add support for variable interpolation in auth-signin NGINX annotation	2026-02-13 16:36:05 +01:00
kevinpollet	f0da74e641	Merge branch v3.6 into master	2026-02-13 16:04:04 +01:00
mmatur	4a4be524bb	Merge v3.6 into master	2026-02-10 09:07:34 +01:00
Landry Benguigui	34ae66b9ab	Failover according to response status code Co-authored-by: juliens <julien.salleyron@gmail.com>	2026-02-09 14:10:06 +01:00
Harold Ozouf	a4a91344ed	Add routing configuration extension points	2026-01-29 17:38:06 +01:00
Julien Salleyron	8425e09806	Services middleware and Gateway API filters on HTTP backends	2026-01-29 17:16:04 +01:00
LBF38	5969d1680d	Add support for from-to-www-redirect NGINX annotation	2026-01-29 16:08:05 +01:00
kevinpollet	b19e4a435b	Merge branch v3.6 into master	2026-01-29 15:08:34 +01:00
Gina A.	1bc9569399	Support auth-tls-secret and auth-tls-verify-client annotations	2026-01-29 11:10:04 +01:00
Burhan Del Rey	54fca86901	Enhance the option metrics.influxdb2.token	2026-01-28 15:10:06 +01:00
Gina A.	dd8045ad4e	Add nginx.ingress.kubernetes.io/proxy-connect-timeout annotation	2026-01-28 14:54:04 +01:00
Simon Delicata	f4f129a279	Add configuration transformer mechanism to the ConfigurationWatcher	2026-01-28 11:44:05 +01:00
DesalLama	2c47d71666	Add support for auth-signin annotation	2026-01-27 16:00:05 +01:00
mmatur	50faaf298a	Merge v3.6 into master	2026-01-27 15:00:25 +01:00
mmatur	731d8c0ba7	Merge v3.6 into master	2026-01-26 17:52:19 +01:00
LBF38	a9c5a3828b	Add support for app-root nginx annotation	2026-01-26 17:44:04 +01:00
kyounghoonJang	27912e3849	Add authSignInURL in forward auth middleware	2026-01-26 10:12:05 +01:00
Gina A.	94eba471f1	Add encodedCharacters middleware	2026-01-21 10:24:12 +01:00
LBF38	954eaab5f7	Support permanent-redirect and temporal-redirect annotations	2026-01-20 16:48:06 +01:00
LBF38	82c756006b	Add support for session-cookie-expires nginx annotation	2026-01-20 15:26:05 +01:00
mmatur	08b1336af0	Merge current v3.6 into master	2026-01-16 11:43:56 +01:00
Kevin Pollet	77af7e4dea	Add configmaps right to Ingress NGINX RBAC	2026-01-15 18:58:07 +01:00
boqishan	97158ac770	Replace Split in loops with more efficient SplitSeq	2026-01-14 17:40:07 +01:00
Krypton	a6516d36eb	Add ingressClassName field to the CRDs spec	2026-01-14 15:30:05 +01:00
Juri Duval	5492079915	Add a new option to allow Stdio access logs alongsige OTLP logging	2026-01-13 16:36:05 +01:00
Ọlámilékan	5d3706468d	Fix health check ping	2026-01-13 11:58:05 +01:00
LBF38	dc6d54532d	Add rewrite-target nginx annotations support Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>	2026-01-13 11:18:04 +01:00
Dave	93f7cb1082	Added CertificateTimeout ACME configuration option.	2026-01-12 16:58:05 +01:00
mmatur	df50421b53	Merge current v3.6 into master	2026-01-09 20:45:30 +01:00
NEwa	12d792cdef	Add the option to define custom cipher suites for backend serversTransport	2026-01-08 18:22:04 +01:00
mmatur	f7280439e6	Merge current v3.6' into master	2026-01-02 10:35:20 +01:00
mmatur	0e360966a0	Merge current v3.6 into master	2025-12-29 16:43:41 +01:00
Gina A.	6af404b9da	Add dashboard name configuration	2025-12-23 15:58:04 +01:00
kevinpollet	50c254a522	Merge branch v3.6 into master	2025-12-23 14:45:38 +01:00
luo jiyin	a16c2326b3	Optimize GitHub Actions workflows	2025-12-22 15:30:05 +01:00
Nándor Kollár	b4abd8dc2c	Support NGINX custom-headers annotation	2025-12-22 10:44:08 +01:00
blasko03	f71b941995	Support NGINX whitelist-source-range annotation	2025-12-22 09:52:04 +01:00
Landry Benguigui	78e2dab155	feat: add global option to disable X-Forwarded-For appending	2025-12-19 11:18:04 +01:00
Nándor Kollár	704f69272c	Support Nginx upstream-vhost annotation	2025-12-17 16:42:04 +01:00
Gina A.	4854dee208	Details pages UI improvement	2025-12-16 16:30:05 +01:00
mmatur	34b91218f4	Merge v3.6 into master	2025-12-01 16:28:00 +01:00
Gina A.	8bdcd72042	Web UI dashboard improvements	2025-11-21 09:00:05 +01:00
kevinpollet	2ad42cd0ec	Merge branch v3.6 into master	2025-11-07 16:47:21 +01:00