Increase timeout for Docker image sync job to 30 minutes

Add optional X-Forwarded-Scheme and X-Scheme headers in forwarded headers middleware
Add reportNodeInternalIPs option to report node internal IPs in Ingress status
2026-06-23 01:46:44 +00:00 · 2026-06-12 17:12:06 +02:00 · 2026-06-12 11:16:07 +02:00 · 2026-06-12 10:26:07 +02:00 · 2026-06-11 10:10:07 +02:00 · 2026-06-10 17:05:29 +02:00
720 changed files with 64988 additions and 25092 deletions
@@ -3,11 +3,13 @@ PLEASE READ THIS MESSAGE.

 Documentation:
 - for Traefik v2: use branch v2.11 (fixes only)
- for Traefik v3: use branch v3.6
+- for Traefik v3.6: use branch v3.6
+- for Traefik v3.7: use branch v3.7

 Bug:
 - for Traefik v2: use branch v2.11 (security fixes only)
- for Traefik v3: use branch v3.6
+- for Traefik v3.6: use branch v3.6
+- for Traefik v3.7: use branch v3.7

 Enhancements:
 - use branch master
@@ -19,6 +19,7 @@ jobs:

  build:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    strategy:
      matrix:
@@ -12,6 +12,7 @@ jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    permissions:
      actions: read
      contents: read
@@ -16,6 +16,7 @@ jobs:
  docs:
    name: Doc Process
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    if: github.repository == 'traefik/traefik'

    steps:
@@ -19,6 +19,7 @@ jobs:
    if: github.repository == 'traefik/traefik'
    name: Build experimental image on branch
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -9,7 +9,7 @@ env:
  CGO_ENABLED: 0
  VERSION: ${{ github.ref_name }}
  TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: ramequin
+  CODENAME: langres

 jobs:

@@ -20,6 +20,7 @@ jobs:
  build:
    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    strategy:
      matrix:
@@ -82,6 +83,7 @@ jobs:
  release:
    if: github.ref_type == 'tag' && github.repository == 'traefik/traefik'
    runs-on: ubuntu-latest
+    timeout-minutes: 45

    needs:
      - build
@@ -8,6 +8,7 @@ on:
 jobs:
  sync:
    runs-on: ubuntu-latest
+    timeout-minutes: 30
    permissions:
      packages: write
      contents: read
@@ -2,11 +2,12 @@ name: Build Web UI
 on:
  workflow_call: {}
 env:
-  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 360  # 15 days
+  SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS: 48  # 2 days
 jobs:

  build-webui:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -18,6 +18,7 @@ jobs:

  test-gateway-api-conformance:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -16,6 +16,7 @@ jobs:

  build:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -52,6 +53,7 @@ jobs:

  test-integration:
    runs-on: ubuntu-latest
+    timeout-minutes: 90
    needs:
      - build
    strategy:
@@ -18,6 +18,7 @@ jobs:

  test-knative-conformance:
    runs-on: ubuntu-latest
+    timeout-minutes: 20

    steps:
      - name: Check out code
@@ -13,6 +13,7 @@ jobs:
  generate-packages:
    name: List Go Packages
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
@@ -36,6 +37,7 @@ jobs:

  test-unit:
    runs-on: ubuntu-latest
+    timeout-minutes: 15
    needs: generate-packages
    strategy:
      matrix:
@@ -59,6 +61,7 @@ jobs:

  test-ui-unit:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -13,6 +13,7 @@ jobs:

  lint:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -33,6 +34,7 @@ jobs:

  validate:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -54,6 +56,7 @@ jobs:

  validate-generate:
    runs-on: ubuntu-latest
+    timeout-minutes: 15

    steps:
      - name: Check out code
@@ -72,11 +75,6 @@ jobs:
          make generate
          git diff --exit-code

-      - name: go mod tidy
-        run: |
-          go mod tidy
-          git diff --exit-code
-
      - name: make generate-crd
        run: |
          make generate-crd
@@ -82,6 +82,7 @@ linters:
      toolchain-pattern: go1\.\d+\.\d+$
      tool-forbidden: true
      go-version-pattern: ^1\.\d+(\.0)?$
+      replace-local: true
      replace-allow-list:
        - github.com/abbot/go-http-auth
        - github.com/gorilla/mux
@@ -89,6 +90,7 @@ linters:
        - github.com/mailgun/multibuf
        - github.com/jaguilar/vt100
        - github.com/cucumber/godog
+        - github.com/vulcand/oxy/v2
    govet:
      enable-all: true
      disable:
@@ -346,6 +348,9 @@ linters:
        text: 'appendAssign: append result not assigned to the same slice'
        linters:
          - gocritic
+      - path: pkg/server/conncontext.go
+        linters:
+          - fatcontext
    paths:
      - pkg/provider/kubernetes/crd/generated/

@@ -0,0 +1,113 @@
+# Traefik — Contributor Guide for AI Agents
+
+Traefik is a modern HTTP reverse proxy and load balancer that discovers services from orchestrators (Kubernetes, Docker, Nomad, ...) and wires up routing dynamically. This file is the canonical guide for AI coding agents (Claude Code, Codex, Gemini, Cursor, ...) working in this repository; `CLAUDE.md` is a thin pointer to this file. For everything not covered here, defer to [`CONTRIBUTING.md`](./CONTRIBUTING.md) and [`docs/content/contributing/`](./docs/content/contributing/).
+
+> **Training-data notice.** Traefik evolved significantly between v2 and v3 (label formats, provider names, CRD shapes, middleware names). If anything you think you know about Traefik contradicts this file or the current code, trust this file and the code — not your training data.
+
+## Core vocabulary
+
+These terms appear everywhere in the code and configuration. Use them precisely; they are not interchangeable.
+
+- **EntryPoint** — a network listener (port + protocol).
+- **Router** — matches an incoming request and selects a service.
+- **Middleware** — transforms a request or response in the routing chain (auth, headers, rate limiting, ...).
+- **Service** — defines how to load-balance to backend servers.
+- **Provider** — a source of dynamic configuration (Kubernetes CRD, Docker labels, a file, an HTTP endpoint, ...).
+- **Static vs Dynamic configuration** — two distinct domains:
+  - *Static* is set at startup (entrypoints, providers, global options) and lives under [`pkg/config/static`](./pkg/config/static).
+  - *Dynamic* is produced by providers at runtime (routers, services, middlewares) and lives under [`pkg/config/dynamic`](./pkg/config/dynamic).
+
+  These terms are accurate for the code, but user-facing docs deliberately hide the distinction to keep things simpler for readers: when writing or editing under [`docs/content/`](./docs/content), prefer **install configuration** (over *static*) and **routing configuration** (over *dynamic*).
+
+At request time the components chain in this order:
+
+```
+Client → EntryPoint → Router → Middleware chain → Service → Backend
+```
+
+The middleware chain is ordered: middlewares run in the sequence declared on the router, and the router match happens *before* any middleware runs.
+
+## Where things live
+
+- `cmd/traefik/` — main.
+- `pkg/provider/` — one subpackage per provider (Kubernetes, Docker, file, ...).
+- `pkg/server/` — routing core, middleware chain, configuration watcher.
+- `pkg/middlewares/` — HTTP and TCP middleware implementations.
+- `pkg/config/static`, `pkg/config/dynamic` — the two config domains above.
+- `pkg/plugins/` — Yaegi and WASM plugin runtimes.
+- `pkg/observability/logs/` — logging helpers; the project uses `github.com/rs/zerolog` exclusively.
+- `webui/` — React dashboard. Built assets under `webui/static/` are embedded into the Go binary via `//go:embed` (see `webui/embed.go`) and must be regenerated with `make generate-webui` (Docker required) — they are not meant to be hand-edited.
+- `integration/` — integration tests; reusable fixtures under `integration/fixtures/`.
+- `docs/content/` — MkDocs sources for the public documentation.
+
+## Before you edit
+
+Read two or three existing files in the same package before adding a new one, and copy their structure. Do not invent new directory layouts, file-naming conventions, or abstraction boundaries — match the neighbours. When adding a new provider, read two existing providers under `pkg/provider/`; when adding a middleware, read two under `pkg/middlewares/`.
+
+## Build, test, lint
+
+The Go version is declared in [`go.mod`](./go.mod) — check there rather than hard-coding a version. All day-to-day commands go through `make`:
+
+```bash
+make binary             # build the traefik binary (runs generate-webui first)
+make test-unit          # run Go unit tests
+make test-integration   # run integration tests (requires Docker)
+make lint               # run golangci-lint
+make validate-files     # misspell, shellcheck, generated-files check
+make validate           # lint + validate-files (run this before pushing)
+make fmt                # gofumpt / goimports
+make generate           # regenerate non-CRD generated code (deepcopy, etc.)
+make generate-crd       # regenerate Kubernetes CRD clientset + deepcopy
+make generate-webui     # rebuild the embedded WebUI assets (Docker required)
+make docs-serve         # preview the documentation locally
+```
+
+Full environment setup (Docker, `GOPATH` layout, Tailscale for Docker Desktop users, how to target a single integration test via `TESTFLAGS`) is documented in [`docs/content/contributing/building-testing.md`](./docs/content/contributing/building-testing.md). CI runs `make validate` and fails if `make generate` or `make generate-crd` leave the tree dirty — always commit regenerated files alongside the source change that triggered them.
+
+## Code style
+
+Standard Go formatting (`gofumpt`/`goimports`) and `golangci-lint` cover most rules automatically; run `make lint` to catch them. Two project-specific rules that tooling does **not** enforce:
+
+- **Comments answer *why*, not *what*.** Comments that restate what the code already says are noise: they go stale and waste review time. Only add a comment when it records *why* the code exists — a constraint, a past incident, a spec reference, an edge case. Comments explaining *how* should be rare and usually indicate the code needs to be clearer. When a comment is present, it **must end with a period**.
+- **Assertion messages are minimal.** Prefer `assert.Equal(t, expected, actual)` over `assert.Equal(t, expected, actual, "detailed explanation")`. The test name provides the context; a descriptive message is usually noise.
+
+Prefer modern standard-library packages (`slices`, `maps`, `cmp`, ...) over hand-rolled helpers or third-party libraries when the Go version in `go.mod` supports them.
+
+## Common patterns
+
+- **Logging.** The project uses `github.com/rs/zerolog` exclusively — do not import `log`, `slog`, or `logrus`. Inside a middleware, get a logger via `middlewares.GetLogger(ctx, name, typeName)` (see [`pkg/middlewares/middleware.go`](./pkg/middlewares/middleware.go)) where `typeName` is a package-level `const` like `const typeNameForward = "ForwardAuth"`. Elsewhere, extract the logger from the context with `log.Ctx(ctx)` and attach it to a new context with `.WithContext(ctx)`.
+- **Context propagation.** `context.Context` is always the first argument, named `ctx`. Avoid `context.Background()` in request paths; propagate from the caller. Define custom context keys as unexported struct types (`type myKey struct{}`) to prevent collisions.
+
+## Testing conventions
+
+- Unit tests live next to the code as `*_test.go` files using `testing.T` with `testify/assert` and `testify/require`.
+- Use `require.*` for preconditions that must stop the test on failure (setup, must-not-be-nil). Use `assert.*` for independent checks where you want the test to keep running and report every failure.
+- Integration tests under `integration/` are built on `testify/suite` (see `integration/integration_test.go`) and reuse fixtures from `integration/fixtures/`. New fixtures should follow the pattern of the existing ones.
+- New providers require integration tests.
+- Prefer running a focused test over the whole suite while iterating. When iterating on a failing test, capture the output to a file once and grep it (`... > /tmp/out.log 2>&1`) rather than re-running the suite with different `TESTFLAGS`. See [`docs/content/contributing/building-testing.md`](./docs/content/contributing/building-testing.md) for the `TESTFLAGS` invocation.
+
+## Documentation
+
+User-facing features need matching documentation updates under `docs/content/`. Integrate new pages into the existing structure rather than creating parallel sections. Preview locally with `make docs-serve`.
+
+## Contributing etiquette
+
+- **Target the right branch** (the [PR template](./.github/PULL_REQUEST_TEMPLATE.md) is authoritative): enhancements go to `master`; bug fixes and documentation updates go to the current maintenance branches (`v3.6` for v3, `v2.11` for v2, security-fixes only). Forward-ports from the maintenance branches up to `master` are handled by maintainers.
+- Keep pull requests small and focused; one logical change per PR.
+- For anything beyond a bug fix, open an issue first and wait for a maintainer to confirm the direction before investing significant work.
+- Follow the full guide in [`docs/content/contributing/submitting-pull-requests.md`](./docs/content/contributing/submitting-pull-requests.md).
+
+## AI assistance disclosure
+
+Traefik welcomes AI-assisted contributions, provided a few simple rules are followed:
+
+- **Declare substantial AI assistance** with an `Assisted-by:` trailer at the bottom of the commit message whenever an agent produced a meaningful portion of the diff — for example `Assisted-by: Claude Opus 4.6`. Trivial edits such as a typo fix or a one-line rename do not need a trailer.
+- **Keep issue and PR conversations human.** Do not let an agent post comments, review replies, or triage messages on your behalf. If an agent drafted a message for you, rewrite it in your own voice before sending — maintainers need to know they are talking to a person, not a bot.
+- **Align with a maintainer before generating code for anything larger than a bug fix.** An agent can produce thousands of lines in minutes; maintainer review capacity cannot scale the same way. Open an issue, state the intended approach, and wait for confirmation before asking an agent to implement it.
+
+## Things to avoid
+
+- Do not hand-edit generated files — notably `**/zz_generated*.go`, everything under `pkg/provider/kubernetes/crd/generated/`, and `webui/static/`. Regenerate them via `make generate`, `make generate-crd`, or `make generate-webui` and commit the result.
+- Do not skip `make lint` and `make validate-files` (or `make validate`) before pushing.
+- Do not opportunistically reformat, rename, or refactor files you did not otherwise need to touch. Drive-by changes turn a reviewable diff into noise — scope every PR to one logical change.
+- Do not include unrelated refactors, formatting-only changes to untouched files, or speculative abstractions in a feature PR.
@@ -1,3 +1,627 @@
+## [v3.7.5](https://github.com/traefik/traefik/tree/v3.7.5) (2026-06-10)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.4...v3.7.5)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Skip ingress when auth-secret resolution fails ([#13323](https://github.com/traefik/traefik/pull/13323) @gndz07)
+- **[k8s/ingress-nginx]** Pass endpointslice fencing on ingress-nginx provider ([#13290](https://github.com/traefik/traefik/pull/13290) @Learloj)
+- **[k8s/gatewayapi]** Reject cross-provider references with backendRefs.namespace ([#13322](https://github.com/traefik/traefik/pull/13322) @youkoulayley)
+- **[server]** Bump to github.com/pires/go-proxyproto v0.12.0 ([#13313](https://github.com/traefik/traefik/pull/13313) @timschumi)
+- **[tls]** Fix routers with same host, different tlsoptions on different entryPoint ([#13329](https://github.com/traefik/traefik/pull/13329) @juliens)
+- **[tls]** Fix snicheck for routers with no hosts ([#13333](https://github.com/traefik/traefik/pull/13333) @rtribotte)
+
+## [v3.6.21](https://github.com/traefik/traefik/tree/v3.6.21) (2026-06-10)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.20...v3.6.21)
+
+**Bug fixes:**
+- **[k8s/gatewayapi]** Reject cross-provider references with backendRefs.namespace ([#13322](https://github.com/traefik/traefik/pull/13322) @youkoulayley)
+- **[server]** Bump to github.com/pires/go-proxyproto v0.12.0 ([#13313](https://github.com/traefik/traefik/pull/13313) @timschumi)
+- **[tls]** Fix routers with same host, different tlsoptions on different entryPoint ([#13329](https://github.com/traefik/traefik/pull/13329) @juliens)
+- **[tls]** Fix snicheck for routers with no hosts ([#13333](https://github.com/traefik/traefik/pull/13333) @rtribotte)
+
+## [v2.11.50](https://github.com/traefik/traefik/tree/v2.11.50) (2026-06-10)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.49...v2.11.50)
+
+**Bug fixes:**
+- **[tls]** Fix routers with same host, different tlsoptions on different entryPoint ([#13329](https://github.com/traefik/traefik/pull/13329) @juliens)
+- **[tls]** Fix snicheck for routers with no hosts ([#13333](https://github.com/traefik/traefik/pull/13333) @rtribotte)
+
+## [v3.7.4](https://github.com/traefik/traefik/tree/v3.7.4) (2026-06-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.3...v3.7.4)
+
+**Bug fixes:**
+- **[middleware]** Fix redis write timeout option configuration ([#13273](https://github.com/traefik/traefik/pull/13273) @bzyy1024)
+- **[webui]** Bump react-router and jsdom ([#13301](https://github.com/traefik/traefik/pull/13301) @gndz07)
+- **[k8s/gatewayapi]** Fix BackendTLSPolicy status update ([#13306](https://github.com/traefik/traefik/pull/13306) @AnatoleLucet)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.1 ([#13300](https://github.com/traefik/traefik/pull/13300) @rtribotte)
+- **[webui]** Bump axios to v1.17.0 ([#13299](https://github.com/traefik/traefik/pull/13299) @gndz07)
+- **[tls]** Fix snicheck with keepalive ([#13305](https://github.com/traefik/traefik/pull/13305) @juliens)
+
+## [v3.6.20](https://github.com/traefik/traefik/tree/v3.6.20) (2026-06-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.19...v3.6.20)
+
+**Bug fixes:**
+- **[middleware]** Fix redis write timeout option configuration ([#13273](https://github.com/traefik/traefik/pull/13273) @bzyy1024)
+- **[webui]** Bump react-router and jsdom ([#13301](https://github.com/traefik/traefik/pull/13301) @gndz07)
+- **[k8s/gatewayapi]** Fix BackendTLSPolicy status update ([#13306](https://github.com/traefik/traefik/pull/13306) @AnatoleLucet)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.1 ([#13300](https://github.com/traefik/traefik/pull/13300) @rtribotte)
+- **[webui]** Bump axios to v1.17.0 ([#13299](https://github.com/traefik/traefik/pull/13299) @gndz07)
+- **[tls]** Fix snicheck with keepalive ([#13305](https://github.com/traefik/traefik/pull/13305) @juliens)
+
+## [v2.11.49](https://github.com/traefik/traefik/tree/v2.11.49) (2026-06-05)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.48...v2.11.49)
+
+**Bug fixes:**
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.1 ([#13300](https://github.com/traefik/traefik/pull/13300) @rtribotte)
+- **[webui]** Bump axios to v1.17.0 ([#13299](https://github.com/traefik/traefik/pull/13299) @gndz07)
+- **[tls]** Fix snicheck with keepalive ([#13305](https://github.com/traefik/traefik/pull/13305) @juliens)
+
+## [v3.7.3](https://github.com/traefik/traefik/tree/v3.7.3) (2026-06-04)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.1...v3.7.3)
+
+**Bug fixes:**
+- **[tls]** Compute resolved tlsOptions after applying models ([#13291](https://github.com/traefik/traefik/pull/13291) @rtribotte)
+- **[webui, tcp]** Fix TCP router service resolution in dashboard flow diagram ([#13155](https://github.com/traefik/traefik/pull/13155) @aliamerj)
+- **[k8s/ingress-nginx]** Trim quotes from proxy_set_header header name ([#13203](https://github.com/traefik/traefik/pull/13203) @crisbal)
+- **[accesslogs]** Escape double quotes in quoted log fields ([#13180](https://github.com/traefik/traefik/pull/13180) @KaanSimsek)
+- **[k8s/gatewayapi]** Escape exact gRPC method matches ([#13201](https://github.com/traefik/traefik/pull/13201) @nickmnt)
+- **[logs, middleware]** Allow query parameters to be dropped from RequestPath in access log ([#13091](https://github.com/traefik/traefik/pull/13091) @calinelson)
+- **[k8s/ingress-nginx]** Clear Ssl-Client-* headers when no client certificate is present ([#13260](https://github.com/traefik/traefik/pull/13260) @gndz07)
+- **[k8s/gatewayapi]** Bump github.com/moby/spdystream to v0.5.1 ([#13252](https://github.com/traefik/traefik/pull/13252) @kevinpollet)
+- **[file]** Improve file provider behavior regarding dangling symlinks ([#12449](https://github.com/traefik/traefik/pull/12449) @fh-yuxiao-zeng)
+- **[server]** Bump github.com/bytedance/sonic to v1.15.1 ([#13254](https://github.com/traefik/traefik/pull/13254) @kevinpollet)
+- **[middleware, authentication]** Add error on basic auth build if users is empty ([#13195](https://github.com/traefik/traefik/pull/13195) @rtribotte)
+- **[k8s/ingress]** Avoid ingress path matcher injection and backport 11d251415 ([#13227](https://github.com/traefik/traefik/pull/13227) @rtribotte)
+- **[server]** Move snicheck to ctx instead of simulated routing ([#13214](https://github.com/traefik/traefik/pull/13214) @juliens)
+- **[middleware]** Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation ([#13215](https://github.com/traefik/traefik/pull/13215) @rtribotte)
+- **[server]** Bump golang.org/x/net to v0.55.0 ([#13251](https://github.com/traefik/traefik/pull/13251) @kevinpollet)
+- **[k8s/gatewayapi]** Change default values and expose configuration for Kubernetes client QPS and Burst ([#13277](https://github.com/traefik/traefik/pull/13277) @kevinpollet)
+- **[server]** Bump golang.org/x/crypto to v0.52.0 ([#13276](https://github.com/traefik/traefik/pull/13276) @rtribotte)
+
+**Documentation:**
+- **[k8s]** Document new chart behavior on Gateway API ([#13167](https://github.com/traefik/traefik/pull/13167) @mloiseleur)
+- **[file]** Replace generated File routing reference page ([#13170](https://github.com/traefik/traefik/pull/13170) @sheddy-traefik)
+- **[k8s/crd]** Fix typo in accesslogs field name ([#13177](https://github.com/traefik/traefik/pull/13177) @PlayMTL)
+- **[k8s/ingress-nginx]** Surface the Ingress status race condition during NGINX coexistence ([#13205](https://github.com/traefik/traefik/pull/13205) @emilevauge)
+- Polish grammar in migration guides ([#13174](https://github.com/traefik/traefik/pull/13174) @quyentonndbs)
+- **[middleware]** Remove whitespace in HTML tag ([#13160](https://github.com/traefik/traefik/pull/13160) @marbon87)
+- Add @LBF38 as a current maintainer ([#13225](https://github.com/traefik/traefik/pull/13225) @emilevauge)
+- Add ingressClassName to Kubernetes CRD provider migration guide ([#13248](https://github.com/traefik/traefik/pull/13248) @kevinpollet)
+- **[k8s/ingress-nginx]** Add nginx.ingress.kubernetes.io/enable-global-auth to the list of supported annotations ([#13219](https://github.com/traefik/traefik/pull/13219) @filip2mac)
+- **[k8s/ingress-nginx]** Capitalize NGINX in kubernetesIngressNGINX ([#13236](https://github.com/traefik/traefik/pull/13236) @smellems)
+
+## [v3.6.19](https://github.com/traefik/traefik/tree/v3.6.19) (2026-06-04)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.17...v3.6.19)
+
+**Bug fixes:**
+- **[tls]** Compute resolved tlsOptions after applying models ([#13291](https://github.com/traefik/traefik/pull/13291) @rtribotte)
+- **[accesslogs]** Escape double quotes in quoted log fields ([#13180](https://github.com/traefik/traefik/pull/13180) @KaanSimsek)
+- **[k8s/gatewayapi]** Escape exact gRPC method matches ([#13201](https://github.com/traefik/traefik/pull/13201) @nickmnt)
+- **[logs, middleware]** Allow query parameters to be dropped from RequestPath in access log ([#13091](https://github.com/traefik/traefik/pull/13091) @calinelson)
+- **[k8s/gatewayapi]** Bump github.com/moby/spdystream to v0.5.1 ([#13252](https://github.com/traefik/traefik/pull/13252) @kevinpollet)
+- **[file]** Improve file provider behavior regarding dangling symlinks ([#12449](https://github.com/traefik/traefik/pull/12449) @fh-yuxiao-zeng)
+- **[server]** Bump github.com/bytedance/sonic to v1.15.1 ([#13254](https://github.com/traefik/traefik/pull/13254) @kevinpollet)
+- **[middleware, authentication]** Add error on basic auth build if users is empty ([#13195](https://github.com/traefik/traefik/pull/13195) @rtribotte)
+- **[k8s/ingress]** Avoid ingress path matcher injection and backport 11d251415 ([#13227](https://github.com/traefik/traefik/pull/13227) @rtribotte)
+- **[server]** Move snicheck to ctx instead of simulated routing ([#13214](https://github.com/traefik/traefik/pull/13214) @juliens)
+- **[middleware]** Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation ([#13215](https://github.com/traefik/traefik/pull/13215) @rtribotte)
+- **[server]** Bump golang.org/x/net to v0.55.0 ([#13251](https://github.com/traefik/traefik/pull/13251) @kevinpollet)
+- **[k8s/gatewayapi]** Change default values and expose configuration for Kubernetes client QPS and Burst ([#13277](https://github.com/traefik/traefik/pull/13277) @kevinpollet)
+- **[server]** Bump golang.org/x/crypto to v0.52.0 ([#13276](https://github.com/traefik/traefik/pull/13276) @rtribotte)
+
+**Documentation:**
+- **[file]** Replace generated File routing reference page ([#13170](https://github.com/traefik/traefik/pull/13170) @sheddy-traefik)
+- **[k8s/crd]** Fix typo in accesslogs field name ([#13177](https://github.com/traefik/traefik/pull/13177) @PlayMTL)
+- **[k8s/ingress-nginx]** Surface the Ingress status race condition during NGINX coexistence ([#13205](https://github.com/traefik/traefik/pull/13205) @emilevauge)
+- Polish grammar in migration guides ([#13174](https://github.com/traefik/traefik/pull/13174) @quyentonndbs)
+- **[middleware]** Remove whitespace in HTML tag ([#13160](https://github.com/traefik/traefik/pull/13160) @marbon87)
+- Add @LBF38 as a current maintainer ([#13225](https://github.com/traefik/traefik/pull/13225) @emilevauge)
+- **[k8s/ingress-nginx]** Capitalize NGINX in kubernetesIngressNGINX ([#13236](https://github.com/traefik/traefik/pull/13236) @smellems)
+
+## [v2.11.48](https://github.com/traefik/traefik/tree/v2.11.48) (2026-06-04)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.46...v2.11.48)
+
+**Bug fixes:**
+- **[tls]** Compute resolved tlsOptions after applying models ([#13291](https://github.com/traefik/traefik/pull/13291) @rtribotte)
+- **[middleware, authentication]** Add error on basic auth build if users is empty ([#13195](https://github.com/traefik/traefik/pull/13195) @rtribotte)
+- **[k8s/ingress]** Avoid ingress path matcher injection and backport 11d251415 ([#13227](https://github.com/traefik/traefik/pull/13227) @rtribotte)
+- **[server]** Move snicheck to ctx instead of simulated routing ([#13214](https://github.com/traefik/traefik/pull/13214) @juliens)
+- **[middleware]** Reject requests with different paths after StripPrefix and StripPrefixRegex normalisation ([#13215](https://github.com/traefik/traefik/pull/13215) @rtribotte)
+- **[server]** Bump golang.org/x/net to v0.55.0 ([#13251](https://github.com/traefik/traefik/pull/13251) @kevinpollet)
+- **[server]** Bump golang.org/x/crypto to v0.52.0 ([#13276](https://github.com/traefik/traefik/pull/13276) @rtribotte)
+- 
+## [v3.7.2](https://github.com/traefik/traefik/tree/v3.7.2) (2026-06-03)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.1...v3.7.2)
+
+Release canceled.
+
+## [v3.6.18](https://github.com/traefik/traefik/tree/v3.6.18) (2026-06-03)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.17...v3.6.18)
+
+Release canceled.
+
+## [v2.11.47](https://github.com/traefik/traefik/tree/v2.11.47) (2026-06-03)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.46...v2.11.47)
+
+Release canceled.
+
+## [v3.7.1](https://github.com/traefik/traefik/tree/v3.7.1) (2026-05-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0...v3.7.1)
+
+**Bug fixes:**
+- **[k8s/ingress, k8s/crd, k8s/gatewayapi]** Add CrossProviderNamespaces option  ([#13094](https://github.com/traefik/traefik/pull/13094) @rtribotte)
+- **[k8s/crd]** Fix cross-provider ref check for Kubernetes CRD provider ([#13121](https://github.com/traefik/traefik/pull/13121) @rtribotte)
+
+## [v3.6.17](https://github.com/traefik/traefik/tree/v3.6.17) (2026-05-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.16...v3.6.17)
+
+**Bug fixes:**
+- **[k8s/ingress, k8s/crd, k8s/gatewayapi]** Add CrossProviderNamespaces option  ([#13094](https://github.com/traefik/traefik/pull/13094) @rtribotte)
+- **[k8s/crd]** Fix cross-provider ref check for Kubernetes CRD provider ([#13121](https://github.com/traefik/traefik/pull/13121) @rtribotte)
+
+## [v2.11.46](https://github.com/traefik/traefik/tree/v2.11.46) (2026-05-11)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.45...v2.11.46)
+
+**Bug fixes:**
+- **[k8s/ingress, k8s/crd, k8s/gatewayapi]** Add CrossProviderNamespaces option  ([#13094](https://github.com/traefik/traefik/pull/13094) @rtribotte)
+- **[k8s/crd]** Fix cross-provider ref check for Kubernetes CRD provider ([#13121](https://github.com/traefik/traefik/pull/13121) @rtribotte)
+
+##  [v3.7.0](https://github.com/traefik/traefik/tree/v3.7.0) (2026-05-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.0-rc1...v3.7.0)
+
+**Enhancements:**
+- **[k8s/ingress-nginx]** Use a metamodel to generate dynamic configuration in ingress-nginx ([#13062](https://github.com/traefik/traefik/pull/13062) @juliens)
+- **[k8s/ingress-nginx]** Add limit-connections support ([#13030](https://github.com/traefik/traefik/pull/13030) @amazon7737)
+- **[webui]** Display server weight in service detail view ([#12325](https://github.com/traefik/traefik/pull/12325) @murataslan1)
+- **[webui, tls]** Add certificates menu and overview ([#12628](https://github.com/traefik/traefik/pull/12628) @holomekc)
+- **[provider]** Add providers routing precedence configuration ([#12895](https://github.com/traefik/traefik/pull/12895) @juliens)
+- **[k8s/ingress-nginx]** Support NGINX global auth annotation ([#12893](https://github.com/traefik/traefik/pull/12893) @foxcool)
+- **[k8s/ingress-nginx]** Add limit-burst-multiplier annotation support ([#12899](https://github.com/traefik/traefik/pull/12899) @amazon7737)
+- **[k8s/ingress-nginx, k8s/ingress, rules]** Add wildcard host in Host and HostSNI matchers ([#12884](https://github.com/traefik/traefik/pull/12884) @juliens)
+- **[k8s/gatewayapi]** Support multiple certificateRefs on gateway listeners ([#12590](https://github.com/traefik/traefik/pull/12590) @mortennordbye)
+- **[k8s/gatewayapi]** Add secret support for BackendTLSPolicy caCertificateRefs ([#12927](https://github.com/traefik/traefik/pull/12927) @kevinpollet)
+- **[accesslogs, k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/enable-access-log annotation ([#12908](https://github.com/traefik/traefik/pull/12908) @ris-tlp)
+- **[accesslogs, k8s/ingress-nginx, k8s/ingress]** Add Kubernetes Ingress logs fields ([#12913](https://github.com/traefik/traefik/pull/12913) @rtribotte)
+- **[k8s/knative]** Support knative v1.20.0 ([#12441](https://github.com/traefik/traefik/pull/12441) @idurgakalyan)
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.5.1 ([#12768](https://github.com/traefik/traefik/pull/12768) @mmatur)
+- **[k8s/ingress-nginx, middleware, authentication]** Add support for auth-snippet ([#12778](https://github.com/traefik/traefik/pull/12778) @juliens)
+- **[accesslogs, otel]** Allow Stdio access logs alongsige OTLP logging ([#12307](https://github.com/traefik/traefik/pull/12307) @Mulgish)
+- **[acme]** Add CertificateTimeout ACME configuration option ([#12278](https://github.com/traefik/traefik/pull/12278) @ceko)
+- **[k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/allowlist-source-range ([#12659](https://github.com/traefik/traefik/pull/12659) @ris-tlp)
+- **[k8s/crd]** Add ingressClassName field to the CRDs spec ([#12313](https://github.com/traefik/traefik/pull/12313) @kkrypt0nn)
+- **[k8s/crd]** Service failover support in TraefikService CRD ([#12733](https://github.com/traefik/traefik/pull/12733) @jspdown)
+- **[k8s/crd, service]** Support cipher suites configuration with ServersTransport ([#11965](https://github.com/traefik/traefik/pull/11965) @NEwa-05)
+- **[k8s/ingress, middleware, k8s/crd, service, k8s/gatewayapi]** Services middleware and Gateway API filters on HTTP backends ([#12544](https://github.com/traefik/traefik/pull/12544) @juliens)
+- **[k8s/ingress-nginx]** Add nginx.ingress.kubernetes.io/proxy-connect-timeout annotation ([#12572](https://github.com/traefik/traefik/pull/12572) @gndz07)
+- **[k8s/ingress-nginx]** Add rewrite-target nginx annotations support ([#12534](https://github.com/traefik/traefik/pull/12534) @LBF38)
+- **[k8s/ingress-nginx]** Add support for app-root nginx annotation ([#12576](https://github.com/traefik/traefik/pull/12576) @LBF38)
+- **[k8s/ingress-nginx]** Add support for auth-signin annotation ([#12502](https://github.com/traefik/traefik/pull/12502) @DesalLama)
+- **[k8s/ingress-nginx]** Add support for from-to-www-redirect NGINX annotation ([#12610](https://github.com/traefik/traefik/pull/12610) @LBF38)
+- **[k8s/ingress-nginx]** Add support for proxy-read-timeout and proxy-send-timeout NGINX annotations ([#12630](https://github.com/traefik/traefik/pull/12630) @LBF38)
+- **[k8s/ingress-nginx]** Add support for session-cookie-expires nginx annotation ([#12558](https://github.com/traefik/traefik/pull/12558) @LBF38)
+- **[k8s/ingress-nginx]** Add support for upstream-hash-by NGINX annotation ([#12749](https://github.com/traefik/traefik/pull/12749) @LBF38)
+- **[k8s/ingress-nginx]** Allow entry points to be specified on Nginx Ingresses ([#12727](https://github.com/traefik/traefik/pull/12727) @ajacques)
+- **[k8s/ingress-nginx]** Implement proxy-http-version annotation ([#12743](https://github.com/traefik/traefik/pull/12743) @KshitijBharde)
+- **[k8s/ingress-nginx]** Nginx x-forwarded-prefix annotation ([#12697](https://github.com/traefik/traefik/pull/12697) @nandorKollar)
+- **[k8s/ingress-nginx]** Support auth-tls-secret and auth-tls-verify-client annotations ([#12595](https://github.com/traefik/traefik/pull/12595) @gndz07)
+- **[k8s/ingress-nginx]** Support limit-rpm annotation for ingress-nginx ([#12703](https://github.com/traefik/traefik/pull/12703) @Ph4rell)
+- **[k8s/ingress-nginx]** Support limit-rps annotation for Ingress NGINX ([#12709](https://github.com/traefik/traefik/pull/12709) @amazon7737)
+- **[k8s/ingress-nginx]** Support NGINX buffering annotations ([#12459](https://github.com/traefik/traefik/pull/12459) @blasko03)
+- **[k8s/ingress-nginx]** Support NGINX canary annotations ([#12739](https://github.com/traefik/traefik/pull/12739) @kevinpollet)
+- **[k8s/ingress-nginx]** Support NGINX custom-headers annotation ([#12414](https://github.com/traefik/traefik/pull/12414) @nandorKollar)
+- **[k8s/ingress-nginx]** Support NGINX upstream-vhost annotation ([#12412](https://github.com/traefik/traefik/pull/12412) @nandorKollar)
+- **[k8s/ingress-nginx]** Support NGINX whitelist-source-range annotation ([#12423](https://github.com/traefik/traefik/pull/12423) @blasko03)
+- **[k8s/ingress-nginx]** Support permanent-redirect and temporal-redirect annotations ([#12561](https://github.com/traefik/traefik/pull/12561) @LBF38)
+- **[k8s/ingress-nginx]** Support proxy-next-upstream* annotations ([#12710](https://github.com/traefik/traefik/pull/12710) @gndz07)
+- **[k8s/ingress-nginx]** Support server-alias annotation for Ingress NGINX ([#12707](https://github.com/traefik/traefik/pull/12707) @amazon7737)
+- **[k8s/ingress-nginx]** Support upstream-keepalive-timeout ([#12708](https://github.com/traefik/traefik/pull/12708) @jcob-sikorski)
+- **[k8s/ingress-nginx]** Add support for variable interpolation in auth-signin NGINX annotation ([#12640](https://github.com/traefik/traefik/pull/12640) @LBF38)
+- **[k8s/ingress-nginx]** Implement server-snippet and configuration-snippet annotations ([#12715](https://github.com/traefik/traefik/pull/12715) @juliens)
+- **[k8s/ingress-nginx]** Add custom-http-errors and default-backend annotations ([#12637](https://github.com/traefik/traefik/pull/12637) @juliens)
+- **[k8s/ingress-nginx]** Support auth-tls-pass-certificate-to-upstream annotation ([#12629](https://github.com/traefik/traefik/pull/12629) @gndz07)
+- **[metrics]** Support file path for metrics.influxdb2.token option ([#12458](https://github.com/traefik/traefik/pull/12458) @barhun)
+- **[middleware]** Add encodedCharacters middleware ([#12555](https://github.com/traefik/traefik/pull/12555) @gndz07)
+- **[middleware]** Enable retries based on HTTP response status codes, timeout, and non-idempotent methods ([#12667](https://github.com/traefik/traefik/pull/12667) @LBF38)
+- **[middleware, authentication]** Add authSignInURL in forward auth middleware ([#12293](https://github.com/traefik/traefik/pull/12293) @kyounghunJang)
+- **[server]** Add global option to disable X-Forwarded-For appending ([#12374](https://github.com/traefik/traefik/pull/12374) @lbenguigui)
+- **[server]** Replace Split in loops with more efficient SplitSeq ([#12316](https://github.com/traefik/traefik/pull/12316) @boqishan)
+- **[service]** Failover according to response status code ([#12596](https://github.com/traefik/traefik/pull/12596) @lbenguigui)
+- **[tls]** Make TLSStore gracefully handle missing secrets ([#12522](https://github.com/traefik/traefik/pull/12522) @david-garcia-garcia)
+- **[webui]** Add dashboard name configuration ([#12410](https://github.com/traefik/traefik/pull/12410) @gndz07)
+- **[webui]** Web UI dashboard improvements ([#12236](https://github.com/traefik/traefik/pull/12236) @gndz07)
+- **[webui]** Details pages UI improvement ([#12377](https://github.com/traefik/traefik/pull/12377) @gndz07)
+- Use unicode.MaxASCII for clearer ASCII check ([#12741](https://github.com/traefik/traefik/pull/12741) @1911860538)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Add ipAllowListStrategy option for allowlist/whitelist annotations ([#12932](https://github.com/traefik/traefik/pull/12932) @mathieuherbert)
+- **[k8s/ingress-nginx]** Fix regressions after refacto of the ingress-nginx provider ([#13086](https://github.com/traefik/traefik/pull/13086) @juliens)
+- **[k8s/ingress-nginx]** Fix typo in default CORS allowed headers ([#13088](https://github.com/traefik/traefik/pull/13088) @mliang2)
+- **[docker, ecs]** Migrate to github.com/moby/moby modules ([#12672](https://github.com/traefik/traefik/pull/12672) @thaJeztah)
+- **[logs, metrics, tracing]** Bump go.opentelemetry.io/otel ([#13100](https://github.com/traefik/traefik/pull/13100) @juliens)
+- **[k8s/crd]** Remove cross-provider sanitization for Kubernetes service loading ([#13087](https://github.com/traefik/traefik/pull/13087) @rtribotte)
+- **[docker, ecs]** Migrate to github.com/moby/moby modules ([#13053](https://github.com/traefik/traefik/pull/13053) @mmatur)
+- **[k8s/ingress-nginx]** Fix SSL redirect behavior for ingress-nginx provider ([#13028](https://github.com/traefik/traefik/pull/13028) @gndz07)
+- **[k8s/ingress-nginx]** Do not require a port for ExternalName services ([#13033](https://github.com/traefik/traefik/pull/13033) @kevinpollet)
+- **[k8s, k8s/ingress-nginx]** Add regression test for ingress default backend without rules ([#13066](https://github.com/traefik/traefik/pull/13066) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.1 ([#13027](https://github.com/traefik/traefik/pull/13027) @ldez)
+- **[server]** Bump github.com/vulcand/oxy to v2.1.0 ([#13046](https://github.com/traefik/traefik/pull/13046) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.2 ([#13043](https://github.com/traefik/traefik/pull/13043) @ldez)
+- **[middleware]** Add errorRequestHeaders option to Errors middleware ([#13034](https://github.com/traefik/traefik/pull/13034) @gndz07)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.34.0 ([#12993](https://github.com/traefik/traefik/pull/12993) @ldez)
+- **[docker]** Downgrade log level for missing container on inspect ([#12900](https://github.com/traefik/traefik/pull/12900) @Otoru)
+- **[k8s/crd, k8s]** Honor allowCrossNamespace with chain middleware CRD ([#12976](https://github.com/traefik/traefik/pull/12976) @rtribotte)
+- **[k8s/ingress-nginx]** Avoid 302 redirect when rewrite-target value is not an absolute URL for ingress-nginx provider ([#12977](https://github.com/traefik/traefik/pull/12977) @gndz07)
+- **[k8s/ingress-nginx]** Fix custom headers annotation with 503 Service Unavailable ([#12969](https://github.com/traefik/traefik/pull/12969) @LBF38)
+- **[k8s/ingress-nginx]** Fix service unavailable on ingress-nginx ([#12996](https://github.com/traefik/traefik/pull/12996) @LBF38)
+- **[k8s/ingress-nginx]** Handle duplicate server-alias on ingress-nginx provider ([#13019](https://github.com/traefik/traefik/pull/13019) @gndz07)
+- **[k8s/ingress-nginx]** Use QuoteMeta for cookie name when building canary rules ([#12973](https://github.com/traefik/traefik/pull/12973) @kevinpollet)
+- **[middleware, authentication]** Cleanup and make ForwardAuth logs consistent ([#13013](https://github.com/traefik/traefik/pull/13013) @kevinpollet)
+- **[middleware, authentication]** Fix trustForwardHeader on forward auth middleware ([#12994](https://github.com/traefik/traefik/pull/12994) @juliens)
+- **[middleware, authentication]** Remove map lookup making the basic auth notFoundSecret empty ([#12960](https://github.com/traefik/traefik/pull/12960) @rtribotte)
+- **[middleware, k8s/ingress-nginx]** Fix app-root with query params redirect ([#12986](https://github.com/traefik/traefik/pull/12986) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Fix rewrite target with full URL and no regex in ingress path ([#12992](https://github.com/traefik/traefik/pull/12992) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Preserve request query on absolute-URL redirect ([#13020](https://github.com/traefik/traefik/pull/13020) @SAY-5)
+- **[middleware, k8s/ingress-nginx]** Resolve NGINX variables in ingress-nginx upstream-vhost annotation ([#12978](https://github.com/traefik/traefik/pull/12978) @mmatur)
+- **[middleware]** Deprecate ForwardAuth.TrustForwardHeader option ([#13012](https://github.com/traefik/traefik/pull/13012) @kevinpollet)
+- **[middleware]** Remove untrusted X headers with underscores ([#12961](https://github.com/traefik/traefik/pull/12961) @rtribotte)
+- **[middleware]** Sanitize the request URL after stripping the prefix ([#12990](https://github.com/traefik/traefik/pull/12990) @kevinpollet)
+- **[sticky-session, k8s/crd]** Make SameSite cookie value case-insensitive ([#12922](https://github.com/traefik/traefik/pull/12922) @murataslan1)
+- **[tls]** Restore default cipher suites when serversTransport has no explicit cipherSuites ([#12974](https://github.com/traefik/traefik/pull/12974) @mmatur)
+- **[webui]** Bump lodash version ([#12954](https://github.com/traefik/traefik/pull/12954) @gndz07)
+- **[webui]** Upgrade form-data to 2.5.4, 3.0.4, 4.0.4 ([#12958](https://github.com/traefik/traefik/pull/12958) @orbisai0security)
+- **[k8s/ingress-nginx]** Fix rewrite-target annotation handling with empty path and non-regex path ([#12905](https://github.com/traefik/traefik/pull/12905) @LBF38)
+- **[middleware]** Bump github.com/klauspost/compress v1.18.4 ([#12937](https://github.com/traefik/traefik/pull/12937) @thaJeztah)
+- **[k8s/crd]** Fix panic with Failover services in Kubernetes ([#12853](https://github.com/traefik/traefik/pull/12853) @juliens)
+- **[k8s/ingress-nginx]** Fix rewrite directive in configuration-snippet to trim quotes ([#12855](https://github.com/traefik/traefik/pull/12855) @gndz07)
+- **[k8s/ingress-nginx]** Fix rewrite-target to handle full URL ([#12854](https://github.com/traefik/traefik/pull/12854) @gndz07)
+- **[k8s/ingress-nginx]** Handle empty rewrite-target like unset rewrite-target ([#12832](https://github.com/traefik/traefik/pull/12832) @sathieu)
+- **[k8s/ingress-nginx]** Fix TLS behavior in ingress-nginx provider ([#12831](https://github.com/traefik/traefik/pull/12831) @LBF38)
+- **[k8s/ingress-nginx]** Fix auth-response-headers whitespace trimming in ingress-nginx provider ([#12856](https://github.com/traefik/traefik/pull/12856) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.33.0 ([#12840](https://github.com/traefik/traefik/pull/12840) @ldez)
+- **[server, tcp]** Fix postgres STARTTLS with TLS termination ([#12847](https://github.com/traefik/traefik/pull/12847) @mmatur)
+- **[api]** Fix allow colons and tildes in api.basePath validation ([#12857](https://github.com/traefik/traefik/pull/12857) @mmatur)
+- **[server]** Fix comment and unnecessary allocation in withRoutingPath ([#12880](https://github.com/traefik/traefik/pull/12880) @boinger)
+- **[grpc]** Bump google.golang.org/grpc to v1.79.3 ([#12845](https://github.com/traefik/traefik/pull/12845) @mmatur)
+- **[middleware, authentication]** Prevent duplicate user headers in basic and digest auth middleware ([#12851](https://github.com/traefik/traefik/pull/12851) @juliens)
+- **[middleware]** Fix StripPrefix and StripPrefixRegex to slice the prefix using encoded prefix length ([#12863](https://github.com/traefik/traefik/pull/12863) @gndz07)
+- **[k8s/ingress-nginx]** Fix use-regex annotation behavior and add strictValidatePathType config for ingress-nginx provider ([#12773](https://github.com/traefik/traefik/pull/12773) @gndz07)
+- **[logs, otel]** Add OTel-conformant trace context attributes to access logs ([#12801](https://github.com/traefik/traefik/pull/12801) @mmatur)
+- **[k8s/gatewayapi]** Fix incorrect hostname matching between listener and route ([#12599](https://github.com/traefik/traefik/pull/12599) @TheColorman)
+- **[k8s/ingress]** Fix ingress router's rule ([#12808](https://github.com/traefik/traefik/pull/12808) @gndz07)
+- **[webui]** Remove AGPL license in code ([#12799](https://github.com/traefik/traefik/pull/12799) @Desel72)
+- **[k8s/ingress-nginx]** Fix proxy-ssl-verify annotation ([#12825](https://github.com/traefik/traefik/pull/12825) @LBF38)
+- **[http]** Add maxResponseBodySize configuration on HTTP provider ([#12788](https://github.com/traefik/traefik/pull/12788) @gndz07)
+- **[tls]** Support fragmented TLS client hello ([#12787](https://github.com/traefik/traefik/pull/12787) @rtribotte)
+- **[middleware, authentication]** Make basic auth check timing constant ([#12803](https://github.com/traefik/traefik/pull/12803) @rtribotte)
+- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) @ldez)
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) @LBF38)
+- **[acme]** Alter TLS renewal period ([#12479](https://github.com/traefik/traefik/pull/12479) @LtHummus)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.28.0 ([#12218](https://github.com/traefik/traefik/pull/12218) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.29.0 ([#12333](https://github.com/traefik/traefik/pull/12333) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.30.1 ([#12432](https://github.com/traefik/traefik/pull/12432) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.32.0 ([#12702](https://github.com/traefik/traefik/pull/12702) @ldez)
+- **[acme]** Remove invalid private key in log ([#12574](https://github.com/traefik/traefik/pull/12574) @juliens)
+- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) @schildbach)
+- **[cli]** Fix health check ping ([#12512](https://github.com/traefik/traefik/pull/12512) @olamilekan000)
+- **[docker]** Auto-negotiate Docker API Version ([#12256](https://github.com/traefik/traefik/pull/12256) @felixbuenemann)
+- **[docker]** Bump Docker and OpenTelemetry dependencies ([#12761](https://github.com/traefik/traefik/pull/12761) @mmatur)
+- **[docker, docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) @kevinpollet)
+- **[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#12763](https://github.com/traefik/traefik/pull/12763) @kevinpollet)
+- **[healthcheck]** Reject absolute URL in healthcheck path configuration ([#12653](https://github.com/traefik/traefik/pull/12653) @rtribotte)
+- **[healthcheck]** Validate healthcheck path configuration ([#12642](https://github.com/traefik/traefik/pull/12642) @rtribotte)
+- **[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#12760](https://github.com/traefik/traefik/pull/12760) @rtribotte)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) @GreyXor)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) @GreyXor)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.58.0 ([#12448](https://github.com/traefik/traefik/pull/12448) @GreyXor)
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.0 ([#12553](https://github.com/traefik/traefik/pull/12553) @jnoordsij)
+- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) @LBF38)
+- **[k8s/gatewayapi]** Fix Gateway API router's rules ([#12753](https://github.com/traefik/traefik/pull/12753) @rtribotte)
+- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) @gndz07)
+- **[k8s/ingress-nginx]** Add AllowCrossNamespaceResources and GlobalAllowedResponseHeader options to control custom headers annotations ([#12680](https://github.com/traefik/traefik/pull/12680) @rtribotte)
+- **[k8s/ingress-nginx]** Deprecate Kubernetes Ingress NGINX provider experimental flag ([#12286](https://github.com/traefik/traefik/pull/12286) @rtribotte)
+- **[k8s/ingress-nginx]** Fix nginx rewrite target ([#12730](https://github.com/traefik/traefik/pull/12730) @mmatur)
+- **[k8s/ingress-nginx]** Fix NGINX sslredirect annotation support ([#12387](https://github.com/traefik/traefik/pull/12387) @rtribotte)
+- **[k8s/ingress-nginx]** Fix nginx.ingress.kubernetes.io/proxy-ssl-verify annotation support ([#12351](https://github.com/traefik/traefik/pull/12351) @rtribotte)
+- **[k8s/ingress-nginx]** Fix SSL redirect to match NGINX behavior ([#12361](https://github.com/traefik/traefik/pull/12361) @mmatur)
+- **[k8s/ingress-nginx]** Fix the service name for ingress-nginx provider ([#12352](https://github.com/traefik/traefik/pull/12352) @mmatur)
+- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) @LBF38)
+- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) @rtribotte)
+- **[metrics, tracing, accesslogs]** Fix ObservabilityConfig SetDefaults  ([#12636](https://github.com/traefik/traefik/pull/12636) @mmatur)
+- **[middleware]** Fix case sensitivity on x-forwarded headers for Connection ([#12690](https://github.com/traefik/traefik/pull/12690) @LBF38)
+- **[middleware]** Fix HasSecureHeadersDefined returning false when stsSeconds is 0 ([#12684](https://github.com/traefik/traefik/pull/12684) @veeceey)
+- **[middleware, authentication]** Add maxResponseBodySize configuration to forwardAuth middleware ([#12694](https://github.com/traefik/traefik/pull/12694) @gndz07)
+- **[middleware, authentication]** Change ForwardAuth error log level from DEBUG to ERROR ([#12324](https://github.com/traefik/traefik/pull/12324) @murataslan1)
+- **[middleware, authentication]** Handle empty/missing User-Agent header ([#12545](https://github.com/traefik/traefik/pull/12545) @a-stangl)
+- **[middleware, k8s, k8s/ingress-nginx]** Fix from to www nginx annotation ([#12736](https://github.com/traefik/traefik/pull/12736) @mmatur)
+- **[middleware, k8s/ingress-nginx]** Fix custom error pages behavior for ingress-nginx provider ([#12738](https://github.com/traefik/traefik/pull/12738) @mmatur)
+- **[otel]** Bump go.opentelemetry.io/otel dependencies ([#12754](https://github.com/traefik/traefik/pull/12754) @rtribotte)
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) @kevinpollet)
+- **[redis]** Fix mutually exclusive verification for Redis ([#12442](https://github.com/traefik/traefik/pull/12442) @juliens)
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) @kevinpollet)
+- **[server]** Bump golang.org/x/net to v0.51.0 ([#12756](https://github.com/traefik/traefik/pull/12756) @kevinpollet)
+- **[server]** Filter unknown nodes with file and env for the deprecation loader ([#12227](https://github.com/traefik/traefik/pull/12227) @rtribotte)
+- **[server]** Fix deny encoded characters ([#12454](https://github.com/traefik/traefik/pull/12454) @rtribotte)
+- **[server]** Fix deny encoded characters ([#12457](https://github.com/traefik/traefik/pull/12457) @rtribotte)
+- **[server]** Fix multi-layer routing with models ([#12258](https://github.com/traefik/traefik/pull/12258) @juliens)
+- **[server]** Fix TLS handshake error handling ([#12692](https://github.com/traefik/traefik/pull/12692) @juliens)
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) @gndz07)
+- **[server]** Make the aggregator compute provider namespace for router's parentRefs ([#12235](https://github.com/traefik/traefik/pull/12235) @rtribotte)
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12424](https://github.com/traefik/traefik/pull/12424) @kevinpollet)
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12426](https://github.com/traefik/traefik/pull/12426) @rtribotte)
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) @rtribotte)
+- **[server]** Remove conn deadline after STARTTLS negociation ([#12639](https://github.com/traefik/traefik/pull/12639) @rtribotte)
+- **[service]** Avoid recursion with services ([#12591](https://github.com/traefik/traefik/pull/12591) @juliens)
+- **[tls]** Fix verifyServerCertMatchesURI function behavior ([#12575](https://github.com/traefik/traefik/pull/12575) @kevinpollet)
+- **[tls, server]** Cap TLS record length to RFC 8446 limit in ClientHello peeking ([#12638](https://github.com/traefik/traefik/pull/12638) @mmatur)
+- **[tracing, otel]** Use ParentBased sampler to respect parent span sampling decision ([#12403](https://github.com/traefik/traefik/pull/12403) @xe-leon)
+- **[udp]** Revert "Avoid allocations in readLoop by using sync.Pool" ([#12267](https://github.com/traefik/traefik/pull/12267) @kevinpollet)
+- **[webui]** Bump dependencies of documentation and webui ([#12581](https://github.com/traefik/traefik/pull/12581) @gndz07)
+- **[webui]** Fix basePath validation for dashboard template ([#12729](https://github.com/traefik/traefik/pull/12729) @gndz07)
+- **[webui]** Fix blocked navigation on Safari ([#12231](https://github.com/traefik/traefik/pull/12231) @gndz07)
+- **[webui]** Fix missing type definition ([#12780](https://github.com/traefik/traefik/pull/12780) @gndz07)
+- **[webui]** Fix priority display in dashboard and ACME bypass redirect ([#12740](https://github.com/traefik/traefik/pull/12740) @mmatur)
+- **[webui]** Restore remote Upgrade to Hub button web component ([#12219](https://github.com/traefik/traefik/pull/12219) @gndz07)
+- **[webui]** Use url.Parse to validate X-Forwarded-Prefix value ([#12643](https://github.com/traefik/traefik/pull/12643) @kevinpollet)
+- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) @LBF38)
+
+**Documentation:**
+- **[service]** Service-level Middleware Documentation ([#13095](https://github.com/traefik/traefik/pull/13095) @nmengin)
+- **[k8s/gatewayapi]** Update Helm chart values link for Kubernetes Gateway ([#13063](https://github.com/traefik/traefik/pull/13063) @0054)
+- **[k8s/ingress-nginx]** Add ingress-nginx ConfigMap migration step ([#12963](https://github.com/traefik/traefik/pull/12963) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Delete the coming soon section from the ingress-nginx documentation ([#13037](https://github.com/traefik/traefik/pull/13037) @nmengin)
+- **[k8s]** Fix yaml indentation ([#12957](https://github.com/traefik/traefik/pull/12957) @isayme)
+- **[k8s]** Clarify install config watchNamespace watches only one namespace ([#12962](https://github.com/traefik/traefik/pull/12962) @parkerfath)
+- **[k8s/crd]** Update ingressroute.md ([#12916](https://github.com/traefik/traefik/pull/12916) @Rajakavitha1)
+- **[k8s/ingress-nginx]** Document the rd parameter behavior for the auth-signin annotation ([#13017](https://github.com/traefik/traefik/pull/13017) @kevinpollet)
+- Reverse versions order in migration guide ([#12959](https://github.com/traefik/traefik/pull/12959) @nmengin)
+- Update vulnerability submission guidelines ([#12968](https://github.com/traefik/traefik/pull/12968) @emilevauge)
+- **[docker]** Fix docker-compose.yaml location in Docker setup page ([#12860](https://github.com/traefik/traefik/pull/12860) @ScottA38)
+- **[docker, consul, ecs, k8s]** Fix documentation on how to restrict the scope of service discovery ([#12645](https://github.com/traefik/traefik/pull/12645) @mloiseleur)
+- **[k8s/gatewayapi]** Update gateway-api link in getting-started to v1.5.1 ([#12930](https://github.com/traefik/traefik/pull/12930) @isayme)
+- **[k8s/ingress-nginx]** Add OVHcloud (OpenStack Octavia) to Cloud-Specific IP Management ([#12759](https://github.com/traefik/traefik/pull/12759) @antonin-a)
+- **[k8s/ingress-nginx]** Clarify IngressClass selection logic ([#12926](https://github.com/traefik/traefik/pull/12926) @kevinpollet)
+- Add redirects for deleted pages ([#12889](https://github.com/traefik/traefik/pull/12889) @sheddy-traefik)
+- Fix default value of http.sanitizePath ([#12904](https://github.com/traefik/traefik/pull/12904) @iTob191)
+- **[acme]** Clarify CNAME explanation in ACME Documentation ([#12818](https://github.com/traefik/traefik/pull/12818) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Add ingress-nginx migration banner on documentation pages ([#12872](https://github.com/traefik/traefik/pull/12872) @gndz07)
+- **[k8s/ingress]** Improve Kubernetes Ingress Routing Documentation ([#12876](https://github.com/traefik/traefik/pull/12876) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Clarify that NGINX Ingress watchNamespace watches only one namespace ([#12873](https://github.com/traefik/traefik/pull/12873) @parkerfath)
+- **[k8s]** Improve the multi tenant security note ([#12822](https://github.com/traefik/traefik/pull/12822) @nmengin)
+- Fix unnecessary escaping of pipe in regexp examples ([#12784](https://github.com/traefik/traefik/pull/12784) @diegmonti)
+- Add vulnerability submission quality guidelines ([#12807](https://github.com/traefik/traefik/pull/12807) @emilevauge)
+- Fix start up message format ([#12806](https://github.com/traefik/traefik/pull/12806) @mloiseleur)
+- Remove unsupported servers[n].address from TCP label examples ([#12817](https://github.com/traefik/traefik/pull/12817) @sheddy-traefik)
+- Bump mkdocs-traefiklabs to use consent mode ([#12804](https://github.com/traefik/traefik/pull/12804) @darkweaver87)
+- **[acme]** Add missing ACME options and clean up table for more visibility ([#12208](https://github.com/traefik/traefik/pull/12208) @sheddy-traefik)
+- **[api]** Fix typo in API dashboard configuration instructions ([#12335](https://github.com/traefik/traefik/pull/12335) @NAICOLAS)
+- **[docker]** Add documentation for loadbalancer.server.url in Docker and Swarm providers ([#12289](https://github.com/traefik/traefik/pull/12289) @webash)
+- **[docker]** Update docker in-depth setup guide ([#12682](https://github.com/traefik/traefik/pull/12682) @mdevino)
+- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) @DBouraoui)
+- **[k8s]** Fix Gateway API version and the list of features supported ([#12254](https://github.com/traefik/traefik/pull/12254) @nmengin)
+- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) @mmatur)
+- **[k8s]** Fix kubernetes.md with correct http redirections ([#12603](https://github.com/traefik/traefik/pull/12603) @MartenM)
+- **[k8s]** Fix Nginx provider documentation ([#12266](https://github.com/traefik/traefik/pull/12266) @nmengin)
+- **[k8s]** Improve the K8S multi-tenancy security note ([#12444](https://github.com/traefik/traefik/pull/12444) @nmengin)
+- **[k8s]** Make labelSelector option casing more consistent ([#12658](https://github.com/traefik/traefik/pull/12658) @holysoles)
+- **[k8s, k8s/ingress-nginx]** Add configmaps right to Ingress NGINX RBAC ([#12557](https://github.com/traefik/traefik/pull/12557) @kevinpollet)
+- **[k8s/gatewayapi]** Fix links of Helm chart values reference to providers.kubernetesGateway.enabled ([#12315](https://github.com/traefik/traefik/pull/12315) @shouhei)
+- **[k8s/ingress, k8s]** Fix Kubernetes Ingress provider documentation ([#12443](https://github.com/traefik/traefik/pull/12443) @nmengin)
+- **[k8s/ingress-nginx]** Add auth-signin to unsupported nginx annotations list ([#12370](https://github.com/traefik/traefik/pull/12370) @fibsifan)
+- **[k8s/ingress-nginx]** Add RBAC documentation for Ingress NGINX provider ([#12445](https://github.com/traefik/traefik/pull/12445) @nmn3m)
+- **[k8s/ingress-nginx]** Add temporary note to advertise the incoming NGINX annotations ([#12699](https://github.com/traefik/traefik/pull/12699) @nmengin)
+- **[k8s/ingress-nginx]** Fix default value of ingress-nginx provider in documentation ([#12328](https://github.com/traefik/traefik/pull/12328) @mloiseleur)
+- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) @nmengin)
+- **[k8s/ingress-nginx]** Improve ingress-nginx provider documentation ([#12288](https://github.com/traefik/traefik/pull/12288) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Improve the configuration options display of the Kubernetes ingress-nginx provider ([#12297](https://github.com/traefik/traefik/pull/12297) @mloiseleur)
+- **[k8s/ingress-nginx]** NGINX Ingress Controller to Traefik Migration Guide ([#12318](https://github.com/traefik/traefik/pull/12318) @sheddy-traefik)
+- **[middleware]** Correct documentation for Digest auth ([#12651](https://github.com/traefik/traefik/pull/12651) @Zash)
+- **[middleware]** Fix default encodings in compress middleware ([#12216](https://github.com/traefik/traefik/pull/12216) @Belphemur)
+- **[middleware, k8s/crd]** Fix the errors middleware's document for Kubernetes CRD ([#12600](https://github.com/traefik/traefik/pull/12600) @yuito-it)
+- **[service]** Fix loadbalancer doc for highest random weight ([#12283](https://github.com/traefik/traefik/pull/12283) @ozon2)
+- **[tls]** Clarify SNI selection ([#12482](https://github.com/traefik/traefik/pull/12482) @AnuragEkkati)
+- Add @gndz07 as a current maintainer ([#12594](https://github.com/traefik/traefik/pull/12594) @emilevauge)
+- Add a Breaking change note to the changelog ([#12398](https://github.com/traefik/traefik/pull/12398) @nmengin)
+- Add documentation about checkNewVersion ([#12298](https://github.com/traefik/traefik/pull/12298) @darkweaver87)
+- Add missing `.http` to TOML table names ([#12713](https://github.com/traefik/traefik/pull/12713) @Darsstar)
+- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) @sheddy-traefik)
+- Bring back security section on API & Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) @gndz07)
+- Clarify doc about encoded characters rejection ([#12391](https://github.com/traefik/traefik/pull/12391) @rtribotte)
+- Clean Up Menu Entries & Update Expose Overview ([#12405](https://github.com/traefik/traefik/pull/12405) @sheddy-traefik)
+- Correct encoded characters allowance in entrypoints.md ([#12679](https://github.com/traefik/traefik/pull/12679) @Apflkuacha)
+- Correctly Format the HTTP Service Documentation ([#12311](https://github.com/traefik/traefik/pull/12311) @sheddy-traefik)
+- Document negative priority support for routers ([#12505](https://github.com/traefik/traefik/pull/12505) @understood-the-assignment)
+- Document Path matcher placeholder removal in v3 migration guide ([#12570](https://github.com/traefik/traefik/pull/12570) @sheddy-traefik)
+- Fix API basepath option documentation ([#12744](https://github.com/traefik/traefik/pull/12744) @nmengin)
+- Fix broken links in TCP Service and HTTP Router documentation ([#12215](https://github.com/traefik/traefik/pull/12215) @sheddy-traefik)
+- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) @AnuragEkkati)
+- Fix encoded characters entryPoint option documentation ([#12384](https://github.com/traefik/traefik/pull/12384) @rtribotte)
+- Fix encoded characters option documentation ([#12373](https://github.com/traefik/traefik/pull/12373) @kevinpollet)
+- Fix encodedCharacters entryPoint option documentation ([#12385](https://github.com/traefik/traefik/pull/12385) @rtribotte)
+- Fix incorrect TOML example in entrypoints docs ([#12711](https://github.com/traefik/traefik/pull/12711) @mfmfuyu)
+- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) @schaerfo)
+- Fix Menu Item Naming ([#12431](https://github.com/traefik/traefik/pull/12431) @sheddy-traefik)
+- Fix migration guide indentation ([#12365](https://github.com/traefik/traefik/pull/12365) @kevinpollet)
+- Fix migration guide URLs in deprecation notice ([#12430](https://github.com/traefik/traefik/pull/12430) @alexmar07)
+- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) @EdwardSalkeld)
+- Fix typo in v3.6 migration guide ([#12212](https://github.com/traefik/traefik/pull/12212) @jnoordsij)
+- Fix typo on JWT documentation ([#12616](https://github.com/traefik/traefik/pull/12616) @mdevino)
+- Improve Service Reference page ([#12541](https://github.com/traefik/traefik/pull/12541) @sheddy-traefik)
+- Improve the structure of the routing reference pages ([#12429](https://github.com/traefik/traefik/pull/12429) @sheddy-traefik)
+- Increased content width in documentation ([#12632](https://github.com/traefik/traefik/pull/12632) @tobiasge)
+- Remove extra dots in migration guide ([#12573](https://github.com/traefik/traefik/pull/12573) @rtribotte)
+- Remove extraneous dots in migration guide ([#12571](https://github.com/traefik/traefik/pull/12571) @dathbe)
+- Restore documentation on http.maxHeaderBytes ([#12440](https://github.com/traefik/traefik/pull/12440) @mloiseleur)
+- Split Expose User Guides & Add Multi-Layer Routing Section ([#12238](https://github.com/traefik/traefik/pull/12238) @sheddy-traefik)
+- Update Configuration Overview Page ([#12202](https://github.com/traefik/traefik/pull/12202) @sheddy-traefik)
+- Update SECURITY.md ([#12304](https://github.com/traefik/traefik/pull/12304) @cwayne18)
+- Update SECURITY.md to streamline information ([#12310](https://github.com/traefik/traefik/pull/12310) @emilevauge)
+
+**Misc:**
+- Make FLAGS Make variable usable ([#13009](https://github.com/traefik/traefik/pull/13009) @twz123)
+
+## [v3.6.16](https://github.com/traefik/traefik/tree/v3.6.16) (2026-05-05)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.15...v3.6.16)
+
+**Bug fixes:**
+- **[k8s/crd]** Remove cross-provider sanitization for Kubernetes service loading ([#13087](https://github.com/traefik/traefik/pull/13087) @rtribotte)
+- **[k8s/ingress-nginx]** Fix typo in default CORS allowed headers ([#13088](https://github.com/traefik/traefik/pull/13088) @mliang2)
+- **[logs, metrics, tracing]** Bump go.opentelemetry.io/otel ([#13100](https://github.com/traefik/traefik/pull/13100) @juliens)
+- **[docker, ecs]** Migrate to github.com/moby/moby modules ([#12672](https://github.com/traefik/traefik/pull/12672) @thaJeztah)
+- **[docker, ecs]** Migrate to github.com/moby/moby modules ([#13053](https://github.com/traefik/traefik/pull/13053) @mmatur)
+
+**Documentation:**
+- **[k8s/gatewayapi]** Update Helm chart values link for Kubernetes Gateway ([#13063](https://github.com/traefik/traefik/pull/13063) @0054)
+
+## [v2.11.45](https://github.com/traefik/traefik/tree/v2.11.45) (2026-05-05)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.44...v2.11.45)
+
+**Bug fixes:**
+- **[k8s/crd]** Remove cross-provider sanitization for Kubernetes service loading ([#13087](https://github.com/traefik/traefik/pull/13087) @rtribotte)
+- **[docker, ecs]** Migrate to github.com/moby/moby modules ([#13053](https://github.com/traefik/traefik/pull/13053) @mmatur)
+
+## [v3.7.0-rc.3](https://github.com/traefik/traefik/tree/v3.7.0-rc.3) (2026-04-29)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-rc.2...v3.7.0-rc.3)
+
+**Enhancements:**
+- **[k8s/ingress-nginx]** Use a metamodel to generate dynamic configuration in ingress-nginx ([#13062](https://github.com/traefik/traefik/pull/13062) @juliens)
+- **[k8s/ingress-nginx]** Add limit-connections support ([#13030](https://github.com/traefik/traefik/pull/13030) @amazon7737)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Fix SSL redirect behavior for ingress-nginx provider ([#13028](https://github.com/traefik/traefik/pull/13028) @gndz07)
+- **[k8s/ingress-nginx]** Do not require a port for ExternalName services ([#13033](https://github.com/traefik/traefik/pull/13033) @kevinpollet)
+- **[k8s, k8s/ingress-nginx]** Add regression test for ingress default backend without rules ([#13066](https://github.com/traefik/traefik/pull/13066) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.1 ([#13027](https://github.com/traefik/traefik/pull/13027) @ldez)
+- **[server]** Bump github.com/vulcand/oxy to v2.1.0 ([#13046](https://github.com/traefik/traefik/pull/13046) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.2 ([#13043](https://github.com/traefik/traefik/pull/13043) @ldez)
+- **[middleware]** Add errorRequestHeaders option to Errors middleware ([#13034](https://github.com/traefik/traefik/pull/13034) @gndz07)
+
+**Documentation:**
+- **[k8s/ingress-nginx]** Add ingress-nginx ConfigMap migration step ([#12963](https://github.com/traefik/traefik/pull/12963) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Delete the coming soon section from the ingress-nginx documentation ([#13037](https://github.com/traefik/traefik/pull/13037) @nmengin)
+
+**Misc:**
+- Make FLAGS Make variable usable ([#13009](https://github.com/traefik/traefik/pull/13009) @twz123)
+
+## [v3.6.15](https://github.com/traefik/traefik/tree/v3.6.15) (2026-04-29)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.14...v3.6.15)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.2 ([#13043](https://github.com/traefik/traefik/pull/13043) @ldez)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.35.1 ([#13027](https://github.com/traefik/traefik/pull/13027) @ldez)
+- **[middleware]** Add errorRequestHeaders option to Errors middleware ([#13034](https://github.com/traefik/traefik/pull/13034) @gndz07)
+- **[k8s/ingress-nginx]** Do not require a port for ExternalName services ([#13033](https://github.com/traefik/traefik/pull/13033) @kevinpollet)
+- **[server]** Bump github.com/vulcand/oxy to v2.1.0 ([#13046](https://github.com/traefik/traefik/pull/13046) @ldez)
+
+**Misc:**
+- Make FLAGS Make variable usable ([#13009](https://github.com/traefik/traefik/pull/13009) @twz123)
+
+## [v2.11.44](https://github.com/traefik/traefik/tree/v2.11.44) (2026-04-29)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.43...v2.11.44)
+
+**Bug fixes:**
+- **[middleware]** Add errorRequestHeaders option to Errors middleware ([#13034](https://github.com/traefik/traefik/pull/13034) @gndz07)
+- **[acme]** Bump github.com/go-acme/lego to v4.35.2 ([#13052](https://github.com/traefik/traefik/pull/13052) @mmatur)
+
+**Misc:**
+- Make FLAGS Make variable usable ([#13009](https://github.com/traefik/traefik/pull/13009) @twz123)
+
+## [v3.7.0-rc.2](https://github.com/traefik/traefik/tree/v3.7.0-rc.2) (2026-04-22)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-rc.1...v3.7.0-rc.2)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.34.0 ([#12993](https://github.com/traefik/traefik/pull/12993) @ldez)
+- **[docker]** Downgrade log level for missing container on inspect ([#12900](https://github.com/traefik/traefik/pull/12900) @Otoru)
+- **[k8s/crd, k8s]** Honor allowCrossNamespace with chain middleware CRD ([#12976](https://github.com/traefik/traefik/pull/12976) @rtribotte)
+- **[k8s/ingress-nginx]** Avoid 302 redirect when rewrite-target value is not an absolute URL for ingress-nginx provider ([#12977](https://github.com/traefik/traefik/pull/12977) @gndz07)
+- **[k8s/ingress-nginx]** Fix custom headers annotation with 503 Service Unavailable ([#12969](https://github.com/traefik/traefik/pull/12969) @LBF38)
+- **[k8s/ingress-nginx]** Fix service unavailable on ingress-nginx ([#12996](https://github.com/traefik/traefik/pull/12996) @LBF38)
+- **[k8s/ingress-nginx]** Handle duplicate server-alias on ingress-nginx provider ([#13019](https://github.com/traefik/traefik/pull/13019) @gndz07)
+- **[k8s/ingress-nginx]** Use QuoteMeta for cookie name when building canary rules ([#12973](https://github.com/traefik/traefik/pull/12973) @kevinpollet)
+- **[middleware, authentication]** Cleanup and make ForwardAuth logs consistent ([#13013](https://github.com/traefik/traefik/pull/13013) @kevinpollet)
+- **[middleware, authentication]** Fix trustForwardHeader on forward auth middleware ([#12994](https://github.com/traefik/traefik/pull/12994) @juliens)
+- **[middleware, authentication]** Remove map lookup making the basic auth notFoundSecret empty ([#12960](https://github.com/traefik/traefik/pull/12960) @rtribotte)
+- **[middleware, k8s/ingress-nginx]** Fix app-root with query params redirect ([#12986](https://github.com/traefik/traefik/pull/12986) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Fix rewrite target with full URL and no regex in ingress path ([#12992](https://github.com/traefik/traefik/pull/12992) @LBF38)
+- **[middleware, k8s/ingress-nginx]** Preserve request query on absolute-URL redirect ([#13020](https://github.com/traefik/traefik/pull/13020) @SAY-5)
+- **[middleware, k8s/ingress-nginx]** Resolve NGINX variables in ingress-nginx upstream-vhost annotation ([#12978](https://github.com/traefik/traefik/pull/12978) @mmatur)
+- **[middleware]** Deprecate ForwardAuth.TrustForwardHeader option ([#13012](https://github.com/traefik/traefik/pull/13012) @kevinpollet)
+- **[middleware]** Remove untrusted X headers with underscores ([#12961](https://github.com/traefik/traefik/pull/12961) @rtribotte)
+- **[middleware]** Sanitize the request URL after stripping the prefix ([#12990](https://github.com/traefik/traefik/pull/12990) @kevinpollet)
+- **[sticky-session, k8s/crd]** Make SameSite cookie value case-insensitive ([#12922](https://github.com/traefik/traefik/pull/12922) @murataslan1)
+- **[tls]** Restore default cipher suites when serversTransport has no explicit cipherSuites ([#12974](https://github.com/traefik/traefik/pull/12974) @mmatur)
+- **[webui]** Bump lodash version ([#12954](https://github.com/traefik/traefik/pull/12954) @gndz07)
+- **[webui]** Upgrade form-data to 2.5.4, 3.0.4, 4.0.4 ([#12958](https://github.com/traefik/traefik/pull/12958) @orbisai0security)
+
+**Documentation:**
+- **[k8s]** Fix yaml indentation ([#12957](https://github.com/traefik/traefik/pull/12957) @isayme)
+- **[k8s]** Clarify install config watchNamespace watches only one namespace ([#12962](https://github.com/traefik/traefik/pull/12962) @parkerfath)
+- **[k8s/crd]** Update ingressroute.md ([#12916](https://github.com/traefik/traefik/pull/12916) @Rajakavitha1)
+- **[k8s/ingress-nginx]** Document the rd parameter behavior for the auth-signin annotation ([#13017](https://github.com/traefik/traefik/pull/13017) @kevinpollet)
+- Reverse versions order in migration guide ([#12959](https://github.com/traefik/traefik/pull/12959) @nmengin)
+- Update vulnerability submission guidelines ([#12968](https://github.com/traefik/traefik/pull/12968) @emilevauge)
+
+## [v3.6.14](https://github.com/traefik/traefik/tree/v3.6.14) (2026-04-22)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.13...v3.6.14)
+
+**Bug fixes:**
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.34.0 ([#12993](https://github.com/traefik/traefik/pull/12993) @ldez)
+- **[docker]** Downgrade log level for missing container on inspect ([#12900](https://github.com/traefik/traefik/pull/12900) @Otoru)
+- **[sticky-session, k8s/crd]** Make SameSite cookie value case-insensitive ([#12922](https://github.com/traefik/traefik/pull/12922) @murataslan1)
+- **[k8s/crd, k8s]** Honor allowCrossNamespace with chain middleware CRD ([#12976](https://github.com/traefik/traefik/pull/12976) @rtribotte)
+- **[middleware]** Remove untrusted X headers with underscores ([#12961](https://github.com/traefik/traefik/pull/12961) @rtribotte)
+- **[middleware]** Sanitize the request URL after stripping the prefix ([#12990](https://github.com/traefik/traefik/pull/12990) @kevinpollet)
+- **[middleware]** Deprecate ForwardAuth.TrustForwardHeader option ([#13012](https://github.com/traefik/traefik/pull/13012) @kevinpollet)
+- **[middleware, authentication]** Remove map lookup making the basic auth notFoundSecret empty ([#12960](https://github.com/traefik/traefik/pull/12960) @rtribotte)
+- **[middleware, authentication]** Fix trustForwardHeader on forward auth middleware ([#12994](https://github.com/traefik/traefik/pull/12994) @juliens)
+- **[middleware, authentication]** Cleanup and make ForwardAuth logs consistent ([#13013](https://github.com/traefik/traefik/pull/13013) @kevinpollet)
+- **[webui]** Upgrade form-data to 2.5.4, 3.0.4, 4.0.4 ([#12958](https://github.com/traefik/traefik/pull/12958) @orbisai0security)
+
+**Documentation:**
+- **[k8s]** Fix yaml indentation ([#12957](https://github.com/traefik/traefik/pull/12957) @isayme)
+- **[k8s]** Clarify install config watchNamespace watches only one namespace ([#12962](https://github.com/traefik/traefik/pull/12962) @parkerfath)
+- **[k8s/crd]** Update ingressroute.md ([#12916](https://github.com/traefik/traefik/pull/12916) @Rajakavitha1)
+- Reverse versions order in migration guide ([#12959](https://github.com/traefik/traefik/pull/12959) @nmengin)
+- Update vulnerability submission guidelines ([#12968](https://github.com/traefik/traefik/pull/12968) @emilevauge)
+
+## [v2.11.43](https://github.com/traefik/traefik/tree/v2.11.43) (2026-04-22)
+[All Commits](https://github.com/traefik/traefik/compare/v2.11.42...v2.11.43)
+
+**Bug fixes:**
+- **[middleware, authentication]** Remove map lookup making the basic auth notFoundSecret empty ([#12960](https://github.com/traefik/traefik/pull/12960) @rtribotte)
+- **[middleware, authentication]** Fix trustForwardHeader on forward auth middleware ([#12994](https://github.com/traefik/traefik/pull/12994) @juliens)
+- **[middleware, authentication]** Cleanup and make ForwardAuth logs consistent ([#13013](https://github.com/traefik/traefik/pull/13013) @kevinpollet)
+- **[middleware]** Remove untrusted X headers with underscores ([#12961](https://github.com/traefik/traefik/pull/12961) @rtribotte)
+- **[middleware]** Sanitize the request URL after stripping the prefix ([#12990](https://github.com/traefik/traefik/pull/12990) @kevinpollet)
+- **[k8s/crd, k8s]** Honor allowCrossNamespace with chain middleware CRD ([#12976](https://github.com/traefik/traefik/pull/12976) @rtribotte)
+
+## [v3.7.0-rc.1](https://github.com/traefik/traefik/tree/v3.7.0-rc.1) (2026-04-07)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-ea.3...v3.7.0-rc.1)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Fix rewrite-target annotation handling with empty path and non-regex path ([#12905](https://github.com/traefik/traefik/pull/12905) @LBF38)
+- **[middleware]** Bump github.com/klauspost/compress v1.18.4 ([#12937](https://github.com/traefik/traefik/pull/12937) @thaJeztah)
+
+**Enhancement:**
+- **[webui]** Display server weight in service detail view ([#12325](https://github.com/traefik/traefik/pull/12325) @murataslan1)
+- **[webui, tls]** Add certificates menu and overview ([#12628](https://github.com/traefik/traefik/pull/12628) @holomekc)
+- **[provider]** Add providers routing precedence configuration ([#12895](https://github.com/traefik/traefik/pull/12895) @juliens)
+- **[k8s/ingress-nginx]** Support NGINX global auth annotation ([#12893](https://github.com/traefik/traefik/pull/12893) @foxcool)
+- **[k8s/ingress-nginx]** Add limit-burst-multiplier annotation support ([#12899](https://github.com/traefik/traefik/pull/12899) @amazon7737)
+- **[k8s/ingress-nginx, k8s/ingress, rules]** Add wildcard host in Host and HostSNI matchers ([#12884](https://github.com/traefik/traefik/pull/12884) @juliens)
+- **[k8s/gatewayapi]** Support multiple certificateRefs on gateway listeners ([#12590](https://github.com/traefik/traefik/pull/12590) @mortennordbye)
+- **[k8s/gatewayapi]** Add secret support for BackendTLSPolicy caCertificateRefs ([#12927](https://github.com/traefik/traefik/pull/12927) @kevinpollet)
+- **[accesslogs, k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/enable-access-log annotation ([#12908](https://github.com/traefik/traefik/pull/12908) @ris-tlp)
+- **[accesslogs, k8s/ingress-nginx, k8s/ingress]** Add Kubernetes Ingress logs fields ([#12913](https://github.com/traefik/traefik/pull/12913) @rtribotte)
+
+**Documentation:**
+- **[docker]** Fix docker-compose.yaml location in Docker setup page ([#12860](https://github.com/traefik/traefik/pull/12860) @ScottA38)
+- **[docker, consul, ecs, k8s]** Fix documentation on how to restrict the scope of service discovery ([#12645](https://github.com/traefik/traefik/pull/12645) @mloiseleur)
+- **[k8s/gatewayapi]** Update gateway-api link in getting-started to v1.5.1 ([#12930](https://github.com/traefik/traefik/pull/12930) @isayme)
+- **[k8s/ingress-nginx]** Add OVHcloud (OpenStack Octavia) to Cloud-Specific IP Management ([#12759](https://github.com/traefik/traefik/pull/12759) @antonin-a)
+- **[k8s/ingress-nginx]** Clarify IngressClass selection logic ([#12926](https://github.com/traefik/traefik/pull/12926) @kevinpollet)
+- Add redirects for deleted pages ([#12889](https://github.com/traefik/traefik/pull/12889) @sheddy-traefik)
+- Fix default value of http.sanitizePath ([#12904](https://github.com/traefik/traefik/pull/12904) @iTob191)
+
 ## [v3.6.13](https://github.com/traefik/traefik/tree/v3.6.13) (2026-04-07)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.12...v3.6.13)

@@ -13,6 +637,30 @@
 - Add redirects for deleted pages ([#12889](https://github.com/traefik/traefik/pull/12889) @sheddy-traefik)
 - Fix default value of http.sanitizePath ([#12904](https://github.com/traefik/traefik/pull/12904) @iTob191)

+## [v3.7.0-ea.3](https://github.com/traefik/traefik/tree/v3.7.0-ea.3) (2026-03-26)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-ea.2...v3.7.0-ea.3)
+
+**Bug fixes:**
+- **[k8s/crd]** Fix panic with Failover services in Kubernetes ([#12853](https://github.com/traefik/traefik/pull/12853) @juliens)
+- **[k8s/ingress-nginx]** Fix rewrite directive in configuration-snippet to trim quotes ([#12855](https://github.com/traefik/traefik/pull/12855) @gndz07)
+- **[k8s/ingress-nginx]** Fix rewrite-target to handle full URL ([#12854](https://github.com/traefik/traefik/pull/12854) @gndz07)
+- **[k8s/ingress-nginx]** Handle empty rewrite-target like unset rewrite-target ([#12832](https://github.com/traefik/traefik/pull/12832) @sathieu)
+- **[k8s/ingress-nginx]** Fix TLS behavior in ingress-nginx provider ([#12831](https://github.com/traefik/traefik/pull/12831) @LBF38)
+- **[k8s/ingress-nginx]** Fix auth-response-headers whitespace trimming in ingress-nginx provider ([#12856](https://github.com/traefik/traefik/pull/12856) @mmatur)
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.33.0 ([#12840](https://github.com/traefik/traefik/pull/12840) @ldez)
+- **[server, tcp]** Fix postgres STARTTLS with TLS termination ([#12847](https://github.com/traefik/traefik/pull/12847) @mmatur)
+- **[api]** Fix allow colons and tildes in api.basePath validation ([#12857](https://github.com/traefik/traefik/pull/12857) @mmatur)
+- **[server]** Fix comment and unnecessary allocation in withRoutingPath ([#12880](https://github.com/traefik/traefik/pull/12880) @boinger)
+- **[grpc]** Bump google.golang.org/grpc to v1.79.3 ([#12845](https://github.com/traefik/traefik/pull/12845) @mmatur)
+- **[middleware, authentication]** Prevent duplicate user headers in basic and digest auth middleware ([#12851](https://github.com/traefik/traefik/pull/12851) @juliens)
+- **[middleware]** Fix StripPrefix and StripPrefixRegex to slice the prefix using encoded prefix length ([#12863](https://github.com/traefik/traefik/pull/12863) @gndz07)
+
+**Documentation:**
+- **[acme]** Clarify CNAME explanation in ACME Documentation ([#12818](https://github.com/traefik/traefik/pull/12818) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Add ingress-nginx migration banner on documentation pages ([#12872](https://github.com/traefik/traefik/pull/12872) @gndz07)
+- **[k8s/ingress]** Improve Kubernetes Ingress Routing Documentation ([#12876](https://github.com/traefik/traefik/pull/12876) @sheddy-traefik)
+- **[k8s/ingress-nginx]** Clarify that NGINX Ingress watchNamespace watches only one namespace ([#12873](https://github.com/traefik/traefik/pull/12873) @parkerfath)
+
 ## [v3.6.12](https://github.com/traefik/traefik/tree/v3.6.12) (2026-03-26)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.11...v3.6.12)

@@ -32,6 +680,33 @@
 - **[k8s/ingress-nginx]** Clarify that NGINX Ingress watchNamespace watches only one namespace ([#12873](https://github.com/traefik/traefik/pull/12873) @parkerfath)
 - **[k8s/ingress]** Improve Kubernetes Ingress Routing Documentation ([#12876](https://github.com/traefik/traefik/pull/12876) @sheddy-traefik)

+## [v3.7.0-ea.2](https://github.com/traefik/traefik/tree/v3.7.0-ea.2) (2026-03-19)
+[All Commits](https://github.com/traefik/traefik/compare/v3.7.0-ea.1...v3.7.0-ea.2)
+
+**Enhancement:**
+- **[k8s/knative]** Support knative v1.20.0 ([#12441](https://github.com/traefik/traefik/pull/12441) @idurgakalyan)
+- **[k8s/gatewayapi]** Bump sigs.k8s.io/gateway-api to v1.5.1 ([#12768](https://github.com/traefik/traefik/pull/12768) @mmatur)
+- **[k8s/ingress-nginx, middleware, authentication]** Add support for auth-snippet ([#12778](https://github.com/traefik/traefik/pull/12778) @juliens)
+
+**Bug fixes:**
+- **[k8s/ingress-nginx]** Fix use-regex annotation behavior and add strictValidatePathType config for ingress-nginx provider ([#12773](https://github.com/traefik/traefik/pull/12773) @gndz07)
+- **[logs, otel]** Add OTel-conformant trace context attributes to access logs ([#12801](https://github.com/traefik/traefik/pull/12801) @mmatur)
+- **[k8s/gatewayapi]** Fix incorrect hostname matching between listener and route ([#12599](https://github.com/traefik/traefik/pull/12599) @TheColorman)
+- **[k8s/ingress]** Fix ingress router's rule ([#12808](https://github.com/traefik/traefik/pull/12808) @gndz07)
+- **[webui]** Remove AGPL license in code ([#12799](https://github.com/traefik/traefik/pull/12799) @Desel72)
+- **[k8s/ingress-nginx]** Fix proxy-ssl-verify annotation ([#12825](https://github.com/traefik/traefik/pull/12825) @LBF38)
+- **[http]** Add maxResponseBodySize configuration on HTTP provider ([#12788](https://github.com/traefik/traefik/pull/12788) @gndz07)
+- **[tls]** Support fragmented TLS client hello ([#12787](https://github.com/traefik/traefik/pull/12787) @rtribotte)
+- **[middleware, authentication]** Make basic auth check timing constant ([#12803](https://github.com/traefik/traefik/pull/12803) @rtribotte)
+
+  **Documentation:**
+- **[k8s]** Improve the multi tenant security note ([#12822](https://github.com/traefik/traefik/pull/12822) @nmengin)
+- Fix unnecessary escaping of pipe in regexp examples ([#12784](https://github.com/traefik/traefik/pull/12784) @diegmonti)
+- Add vulnerability submission quality guidelines ([#12807](https://github.com/traefik/traefik/pull/12807) @emilevauge)
+- Fix start up message format ([#12806](https://github.com/traefik/traefik/pull/12806) @mloiseleur)
+- Remove unsupported servers[n].address from TCP label examples ([#12817](https://github.com/traefik/traefik/pull/12817) @sheddy-traefik)
+- Bump mkdocs-traefiklabs to use consent mode ([#12804](https://github.com/traefik/traefik/pull/12804) @darkweaver87)
+
 ## [v3.6.11](https://github.com/traefik/traefik/tree/v3.6.11) (2026-03-19)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.10...v3.6.11)

@@ -72,10 +747,199 @@
 **Documentation:**
 - Bump mkdocs-traefiklabs to use consent mode ([#12804](https://github.com/traefik/traefik/pull/12804) @darkweaver87)

+## [v3.7.0-ea.1](https://github.com/traefik/traefik/tree/v3.7.0-ea.1) (2026-03-11)
+[All Commits](https://github.com/traefik/traefik/compare/v3.6.0-rc1...v3.7.0-ea.1)
+
+**Enhancements:**
+- **[accesslogs, otel]** Allow Stdio access logs alongsige OTLP logging ([#12307](https://github.com/traefik/traefik/pull/12307) by [Mulgish](https://github.com/Mulgish))
+- **[acme]** Add CertificateTimeout ACME configuration option ([#12278](https://github.com/traefik/traefik/pull/12278) by [ceko](https://github.com/ceko))
+- **[k8s/ingress-nginx]** Support nginx.ingress.kubernetes.io/allowlist-source-range ([#12659](https://github.com/traefik/traefik/pull/12659) by [ris-tlp](https://github.com/ris-tlp))
+- **[k8s/crd]** Add ingressClassName field to the CRDs spec ([#12313](https://github.com/traefik/traefik/pull/12313) by [kkrypt0nn](https://github.com/kkrypt0nn))
+- **[k8s/crd]** Service failover support in TraefikService CRD ([#12733](https://github.com/traefik/traefik/pull/12733) by [jspdown](https://github.com/jspdown))
+- **[k8s/crd, service]** Support cipher suites configuration with ServersTransport ([#11965](https://github.com/traefik/traefik/pull/11965) by [NEwa-05](https://github.com/NEwa-05))
+- **[k8s/ingress, middleware, k8s/crd, service, k8s/gatewayapi]** Services middleware and Gateway API filters on HTTP backends ([#12544](https://github.com/traefik/traefik/pull/12544) by [juliens](https://github.com/juliens))
+- **[k8s/ingress-nginx]** Add nginx.ingress.kubernetes.io/proxy-connect-timeout annotation ([#12572](https://github.com/traefik/traefik/pull/12572) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Add rewrite-target nginx annotations support ([#12534](https://github.com/traefik/traefik/pull/12534) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for app-root nginx annotation ([#12576](https://github.com/traefik/traefik/pull/12576) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for auth-signin annotation ([#12502](https://github.com/traefik/traefik/pull/12502) by [DesalLama](https://github.com/DesalLama))
+- **[k8s/ingress-nginx]** Add support for from-to-www-redirect NGINX annotation ([#12610](https://github.com/traefik/traefik/pull/12610) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for proxy-read-timeout and proxy-send-timeout NGINX annotations ([#12630](https://github.com/traefik/traefik/pull/12630) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for session-cookie-expires nginx annotation ([#12558](https://github.com/traefik/traefik/pull/12558) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Add support for upstream-hash-by NGINX annotation ([#12749](https://github.com/traefik/traefik/pull/12749) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Allow entry points to be specified on Nginx Ingresses ([#12727](https://github.com/traefik/traefik/pull/12727) by [ajacques](https://github.com/ajacques))
+- **[k8s/ingress-nginx]** Implement proxy-http-version annotation ([#12743](https://github.com/traefik/traefik/pull/12743) by [KshitijBharde](https://github.com/KshitijBharde))
+- **[k8s/ingress-nginx]** Nginx x-forwarded-prefix annotation ([#12697](https://github.com/traefik/traefik/pull/12697) by [nandorKollar](https://github.com/nandorKollar))
+- **[k8s/ingress-nginx]** Support auth-tls-secret and auth-tls-verify-client annotations ([#12595](https://github.com/traefik/traefik/pull/12595) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Support limit-rpm annotation for ingress-nginx ([#12703](https://github.com/traefik/traefik/pull/12703) by [Ph4rell](https://github.com/Ph4rell))
+- **[k8s/ingress-nginx]** Support limit-rps annotation for Ingress NGINX ([#12709](https://github.com/traefik/traefik/pull/12709) by [amazon7737](https://github.com/amazon7737))
+- **[k8s/ingress-nginx]** Support NGINX buffering annotations ([#12459](https://github.com/traefik/traefik/pull/12459) by [blasko03](https://github.com/blasko03))
+- **[k8s/ingress-nginx]** Support NGINX canary annotations ([#12739](https://github.com/traefik/traefik/pull/12739) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/ingress-nginx]** Support NGINX custom-headers annotation ([#12414](https://github.com/traefik/traefik/pull/12414) by [nandorKollar](https://github.com/nandorKollar))
+- **[k8s/ingress-nginx]** Support NGINX upstream-vhost annotation ([#12412](https://github.com/traefik/traefik/pull/12412) by [nandorKollar](https://github.com/nandorKollar))
+- **[k8s/ingress-nginx]** Support NGINX whitelist-source-range annotation ([#12423](https://github.com/traefik/traefik/pull/12423) by [blasko03](https://github.com/blasko03))
+- **[k8s/ingress-nginx]** Support permanent-redirect and temporal-redirect annotations ([#12561](https://github.com/traefik/traefik/pull/12561) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Support proxy-next-upstream* annotations ([#12710](https://github.com/traefik/traefik/pull/12710) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Support server-alias annotation for Ingress NGINX ([#12707](https://github.com/traefik/traefik/pull/12707) by [amazon7737](https://github.com/amazon7737))
+- **[k8s/ingress-nginx]** Support upstream-keepalive-timeout ([#12708](https://github.com/traefik/traefik/pull/12708) by [jcob-sikorski](https://github.com/jcob-sikorski))
+- **[k8s/ingress-nginx]** Add support for variable interpolation in auth-signin NGINX annotation ([#12640](https://github.com/traefik/traefik/pull/12640) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Implement server-snippet and configuration-snippet annotations ([#12715](https://github.com/traefik/traefik/pull/12715) by [juliens](https://github.com/juliens))
+- **[k8s/ingress-nginx]** Add custom-http-errors and default-backend annotations ([#12637](https://github.com/traefik/traefik/pull/12637) by [juliens](https://github.com/juliens))
+- **[k8s/ingress-nginx]** Support auth-tls-pass-certificate-to-upstream annotation ([#12629](https://github.com/traefik/traefik/pull/12629) by [gndz07](https://github.com/gndz07))
+- **[metrics]** Support file path for metrics.influxdb2.token option ([#12458](https://github.com/traefik/traefik/pull/12458) by [barhun](https://github.com/barhun))
+- **[middleware]** Add encodedCharacters middleware ([#12555](https://github.com/traefik/traefik/pull/12555) by [gndz07](https://github.com/gndz07))
+- **[middleware]** Enable retries based on HTTP response status codes, timeout, and non-idempotent methods ([#12667](https://github.com/traefik/traefik/pull/12667) by [LBF38](https://github.com/LBF38))
+- **[middleware, authentication]** Add authSignInURL in forward auth middleware ([#12293](https://github.com/traefik/traefik/pull/12293) by [kyounghunJang](https://github.com/kyounghunJang))
+- **[server]** Add global option to disable X-Forwarded-For appending ([#12374](https://github.com/traefik/traefik/pull/12374) by [lbenguigui](https://github.com/lbenguigui))
+- **[server]** Replace Split in loops with more efficient SplitSeq ([#12316](https://github.com/traefik/traefik/pull/12316) by [boqishan](https://github.com/boqishan))
+- **[service]** Failover according to response status code ([#12596](https://github.com/traefik/traefik/pull/12596) by [lbenguigui](https://github.com/lbenguigui))
+- **[tls]** Make TLSStore gracefully handle missing secrets ([#12522](https://github.com/traefik/traefik/pull/12522) by [david-garcia-garcia](https://github.com/david-garcia-garcia))
+- **[webui]** Add dashboard name configuration ([#12410](https://github.com/traefik/traefik/pull/12410) by [gndz07](https://github.com/gndz07))
+- **[webui]** Web UI dashboard improvements ([#12236](https://github.com/traefik/traefik/pull/12236) by [gndz07](https://github.com/gndz07))
+- **[webui]** Details pages UI improvement ([#12377](https://github.com/traefik/traefik/pull/12377) by [gndz07](https://github.com/gndz07))
+- Use unicode.MaxASCII for clearer ASCII check ([#12741](https://github.com/traefik/traefik/pull/12741) by [1911860538](https://github.com/1911860538))
+
+**Bug fixes:**
+- **[acme]** Add missing renew options ([#12467](https://github.com/traefik/traefik/pull/12467) by [ldez](https://github.com/ldez))
+- **[acme]** Add timeout to ACME-TLS/1 challenge handshake ([#12516](https://github.com/traefik/traefik/pull/12516) by [LBF38](https://github.com/LBF38))
+- **[acme]** Alter TLS renewal period ([#12479](https://github.com/traefik/traefik/pull/12479) by [LtHummus](https://github.com/LtHummus))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.28.0 ([#12218](https://github.com/traefik/traefik/pull/12218) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.29.0 ([#12333](https://github.com/traefik/traefik/pull/12333) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.30.1 ([#12432](https://github.com/traefik/traefik/pull/12432) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.31.0 ([#12529](https://github.com/traefik/traefik/pull/12529) by [ldez](https://github.com/ldez))
+- **[acme]** Bump github.com/go-acme/lego/v4 to v4.32.0 ([#12702](https://github.com/traefik/traefik/pull/12702) by [ldez](https://github.com/ldez))
+- **[acme]** Remove invalid private key in log ([#12574](https://github.com/traefik/traefik/pull/12574) by [juliens](https://github.com/juliens))
+- **[acme]** Replace hardcoded references to LetsEncrypt in log messages ([#12464](https://github.com/traefik/traefik/pull/12464) by [schildbach](https://github.com/schildbach))
+- **[cli]** Fix health check ping ([#12512](https://github.com/traefik/traefik/pull/12512) by [olamilekan000](https://github.com/olamilekan000))
+- **[docker]** Auto-negotiate Docker API Version ([#12256](https://github.com/traefik/traefik/pull/12256) by [felixbuenemann](https://github.com/felixbuenemann))
+- **[docker]** Bump Docker and OpenTelemetry dependencies ([#12761](https://github.com/traefik/traefik/pull/12761) by [mmatur](https://github.com/mmatur))
+- **[docker, docker/swarm]** Auto-negotiate Docker API version ([#12262](https://github.com/traefik/traefik/pull/12262) by [kevinpollet](https://github.com/kevinpollet))
+- **[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#12763](https://github.com/traefik/traefik/pull/12763) by [kevinpollet](https://github.com/kevinpollet))
+- **[healthcheck]** Reject absolute URL in healthcheck path configuration ([#12653](https://github.com/traefik/traefik/pull/12653) by [rtribotte](https://github.com/rtribotte))
+- **[healthcheck]** Validate healthcheck path configuration ([#12642](https://github.com/traefik/traefik/pull/12642) by [rtribotte](https://github.com/rtribotte))
+- **[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#12760](https://github.com/traefik/traefik/pull/12760) by [rtribotte](https://github.com/rtribotte))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.0 ([#12308](https://github.com/traefik/traefik/pull/12308) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.57.1 ([#12319](https://github.com/traefik/traefik/pull/12319) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.58.0 ([#12448](https://github.com/traefik/traefik/pull/12448) by [GreyXor](https://github.com/GreyXor))
+- **[http3]** Bump github.com/quic-go/quic-go to v0.59.0 ([#12553](https://github.com/traefik/traefik/pull/12553) by [jnoordsij](https://github.com/jnoordsij))
+- **[k8s]** Fix condition used for serving and fenced endpoints ([#12521](https://github.com/traefik/traefik/pull/12521) by [LBF38](https://github.com/LBF38))
+- **[k8s/gatewayapi]** Fix Gateway API router's rules ([#12753](https://github.com/traefik/traefik/pull/12753) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress]** Fix panic for empty defaultBackend and defaultBackend without resources ([#12509](https://github.com/traefik/traefik/pull/12509) by [gndz07](https://github.com/gndz07))
+- **[k8s/ingress-nginx]** Add AllowCrossNamespaceResources and GlobalAllowedResponseHeader options to control custom headers annotations ([#12680](https://github.com/traefik/traefik/pull/12680) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Deprecate Kubernetes Ingress NGINX provider experimental flag ([#12286](https://github.com/traefik/traefik/pull/12286) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Fix nginx rewrite target ([#12730](https://github.com/traefik/traefik/pull/12730) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix NGINX sslredirect annotation support ([#12387](https://github.com/traefik/traefik/pull/12387) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Fix nginx.ingress.kubernetes.io/proxy-ssl-verify annotation support ([#12351](https://github.com/traefik/traefik/pull/12351) by [rtribotte](https://github.com/rtribotte))
+- **[k8s/ingress-nginx]** Fix SSL redirect to match NGINX behavior ([#12361](https://github.com/traefik/traefik/pull/12361) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix the service name for ingress-nginx provider ([#12352](https://github.com/traefik/traefik/pull/12352) by [mmatur](https://github.com/mmatur))
+- **[k8s/ingress-nginx]** Fix use-regex nginx annotation ([#12531](https://github.com/traefik/traefik/pull/12531) by [LBF38](https://github.com/LBF38))
+- **[k8s/ingress-nginx]** Prevent Ingress Nginx provider http router to attach to an entrypoint with TLS ([#12528](https://github.com/traefik/traefik/pull/12528) by [rtribotte](https://github.com/rtribotte))
+- **[metrics, tracing, accesslogs]** Fix ObservabilityConfig SetDefaults  ([#12636](https://github.com/traefik/traefik/pull/12636) by [mmatur](https://github.com/mmatur))
+- **[middleware]** Fix case sensitivity on x-forwarded headers for Connection ([#12690](https://github.com/traefik/traefik/pull/12690) by [LBF38](https://github.com/LBF38))
+- **[middleware]** Fix HasSecureHeadersDefined returning false when stsSeconds is 0 ([#12684](https://github.com/traefik/traefik/pull/12684) by [veeceey](https://github.com/veeceey))
+- **[middleware, authentication]** Add maxResponseBodySize configuration to forwardAuth middleware ([#12694](https://github.com/traefik/traefik/pull/12694) by [gndz07](https://github.com/gndz07))
+- **[middleware, authentication]** Change ForwardAuth error log level from DEBUG to ERROR ([#12324](https://github.com/traefik/traefik/pull/12324) by [murataslan1](https://github.com/murataslan1))
+- **[middleware, authentication]** Handle empty/missing User-Agent header ([#12545](https://github.com/traefik/traefik/pull/12545) by [a-stangl](https://github.com/a-stangl))
+- **[middleware, k8s, k8s/ingress-nginx]** Fix from to www nginx annotation ([#12736](https://github.com/traefik/traefik/pull/12736) by [mmatur](https://github.com/mmatur))
+- **[middleware, k8s/ingress-nginx]** Fix custom error pages behavior for ingress-nginx provider ([#12738](https://github.com/traefik/traefik/pull/12738) by [mmatur](https://github.com/mmatur))
+- **[otel]** Bump go.opentelemetry.io/otel dependencies ([#12754](https://github.com/traefik/traefik/pull/12754) by [rtribotte](https://github.com/rtribotte))
+- **[plugins]** Validate plugin module name ([#12291](https://github.com/traefik/traefik/pull/12291) by [kevinpollet](https://github.com/kevinpollet))
+- **[redis]** Fix mutually exclusive verification for Redis ([#12442](https://github.com/traefik/traefik/pull/12442) by [juliens](https://github.com/juliens))
+- **[server]** Bump golang.org/x/crypto to v0.45.0 ([#12296](https://github.com/traefik/traefik/pull/12296) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Bump golang.org/x/net to v0.51.0 ([#12756](https://github.com/traefik/traefik/pull/12756) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Filter unknown nodes with file and env for the deprecation loader ([#12227](https://github.com/traefik/traefik/pull/12227) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Fix deny encoded characters ([#12454](https://github.com/traefik/traefik/pull/12454) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Fix deny encoded characters ([#12457](https://github.com/traefik/traefik/pull/12457) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Fix multi-layer routing with models ([#12258](https://github.com/traefik/traefik/pull/12258) by [juliens](https://github.com/juliens))
+- **[server]** Fix TLS handshake error handling ([#12692](https://github.com/traefik/traefik/pull/12692) by [juliens](https://github.com/juliens))
+- **[server]** Make encoded character options opt-in ([#12540](https://github.com/traefik/traefik/pull/12540) by [gndz07](https://github.com/gndz07))
+- **[server]** Make the aggregator compute provider namespace for router's parentRefs ([#12235](https://github.com/traefik/traefik/pull/12235) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12424](https://github.com/traefik/traefik/pull/12424) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Print access logs for rejected requests and warn about new behavior ([#12426](https://github.com/traefik/traefik/pull/12426) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Reject suspicious encoded characters ([#12360](https://github.com/traefik/traefik/pull/12360) by [rtribotte](https://github.com/rtribotte))
+- **[server]** Remove conn deadline after STARTTLS negociation ([#12639](https://github.com/traefik/traefik/pull/12639) by [rtribotte](https://github.com/rtribotte))
+- **[service]** Avoid recursion with services ([#12591](https://github.com/traefik/traefik/pull/12591) by [juliens](https://github.com/juliens))
+- **[tls]** Fix verifyServerCertMatchesURI function behavior ([#12575](https://github.com/traefik/traefik/pull/12575) by [kevinpollet](https://github.com/kevinpollet))
+- **[tls, server]** Cap TLS record length to RFC 8446 limit in ClientHello peeking ([#12638](https://github.com/traefik/traefik/pull/12638) by [mmatur](https://github.com/mmatur))
+- **[tracing, otel]** Use ParentBased sampler to respect parent span sampling decision ([#12403](https://github.com/traefik/traefik/pull/12403) by [xe-leon](https://github.com/xe-leon))
+- **[udp]** Revert "Avoid allocations in readLoop by using sync.Pool" ([#12267](https://github.com/traefik/traefik/pull/12267) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Bump dependencies of documentation and webui ([#12581](https://github.com/traefik/traefik/pull/12581) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix basePath validation for dashboard template ([#12729](https://github.com/traefik/traefik/pull/12729) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix blocked navigation on Safari ([#12231](https://github.com/traefik/traefik/pull/12231) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix missing type definition ([#12780](https://github.com/traefik/traefik/pull/12780) by [gndz07](https://github.com/gndz07))
+- **[webui]** Fix priority display in dashboard and ACME bypass redirect ([#12740](https://github.com/traefik/traefik/pull/12740) by [mmatur](https://github.com/mmatur))
+- **[webui]** Restore remote Upgrade to Hub button web component ([#12219](https://github.com/traefik/traefik/pull/12219) by [gndz07](https://github.com/gndz07))
+- **[webui]** Use url.Parse to validate X-Forwarded-Prefix value ([#12643](https://github.com/traefik/traefik/pull/12643) by [kevinpollet](https://github.com/kevinpollet))
+- **[webui]** Validate X-Forwarded-Prefix value for dashboard redirect ([#12514](https://github.com/traefik/traefik/pull/12514) by [LBF38](https://github.com/LBF38))
+
+**Documentation:**
+- **[acme]** Add missing ACME options and clean up table for more visibility ([#12208](https://github.com/traefik/traefik/pull/12208) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[api]** Fix typo in API dashboard configuration instructions ([#12335](https://github.com/traefik/traefik/pull/12335) by [NAICOLAS](https://github.com/NAICOLAS))
+- **[docker]** Add documentation for loadbalancer.server.url in Docker and Swarm providers ([#12289](https://github.com/traefik/traefik/pull/12289) by [webash](https://github.com/webash))
+- **[docker]** Update docker in-depth setup guide ([#12682](https://github.com/traefik/traefik/pull/12682) by [mdevino](https://github.com/mdevino))
+- **[docker/swarm]** Update swarm.md traefik version ([#12508](https://github.com/traefik/traefik/pull/12508) by [DBouraoui](https://github.com/DBouraoui))
+- **[k8s]** Fix Gateway API version and the list of features supported ([#12254](https://github.com/traefik/traefik/pull/12254) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Fix Kubernetes reference yml file ([#12406](https://github.com/traefik/traefik/pull/12406) by [mmatur](https://github.com/mmatur))
+- **[k8s]** Fix kubernetes.md with correct http redirections ([#12603](https://github.com/traefik/traefik/pull/12603) by [MartenM](https://github.com/MartenM))
+- **[k8s]** Fix Nginx provider documentation ([#12266](https://github.com/traefik/traefik/pull/12266) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Improve the K8S multi-tenancy security note ([#12444](https://github.com/traefik/traefik/pull/12444) by [nmengin](https://github.com/nmengin))
+- **[k8s]** Make labelSelector option casing more consistent ([#12658](https://github.com/traefik/traefik/pull/12658) by [holysoles](https://github.com/holysoles))
+- **[k8s, k8s/ingress-nginx]** Add configmaps right to Ingress NGINX RBAC ([#12557](https://github.com/traefik/traefik/pull/12557) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/gatewayapi]** Fix links of Helm chart values reference to providers.kubernetesGateway.enabled ([#12315](https://github.com/traefik/traefik/pull/12315) by [shouhei](https://github.com/shouhei))
+- **[k8s/ingress, k8s]** Fix Kubernetes Ingress provider documentation ([#12443](https://github.com/traefik/traefik/pull/12443) by [nmengin](https://github.com/nmengin))
+- **[k8s/ingress-nginx]** Add auth-signin to unsupported nginx annotations list ([#12370](https://github.com/traefik/traefik/pull/12370) by [fibsifan](https://github.com/fibsifan))
+- **[k8s/ingress-nginx]** Add RBAC documentation for Ingress NGINX provider ([#12445](https://github.com/traefik/traefik/pull/12445) by [nmn3m](https://github.com/nmn3m))
+- **[k8s/ingress-nginx]** Add temporary note to advertise the incoming NGINX annotations ([#12699](https://github.com/traefik/traefik/pull/12699) by [nmengin](https://github.com/nmengin))
+- **[k8s/ingress-nginx]** Fix default value of ingress-nginx provider in documentation ([#12328](https://github.com/traefik/traefik/pull/12328) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/ingress-nginx]** Fix ingress-nginx annotations documentation ([#12510](https://github.com/traefik/traefik/pull/12510) by [nmengin](https://github.com/nmengin))
+- **[k8s/ingress-nginx]** Improve ingress-nginx provider documentation ([#12288](https://github.com/traefik/traefik/pull/12288) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[k8s/ingress-nginx]** Improve the configuration options display of the Kubernetes ingress-nginx provider ([#12297](https://github.com/traefik/traefik/pull/12297) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/ingress-nginx]** NGINX Ingress Controller to Traefik Migration Guide ([#12318](https://github.com/traefik/traefik/pull/12318) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- **[middleware]** Correct documentation for Digest auth ([#12651](https://github.com/traefik/traefik/pull/12651) by [Zash](https://github.com/Zash))
+- **[middleware]** Fix default encodings in compress middleware ([#12216](https://github.com/traefik/traefik/pull/12216) by [Belphemur](https://github.com/Belphemur))
+- **[middleware, k8s/crd]** Fix the errors middleware's document for Kubernetes CRD ([#12600](https://github.com/traefik/traefik/pull/12600) by [yuito-it](https://github.com/yuito-it))
+- **[service]** Fix loadbalancer doc for highest random weight ([#12283](https://github.com/traefik/traefik/pull/12283) by [ozon2](https://github.com/ozon2))
+- **[tls]** Clarify SNI selection ([#12482](https://github.com/traefik/traefik/pull/12482) by [AnuragEkkati](https://github.com/AnuragEkkati))
+- Add @gndz07 as a current maintainer ([#12594](https://github.com/traefik/traefik/pull/12594) by [emilevauge](https://github.com/emilevauge))
+- Add a Breaking change note to the changelog ([#12398](https://github.com/traefik/traefik/pull/12398) by [nmengin](https://github.com/nmengin))
+- Add documentation about checkNewVersion ([#12298](https://github.com/traefik/traefik/pull/12298) by [darkweaver87](https://github.com/darkweaver87))
+- Add missing `.http` to TOML table names ([#12713](https://github.com/traefik/traefik/pull/12713) by [Darsstar](https://github.com/Darsstar))
+- Add product comparison matrix and features page ([#12037](https://github.com/traefik/traefik/pull/12037) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Bring back security section on API & Dashboard documentation page ([#12507](https://github.com/traefik/traefik/pull/12507) by [gndz07](https://github.com/gndz07))
+- Clarify doc about encoded characters rejection ([#12391](https://github.com/traefik/traefik/pull/12391) by [rtribotte](https://github.com/rtribotte))
+- Clean Up Menu Entries & Update Expose Overview ([#12405](https://github.com/traefik/traefik/pull/12405) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Correct encoded characters allowance in entrypoints.md ([#12679](https://github.com/traefik/traefik/pull/12679) by [Apflkuacha](https://github.com/Apflkuacha))
+- Correctly Format the HTTP Service Documentation ([#12311](https://github.com/traefik/traefik/pull/12311) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Document negative priority support for routers ([#12505](https://github.com/traefik/traefik/pull/12505) by [understood-the-assignment](https://github.com/understood-the-assignment))
+- Document Path matcher placeholder removal in v3 migration guide ([#12570](https://github.com/traefik/traefik/pull/12570) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix API basepath option documentation ([#12744](https://github.com/traefik/traefik/pull/12744) by [nmengin](https://github.com/nmengin))
+- Fix broken links in TCP Service and HTTP Router documentation ([#12215](https://github.com/traefik/traefik/pull/12215) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix code copy button positioning ([#12520](https://github.com/traefik/traefik/pull/12520) by [AnuragEkkati](https://github.com/AnuragEkkati))
+- Fix encoded characters entryPoint option documentation ([#12384](https://github.com/traefik/traefik/pull/12384) by [rtribotte](https://github.com/rtribotte))
+- Fix encoded characters option documentation ([#12373](https://github.com/traefik/traefik/pull/12373) by [kevinpollet](https://github.com/kevinpollet))
+- Fix encodedCharacters entryPoint option documentation ([#12385](https://github.com/traefik/traefik/pull/12385) by [rtribotte](https://github.com/rtribotte))
+- Fix incorrect TOML example in entrypoints docs ([#12711](https://github.com/traefik/traefik/pull/12711) by [mfmfuyu](https://github.com/mfmfuyu))
+- Fix link description in Traefik Proxy documentation ([#12488](https://github.com/traefik/traefik/pull/12488) by [schaerfo](https://github.com/schaerfo))
+- Fix Menu Item Naming ([#12431](https://github.com/traefik/traefik/pull/12431) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Fix migration guide indentation ([#12365](https://github.com/traefik/traefik/pull/12365) by [kevinpollet](https://github.com/kevinpollet))
+- Fix migration guide URLs in deprecation notice ([#12430](https://github.com/traefik/traefik/pull/12430) by [alexmar07](https://github.com/alexmar07))
+- Fix typo in kubernetes.md ([#12515](https://github.com/traefik/traefik/pull/12515) by [EdwardSalkeld](https://github.com/EdwardSalkeld))
+- Fix typo in v3.6 migration guide ([#12212](https://github.com/traefik/traefik/pull/12212) by [jnoordsij](https://github.com/jnoordsij))
+- Fix typo on JWT documentation ([#12616](https://github.com/traefik/traefik/pull/12616) by [mdevino](https://github.com/mdevino))
+- Improve Service Reference page ([#12541](https://github.com/traefik/traefik/pull/12541) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Improve the structure of the routing reference pages ([#12429](https://github.com/traefik/traefik/pull/12429) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Increased content width in documentation ([#12632](https://github.com/traefik/traefik/pull/12632) by [tobiasge](https://github.com/tobiasge))
+- Remove extra dots in migration guide ([#12573](https://github.com/traefik/traefik/pull/12573) by [rtribotte](https://github.com/rtribotte))
+- Remove extraneous dots in migration guide ([#12571](https://github.com/traefik/traefik/pull/12571) by [dathbe](https://github.com/dathbe))
+- Restore documentation on http.maxHeaderBytes ([#12440](https://github.com/traefik/traefik/pull/12440) by [mloiseleur](https://github.com/mloiseleur))
+- Split Expose User Guides & Add Multi-Layer Routing Section ([#12238](https://github.com/traefik/traefik/pull/12238) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update Configuration Overview Page ([#12202](https://github.com/traefik/traefik/pull/12202) by [sheddy-traefik](https://github.com/sheddy-traefik))
+- Update SECURITY.md ([#12304](https://github.com/traefik/traefik/pull/12304) by [cwayne18](https://github.com/cwayne18))
+- Update SECURITY.md to streamline information ([#12310](https://github.com/traefik/traefik/pull/12310) by [emilevauge](https://github.com/emilevauge))
+
 ## [v3.6.10](https://github.com/traefik/traefik/tree/v3.6.10) (2026-03-06)
 [All Commits](https://github.com/traefik/traefik/compare/v3.6.9...v3.6.10)

-  **Bug fixes:**
+**Bug fixes:**
 - **[docker]** Bump Docker and OpenTelemetry dependencies ([#12761](https://github.com/traefik/traefik/pull/12761) by [mmatur](https://github.com/mmatur))
 - **[fastproxy]** Bump github.com/valyala/fasthttp to v1.69.0 ([#12763](https://github.com/traefik/traefik/pull/12763) by [kevinpollet](https://github.com/kevinpollet))
 - **[healthcheck, grpc]** Remove path parsing with grpc healthcheck ([#12760](https://github.com/traefik/traefik/pull/12760) by [rtribotte](https://github.com/rtribotte))
@@ -0,0 +1 @@
+@AGENTS.md
@@ -58,7 +58,7 @@ generate:
 #? binary: Build the binary
 binary: generate-webui dist
 	@echo SHA: $(VERSION) $(CODENAME) $(DATE)
-	CGO_ENABLED=0 GOGC=${GOGC} GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS[*]} -ldflags "-s -w \
+	CGO_ENABLED=0 GOGC=${GOGC} GOOS=${GOOS} GOARCH=${GOARCH} go build ${FLAGS} -ldflags "-s -w \
    -X github.com/traefik/traefik/v3/pkg/version.Version=$(VERSION) \
    -X github.com/traefik/traefik/v3/pkg/version.Codename=$(CODENAME) \
    -X github.com/traefik/traefik/v3/pkg/version.BuildDate=$(DATE)" \
@@ -103,7 +103,7 @@ test-integration:
 #? test-gateway-api-conformance: Run the Gateway API conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the traefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -tags gatewayAPIConformance -test.run GatewayAPIConformanceSuite -traefikVersion="v3.6" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -tags gatewayAPIConformance -test.run GatewayAPIConformanceSuite -traefikVersion="v3.7" $(TESTFLAGS)

 .PHONY: test-knative-conformance
 #? test-knative-conformance: Run the Knative conformance tests
@@ -61,7 +61,12 @@ func Do(staticConfiguration static.Configuration) (*http.Response, error) {
 		return nil, fmt.Errorf("ping: missing %s entry point", ep)
 	}

-	client := &http.Client{Timeout: 5 * time.Second}
+	client := &http.Client{
+		Timeout: 5 * time.Second,
+		Transport: &http.Transport{
+			Proxy: nil,
+		},
+	}
 	protocol := "http"

 	// TODO Handle TLS on ping etc...
@@ -97,10 +97,10 @@ func runCmd(staticConfiguration *static.Configuration) error {
 		return fmt.Errorf("setting up logger: %w", err)
 	}

-	log.Warn().Msg("Traefik can reject some encoded characters in the request path. " +
-		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986), " +
-		"it is recommended to set these options to `false` to avoid split-view situation. " +
-		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.6/migrate/v3/#encoded-characters-configuration-default-values")
+	log.Warn().Msg("Traefik can reject some encoded characters in the request path." +
+		"When your backend is not fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986)," +
+		"it is recommended to set these options to `false` to avoid split-view situation." +
+		"Refer to the documentation for more details: https://doc.traefik.io/traefik/v3.7/migrate/v3/#encoded-characters-configuration-default-values")

 	http.DefaultTransport.(*http.Transport).Proxy = http.ProxyFromEnvironment

@@ -231,6 +231,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	if staticConfiguration.API != nil {
 		version.DisableDashboardAd = staticConfiguration.API.DisableDashboardAd
+		version.DashboardName = staticConfiguration.API.DashboardName
 	}

 	// Plugins
@@ -302,7 +303,7 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err

 	dialerManager := tcp.NewDialerManager(spiffeX509Source)
 	acmeHTTPHandler := getHTTPChallengeHandler(acmeProviders, httpChallengeProvider)
-	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler)
+	managerFactory := service.NewManagerFactory(*staticConfiguration, routinesPool, observabilityMgr, transportManager, proxyBuilder, acmeHTTPHandler, tlsManager)

 	// Router factory

@@ -1,4 +1,4 @@
 /* Use a wider grid to accommodate table content and code blocks. */
 .md-grid {
-  max-width: 1650px;
+  max-width: 1800px;
 }
@@ -24,6 +24,7 @@ description: "Traefik Proxy is an open source software with a thriving community
 * Baptiste Mayelle [@youkoulayley](https://github.com/youkoulayley)
 * Jesper Noordsij [@jnoordsij](https://github.com/jnoordsij)
 * Gina Adzani [@gndz07](https://github.com/gndz07)
+* Mathis Urien [@LBF38](https://github.com/LBF38)

 ## Past Maintainers

@@ -15,6 +15,10 @@ You can subscribe by sending an email to security+subscribe@traefik.io or on [th
 Reported vulnerabilities can be found on
 [cve.mitre.org](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=traefik).

+CVEs are only created for vulnerabilities affecting **Generally Available (GA) versions** of Traefik.
+Vulnerabilities discovered in non-GA versions (release candidates, betas, early access, or development branches)
+will be fixed without creating a CVE.
+
 ## Report a Vulnerability

 We want to keep Traefik safe for everyone.
@@ -22,6 +26,28 @@ If you've discovered a security vulnerability in Traefik,
 we appreciate your help in disclosing it to us in a responsible manner,
 by creating a [security advisory](https://github.com/traefik/traefik/security/advisories).

+## Code of Conduct for Vulnerability Submissions
+
+We are committed to handling every legitimate report responsibly,
+and we expect submitters to engage with our security team in a respectful and collaborative manner.
+
+The following behaviors are **not acceptable** and will not be tolerated:
+
+- **Threats** to publicly disclose the vulnerability if it is not fixed within a timeframe you set unilaterally.
+- **Ultimatums** or pressure tactics intended to force a faster response than our normal triage and remediation process allows.
+- **Demands** for payment, bug bounties, or any form of compensation in exchange for not disclosing the issue
+  (Traefik does not operate a paid bug bounty program).
+- **Aggressive, abusive, or disrespectful communication** with our security team.
+
+Submitters who engage in any of the above may face the following consequences:
+
+- The submitter **will not be credited** in the security advisory or any subsequent communication.
+- The submitter's GitHub profile may be **reported to GitHub** for violation of platform terms of service.
+- We may **decline to engage further** on the report, while still addressing the underlying issue if it is legitimate.
+
+We take security seriously and act on legitimate reports as quickly as our resources allow.
+Patience and constructive dialogue help us protect users effectively.
+
 ## Submission Quality Guidelines

 We have been receiving an increasing number of low-quality vulnerability reports that are not actual security issues.
@@ -8,6 +8,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
 - **Let's Encrypt** for automated certificate management
 - **Sticky sessions** for stateful applications
 - **Multi-layer routing** for hierarchical routing with a complex authentication based routing example
+- **Service middlewares** for applying middleware at the service level

 ## Prerequisites

@@ -382,6 +383,71 @@ You should see the response from the admin-backend service when authenticating a

 For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).

+## Service Middlewares
+
+Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
+
+This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
+
+### When to Use Service Middlewares
+
+Use service middlewares when:
+
+- Multiple routers forward traffic to the same service, and all should have the same middleware applied
+- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
+- You're centralizing middleware configuration at the service level for easier management
+
+### Add Service Middleware Labels
+
+Add the following labels to your whoami service in `docker-compose.yml`:
+
+```yaml
+services:
+  whoami:
+    image: traefik/whoami
+    networks:
+      - proxy
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)"
+      - "traefik.http.routers.whoami.entrypoints=websecure"
+      - "traefik.http.routers.whoami.tls=true"
+      # Define the middleware
+      - "traefik.http.middlewares.service-headers.headers.customRequestHeaders.X-Service-Middleware=applied"
+      # Attach middleware at the SERVICE level (not the router level)
+      - "traefik.http.services.whoami.middlewares=service-headers"
+      - "traefik.http.services.whoami.loadbalancer.server.port=80"
+```
+
+!!! info "Service-Level vs Router-Level Middlewares"
+
+    - **Router-level middleware** (`traefik.http.routers.<name>.middlewares`): Applied only when traffic matches that specific router's rule
+    - **Service-level middleware** (`traefik.http.services.<name>.middlewares`): Applied to all traffic reaching the service, regardless of which router forwarded it
+
+    When both are configured, router middlewares execute first, followed by service middlewares.
+
+Apply the changes:
+
+```bash
+docker compose up -d
+```
+
+### Test Service Middleware
+
+Verify the service middleware is working:
+
+```bash
+curl -k -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+In the response from whoami, you should see the custom header that was added by the service middleware:
+
+```text
+X-Service-Middleware: applied
+```
+
+For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
+
 ## Conclusion

 In this advanced guide, you've learned how to:
@@ -390,6 +456,7 @@ In this advanced guide, you've learned how to:
 - Automate certificate management with Let's Encrypt
 - Implement sticky sessions for stateful applications
 - Setup multi-layer routing for authentication-based routing
+- Apply middlewares at the service level for centralized middleware management

 These advanced capabilities allow you to build production-ready Traefik deployments with Docker. Each of these can be further customized to meet your specific requirements.

@@ -9,6 +9,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
 - **cert-manager** for automated certificate management (Gateway API)
 - **Sticky sessions** for stateful applications
 - **Multi-layer routing** for hierarchical routing with complex authentication scenarios (IngressRoute only)
+- **Service middlewares** for applying middleware at the service level

 ## Prerequisites

@@ -806,6 +807,182 @@ spec:

 For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).

+## Service Middlewares
+
+Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
+
+This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
+
+### When to Use Service Middlewares
+
+Use service middlewares when:
+
+- Multiple routers forward traffic to the same service, and all should have the same middleware applied
+- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
+- You're centralizing middleware configuration at the service level for easier management
+
+!!! info "Service-Level vs Router-Level Middlewares"
+
+    - **Router-level middleware**: Applied only when traffic matches that specific router's rule
+    - **Service-level middleware**: Applied to all traffic reaching the service, regardless of which router forwarded it
+
+    When both are configured, router middlewares execute first, followed by service middlewares.
+
+### Using IngressRoute with Service Middlewares
+
+With IngressRoute, you can attach middlewares directly to a service reference within a route:
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: service-headers
+  namespace: default
+spec:
+  headers:
+    customRequestHeaders:
+      X-Service-Middleware: "applied"
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`whoami.docker.localhost`)
+    kind: Rule
+    services:
+    - name: whoami
+      port: 80
+      middlewares:
+        - name: service-headers
+  tls: {}
+```
+
+Save this as `service-middleware-ingressroute.yaml` and apply it:
+
+```bash
+kubectl apply -f service-middleware-ingressroute.yaml
+```
+
+### Using Gateway API with Backend Filters
+
+Gateway API supports applying filters directly to individual backends through the `backendRefs[].filters` field. This enables backend-level request modifications.
+
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: service-headers
+  namespace: default
+spec:
+  headers:
+    customRequestHeaders:
+      X-Service-Middleware: "applied"
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  parentRefs:
+  - name: traefik-gateway
+    sectionName: websecure
+  hostnames:
+  - "whoami.docker.localhost"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: whoami
+      port: 80
+      filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: traefik.io
+          kind: Middleware
+          name: service-headers
+```
+
+Gateway API also supports the native `RequestHeaderModifier` filter type for simpler header modifications:
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  parentRefs:
+  - name: traefik-gateway
+    sectionName: websecure
+  hostnames:
+  - "whoami.docker.localhost"
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: whoami
+      port: 80
+      filters:
+      - type: RequestHeaderModifier
+        requestHeaderModifier:
+          add:
+          - name: X-Backend-Header
+            value: "gateway-api-filter"
+```
+
+Save and apply:
+
+```bash
+kubectl apply -f service-middleware-gateway.yaml
+```
+
+### Using Kubernetes Ingress with Service Annotation
+
+For standard Kubernetes Ingress, you can apply middlewares to a service using annotations:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami
+  namespace: default
+  annotations:
+    traefik.ingress.kubernetes.io/service.middlewares: default-service-headers@kubernetescrd
+spec:
+  selector:
+    app: whoami
+  ports:
+    - port: 80
+```
+
+The annotation value follows the format `<namespace>-<middleware-name>@kubernetescrd`.
+
+### Test Service Middleware
+
+Verify the service middleware is working:
+
+```bash
+curl -k -H "Host: whoami.docker.localhost" https://localhost/
+```
+
+In the response from whoami, you should see the custom header that was added by the service middleware:
+
+```text
+X-Service-Middleware: applied
+```
+
+For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
+
 ## Conclusion

 In this advanced guide, you've learned how to:
@@ -814,6 +991,7 @@ In this advanced guide, you've learned how to:
 - Automate certificate management with Let's Encrypt (IngressRoute) and cert-manager (Gateway API)
 - Implement sticky sessions for stateful applications
 - Setup multi-layer routing for authentication-based routing (IngressRoute only)
+- Apply middlewares at the service level for centralized middleware management

 These advanced capabilities allow you to build production-ready Traefik deployments with Kubernetes. Each of these can be further customized to meet your specific requirements.

@@ -8,6 +8,7 @@ In this advanced guide, you'll learn how to enhance your Traefik deployment with
 - **Let's Encrypt** for automated certificate management
 - **Sticky sessions** for stateful applications
 - **Multi-layer routing** for complex authentication scenarios
+- **Service middlewares** for applying middleware at the service level

 ## Prerequisites

@@ -382,6 +383,73 @@ You should see the response from the admin-backend service when authenticating a

 For more details about multi-layer routing, see the [Multi-Layer Routing documentation](../../reference/routing-configuration/http/routing/multi-layer-routing.md).

+## Service Middlewares
+
+Service middlewares allow you to apply middleware to a service rather than to individual routers. This means the middleware takes effect for all requests handled by the service, regardless of which router forwards the request.
+
+This is useful when you want to apply the same middleware (like headers, rate limiting, or authentication) to all traffic reaching a service without having to configure it on each router.
+
+### When to Use Service Middlewares
+
+Use service middlewares when:
+
+- Multiple routers forward traffic to the same service, and all should have the same middleware applied
+- You want to ensure a middleware is always applied to a service regardless of how traffic reaches it
+- You're centralizing middleware configuration at the service level for easier management
+
+### Add Service Middleware Labels
+
+Add the following labels to your whoami service deployment section in `docker-compose.yml`:
+
+```yaml
+services:
+  whoami:
+    image: traefik/whoami
+    networks:
+      - traefik_proxy
+    deploy:
+      replicas: 2
+      labels:
+        - "traefik.enable=true"
+        - "traefik.http.routers.whoami.rule=Host(`whoami.swarm.localhost`)"
+        - "traefik.http.routers.whoami.entrypoints=websecure"
+        - "traefik.http.routers.whoami.tls=true"
+        # Define the middleware
+        - "traefik.http.middlewares.service-headers.headers.customRequestHeaders.X-Service-Middleware=applied"
+        # Attach middleware at the SERVICE level (not the router level)
+        - "traefik.http.services.whoami.middlewares=service-headers"
+        - "traefik.http.services.whoami.loadbalancer.server.port=80"
+```
+
+!!! info "Service-Level vs Router-Level Middlewares"
+
+    - **Router-level middleware** (`traefik.http.routers.<name>.middlewares`): Applied only when traffic matches that specific router's rule
+    - **Service-level middleware** (`traefik.http.services.<name>.middlewares`): Applied to all traffic reaching the service, regardless of which router forwarded it
+
+    When both are configured, router middlewares execute first, followed by service middlewares.
+
+Deploy the stack:
+
+```bash
+docker stack deploy -c docker-compose.yml traefik
+```
+
+### Test Service Middleware
+
+Verify the service middleware is working:
+
+```bash
+curl -k -H "Host: whoami.swarm.localhost" https://localhost/
+```
+
+In the response from whoami, you should see the custom header that was added by the service middleware:
+
+```text
+X-Service-Middleware: applied
+```
+
+For more details on service middlewares, see the [reference documentation](../../reference/routing-configuration/http/load-balancing/service.md#middlewares).
+
 ## Conclusion

 In this advanced guide, you've learned how to:
@@ -390,6 +458,7 @@ In this advanced guide, you've learned how to:
 - Automate certificate management with Let's Encrypt
 - Implement sticky sessions for stateful applications
 - Setup multi-layer routing for authentication-based routing
+- Apply middlewares at the service level for centralized middleware management

 These advanced capabilities allow you to build production-ready Traefik deployments with Docker Swarm. Each of these can be further customized to meet your specific requirements.

@@ -77,7 +77,7 @@ traefik --help
 # or

 docker run traefik[:version] --help
-# ex: docker run traefik:v3.6 --help
+# ex: docker run traefik:v3.7 --help
 ```

 Check the [CLI reference](../reference/install-configuration/configuration-options.md "Link to CLI reference overview") for an overview about all available arguments.
@@ -36,7 +36,7 @@ This configuration:
 # docker-compose.yml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
@@ -84,7 +84,7 @@ docker run -d \
  -p 8080:8080 \
  -v $PWD/traefik.yml:/etc/traefik/traefik.yml \
  -v /var/run/docker.sock:/var/run/docker.sock \
-  traefik:v3.6
+  traefik:v3.7
 ```

 ## Expose the Dashboard
@@ -250,7 +250,7 @@ To use the Gateway API:
 Install the Gateway API CRDs in your cluster:

 ```bash
-kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
+kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
 ```

 Create an HTTPRoute. This configuration:
@@ -50,8 +50,9 @@ spec:
                name: whoami
                port:
                  number: 80
+```

---
+```yaml tab="Service & Deployment"
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -92,6 +93,12 @@ For a complete list of supported annotations and behavioral differences, see the

    The Kubernetes Ingress NGINX provider requires **Traefik v3.6.2 or later**.

+!!! info "Legacy Scheme Headers"
+
+    If your applications still depend on ingress-nginx's legacy `X-Forwarded-Scheme` or `X-Scheme` headers,
+    enable `entryPoints.<name>.forwardedHeaders.addXForwardedSchemeHeaders=true` on the entrypoints that receive this traffic.
+    This keeps `X-Forwarded-Proto` unchanged and restores the compatibility headers at the entrypoint level for every provider.
+
 ---

 ## Prerequisites
@@ -132,10 +139,85 @@ Final:       DNS → LoadBalancer → Traefik → Your Services

 **Migration Flow:**

-1. Install Traefik alongside NGINX (both serving traffic in parallel)
-2. Add Traefik LoadBalancer to DNS (if you choose DNS option; cf. step 3)
-3. Progressively shift traffic from NGINX to Traefik
-4. Remove NGINX from DNS, preserve the IngressClass, and uninstall
+- **Step 0** - Review your ingress-nginx ConfigMap and translate cluster-wide defaults to Traefik
+- **Step 1** - Install Traefik alongside NGINX
+- **Step 2** - Verify Traefik is handling traffic
+- **Step 3** - Progressively shift traffic from NGINX to Traefik
+- **Step 4** - Remove NGINX from DNS, preserve the IngressClass, and uninstall
+
+---
+
+## Step 0: Migrate Your Global ConfigMap Settings
+
+Before you install Traefik, review the global defaults currently set in the `ingress-nginx` ConfigMap.
+In ingress-nginx, the controller ConfigMap acts as a cluster-wide configuration layer.
+In Traefik, the same behavior is split across:
+
+- the `providers.kubernetesIngressNGINX` static configuration for ingress-nginx compatibility defaults
+- entryPoints for listener behavior such as HTTP-to-HTTPS redirection and PROXY protocol
+- dynamic `tls.options` and HTTP middlewares for TLS policy, HSTS, and other header behavior
+- Traefik access log configuration for request logging
+
+Start by exporting the ConfigMap you use today and reviewing the keys you have customized:
+
+```bash
+kubectl get configmap --all-namespaces -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller -o yaml
+```
+
+This label selector locates the controller ConfigMap regardless of the namespace or release name you used when installing ingress-nginx.
+
+!!! tip "Convert NGINX units before copying values"
+
+    Several ingress-nginx ConfigMap keys use NGINX-style values such as `16k`, `1m`, or `30s`.
+    In Traefik, the matching `providers.kubernetesIngressNGINX` options below expect:
+
+    - raw byte values for body-size and buffer settings
+    - integer seconds for `proxyConnectTimeout` and `proxyNextUpstreamTimeout`
+    - booleans for `proxyRequestBuffering` and `proxyBuffering`
+
+### ConfigMap to Traefik Mapping
+
+| ingress-nginx ConfigMap key | Traefik equivalent <br/> (provider options) | Notes |
+|---|---|---|
+| `proxy-connect-timeout` | `proxyConnectTimeout` | Use integer seconds. |
+| `proxy-request-buffering` | `proxyRequestBuffering` | Translate `on` / `off` to `true` / `false`. ingress-nginx enables request buffering by default, while Traefik defaults to `false`. |
+| `client-body-buffer-size` | `clientBodyBufferSize` | Convert values such as `16k` to bytes. |
+| `proxy-buffering` | `proxyBuffering` | Translate `on` / `off` to `true` / `false`. |
+| `proxy-body-size` | `proxyBodySize` | Convert values such as `1m` to bytes. |
+| `proxy-buffer-size` | `proxyBufferSize` | Convert values such as `8k` to bytes. |
+| `proxy-buffers-number` | `proxyBuffersNumber` | Keep the integer value. |
+| `proxy-next-upstream` | `proxyNextUpstream` | Use a space-separated list of retry conditions such as `error timeout http_502`. |
+| `proxy-next-upstream-timeout` | `proxyNextUpstreamTimeout` | Use integer seconds. |
+| `proxy-next-upstream-tries` | `proxyNextUpstreamTries` | Keep the integer value. |
+| `custom-http-errors` | `customHTTPErrors` | Also configure `providers.kubernetesIngressNGINX.defaultBackendService` if you want a global error page service. |
+| `global-allowed-response-headers` | `globalAllowedResponseHeaders` | Required for `nginx.ingress.kubernetes.io/custom-headers` annotations to take effect. |
+| `allow-cross-namespace-resources` | `allowCrossNamespaceResources` | Use when migrated ingresses must reference supported resources in other namespaces. |
+| `strict-validate-path-type` | `strictValidatePathType` | Traefik v3.7 defaults this option to `true`. |
+| `ssl-redirect` / `force-ssl-redirect` | `nginx.ingress.kubernetes.io/ssl-redirect` and `nginx.ingress.kubernetes.io/force-ssl-redirect` annotations, or cluster-wide [entryPoint redirection](../reference/install-configuration/entrypoints.md#configuration-example) | Traefik translates the annotations when they are present. For a global default, configure HTTP-to-HTTPS redirection on the `web` entryPoint and set `providers.kubernetesIngressNGINX.httpEntryPoint` / `httpsEntryPoint` if you need explicit entryPoint selection. |
+| `ssl-protocols` / `ssl-ciphers` | [TLS options](../reference/routing-configuration/http/tls/tls-options.md) | Apply them globally through an entryPoint TLS option, or per Ingress via `traefik.ingress.kubernetes.io/router.tls.options`. |
+| `hsts`, `hsts-max-age`, `hsts-include-subdomains`, `hsts-preload` | [Headers middleware](../reference/routing-configuration/http/middlewares/headers.md) | Use `stsSeconds`, `stsIncludeSubdomains`, `stsPreload`, and `forceSTSHeader`. Attach the middleware on an entryPoint for a cluster-wide default. |
+| `use-proxy-protocol` | [EntryPoint `proxyProtocol` configuration](../reference/install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) | Configure it on every entryPoint that sits behind a load balancer speaking PROXY protocol. |
+| `access-log-path` | `accessLog.filePath` | Static configuration. |
+| `log-format-upstream` | `accessLog.format` | Use Traefik's built-in `common`, `genericCLF`, or `json` formats. Custom NGINX log format strings do not have a 1:1 equivalent. |
+
+### ConfigMap Keys Without a Direct Equivalent
+
+Some ingress-nginx ConfigMap keys are NGINX-specific and can be dropped during migration because Traefik does not expose raw NGINX internals.
+Common examples include:
+
+- worker tuning such as `worker-processes`, `worker-cpu-affinity`, and Lua shared dict settings
+- snippet-style keys such as `main-snippet`, `http-snippet`, `server-snippet`, `location-snippet`, and `stream-snippet`
+- custom NGINX log format templates beyond Traefik's built-in access log formats
+
+When you find one of these keys, translate the underlying intent rather than trying to copy the directive verbatim.
+
+### Reference Pages
+
+- [Kubernetes Ingress NGINX provider configuration](../reference/install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md)
+- [Traefik TLS Options](../reference/routing-configuration/http/tls/tls-options.md)
+- [Traefik Headers Middleware](../reference/routing-configuration/http/middlewares/headers.md)
+- [Traefik EntryPoints configuration](../reference/install-configuration/entrypoints.md)
+- [ingress-nginx ConfigMap reference](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/)

 ---

@@ -154,6 +236,10 @@ Final:       DNS → LoadBalancer → Traefik → Your Services
    ```
 Install Traefik with the Kubernetes Ingress NGINX provider enabled. Both controllers will serve the same Ingress resources simultaneously.

+!!! warning "Read the status race condition note first"
+
+    Running both controllers against the same Ingresses creates contention on the `status.loadBalancer.ingress[]` field. Before installing, review the [Ingress Status Race Condition](#status-race) section in Step 3 and decide which mitigation to apply (disable `publishService` on Traefik, or use a transitional IngressClass).
+
 ### Add Traefik Helm Repository

 ```bash
@@ -166,7 +252,7 @@ helm repo update
 ```bash
 helm upgrade --install traefik traefik/traefik \
  --namespace traefik --create-namespace \
-  --set providers.kubernetesIngressNginx.enabled=true
+  --set providers.kubernetesIngressNGINX.enabled=true
 ```

 Or using a [values file](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/VALUES.md) for more configuration:
@@ -174,7 +260,7 @@ Or using a [values file](https://github.com/traefik/traefik-helm-chart/blob/mast
 ```yaml tab="traefik-values.yaml"
 ...
 providers:
-  kubernetesIngressNginx:
+  kubernetesIngressNGINX:
    enabled: true
 ...
 ```
@@ -279,11 +365,20 @@ echo $(kubectl get svc -n traefik traefik -o go-template='{{ $ing := index .stat

    Some ISPs ignore DNS TTL values to reduce traffic costs, caching records longer than specified. After removing NGINX from DNS, keep NGINX running for at least 24-48 hours before uninstalling to avoid dropping traffic from users whose ISPs have stale DNS caches.

-??? info "ExternalDNS Users"
+<a id="status-race"></a>

-    If you use [ExternalDNS](https://github.com/kubernetes-sigs/external-dns) to automatically manage DNS records based on Ingress status, both NGINX and Traefik will compete to update the Ingress status with their LoadBalancer IPs when `publishService` is enabled. Traefik typically wins because it updates faster, which can cause unexpected traffic shifts.
+!!! warning "Ingress Status Race Condition During Coexistence"

-    **Recommended approach for ExternalDNS:**
+    While both controllers manage the same Ingress resources (same `ingressClassName: nginx`), they will both attempt to write the LoadBalancer address into `status.loadBalancer.ingress[]` on every Ingress they own. Each controller overwrites the other in a tight reconciliation loop, with no error reported in the logs (just repeated `Updated ingress status` info lines on both sides).
+
+    Routing itself is not affected: both controllers correctly serve traffic during the coexistence window. The flapping status field affects anything that watches it:
+
+    - [ExternalDNS](https://github.com/kubernetes-sigs/external-dns), which may shift DNS records back and forth between the two LoadBalancer IPs.
+    - kube-state-metrics, monitoring dashboards, and alerting rules that observe Ingress status.
+    - GitOps tools such as ArgoCD or Flux, which will report a permanent drift on every affected Ingress.
+    - Custom operators reconciling on the Ingress status field.
+
+    **Recommended mitigation (option 1): disable status publishing on Traefik during coexistence**

    1. **[Install Traefik](#step-1-install-traefik-alongside-nginx) with `publishService` disabled**:

@@ -296,9 +391,11 @@ echo $(kubectl get svc -n traefik traefik -o go-template='{{ $ing := index .stat
              enabled: false  # Disable to prevent status updates
        ```

-    2. **Test Traefik** using [port-forward](#step-2-verify-traefik-is-handling-traffic) or a separate test hostname
+        Traefik keeps serving the Ingresses normally. It only stops writing the status field, leaving NGINX as the sole writer.

-    3. **Switch DNS via NGINX** - Configure NGINX to publish Traefik's service address:
+    2. **Test Traefik** using [port-forward](#step-2-verify-traefik-is-handling-traffic) or a separate test hostname.
+
+    3. **Switch DNS via NGINX** (ExternalDNS users only). Configure NGINX to publish Traefik's service address so ExternalDNS points traffic to Traefik:

        ```yaml
        # nginx-values.yaml
@@ -307,11 +404,13 @@ echo $(kubectl get svc -n traefik traefik -o go-template='{{ $ing := index .stat
            pathOverride: "traefik/traefik"  # Points to Traefik's service
        ```

-        This makes NGINX update the Ingress status with Traefik's LoadBalancer IP, causing ExternalDNS to point traffic to Traefik.
+    4. **Verify traffic flows through Traefik**. At this point, you can still roll back by removing the `pathOverride`.

-    4. **Verify traffic flows through Traefik** - At this point, you can still rollback by removing the `pathOverride`
+    5. **[Enable `publishService` on Traefik](#step-1-install-traefik-alongside-nginx)** and [uninstall NGINX](#step-4-uninstall-ingress-nginx-controller).

-    5. **[Enable `publishService` on Traefik](#step-1-install-traefik-alongside-nginx)** and [uninstall NGINX](#step-5-uninstall-nginx-ingress-controller)
+    **Alternative mitigation (option 2): use a transitional IngressClass**
+
+    Give the migrating NGINX a distinct IngressClass (for example `nginx-migration`) so the two controllers never own the same Ingress at the same time. This is the approach SUSE documents for RKE2 migrations: see [SUSE: Migrate from Ingress NGINX to Traefik](https://documentation.suse.com/cloudnative/rke2/latest/en/reference/ingress_migration.html). This avoids any contention on `status.loadBalancer.ingress[]` entirely, at the cost of a short traffic-cutover step instead of a progressive DNS shift.

 ### Option B: External Load Balancer with Weighted Traffic

@@ -453,14 +552,14 @@ kubectl get svc -n ingress-nginx ingress-nginx-controller -o go-template='{{ $in
    
    ```bash
    NGINX_IP=$(kubectl get svc -n ingress-nginx ingress-nginx-controller \
-  -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
-     
+      -o go-template='{{ $ing := index .status.loadBalancer.ingress 0 }}{{ if $ing.ip }}{{ $ing.ip }}{{ else }}{{ $ing.hostname }}{{ end }}')
+
    echo "NGINX IP: $NGINX_IP"
    ```
-    
+
    **Edit your existing NGINX LoadBalancer service to ensure that the floating IP is not released when the loadbalancer service is deleted:**
-    
-    
+
+    ```bash
    kubectl annotate svc my-lb-svc loadbalancer.openstack.org/keep-floatingip=true
    ```
    
@@ -17,7 +17,7 @@ For more information about the changes in Traefik v2, please refer to the [v2 do

    We created a tool to help during the migration: [traefik-migration-tool](https://github.com/traefik/traefik-migration-tool)

-    This tool allows to:
+    This tool lets you:

    - convert `Ingress` to Traefik `IngressRoute` resources.
    - convert `acme.json` file from v1 to v2 format.
@@ -680,7 +680,7 @@ It can be configured in the install configuration.
 ##### Configure the Syntax Per Router

 The rule syntax can also be configured on a per-router basis.
-This allows to have heterogeneous router configurations and ease migration.
+This allows you to have heterogeneous router configurations and ease migration.

 ??? example "An example router with syntax configuration"

@@ -175,6 +175,7 @@ When using the `json` format, you can customize which fields are included in you

 - **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#json-format-fields).
 - **Request Headers:** You can also specify which request headers should be included in the logs, and whether their values should be `kept`, `dropped`, or `redacted`.
+- **Request Query Parameters:** You can choose to `keep` or `drop` the query parameters for a request.

 !!! info
    For detailed configuration options, refer to the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md).
@@ -30,6 +30,7 @@
 - "traefik.http.middlewares.middleware08.digestauth.removeheader=true"
 - "traefik.http.middlewares.middleware08.digestauth.users=foobar, foobar"
 - "traefik.http.middlewares.middleware08.digestauth.usersfile=foobar"
+- "traefik.http.middlewares.middleware09.errors.errorrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.errors.query=foobar"
 - "traefik.http.middlewares.middleware09.errors.service=foobar"
 - "traefik.http.middlewares.middleware09.errors.status=foobar, foobar"
@@ -193,6 +193,7 @@
        status = ["foobar", "foobar"]
        service = "foobar"
        query = "foobar"
+        errorRequestHeaders = ["foobar", "foobar"]
        [http.middlewares.Middleware09.errors.statusRewrites]
          name0 = 42
          name1 = 42
@@ -379,6 +380,9 @@
      serverName = "foobar"
      insecureSkipVerify = true
      rootCAs = ["foobar", "foobar"]
+      cipherSuites = ["foobar", "foobar"]
+      minVersion = "foobar"
+      maxVersion = "foobar"
      maxIdleConnsPerHost = 42
      disableHTTP2 = true
      peerCertURI = "foobar"
@@ -403,6 +407,9 @@
      serverName = "foobar"
      insecureSkipVerify = true
      rootCAs = ["foobar", "foobar"]
+      cipherSuites = ["foobar", "foobar"]
+      minVersion = "foobar"
+      maxVersion = "foobar"
      maxIdleConnsPerHost = 42
      disableHTTP2 = true
      peerCertURI = "foobar"
@@ -208,6 +208,9 @@ http:
          name1: 42
        service: foobar
        query: foobar
+        errorRequestHeaders:
+          - foobar
+          - foobar
    Middleware10:
      forwardAuth:
        address: foobar
@@ -438,6 +441,11 @@ http:
          keyFile: foobar
        - certFile: foobar
          keyFile: foobar
+      cipherSuites:
+        - foobar
+        - foobar
+      minVersion: foobar
+      maxVersion: foobar
      maxIdleConnsPerHost: 42
      forwardingTimeouts:
        dialTimeout: 42s
@@ -463,6 +471,11 @@ http:
          keyFile: foobar
        - certFile: foobar
          keyFile: foobar
+      cipherSuites:
+        - foobar
+        - foobar
+      minVersion: foobar
+      maxVersion: foobar
      maxIdleConnsPerHost: 42
      forwardingTimeouts:
        dialTimeout: 42s
@@ -24,7 +24,7 @@ spec:
      serviceAccountName: traefik-controller
      containers:
        - name: traefik
-          image: traefik:v3.6
+          image: traefik:v3.7
          args:
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443
@@ -8,6 +8,7 @@ rules:
    resources:
      - services
      - secrets
+      - configmaps
    verbs:
      - list
      - watch
@@ -43,16 +43,20 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
                  Default: all.
                items:
                  type: string
                type: array
+              ingressClassName:
+                description: IngressClassName defines the name of the IngressClass
+                  cluster resource.
+                type: string
              parentRefs:
                description: |-
                  ParentRefs defines references to parent IngressRoute resources for multi-layer routing.
                  When set, this IngressRoute's routers will be children of the referenced parent IngressRoute's routers.
-                  More info: https://doc.traefik.io/traefik/v3.6/routing/routers/#parentrefs
+                  More info: https://doc.traefik.io/traefik/v3.7/routing/routers/#parentrefs
                items:
                  description: IngressRouteRef is a reference to an IngressRoute resource.
                  properties:
@@ -84,12 +88,12 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/
                      type: string
                    middlewares:
                      description: |-
                        Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/middleware/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/middleware/
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
@@ -109,7 +113,7 @@ spec:
                    observability:
                      description: |-
                        Observability defines the observability configuration for a router.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/observability/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/observability/
                      properties:
                        accessLogs:
                          description: AccessLogs enables access logs for this router.
@@ -132,7 +136,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#priority
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/#priority
                      maximum: 9223372036854775000
                      type: integer
                    services:
@@ -219,6 +223,25 @@ spec:
                            - Service
                            - TraefikService
                            type: string
+                          middlewares:
+                            description: Middlewares defines the list of references
+                              to Middleware resources to apply to the service.
+                            items:
+                              description: MiddlewareRef is a reference to a Middleware
+                                resource.
+                              properties:
+                                name:
+                                  description: Name defines the name of the referenced
+                                    Middleware resource.
+                                  type: string
+                                namespace:
+                                  description: Namespace defines the namespace of
+                                    the referenced Middleware resource.
+                                  type: string
+                              required:
+                              - name
+                              type: object
+                            type: array
                          name:
                            description: |-
                              Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -302,7 +325,7 @@ spec:
                          sticky:
                            description: |-
                              Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
@@ -340,6 +363,9 @@ spec:
                                    - none
                                    - lax
                                    - strict
+                                    - None
+                                    - Lax
+                                    - Strict
                                    type: string
                                  secure:
                                    description: Secure defines whether the cookie
@@ -373,7 +399,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/rules-and-priority/#rulesyntax

                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      type: string
@@ -384,18 +410,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/routing/router/#tls
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/routing/router/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/tls/certificate-resolvers/acme/
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#domains
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -414,17 +440,17 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-options/
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-options/
                    properties:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsoption/
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsoption/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsoption/
                        type: string
                    required:
                    - name
@@ -441,12 +467,12 @@ spec:
                      name:
                        description: |-
                          Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsstore/
                        type: string
                      namespace:
                        description: |-
                          Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/tlsstore/
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/tlsstore/
                        type: string
                    required:
                    - name
@@ -43,11 +43,15 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
                  Default: all.
                items:
                  type: string
                type: array
+              ingressClassName:
+                description: IngressClassName defines the name of the IngressClass
+                  cluster resource.
+                type: string
              routes:
                description: Routes defines the list of routes.
                items:
@@ -56,7 +60,7 @@ spec:
                    match:
                      description: |-
                        Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +84,7 @@ spec:
                    priority:
                      description: |-
                        Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/#priority
                      maximum: 9223372036854775000
                      type: integer
                    services:
@@ -122,7 +126,7 @@ spec:
                          proxyProtocol:
                            description: |-
                              ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/service/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/service/#proxy-protocol

                              Deprecated: ProxyProtocol will not be supported in future APIVersions, please use ServersTransport to configure ProxyProtocol instead.
                            properties:
@@ -166,7 +170,7 @@ spec:
                    syntax:
                      description: |-
                        Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/rules-and-priority/#rulesyntax

                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                      enum:
@@ -180,18 +184,18 @@ spec:
              tls:
                description: |-
                  TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/routing/router/#tls
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/routing/router/#tls
                properties:
                  certResolver:
                    description: |-
                      CertResolver defines the name of the certificate resolver to use.
                      Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/tls/certificate-resolvers/acme/
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/tls/certificate-resolvers/acme/
                    type: string
                  domains:
                    description: |-
                      Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#domains
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/tls/#domains
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
@@ -210,7 +214,7 @@ spec:
                    description: |-
                      Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                      If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/tls/#tls-options
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
@@ -43,11 +43,15 @@ spec:
                description: |-
                  EntryPoints defines the list of entry point names to bind to.
                  Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/install-configuration/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/install-configuration/entrypoints/
                  Default: all.
                items:
                  type: string
                type: array
+              ingressClassName:
+                description: IngressClassName defines the name of the IngressClass
+                  cluster resource.
+                type: string
              routes:
                description: Routes defines the list of routes.
                items:
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -45,7 +45,7 @@ spec:
                description: |-
                  AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/addprefix/
                properties:
                  prefix:
                    description: |-
@@ -60,12 +60,12 @@ spec:
                description: |-
                  BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/basicauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/basicauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -86,7 +86,7 @@ spec:
                description: |-
                  Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/buffering/#maxrequestbodybytes
                properties:
                  maxRequestBodyBytes:
                    description: |-
@@ -118,14 +118,14 @@ spec:
                    description: |-
                      RetryExpression defines the retry conditions.
                      It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/buffering/#retryexpression
                    type: string
                type: object
              chain:
                description: |-
                  Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/chain/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/chain/
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
@@ -188,7 +188,7 @@ spec:
                description: |-
                  Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/compress/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/compress/
                properties:
                  defaultEncoding:
                    description: DefaultEncoding specifies the default encoding if
@@ -239,12 +239,12 @@ spec:
                description: |-
                  DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/digestauth/
                properties:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/digestauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/digestauth/#headerfield
                    type: string
                  realm:
                    description: |-
@@ -260,11 +260,44 @@ spec:
                      containing user credentials.
                    type: string
                type: object
+              encodedCharacters:
+                description: EncodedCharacters configures which encoded characters
+                  are allowed in the request path.
+                properties:
+                  allowEncodedBackSlash:
+                    description: AllowEncodedBackSlash defines whether requests with
+                      encoded back slash characters in the path are allowed.
+                    type: boolean
+                  allowEncodedHash:
+                    description: AllowEncodedHash defines whether requests with encoded
+                      hash characters in the path are allowed.
+                    type: boolean
+                  allowEncodedNullCharacter:
+                    description: AllowEncodedNullCharacter defines whether requests
+                      with encoded null characters in the path are allowed.
+                    type: boolean
+                  allowEncodedPercent:
+                    description: AllowEncodedPercent defines whether requests with
+                      encoded percent characters in the path are allowed.
+                    type: boolean
+                  allowEncodedQuestionMark:
+                    description: AllowEncodedQuestionMark defines whether requests
+                      with encoded question mark characters in the path are allowed.
+                    type: boolean
+                  allowEncodedSemicolon:
+                    description: AllowEncodedSemicolon defines whether requests with
+                      encoded semicolon characters in the path are allowed.
+                    type: boolean
+                  allowEncodedSlash:
+                    description: AllowEncodedSlash defines whether requests with encoded
+                      slash characters in the path are allowed.
+                    type: boolean
+                type: object
              errors:
                description: |-
                  ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/errorpages/
                properties:
                  query:
                    description: |-
@@ -276,7 +309,7 @@ spec:
                  service:
                    description: |-
                      Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/errorpages/#service
                    properties:
                      healthCheck:
                        description: Healthcheck defines health checks for ExternalName
@@ -354,6 +387,25 @@ spec:
                        - Service
                        - TraefikService
                        type: string
+                      middlewares:
+                        description: Middlewares defines the list of references to
+                          Middleware resources to apply to the service.
+                        items:
+                          description: MiddlewareRef is a reference to a Middleware
+                            resource.
+                          properties:
+                            name:
+                              description: Name defines the name of the referenced
+                                Middleware resource.
+                              type: string
+                            namespace:
+                              description: Namespace defines the namespace of the
+                                referenced Middleware resource.
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
                      name:
                        description: |-
                          Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -437,7 +489,7 @@ spec:
                      sticky:
                        description: |-
                          Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
@@ -474,6 +526,9 @@ spec:
                                - none
                                - lax
                                - strict
+                                - None
+                                - Lax
+                                - Strict
                                type: string
                              secure:
                                description: Secure defines whether the cookie can
@@ -526,7 +581,7 @@ spec:
                description: |-
                  ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/
                properties:
                  addAuthCookiesToResponse:
                    description: AddAuthCookiesToResponse defines the list of cookies
@@ -554,7 +609,11 @@ spec:
                  authResponseHeadersRegex:
                    description: |-
                      AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/#authresponseheadersregex
+                    type: string
+                  authSigninURL:
+                    description: AuthSigninURL specifies the URL to redirect to when
+                      the authentication server returns 401 Unauthorized.
                    type: string
                  forwardBody:
                    description: ForwardBody defines whether to send the request body
@@ -563,7 +622,7 @@ spec:
                  headerField:
                    description: |-
                      HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/forwardauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/forwardauth/#headerfield
                    type: string
                  maxBodySize:
                    description: MaxBodySize defines the maximum body size in bytes
@@ -609,8 +668,10 @@ spec:
                        type: boolean
                    type: object
                  trustForwardHeader:
-                    description: 'TrustForwardHeader defines whether to trust (ie:
-                      forward) all X-Forwarded-* headers.'
+                    description: |-
+                      TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
+
+                      Deprecated: Use forwardedHeaders.trustedIPs at the EntryPoint level instead, and set trustForwardHeader to true on this middleware.
                    type: boolean
                type: object
              grpcWeb:
@@ -630,7 +691,7 @@ spec:
                description: |-
                  Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/headers/#customrequestheaders
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
@@ -802,7 +863,7 @@ spec:
                description: |-
                  InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/inflightreq/
                properties:
                  amount:
                    description: |-
@@ -816,12 +877,12 @@ spec:
                      SourceCriterion defines what criterion is used to group requests as originating from a common source.
                      If several strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/inflightreq/#sourcecriterion
                    properties:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -857,12 +918,12 @@ spec:
                description: |-
                  IPAllowList holds the IP allowlist middleware configuration.
                  This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/
                properties:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -900,7 +961,7 @@ spec:
                  ipStrategy:
                    description: |-
                      IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
@@ -931,7 +992,7 @@ spec:
                description: |-
                  PassTLSClientCert holds the pass TLS client cert middleware configuration.
                  This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/passtlsclientcert/
                properties:
                  info:
                    description: Info selects the specific client certificate details
@@ -1034,13 +1095,13 @@ spec:
                  x-kubernetes-preserve-unknown-fields: true
                description: |-
                  Plugin defines the middleware plugin configuration.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/overview/#community-middlewares
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/overview/#community-middlewares
                type: object
              rateLimit:
                description: |-
                  RateLimit holds the rate limit configuration.
                  This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/ratelimit/
                properties:
                  average:
                    description: |-
@@ -1159,7 +1220,7 @@ spec:
                      ipStrategy:
                        description: |-
                          IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/ipallowlist/#ipstrategy
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
@@ -1195,7 +1256,7 @@ spec:
                description: |-
                  RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/redirectregex/#regex
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
@@ -1214,7 +1275,7 @@ spec:
                description: |-
                  RedirectScheme holds the redirect scheme middleware configuration.
                  This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/redirectscheme/
                properties:
                  permanent:
                    description: |-
@@ -1232,7 +1293,7 @@ spec:
                description: |-
                  ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/replacepath/
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
@@ -1243,7 +1304,7 @@ spec:
                description: |-
                  ReplacePathRegex holds the replace path regex middleware configuration.
                  This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/replacepathregex/
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
@@ -1259,13 +1320,18 @@ spec:
                  Retry holds the retry middleware configuration.
                  This middleware reissues requests a given number of times to a backend server if that server does not reply.
                  As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/middlewares/retry/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/middlewares/retry/
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
                      be retried.
                    minimum: 0
                    type: integer
+                  disableRetryOnNetworkError:
+                    description: DisableRetryOnNetworkError defines whether to disable
+                      the retry if an error occurs when transmitting the request to
+                      the server.
+                    type: boolean
                  initialInterval:
                    anyOf:
                    - type: integer
@@ -1278,12 +1344,40 @@ spec:
                      see https://pkg.go.dev/time#ParseDuration.
                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                    x-kubernetes-int-or-string: true
+                  maxRequestBodyBytes:
+                    description: |-
+                      MaxRequestBodyBytes defines the maximum size for the request body.
+                      Default is `-1`, which means no limit.
+                    format: int64
+                    minimum: -1
+                    type: integer
+                  retryNonIdempotentMethod:
+                    description: RetryNonIdempotentMethod activates the retry for
+                      non-idempotent methods (POST, LOCK, PATCH)
+                    type: boolean
+                  status:
+                    description: Status defines the range of HTTP status codes to
+                      retry on.
+                    items:
+                      pattern: ^([1-5][0-9]{2}[,-]?)+$
+                      type: string
+                    type: array
+                  timeout:
+                    anyOf:
+                    - type: integer
+                    - type: string
+                    description: |-
+                      Timeout defines how much time the middleware is allowed to retry the request.
+                      The value of timeout should be provided in seconds or as a valid duration format,
+                      see https://pkg.go.dev/time#ParseDuration.
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
+                    x-kubernetes-int-or-string: true
                type: object
              stripPrefix:
                description: |-
                  StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/stripprefix/
                properties:
                  forceSlash:
                    description: |-
@@ -1302,7 +1396,7 @@ spec:
                description: |-
                  StripPrefixRegex holds the strip prefix regex middleware configuration.
                  This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.6/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.7/middlewares/http/stripprefixregex/
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/overview/
        properties:
          apiVersion:
            description: |-
@@ -56,7 +56,7 @@ spec:
                description: |-
                  IPAllowList defines the IPAllowList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/ipallowlist/
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +69,7 @@ spec:
                description: |-
                  IPWhiteList defines the IPWhiteList middleware configuration.
                  This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/middlewares/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/middlewares/ipwhitelist/

                  Deprecated: please use IPAllowList instead.
                properties:
@@ -21,7 +21,7 @@ spec:
          ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/serverstransport/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/serverstransport/
        properties:
          apiVersion:
            description: |-
@@ -49,6 +49,12 @@ spec:
                items:
                  type: string
                type: array
+              cipherSuites:
+                description: CipherSuites defines the cipher suites to use when contacting
+                  backend servers.
+                items:
+                  type: string
+                type: array
              disableHTTP2:
                description: DisableHTTP2 disables HTTP/2 for connections with backend
                  servers.
@@ -109,6 +115,14 @@ spec:
                  to keep per-host.
                minimum: -1
                type: integer
+              maxVersion:
+                description: MaxVersion defines the maximum TLS version to use when
+                  contacting backend servers.
+                type: string
+              minVersion:
+                description: MinVersion defines the minimum TLS version to use when
+                  contacting backend servers.
+                type: string
              peerCertURI:
                description: PeerCertURI defines the peer cert URI used to match against
                  SAN URI during the peer certificate verification.
@@ -21,7 +21,7 @@ spec:
          ServersTransportTCP is the CRD implementation of a TCPServersTransport.
          If no tcpServersTransport is specified, a default one named default@internal will be used.
          The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/tcp/serverstransport/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/tcp/serverstransport/
        properties:
          apiVersion:
            description: |-
@@ -19,7 +19,7 @@ spec:
      openAPIV3Schema:
        description: |-
          TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#tls-options
        properties:
          apiVersion:
            description: |-
@@ -44,14 +44,14 @@ spec:
              alpnProtocols:
                description: |-
                  ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#alpn-protocols
                items:
                  type: string
                type: array
              cipherSuites:
                description: |-
                  CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#cipher-suites
                items:
                  type: string
                type: array
@@ -79,7 +79,7 @@ spec:
              curvePreferences:
                description: |-
                  CurvePreferences defines the preferred elliptic curves.
-                  More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#curve-preferences
                items:
                  type: string
                type: array
@@ -21,7 +21,7 @@ spec:
          TLSStore is the CRD implementation of a Traefik TLS Store.
          For the time being, only the TLSStore named default is supported.
          This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/tls/tls-certificates/#certificates-stores#certificates-stores
        properties:
          apiVersion:
            description: |-
@@ -22,7 +22,7 @@ spec:
          TraefikService object allows to:
          - Apply weight to Services on load-balancing
          - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/
+          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/traefikservice/
        properties:
          apiVersion:
            description: |-
@@ -44,6 +44,532 @@ spec:
          spec:
            description: TraefikServiceSpec defines the desired state of a TraefikService.
            properties:
+              failover:
+                description: Failover defines the Failover service configuration.
+                properties:
+                  errors:
+                    description: Errors defines which errors should trigger the use
+                      of the fallback service.
+                    properties:
+                      maxRequestBodyBytes:
+                        description: |-
+                          MaxRequestBodyBytes defines the maximum size allowed for the body of the request.
+                          Default value is -1, which means unlimited size.
+                        format: int64
+                        type: integer
+                      status:
+                        description: Status defines the list of status code ranges
+                          for which the fallback service should be used.
+                        items:
+                          type: string
+                        type: array
+                    type: object
+                  fallback:
+                    description: Fallback defines the fallback service to use when
+                      the main service returns an error.
+                    properties:
+                      healthCheck:
+                        description: Healthcheck defines health checks for ExternalName
+                          services.
+                        properties:
+                          followRedirects:
+                            description: |-
+                              FollowRedirects defines whether redirects should be followed during the health check calls.
+                              Default: true
+                            type: boolean
+                          headers:
+                            additionalProperties:
+                              type: string
+                            description: Headers defines custom headers to be sent
+                              to the health check endpoint.
+                            type: object
+                          hostname:
+                            description: Hostname defines the value of hostname in
+                              the Host header of the health check request.
+                            type: string
+                          interval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Interval defines the frequency of the health check calls for healthy targets.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                          method:
+                            description: Method defines the healthcheck method.
+                            type: string
+                          mode:
+                            description: |-
+                              Mode defines the health check mode.
+                              If defined to grpc, will use the gRPC health check protocol to probe the server.
+                              Default: http
+                            type: string
+                          path:
+                            description: Path defines the server URL path for the
+                              health check endpoint.
+                            type: string
+                          port:
+                            description: Port defines the server URL port for the
+                              health check endpoint.
+                            type: integer
+                          scheme:
+                            description: Scheme replaces the server URL scheme for
+                              the health check endpoint.
+                            type: string
+                          status:
+                            description: Status defines the expected HTTP status code
+                              of the response to the health check request.
+                            type: integer
+                          timeout:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                              Default: 5s
+                            x-kubernetes-int-or-string: true
+                          unhealthyInterval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                              When UnhealthyInterval is not defined, it defaults to the Interval value.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                        type: object
+                      kind:
+                        description: Kind defines the kind of the Service.
+                        enum:
+                        - Service
+                        - TraefikService
+                        type: string
+                      middlewares:
+                        description: Middlewares defines the list of references to
+                          Middleware resources to apply to the service.
+                        items:
+                          description: MiddlewareRef is a reference to a Middleware
+                            resource.
+                          properties:
+                            name:
+                              description: Name defines the name of the referenced
+                                Middleware resource.
+                              type: string
+                            namespace:
+                              description: Namespace defines the namespace of the
+                                referenced Middleware resource.
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      name:
+                        description: |-
+                          Name defines the name of the referenced Kubernetes Service or TraefikService.
+                          The differentiation between the two is specified in the Kind field.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Kubernetes Service or TraefikService.
+                        type: string
+                      nativeLB:
+                        description: |-
+                          NativeLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                          The Kubernetes Service itself does load-balance to the pods.
+                          By default, NativeLB is false.
+                        type: boolean
+                      nodePortLB:
+                        description: |-
+                          NodePortLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                          It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                          By default, NodePortLB is false.
+                        type: boolean
+                      passHostHeader:
+                        description: |-
+                          PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                          By default, passHostHeader is true.
+                        type: boolean
+                      passiveHealthCheck:
+                        description: PassiveHealthCheck defines passive health checks
+                          for ExternalName services.
+                        properties:
+                          failureWindow:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: FailureWindow defines the time window during
+                              which the failed attempts must occur for the server
+                              to be marked as unhealthy. It also defines for how long
+                              the server will be considered unhealthy.
+                            x-kubernetes-int-or-string: true
+                          maxFailedAttempts:
+                            description: MaxFailedAttempts is the number of consecutive
+                              failed attempts allowed within the failure window before
+                              marking the server as unhealthy.
+                            type: integer
+                        type: object
+                      port:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Port defines the port of a Kubernetes Service.
+                          This can be a reference to a named port.
+                        x-kubernetes-int-or-string: true
+                      responseForwarding:
+                        description: ResponseForwarding defines how Traefik forwards
+                          the response from the upstream Kubernetes Service to the
+                          client.
+                        properties:
+                          flushInterval:
+                            description: |-
+                              FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                              A negative value means to flush immediately after each write to the client.
+                              This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                              for such responses, writes are flushed to the client immediately.
+                              Default: 100ms
+                            type: string
+                        type: object
+                      scheme:
+                        description: |-
+                          Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                          It defaults to https when Kubernetes Service port is 443, http otherwise.
+                        type: string
+                      serversTransport:
+                        description: |-
+                          ServersTransport defines the name of ServersTransport resource to use.
+                          It allows to configure the transport between Traefik and your servers.
+                          Can only be used on a Kubernetes Service.
+                        type: string
+                      sticky:
+                        description: |-
+                          Sticky defines the sticky sessions configuration.
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                        properties:
+                          cookie:
+                            description: Cookie defines the sticky cookie configuration.
+                            properties:
+                              domain:
+                                description: |-
+                                  Domain defines the host to which the cookie will be sent.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                type: string
+                              httpOnly:
+                                description: HTTPOnly defines whether the cookie can
+                                  be accessed by client-side APIs, such as JavaScript.
+                                type: boolean
+                              maxAge:
+                                description: |-
+                                  MaxAge defines the number of seconds until the cookie expires.
+                                  When set to a negative number, the cookie expires immediately.
+                                  When set to zero, the cookie never expires.
+                                type: integer
+                              name:
+                                description: Name defines the Cookie name.
+                                type: string
+                              path:
+                                description: |-
+                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                  When not provided the cookie will be sent on every request to the domain.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                type: string
+                              sameSite:
+                                description: |-
+                                  SameSite defines the same site policy.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                enum:
+                                - none
+                                - lax
+                                - strict
+                                - None
+                                - Lax
+                                - Strict
+                                type: string
+                              secure:
+                                description: Secure defines whether the cookie can
+                                  only be transmitted over an encrypted connection
+                                  (i.e. HTTPS).
+                                type: boolean
+                            type: object
+                        type: object
+                      strategy:
+                        description: |-
+                          Strategy defines the load balancing strategy between the servers.
+                          Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
+                          RoundRobin value is deprecated and supported for backward compatibility.
+                        enum:
+                        - wrr
+                        - p2c
+                        - hrw
+                        - leasttime
+                        - RoundRobin
+                        type: string
+                      weight:
+                        description: |-
+                          Weight defines the weight and should only be specified when Name references a TraefikService object
+                          (and to be precise, one that embeds a Weighted Round Robin).
+                        minimum: 0
+                        type: integer
+                    required:
+                    - name
+                    type: object
+                  service:
+                    description: Service defines the main service to use.
+                    properties:
+                      healthCheck:
+                        description: Healthcheck defines health checks for ExternalName
+                          services.
+                        properties:
+                          followRedirects:
+                            description: |-
+                              FollowRedirects defines whether redirects should be followed during the health check calls.
+                              Default: true
+                            type: boolean
+                          headers:
+                            additionalProperties:
+                              type: string
+                            description: Headers defines custom headers to be sent
+                              to the health check endpoint.
+                            type: object
+                          hostname:
+                            description: Hostname defines the value of hostname in
+                              the Host header of the health check request.
+                            type: string
+                          interval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Interval defines the frequency of the health check calls for healthy targets.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                          method:
+                            description: Method defines the healthcheck method.
+                            type: string
+                          mode:
+                            description: |-
+                              Mode defines the health check mode.
+                              If defined to grpc, will use the gRPC health check protocol to probe the server.
+                              Default: http
+                            type: string
+                          path:
+                            description: Path defines the server URL path for the
+                              health check endpoint.
+                            type: string
+                          port:
+                            description: Port defines the server URL port for the
+                              health check endpoint.
+                            type: integer
+                          scheme:
+                            description: Scheme replaces the server URL scheme for
+                              the health check endpoint.
+                            type: string
+                          status:
+                            description: Status defines the expected HTTP status code
+                              of the response to the health check request.
+                            type: integer
+                          timeout:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
+                              Default: 5s
+                            x-kubernetes-int-or-string: true
+                          unhealthyInterval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                              When UnhealthyInterval is not defined, it defaults to the Interval value.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
+                        type: object
+                      kind:
+                        description: Kind defines the kind of the Service.
+                        enum:
+                        - Service
+                        - TraefikService
+                        type: string
+                      middlewares:
+                        description: Middlewares defines the list of references to
+                          Middleware resources to apply to the service.
+                        items:
+                          description: MiddlewareRef is a reference to a Middleware
+                            resource.
+                          properties:
+                            name:
+                              description: Name defines the name of the referenced
+                                Middleware resource.
+                              type: string
+                            namespace:
+                              description: Namespace defines the namespace of the
+                                referenced Middleware resource.
+                              type: string
+                          required:
+                          - name
+                          type: object
+                        type: array
+                      name:
+                        description: |-
+                          Name defines the name of the referenced Kubernetes Service or TraefikService.
+                          The differentiation between the two is specified in the Kind field.
+                        type: string
+                      namespace:
+                        description: Namespace defines the namespace of the referenced
+                          Kubernetes Service or TraefikService.
+                        type: string
+                      nativeLB:
+                        description: |-
+                          NativeLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+                          The Kubernetes Service itself does load-balance to the pods.
+                          By default, NativeLB is false.
+                        type: boolean
+                      nodePortLB:
+                        description: |-
+                          NodePortLB controls, when creating the load-balancer,
+                          whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
+                          It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
+                          By default, NodePortLB is false.
+                        type: boolean
+                      passHostHeader:
+                        description: |-
+                          PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+                          By default, passHostHeader is true.
+                        type: boolean
+                      passiveHealthCheck:
+                        description: PassiveHealthCheck defines passive health checks
+                          for ExternalName services.
+                        properties:
+                          failureWindow:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: FailureWindow defines the time window during
+                              which the failed attempts must occur for the server
+                              to be marked as unhealthy. It also defines for how long
+                              the server will be considered unhealthy.
+                            x-kubernetes-int-or-string: true
+                          maxFailedAttempts:
+                            description: MaxFailedAttempts is the number of consecutive
+                              failed attempts allowed within the failure window before
+                              marking the server as unhealthy.
+                            type: integer
+                        type: object
+                      port:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          Port defines the port of a Kubernetes Service.
+                          This can be a reference to a named port.
+                        x-kubernetes-int-or-string: true
+                      responseForwarding:
+                        description: ResponseForwarding defines how Traefik forwards
+                          the response from the upstream Kubernetes Service to the
+                          client.
+                        properties:
+                          flushInterval:
+                            description: |-
+                              FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+                              A negative value means to flush immediately after each write to the client.
+                              This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+                              for such responses, writes are flushed to the client immediately.
+                              Default: 100ms
+                            type: string
+                        type: object
+                      scheme:
+                        description: |-
+                          Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+                          It defaults to https when Kubernetes Service port is 443, http otherwise.
+                        type: string
+                      serversTransport:
+                        description: |-
+                          ServersTransport defines the name of ServersTransport resource to use.
+                          It allows to configure the transport between Traefik and your servers.
+                          Can only be used on a Kubernetes Service.
+                        type: string
+                      sticky:
+                        description: |-
+                          Sticky defines the sticky sessions configuration.
+                          More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                        properties:
+                          cookie:
+                            description: Cookie defines the sticky cookie configuration.
+                            properties:
+                              domain:
+                                description: |-
+                                  Domain defines the host to which the cookie will be sent.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                type: string
+                              httpOnly:
+                                description: HTTPOnly defines whether the cookie can
+                                  be accessed by client-side APIs, such as JavaScript.
+                                type: boolean
+                              maxAge:
+                                description: |-
+                                  MaxAge defines the number of seconds until the cookie expires.
+                                  When set to a negative number, the cookie expires immediately.
+                                  When set to zero, the cookie never expires.
+                                type: integer
+                              name:
+                                description: Name defines the Cookie name.
+                                type: string
+                              path:
+                                description: |-
+                                  Path defines the path that must exist in the requested URL for the browser to send the Cookie header.
+                                  When not provided the cookie will be sent on every request to the domain.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
+                                type: string
+                              sameSite:
+                                description: |-
+                                  SameSite defines the same site policy.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                enum:
+                                - none
+                                - lax
+                                - strict
+                                - None
+                                - Lax
+                                - Strict
+                                type: string
+                              secure:
+                                description: Secure defines whether the cookie can
+                                  only be transmitted over an encrypted connection
+                                  (i.e. HTTPS).
+                                type: boolean
+                            type: object
+                        type: object
+                      strategy:
+                        description: |-
+                          Strategy defines the load balancing strategy between the servers.
+                          Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).
+                          RoundRobin value is deprecated and supported for backward compatibility.
+                        enum:
+                        - wrr
+                        - p2c
+                        - hrw
+                        - leasttime
+                        - RoundRobin
+                        type: string
+                      weight:
+                        description: |-
+                          Weight defines the weight and should only be specified when Name references a TraefikService object
+                          (and to be precise, one that embeds a Weighted Round Robin).
+                        minimum: 0
+                        type: integer
+                    required:
+                    - name
+                    type: object
+                required:
+                - errors
+                - fallback
+                - service
+                type: object
              highestRandomWeight:
                description: HighestRandomWeight defines the highest random weight
                  service configuration.
@@ -131,6 +657,25 @@ spec:
                          - Service
                          - TraefikService
                          type: string
+                        middlewares:
+                          description: Middlewares defines the list of references
+                            to Middleware resources to apply to the service.
+                          items:
+                            description: MiddlewareRef is a reference to a Middleware
+                              resource.
+                            properties:
+                              name:
+                                description: Name defines the name of the referenced
+                                  Middleware resource.
+                                type: string
+                              namespace:
+                                description: Namespace defines the namespace of the
+                                  referenced Middleware resource.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
                        name:
                          description: |-
                            Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -214,7 +759,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -251,6 +796,9 @@ spec:
                                  - none
                                  - lax
                                  - strict
+                                  - None
+                                  - Lax
+                                  - Strict
                                  type: string
                                secure:
                                  description: Secure defines whether the cookie can
@@ -368,6 +916,24 @@ spec:
                      Default value is -1, which means unlimited size.
                    format: int64
                    type: integer
+                  middlewares:
+                    description: Middlewares defines the list of references to Middleware
+                      resources to apply to the service.
+                    items:
+                      description: MiddlewareRef is a reference to a Middleware resource.
+                      properties:
+                        name:
+                          description: Name defines the name of the referenced Middleware
+                            resource.
+                          type: string
+                        namespace:
+                          description: Namespace defines the namespace of the referenced
+                            Middleware resource.
+                          type: string
+                      required:
+                      - name
+                      type: object
+                    type: array
                  mirrorBody:
                    description: |-
                      MirrorBody defines whether the body of the request should be mirrored.
@@ -455,6 +1021,25 @@ spec:
                          - Service
                          - TraefikService
                          type: string
+                        middlewares:
+                          description: Middlewares defines the list of references
+                            to Middleware resources to apply to the service.
+                          items:
+                            description: MiddlewareRef is a reference to a Middleware
+                              resource.
+                            properties:
+                              name:
+                                description: Name defines the name of the referenced
+                                  Middleware resource.
+                                type: string
+                              namespace:
+                                description: Namespace defines the namespace of the
+                                  referenced Middleware resource.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
                        name:
                          description: |-
                            Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -543,7 +1128,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -580,6 +1165,9 @@ spec:
                                  - none
                                  - lax
                                  - strict
+                                  - None
+                                  - Lax
+                                  - Strict
                                  type: string
                                secure:
                                  description: Secure defines whether the cookie can
@@ -692,7 +1280,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -729,6 +1317,9 @@ spec:
                            - none
                            - lax
                            - strict
+                            - None
+                            - Lax
+                            - Strict
                            type: string
                          secure:
                            description: Secure defines whether the cookie can only
@@ -843,6 +1434,25 @@ spec:
                          - Service
                          - TraefikService
                          type: string
+                        middlewares:
+                          description: Middlewares defines the list of references
+                            to Middleware resources to apply to the service.
+                          items:
+                            description: MiddlewareRef is a reference to a Middleware
+                              resource.
+                            properties:
+                              name:
+                                description: Name defines the name of the referenced
+                                  Middleware resource.
+                                type: string
+                              namespace:
+                                description: Namespace defines the namespace of the
+                                  referenced Middleware resource.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
                        name:
                          description: |-
                            Name defines the name of the referenced Kubernetes Service or TraefikService.
@@ -926,7 +1536,7 @@ spec:
                        sticky:
                          description: |-
                            Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/http/load-balancing/service/#sticky-sessions
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
@@ -963,6 +1573,9 @@ spec:
                                  - none
                                  - lax
                                  - strict
+                                  - None
+                                  - Lax
+                                  - Strict
                                  type: string
                                secure:
                                  description: Secure defines whether the cookie can
@@ -996,7 +1609,7 @@ spec:
                  sticky:
                    description: |-
                      Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.6/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.7/reference/routing-configuration/kubernetes/crd/http/traefikservice/#stickiness-and-load-balancing
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
@@ -1033,6 +1646,9 @@ spec:
                            - none
                            - lax
                            - strict
+                            - None
+                            - Lax
+                            - Strict
                            type: string
                          secure:
                            description: Secure defines whether the cookie can only
@@ -10,10 +10,12 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-accesslog" href="#opt-accesslog" title="#opt-accesslog">accesslog</a> | Access log settings. | false |
 | <a id="opt-accesslog-addinternals" href="#opt-accesslog-addinternals" title="#opt-accesslog-addinternals">accesslog.addinternals</a> | Enables access log for internal services (ping, dashboard, etc...). | false |
 | <a id="opt-accesslog-bufferingsize" href="#opt-accesslog-bufferingsize" title="#opt-accesslog-bufferingsize">accesslog.bufferingsize</a> | Number of access log lines to process in a buffered way. | 0 |
+| <a id="opt-accesslog-dualoutput" href="#opt-accesslog-dualoutput" title="#opt-accesslog-dualoutput">accesslog.dualoutput</a> | Enables access log output alongside OTLP. By default, this output is disabled when OTLP is configured. | false |
 | <a id="opt-accesslog-fields-defaultmode" href="#opt-accesslog-fields-defaultmode" title="#opt-accesslog-fields-defaultmode">accesslog.fields.defaultmode</a> | Default mode for fields: keep | drop | keep |
 | <a id="opt-accesslog-fields-headers-defaultmode" href="#opt-accesslog-fields-headers-defaultmode" title="#opt-accesslog-fields-headers-defaultmode">accesslog.fields.headers.defaultmode</a> | Default mode for fields: keep | drop | redact | drop |
 | <a id="opt-accesslog-fields-headers-names-name" href="#opt-accesslog-fields-headers-names-name" title="#opt-accesslog-fields-headers-names-name">accesslog.fields.headers.names._name_</a> | Override mode for headers | |
 | <a id="opt-accesslog-fields-names-name" href="#opt-accesslog-fields-names-name" title="#opt-accesslog-fields-names-name">accesslog.fields.names._name_</a> | Override mode for fields | |
+| <a id="opt-accesslog-fields-queryparameters-defaultmode" href="#opt-accesslog-fields-queryparameters-defaultmode" title="#opt-accesslog-fields-queryparameters-defaultmode">accesslog.fields.queryparameters.defaultmode</a> | Default mode for query parameters: keep | drop | keep |
 | <a id="opt-accesslog-filepath" href="#opt-accesslog-filepath" title="#opt-accesslog-filepath">accesslog.filepath</a> | Access log file path. Stdout is used when omitted or empty. | |
 | <a id="opt-accesslog-filters-minduration" href="#opt-accesslog-filters-minduration" title="#opt-accesslog-filters-minduration">accesslog.filters.minduration</a> | Keep access logs when request took longer than the specified duration. | 0 |
 | <a id="opt-accesslog-filters-retryattempts" href="#opt-accesslog-filters-retryattempts" title="#opt-accesslog-filters-retryattempts">accesslog.filters.retryattempts</a> | Keep access logs when at least one retry happened. | false |
@@ -40,6 +42,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-api" href="#opt-api" title="#opt-api">api</a> | Enable api/dashboard. | false |
 | <a id="opt-api-basepath" href="#opt-api-basepath" title="#opt-api-basepath">api.basepath</a> | Defines the base path where the API and Dashboard will be exposed. | / |
 | <a id="opt-api-dashboard" href="#opt-api-dashboard" title="#opt-api-dashboard">api.dashboard</a> | Activate dashboard. | true |
+| <a id="opt-api-dashboardname" href="#opt-api-dashboardname" title="#opt-api-dashboardname">api.dashboardname</a> | Custom name for the dashboard. | |
 | <a id="opt-api-debug" href="#opt-api-debug" title="#opt-api-debug">api.debug</a> | Enable additional endpoints for debugging and profiling. | false |
 | <a id="opt-api-disabledashboardad" href="#opt-api-disabledashboardad" title="#opt-api-disabledashboardad">api.disabledashboardad</a> | Disable ad in the dashboard. | false |
 | <a id="opt-api-insecure" href="#opt-api-insecure" title="#opt-api-insecure">api.insecure</a> | Activate API directly on the entryPoint named traefik. | false |
@@ -49,6 +52,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-certificatesresolvers-name-acme-caservername" href="#opt-certificatesresolvers-name-acme-caservername" title="#opt-certificatesresolvers-name-acme-caservername">certificatesresolvers._name_.acme.caservername</a> | Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list. | |
 | <a id="opt-certificatesresolvers-name-acme-casystemcertpool" href="#opt-certificatesresolvers-name-acme-casystemcertpool" title="#opt-certificatesresolvers-name-acme-casystemcertpool">certificatesresolvers._name_.acme.casystemcertpool</a> | Define if the certificates pool must use a copy of the system cert pool. | false |
 | <a id="opt-certificatesresolvers-name-acme-certificatesduration" href="#opt-certificatesresolvers-name-acme-certificatesduration" title="#opt-certificatesresolvers-name-acme-certificatesduration">certificatesresolvers._name_.acme.certificatesduration</a> | Certificates' duration in hours. | 2160 |
+| <a id="opt-certificatesresolvers-name-acme-certificatetimeout" href="#opt-certificatesresolvers-name-acme-certificatetimeout" title="#opt-certificatesresolvers-name-acme-certificatetimeout">certificatesresolvers._name_.acme.certificatetimeout</a> | Timeout for obtaining the certificate during the finalization request. | 30 |
 | <a id="opt-certificatesresolvers-name-acme-clientresponseheadertimeout" href="#opt-certificatesresolvers-name-acme-clientresponseheadertimeout" title="#opt-certificatesresolvers-name-acme-clientresponseheadertimeout">certificatesresolvers._name_.acme.clientresponseheadertimeout</a> | Timeout for receiving the response headers when communicating with the ACME server. | 30 |
 | <a id="opt-certificatesresolvers-name-acme-clienttimeout" href="#opt-certificatesresolvers-name-acme-clienttimeout" title="#opt-certificatesresolvers-name-acme-clienttimeout">certificatesresolvers._name_.acme.clienttimeout</a> | Timeout for a complete HTTP transaction with the ACME server. | 120 |
 | <a id="opt-certificatesresolvers-name-acme-disablecommonname" href="#opt-certificatesresolvers-name-acme-disablecommonname" title="#opt-certificatesresolvers-name-acme-disablecommonname">certificatesresolvers._name_.acme.disablecommonname</a> | Disable the common name in the CSR. | false |
@@ -81,8 +85,10 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-entrypoints-name-address" href="#opt-entrypoints-name-address" title="#opt-entrypoints-name-address">entrypoints._name_.address</a> | Entry point address. | |
 | <a id="opt-entrypoints-name-allowacmebypass" href="#opt-entrypoints-name-allowacmebypass" title="#opt-entrypoints-name-allowacmebypass">entrypoints._name_.allowacmebypass</a> | Enables handling of ACME TLS and HTTP challenges with custom routers. | false |
 | <a id="opt-entrypoints-name-asdefault" href="#opt-entrypoints-name-asdefault" title="#opt-entrypoints-name-asdefault">entrypoints._name_.asdefault</a> | Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. | false |
+| <a id="opt-entrypoints-name-forwardedheaders-addxforwardedschemeheaders" href="#opt-entrypoints-name-forwardedheaders-addxforwardedschemeheaders" title="#opt-entrypoints-name-forwardedheaders-addxforwardedschemeheaders">entrypoints._name_.forwardedheaders.addxforwardedschemeheaders</a> | Add the X-Forwarded-Scheme and X-Scheme headers. | false |
 | <a id="opt-entrypoints-name-forwardedheaders-connection" href="#opt-entrypoints-name-forwardedheaders-connection" title="#opt-entrypoints-name-forwardedheaders-connection">entrypoints._name_.forwardedheaders.connection</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed. | |
 | <a id="opt-entrypoints-name-forwardedheaders-insecure" href="#opt-entrypoints-name-forwardedheaders-insecure" title="#opt-entrypoints-name-forwardedheaders-insecure">entrypoints._name_.forwardedheaders.insecure</a> | Trust all forwarded headers. | false |
+| <a id="opt-entrypoints-name-forwardedheaders-notappendxforwardedfor" href="#opt-entrypoints-name-forwardedheaders-notappendxforwardedfor" title="#opt-entrypoints-name-forwardedheaders-notappendxforwardedfor">entrypoints._name_.forwardedheaders.notappendxforwardedfor</a> | Disable appending RemoteAddr to X-Forwarded-For header. Defaults to false (appending is enabled). | false |
 | <a id="opt-entrypoints-name-forwardedheaders-trustedips" href="#opt-entrypoints-name-forwardedheaders-trustedips" title="#opt-entrypoints-name-forwardedheaders-trustedips">entrypoints._name_.forwardedheaders.trustedips</a> | Trust only forwarded headers from selected IPs. | |
 | <a id="opt-entrypoints-name-http" href="#opt-entrypoints-name-http" title="#opt-entrypoints-name-http">entrypoints._name_.http</a> | HTTP configuration. | |
 | <a id="opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" href="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash" title="#opt-entrypoints-name-http-encodedcharacters-allowencodedbackslash">entrypoints._name_.http.encodedcharacters.allowencodedbackslash</a> | Defines whether requests with encoded back slash characters in the path are allowed. | true |
@@ -148,6 +154,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-experimental-plugins-name-settings-useunsafe" href="#opt-experimental-plugins-name-settings-useunsafe" title="#opt-experimental-plugins-name-settings-useunsafe">experimental.plugins._name_.settings.useunsafe</a> | Allow the plugin to use unsafe and syscall packages. | false |
 | <a id="opt-experimental-plugins-name-version" href="#opt-experimental-plugins-name-version" title="#opt-experimental-plugins-name-version">experimental.plugins._name_.version</a> | plugin's version. | |
 | <a id="opt-global-checknewversion" href="#opt-global-checknewversion" title="#opt-global-checknewversion">global.checknewversion</a> | Periodically check if a new version has been released. | true |
+| <a id="opt-global-notappendxforwardedfor" href="#opt-global-notappendxforwardedfor" title="#opt-global-notappendxforwardedfor">global.notappendxforwardedfor</a> | Disable appending RemoteAddr to X-Forwarded-For header. Defaults to false (appending is enabled). | false |
 | <a id="opt-global-sendanonymoususage" href="#opt-global-sendanonymoususage" title="#opt-global-sendanonymoususage">global.sendanonymoususage</a> | Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. | false |
 | <a id="opt-hostresolver" href="#opt-hostresolver" title="#opt-hostresolver">hostresolver</a> | Enable CNAME Flattening. | false |
 | <a id="opt-hostresolver-cnameflattening" href="#opt-hostresolver-cnameflattening" title="#opt-hostresolver-cnameflattening">hostresolver.cnameflattening</a> | A flag to enable/disable CNAME flattening | false |
@@ -197,7 +204,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-metrics-influxdb2-bucket" href="#opt-metrics-influxdb2-bucket" title="#opt-metrics-influxdb2-bucket">metrics.influxdb2.bucket</a> | InfluxDB v2 bucket ID. | |
 | <a id="opt-metrics-influxdb2-org" href="#opt-metrics-influxdb2-org" title="#opt-metrics-influxdb2-org">metrics.influxdb2.org</a> | InfluxDB v2 org ID. | |
 | <a id="opt-metrics-influxdb2-pushinterval" href="#opt-metrics-influxdb2-pushinterval" title="#opt-metrics-influxdb2-pushinterval">metrics.influxdb2.pushinterval</a> | InfluxDB v2 push interval. | 10 |
-| <a id="opt-metrics-influxdb2-token" href="#opt-metrics-influxdb2-token" title="#opt-metrics-influxdb2-token">metrics.influxdb2.token</a> | InfluxDB v2 access token. | |
+| <a id="opt-metrics-influxdb2-token" href="#opt-metrics-influxdb2-token" title="#opt-metrics-influxdb2-token">metrics.influxdb2.token</a> | InfluxDB v2 access token. It accepts either a token value or a file path to the token. | |
 | <a id="opt-metrics-otlp" href="#opt-metrics-otlp" title="#opt-metrics-otlp">metrics.otlp</a> | OpenTelemetry metrics exporter type. | false |
 | <a id="opt-metrics-otlp-addentrypointslabels" href="#opt-metrics-otlp-addentrypointslabels" title="#opt-metrics-otlp-addentrypointslabels">metrics.otlp.addentrypointslabels</a> | Enable metrics on entry points. | true |
 | <a id="opt-metrics-otlp-addrouterslabels" href="#opt-metrics-otlp-addrouterslabels" title="#opt-metrics-otlp-addrouterslabels">metrics.otlp.addrouterslabels</a> | Enable metrics on routers. | false |
@@ -348,21 +355,25 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-kubernetescrd-allowemptyservices" href="#opt-providers-kubernetescrd-allowemptyservices" title="#opt-providers-kubernetescrd-allowemptyservices">providers.kubernetescrd.allowemptyservices</a> | Allow the creation of services without endpoints. | false |
 | <a id="opt-providers-kubernetescrd-allowexternalnameservices" href="#opt-providers-kubernetescrd-allowexternalnameservices" title="#opt-providers-kubernetescrd-allowexternalnameservices">providers.kubernetescrd.allowexternalnameservices</a> | Allow ExternalName services. | false |
 | <a id="opt-providers-kubernetescrd-certauthfilepath" href="#opt-providers-kubernetescrd-certauthfilepath" title="#opt-providers-kubernetescrd-certauthfilepath">providers.kubernetescrd.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| <a id="opt-providers-kubernetescrd-crossprovidernamespaces" href="#opt-providers-kubernetescrd-crossprovidernamespaces" title="#opt-providers-kubernetescrd-crossprovidernamespaces">providers.kubernetescrd.crossprovidernamespaces</a> | List of namespaces from which IngressRoute, IngressRouteTCP, IngressRouteUDP, and TraefikService are allowed to declare cross-provider references. | |
 | <a id="opt-providers-kubernetescrd-disableclusterscoperesources" href="#opt-providers-kubernetescrd-disableclusterscoperesources" title="#opt-providers-kubernetescrd-disableclusterscoperesources">providers.kubernetescrd.disableclusterscoperesources</a> | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
 | <a id="opt-providers-kubernetescrd-endpoint" href="#opt-providers-kubernetescrd-endpoint" title="#opt-providers-kubernetescrd-endpoint">providers.kubernetescrd.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
-| <a id="opt-providers-kubernetescrd-ingressclass" href="#opt-providers-kubernetescrd-ingressclass" title="#opt-providers-kubernetescrd-ingressclass">providers.kubernetescrd.ingressclass</a> | Value of kubernetes.io/ingress.class annotation to watch for. | |
+| <a id="opt-providers-kubernetescrd-ingressclass" href="#opt-providers-kubernetescrd-ingressclass" title="#opt-providers-kubernetescrd-ingressclass">providers.kubernetescrd.ingressclass</a> | Value of ingressClassName field or kubernetes.io/ingress.class annotation to watch for. | |
 | <a id="opt-providers-kubernetescrd-labelselector" href="#opt-providers-kubernetescrd-labelselector" title="#opt-providers-kubernetescrd-labelselector">providers.kubernetescrd.labelselector</a> | Kubernetes label selector to use. | |
 | <a id="opt-providers-kubernetescrd-namespaces" href="#opt-providers-kubernetescrd-namespaces" title="#opt-providers-kubernetescrd-namespaces">providers.kubernetescrd.namespaces</a> | Kubernetes namespaces. | |
 | <a id="opt-providers-kubernetescrd-nativelbbydefault" href="#opt-providers-kubernetescrd-nativelbbydefault" title="#opt-providers-kubernetescrd-nativelbbydefault">providers.kubernetescrd.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
 | <a id="opt-providers-kubernetescrd-throttleduration" href="#opt-providers-kubernetescrd-throttleduration" title="#opt-providers-kubernetescrd-throttleduration">providers.kubernetescrd.throttleduration</a> | Ingress refresh throttle duration | 0 |
 | <a id="opt-providers-kubernetescrd-token" href="#opt-providers-kubernetescrd-token" title="#opt-providers-kubernetescrd-token">providers.kubernetescrd.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
 | <a id="opt-providers-kubernetesgateway" href="#opt-providers-kubernetesgateway" title="#opt-providers-kubernetesgateway">providers.kubernetesgateway</a> | Enables Kubernetes Gateway API provider. | false |
+| <a id="opt-providers-kubernetesgateway-burst" href="#opt-providers-kubernetesgateway-burst" title="#opt-providers-kubernetesgateway-burst">providers.kubernetesgateway.burst</a> | Defines the maximum burst of requests to the Kubernetes API server. | 100 |
 | <a id="opt-providers-kubernetesgateway-certauthfilepath" href="#opt-providers-kubernetesgateway-certauthfilepath" title="#opt-providers-kubernetesgateway-certauthfilepath">providers.kubernetesgateway.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| <a id="opt-providers-kubernetesgateway-crossprovidernamespaces" href="#opt-providers-kubernetesgateway-crossprovidernamespaces" title="#opt-providers-kubernetesgateway-crossprovidernamespaces">providers.kubernetesgateway.crossprovidernamespaces</a> | List of namespaces from which Gateway API routes are allowed to declare TraefikService backendRef references. | |
 | <a id="opt-providers-kubernetesgateway-endpoint" href="#opt-providers-kubernetesgateway-endpoint" title="#opt-providers-kubernetesgateway-endpoint">providers.kubernetesgateway.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
 | <a id="opt-providers-kubernetesgateway-experimentalchannel" href="#opt-providers-kubernetesgateway-experimentalchannel" title="#opt-providers-kubernetesgateway-experimentalchannel">providers.kubernetesgateway.experimentalchannel</a> | Toggles Experimental Channel resources support (TCPRoute, TLSRoute...). | false |
 | <a id="opt-providers-kubernetesgateway-labelselector" href="#opt-providers-kubernetesgateway-labelselector" title="#opt-providers-kubernetesgateway-labelselector">providers.kubernetesgateway.labelselector</a> | Kubernetes label selector to select specific GatewayClasses. | |
 | <a id="opt-providers-kubernetesgateway-namespaces" href="#opt-providers-kubernetesgateway-namespaces" title="#opt-providers-kubernetesgateway-namespaces">providers.kubernetesgateway.namespaces</a> | Kubernetes namespaces. | |
 | <a id="opt-providers-kubernetesgateway-nativelbbydefault" href="#opt-providers-kubernetesgateway-nativelbbydefault" title="#opt-providers-kubernetesgateway-nativelbbydefault">providers.kubernetesgateway.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing by default. | false |
+| <a id="opt-providers-kubernetesgateway-qps" href="#opt-providers-kubernetesgateway-qps" title="#opt-providers-kubernetesgateway-qps">providers.kubernetesgateway.qps</a> | Defines the maximum QPS to the Kubernetes API server. Setting this to a negative value will disable client-side ratelimiting. | 50 |
 | <a id="opt-providers-kubernetesgateway-statusaddress-hostname" href="#opt-providers-kubernetesgateway-statusaddress-hostname" title="#opt-providers-kubernetesgateway-statusaddress-hostname">providers.kubernetesgateway.statusaddress.hostname</a> | Hostname used for Kubernetes Gateway status address. | |
 | <a id="opt-providers-kubernetesgateway-statusaddress-ip" href="#opt-providers-kubernetesgateway-statusaddress-ip" title="#opt-providers-kubernetesgateway-statusaddress-ip">providers.kubernetesgateway.statusaddress.ip</a> | IP used to set Kubernetes Gateway status address. | |
 | <a id="opt-providers-kubernetesgateway-statusaddress-service" href="#opt-providers-kubernetesgateway-statusaddress-service" title="#opt-providers-kubernetesgateway-statusaddress-service">providers.kubernetesgateway.statusaddress.service</a> | Published Kubernetes Service to copy status addresses from. | |
@@ -374,6 +385,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-kubernetesingress-allowemptyservices" href="#opt-providers-kubernetesingress-allowemptyservices" title="#opt-providers-kubernetesingress-allowemptyservices">providers.kubernetesingress.allowemptyservices</a> | Allow creation of services without endpoints. | false |
 | <a id="opt-providers-kubernetesingress-allowexternalnameservices" href="#opt-providers-kubernetesingress-allowexternalnameservices" title="#opt-providers-kubernetesingress-allowexternalnameservices">providers.kubernetesingress.allowexternalnameservices</a> | Allow ExternalName services. | false |
 | <a id="opt-providers-kubernetesingress-certauthfilepath" href="#opt-providers-kubernetesingress-certauthfilepath" title="#opt-providers-kubernetesingress-certauthfilepath">providers.kubernetesingress.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| <a id="opt-providers-kubernetesingress-crossprovidernamespaces" href="#opt-providers-kubernetesingress-crossprovidernamespaces" title="#opt-providers-kubernetesingress-crossprovidernamespaces">providers.kubernetesingress.crossprovidernamespaces</a> | List of namespaces from which Ingresses or Services are allowed to declare Middlewares, TLSOptions, or ServersTransport references. | |
 | <a id="opt-providers-kubernetesingress-disableclusterscoperesources" href="#opt-providers-kubernetesingress-disableclusterscoperesources" title="#opt-providers-kubernetesingress-disableclusterscoperesources">providers.kubernetesingress.disableclusterscoperesources</a> | Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). | false |
 | <a id="opt-providers-kubernetesingress-disableingressclasslookup" href="#opt-providers-kubernetesingress-disableingressclasslookup" title="#opt-providers-kubernetesingress-disableingressclasslookup">providers.kubernetesingress.disableingressclasslookup</a> | Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). | false |
 | <a id="opt-providers-kubernetesingress-endpoint" href="#opt-providers-kubernetesingress-endpoint" title="#opt-providers-kubernetesingress-endpoint">providers.kubernetesingress.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
@@ -384,21 +396,46 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-kubernetesingress-labelselector" href="#opt-providers-kubernetesingress-labelselector" title="#opt-providers-kubernetesingress-labelselector">providers.kubernetesingress.labelselector</a> | Kubernetes Ingress label selector to use. | |
 | <a id="opt-providers-kubernetesingress-namespaces" href="#opt-providers-kubernetesingress-namespaces" title="#opt-providers-kubernetesingress-namespaces">providers.kubernetesingress.namespaces</a> | Kubernetes namespaces. | |
 | <a id="opt-providers-kubernetesingress-nativelbbydefault" href="#opt-providers-kubernetesingress-nativelbbydefault" title="#opt-providers-kubernetesingress-nativelbbydefault">providers.kubernetesingress.nativelbbydefault</a> | Defines whether to use Native Kubernetes load-balancing mode by default. | false |
+| <a id="opt-providers-kubernetesingress-reportnodeinternalips" href="#opt-providers-kubernetesingress-reportnodeinternalips" title="#opt-providers-kubernetesingress-reportnodeinternalips">providers.kubernetesingress.reportnodeinternalips</a> | Report node internal IPs in Ingress status. | false |
 | <a id="opt-providers-kubernetesingress-strictprefixmatching" href="#opt-providers-kubernetesingress-strictprefixmatching" title="#opt-providers-kubernetesingress-strictprefixmatching">providers.kubernetesingress.strictprefixmatching</a> | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). | false |
 | <a id="opt-providers-kubernetesingress-throttleduration" href="#opt-providers-kubernetesingress-throttleduration" title="#opt-providers-kubernetesingress-throttleduration">providers.kubernetesingress.throttleduration</a> | Ingress refresh throttle duration | 0 |
 | <a id="opt-providers-kubernetesingress-token" href="#opt-providers-kubernetesingress-token" title="#opt-providers-kubernetesingress-token">providers.kubernetesingress.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
 | <a id="opt-providers-kubernetesingressnginx" href="#opt-providers-kubernetesingressnginx" title="#opt-providers-kubernetesingressnginx">providers.kubernetesingressnginx</a> | Enables Kubernetes Ingress NGINX provider. | false |
+| <a id="opt-providers-kubernetesingressnginx-allowcrossnamespaceresources" href="#opt-providers-kubernetesingressnginx-allowcrossnamespaceresources" title="#opt-providers-kubernetesingressnginx-allowcrossnamespaceresources">providers.kubernetesingressnginx.allowcrossnamespaceresources</a> | Allow Ingress to reference resources (e.g. ConfigMaps, Secrets) in different namespaces. | false |
+| <a id="opt-providers-kubernetesingressnginx-allowsnippetannotations" href="#opt-providers-kubernetesingressnginx-allowsnippetannotations" title="#opt-providers-kubernetesingressnginx-allowsnippetannotations">providers.kubernetesingressnginx.allowsnippetannotations</a> | Enables to parse and add -snippet annotations/directives. | false |
 | <a id="opt-providers-kubernetesingressnginx-certauthfilepath" href="#opt-providers-kubernetesingressnginx-certauthfilepath" title="#opt-providers-kubernetesingressnginx-certauthfilepath">providers.kubernetesingressnginx.certauthfilepath</a> | Kubernetes certificate authority file path (not needed for in-cluster client). | |
+| <a id="opt-providers-kubernetesingressnginx-clientbodybuffersize" href="#opt-providers-kubernetesingressnginx-clientbodybuffersize" title="#opt-providers-kubernetesingressnginx-clientbodybuffersize">providers.kubernetesingressnginx.clientbodybuffersize</a> | Default buffer size for reading client request body. | 16384 |
 | <a id="opt-providers-kubernetesingressnginx-controllerclass" href="#opt-providers-kubernetesingressnginx-controllerclass" title="#opt-providers-kubernetesingressnginx-controllerclass">providers.kubernetesingressnginx.controllerclass</a> | Ingress Class Controller value this controller satisfies. | k8s.io/ingress-nginx |
+| <a id="opt-providers-kubernetesingressnginx-customhttperrors" href="#opt-providers-kubernetesingressnginx-customhttperrors" title="#opt-providers-kubernetesingressnginx-customhttperrors">providers.kubernetesingressnginx.customhttperrors</a> | Defines which status should result in calling the default backend to return an error page. | |
 | <a id="opt-providers-kubernetesingressnginx-defaultbackendservice" href="#opt-providers-kubernetesingressnginx-defaultbackendservice" title="#opt-providers-kubernetesingressnginx-defaultbackendservice">providers.kubernetesingressnginx.defaultbackendservice</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'. | |
 | <a id="opt-providers-kubernetesingressnginx-disablesvcexternalname" href="#opt-providers-kubernetesingressnginx-disablesvcexternalname" title="#opt-providers-kubernetesingressnginx-disablesvcexternalname">providers.kubernetesingressnginx.disablesvcexternalname</a> | Disable support for Services of type ExternalName. | false |
 | <a id="opt-providers-kubernetesingressnginx-endpoint" href="#opt-providers-kubernetesingressnginx-endpoint" title="#opt-providers-kubernetesingressnginx-endpoint">providers.kubernetesingressnginx.endpoint</a> | Kubernetes server endpoint (required for external cluster client). | |
+| <a id="opt-providers-kubernetesingressnginx-globalallowedresponseheaders" href="#opt-providers-kubernetesingressnginx-globalallowedresponseheaders" title="#opt-providers-kubernetesingressnginx-globalallowedresponseheaders">providers.kubernetesingressnginx.globalallowedresponseheaders</a> | List of allowed response headers inside the custom headers annotations. | |
+| <a id="opt-providers-kubernetesingressnginx-globalauthurl" href="#opt-providers-kubernetesingressnginx-globalauthurl" title="#opt-providers-kubernetesingressnginx-globalauthurl">providers.kubernetesingressnginx.globalauthurl</a> | URL to the service that provides authentication for all the locations. Per ingress auth-url annotation has precedence over this option. | |
+| <a id="opt-providers-kubernetesingressnginx-httpentrypoint" href="#opt-providers-kubernetesingressnginx-httpentrypoint" title="#opt-providers-kubernetesingressnginx-httpentrypoint">providers.kubernetesingressnginx.httpentrypoint</a> | Defines the EntryPoint to use for HTTP requests. | |
+| <a id="opt-providers-kubernetesingressnginx-httpsentrypoint" href="#opt-providers-kubernetesingressnginx-httpsentrypoint" title="#opt-providers-kubernetesingressnginx-httpsentrypoint">providers.kubernetesingressnginx.httpsentrypoint</a> | Defines the EntryPoint to use for HTTPS requests. | |
 | <a id="opt-providers-kubernetesingressnginx-ingressclass" href="#opt-providers-kubernetesingressnginx-ingressclass" title="#opt-providers-kubernetesingressnginx-ingressclass">providers.kubernetesingressnginx.ingressclass</a> | Name of the ingress class this controller satisfies. | nginx |
 | <a id="opt-providers-kubernetesingressnginx-ingressclassbyname" href="#opt-providers-kubernetesingressnginx-ingressclassbyname" title="#opt-providers-kubernetesingressnginx-ingressclassbyname">providers.kubernetesingressnginx.ingressclassbyname</a> | Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. | false |
+| <a id="opt-providers-kubernetesingressnginx-ipallowliststrategy-depth" href="#opt-providers-kubernetesingressnginx-ipallowliststrategy-depth" title="#opt-providers-kubernetesingressnginx-ipallowliststrategy-depth">providers.kubernetesingressnginx.ipallowliststrategy.depth</a> |  | 0 |
+| <a id="opt-providers-kubernetesingressnginx-ipallowliststrategy-excludedips" href="#opt-providers-kubernetesingressnginx-ipallowliststrategy-excludedips" title="#opt-providers-kubernetesingressnginx-ipallowliststrategy-excludedips">providers.kubernetesingressnginx.ipallowliststrategy.excludedips</a> |  | |
+| <a id="opt-providers-kubernetesingressnginx-ipallowliststrategy-ipv6subnet" href="#opt-providers-kubernetesingressnginx-ipallowliststrategy-ipv6subnet" title="#opt-providers-kubernetesingressnginx-ipallowliststrategy-ipv6subnet">providers.kubernetesingressnginx.ipallowliststrategy.ipv6subnet</a> |  | 0 |
+| <a id="opt-providers-kubernetesingressnginx-proxybodysize" href="#opt-providers-kubernetesingressnginx-proxybodysize" title="#opt-providers-kubernetesingressnginx-proxybodysize">providers.kubernetesingressnginx.proxybodysize</a> | Default maximum size of a client request body in bytes. | 1048576 |
+| <a id="opt-providers-kubernetesingressnginx-proxybuffering" href="#opt-providers-kubernetesingressnginx-proxybuffering" title="#opt-providers-kubernetesingressnginx-proxybuffering">providers.kubernetesingressnginx.proxybuffering</a> | Defines whether to enable response buffering. | false |
+| <a id="opt-providers-kubernetesingressnginx-proxybuffersize" href="#opt-providers-kubernetesingressnginx-proxybuffersize" title="#opt-providers-kubernetesingressnginx-proxybuffersize">providers.kubernetesingressnginx.proxybuffersize</a> | Default buffer size for reading the response body. | 8192 |
+| <a id="opt-providers-kubernetesingressnginx-proxybuffersnumber" href="#opt-providers-kubernetesingressnginx-proxybuffersnumber" title="#opt-providers-kubernetesingressnginx-proxybuffersnumber">providers.kubernetesingressnginx.proxybuffersnumber</a> | Default number of buffers for reading a response. | 4 |
+| <a id="opt-providers-kubernetesingressnginx-proxyconnecttimeout" href="#opt-providers-kubernetesingressnginx-proxyconnecttimeout" title="#opt-providers-kubernetesingressnginx-proxyconnecttimeout">providers.kubernetesingressnginx.proxyconnecttimeout</a> | Amount of time to wait until a connection to a server can be established. Timeout value is unitless and in seconds. | 60 |
+| <a id="opt-providers-kubernetesingressnginx-proxynextupstream" href="#opt-providers-kubernetesingressnginx-proxynextupstream" title="#opt-providers-kubernetesingressnginx-proxynextupstream">providers.kubernetesingressnginx.proxynextupstream</a> | Defines in which cases a request should be retried. | error timeout |
+| <a id="opt-providers-kubernetesingressnginx-proxynextupstreamtimeout" href="#opt-providers-kubernetesingressnginx-proxynextupstreamtimeout" title="#opt-providers-kubernetesingressnginx-proxynextupstreamtimeout">providers.kubernetesingressnginx.proxynextupstreamtimeout</a> | Limits the total elapsed time to retry the request if the backend server does not reply. Timeout value is unitless and in seconds. | 0 |
+| <a id="opt-providers-kubernetesingressnginx-proxynextupstreamtries" href="#opt-providers-kubernetesingressnginx-proxynextupstreamtries" title="#opt-providers-kubernetesingressnginx-proxynextupstreamtries">providers.kubernetesingressnginx.proxynextupstreamtries</a> | Limits the number of possible tries if the backend server does not reply. | 3 |
+| <a id="opt-providers-kubernetesingressnginx-proxyreadtimeout" href="#opt-providers-kubernetesingressnginx-proxyreadtimeout" title="#opt-providers-kubernetesingressnginx-proxyreadtimeout">providers.kubernetesingressnginx.proxyreadtimeout</a> | Amount of time between two successive read operations. Timeout value is unitless and in seconds. | 60 |
+| <a id="opt-providers-kubernetesingressnginx-proxyrequestbuffering" href="#opt-providers-kubernetesingressnginx-proxyrequestbuffering" title="#opt-providers-kubernetesingressnginx-proxyrequestbuffering">providers.kubernetesingressnginx.proxyrequestbuffering</a> | Defines whether to enable request buffering. | false |
+| <a id="opt-providers-kubernetesingressnginx-proxysendtimeout" href="#opt-providers-kubernetesingressnginx-proxysendtimeout" title="#opt-providers-kubernetesingressnginx-proxysendtimeout">providers.kubernetesingressnginx.proxysendtimeout</a> | Amount of time between two successive write operations. Timeout value is unitless and in seconds. | 60 |
 | <a id="opt-providers-kubernetesingressnginx-publishservice" href="#opt-providers-kubernetesingressnginx-publishservice" title="#opt-providers-kubernetesingressnginx-publishservice">providers.kubernetesingressnginx.publishservice</a> | Service fronting the Ingress controller. Takes the form 'namespace/name'. | |
 | <a id="opt-providers-kubernetesingressnginx-publishstatusaddress" href="#opt-providers-kubernetesingressnginx-publishstatusaddress" title="#opt-providers-kubernetesingressnginx-publishstatusaddress">providers.kubernetesingressnginx.publishstatusaddress</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies. | |
+| <a id="opt-providers-kubernetesingressnginx-strictvalidatepathtype" href="#opt-providers-kubernetesingressnginx-strictvalidatepathtype" title="#opt-providers-kubernetesingressnginx-strictvalidatepathtype">providers.kubernetesingressnginx.strictvalidatepathtype</a> | Defines whether to reject the entire ingress when any path contains regex characters and pathType is Prefix or Exact. | true |
 | <a id="opt-providers-kubernetesingressnginx-throttleduration" href="#opt-providers-kubernetesingressnginx-throttleduration" title="#opt-providers-kubernetesingressnginx-throttleduration">providers.kubernetesingressnginx.throttleduration</a> | Ingress refresh throttle duration. | 0 |
 | <a id="opt-providers-kubernetesingressnginx-token" href="#opt-providers-kubernetesingressnginx-token" title="#opt-providers-kubernetesingressnginx-token">providers.kubernetesingressnginx.token</a> | Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token. | |
+| <a id="opt-providers-kubernetesingressnginx-upstreamkeepalivetimeout" href="#opt-providers-kubernetesingressnginx-upstreamkeepalivetimeout" title="#opt-providers-kubernetesingressnginx-upstreamkeepalivetimeout">providers.kubernetesingressnginx.upstreamkeepalivetimeout</a> | Defines the idle timeout for keep-alive connections to upstream servers. Timeout value is unitless and in seconds. | 60 |
 | <a id="opt-providers-kubernetesingressnginx-watchingresswithoutclass" href="#opt-providers-kubernetesingressnginx-watchingresswithoutclass" title="#opt-providers-kubernetesingressnginx-watchingresswithoutclass">providers.kubernetesingressnginx.watchingresswithoutclass</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. | false |
 | <a id="opt-providers-kubernetesingressnginx-watchnamespace" href="#opt-providers-kubernetesingressnginx-watchnamespace" title="#opt-providers-kubernetesingressnginx-watchnamespace">providers.kubernetesingressnginx.watchnamespace</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty. | |
 | <a id="opt-providers-kubernetesingressnginx-watchnamespaceselector" href="#opt-providers-kubernetesingressnginx-watchnamespaceselector" title="#opt-providers-kubernetesingressnginx-watchnamespaceselector">providers.kubernetesingressnginx.watchnamespaceselector</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects. | |
@@ -422,6 +459,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | <a id="opt-providers-nomad-throttleduration" href="#opt-providers-nomad-throttleduration" title="#opt-providers-nomad-throttleduration">providers.nomad.throttleduration</a> | Watch throttle duration. | 0 |
 | <a id="opt-providers-nomad-watch" href="#opt-providers-nomad-watch" title="#opt-providers-nomad-watch">providers.nomad.watch</a> | Watch Nomad Service events. | false |
 | <a id="opt-providers-plugin-name" href="#opt-providers-plugin-name" title="#opt-providers-plugin-name">providers.plugin._name_</a> | Plugins configuration. | |
+| <a id="opt-providers-precedence" href="#opt-providers-precedence" title="#opt-providers-precedence">providers.precedence</a> | Defines the routing precedence between providers. | kubernetesgateway, kubernetescrd, kubernetes, kubernetesingressnginx, swarm, docker, file, redis, knative, consul, consulcatalog, nomad, etcd, ecs, http, zookeeper, rest |
 | <a id="opt-providers-providersthrottleduration" href="#opt-providers-providersthrottleduration" title="#opt-providers-providersthrottleduration">providers.providersthrottleduration</a> | Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. | 2 |
 | <a id="opt-providers-redis" href="#opt-providers-redis" title="#opt-providers-redis">providers.redis</a> | Enables Redis provider. | false |
 | <a id="opt-providers-redis-db" href="#opt-providers-redis-db" title="#opt-providers-redis-db">providers.redis.db</a> | Database to be selected after connecting to the server. | 0 |
@@ -89,8 +89,10 @@ additionalArguments:
 | <a id="opt-asDefault" href="#opt-asDefault" title="#opt-asDefault">`asDefault`</a> | Mark the `entryPoint` to be in the list of default `entryPoints`.<br /> `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option.<br /> More information [here](#asdefault).                                                                                                                                                                                                                                                                                                                                                                                                                                       | false                   | No       |
 | <a id="opt-allowACMEByPass" href="#opt-allowACMEByPass" title="#opt-allowACMEByPass">`allowACMEByPass`</a> | Enables handling of ACME TLS and HTTP challenges with custom routers instead of the internal ACME router.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                   | No       |
 | <a id="opt-forwardedHeaders-connection" href="#opt-forwardedHeaders-connection" title="#opt-forwardedHeaders-connection">`forwardedHeaders.`<br />`connection`</a> | List of Connection headers that are allowed to pass through the middleware chain before being removed.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
+| <a id="opt-forwardedHeaders-addXForwardedSchemeHeaders" href="#opt-forwardedHeaders-addXForwardedSchemeHeaders" title="#opt-forwardedHeaders-addXForwardedSchemeHeaders">`forwardedHeaders.`<br />`addXForwardedSchemeHeaders`</a> | Add the compatibility headers `X-Forwarded-Scheme` and `X-Scheme`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | false                   | No       |
 | <a id="opt-forwardedHeaders-insecure" href="#opt-forwardedHeaders-insecure" title="#opt-forwardedHeaders-insecure">`forwardedHeaders.`<br />`insecure`</a> | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`).<br />We recommend to use this option only for tests purposes, not in production.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
 | <a id="opt-forwardedHeaders-trustedIPs" href="#opt-forwardedHeaders-trustedIPs" title="#opt-forwardedHeaders-trustedIPs">`forwardedHeaders.`<br />`trustedIPs`</a> | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | -                       | No       |
+| <a id="opt-forwardedHeaders-notAppendXForwardedFor" href="#opt-forwardedHeaders-notAppendXForwardedFor" title="#opt-forwardedHeaders-notAppendXForwardedFor">`forwardedHeaders.`<br />`notAppendXForwardedFor`</a> | When set to `true`, Traefik will not append the client's `RemoteAddr` to the `X-Forwarded-For` header. The existing header is preserved as-is. If no `X-Forwarded-For` header exists, none will be added.                                                                                                                                                                                                                                                                                                                                    | false                   | No       |
 | <a id="opt-http-redirections-entryPoint-to" href="#opt-http-redirections-entryPoint-to" title="#opt-http-redirections-entryPoint-to">`http.redirections.`<br />`entryPoint.to`</a> | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. <br /> The target element can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | -                       | Yes      |
 | <a id="opt-http-redirections-entryPoint-scheme" href="#opt-http-redirections-entryPoint-scheme" title="#opt-http-redirections-entryPoint-scheme">`http.redirections.`<br />`entryPoint.scheme`</a> | The target scheme to use for (permanent) redirection of all incoming requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | https                   | No       |
 | <a id="opt-http-redirections-entryPoint-permanent" href="#opt-http-redirections-entryPoint-permanent" title="#opt-http-redirections-entryPoint-permanent">`http.redirections.`<br />`entryPoint.permanent`</a> | Enable permanent redirecting of all incoming requests on an entry point to another one changing the scheme. <br /> The target element, it can be an entry point name (ex: `websecure`), or a port (`:443`).                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | false                   | No       |
@@ -391,6 +393,37 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
    --entryPoints.web.forwardedHeaders.connection=foobar
    ```

+??? info "`forwardedHeaders.addXForwardedSchemeHeaders`"
+
+    Add the compatibility headers `X-Forwarded-Scheme` and `X-Scheme` next to `X-Forwarded-Proto`.
+    This is primarily useful when migrating from ingress-nginx and your applications still rely on these legacy headers.
+    When enabled, these compatibility headers follow the same value as `X-Forwarded-Proto`.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      websecure:
+        address: ":443"
+        forwardedHeaders:
+          addXForwardedSchemeHeaders: true
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.websecure]
+        address = ":443"
+
+        [entryPoints.websecure.forwardedHeaders]
+          addXForwardedSchemeHeaders = true
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.websecure.address=:443
+    --entryPoints.websecure.forwardedHeaders.addXForwardedSchemeHeaders=true
+    ```
+
 ### HTTP3

 As HTTP/3 actually uses UDP, when Traefik is configured with a TCP `entryPoint`
@@ -141,6 +141,9 @@ Traefik also supports the `OTEL_RESOURCE_ATTRIBUTES` env variable to set up the

 Access logs concern everything that happens to the requests handled by Traefik.

+!!! note "Stdio logs are not enabled by default alongside OTLP exports"
+    If you would like Stdio access logs to be available, use [accessLog.dualOutput](#opt-accesslog-dualOutput) option.
+
 ### Configuration Example

 ```yaml tab="File (YAML)"
@@ -168,6 +171,9 @@ accessLog:
        User-Agent: redact
        # Drop the Authorization header value
        Authorization: drop
+    queryParameters:
+      # Drop all query parameters
+      defaultMode: drop
 ```

 ```toml tab="File (TOML)"
@@ -191,10 +197,14 @@ accessLog:
      [accessLog.fields.headers.names]
        User-Agent = "redact"
        Authorization = "drop"
+
+    [accessLog.fields.queryParameters]
+      defaultMode = "drop"
 ```

 ```sh tab="CLI"
 --accesslog=true
+--accesslog.dualoutput=true
 --accesslog.format=json
 --accesslog.filters.statuscodes=200,300-302
 --accesslog.filters.retryattempts
@@ -204,6 +214,7 @@ accessLog:
 --accesslog.fields.headers.defaultmode=keep
 --accesslog.fields.headers.names.User-Agent=redact
 --accesslog.fields.headers.names.Authorization=drop
+--accesslog.fields.queryparameters.defaultmode=drop
 ```

 ### Configuration Options
@@ -213,6 +224,7 @@ The section below describes how to configure Traefik access logs using the stati
 | Field      | Description    | Default | Required |
 |:-----------|:--------------------------|:--------|:---------|
 | <a id="opt-accesslog-filePath" href="#opt-accesslog-filePath" title="#opt-accesslog-filePath">`accesslog.filePath`</a> | By default, the access logs are written to the standard output.<br />You can configure a file path instead using the `filePath` option.|  | No      |
+| <a id="opt-accesslog-dualOutput" href="#opt-accesslog-dualOutput" title="#opt-accesslog-dualOutput">`accesslog.dualOutput`</a> | Force Stdio logging, even if OTLP is configured. By default, Stdio logging is disabled when OTLP is enabled for performance reasons. | false      | No      |
 | <a id="opt-accesslog-format" href="#opt-accesslog-format" title="#opt-accesslog-format">`accesslog.format`</a> | By default, logs are written using the Traefik Common Log Format (CLF).<br />Available formats: [`common`](#traefik-clf-format-fields) (Traefik extended CLF), [`genericCLF`](#generic-clf-format-fields) (standard CLF compatible with analyzers), or [`json`](#json-format-fields).<br />If the given format is unsupported, the default (`common`) is used instead. | "common" | No      |
 | <a id="opt-accesslog-bufferingSize" href="#opt-accesslog-bufferingSize" title="#opt-accesslog-bufferingSize">`accesslog.bufferingSize`</a> | To write the logs in an asynchronous fashion, specify a  `bufferingSize` option.<br />This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.<br />In some cases, this option can greatly help performances.| 0 | No      |
 | <a id="opt-accesslog-addInternals" href="#opt-accesslog-addInternals" title="#opt-accesslog-addInternals">`accesslog.addInternals`</a> | Enables access logs for internal resources (e.g.: `ping@internal`). | false  | No      |
@@ -223,6 +235,7 @@ The section below describes how to configure Traefik access logs using the stati
 | <a id="opt-accesslog-fields-names" href="#opt-accesslog-fields-names" title="#opt-accesslog-fields-names">`accesslog.fields.names`</a> | Set the fields list to display in the access logs (format `name:mode`).<br /> Available fields list [here](#json-format-fields). |  [ ]    | No      |
 | <a id="opt-accesslog-fields-headers-defaultMode" href="#opt-accesslog-fields-headers-defaultMode" title="#opt-accesslog-fields-headers-defaultMode">`accesslog.fields.headers.defaultMode`</a> | Mode to apply by default to the access logs headers (`keep`, `redact` or `drop`).  | drop | No      |
 | <a id="opt-accesslog-fields-headers-names" href="#opt-accesslog-fields-headers-names" title="#opt-accesslog-fields-headers-names">`accesslog.fields.headers.names`</a> | Set the headers list to display in the access logs (format `name:mode`). |   [ ]   | No      |
+| <a id="opt-accesslog-fields-queryParameters-defaultMode" href="#opt-accesslog-fields-queryParameters-defaultMode" title="#opt-accesslog-fields-queryParameters-defaultMode">`accesslog.fields.queryParameters.defaultMode`</a> | Mode to apply by default to the access logs query parameters (`keep` or `drop`) | keep | No      |

 ### OpenTelemetry

@@ -252,6 +265,8 @@ experimental:
  otlpLogs: true

 accesslog:
+  # Keep Stdio logs alongside OTEL logging
+  dualOutput: true
  otlp:
    http:
      endpoint: https://collector:4318/v1/logs
@@ -263,6 +278,9 @@ accesslog:
 [experimental]
  otlpLogs = true

+[accessLog]
+  dualOutput = true
+
 [accesslog.otlp]
  http.endpoint = "https://collector:4318/v1/logs"
  http.headers.Authorization = "Bearer auth_asKXRhIMplM7El1JENjrotGouS1LYRdL"
@@ -374,6 +392,10 @@ Below the fields displayed with the generic CLF format:
 | <a id="opt-TLSVersion" href="#opt-TLSVersion" title="#opt-TLSVersion">`TLSVersion`</a> | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS).   |
 | <a id="opt-TLSCipher" href="#opt-TLSCipher" title="#opt-TLSCipher">`TLSCipher`</a> | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS).      |
 | <a id="opt-TLSClientSubject" href="#opt-TLSClientSubject" title="#opt-TLSClientSubject">`TLSClientSubject`</a> | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`).  |
+| <a id="opt-KubernetesIngressNamespace" href="#opt-KubernetesIngressNamespace" title="#opt-KubernetesIngressNamespace">`KubernetesIngressNamespace`</a> | The namespace of the Kubernetes Ingress resource the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |
+| <a id="opt-KubernetesIngressName" href="#opt-KubernetesIngressName" title="#opt-KubernetesIngressName">`KubernetesIngressName`</a> | The name of the Kubernetes Ingress resource the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |
+| <a id="opt-KubernetesServiceName" href="#opt-KubernetesServiceName" title="#opt-KubernetesServiceName">`KubernetesServiceName`</a> | The name of the Kubernetes Service associated with the Ingress the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |
+| <a id="opt-KubernetesServicePort" href="#opt-KubernetesServicePort" title="#opt-KubernetesServicePort">`KubernetesServicePort`</a> | The port of the Kubernetes Service associated with the Ingress the router handles. Only available with the Kubernetes Ingress and Kubernetes Ingress Nginx providers. |

 ### Log Rotation

@@ -397,7 +419,7 @@ Example utilizing Docker Compose:
 ```yaml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    environment:
      - TZ=US/Alaska
    command:
@@ -20,13 +20,13 @@ enabling seamless integration between Traefik's networking capabilities and Knat
 1. Install/update the Knative CRDs.

    ```bash
-    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-crds.yaml
+    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.20.0/serving-crds.yaml
    ```

 2. Install the Knative Serving core components.

    ```bash
-    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.19.0/serving-core.yaml
+    kubectl apply -f https://github.com/knative/serving/releases/download/knative-v1.20.0/serving-core.yaml
    ```

 3. Update the config-network configuration to use the Traefik ingress class.
@@ -50,7 +50,7 @@ enabling seamless integration between Traefik's networking capabilities and Knat
 5. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-knative-rbac.yml).

    ```bash
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
    ```

 ## Configuration Example
@@ -20,10 +20,10 @@ When you install Traefik without using the Helm Chart, or when you are upgrading

 ```bash
 # Install Traefik Resource Definitions:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

 # Install RBAC for Traefik:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 ```

 ## Configuration Example
@@ -60,11 +60,12 @@ providers:
 | <a id="opt-providers-kubernetesCRD-certAuthFilePath" href="#opt-providers-kubernetesCRD-certAuthFilePath" title="#opt-providers-kubernetesCRD-certAuthFilePath">`providers.kubernetesCRD.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration. | ""      | No |
 | <a id="opt-providers-kubernetesCRD-namespaces" href="#opt-providers-kubernetesCRD-namespaces" title="#opt-providers-kubernetesCRD-namespaces">`providers.kubernetesCRD.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces. | []      | No |
 | <a id="opt-providers-kubernetesCRD-labelSelector" href="#opt-providers-kubernetesCRD-labelSelector" title="#opt-providers-kubernetesCRD-labelSelector">`providers.kubernetesCRD.labelSelector`</a> | Allow filtering on specific resource objects only using label selectors.<br />Only to Traefik [Custom Resources](#routing-configuration) (they all must match the filter).<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""      | No |
-| <a id="opt-providers-kubernetesCRD-ingressClass" href="#opt-providers-kubernetesCRD-ingressClass" title="#opt-providers-kubernetesCRD-ingressClass">`providers.kubernetesCRD.ingressClass`</a> | Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed. | ""      | No |
+| <a id="opt-providers-kubernetesCRD-ingressClass" href="#opt-providers-kubernetesCRD-ingressClass" title="#opt-providers-kubernetesCRD-ingressClass">`providers.kubernetesCRD.ingressClass`</a> | Value of `spec.ingressClassName` field (or the deprecated `kubernetes.io/ingress.class` annotation) that identifies resource objects to be processed.<br />If empty, resources missing the field/annotation, having an empty value, or the value `traefik` are processed.<br />The `spec.ingressClassName` field takes precedence over the annotation. | ""      | No |
 | <a id="opt-providers-kubernetesCRD-throttleDuration" href="#opt-providers-kubernetesCRD-throttleDuration" title="#opt-providers-kubernetesCRD-throttleDuration">`providers.kubernetesCRD.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught. | 0s      | No |
 | <a id="opt-providers-kubernetesCRD-allowEmptyServices" href="#opt-providers-kubernetesCRD-allowEmptyServices" title="#opt-providers-kubernetesCRD-allowEmptyServices">`providers.kubernetesCRD.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.  | false   | No |
 | <a id="opt-providers-kubernetesCRD-allowCrossNamespace" href="#opt-providers-kubernetesCRD-allowCrossNamespace" title="#opt-providers-kubernetesCRD-allowCrossNamespace">`providers.kubernetesCRD.allowCrossNamespace`</a> | Allows the `IngressRoutes` to reference resources in namespaces other than theirs. | false   | No |
 | <a id="opt-providers-kubernetesCRD-allowExternalNameServices" href="#opt-providers-kubernetesCRD-allowExternalNameServices" title="#opt-providers-kubernetesCRD-allowExternalNameServices">`providers.kubernetesCRD.allowExternalNameServices`</a> | Allows the `IngressRoutes` to reference ExternalName services. | false   | No |
+| <a id="opt-providers-kubernetesCRD-crossProviderNamespaces" href="#opt-providers-kubernetesCRD-crossProviderNamespaces" title="#opt-providers-kubernetesCRD-crossProviderNamespaces">`providers.kubernetesCRD.crossProviderNamespaces`</a> | List of namespaces from which `IngressRoute`, `IngressRouteTCP`, `IngressRouteUDP`, and `TraefikService` are allowed to declare cross-provider references (e.g. `myservice@file`).<br />When unset, all namespaces are allowed. When set to `[]`, every cross-provider reference is rejected. | []      | No |
 | <a id="opt-providers-kubernetesCRD-nativeLBByDefault" href="#opt-providers-kubernetesCRD-nativeLBByDefault" title="#opt-providers-kubernetesCRD-nativeLBByDefault">`providers.kubernetesCRD.nativeLBByDefault`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `IngressRoute` by default.<br />It can be overridden in the [`Service`](../../../../reference/routing-configuration/kubernetes/crd/http/service.md#opt-nativeLB). | false   | No |
 | <a id="opt-providers-kubernetesCRD-disableClusterScopeResources" href="#opt-providers-kubernetesCRD-disableClusterScopeResources" title="#opt-providers-kubernetesCRD-disableClusterScopeResources">`providers.kubernetesCRD.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle IngressRoutes with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false   | No |

@@ -8,16 +8,15 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
 specification from the Kubernetes Special Interest Groups (SIGs).

-This provider supports Standard version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the Gateway API specification.
+This provider supports Standard version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the Gateway API specification.

-It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, and `GRPCRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute`, and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels). 
+It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, `GRPCRoute`, and `TLSRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute` from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).

 !!! info "Using The Helm Chart"

-    When using the Traefik [Helm Chart](../../../../getting-started/kubernetes.md#install-traefik), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
-    The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L323).
+    When using the Traefik [Helm Chart](../../../../getting-started/kubernetes.md#install-traefik), the RBAC (Role-Based Access Control) are automatically managed for you.

 ## Requirements

@@ -27,14 +26,14 @@ For more details, check out the conformance [report](https://github.com/kubernet

    ```bash
    # Install Gateway API CRDs from the Standard channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard-install.yaml
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
    ```

-2. Install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-gateway-rbac.yml).
+2. If you are not using the Helm Chart, install/update the Traefik [RBAC](../../../dynamic-configuration/kubernetes-gateway-rbac.yml) for Gateway API.

    ```bash
-    # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    # Install Traefik RBACs for Gateway API.
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
    ```

 ## Configuration Example
@@ -67,21 +66,24 @@ providers:

 <!-- markdownlint-disable MD013 -->

-| Field                                                                 | Description                                                                                                                                                                                                                                                                                                                                                                                           | Default | Required |
-|:----------------------------------------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**                  | 2s      | No       |
-| <a id="opt-providers-kubernetesGateway-endpoint" href="#opt-providers-kubernetesGateway-endpoint" title="#opt-providers-kubernetesGateway-endpoint">`providers.kubernetesGateway.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                                         | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-experimentalChannel" href="#opt-providers-kubernetesGateway-experimentalChannel" title="#opt-providers-kubernetesGateway-experimentalChannel">`providers.kubernetesGateway.experimentalChannel`</a> | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute` and `TLSRoute`)                                                                                                                                                                                    | false   | No       |
-| <a id="opt-providers-kubernetesGateway-token" href="#opt-providers-kubernetesGateway-token" title="#opt-providers-kubernetesGateway-token">`providers.kubernetesGateway.token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-certAuthFilePath" href="#opt-providers-kubernetesGateway-certAuthFilePath" title="#opt-providers-kubernetesGateway-certAuthFilePath">`providers.kubernetesGateway.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                            | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-namespaces" href="#opt-providers-kubernetesGateway-namespaces" title="#opt-providers-kubernetesGateway-namespaces">`providers.kubernetesGateway.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                                               | []      | No       |
-| <a id="opt-providers-kubernetesGateway-labelselector" href="#opt-providers-kubernetesGateway-labelselector" title="#opt-providers-kubernetesGateway-labelselector">`providers.kubernetesGateway.labelselector`</a> | Allow filtering on `GatewayClass` only. If left empty, Traefik processes all GatewayClass objects in the configured namespaces.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-throttleDuration" href="#opt-providers-kubernetesGateway-throttleDuration" title="#opt-providers-kubernetesGateway-throttleDuration">`providers.kubernetesGateway.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                                            | 0s      | No       |
-| <a id="opt-providers-kubernetesGateway-nativeLBByDefault" href="#opt-providers-kubernetesGateway-nativeLBByDefault" title="#opt-providers-kubernetesGateway-nativeLBByDefault">`providers.kubernetesGateway.nativeLBByDefault`</a> | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation.                                                                                                                                                                                                                   | false   | No       |
-| <a id="opt-providers-kubernetesGateway-statusAddress-hostname" href="#opt-providers-kubernetesGateway-statusAddress-hostname" title="#opt-providers-kubernetesGateway-statusAddress-hostname">`providers.kubernetesGateway.`<br />`statusAddress.hostname`</a> | Hostname copied to the Gateway `status.addresses`.                                                                                                                                                                                                                                                                                                                                                    | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-statusAddress-ip" href="#opt-providers-kubernetesGateway-statusAddress-ip" title="#opt-providers-kubernetesGateway-statusAddress-ip">`providers.kubernetesGateway.`<br />`statusAddress.ip`</a> | IP address copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6).                                                                                                                                                                                                                                                                                         | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-statusAddress-service-namespace" href="#opt-providers-kubernetesGateway-statusAddress-service-namespace" title="#opt-providers-kubernetesGateway-statusAddress-service-namespace">`providers.kubernetesGateway.`<br />`statusAddress.service.namespace`</a> | The namespace of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                                           | ""      | No       |
-| <a id="opt-providers-kubernetesGateway-statusAddress-service-name" href="#opt-providers-kubernetesGateway-statusAddress-service-name" title="#opt-providers-kubernetesGateway-statusAddress-service-name">`providers.kubernetesGateway.`<br />`statusAddress.service.name`</a> | The name of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                                                | ""      | No       |
+| Field                                                                 | Description                                                                                                                                                                                                                                                                                                                                                                          | Default | Required |
+|:----------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
+| <a id="opt-providers-kubernetesGateway-endpoint" href="#opt-providers-kubernetesGateway-endpoint" title="#opt-providers-kubernetesGateway-endpoint">`providers.kubernetesGateway.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-experimentalChannel" href="#opt-providers-kubernetesGateway-experimentalChannel" title="#opt-providers-kubernetesGateway-experimentalChannel">`providers.kubernetesGateway.experimentalChannel`</a> | Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).<br />(ex: `TCPRoute`)                                                                                                                                                                   | false   | No       |
+| <a id="opt-providers-kubernetesGateway-token" href="#opt-providers-kubernetesGateway-token" title="#opt-providers-kubernetesGateway-token">`providers.kubernetesGateway.token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-certAuthFilePath" href="#opt-providers-kubernetesGateway-certAuthFilePath" title="#opt-providers-kubernetesGateway-certAuthFilePath">`providers.kubernetesGateway.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-namespaces" href="#opt-providers-kubernetesGateway-namespaces" title="#opt-providers-kubernetesGateway-namespaces">`providers.kubernetesGateway.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                              | []      | No       |
+| <a id="opt-providers-kubernetesGateway-labelselector" href="#opt-providers-kubernetesGateway-labelselector" title="#opt-providers-kubernetesGateway-labelselector">`providers.kubernetesGateway.labelselector`</a> | Allow filtering on `GatewayClass` only. If left empty, Traefik processes all GatewayClass objects in the configured namespaces.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.                                                                                                                   | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-throttleDuration" href="#opt-providers-kubernetesGateway-throttleDuration" title="#opt-providers-kubernetesGateway-throttleDuration">`providers.kubernetesGateway.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0s      | No       |
+| <a id="opt-providers-kubernetesGateway-nativeLBByDefault" href="#opt-providers-kubernetesGateway-nativeLBByDefault" title="#opt-providers-kubernetesGateway-nativeLBByDefault">`providers.kubernetesGateway.nativeLBByDefault`</a> | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation.                                                                                                                                                                                                  | false   | No       |
+| <a id="opt-providers-kubernetesGateway-statusAddress-hostname" href="#opt-providers-kubernetesGateway-statusAddress-hostname" title="#opt-providers-kubernetesGateway-statusAddress-hostname">`providers.kubernetesGateway.`<br />`statusAddress.hostname`</a> | Hostname copied to the Gateway `status.addresses`.                                                                                                                                                                                                                                                                                                                                   | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-statusAddress-ip" href="#opt-providers-kubernetesGateway-statusAddress-ip" title="#opt-providers-kubernetesGateway-statusAddress-ip">`providers.kubernetesGateway.`<br />`statusAddress.ip`</a> | IP address copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6).                                                                                                                                                                                                                                                                        | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-statusAddress-service-namespace" href="#opt-providers-kubernetesGateway-statusAddress-service-namespace" title="#opt-providers-kubernetesGateway-statusAddress-service-namespace">`providers.kubernetesGateway.`<br />`statusAddress.service.namespace`</a> | The namespace of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                          | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-statusAddress-service-name" href="#opt-providers-kubernetesGateway-statusAddress-service-name" title="#opt-providers-kubernetesGateway-statusAddress-service-name">`providers.kubernetesGateway.`<br />`statusAddress.service.name`</a> | The name of the Kubernetes service to copy status addresses from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the Gateway `status.addresses`.                                                                                                               | ""      | No       |
+| <a id="opt-providers-kubernetesGateway-crossProviderNamespaces" href="#opt-providers-kubernetesGateway-crossProviderNamespaces" title="#opt-providers-kubernetesGateway-crossProviderNamespaces">`providers.kubernetesGateway.crossProviderNamespaces`</a> | List of namespaces from which Gateway API routes (`HTTPRoute`, `TCPRoute`, `TLSRoute`) are allowed to declare a `backendRef` of kind `TraefikService`.<br />When unset, all namespaces are allowed. When set to `[]`, every such backendRef is rejected and the route is dropped.                                                                                                    | []      | No       |
+| <a id="opt-providers-kubernetesgateway-qps" href="#opt-providers-kubernetesgateway-qps" title="#opt-providers-kubernetesgateway-qps">providers.kubernetesgateway.qps</a> | Defines the maximum QPS to the Kubernetes API server. Setting this to a negative value will disable client-side ratelimiting.                                                                                                                                                                                                                                                        | 50 | No       |
+| <a id="opt-providers-kubernetesgateway-burst" href="#opt-providers-kubernetesgateway-burst" title="#opt-providers-kubernetesgateway-burst">providers.kubernetesgateway.burst</a> | Defines the maximum burst of requests to the Kubernetes API server.                                                                                                                                                                                                                                                                                                                  | 100 | No |

 <!-- markdownlint-enable MD013 -->

@@ -19,8 +19,8 @@ It also supports many of the [ingress-nginx](https://kubernetes.github.io/ingres

 ## Requirements

-When you install Traefik without using the Helm Chart, 
-ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider. 
+When you install Traefik without using the Helm Chart,
+ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik Kubernetes Ingress NGINX provider.

 !!! note "Additional RBAC for Namespace Selector"

@@ -29,7 +29,7 @@ ensure that you add/update the [RBAC](https://kubernetes.io/docs/reference/acces

 ```bash
 # Install RBAC for Traefik Ingress NGINX provider:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
 ```

 ## Ingress Discovery
@@ -39,7 +39,7 @@ This provider discovers all Ingresses in the cluster by default, which may lead
 **Best Practices:**

 - Use IngressClass to specify which Ingresses should be handled by this provider
- Configure `watchNamespace` to limit discovery to specific namespaces
+- Configure `watchNamespace` to limit discovery to a single namespace
 - Use `watchNamespaceSelector` to target Ingresses based on namespace labels

 ### IngressClass Selection Logic
@@ -65,6 +65,28 @@ providers:
    controllerClass: "k8s.io/ingress-nginx"
    watchIngressWithoutClass: false
    ingressClassByName: false
+    globalAuthURL: "http://foo.com/auth"
+    proxyConnectTimeout: 60
+    proxyReadTimeout: 60
+    proxySendTimeout: 60
+    proxyRequestBuffering: false
+    clientBodyBufferSize: "16384" # 16k
+    proxyBuffering: false
+    proxyBodySize: "1048576"      # 1m
+    proxyBufferSize: "8192"       # 8k
+    proxyBuffersNumber: 4
+    upstreamKeepaliveTimeout: 60
+    customHTTPErrors:
+      - "404"
+      - "503"
+    allowCrossNamespaceResources: true
+    allowSnippetAnnotations: false
+    globalAllowedResponseHeaders:
+      - "X-Custom-Header1"
+      - "X-Custom-Header2"
+    ipAllowListStrategy:
+      depth: 2
+    strictValidatePathType: false
 ```

 ```toml tab="File (TOML)"
@@ -79,6 +101,25 @@ providers:
  controllerClass = "k8s.io/ingress-nginx"
  watchIngressWithoutClass = false
  ingressClassByName = false
+  globalAuthURL = "http://foo.com/auth"
+  proxyConnectTimeout = 60
+  proxyReadTimeout = 60
+  proxySendTimeout = 60
+  proxyRequestBuffering = false
+  clientBodyBufferSize = "16384" # 16k
+  proxyBuffering = false
+  proxyBodySize = "1048576"      # 1m
+  proxyBufferSize = "8192"       # 8k
+  proxyBuffersNumber = 4
+  upstreamKeepaliveTimeout = 60
+  customHTTPErrors = ["404", "503"]
+  allowCrossNamespaceResources = true
+  allowSnippetAnnotations = false
+  globalAllowedResponseHeaders = ["X-Custom-Header1", "X-Custom-Header2"]
+  strictValidatePathType = false
+
+[providers.kubernetesIngressNGINX.ipAllowListStrategy]
+  depth = 2
 ```

 ```bash tab="CLI"
@@ -88,6 +129,23 @@ providers:
 --providers.kubernetesingressnginx.controllerclass=k8s.io/ingress-nginx
 --providers.kubernetesingressnginx.watchingresswithoutclass=false
 --providers.kubernetesingressnginx.ingressclassbyname=false
+--providers.kubernetesingressnginx.globalauthurl=http://foo.com/auth
+--providers.kubernetesingressnginx.proxyconnecttimeout=60
+--providers.kubernetesingressnginx.proxyreadtimeout=60
+--providers.kubernetesingressnginx.proxysendtimeout=60
+--providers.kubernetesingressnginx.proxyrequestbuffering=false
+--providers.kubernetesingressnginx.clientbodybuffersize=16384 # 16k
+--providers.kubernetesingressnginx.proxybuffering=false
+--providers.kubernetesingressnginx.proxybodysize=1048576      # 1m
+--providers.kubernetesingressnginx.proxybuffersize=8192       # 8k
+--providers.kubernetesingressnginx.proxybuffersnumber=4
+--providers.kubernetesingressnginx.upstreamkeepalimetimeout=60
+--providers.kubernetesingressnginx.customhttperrors=404,503
+--providers.kubernetesingressnginx.allowCrossNamespaceResources=true
+--providers.kubernetesingressnginx.allowsnippetannotations=false
+--providers.kubernetesingressnginx.globalAllowedResponseHeaders=X-Custom-Header1,X-Custom-Header2
+--providers.kubernetesingressnginx.ipallowliststrategy.depth=2
+--providers.kubernetesingressnginx.strictvalidatepathtype=false
 ```

 ```yaml tab="Helm Chart Values"
@@ -120,23 +178,47 @@ This provider watches for incoming Ingress events and automatically translates N
 ## Configuration Options
 <!-- markdownlint-disable MD013 -->

-| Field                                                                                                                                                                                                                                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                          | Default | Required |
-|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-providers-providers-ThrottleDuration" href="#opt-providers-providers-ThrottleDuration" title="#opt-providers-providers-ThrottleDuration">`providers.providers`<br/>`ThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.** | 2s      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-endpoint" href="#opt-providers-kubernetesIngressNGINX-endpoint" title="#opt-providers-kubernetesIngressNGINX-endpoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                        | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-token" href="#opt-providers-kubernetesIngressNGINX-token" title="#opt-providers-kubernetesIngressNGINX-token">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                           | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-certAuthFilePath" href="#opt-providers-kubernetesIngressNGINX-certAuthFilePath" title="#opt-providers-kubernetesIngressNGINX-certAuthFilePath">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                           | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-throttleDuration" href="#opt-providers-kubernetesIngressNGINX-throttleDuration" title="#opt-providers-kubernetesIngressNGINX-throttleDuration">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                           | 0s      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchNamespace" href="#opt-providers-kubernetesIngressNGINX-watchNamespace" title="#opt-providers-kubernetesIngressNGINX-watchNamespace">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                      | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                | ""      | No       |
+| Field                                                                                                                                                                                                                                                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | Default | Required |
+|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------|:---------|
+| <a id="opt-providers-providers-ThrottleDuration" href="#opt-providers-providers-ThrottleDuration" title="#opt-providers-providers-ThrottleDuration">`providers.providers`<br/>`ThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**                                                                                                                                                                            | 2s     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-endpoint" href="#opt-providers-kubernetesIngressNGINX-endpoint" title="#opt-providers-kubernetesIngressNGINX-endpoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-token" href="#opt-providers-kubernetesIngressNGINX-token" title="#opt-providers-kubernetesIngressNGINX-token">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-certAuthFilePath" href="#opt-providers-kubernetesIngressNGINX-certAuthFilePath" title="#opt-providers-kubernetesIngressNGINX-certAuthFilePath">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-throttleDuration" href="#opt-providers-kubernetesIngressNGINX-throttleDuration" title="#opt-providers-kubernetesIngressNGINX-throttleDuration">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                                                                                                                                                                                                      | 0s     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-globalAuthURL" href="#opt-providers-kubernetesIngressNGINX-globalAuthURL" title="#opt-providers-kubernetesIngressNGINX-globalAuthURL">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`globalAuthURL`</a> | URL to the service that provides authentication for all the locations. Per-ingress `auth-url` annotation has precedence over this option.                                                                                                                                                                                                                                                                                                                                                                                                                        | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchNamespace" href="#opt-providers-kubernetesIngressNGINX-watchNamespace" title="#opt-providers-kubernetesIngressNGINX-watchNamespace">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespace`</a> | Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.                                                                                                                                                                                                                                                                                                                                                                                                                                 | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" href="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector" title="#opt-providers-kubernetesIngressNGINX-watchNamespaceSelector">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchNamespaceSelector`</a> | Selector selects namespaces the controller watches for updates to Kubernetes objects.                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | ""     | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-ingressClass" href="#opt-providers-kubernetesIngressNGINX-ingressClass" title="#opt-providers-kubernetesIngressNGINX-ingressClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClass`</a> | Name of the IngressClass this controller handles. When `ingressClassByName` is `true`, IngressClasses with this name are included in discovery regardless of their `spec.controller` value.                                                                                                                                                                                          | "nginx"      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                            | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                    | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-controllerClass" href="#opt-providers-kubernetesIngressNGINX-controllerClass" title="#opt-providers-kubernetesIngressNGINX-controllerClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`controllerClass`</a> | Ingress Class Controller value this controller satisfies.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" href="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass" title="#opt-providers-kubernetesIngressNGINX-watchIngressWithoutClass">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`watchIngressWithoutClass`</a> | Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified.                                                                                                                                                                                                                                                                                                                                                                                                                                               | false  | No       |
 | <a id="opt-providers-kubernetesIngressNGINX-ingressClassByName" href="#opt-providers-kubernetesIngressNGINX-ingressClassByName" title="#opt-providers-kubernetesIngressNGINX-ingressClassByName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ingressClassByName`</a> | When `true`, any IngressClass whose **name** matches `ingressClass` is include in discovery, even if its `spec.controller` does not match `controllerClass`. This is evaluated alongside the controller-based selection, not instead of it.                                                                                                                                          | false   | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-publishService" href="#opt-providers-kubernetesIngressNGINX-publishService" title="#opt-providers-kubernetesIngressNGINX-publishService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishService`</a> | Service fronting the Ingress controller. Takes the form `namespace/name`.                                                                                                                                                                                                                                                                                                            | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-publishStatusAddress" href="#opt-providers-kubernetesIngressNGINX-publishStatusAddress" title="#opt-providers-kubernetesIngressNGINX-publishStatusAddress">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishStatusAddress`</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.                                                                                                                                                                                                                                               | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-defaultBackendService" href="#opt-providers-kubernetesIngressNGINX-defaultBackendService" title="#opt-providers-kubernetesIngressNGINX-defaultBackendService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`defaultBackendService`</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.                                                                                                                                                                                                                                                                 | ""      | No       |
-| <a id="opt-providers-kubernetesIngressNGINX-disableSvcExternalName" href="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName" title="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`disableSvcExternalName`</a> | Disable support for Services of type ExternalName.                                                                                                                                                                                                                                                                                                                                   | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-publishService" href="#opt-providers-kubernetesIngressNGINX-publishService" title="#opt-providers-kubernetesIngressNGINX-publishService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishService`</a> | Service fronting the Ingress controller. Takes the form `namespace/name`.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-publishStatusAddress" href="#opt-providers-kubernetesIngressNGINX-publishStatusAddress" title="#opt-providers-kubernetesIngressNGINX-publishStatusAddress">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`publishStatusAddress`</a> | Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.                                                                                                                                                                                                                                                                                                                                                                                                                          | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-defaultBackendService" href="#opt-providers-kubernetesIngressNGINX-defaultBackendService" title="#opt-providers-kubernetesIngressNGINX-defaultBackendService">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`defaultBackendService`</a> | Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.                                                                                                                                                                                                                                                                                                                                                                                                                                            | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-disableSvcExternalName" href="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName" title="#opt-providers-kubernetesIngressNGINX-disableSvcExternalName">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`disableSvcExternalName`</a> | Disable support for Services of type ExternalName.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | false  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyConnectTimeout" href="#opt-providers-kubernetesIngressNGINX-proxyConnectTimeout" title="#opt-providers-kubernetesIngressNGINX-proxyConnectTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyConnectTimeout`</a> | Amount of time to wait until a connection to a server can be established. The value is unitless and in seconds. This is used as the global connection timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-connect-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout) annotation.                                                                                                           | 60     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyReadTimeout" href="#opt-providers-kubernetesIngressNGINX-proxyReadTimeout" title="#opt-providers-kubernetesIngressNGINX-proxyReadTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyReadTimeout`</a> | Amount of time between two successive read operations. The value is unitless and in seconds. This is used as the global read timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-read-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-read-timeout) annotation.                                                                                                                                         | 60     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxySendTimeout" href="#opt-providers-kubernetesIngressNGINX-proxySendTimeout" title="#opt-providers-kubernetesIngressNGINX-proxySendTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxySendTimeout`</a> | Amount of time between two successive write operations. The value is unitless and in seconds. This is used as the global send timeout when no ingress-specific timeout is configured. An ingress-specific timeout can be configured using [`nginx.ingress.kubernetes.io/proxy-send-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-send-timeout) annotation.                                                                                                                                         | 60     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyrequestbuffering" href="#opt-providers-kubernetesIngressNGINX-proxyrequestbuffering" title="#opt-providers-kubernetesIngressNGINX-proxyrequestbuffering">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyrequestbuffering`</a> | Defines whether request buffering is enabled by default for all ingresses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | false  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-clientBodyBufferSize" href="#opt-providers-kubernetesIngressNGINX-clientBodyBufferSize" title="#opt-providers-kubernetesIngressNGINX-clientBodyBufferSize">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`clientBodyBufferSize`</a> | Default buffer size for reading client request body in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 16384  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxybuffering" href="#opt-providers-kubernetesIngressNGINX-proxybuffering" title="#opt-providers-kubernetesIngressNGINX-proxybuffering">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxybuffering`</a> | Defines whether response buffering is enabled by default for all ingresses.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | false  | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyBodySize" href="#opt-providers-kubernetesIngressNGINX-proxyBodySize" title="#opt-providers-kubernetesIngressNGINX-proxyBodySize">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyBodySize`</a> | Default maximum size of a client request body in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 1048576 | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyBufferSize" href="#opt-providers-kubernetesIngressNGINX-proxyBufferSize" title="#opt-providers-kubernetesIngressNGINX-proxyBufferSize">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyBufferSize`</a> | Default buffer size for reading the response body in bytes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | 8192   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyBuffersNumber" href="#opt-providers-kubernetesIngressNGINX-proxyBuffersNumber" title="#opt-providers-kubernetesIngressNGINX-proxyBuffersNumber">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyBuffersNumber`</a> | Default number of buffers for reading a response.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | 4               | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyNextUpstreama" href="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreama" title="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreama">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyNextUpstream`</a></a> | Defines in which cases a request should be retried. Accepted values are a space-separated list of: `error`, `timeout`, `http_XXX` (e.g. http_502), `non_idempotent`, and `off` (disables retry). This is used as the global proxy-next-upstream configuration when no ingress-specific value is configured. An ingress-specific configuration can be set using [`nginx.ingress.kubernetes.io/proxy-next-upstream`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-next-upstream) annotation.                  | "error timeout" | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTriesa" href="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTriesa" title="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTriesa">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyNextUpstreamTries`</a></a> | Limits the number of possible tries if the backend server does not reply. 0 means unlimited tries, which is capped to the number of available servers. This is used as the global retry count configuration when no ingress-specific value is configured. An ingress-specific retry limit can be set using [`nginx.ingress.kubernetes.io/proxy-next-upstream-tries`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries) annotation.                                                          | 3               | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeouta" href="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeouta" title="#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeouta">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`proxyNextUpstreamTimeout`</a></a> | Limits the total elapsed time to retry the request if the backend server does not reply. Timeout value is unitless and in seconds. 0 means no timeout. This is used as the global retry timeout when no ingress-specific value is configured. An ingress-specific retry timeout can be set using [`nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`](../../../../routing-configuration/kubernetes/ingress-nginx/#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout) annotation.                                                                | 0               | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-upstreamKeepaliveTimeout" href="#opt-providers-kubernetesIngressNGINX-upstreamKeepaliveTimeout" title="#opt-providers-kubernetesIngressNGINX-upstreamKeepaliveTimeout">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`upstreamKeepaliveTimeout`</a> | Defines the idle timeout for keep-alive connections to upstream servers. The value is unitless and in seconds.                                                                                                                                                                                                                                                                                                                                                                                                                                                   | 60              | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-customHTTPErrors" href="#opt-providers-kubernetesIngressNGINX-customHTTPErrors" title="#opt-providers-kubernetesIngressNGINX-customHTTPErrors">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`customHTTPErrors`<br/></a> | Defines which status should result in calling the default backend to return an error page.                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | []              | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-allowCrossNamespaceResources" href="#opt-providers-kubernetesIngressNGINX-allowCrossNamespaceResources" title="#opt-providers-kubernetesIngressNGINX-allowCrossNamespaceResources">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`allowCrossNamespaceResources`</a> | Allow Ingress to reference resources (e.g. ConfigMaps, Secrets) in different namespaces.                                                                                                                                                                                                                                                                                                                                                              | false   | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-globalAllowedResponseHeaders" href="#opt-providers-kubernetesIngressNGINX-globalAllowedResponseHeaders" title="#opt-providers-kubernetesIngressNGINX-globalAllowedResponseHeaders">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`globalAllowedResponseHeaders`</a> | List of allowed response headers inside the custom headers annotations. It is required to configure it for the custom headers annotations to take effect.                                                                                                                                                                                                                                                                                                                                                                                                       | []      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy`</a> | Defines the IP strategy to determine the client IP for `allowlist-source-range` and `whitelist-source-range` annotations. When set, the strategy is applied to every generated IPAllowList middleware.                                                                                                                                                                                                                                                                                                                                                            | -       | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-depth" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-depth" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-depth">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy.`<br/>`depth`</a> | Number of trusted proxy hops to skip when extracting the client IP from the `X-Forwarded-For` header. 0 disables depth-based extraction.                                                                                                                                                                                                                                                                                                                                                                                                                         | 0       | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-excludedIPs" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-excludedIPs" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-excludedIPs">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy.`<br/>`excludedIPs`</a> | List of IPs to exclude when scanning the `X-Forwarded-For` header to find the client IP.                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | []      | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-ipv6Subnet" href="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-ipv6Subnet" title="#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy-ipv6Subnet">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`ipAllowListStrategy.`<br/>`ipv6Subnet`</a> | IPv6 subnet size used to group IPv6 addresses when checking the allow list. 0 disables subnet grouping.                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 0       | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-httpentrypoint" href="#opt-providers-kubernetesIngressNGINX-httpentrypoint" title="#opt-providers-kubernetesIngressNGINX-httpentrypoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`httpentrypoint`</a> | Defines the EntryPoint to use for HTTP requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-httpsentrypoint" href="#opt-providers-kubernetesIngressNGINX-httpsentrypoint" title="#opt-providers-kubernetesIngressNGINX-httpsentrypoint">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`httpsentrypoint`</a> | Defines the EntryPoint to use for HTTPS requests.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | ""     | No       |
+| <a id="opt-providers-kubernetesIngressNGINX-strictValidatePathType" href="#opt-providers-kubernetesIngressNGINX-strictValidatePathType" title="#opt-providers-kubernetesIngressNGINX-strictValidatePathType">`providers.`<br/>`kubernetesIngressNGINX.`<br/>`strictValidatePathType`</a> | Defines whether to reject the entire ingress when any path contains regex characters and pathType is Prefix or Exact.                                                                                                                                                                                                                                                                                                                                                                                                                                          | true            | No       |

 <!-- markdownlint-enable MD013 -->

@@ -45,25 +45,27 @@ which in turn creates the resulting routers, services, handlers, etc.

 <!-- markdownlint-disable MD013 -->

-| Field                                                               | Description    | Default | Required |
-| :------------------------------------------------------------------ | :------------- | :------ | :------- |
-| <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**     | 2s      | No       |
-| <a id="opt-providers-kubernetesIngress-endpoint" href="#opt-providers-kubernetesIngress-endpoint" title="#opt-providers-kubernetesIngress-endpoint">`providers.kubernetesIngress.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).   | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-token" href="#opt-providers-kubernetesIngress-token" title="#opt-providers-kubernetesIngress-token">`providers.kubernetesIngress.token`</a> | Bearer token used for the Kubernetes client configuration.  | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-certAuthFilePath" href="#opt-providers-kubernetesIngress-certAuthFilePath" title="#opt-providers-kubernetesIngress-certAuthFilePath">`providers.kubernetesIngress.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.  | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-namespaces" href="#opt-providers-kubernetesIngress-namespaces" title="#opt-providers-kubernetesIngress-namespaces">`providers.kubernetesIngress.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.   |         | No       |
-| <a id="opt-providers-kubernetesIngress-labelselector" href="#opt-providers-kubernetesIngress-labelselector" title="#opt-providers-kubernetesIngress-labelselector">`providers.kubernetesIngress.labelselector`</a> | Allow filtering on `Ingress` objects using label selectors.<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.        | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-ingressClass" href="#opt-providers-kubernetesIngress-ingressClass" title="#opt-providers-kubernetesIngress-ingressClass">`providers.kubernetesIngress.ingressClass`</a> | The `IngressClass` resource name or the `kubernetes.io/ingress.class` annotation value that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed.     | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-disableIngressClassLookup" href="#opt-providers-kubernetesIngress-disableIngressClassLookup" title="#opt-providers-kubernetesIngress-disableIngressClassLookup">`providers.kubernetesIngress.disableIngressClassLookup`</a> | Prevent to discover IngressClasses in the cluster.<br />It alleviates the requirement of giving Traefik the rights to look IngressClasses up.<br />Ignore Ingresses with IngressClass.<br />Annotations are not affected by this option.   | false   | No       |
-| <a id="opt-providers-kubernetesIngress-ingressEndpoint-hostname" href="#opt-providers-kubernetesIngress-ingressEndpoint-hostname" title="#opt-providers-kubernetesIngress-ingressEndpoint-hostname">`providers.kubernetesIngress.`<br />`ingressEndpoint.hostname`</a> | Hostname used for Kubernetes Ingress endpoints.  | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-ingressEndpoint-ip" href="#opt-providers-kubernetesIngress-ingressEndpoint-ip" title="#opt-providers-kubernetesIngress-ingressEndpoint-ip">`providers.kubernetesIngress.`<br />`ingressEndpoint.ip`</a> | This IP will get copied to the Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6). | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-ingressEndpoint-publishedService" href="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService" title="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService">`providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService`</a> | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice). | ""      | No       |
-| <a id="opt-providers-kubernetesIngress-throttleDuration" href="#opt-providers-kubernetesIngress-throttleDuration" title="#opt-providers-kubernetesIngress-throttleDuration">`providers.kubernetesIngress.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.  | 0s      | No       |
-| <a id="opt-providers-kubernetesIngress-allowEmptyServices" href="#opt-providers-kubernetesIngress-allowEmptyServices" title="#opt-providers-kubernetesIngress-allowEmptyServices">`providers.kubernetesIngress.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.  | false   | No       |
-| <a id="opt-providers-kubernetesIngress-allowExternalNameServices" href="#opt-providers-kubernetesIngress-allowExternalNameServices" title="#opt-providers-kubernetesIngress-allowExternalNameServices">`providers.kubernetesIngress.allowExternalNameServices`</a> | Allows the `Ingress` to reference ExternalName services.   | false   | No       |
-| <a id="opt-providers-kubernetesIngress-nativeLBByDefault" href="#opt-providers-kubernetesIngress-nativeLBByDefault" title="#opt-providers-kubernetesIngress-nativeLBByDefault">`providers.kubernetesIngress.nativeLBByDefault`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default.<br />It can be overridden in the [`Service`](../../../../reference/routing-configuration/kubernetes/crd/http/service.md#opt-nativeLB)         | false   | No       |
-| <a id="opt-providers-kubernetesIngress-disableClusterScopeResources" href="#opt-providers-kubernetesIngress-disableClusterScopeResources" title="#opt-providers-kubernetesIngress-disableClusterScopeResources">`providers.kubernetesIngress.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services. | false   | No       |
-| <a id="opt-providers-kubernetesIngress-strictPrefixMatching" href="#opt-providers-kubernetesIngress-strictPrefixMatching" title="#opt-providers-kubernetesIngress-strictPrefixMatching">`providers.kubernetesIngress.strictPrefixMatching`</a> | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`.                           | false   | No       |
+| Field                                                                                                                                                                                                                                                                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Default | Required |
+|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-providers-providersThrottleDuration" href="#opt-providers-providersThrottleDuration" title="#opt-providers-providersThrottleDuration">`providers.providersThrottleDuration`</a> | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**                                                                                  | 2s      | No       |
+| <a id="opt-providers-kubernetesIngress-endpoint" href="#opt-providers-kubernetesIngress-endpoint" title="#opt-providers-kubernetesIngress-endpoint">`providers.kubernetesIngress.endpoint`</a> | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                                                                                                         | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-token" href="#opt-providers-kubernetesIngress-token" title="#opt-providers-kubernetesIngress-token">`providers.kubernetesIngress.token`</a> | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-certAuthFilePath" href="#opt-providers-kubernetesIngress-certAuthFilePath" title="#opt-providers-kubernetesIngress-certAuthFilePath">`providers.kubernetesIngress.certAuthFilePath`</a> | Path to the certificate authority file.<br />Used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-namespaces" href="#opt-providers-kubernetesIngress-namespaces" title="#opt-providers-kubernetesIngress-namespaces">`providers.kubernetesIngress.namespaces`</a> | Array of namespaces to watch.<br />If left empty, watch all namespaces.                                                                                                                                                                                                                                                                                                                                                                                               |         | No       |
+| <a id="opt-providers-kubernetesIngress-labelselector" href="#opt-providers-kubernetesIngress-labelselector" title="#opt-providers-kubernetesIngress-labelselector">`providers.kubernetesIngress.labelselector`</a> | Allow filtering on `Ingress` objects using label selectors.<br />No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.<br />See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.                                                                                                                                                                                               | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-ingressClass" href="#opt-providers-kubernetesIngress-ingressClass" title="#opt-providers-kubernetesIngress-ingressClass">`providers.kubernetesIngress.ingressClass`</a> | The `IngressClass` resource name or the `kubernetes.io/ingress.class` annotation value that identifies resource objects to be processed.<br />If empty, resources missing the annotation, having an empty value, or the value `traefik` are processed.                                                                                                                                                                                                                | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-disableIngressClassLookup" href="#opt-providers-kubernetesIngress-disableIngressClassLookup" title="#opt-providers-kubernetesIngress-disableIngressClassLookup">`providers.kubernetesIngress.disableIngressClassLookup`</a> | Prevent to discover IngressClasses in the cluster.<br />It alleviates the requirement of giving Traefik the rights to look IngressClasses up.<br />Ignore Ingresses with IngressClass.<br />Annotations are not affected by this option.                                                                                                                                                                                                                              | false   | No       |
+| <a id="opt-providers-kubernetesIngress-ingressEndpoint-hostname" href="#opt-providers-kubernetesIngress-ingressEndpoint-hostname" title="#opt-providers-kubernetesIngress-ingressEndpoint-hostname">`providers.kubernetesIngress.`<br />`ingressEndpoint.hostname`</a> | Hostname used for Kubernetes Ingress endpoints.                                                                                                                                                                                                                                                                                                                                                                                                                       | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-ingressEndpoint-ip" href="#opt-providers-kubernetesIngress-ingressEndpoint-ip" title="#opt-providers-kubernetesIngress-ingressEndpoint-ip">`providers.kubernetesIngress.`<br />`ingressEndpoint.ip`</a> | This IP will get copied to the Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6).                                                                                                                                                                                                                                                                                                                                             | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-ingressEndpoint-publishedService" href="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService" title="#opt-providers-kubernetesIngress-ingressEndpoint-publishedService">`providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService`</a> | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice).                                                                                                                                                                                                                                                                                                                                                           | ""      | No       |
+| <a id="opt-providers-kubernetesIngress-reportNodeInternalIPs" href="#opt-providers-kubernetesIngress-reportNodeInternalIPs" title="#opt-providers-kubernetesIngress-reportNodeInternalIPs">`providers.kubernetesIngress.reportNodeInternalIPs`</a> | Report node internal IPs in Ingress status.<br />Incompatible with `ingressEndpoint` and `disableClusterScopeResources`.<br />More information [here](#reportnodeinternalips).                                                                                                                                                                                                                                                                                       | false   | No       |
+| <a id="opt-providers-kubernetesIngress-throttleDuration" href="#opt-providers-kubernetesIngress-throttleDuration" title="#opt-providers-kubernetesIngress-throttleDuration">`providers.kubernetesIngress.throttleDuration`</a> | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                                                                                                            | 0s      | No       |
+| <a id="opt-providers-kubernetesIngress-allowEmptyServices" href="#opt-providers-kubernetesIngress-allowEmptyServices" title="#opt-providers-kubernetesIngress-allowEmptyServices">`providers.kubernetesIngress.allowEmptyServices`</a> | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.                                                                                                                                                                                                                 | false   | No       |
+| <a id="opt-providers-kubernetesIngress-allowExternalNameServices" href="#opt-providers-kubernetesIngress-allowExternalNameServices" title="#opt-providers-kubernetesIngress-allowExternalNameServices">`providers.kubernetesIngress.allowExternalNameServices`</a> | Allows the `Ingress` to reference ExternalName services.                                                                                                                                                                                                                                                                                                                                                                                                              | false   | No       |
+| <a id="opt-providers-kubernetesIngress-crossProviderNamespaces" href="#opt-providers-kubernetesIngress-crossProviderNamespaces" title="#opt-providers-kubernetesIngress-crossProviderNamespaces">`providers.kubernetesIngress.crossProviderNamespaces`</a> | List of namespaces from which Ingresses or Services are allowed to use `traefik.ingress.kubernetes.io/router.middlewares`, `traefik.ingress.kubernetes.io/router.tls.options`, or `traefik.ingress.kubernetes.io/service.serverstransport` annotations.<br />When unset, all namespaces are allowed. When set to `[]`, every cross-provider reference is rejected.                                                                                                          | []      | No       |
+| <a id="opt-providers-kubernetesIngress-nativeLBByDefault" href="#opt-providers-kubernetesIngress-nativeLBByDefault" title="#opt-providers-kubernetesIngress-nativeLBByDefault">`providers.kubernetesIngress.nativeLBByDefault`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default.<br />It can be overridden in the [`Service`](../../../../reference/routing-configuration/kubernetes/crd/http/service.md#opt-nativeLB)                                                                                                                                                                                       | false   | No       |
+| <a id="opt-providers-kubernetesIngress-disableClusterScopeResources" href="#opt-providers-kubernetesIngress-disableClusterScopeResources" title="#opt-providers-kubernetesIngress-disableClusterScopeResources">`providers.kubernetesIngress.disableClusterScopeResources`</a> | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`).<br />By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.<br />Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).<br />This will also prevent from using the `NodePortLB` options on services and is incompatible with `reportNodeInternalIPs`. | false   | No       |
+| <a id="opt-providers-kubernetesIngress-strictPrefixMatching" href="#opt-providers-kubernetesIngress-strictPrefixMatching" title="#opt-providers-kubernetesIngress-strictPrefixMatching">`providers.kubernetesIngress.strictPrefixMatching`</a> | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`.                                                                                                                                                                                                      | false   | No       |

 <!-- markdownlint-enable MD013 -->

@@ -137,6 +139,31 @@ providers:
 --providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
 ```

+### `reportNodeInternalIPs`
+
+When set to `true`, Traefik reports the internal IPs of all nodes in the cluster into the `status.loadBalancer.ingress` field of each managed Ingress resource.
+
+This is the equivalent of ingress-nginx's `--report-node-internal-ip-address` flag and is the recommended approach for bare-metal Kubernetes deployments where Traefik runs as a DaemonSet without a cloud LoadBalancer or MetalLB.
+
+This option requires cluster-scope access to Node resources and is mutually exclusive with `ingressEndpoint` and `disableClusterScopeResources`.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    reportNodeInternalIPs: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  reportNodeInternalIPs = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.reportnodeinternalips=true
+```
+
 ## Routing Configuration

 See the dedicated section in [routing](../../../../reference/routing-configuration/kubernetes/ingress.md).
@@ -165,4 +165,62 @@ you can do so in two different ways:
    - [Kubernetes Gateway API](./kubernetes/kubernetes-gateway.md#opt-providers-kubernetesGateway-labelselector)
    - [Kubernetes Ingress](./kubernetes/kubernetes-ingress.md#opt-providers-kubernetesIngress-labelselector)

+## Providers Precedence
+
+### `providers.precedence`
+
+_Optional_
+
+When two routers from **different providers** define the same rule with equal numeric [priority](../../routing-configuration/http/routing/rules-and-priority.md#priority-calculation),
+the `precedence` option determines which provider's route takes precedence.
+
+The list is ordered from highest to lowest precedence: a provider listed first wins over providers listed later.
+
+```yaml tab="File (YAML)"
+providers:
+  precedence:
+    - kubernetescrd
+    - kubernetes
+    - file
+```
+
+```toml tab="File (TOML)"
+[providers]
+  precedence = ["kubernetescrd", "kubernetes", "file"]
+```
+
+```bash tab="CLI"
+--providers.precedence=kubernetescrd,kubernetes,file
+```
+
+#### Default precedence
+
+When `precedence` is not set, Traefik uses the following default order (highest precedence first):
+
+| Position | Provider name            |
+|----------|--------------------------|
+| <a id="opt-1" href="#opt-1" title="#opt-1">1</a> | `kubernetesgateway`      |
+| <a id="opt-2" href="#opt-2" title="#opt-2">2</a> | `kubernetescrd`          |
+| <a id="opt-3" href="#opt-3" title="#opt-3">3</a> | `kubernetes`             |
+| <a id="opt-4" href="#opt-4" title="#opt-4">4</a> | `kubernetesingressnginx` |
+| <a id="opt-5" href="#opt-5" title="#opt-5">5</a> | `swarm`                  |
+| <a id="opt-6" href="#opt-6" title="#opt-6">6</a> | `docker`                 |
+| <a id="opt-7" href="#opt-7" title="#opt-7">7</a> | `file`                   |
+| <a id="opt-8" href="#opt-8" title="#opt-8">8</a> | `redis`                  |
+| <a id="opt-9" href="#opt-9" title="#opt-9">9</a> | `knative`                |
+| <a id="opt-10" href="#opt-10" title="#opt-10">10</a> | `consul`                 |
+| <a id="opt-11" href="#opt-11" title="#opt-11">11</a> | `consulcatalog`          |
+| <a id="opt-12" href="#opt-12" title="#opt-12">12</a> | `nomad`                  |
+| <a id="opt-13" href="#opt-13" title="#opt-13">13</a> | `etcd`                   |
+| <a id="opt-14" href="#opt-14" title="#opt-14">14</a> | `ecs`                    |
+| <a id="opt-15" href="#opt-15" title="#opt-15">15</a> | `http`                   |
+| <a id="opt-16" href="#opt-16" title="#opt-16">16</a> | `zookeeper`              |
+| <a id="opt-17" href="#opt-17" title="#opt-17">17</a> | `rest`                   |
+
+!!! note
+
+    - `precedence` only acts as a **tiebreaker**: it is applied only when two routes from different providers share the same numeric `priority` value. An explicit router priority always takes precedence.
+    - A provider absent from `precedence` loses to any listed provider.
+    - Provider names are case-insensitive.
+
 {% include-markdown "includes/traefik-for-business-applications.md" %}
@@ -91,6 +91,7 @@ ACME certificate resolvers have the following configuration options:
 | <a id="opt-acme-certificatesDuration" href="#opt-acme-certificatesDuration" title="#opt-acme-certificatesDuration">`acme.certificatesDuration`</a> | The certificates' duration in hours, exclusively used to determine renewal dates. | 2160 | No |
 | <a id="opt-acme-clientTimeout" href="#opt-acme-clientTimeout" title="#opt-acme-clientTimeout">`acme.clientTimeout`</a> | Timeout for HTTP Client used to communicate with the ACME server. | 2m | No |
 | <a id="opt-acme-clientResponseHeaderTimeout" href="#opt-acme-clientResponseHeaderTimeout" title="#opt-acme-clientResponseHeaderTimeout">`acme.clientResponseHeaderTimeout`</a> | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s | No |
+| <a id="opt-acme-certificateTimeout" href="#opt-acme-certificateTimeout" title="#opt-acme-certificateTimeout">`acme.certificateTimeout`</a> | Timeout for obtaining the certificate during the finalization request. Set this if the ACME server is slow to issue a certificate. | 30s | No |
 | <a id="opt-acme-dnsChallenge" href="#opt-acme-dnsChallenge" title="#opt-acme-dnsChallenge">`acme.dnsChallenge`</a> | Enable DNS-01 challenge. More information [here](#dnschallenge). | - | No |
 | <a id="opt-acme-dnsChallenge-provider" href="#opt-acme-dnsChallenge-provider" title="#opt-acme-dnsChallenge-provider">`acme.dnsChallenge.provider`</a> | DNS provider to use. | "" | No |
 | <a id="opt-acme-dnsChallenge-resolvers" href="#opt-acme-dnsChallenge-resolvers" title="#opt-acme-dnsChallenge-resolvers">`acme.dnsChallenge.resolvers`</a> | DNS servers to resolve the FQDN authority. | [] | No |
@@ -35,6 +35,11 @@ http:
          - "spiffe://example.org/id1"
          - "spiffe://example.org/id2"
        trustDomain: "example.org"
+      cipherSuites: 
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      minVersion: VersionTLS12
+      maxVersion: VersionTLS12
 ```

 ```toml tab="Structured (TOML)"
@@ -46,6 +51,9 @@ http:
  maxIdleConnsPerHost = 100
  disableHTTP2 = true
  peerCertURI = "spiffe://example.org/peer"
+  cipherSuites = ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
+  minVersion = "VersionTLS12"
+  maxVersion = "VersionTLS12"

  [http.serversTransports.mytransport.forwardingTimeouts]
    dialTimeout = "30s"
@@ -100,6 +108,9 @@ labels:
 | <a id="opt-certificates" href="#opt-certificates" title="#opt-certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS.                        | []      | No       |
 | <a id="opt-insecureSkipVerify" href="#opt-insecureSkipVerify" title="#opt-insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified.                                                               | false   | No       |
 | <a id="opt-rootcas" href="#opt-rootcas" title="#opt-rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections).                                   | []      | No       |
+| <a id="opt-cipherSuites" href="#opt-cipherSuites" title="#opt-cipherSuites">`cipherSuites`</a> | Defines the cipher suites to use when contacting backend servers. | [] | No |
+| <a id="opt-minVersion" href="#opt-minVersion" title="#opt-minVersion">`minVersion`</a> | Defines the minimum TLS version to use when contacting backend servers. | "" | No |
+| <a id="opt-maxVersion" href="#opt-maxVersion" title="#opt-maxVersion">`maxVersion`</a> | Defines the maximum TLS version to use when contacting backend servers. | "" | No |
 | <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host.                                                                                  | 200     | No       |
 | <a id="opt-disableHTTP2" href="#opt-disableHTTP2" title="#opt-disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers.                                                                                            | false   | No       |
 | <a id="opt-peerCertURI" href="#opt-peerCertURI" title="#opt-peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                             | ""      | No       |
@@ -336,7 +336,7 @@ When set to a negative number, the cookie expires immediately.
 By default, the affinity cookie is created without those flags.
 One however can change that through configuration.

-`SameSite` can be `none`, `lax`, `strict` or empty.
+`SameSite` can be `none`, `lax`, `strict` or empty. Values are case-insensitive.

 #### Domain

@@ -483,6 +483,67 @@ Below are the available options for the passive health check mechanism:
 | <a id="opt-failureWindow" href="#opt-failureWindow" title="#opt-failureWindow">`failureWindow`</a> | Defines the time window during which the failed attempts must occur for the server to be marked as unhealthy. It also defines for how long the server will be considered unhealthy. | 10s     | No       |
 | <a id="opt-maxFailedAttempts" href="#opt-maxFailedAttempts" title="#opt-maxFailedAttempts">`maxFailedAttempts`</a> | Defines the number of consecutive failed attempts allowed within the failure window before marking the server as unhealthy.                                                         | 1       | No       |

+### Middlewares
+
+You can attach a list of [middlewares](../middlewares/overview.md) to each HTTP service.
+The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.
+
+!!! info "Middlewares Execution Order"
+
+    When both a router and a service have middlewares configured, the router middlewares are applied first, followed by the service middlewares.
+    This means the request passes through router middlewares before reaching service middlewares.
+
+!!! info "Supported Providers"
+
+    Service-level middlewares can be configured with the [File](../../../install-configuration/providers/others/file.md), [Docker](../../other-providers/docker.md), [Swarm](../../other-providers/docker.md), [Kubernetes IngressRoute](../../kubernetes/crd/http/ingressroute.md), [Kubernetes Ingress](../../kubernetes/ingress.md), and [Kubernetes Gateway API](../../kubernetes/gateway-api.md) providers.
+
+??? example "Attaching Middlewares to a Service -- Using the [File Provider](../../../install-configuration/providers/others/file.md)"
+
+    ```yaml tab="Structured (YAML)"
+    ## Dynamic configuration
+    http:
+      services:
+        my-service:
+          middlewares:
+            - add-header
+          loadBalancer:
+            servers:
+              - url: "http://127.0.0.1:8080"
+
+      middlewares:
+        add-header:
+          headers:
+            customRequestHeaders:
+              X-Custom-Header: "service-middleware"
+    ```
+
+    ```toml tab="Structured (TOML)"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.my-service]
+        middlewares = ["add-header"]
+        [http.services.my-service.loadBalancer]
+          [[http.services.my-service.loadBalancer.servers]]
+            url = "http://127.0.0.1:8080"
+
+    [http.middlewares]
+      [http.middlewares.add-header.headers]
+        [http.middlewares.add-header.headers.customRequestHeaders]
+          X-Custom-Header = "service-middleware"
+    ```
+
+??? example "Attaching Middlewares to a Service -- Using [Docker Labels](../../other-providers/docker.md)"
+
+    ```yaml
+    labels:
+      # Define the middleware
+      - "traefik.http.middlewares.add-header.headers.customRequestHeaders.X-Custom-Header=service-middleware"
+      # Attach middleware to the service (at service level, not loadBalancer level)
+      - "traefik.http.services.my-service.middlewares=add-header"
+      # Configure the service
+      - "traefik.http.services.my-service.loadbalancer.server.port=8080"
+    ```
+
 ## Advanced Service Types

 Advanced service types allow you to compose multiple services together for weighted distribution, consistent hashing, mirroring, or failover scenarios.
@@ -760,7 +821,7 @@ The `mirroring` service type mirrors requests sent to a service to other service
 !!! info "Supported Providers"

    This service type can be defined currently with the [File](../../../install-configuration/providers/others/file.md) provider or [IngressRoute](../../../routing-configuration/kubernetes/crd/http/ingressroute.md).
-    
+
 ```yaml tab="Structured (YAML)"
 ## Routing configuration
 http:
@@ -887,15 +948,19 @@ http:
        url = "http://private-ip-server-2/"
 ```

-### Failover 
+### Failover

-The `failover` service type forwards all requests to a fallback service when the main service becomes unreachable.
+The `failover` service type forwards requests to a fallback service when the main service is unavailable.
+Failover can be triggered in two ways:
+
+- **Health check-based**: When the main service becomes unreachable based on [health checks](#health-check).
+- **Status code-based**: When the main service responds with specific HTTP status codes defined in the [errors](#errors) configuration.

 !!! info "Relation to HealthCheck"
    The failover service relies on the HealthCheck system to get notified when its main service becomes unreachable, which means HealthCheck needs to be enabled and functional on the main service. However, HealthCheck does not need to be enabled on the failover service itself for it to be functional. It is only required in order to propagate upwards the information when the failover itself becomes down (i.e. both its main and its fallback are down too).

-!!! info "Supported Provider"
-    This service type can currently only be defined with the [File](../../../install-configuration/providers/others/file.md) provider.
+!!! info "Supported Providers"
+    This service type can be defined with the [File](../../../install-configuration/providers/others/file.md) and [Kubernetes CRD](../../../install-configuration/providers/kubernetes/kubernetes-crd.md) providers.

 #### HealthCheck

@@ -905,7 +970,7 @@ HealthCheck enables automatic self-healthcheck for this service, i.e. if the mai

    If HealthCheck is enabled for a given service and any of its descendants does not have it enabled, the creation of the service will fail.

-    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md).  
+    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../install-configuration/providers/others/file.md). 

 ```yaml tab="Structured (YAML)"
 ## Routing configuration
@@ -940,15 +1005,15 @@ http:
 ## Routing configuration
 [http.services]
  [http.services.app]
-    [http.services.app.failover.healthCheck]
    [http.services.app.failover]
      service = "main"
      fallback = "backup"
+      [http.services.app.failover.healthCheck]

  [http.services.main]
    [http.services.main.loadBalancer]
      [http.services.main.loadBalancer.healthCheck]
-        path = "/health"
+        path = "/status"
        interval = "10s"
        timeout = "3s"
      [[http.services.main.loadBalancer.servers]]
@@ -957,9 +1022,163 @@ http:
  [http.services.backup]
    [http.services.backup.loadBalancer]
      [http.services.backup.loadBalancer.healthCheck]
-        path = "/health"
+        path = "/status"
        interval = "10s"
        timeout = "3s"
      [[http.services.backup.loadBalancer.servers]]
        url = "http://private-ip-server-2/"
 ```
+
+#### Errors
+
+The `errors` option enables status code-based failover.
+When the main service responds with an HTTP status code matching one of the configured ranges, Traefik automatically retries the request on the fallback service.
+
+To support request replay, the request body is buffered up to `maxRequestBodyBytes`.
+Requests with bodies larger than this limit receive a `413 Request Entity Too Large` response.
+
+Below is a list of options available for the `errors` option and an example of how to configure it for a failover service:
+
+| Field                 | Description                                                                                                       | Default |
+|-----------------------|-------------------------------------------------------------------------------------------------------------------|---------|
+| <a id="opt-status-2" href="#opt-status-2" title="#opt-status-2">`status`</a> | List of HTTP status code ranges that trigger failover. Supports single codes (`"500"`) and ranges (`"500-504"`).  | None    |
+| <a id="opt-maxRequestBodyBytes" href="#opt-maxRequestBodyBytes" title="#opt-maxRequestBodyBytes">`maxRequestBodyBytes`</a> | Maximum request body size (in bytes) to buffer for replay to the fallback service. Set to `-1` for no limit.      | `-1`    |
+
+```yaml tab="Structured (YAML)"
+## Routing configuration
+http:
+  services:
+    app:
+      failover:
+        service: main
+        fallback: backup
+        errors:
+          status:
+            - "500-504"
+          maxRequestBodyBytes: 1048576
+
+    main:
+      loadBalancer:
+        servers:
+          - url: "http://private-ip-server-1/"
+
+    backup:
+      loadBalancer:
+        servers:
+          - url: "http://private-ip-server-2/"
+```
+
+```toml tab="Structured (TOML)"
+## Routing configuration
+[http.services]
+  [http.services.app]
+    [http.services.app.failover]
+      service = "main"
+      fallback = "backup"
+      [http.services.app.failover.errors]
+        status = ["500-504"]
+        maxRequestBodyBytes = 1048576
+
+  [http.services.main]
+    [http.services.main.loadBalancer]
+      [[http.services.main.loadBalancer.servers]]
+        url = "http://private-ip-server-1/"
+
+  [http.services.backup]
+    [http.services.backup.loadBalancer]
+      [[http.services.backup.loadBalancer.servers]]
+        url = "http://private-ip-server-2/"
+```
+
+#### Chaining Failover Services
+
+Failover services can be chained together for multi-level redundancy.
+In the following example, if the primary service fails, traffic goes to the secondary service.
+If both primary and secondary fail, traffic goes to the tertiary service.
+
+```yaml tab="Structured (YAML)"
+## Routing configuration
+http:
+  services:
+    app:
+      failover:
+        healthCheck: {}
+        service: primary-failover
+        fallback: tertiary
+
+    primary-failover:
+      failover:
+        healthCheck: {}
+        service: primary
+        fallback: secondary
+
+    primary:
+      loadBalancer:
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        servers:
+          - url: "http://primary-server/"
+
+    secondary:
+      loadBalancer:
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        servers:
+          - url: "http://secondary-server/"
+
+    tertiary:
+      loadBalancer:
+        healthCheck:
+          path: /health
+          interval: 10s
+          timeout: 3s
+        servers:
+          - url: "http://tertiary-server/"
+```
+
+```toml tab="Structured (TOML)"
+## Routing configuration
+[http.services]
+  [http.services.app]
+    [http.services.app.failover]
+      service = "primary-failover"
+      fallback = "tertiary"
+      [http.services.app.failover.healthCheck]
+
+  [http.services.primary-failover]
+    [http.services.primary-failover.failover]
+      service = "primary"
+      fallback = "secondary"
+      [http.services.primary-failover.failover.healthCheck]
+
+  [http.services.primary]
+    [http.services.primary.loadBalancer]
+      [http.services.primary.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.primary.loadBalancer.servers]]
+        url = "http://primary-server/"
+
+  [http.services.secondary]
+    [http.services.secondary.loadBalancer]
+      [http.services.secondary.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.secondary.loadBalancer.servers]]
+        url = "http://secondary-server/"
+
+  [http.services.tertiary]
+    [http.services.tertiary.loadBalancer]
+      [http.services.tertiary.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "10s"
+        timeout = "3s"
+      [[http.services.tertiary.loadBalancer.servers]]
+        url = "http://tertiary-server/"
+```
@@ -0,0 +1,62 @@
+---
+title: "Traefik EncodedCharacters Documentation"
+description: "In Traefik Proxy, the EncodedCharacters middleware controls which ambiguous reserved encoded characters are allowed in the request path. Read the technical documentation."
+---
+
+The EncodedCharacters middleware controls which ambiguous reserved encoded characters are allowed in the request path.
+
+When you use this middleware, by default, potentially dangerous encoded characters are rejected for security enhancement.
+
+## Configuration Examples
+
+```yaml tab="Docker & Swarm"
+# Allow encoded slash in the request path.
+labels:
+  - "traefik.http.middlewares.test-encodedchars.encodedcharacters.allowencodedslash=true"
+```
+
+```yaml tab="Kubernetes"
+# Allow encoded slash in the request path.
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-encodedchars
+spec:
+  encodedCharacters:
+    allowEncodedSlash: true
+```
+
+```yaml tab="Consul Catalog"
+# Allow encoded slash in the request path.
+- "traefik.http.middlewares.test-encodedchars.encodedcharacters.allowencodedslash=true"
+```
+
+```yaml tab="File (YAML)"
+# Allow encoded slash in the request path.
+http:
+  middlewares:
+    test-encodedchars:
+      encodedCharacters:
+        allowEncodedSlash: true
+```
+
+```toml tab="File (TOML)"
+# Allow encoded slash in the request path.
+[http.middlewares]
+  [http.middlewares.test-encodedchars.encodedCharacters]
+    allowEncodedSlash = true
+```
+
+## Configuration Options
+
+When you are configuring these options, check if your backend is fully compliant with [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986).
+This helps avoid split-view situation, where Traefik and your backend interpret the same URL differently.
+
+| Field                   | Description                                                        | Default | Required |
+|-------------------------|--------------------------------------------------------------------|---------| -------- |
+| <a id="opt-allowEncodedSlash" href="#opt-allowEncodedSlash" title="#opt-allowEncodedSlash">`allowEncodedSlash`</a> | Allow encoded slash (`%2F` and `%2f`) in the request path.         | `false` | No |
+| <a id="opt-allowEncodedBackSlash" href="#opt-allowEncodedBackSlash" title="#opt-allowEncodedBackSlash">`allowEncodedBackSlash`</a> | Allow encoded backslash (`%5C` and `%5c`) in the request path.     | `false` | No |
+| <a id="opt-allowEncodedSemicolon" href="#opt-allowEncodedSemicolon" title="#opt-allowEncodedSemicolon">`allowEncodedSemicolon`</a> | Allow encoded semicolon (`%3B` and `%3b`) in the request path.     | `false` | No |
+| <a id="opt-allowEncodedPercent" href="#opt-allowEncodedPercent" title="#opt-allowEncodedPercent">`allowEncodedPercent`</a> | Allow encoded percent (`%25`) in the request path.                 | `false` | No |
+| <a id="opt-allowEncodedQuestionMark" href="#opt-allowEncodedQuestionMark" title="#opt-allowEncodedQuestionMark">`allowEncodedQuestionMark`</a> | Allow encoded question mark (`%3F` and `%3f`) in the request path. | `false` | No |
+| <a id="opt-allowEncodedHash" href="#opt-allowEncodedHash" title="#opt-allowEncodedHash">`allowEncodedHash`</a> | Allow encoded hash (`%23`) in the request path. | `false` | No |
@@ -129,3 +129,12 @@ The table below lists all the available variables and their associated values.
 | <a id="opt-status-2" href="#opt-status-2" title="#opt-status-2">`{status}`</a> | The response status code.                                        |
 | <a id="opt-originalStatus" href="#opt-originalStatus" title="#opt-originalStatus">`{originalStatus}`</a> | The original response status code, if it has been modified by the `statusRewrites` option. |
 | <a id="opt-url" href="#opt-url" title="#opt-url">`{url}`</a> | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL.|
+
+### `errorRequestHeaders`
+
+Defines the list of original request headers forwarded to the error page service.
+
+By default (`errorRequestHeaders` not set), all request headers — including authentication material such as `Authorization` and `Cookie` — are forwarded.
+If the error page service is in a separate trust domain, use this option to restrict which headers cross the service boundary.
+
+Set to an explicit list to forward only those headers, or set to an empty list (`errorRequestHeaders: []`) to forward no headers.
@@ -53,26 +53,27 @@ spec:

 ## Configuration Options

-| Field      | Description     | Default | Required |
-|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Authentication server address. | "" | Yes      |
-| <a id="opt-trustForwardHeader" href="#opt-trustForwardHeader" title="#opt-trustForwardHeader">`trustForwardHeader`</a> | Trust all `X-Forwarded-*` headers. | false | No      |
-| <a id="opt-authResponseHeaders" href="#opt-authResponseHeaders" title="#opt-authResponseHeaders">`authResponseHeaders`</a> | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers. | [] | No      |
-| <a id="opt-authResponseHeadersRegex" href="#opt-authResponseHeadersRegex" title="#opt-authResponseHeadersRegex">`authResponseHeadersRegex`</a> | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex). | "" | No      |
-| <a id="opt-authRequestHeaders" href="#opt-authRequestHeaders" title="#opt-authRequestHeaders">`authRequestHeaders`</a> | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed. | [] | No      |
-| <a id="opt-addAuthCookiesToResponse" href="#opt-addAuthCookiesToResponse" title="#opt-addAuthCookiesToResponse">`addAuthCookiesToResponse`</a> | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response. | [] | No      |
-| <a id="opt-forwardBody" href="#opt-forwardBody" title="#opt-forwardBody">`forwardBody`</a> | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming. | false | No      |
-| <a id="opt-maxBodySize" href="#opt-maxBodySize" title="#opt-maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). If left unset, the request body size is unrestricted which can have performance or security implications. < br/>More information [here](#maxbodysize).| -1 | No      |
+| Field                                                                                                                                          | Description                                                                                                                                                                                                                                                                 | Default | Required |
+|:-----------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-address" href="#opt-address" title="#opt-address">`address`</a> | Authentication server address.                                                                                                                                                                                                                                              | "" | Yes      |
+| <a id="opt-trustForwardHeader" href="#opt-trustForwardHeader" title="#opt-trustForwardHeader">`trustForwardHeader`</a> | Trust all `X-Forwarded-*` headers.                                                                                                                                                                                                                                          <br/>The trustForwardHeader option is deprecated and will be removed in the next major version. <br/>More information [here](#trustforwardheader)| false | No      |
+| <a id="opt-authResponseHeaders" href="#opt-authResponseHeaders" title="#opt-authResponseHeaders">`authResponseHeaders`</a> | List of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.                                                                                                                                   | [] | No      |
+| <a id="opt-authResponseHeadersRegex" href="#opt-authResponseHeadersRegex" title="#opt-authResponseHeadersRegex">`authResponseHeadersRegex`</a> | Regex to match by the headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.<br /> More information [here](#authresponseheadersregex).                                                     | "" | No      |
+| <a id="opt-authRequestHeaders" href="#opt-authRequestHeaders" title="#opt-authRequestHeaders">`authRequestHeaders`</a> | List of the headers to copy from the request to the authentication server. <br /> It allows filtering headers that should not be passed to the authentication server. <br /> If not set or empty, then all request headers are passed.                                      | [] | No      |
+| <a id="opt-addAuthCookiesToResponse" href="#opt-addAuthCookiesToResponse" title="#opt-addAuthCookiesToResponse">`addAuthCookiesToResponse`</a> | List of cookies to copy from the authentication server to the response, replacing any existing conflicting cookie from the forwarded response.<br /> Please note that all backend cookies matching the configured list will not be added to the response.                   | [] | No      |
+| <a id="opt-forwardBody" href="#opt-forwardBody" title="#opt-forwardBody">`forwardBody`</a> | Sets the `forwardBody` option to `true` to send the Body. As body is read inside Traefik before forwarding, this breaks streaming.                                                                                                                                          | false | No      |
+| <a id="opt-maxBodySize" href="#opt-maxBodySize" title="#opt-maxBodySize">`maxBodySize`</a> | Set the `maxBodySize` to limit the body size in bytes. If body is bigger than this, it returns a 401 (unauthorized). If left unset, the request body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxbodysize). | -1 | No      |
 | <a id="opt-maxResponseBodySize" href="#opt-maxResponseBodySize" title="#opt-maxResponseBodySize">`maxResponseBodySize`</a> | Set the `maxResponseBodySize` to limit the response body size from the authentication server in bytes. If the response body exceeds this limit, it returns a 401 (unauthorized). If left unset, the response body size is unrestricted which can have performance or security implications. <br/>More information [here](#maxresponsebodysize).| -1 | No      |
-| <a id="opt-headerField" href="#opt-headerField" title="#opt-headerField">`headerField`</a> | Defines a header field to store the authenticated user. | "" | No      |
-| <a id="opt-preserveLocationHeader" href="#opt-preserveLocationHeader" title="#opt-preserveLocationHeader">`preserveLocationHeader`</a> | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server. | false | No      |
-| <a id="opt-preserveRequestMethod" href="#opt-preserveRequestMethod" title="#opt-preserveRequestMethod">`preserveRequestMethod`</a> | Defines whether to preserve the original request method while forwarding the request to the authentication server. | false | No      |
-| <a id="opt-tls-ca" href="#opt-tls-ca" title="#opt-tls-ca">`tls.ca`</a> | Sets the path to the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. | "" | No |
-| <a id="opt-tls-cert" href="#opt-tls-cert" title="#opt-tls-cert">`tls.cert`</a> | Sets the path to the public certificate used for the secure connection to the authentication server. When using this option, setting the key option is required. | "" | No |
-| <a id="opt-tls-key" href="#opt-tls-key" title="#opt-tls-key">`tls.key`</a> | Sets the path to the private key used for the secure connection to the authentication server. When using this option, setting the `cert` option is required. | "" | No |
-| <a id="opt-tls-caSecret" href="#opt-tls-caSecret" title="#opt-tls-caSecret">`tls.caSecret`</a> | Defines the secret that contains the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. **This option is only available for the Kubernetes CRD**. | | No |
-| <a id="opt-tls-certSecret" href="#opt-tls-certSecret" title="#opt-tls-certSecret">`tls.certSecret`</a> | Defines the secret that contains both the private and public certificates used for the secure connection to the authentication server. **This option is only available for the Kubernetes CRD**. |  | No |
-| <a id="opt-tls-insecureSkipVerify" href="#opt-tls-insecureSkipVerify" title="#opt-tls-insecureSkipVerify">`tls.insecureSkipVerify`</a> | During TLS connections, if this option is set to `true`, the authentication server will accept any certificate presented by the server regardless of the host names it covers. | false | No |
+| <a id="opt-headerField" href="#opt-headerField" title="#opt-headerField">`headerField`</a> | Defines a header field to store the authenticated user.                                                                                                                                                                                                                     | "" | No      |
+| <a id="opt-preserveLocationHeader" href="#opt-preserveLocationHeader" title="#opt-preserveLocationHeader">`preserveLocationHeader`</a> | Defines whether to forward the Location header to the client as is or prefix it with the domain name of the authentication server.                                                                                                                                          | false | No      |
+| <a id="opt-preserveRequestMethod" href="#opt-preserveRequestMethod" title="#opt-preserveRequestMethod">`preserveRequestMethod`</a> | Defines whether to preserve the original request method while forwarding the request to the authentication server.                                                                                                                                                          | false | No      |
+| <a id="opt-authSigninURL" href="#opt-authSigninURL" title="#opt-authSigninURL">`authSigninURL`</a> | Specifies the URL to redirect to when the authentication server returns 401 Unauthorized.                                                                                                                                                                                   | "" | No      |
+| <a id="opt-tls-ca" href="#opt-tls-ca" title="#opt-tls-ca">`tls.ca`</a> | Sets the path to the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle.                                                                                                                                  | "" | No |
+| <a id="opt-tls-cert" href="#opt-tls-cert" title="#opt-tls-cert">`tls.cert`</a> | Sets the path to the public certificate used for the secure connection to the authentication server. When using this option, setting the key option is required.                                                                                                            | "" | No |
+| <a id="opt-tls-key" href="#opt-tls-key" title="#opt-tls-key">`tls.key`</a> | Sets the path to the private key used for the secure connection to the authentication server. When using this option, setting the `cert` option is required.                                                                                                                | "" | No |
+| <a id="opt-tls-caSecret" href="#opt-tls-caSecret" title="#opt-tls-caSecret">`tls.caSecret`</a> | Defines the secret that contains the certificate authority used for the secured connection to the authentication server, it defaults to the system bundle. **This option is only available for the Kubernetes CRD**.                                                        | | No |
+| <a id="opt-tls-certSecret" href="#opt-tls-certSecret" title="#opt-tls-certSecret">`tls.certSecret`</a> | Defines the secret that contains both the private and public certificates used for the secure connection to the authentication server. **This option is only available for the Kubernetes CRD**.                                                                            |  | No |
+| <a id="opt-tls-insecureSkipVerify" href="#opt-tls-insecureSkipVerify" title="#opt-tls-insecureSkipVerify">`tls.insecureSkipVerify`</a> | During TLS connections, if this option is set to `true`, the authentication server will accept any certificate presented by the server regardless of the host names it covers.                                                                                              | false | No |

 ### authResponseHeadersRegex

@@ -127,6 +128,25 @@ If left unset, the request body size is unrestricted which can have performance
    It is strongly recommended to set this option to a suitable value.
    Not setting it (or setting it to `-1`) allows unlimited response body sizes which can lead to DoS attacks and memory exhaustion.

+### trustForwardHeader
+
+!!! warning
+
+    `trustForwardHeader` option is deprecated and will be removed in the next major version.
+    
+    Configure the trusted IPs at the [EntryPoint level](../../../install-configuration/entrypoints.md#forwarded-headers) using `forwardedHeaders.trustedIPs`, 
+    and set `trustForwardHeader` to `true` on this middleware.
+
+    With this setup, the EntryPoint is responsible for sanitizing incoming `X-Forwarded-*` headers:
+    it strips any such headers sent by untrusted clients and only preserves those coming from trusted upstream proxies.
+    By the time the ForwardAuth middleware processes the request, all `X-Forwarded-*` headers are guaranteed to be trustworthy,
+    including those intentionally added by other middlewares in the chain — for example, the `X-Forwarded-Prefix` header set by the [StripPrefix](stripprefix.md) middleware.
+
+    If `trustForwardHeader` is not explicitly set, Traefik will log a warning at startup and use a legacy behavior where some `X-Forwarded-*` headers (e.g. `X-Forwarded-For`, `X-Forwarded-Proto`) are removed but others (e.g. `X-Forwarded-Prefix`) are forwarded untouched.
+    To silence this warning, explicitly set `trustForwardHeader` to `true` or `false`.
+
+Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
+
 ## Forward-Request Headers

 The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
@@ -54,12 +54,12 @@ spec:

 ## Configuration Options

-| Field      | Description     | Default | Required |
-|:-----------|:------------------------------|:--------|:---------|
-| <a id="opt-sourceRange" href="#opt-sourceRange" title="#opt-sourceRange">`sourceRange`</a> | List of allowed IPs (or ranges of allowed IPs by using CIDR notation). |      | Yes      |
-| <a id="opt-ipStrategy-depth" href="#opt-ipStrategy-depth" title="#opt-ipStrategy-depth">`ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy](#ipstrategy), and [`depth`](#example-of-depth--x-forwarded-for) below. | 0      | No      |
-| <a id="opt-ipStrategy-excludedIPs" href="#opt-ipStrategy-excludedIPs" title="#opt-ipStrategy-excludedIPs">`ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy](#ipstrategy), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
-| <a id="opt-ipStrategy-ipv6Subnet" href="#opt-ipStrategy-ipv6Subnet" title="#opt-ipStrategy-ipv6Subnet">`ipStrategy.ipv6Subnet`</a> |  If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips--x-forwarded-for) below. |       | No      |
+| Field      | Description                                                                                                                                                                                                                                                                                                                                                                                                         | Default | Required |
+|:-----------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-sourceRange" href="#opt-sourceRange" title="#opt-sourceRange">`sourceRange`</a> | List of allowed IPs (or ranges of allowed IPs by using CIDR notation).                                                                                                                                                                                                                                                                                                                                              |      | Yes      |
+| <a id="opt-ipStrategy-depth" href="#opt-ipStrategy-depth" title="#opt-ipStrategy-depth">`ipStrategy.depth`</a> | Depth position of the IP to select in the `X-Forwarded-For` header (starting from the right).<br />0 means no depth.<br />If greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty<br /> If higher than 0, the `excludedIPs` options is not evaluated.<br /> More information about [`ipStrategy`](#ipstrategy), and [`depth`](#example-of-depth-x-forwarded-for) below.      | 0      | No      |
+| <a id="opt-ipStrategy-excludedIPs" href="#opt-ipStrategy-excludedIPs" title="#opt-ipStrategy-excludedIPs">`ipStrategy.excludedIPs`</a> | Allows Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.<br />If `depth` is specified, `excludedIPs` is ignored.<br /> More information about [`ipStrategy`](#ipstrategy), and [`excludedIPs`](#example-of-excludedips-x-forwarded-for) below.                                                                                                                                  |       | No      |
+| <a id="opt-ipStrategy-ipv6Subnet" href="#opt-ipStrategy-ipv6Subnet" title="#opt-ipStrategy-ipv6Subnet">`ipStrategy.ipv6Subnet`</a> | If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to. <br />More information about [`ipStrategy.ipv6Subnet`](#ipstrategyipv6subnet), and [`excludedIPs`](#example-of-excludedips-x-forwarded-for) below.                                                                                                                                    |       | No      |

 ### ipStrategy

@@ -5,7 +5,14 @@ description: "There are several available middleware in Traefik Proxy used to mo

 # HTTP Middleware Overview

-Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
+Attached to [routers](../routing/router.md) or [services](../load-balancing/service.md), pieces of middleware are a means of tweaking the requests before they are sent to your backend servers (or before the answer is sent to the clients).
+
+Middlewares can be attached at two levels:
+
+- **Router-level:** Applied to all requests matching the router's rule, before forwarding to the service.
+- **Service-level:** Applied to all requests handled by the service, regardless of which router forwards the request. See [service middlewares](../load-balancing/service.md#middlewares).
+
+When both are configured, router middlewares execute first, followed by service middlewares.

 There are several available middlewares in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.

@@ -18,8 +25,8 @@ Middlewares that use the same protocol can be combined into chains to fit every

 ## Available HTTP Middlewares

-| Middleware                                | Purpose                                           | Area                        |
-|-------------------------------------------|---------------------------------------------------|-----------------------------|
+| Middleware                                                                                                                               | Purpose                                           | Area                        |
+|------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|-----------------------------|
 | <a id="opt-AddPrefix" href="#opt-AddPrefix" title="#opt-AddPrefix">[AddPrefix](addprefix.md)</a> | Adds a Path Prefix                                | Path Modifier               |
 | <a id="opt-BasicAuth" href="#opt-BasicAuth" title="#opt-BasicAuth">[BasicAuth](basicauth.md)</a> | Adds Basic Authentication                         | Security, Authentication    |
 | <a id="opt-Buffering" href="#opt-Buffering" title="#opt-Buffering">[Buffering](buffering.md)</a> | Buffers the request/response                      | Request Lifecycle           |
@@ -28,6 +35,7 @@ Middlewares that use the same protocol can be combined into chains to fit every
 | <a id="opt-Compress" href="#opt-Compress" title="#opt-Compress">[Compress](compress.md)</a> | Compresses the response                           | Content Modifier            |
 | <a id="opt-ContentType" href="#opt-ContentType" title="#opt-ContentType">[ContentType](contenttype.md)</a> | Handles Content-Type auto-detection               | Misc                        |
 | <a id="opt-DigestAuth" href="#opt-DigestAuth" title="#opt-DigestAuth">[DigestAuth](digestauth.md)</a> | Adds Digest Authentication                        | Security, Authentication    |
+| <a id="opt-EncodedCharacters" href="#opt-EncodedCharacters" title="#opt-EncodedCharacters">[EncodedCharacters](encodedcharacters.md)</a> | Defines allowed reserved encoded characters in the request path | Security, Request Lifecycle           |
 | <a id="opt-Errors" href="#opt-Errors" title="#opt-Errors">[Errors](errorpages.md)</a> | Defines custom error pages                        | Request Lifecycle           |
 | <a id="opt-ForwardAuth" href="#opt-ForwardAuth" title="#opt-ForwardAuth">[ForwardAuth](forwardauth.md)</a> | Delegates Authentication                          | Security, Authentication    |
 | <a id="opt-GrpcWeb" href="#opt-GrpcWeb" title="#opt-GrpcWeb">[GrpcWeb](grpcweb.md)</a> | Converts gRPC Web requests to HTTP/2 gRPC requests.                           | Request                   |
@@ -18,6 +18,13 @@ http:
      retry:
        attempts: 4
        initialInterval: 100ms
+        timeout: 60s
+        maxRequestBodyBytes: 1024
+        status: 
+          - "400"
+          - "500-599"
+        disableRetryOnNetworkError: true
+        retryNonIdempotentMethod: true
 ```

 ```toml tab="Structured (TOML)"
@@ -26,6 +33,11 @@ http:
  [http.middlewares.test-retry.retry]
    attempts = 4
    initialInterval = "100ms"
+    timeout = "60s"
+    maxRequestBodyBytes = 1024
+    status = ["400","500-599"]
+    disableRetryOnNetworkError = true
+    retryNonIdempotentMethod = true
 ```

 ```yaml tab="Labels"
@@ -33,6 +45,11 @@ http:
 labels:
  - "traefik.http.middlewares.test-retry.retry.attempts=4"
  - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+  - "traefik.http.middlewares.test-retry.retry.timeout=60s"
+  - "traefik.http.middlewares.test-retry.retry.maxrequestbodybytes=1024"
+  - "traefik.http.middlewares.test-retry.retry.status=400,500-599"
+  - "traefik.http.middlewares.test-retry.retry.disableretryonnetworkerror=true"
+  - "traefik.http.middlewares.test-retry.retry.retrynonidempotentmethod=true"
 ```

 ```json tab="Tags"
@@ -42,7 +59,12 @@ labels:
  // ...
  "Tags" : [
    "traefik.http.middlewares.test-retry.retry.attempts=4",
-    "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
+    "traefik.http.middlewares.test-retry.retry.initialinterval=100ms",
+    "traefik.http.middlewares.test-retry.retry.timeout=60s",
+    "traefik.http.middlewares.test-retry.retry.maxrequestbodybytes=1024",
+    "traefik.http.middlewares.test-retry.retry.status=400,500-599",
+    "traefik.http.middlewares.test-retry.retry.disableretryonnetworkerror=true",
+    "traefik.http.middlewares.test-retry.retry.retrynonidempotentmethod=true"
  ]
 }

@@ -58,6 +80,13 @@ spec:
  retry:
    attempts: 4
    initialInterval: 100ms
+    timeout: 60s
+    maxRequestBodyBytes: 1024
+    status: 
+      - "400"
+      - "500-599"
+    disableRetryOnNetworkError: true
+    retryNonIdempotentMethod: true
 ```

 ## Configuration Options
@@ -66,3 +95,49 @@ spec:
 |:------|:------------|:--------|:---------|
 | <a id="opt-attempts" href="#opt-attempts" title="#opt-attempts">`attempts`</a> | number of times the request should be retried. |  | Yes |
 | <a id="opt-initialInterval" href="#opt-initialInterval" title="#opt-initialInterval">`initialInterval`</a> | First wait time in the exponential backoff series. <br />The maximum interval is calculated as twice the `initialInterval`. <br /> If unspecified, requests will be retried immediately.<br /> Defined in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). | 0 | No |
+| <a id="opt-timeout" href="#opt-timeout" title="#opt-timeout">`timeout`</a> | How much time the middleware is allowed to retry the request. <br /> Defined in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration). | 0 | No |
+| <a id="opt-maxRequestBodyBytes" href="#opt-maxRequestBodyBytes" title="#opt-maxRequestBodyBytes">`maxRequestBodyBytes`</a> | Defines the maximum size for the request body. <br/>More information [here](#maxrequestbodybytes). | 2MB | No |
+| <a id="opt-status" href="#opt-status" title="#opt-status">`status`</a> | Defines the range of HTTP status codes to retry on. <br/>More information [here](#disableretryonnetworkerror-and-status). | [] | No |
+| <a id="opt-disableRetryOnNetworkError" href="#opt-disableRetryOnNetworkError" title="#opt-disableRetryOnNetworkError">`disableRetryOnNetworkError`</a> | This option disables the retry if an error occurs when transmitting the request to the server. <br/>More information [here](#disableretryonnetworkerror-and-status).  | false | No |
+| <a id="opt-retryNonIdempotentMethod" href="#opt-retryNonIdempotentMethod" title="#opt-retryNonIdempotentMethod">`retryNonIdempotentMethod`</a> | Activates the retry for non-idempotent methods (`POST`, `LOCK`, `PATCH`) | false | No |
+
+### maxRequestBodyBytes
+
+The `maxRequestBodyBytes` option controls the maximum size of request bodies that will be sent to the server.
+
+**⚠️ Important Security Consideration**
+
+When `maxRequestBodyBytes` is set to `-1`, it means there is no limit for request body size. This can have significant security and performance implications:
+
+- **Security Risk**: Attackers can send extremely large request bodies, potentially causing DoS attacks or memory exhaustion
+- **Performance Impact**: Large request bodies consume memory and processing resources, affecting overall system performance
+- **Resource Consumption**: Unlimited body size can lead to unexpected resource usage patterns
+
+**Recommended Configuration**
+
+It is strongly recommended to set an appropriate `maxRequestBodyBytes` value for your use case:
+
+```yaml
+# For most web applications (1MB limit)
+maxRequestBodyBytes: 1048576  # 1MB in bytes
+
+# For API endpoints expecting larger payloads (10MB limit)  
+maxRequestBodyBytes: 10485760  # 10MB in bytes
+
+# For file upload authentication (100MB limit)
+maxRequestBodyBytes: 104857600  # 100MB in bytes
+```
+
+**Guidelines for Setting `maxRequestBodyBytes`**
+
+- **Web Forms**: 1-5MB is typically sufficient for most form submissions
+- **API Endpoints**: Consider your largest expected JSON/XML payload + buffer
+- **File Uploads**: Set based on your maximum expected file size
+- **High-Traffic Services**: Use smaller limits to prevent resource exhaustion
+
+## disableRetryOnNetworkError and status
+
+The `disableRetryOnNetworkError` option disables the retry if an error occurs when transmitting the request to the server, at the TCP layer.
+However, if you want to retry only for specific HTTP status codes, you can configure the `status` option with the relevant status codes to retry on.
+
+If `disableRetryOnNetworkError` is set to `true`, you must define the `status` option. Otherwise, the middleware will raise a configuration error.
@@ -24,7 +24,7 @@ The table below lists all the available matchers:
 |-----------------------------------------------------------------|:-------------------------------------------------------------------------------|
 | <a id="opt-Headerkey-value" href="#opt-Headerkey-value" title="#opt-Headerkey-value">[```Header(`key`, `value`)```](#header-and-headerregexp)</a> | Matches requests containing a header named `key` set to `value`.               |
 | <a id="opt-HeaderRegexpkey-regexp" href="#opt-HeaderRegexpkey-regexp" title="#opt-HeaderRegexpkey-regexp">[```HeaderRegexp(`key`, `regexp`)```](#header-and-headerregexp)</a> | Matches requests containing a header named `key` matching `regexp`.            |
-| <a id="opt-Hostdomain" href="#opt-Hostdomain" title="#opt-Hostdomain">[```Host(`domain`)```](#host-and-hostregexp)</a> | Matches requests host set to `domain`.                                         |
+| <a id="opt-Hostdomain" href="#opt-Hostdomain" title="#opt-Hostdomain">[```Host(`domain`)```](#host-and-hostregexp)</a> | Matches requests host set to `domain`. Supports wildcard subdomain matching (e.g. `*.example.com`). |
 | <a id="opt-HostRegexpregexp" href="#opt-HostRegexpregexp" title="#opt-HostRegexpregexp">[```HostRegexp(`regexp`)```](#host-and-hostregexp)</a> | Matches requests host matching `regexp`.                                       |
 | <a id="opt-Methodmethod" href="#opt-Methodmethod" title="#opt-Methodmethod">[```Method(`method`)```](#method)</a> | Matches requests method set to `method`.                                       |
 | <a id="opt-Pathpath" href="#opt-Pathpath" title="#opt-Pathpath">[```Path(`path`)```](#path-pathprefix-and-pathregexp)</a> | Matches requests path set to `path`.                                           |
@@ -54,6 +54,15 @@ If no `Host` is set in the request URL (for example, it's an IP address), these

 These matchers will match the request's host in lowercase.

+!!! info "Wildcard subdomain matching"
+
+    The `Host` matcher supports a single-level wildcard prefix (`*.example.com`) to match any direct subdomain of `example.com`.
+    It should be preferred over the `HostRegexp` matcher as it allows attaching a TLS option and is more efficient.
+
+    A wildcard matches exactly one subdomain label: `*.example.com` matches `foo.example.com` but not `foo.bar.example.com` or `example.com` itself.    
+
+    This is only available with the **v3 rule syntax** (the default).
+
 | Behavior                                                        | Rule                                                                    |
 |-----------------------------------------------------------------|:------------------------------------------------------------------------|
 | <a id="opt-Match-requests-with-Host-set-to-example-com" href="#opt-Match-requests-with-Host-set-to-example-com" title="#opt-Match-requests-with-Host-set-to-example-com">Match requests with `Host` set to `example.com`.</a> | ```Host(`example.com`)``` |
@@ -232,6 +241,12 @@ Traefik reserves a range of priorities for its internal routers, the maximum use
 - `(MaxInt32 - 1000)` = `2147482647` for 32-bit platforms,
 - `(MaxInt64 - 1000)` = `9223372036854774807` for 64-bit platforms.

+!!! info "Providers Precedence"
+
+    When two routes from **different providers** share the same numeric priority,
+    Traefik uses the [`providers.precedence`](../../../install-configuration/providers/overview.md#providers-precedence) install configuration option to determine which route takes precedence.
+    The provider listed first in `precedence` wins the tie.
+
 ### Example

 ```yaml tab="Structured (YAML)"
@@ -5,7 +5,7 @@ description: "An IngressRoute is a Traefik CRD is in charge of connecting incomi

 `IngressRoute` is the CRD implementation of a [Traefik HTTP router](../../../http/routing/rules-and-priority.md).

-Before creating `IngressRoute` objects, you need to apply the [Traefik Kubernetes CRDs](https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions) to your Kubernetes cluster.
+Before creating `IngressRoute` objects, you need to apply the Traefik Kubernetes CRDs such as [Definitions](/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) to your Kubernetes cluster.

 This registers the `IngressRoute` kind and other Traefik-specific resources.

@@ -21,6 +21,7 @@ metadata:
  namespace: apps

 spec:
+  ingressClassName: traefik-lb
  entryPoints:
    - web
  parentRefs:
@@ -79,6 +80,7 @@ spec:

 | Field                                                                                                                                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                      | Default | Required |
 |:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+| <a id="opt-ingressClassName" href="#opt-ingressClassName" title="#opt-ingressClassName">`ingressClassName`</a> | Defines the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) cluster resource to use. It replaces the deprecated `kubernetes.io/ingress.class` annotation.<br />The spec field takes precedence over the annotation.                                                                                                               |         | No       |
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of [entry points](../../../../install-configuration/entrypoints.md) names.<br />If not specified, HTTP routers will accept requests from all EntryPoints in the list of default EntryPoints.                                                                                                                                                                                |         | No       |
 | <a id="opt-parentRefs" href="#opt-parentRefs" title="#opt-parentRefs">`parentRefs`</a> | List of references to parent IngressRoute resources for multi-layer routing. When specified, this IngressRoute's routers become children of the referenced parent IngressRoute's routers. See [Multi-Layer Routing](#multi-layer-routing-with-ingressroutes) section for details.                                                                                                |         | No       |
 | <a id="opt-parentRefsn-name" href="#opt-parentRefsn-name" title="#opt-parentRefsn-name">`parentRefs[n].name`</a> | Name of the referenced parent IngressRoute resource.                                                                                                                                                                                                                                                                                                                             |         | Yes      |
@@ -90,7 +92,7 @@ spec:
 | <a id="opt-routesn-middlewares" href="#opt-routesn-middlewares" title="#opt-routesn-middlewares">`routes[n].middlewares`</a> | List of middlewares to attach to the IngressRoute. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                   | ""      | No       |
 | <a id="opt-routesn-middlewaresm-name" href="#opt-routesn-middlewaresm-name" title="#opt-routesn-middlewaresm-name">`routes[n].`<br />`middlewares[m].`<br />`name`</a> | Middleware name.<br />The character `@` is not authorized. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                           |         | Yes      |
 | <a id="opt-routesn-middlewaresm-namespace" href="#opt-routesn-middlewaresm-namespace" title="#opt-routesn-middlewaresm-namespace">`routes[n].`<br />`middlewares[m].`<br />`namespace`</a> | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute. <br />More information [here](#middleware).                                                                                                                                                                                                                         |         | No       |
-| <a id="opt-routesn-observability-accesslogs" href="#opt-routesn-observability-accesslogs" title="#opt-routesn-observability-accesslogs">`routes[n].`<br />`observability.`<br />`accesslogs`</a> | Defines whether the route will produce [access-logs](../../../../install-configuration/observability/logs-and-accesslogs.md). See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                           | false   | No       |
+| <a id="opt-routesn-observability-accessLogs" href="#opt-routesn-observability-accessLogs" title="#opt-routesn-observability-accessLogs">`routes[n].`<br />`observability.`<br />`accessLogs`</a> | Defines whether the route will produce [access-logs](../../../../install-configuration/observability/logs-and-accesslogs.md). See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                           | false   | No       |
 | <a id="opt-routesn-observability-metrics" href="#opt-routesn-observability-metrics" title="#opt-routesn-observability-metrics">`routes[n].`<br />`observability.`<br />`metrics`</a> | Defines whether the route will produce [metrics](../../../../install-configuration/observability/metrics.md). See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                                           | false   | No       |
 | <a id="opt-routesn-observability-tracing" href="#opt-routesn-observability-tracing" title="#opt-routesn-observability-tracing">`routes[n].`<br />`observability.`<br />`tracing`</a> | Defines whether the route will produce [traces](../../../../install-configuration/observability/tracing.md). See [here](../../../http/routing/observability.md) for more information.                                                                                                                                                                                            | false   | No       |
 | <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration.<br />Can be an empty value(`{}`):<br />A self signed is generated in such a case<br />(or the [default certificate](../tls/tlsstore.md) is used if it is defined.)                                                                                                                                                                                                   |         | No       |
@@ -67,6 +67,21 @@ spec:
 | <a id="opt-serverstransport-forwardingTimeouts-idleConnTimeout" href="#opt-serverstransport-forwardingTimeouts-idleConnTimeout" title="#opt-serverstransport-forwardingTimeouts-idleConnTimeout">`serverstransport.`<br />`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />Zero means no timeout. | 90s  | No |
 | <a id="opt-serverstransport-spiffe-ids" href="#opt-serverstransport-spiffe-ids" title="#opt-serverstransport-spiffe-ids">`serverstransport.`<br />`spiffe.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. |  | No |
 | <a id="opt-serverstransport-spiffe-trustDomain" href="#opt-serverstransport-spiffe-trustDomain" title="#opt-serverstransport-spiffe-trustDomain">`serverstransport.`<br />`spiffe.trustDomain`</a> | Allow SPIFFE trust domain. | ""  | No |
+| <a id="opt-serverstransport-serverName-2" href="#opt-serverstransport-serverName-2" title="#opt-serverstransport-serverName-2">`serverstransport.`<br />`serverName`</a> | Defines the server name that will be used for SNI. |  | No |
+| <a id="opt-serverstransport-insecureSkipVerify-2" href="#opt-serverstransport-insecureSkipVerify-2" title="#opt-serverstransport-insecureSkipVerify-2">`serverstransport.`<br />`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false  | No |
+| <a id="opt-serverstransport-rootcas-2" href="#opt-serverstransport-rootcas-2" title="#opt-serverstransport-rootcas-2">`serverstransport.`<br />`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). |  | No |
+| <a id="opt-serverstransport-certificatesSecrets-2" href="#opt-serverstransport-certificatesSecrets-2" title="#opt-serverstransport-certificatesSecrets-2">`serverstransport.`<br />`certificatesSecrets`</a> | Certificates to present to the server for mTLS. |  | No |
+| <a id="opt-serverstransport-cipherSuites" href="#opt-serverstransport-cipherSuites" title="#opt-serverstransport-cipherSuites">`serverstransport.`<br />`cipherSuites`</a> | Defines the cipher suites to use when contacting backend servers. | [] | No |
+| <a id="opt-serverstransport-minVersion" href="#opt-serverstransport-minVersion" title="#opt-serverstransport-minVersion">`serverstransport.`<br />`minVersion`</a> | Defines the minimum TLS version to use when contacting backend servers. | "" | No |
+| <a id="opt-serverstransport-maxVersion" href="#opt-serverstransport-maxVersion" title="#opt-serverstransport-maxVersion">`serverstransport.`<br />`maxVersion`</a> | Defines the maximum TLS version to use when contacting backend servers. | "" | No |
+| <a id="opt-serverstransport-maxIdleConnsPerHost-2" href="#opt-serverstransport-maxIdleConnsPerHost-2" title="#opt-serverstransport-maxIdleConnsPerHost-2">`serverstransport.`<br />`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
+| <a id="opt-serverstransport-disableHTTP2-2" href="#opt-serverstransport-disableHTTP2-2" title="#opt-serverstransport-disableHTTP2-2">`serverstransport.`<br />`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
+| <a id="opt-serverstransport-peerCertURI-2" href="#opt-serverstransport-peerCertURI-2" title="#opt-serverstransport-peerCertURI-2">`serverstransport.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
+| <a id="opt-serverstransport-forwardingTimeouts-dialTimeout-2" href="#opt-serverstransport-forwardingTimeouts-dialTimeout-2" title="#opt-serverstransport-forwardingTimeouts-dialTimeout-2">`serverstransport.`<br />`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />Zero means no timeout. | 30s  | No |
+| <a id="opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2" href="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2" title="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2">`serverstransport.`<br />`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />Zero means no timeout | 0s  | No |
+| <a id="opt-serverstransport-forwardingTimeouts-idleConnTimeout-2" href="#opt-serverstransport-forwardingTimeouts-idleConnTimeout-2" title="#opt-serverstransport-forwardingTimeouts-idleConnTimeout-2">`serverstransport.`<br />`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />Zero means no timeout. | 90s  | No |
+| <a id="opt-serverstransport-spiffe-ids-2" href="#opt-serverstransport-spiffe-ids-2" title="#opt-serverstransport-spiffe-ids-2">`serverstransport.`<br />`spiffe.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. |  | No |
+| <a id="opt-serverstransport-spiffe-trustDomain-2" href="#opt-serverstransport-spiffe-trustDomain-2" title="#opt-serverstransport-spiffe-trustDomain-2">`serverstransport.`<br />`spiffe.trustDomain`</a> | Allow SPIFFE trust domain. | ""  | No |

 !!! note "CA Secret"
    The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.
@@ -48,6 +48,10 @@ spec:
          name: cookie
          secure: true
      strategy: wrr
+      # Attach middlewares to this service
+      middlewares:
+        - name: my-middleware
+          namespace: apps
 ```

 ```yaml tab="TraefikService"
@@ -80,36 +84,39 @@ spec:

 ## Configuration Options

-| Field                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Default                                                              | Required |
-|:---------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
-| <a id="opt-kind" href="#opt-kind" title="#opt-kind">`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                             | "Service"                                                            | No       |
-| <a id="opt-name" href="#opt-name" title="#opt-name">`name`</a> | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                      | Yes      |
-| <a id="opt-namespace" href="#opt-namespace" title="#opt-namespace">`namespace`</a> | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                                              |                                                                      | No       |
-| <a id="opt-port" href="#opt-port" title="#opt-port">`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                      | No       |
-| <a id="opt-responseForwarding-flushInterval" href="#opt-responseForwarding-flushInterval" title="#opt-responseForwarding-flushInterval">`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                               | 100ms                                                                | No       |
-| <a id="opt-scheme" href="#opt-scheme" title="#opt-scheme">`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                         | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
-| <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                     | ""                                                                   | No       |
-| <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | true                                                                 | No       |
-| <a id="opt-healthCheck-scheme" href="#opt-healthCheck-scheme" title="#opt-healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
-| <a id="opt-healthCheck-mode" href="#opt-healthCheck-mode" title="#opt-healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                             | "http"                                                               | No       |
-| <a id="opt-healthCheck-path" href="#opt-healthCheck-path" title="#opt-healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint. <br />The configured path must be relative URL. <br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                             | ""                                                                   | No       |
-| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                              | "100ms"                                                              | No       |
-| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                | "100ms"                                                              | No       |
-| <a id="opt-healthCheck-method" href="#opt-healthCheck-method" title="#opt-healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                            | "GET"                                                                | No       |
-| <a id="opt-healthCheck-status" href="#opt-healthCheck-status" title="#opt-healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                   |                                                                      | No       |
-| <a id="opt-healthCheck-port" href="#opt-healthCheck-port" title="#opt-healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                               |                                                                      | No       |
-| <a id="opt-healthCheck-timeout" href="#opt-healthCheck-timeout" title="#opt-healthCheck-timeout">`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                     | "5s"                                                                 | No       |
-| <a id="opt-healthCheck-hostname" href="#opt-healthCheck-hostname" title="#opt-healthCheck-hostname">`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                 | ""                                                                   | No       |
-| <a id="opt-healthCheck-followRedirect" href="#opt-healthCheck-followRedirect" title="#opt-healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | true                                                                 | No       |
-| <a id="opt-healthCheck-headers" href="#opt-healthCheck-headers" title="#opt-healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)).                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
-| <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**. | ""                                                                   | No       |
-| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
-| <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                       | false                                                                | No       |
-| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                              | ""                                                                   | No       |
-| <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                       | 0                                                                    | No       |
-| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                              | "RoundRobin"                                                         | No       |
-| <a id="opt-nativeLB" href="#opt-nativeLB" title="#opt-nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                               | false                                                                | No       |
-| <a id="opt-nodePortLB" href="#opt-nodePortLB" title="#opt-nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                 | false                                                                | No       |
+| Field                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Default                                                              | Required |
+|:---------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
+| <a id="opt-kind" href="#opt-kind" title="#opt-kind">`kind`</a> | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> **TraefikService**: Traefik Service.<br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                  | "Service"                                                            | No       |
+| <a id="opt-name" href="#opt-name" title="#opt-name">`name`</a> | Service name.<br />The character `@` is not authorized. <br />More information [here](#middleware).                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                      | Yes      |
+| <a id="opt-namespace" href="#opt-namespace" title="#opt-namespace">`namespace`</a> | Service namespace.<br />Can be empty if the service belongs to the same namespace as the IngressRoute. <br />More information [here](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
+| <a id="opt-port" href="#opt-port" title="#opt-port">`port`</a> | Service port (number or port name).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                      | No       |
+| <a id="opt-responseForwarding-flushInterval" href="#opt-responseForwarding-flushInterval" title="#opt-responseForwarding-flushInterval">`responseForwarding.`<br />`flushInterval`</a> | Interval, in milliseconds, in between flushes to the client while copying the response body.<br />A negative value means to flush immediately after each write to the client.<br />This configuration is ignored when a response is a streaming response; for such responses, writes are flushed to the client immediately.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                    | 100ms                                                                | No       |
+| <a id="opt-scheme" href="#opt-scheme" title="#opt-scheme">`scheme`</a> | Scheme to use for the request to the upstream Kubernetes Service.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                              | "http"<br />"https" if `port` is 443 or contains the string *https*. | No       |
+| <a id="opt-serversTransport" href="#opt-serversTransport" title="#opt-serversTransport">`serversTransport`</a> | Name of ServersTransport resource to use to configure the transport between Traefik and your servers.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                          | ""                                                                   | No       |
+| <a id="opt-passHostHeader" href="#opt-passHostHeader" title="#opt-passHostHeader">`passHostHeader`</a> | Forward client Host header to server.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | true                                                                 | No       |
+| <a id="opt-healthCheck-scheme" href="#opt-healthCheck-scheme" title="#opt-healthCheck-scheme">`healthCheck.scheme`</a> | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
+| <a id="opt-healthCheck-mode" href="#opt-healthCheck-mode" title="#opt-healthCheck-mode">`healthCheck.mode`</a> | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                  | "http"                                                               | No       |
+| <a id="opt-healthCheck-path" href="#opt-healthCheck-path" title="#opt-healthCheck-path">`healthCheck.path`</a> | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                             | ""                                                                   | No       |
+| <a id="opt-healthCheck-interval" href="#opt-healthCheck-interval" title="#opt-healthCheck-interval">`healthCheck.interval`</a> | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                   | "100ms"                                                              | No       |
+| <a id="opt-healthCheck-unhealthyInterval" href="#opt-healthCheck-unhealthyInterval" title="#opt-healthCheck-unhealthyInterval">`healthCheck.unhealthyInterval`</a> | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                     | "100ms"                                                              | No       |
+| <a id="opt-healthCheck-method" href="#opt-healthCheck-method" title="#opt-healthCheck-method">`healthCheck.method`</a> | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                 | "GET"                                                                | No       |
+| <a id="opt-healthCheck-status" href="#opt-healthCheck-status" title="#opt-healthCheck-status">`healthCheck.status`</a> | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                        |                                                                      | No       |
+| <a id="opt-healthCheck-port" href="#opt-healthCheck-port" title="#opt-healthCheck-port">`healthCheck.port`</a> | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                    |                                                                      | No       |
+| <a id="opt-healthCheck-timeout" href="#opt-healthCheck-timeout" title="#opt-healthCheck-timeout">`healthCheck.timeout`</a> | Maximum duration to wait before considering the server unhealthy.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                          | "5s"                                                                 | No       |
+| <a id="opt-healthCheck-hostname" href="#opt-healthCheck-hostname" title="#opt-healthCheck-hostname">`healthCheck.hostname`</a> | Value in the Host header of the health check request.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| <a id="opt-healthCheck-followRedirect" href="#opt-healthCheck-followRedirect" title="#opt-healthCheck-followRedirect">`healthCheck.`<br />`followRedirect`</a> | Follow the redirections during the healtchcheck.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                           | true                                                                 | No       |
+| <a id="opt-healthCheck-headers" href="#opt-healthCheck-headers" title="#opt-healthCheck-headers">`healthCheck.headers`</a> | Map of header to send to the health check endpoint<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service)).                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
+| <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />Evaluated only if the kind is **Service**.      | ""                                                                   | No       |
+| <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                      | false                                                                | No       |
+| <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                            | false                                                                | No       |
+| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                   | ""                                                                   | No       |
+| <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                            | 0                                                                    | No       |
+| <a id="opt-strategy" href="#opt-strategy" title="#opt-strategy">`strategy`</a> | Strategy defines the load balancing strategy between the servers.<br />Supported values are: wrr (Weighed round-robin), p2c (Power of two choices), hrw (Highest Random Weight), and leasttime (Least-Time).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                   | "RoundRobin"                                                         | No       |
+| <a id="opt-nativeLB" href="#opt-nativeLB" title="#opt-nativeLB">`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br /> Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                    | false                                                                | No       |
+| <a id="opt-nodePortLB" href="#opt-nodePortLB" title="#opt-nodePortLB">`nodePortLB`</a> | Use the nodePort IP address when the service type is NodePort.<br />It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                      | false                                                                | No       |
+| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | List of references to [Middleware](./middleware.md) resources to apply to the service.<br />The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.<br />Evaluated only if the kind is **Service**.<br />More information [here](#middlewares).                                                                                                                                                                                                                                             |                                                                      | No       |
+| <a id="opt-middlewaresn-name" href="#opt-middlewaresn-name" title="#opt-middlewaresn-name">`middlewares[n].name`</a> | Middleware name.<br />The character `@` is not authorized.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                                                      | Yes      |
+| <a id="opt-middlewaresn-namespace" href="#opt-middlewaresn-namespace" title="#opt-middlewaresn-namespace">`middlewares[n].namespace`</a> | Middleware namespace.<br />Can be empty if the middleware belongs to the same namespace as the IngressRoute.                                                                                                                                                                                                                                                                                                                                                                                                                                                     |                                                                      | No       |


 ### ExternalName Service
@@ -419,6 +426,61 @@ spec:
          ...
        ```

+### Middlewares
+
+You can attach a list of [middlewares](./middleware.md) to each service.
+The middlewares will take effect for all requests handled by the service, regardless of which router forwards the request.
+
+For more information on service-level middlewares, see [service middlewares](../../../http/load-balancing/service.md#middlewares).
+
+??? example "Attaching Middlewares to a Service"
+
+    ```yaml tab="IngressRoute"
+    apiVersion: traefik.io/v1alpha1
+    kind: IngressRoute
+    metadata:
+      name: test-name
+      namespace: default
+    spec:
+      entryPoints:
+        - web
+      routes:
+        - kind: Rule
+          match: Host(`example.com`)
+          services:
+            - kind: Service
+              name: whoami
+              port: 80
+              middlewares:
+                - name: add-header
+                  namespace: default
+    ```
+
+    ```yaml tab="Middleware"
+    apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: add-header
+      namespace: default
+    spec:
+      headers:
+        customRequestHeaders:
+          X-Custom-Header: "service-middleware"
+    ```
+
+    ```yaml tab="Whoami Service"
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: whoami
+      namespace: default
+    spec:
+      ports:
+        - port: 80
+      selector:
+        app: whoami
+    ```
+
 ### Configuring Backend Protocol

 There are 3 ways to configure the backend protocol for communication between Traefik and your pods:
@@ -3,13 +3,14 @@ title: "Traefik Kubernetes Services Documentation"
 description: "Learn how to configure routing and load balancing in Traefik Proxy to reach Services, which handle incoming requests. Read the technical documentation."
 --- 

-A `TraefikService` is a custom resource that sits on top of the Kubernetes Services. It enables advanced load-balancing features such as a [Weighted Round Robin](#weighted-round-robin) load balancing, a [Highest Random Weight](#highest-random-weight) load balancing, or a [Mirroring](#mirroring) between your Kubernetes Services.
+A `TraefikService` is a custom resource that sits on top of the Kubernetes Services. It enables advanced load-balancing features such as a [Weighted Round Robin](#weighted-round-robin) load balancing, a [Highest Random Weight](#highest-random-weight) load balancing, a [Mirroring](#mirroring), or a [Failover](#failover) between your Kubernetes Services.

 Services configure how to reach the actual endpoints that will eventually handle incoming requests. In Traefik, the target service can be either a standard [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/)—which exposes a pod—or a TraefikService. The latter allows you to combine advanced load-balancing options like:

 - [Weighted Round Robin load balancing](#weighted-round-robin).
 - [Highest Random Weight load balancing](#highest-random-weight).
- [Mirroring](#mirroring). 
+- [Mirroring](#mirroring).
+- [Failover](#failover).

 ## Weighted Round Robin

@@ -156,7 +157,7 @@ data:
 | <a id="opt-sticky-cookie-name" href="#opt-sticky-cookie-name" title="#opt-sticky-cookie-name">`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness at the WRR service level.<br />When sticky sessions are enabled, a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.<br />On subsequent requests, to keep the session alive with the same server, the client should send the cookie with the value set.<br />If the server pecified in the cookie becomes unhealthy, the request will be forwarded to a new server (and the cookie will keep track of the new server).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels) | Abbreviation of a sha1<br />(ex: `_1d52e`).                          | No       |
 | <a id="opt-sticky-cookie-httpOnly" href="#opt-sticky-cookie-httpOnly" title="#opt-sticky-cookie-httpOnly">`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie used for the stickiness at the WRR service level to be accessed by client-side APIs, such as JavaScript.<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels)                                                                                                                                                                                                                                                                                                                                                                                                          | false                                                                | No       |
 | <a id="opt-sticky-cookie-secure" href="#opt-sticky-cookie-secure" title="#opt-sticky-cookie-secure">`sticky.`<br />`cookie.secure`</a> | Allow the cookie used for the stickiness at the WRR service level to be only transmitted over an encrypted connection (i.e. HTTPS).<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels)                                                                                                                                                                                                                                                                                                                                                                                                | false                                                                | No       |
-| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy for the cookie used for the stickiness at the WRR service level.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels)                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
+| <a id="opt-sticky-cookie-sameSite" href="#opt-sticky-cookie-sameSite" title="#opt-sticky-cookie-sameSite">`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy for the cookie used for the stickiness at the WRR service level.<br />Allowed values:<br />-`none`<br />-`lax`<br />-`strict`<br />-`None`<br />-`Lax`<br />-`Strict`<br />More information about WRR stickiness [here](#stickiness-on-multiple-levels)                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
 | <a id="opt-sticky-cookie-maxAge" href="#opt-sticky-cookie-maxAge" title="#opt-sticky-cookie-maxAge">`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie used for the stickiness at the WRR service level expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.                                                                                                                                                                                                                                                                                                                                                                                                                                 | 0                                                                    | No       |

 #### Stickiness on multiple levels
@@ -344,7 +345,7 @@ spec:
 | <a id="opt-servicesm-sticky-cookie-name" href="#opt-servicesm-sticky-cookie-name" title="#opt-servicesm-sticky-cookie-name">`services[m].`<br />`sticky.`<br />`cookie.name`</a> | Name of the cookie used for the stickiness.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Abbreviation of a sha1<br />(ex: `_1d52e`).                          | No       |
 | <a id="opt-servicesm-sticky-cookie-httpOnly" href="#opt-servicesm-sticky-cookie-httpOnly" title="#opt-servicesm-sticky-cookie-httpOnly">`services[m].`<br />`sticky.`<br />`cookie.httpOnly`</a> | Allow the cookie can be accessed by client-side APIs, such as JavaScript.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | false                                                                | No       |
 | <a id="opt-servicesm-sticky-cookie-secure" href="#opt-servicesm-sticky-cookie-secure" title="#opt-servicesm-sticky-cookie-secure">`services[m].`<br />`sticky.`<br />`cookie.secure`</a> | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | false                                                                | No       |
-| <a id="opt-servicesm-sticky-cookie-sameSite" href="#opt-servicesm-sticky-cookie-sameSite" title="#opt-servicesm-sticky-cookie-sameSite">`services[m].`<br />`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values:<br />-`none`<br />-`lax`<br />`strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
+| <a id="opt-servicesm-sticky-cookie-sameSite" href="#opt-servicesm-sticky-cookie-sameSite" title="#opt-servicesm-sticky-cookie-sameSite">`services[m].`<br />`sticky.`<br />`cookie.sameSite`</a> | [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) policy.<br />Allowed values (case-insensitive):<br />-`none`<br />-`lax`<br />-`strict`<br />-`None`<br />-`Lax`<br />-`Strict`<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
 | <a id="opt-servicesm-sticky-cookie-maxAge" href="#opt-servicesm-sticky-cookie-maxAge" title="#opt-servicesm-sticky-cookie-maxAge">`services[m].`<br />`sticky.`<br />`cookie.maxAge`</a> | Number of seconds until the cookie expires.<br />Negative number, the cookie expires immediately.<br />0, the cookie never expires.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                  | 0                                                                    | No       |
 | <a id="opt-servicesm-strategy" href="#opt-servicesm-strategy" title="#opt-servicesm-strategy">`services[m].`<br />`strategy`</a> | Load balancing strategy between the servers.<br />RoundRobin is the only supported value yet.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | "RoundRobin"                                                         | No       |
 | <a id="opt-servicesm-nativeLB" href="#opt-servicesm-nativeLB" title="#opt-servicesm-nativeLB">`services[m].`<br />`nativeLB`</a> | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                                                                                                                                                                           | false                                                                | No       |
@@ -507,3 +508,143 @@ The mirrorerd service dedicated option are described below.
 | Field                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Default                                                              | Required |
 |:--------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
 | <a id="opt-mirrorsm-percent" href="#opt-mirrorsm-percent" title="#opt-mirrorsm-percent">`mirrors[m].percent`</a> | Traffic percentage to route to the service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | 0                                                                   | No       |
+
+## Failover
+
+The failover service forwards all requests to a fallback service when the main service responds with specific HTTP status codes defined in the `errors` configuration.
+
+!!! Failover on Heathcheck Status
+
+    HealthCheck on a Failover service can be defined currently only with the [File provider](../../../../install-configuration/providers/others/file.md).
+
+### Configuration Examples
+
+```yaml tab="IngressRoute"
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: test-name
+  namespace: apps
+
+spec:
+  entryPoints:
+  - websecure
+  routes:
+  - match: Host(`example.com`) && PathPrefix(`/foo`)
+    kind: Rule
+    services:
+    # Set a Failover TraefikService
+    - name: failover1
+      namespace: apps
+      kind: TraefikService
+```
+
+```yaml tab="Failover from Kubernetes Services"
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: failover1
+  namespace: apps
+
+spec:
+  failover:
+    service:
+      name: svc1
+      port: 80
+    fallback:
+      name: svc2
+      port: 80
+    errors:
+      status:
+        - "500-503"
+        - "429"
+```
+
+```yaml tab="Failover from TraefikService (WRR)"
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: failover1
+  namespace: apps
+
+spec:
+  failover:
+    service:
+      name: wrr1
+      kind: TraefikService
+    fallback:
+      name: wrr2
+      kind: TraefikService
+    errors:
+      status:
+        - "500-503"
+```
+
+```yaml tab="Failover with maxRequestBodyBytes"
+apiVersion: traefik.io/v1alpha1
+kind: TraefikService
+metadata:
+  name: failover1
+  namespace: apps
+
+spec:
+  failover:
+    service:
+      name: svc1
+      port: 80
+    fallback:
+      name: svc2
+      port: 80
+    errors:
+      status:
+        - "500-503"
+        - "429"
+      maxRequestBodyBytes: 1048576
+```
+
+```yaml tab="Kubernetes Services"
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc1
+  namespace: apps
+
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: traefiklabs
+    task: app1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: svc2
+  namespace: apps
+
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: traefiklabs
+    task: app2
+```
+
+### Configuration Options
+
+#### Main Service and Fallback Options
+
+The `service` and `fallback` fields each define a target service using the same options as a [`Service`](./service.md).
+
+The exhaustive list of the service options is described in the [`Service`](./service.md#configuration-options) documentation.
+
+#### Failover Dedicated Options
+
+| Field                                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Default                                                              | Required |
+|:---------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
+| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | Main service to forward requests to. Provides the same options as a [`Service`](./service.md).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |                                                                      | Yes      |
+| <a id="opt-fallback" href="#opt-fallback" title="#opt-fallback">`fallback`</a> | Fallback service to use when the main service returns matching error status codes. Provides the same options as a [`Service`](./service.md).                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                      | Yes      |
+| <a id="opt-errors-status" href="#opt-errors-status" title="#opt-errors-status">`errors.status`</a> | List of HTTP status code ranges for which the fallback service should be used.<br />Each entry can be a single code (e.g. `"429"`) or a range (e.g. `"500-503"`).                                                                                                                                                                                                                                                                                                                                                                                                                                                   |                                                                      | No       |
+| <a id="opt-errors-maxRequestBodyBytes" href="#opt-errors-maxRequestBodyBytes" title="#opt-errors-maxRequestBodyBytes">`errors.`<br />`maxRequestBodyBytes`</a> | Maximum size allowed for the body of the request.<br />If the body is larger, the request is not replayed to the fallback service.<br />-1 means unlimited size.                                                                                                                                                                                                                                                                                                                                                                                                                                                    | -1                                                                   | No       |
@@ -24,6 +24,7 @@ metadata:
  namespace: apps

 spec:
+  ingressClassName: traefik-lb
  entryPoints:
    - footcp
  routes:
@@ -58,6 +59,7 @@ spec:

 | Field                                | Description                                                                                                                                                                                                                                                                                  | Default                                   | Required |
 |-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|-----------------------|
+| <a id="opt-ingressClassName" href="#opt-ingressClassName" title="#opt-ingressClassName">`ingressClassName`</a> | Defines the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) cluster resource to use. It replaces the deprecated `kubernetes.io/ingress.class` annotation.<br />The spec field takes precedence over the annotation. | | No |
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names.                                                                                                                                                                                                                                                                   | | No |
 | <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes.                                                                                                                                                                                                                                                                              | | Yes |
 | <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/routing/rules-and-priority.md#rules) of the underlying router.                                                                                                                                                                                               | | Yes |
@@ -18,6 +18,7 @@ metadata:
  name: ingressrouteudpfoo
  namespace: apps
 spec:
+  ingressClassName: traefik-lb
  entryPoints:
    - fooudp  # The entry point where Traefik listens for incoming traffic.
  routes:
@@ -32,6 +33,7 @@ spec:

 | Field  |  Description | Default  | Required |
 |------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
+| <a id="opt-ingressClassName" href="#opt-ingressClassName" title="#opt-ingressClassName">`ingressClassName`</a> | Defines the [IngressClass](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class) cluster resource to use. It replaces the deprecated `kubernetes.io/ingress.class` annotation.<br />The spec field takes precedence over the annotation. | | No |
 | <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names.  | | No |
 | <a id="opt-routes" href="#opt-routes" title="#opt-routes">` routes `</a> | List of routes.  | | Yes |
 | <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. See [here](#externalname-service) for `ExternalName Service` setup. | | No |
@@ -8,11 +8,11 @@ description: "The Kubernetes Gateway API can be used as a provider for routing a
 When using the Kubernetes Gateway API provider, Traefik leverages the Gateway API Custom Resource Definitions (CRDs) to obtain its routing configuration. 
 For detailed information on the Gateway API concepts and resources, refer to the official [documentation](https://gateway-api.sigs.k8s.io/).

-The Kubernetes Gateway API provider supports version [v1.4.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.4.0) of the specification.
+The Kubernetes Gateway API provider supports version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the specification.

-It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, and `GRPCRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute`, and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels). 
+It fully supports all `HTTPRoute` core and some extended features, like `BackendTLSPolicy`, `GRPCRoute`, and `TLSRoute` resources from the [Standard channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels), as well as `TCPRoute` from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.4.0/traefik-traefik).
+For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).


 ## Deploying a Gateway
@@ -110,6 +110,36 @@ data:
    LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRUUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Nzd2dna25BZ0VBQW9JQ0FRQ1pNNm1WNUJkV2V0QzYKbXZ6dGFQaGxTY2dJY253emdzbDhBcXp3RDJNOVJWVkZwRUxBbTh2OTNlRWtMZEY2ZnNkY0FhUXQxWlFDSFdYbwovZkxwUTVVa1B4dXY2TVArdjRtSjB2OGRLRlo3UjcwaTVud1lCMkVlVkw2RUNZaWlxNmZ6VEtsa3F6U0QvNW93CnpTdy96amtHVGEwSXcvdkg5YXNINzRIajNXdEE3RythenZjaVlhQTZxK1dWYlZxNlBIanF6em9obEFuMkh1anoKNmhEamFpZXN2TGx3QS9CL3JoRHNBS2graTByOEFKUTFqM0JiTGJuYkJyWmZqYnBJUjNhYVh5amkwK3RQWENnVQo5M0JlOXZtS2U2U2NHUjcvNk9ubWJrU3NMY2RXaFpVNzcrL2c4WllsZGhwS01nczc4ekJYUlh4bHlzSThHRUtqClNYbnd5OVpmTU9kSTRKQU1jbU9JTmlZQWNtWm5JTUJIa0xacFl3aUl0eFdseXVJcWxoZFpkSHNrTFdNSjBSTHUKMUZoUzJwRVdDTmUzN1QwYjlobTRYNDlydUFiekl1M01xSmczcXFIdGRMNGRkZ1JZRHNjMXd0cDJrR2dBZGxDaQpySHJReitZeDBCTU9WbGRHM2htUlFIeWRxMkhyWW0xeEFDNWpMZ3FvaVZhY09wd0xKY21PcGsrZWVNQkNZNVo0CnpDWDdYV3l3YVZjbTJzdmhpTzE4QmRSK2g5aFliMkRNZDFCendDbE95endQcUlvQy9uNGRURG96Ry9GT3NySzgKLzRGeHc2NkNWZjNxODMwTVB3UndsQ0sxQ0I3RjNQK3lKWkpPelRuK05QZ2dGQW9NaGZUYXBQWTFhUGlWajBzVApvb0IwWjhjRVdUZE5ycUFObVBrOWgzaEIycG44SndJREFRQUJBb0lDQUVCa2dKRXA3ODAvamVBQktQSTR2cjhFCkJmblc5UEZKdFpwVUhaQkJSM3NIVzFJTU9xcHVVWTJBNXhLbjEzWmZOemdxMEhFYlpqeUZVc0pkaXU0VW8razYKUlU3b3pRaVVSU0VTK0h1dTZycWlhcEx5d1pIditCZ2hrbm80NzU4Lyt6VytNU3pJOFNmU0ZXTVJ1ZG1QdWxRMQo3ZGJUV1U2d3FaU0tUTlFUeXZMYzdnUHBuZUpybWtkTzNRNnppZ0RoVGdtVDFHRXNzZ3NxN3NzbXhMWnhkZithCnkyNlRtVkJ4UDFlUzV6OVpHTWxYRFBSK044RjdOTFVrMng3S21WT3NCZVBZdjN5bmlpNHZGQUhNQndWRFZadXAKWUlUajRpMjZIaVhtanlLM2t5T0F2anNWSElRMXh1QTBCZFROdC84WXRtYllJL005QitydVg0UDJiRFNUMktRKwo4TlN2Uk9wbVppcnBHZkY3bExMSGpJUjlTMFhCWDd6VDRoWnBRWnpqK3NEWnhDM2Y3TGIwRFlKYkp0TmlDYTQxCmNpTjhNUlNldzNneHZ0RVk0RzdnN3hjbkJNdjdNT3RwQTE3d2gvMHdLd0h0amYzSWh2TmIzdkZwT0k5d1FqSzYKSlRQMng4bENJV0tyalpObVN0UksreHJTN3hTOUZVdnBhSVlyclRLQkZWSmcyMURCYWI1L3hqRlBlQWxXejczSwpvVkhsa0hLdXNMSjZLczZzcXo0ZG9mbzg3dkFsUFJzTXRkZ1ZnZFIzNXhLTGtEWXNIbGxML3Z5dE9oSkNieXB5CkJqQm1TR0RMdzBDdWplaHVtU2czYjdSUGVTNk5rbHNqUEIrMVpzRjhpVGdCcjMyM1hvTmNha2dhWWVYQlg4NFAKaE1WZHUxWk1rbXJZMWhXTzEydnhBb0lCQVFEWU5Vb2xCMkhsdWlDcVFqdmU4UFNhV0YxRmhwNUlOMGJIZEppeApIdkhqMkplVHJ6V1pUZFlIdFNJR2RzalhTOTBESXo2bXJhMW9YZXFRYlgrODVlOUFQQkZnRTJmNU5uTzBCSVVJCk5hMXRiVGpIOUhjRGRzQmJKUkZwYnk1ODZUb3lhdFY3bS9zcjVpQUZlZFMyenFOTm1XUmZOdllZS2xselZoSEUKdUd4ZjZxMHJTWktVQUhja2s1bU5Yais3WFhZaTgyemErVEE3ZjBDVm5OamR3OXFpd3B2aTJKTFB2SnA0bWt6KwpyMEN1RW9yV2NhMUdTL2hTVWdXemw3NzhQdlRpZFI2RW4zMDB2ZlIyTE84aG1xRjhVL3Bpb2UrTDVjSllRNnNKCk1YMngrYThzWFFpZ3dwdG02aUNxQ2FuS3ExN3NUZS9RTmQ1czdwb3ZOaHVKOHd3dEFvSUJBUUMxWmM5ZktPUFgKVzZSN1VoaHRRcmhIc3htQnRIQ1BuNWRLbjN5MElNNWRBaEFSdFZDV1U0M0hOTHpCNW1LbjU2dnZrSVNFaXdBbAoxTGhuY2I3YXQ2cHpTSlZtMm5oTDhjeUZrdGQrNzVyL1FHNFlpNnZQbHNBODV5ZXZpZDhZcWswaHdaZXExY05xCmxETUN3NWsrV0drckM2VW5jZXNIc2FWbDJTUGdZV1c1L3I1NnVxUnBsaVFka1EyZmlEYWRyblVueU8ycHg3bFMKVG1HemZaNmtzTWh2MlZFR1NPRm05aUo0dWlPb0xyZVhoU1RQRmxTdjdZUTZSWWtSaGgwT0tqdXM5bXZacEIxWApjcytYN0UyVTNlM0RZelpCR0NFdmxxaFNWTFRScjdIN21pMWxUMEozR0RzbDdiUk9xOE50WVdQa3hhSlNCUnQ5Ck9TcTlkTm9CcGRvakFvSUJBQ2lQdnN3NW1WVW0yUS80QXhGdE5RWnJ3M3ZTcUlrMXpaS0h2a21rVzQ3NlNGMk4KaGttdmY1TE1tWWlLNmx6eHY1SGlIOVBYUzJ3RUNvaHo4bjMyeVM3TTFobW5LbDlucHNkRC9jMHZmTXpGcTl4ZgpjYUIxdTlxZGxxbW9FUm1nQzZuL3Z2TkVyUmRzUWQrbEhwSDVMRXZYbGl3Q3ZLS0Y5MmdhNHBSOFlPQ1J2MUVhCnFXUVl2a0ZmYTNSSkZUM0taK3BncnJCYUJZRnoreUxXWFIwbHJEUFN2TG9QRldQaHB6MHUvWGplV2cwT0wzdlIKc2NjNVkybldOM21jNDFpaFd3SE5KUitPYUVmbnh5QVFpQUJPNlRMUThtMWtvZk1sOUpMb2h3TGZoUXhKb21KNQpSYkFiTWxwWlhDMXFTSzliL1IvcDh5NmxuSWZsTDRuaDVjSzRsVFVDZ2dFQUpSSHVSQU1tTksrTXVJcjVaUEs2Cm1DUjR0UEg4QXMzWmJDMlZuWFlLMWlVQ3hhdXBFVjkzM05yaExEcjV0Rmg2NFpWR0Q1UWNicDYvSkp5eEpSOWQKblB1YlZJNlhBT1lrSnJQd2lBZE5SSmFWS1R6NTJvMXpNYjhIZEM4WHdZR2tDNTcxY0xzSW1YSTV6bm5NaWxvaworK0FBVzBSRGhLb0FKQVV3K0x6T3ZpamFJbGljR3R2TSs2SFdCK0VkVURJRHpTS1p0eFdTd01nMTNTbHh6elExCmNlNFdTZE9CQkxxT0p0L2JRNVp3ZkcyQUxUWGlEcVhhWE5JekJickRtMDUwTFkrYVVMcmlLQ25WVkxXODBReGQKZDQyQjIrR2pmb2NxVk5Ec3R1RlIzUm9QNXVGQXN2Zm50b09TVW5WMWxaZk9nMFVFUEFEQk1tRUpZL2hLU1FYcwp3d0tDQVFBNWQya2hFQ1c1V3QrMzRYWnl1b3NFTjZ4UDExbC96VDRBZjhGSWtQLzlkb0JXRnBhc28zbG1NcXZHCmhPeFErbnZBSjFhNzhZRjA4N3p1UC9DZkQ0UElOUTV4YzZHMDNQdG5JOVNVT0dpMDB4Zlg5MU5NMHBHYWJqb0QKZ0RqVzJxSkJDaVB5N0RIR1RlZkU5eUNUbkhrY1NBbWllVGc3aGFyeEZPOUREZTJKbzhKQXV2SHI1aGVxazVIcgpLYlgzTy9vNUMwcWVnYW1rWVRLcHZzV2VFdXhkY2l5LzFQd3NnV3BuV1JPWllQNENrSkJweEx1bDNVamVSY3dkCnRhcjBJYU52WlV2NFd4U0JZdWVHMDFyYUd2SDZtTTcyTEExR3MrMytwTnZwUVo3bGo2S09tcFlhQUlhemVxY2MKTjJjT2R5U1RqZmQ5OFlNVFAxbmIyK3N1Yy91VAotLS0tLUVORCBQUklWQVRFIEtFWS0tLS0tCg==
 ```

+### Multiple TLS Certificates
+
+Traefik supports multiple secret `certificateRefs` per Gateway listener.
+If one of the certificates is invalid or cannot be loaded, the listener will be considered invalid and will not be able to serve traffic until the issue is resolved.
+
+For example, the following `Gateway` listener references two different certificates:
+
+```yaml
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: multi-cert-gateway
+  namespace: default
+spec:
+  gatewayClassName: traefik
+  listeners:
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: example-com-tls
+          - name: example-org-tls
+      allowedRoutes:
+        namespaces:
+          from: Same
+```
+
 ## Exposing a Route

 Once a `Gateway` is deployed (see [Deploying a Gateway](#deploying-a-gateway)) `HTTPRoute`, `TCPRoute`, 
@@ -399,6 +429,106 @@ Once everything is deployed, sending a `GET` request should return the following
    X-Real-Ip: 10.42.2.1
    ```

+#### Backend-Level Filters
+
+In addition to route-level filters, the Gateway API also supports applying filters directly to individual backends through the `backendRefs[].filters` field.
+This allows request modifications to be applied to specific backends, enabling the `HTTPRouteBackendRequestHeaderModification` extended feature.
+
+!!! info "Supported Filter Types"
+
+    Backend-level filters support the same filter types as route-level filters:
+
+    - `RequestHeaderModifier`: Add, set, or remove HTTP request headers before forwarding to the backend.
+    - `ResponseHeaderModifier`: Add, set, or remove HTTP response headers.
+    - `RequestRedirect`: Redirect the request to a different URL.
+    - `URLRewrite`: Rewrite the request URL path and/or hostname.
+    - `ExtensionRef`: Reference a Traefik [Middleware](../kubernetes/crd/http/middleware.md) resource.
+
+!!! info "Middlewares Execution Order"
+
+    When both route-level and backend-level filters are configured, route-level filters are applied first, followed by backend-level filters.
+
+For more information on service-level middlewares, see [service middlewares](../http/load-balancing/service.md#middlewares).
+
+??? example "Using RequestHeaderModifier on a Backend"
+
+    ```yaml tab="HTTPRoute"
+    ---
+    apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: whoami-http
+      namespace: default
+    spec:
+      parentRefs:
+        - name: traefik
+          sectionName: http
+          kind: Gateway
+
+      hostnames:
+        - whoami.localhost
+
+      rules:
+        - matches:
+            - path:
+                type: PathPrefix
+                value: /
+
+          backendRefs:
+            - name: whoami
+              namespace: default
+              port: 80
+              filters:
+                - type: RequestHeaderModifier
+                  requestHeaderModifier:
+                    set:
+                      - name: X-Backend-Header
+                        value: "backend-filter"
+    ```
+
+??? example "Using ExtensionRef (Traefik Middleware) on a Backend"
+
+    ```yaml tab="HTTPRoute"
+    ---
+    apiVersion: gateway.networking.k8s.io/v1
+    kind: HTTPRoute
+    metadata:
+      name: whoami-http
+      namespace: default
+    spec:
+      parentRefs:
+        - name: traefik
+          sectionName: http
+          kind: Gateway
+
+      hostnames:
+        - whoami.localhost
+
+      rules:
+        - backendRefs:
+            - name: whoami
+              namespace: default
+              port: 80
+              filters:
+                - type: ExtensionRef
+                  extensionRef:
+                    group: traefik.io
+                    kind: Middleware
+                    name: add-prefix
+    ```
+
+    ```yaml tab="AddPrefix Middleware"
+    ---
+    apiVersion: traefik.io/v1alpha1
+    kind: Middleware
+    metadata:
+      name: add-prefix
+      namespace: default
+    spec:
+      addPrefix:
+        prefix: /api
+    ```
+
 ### GRPC

 The `GRPCRoute` is an extended resource in the Gateway API specification, designed to define how GRPC traffic should be routed within a Kubernetes cluster. 
@@ -19,7 +19,8 @@ Enable seamless migration from NGINX Ingress Controller to Traefik with NGINX an

 ## Ingress Discovery

-This provider discovers all Ingresses in the cluster by default, which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.
+This provider discovers all Ingresses in the cluster by default,
+which may lead to duplicated routers if you are also using the standard Kubernetes Ingress provider.

 **Best Practices:**

@@ -29,7 +30,22 @@ This provider discovers all Ingresses in the cluster by default, which may lead

 ## Routing Configuration

-This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration, creating the corresponding routers, services, middlewares, and other components needed to handle your traffic.
+This provider watches for incoming Ingress events and automatically translates NGINX annotations into Traefik's dynamic configuration,
+creating the corresponding routers, services, middlewares, and other components needed to handle your traffic.
+
+!!! warning "ConfigMap Configuration and Default Behaviors"
+
+    Routing annotations take precedence over provider-level defaults,
+    but they don't control all behaviors that NGINX Ingress Controller's ConfigMap configuration would handle globally.
+
+    Important differences in default behaviors:
+    
+    - **Request buffering**: NGINX enables `proxy-request-buffering` by default, while Traefik requires explicit opt-in via the provider's `proxyRequestBuffering` option.
+    - **Legacy scheme headers**: If your applications depend on `X-Forwarded-Scheme` or `X-Scheme`, enable `entryPoints.<name>.forwardedHeaders.addXForwardedSchemeHeaders=true` on the relevant entrypoints.
+
+    To ensure consistent behavior during migration,
+    review and configure Traefik's provider-level options to match your current NGINX ConfigMap settings.
+    See the [provider configuration options](../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx.md) for available settings.

 ## Configuration Example

@@ -148,7 +164,7 @@ This provider watches for incoming Ingress events and automatically translates N
            serviceAccountName: traefik-ingress-controller
            containers:
              - name: traefik
-                image: traefik:v3.6
+                image: traefik:v3.7
                args:
                  - --entryPoints.web.address=:80
                  - --providers.kubernetesingressnginx
@@ -252,59 +268,72 @@ This provider watches for incoming Ingress events and automatically translates N
 This section lists all known NGINX Ingress annotations.
 The following annotations are organized by category for easier navigation.

-### Coming Soon: More Annotations in Active Development
-
- Several annotations currently listed as unsupported are actively being implemented and will become available in upcoming release.
-
-!!! tip "Preview upcoming annotation support"
-    You can follow the progress and explore annotations that are already available in the next version of Traefik by visiting the **[experimental documentation (master branch)](https://doc.traefik.io/traefik/master/reference/routing-configuration/kubernetes/ingress-nginx/)**.
-
-    The experimental page reflects the state of the `master` branch and may include annotations not yet available in the current stable release. Features shown there are subject to change before the final release.
-
 ### Authentication

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioauth-type" href="#opt-nginx-ingress-kubernetes-ioauth-type" title="#opt-nginx-ingress-kubernetes-ioauth-type">`nginx.ingress.kubernetes.io/auth-type`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-secret" href="#opt-nginx-ingress-kubernetes-ioauth-secret" title="#opt-nginx-ingress-kubernetes-ioauth-secret">`nginx.ingress.kubernetes.io/auth-secret`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-secret-type" href="#opt-nginx-ingress-kubernetes-ioauth-secret-type" title="#opt-nginx-ingress-kubernetes-ioauth-secret-type">`nginx.ingress.kubernetes.io/auth-secret-type`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-realm" href="#opt-nginx-ingress-kubernetes-ioauth-realm" title="#opt-nginx-ingress-kubernetes-ioauth-realm">`nginx.ingress.kubernetes.io/auth-realm`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-url" href="#opt-nginx-ingress-kubernetes-ioauth-url" title="#opt-nginx-ingress-kubernetes-ioauth-url">`nginx.ingress.kubernetes.io/auth-url`</a> | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-method" href="#opt-nginx-ingress-kubernetes-ioauth-method" title="#opt-nginx-ingress-kubernetes-ioauth-method">`nginx.ingress.kubernetes.io/auth-method`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-response-headers" href="#opt-nginx-ingress-kubernetes-ioauth-response-headers" title="#opt-nginx-ingress-kubernetes-ioauth-response-headers">`nginx.ingress.kubernetes.io/auth-response-headers`</a> |                                                                                            |
+| Annotation                                            | Limitations / Notes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
+|-------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioauth-type" href="#opt-nginx-ingress-kubernetes-ioauth-type" title="#opt-nginx-ingress-kubernetes-ioauth-type">`nginx.ingress.kubernetes.io/auth-type`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-secret" href="#opt-nginx-ingress-kubernetes-ioauth-secret" title="#opt-nginx-ingress-kubernetes-ioauth-secret">`nginx.ingress.kubernetes.io/auth-secret`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-secret-type" href="#opt-nginx-ingress-kubernetes-ioauth-secret-type" title="#opt-nginx-ingress-kubernetes-ioauth-secret-type">`nginx.ingress.kubernetes.io/auth-secret-type`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-realm" href="#opt-nginx-ingress-kubernetes-ioauth-realm" title="#opt-nginx-ingress-kubernetes-ioauth-realm">`nginx.ingress.kubernetes.io/auth-realm`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-url" href="#opt-nginx-ingress-kubernetes-ioauth-url" title="#opt-nginx-ingress-kubernetes-ioauth-url">`nginx.ingress.kubernetes.io/auth-url`</a> | Only URL and response headers copy supported. Forward auth behaves differently than NGINX. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`.                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-signin" href="#opt-nginx-ingress-kubernetes-ioauth-signin" title="#opt-nginx-ingress-kubernetes-ioauth-signin">`nginx.ingress.kubernetes.io/auth-signin`</a> | Redirects to signin URL on 401 response. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. <br/><br/>Like ingress-nginx, Traefik automatically appends `rd=$scheme://$best_http_host$escaped_request_uri` so the auth service can redirect back after sign-in; pass an empty `rd` to disable it. On routes without a `Host` matcher, the request's `Host` header feeds the interpolation and can be abused for open redirects. Scoping routers with a `Host` rule is strongly recommended when relying on this behavior.  |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-snippet" href="#opt-nginx-ingress-kubernetes-ioauth-snippet" title="#opt-nginx-ingress-kubernetes-ioauth-snippet">`nginx.ingress.kubernetes.io/auth-snippet`</a> | Supported directives: `proxy_method`, `more_set_headers`, `proxy_set_header`, `more_set_input_headers`, `set`, `if`, `return code [text]`. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`.                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-method" href="#opt-nginx-ingress-kubernetes-ioauth-method" title="#opt-nginx-ingress-kubernetes-ioauth-method">`nginx.ingress.kubernetes.io/auth-method`</a> | This annotation uses the `proxy_method` directive in Nginx. Thus, it can't be defined on an ingress that already have an `auth-snippet` annotation with the `proxy_method` directive.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-response-headers" href="#opt-nginx-ingress-kubernetes-ioauth-response-headers" title="#opt-nginx-ingress-kubernetes-ioauth-response-headers">`nginx.ingress.kubernetes.io/auth-response-headers`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioenable-global-auth" href="#opt-nginx-ingress-kubernetes-ioenable-global-auth" title="#opt-nginx-ingress-kubernetes-ioenable-global-auth">`nginx.ingress.kubernetes.io/enable-global-auth`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

 ### SSL/TLS

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-iossl-redirect" href="#opt-nginx-ingress-kubernetes-iossl-redirect" title="#opt-nginx-ingress-kubernetes-iossl-redirect">`nginx.ingress.kubernetes.io/ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                              |
-| <a id="opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" href="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" title="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect">`nginx.ingress.kubernetes.io/force-ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                              |
-| <a id="opt-nginx-ingress-kubernetes-iossl-passthrough" href="#opt-nginx-ingress-kubernetes-iossl-passthrough" title="#opt-nginx-ingress-kubernetes-iossl-passthrough">`nginx.ingress.kubernetes.io/ssl-passthrough`</a> | Some differences in SNI/default backend handling.                                          |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name">`nginx.ingress.kubernetes.io/proxy-ssl-server-name`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name">`nginx.ingress.kubernetes.io/proxy-ssl-name`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify">`nginx.ingress.kubernetes.io/proxy-ssl-verify`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret">`nginx.ingress.kubernetes.io/proxy-ssl-secret`</a> |                                                                                            |
+| Annotation                                                                                                                                                                                                                                          | Limitations / Notes                                                                                            |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-iossl-redirect" href="#opt-nginx-ingress-kubernetes-iossl-redirect" title="#opt-nginx-ingress-kubernetes-iossl-redirect">`nginx.ingress.kubernetes.io/ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                                                  |
+| <a id="opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" href="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect" title="#opt-nginx-ingress-kubernetes-ioforce-ssl-redirect">`nginx.ingress.kubernetes.io/force-ssl-redirect`</a> | Cannot opt-out per route if enabled globally.                                                                  |
+| <a id="opt-nginx-ingress-kubernetes-iossl-passthrough" href="#opt-nginx-ingress-kubernetes-iossl-passthrough" title="#opt-nginx-ingress-kubernetes-iossl-passthrough">`nginx.ingress.kubernetes.io/ssl-passthrough`</a> | Some differences in SNI/default backend handling.                                                              |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-server-name">`nginx.ingress.kubernetes.io/proxy-ssl-server-name`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-name" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-name">`nginx.ingress.kubernetes.io/proxy-ssl-name`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify">`nginx.ingress.kubernetes.io/proxy-ssl-verify`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-secret">`nginx.ingress.kubernetes.io/proxy-ssl-secret`</a> |                                                                                                                |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-secret" href="#opt-nginx-ingress-kubernetes-ioauth-tls-secret" title="#opt-nginx-ingress-kubernetes-ioauth-tls-secret">`nginx.ingress.kubernetes.io/auth-tls-secret`</a> | When validation fails, the rejection happens during the TLS handshake rather than returning a 400 Bad Request. |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client">`nginx.ingress.kubernetes.io/auth-tls-verify-client`</a> | When validation fails, the rejection happens during the TLS handshake rather than returning a 400 Bad Request. |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" href="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" title="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream">`nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`</a> |       |
+| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth">`nginx.ingress.kubernetes.io/auth-tls-verify-depth`</a> | Go has no configurable depth limit. It will accept any valid chain regardless of how many intermediates it contains.|

 ### Session Affinity

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioaffinity" href="#opt-nginx-ingress-kubernetes-ioaffinity" title="#opt-nginx-ingress-kubernetes-ioaffinity">`nginx.ingress.kubernetes.io/affinity`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-ioaffinity-mode" href="#opt-nginx-ingress-kubernetes-ioaffinity-mode" title="#opt-nginx-ingress-kubernetes-ioaffinity-mode">`nginx.ingress.kubernetes.io/affinity-mode`</a> | Only persistent mode supported; balanced/canary not supported.                             |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-name" href="#opt-nginx-ingress-kubernetes-iosession-cookie-name" title="#opt-nginx-ingress-kubernetes-iosession-cookie-name">`nginx.ingress.kubernetes.io/session-cookie-name`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-secure" href="#opt-nginx-ingress-kubernetes-iosession-cookie-secure" title="#opt-nginx-ingress-kubernetes-iosession-cookie-secure">`nginx.ingress.kubernetes.io/session-cookie-secure`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-path" href="#opt-nginx-ingress-kubernetes-iosession-cookie-path" title="#opt-nginx-ingress-kubernetes-iosession-cookie-path">`nginx.ingress.kubernetes.io/session-cookie-path`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-domain" href="#opt-nginx-ingress-kubernetes-iosession-cookie-domain" title="#opt-nginx-ingress-kubernetes-iosession-cookie-domain">`nginx.ingress.kubernetes.io/session-cookie-domain`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-samesite" href="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite" title="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite">`nginx.ingress.kubernetes.io/session-cookie-samesite`</a> |                                                                                            |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-max-age" href="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age" title="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age">`nginx.ingress.kubernetes.io/session-cookie-max-age`</a> |                                                                                            |
+| Annotation                                            | Limitations / Notes                                                     |
+|-------------------------------------------------------|-------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioaffinity" href="#opt-nginx-ingress-kubernetes-ioaffinity" title="#opt-nginx-ingress-kubernetes-ioaffinity">`nginx.ingress.kubernetes.io/affinity`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-ioaffinity-mode" href="#opt-nginx-ingress-kubernetes-ioaffinity-mode" title="#opt-nginx-ingress-kubernetes-ioaffinity-mode">`nginx.ingress.kubernetes.io/affinity-mode`</a> | Only persistent mode supported; balanced not supported.           |
+| <a id="opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" href="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" title="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior">`nginx.ingress.kubernetes.io/affinity-canary-behavior`</a> | Only the sticky behavior is supported; legacy behavior is not supported. |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-name" href="#opt-nginx-ingress-kubernetes-iosession-cookie-name" title="#opt-nginx-ingress-kubernetes-iosession-cookie-name">`nginx.ingress.kubernetes.io/session-cookie-name`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-secure" href="#opt-nginx-ingress-kubernetes-iosession-cookie-secure" title="#opt-nginx-ingress-kubernetes-iosession-cookie-secure">`nginx.ingress.kubernetes.io/session-cookie-secure`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-path" href="#opt-nginx-ingress-kubernetes-iosession-cookie-path" title="#opt-nginx-ingress-kubernetes-iosession-cookie-path">`nginx.ingress.kubernetes.io/session-cookie-path`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-domain" href="#opt-nginx-ingress-kubernetes-iosession-cookie-domain" title="#opt-nginx-ingress-kubernetes-iosession-cookie-domain">`nginx.ingress.kubernetes.io/session-cookie-domain`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-samesite" href="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite" title="#opt-nginx-ingress-kubernetes-iosession-cookie-samesite">`nginx.ingress.kubernetes.io/session-cookie-samesite`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-max-age" href="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age" title="#opt-nginx-ingress-kubernetes-iosession-cookie-max-age">`nginx.ingress.kubernetes.io/session-cookie-max-age`</a> |                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-expires" href="#opt-nginx-ingress-kubernetes-iosession-cookie-expires" title="#opt-nginx-ingress-kubernetes-iosession-cookie-expires">`nginx.ingress.kubernetes.io/session-cookie-expires`</a> |                                                                         |

 ### Load Balancing & Backend

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioload-balance" href="#opt-nginx-ingress-kubernetes-ioload-balance" title="#opt-nginx-ingress-kubernetes-ioload-balance">`nginx.ingress.kubernetes.io/load-balance`</a> | Only round_robin supported; ewma and IP hash not supported.                                |
-| <a id="opt-nginx-ingress-kubernetes-iobackend-protocol" href="#opt-nginx-ingress-kubernetes-iobackend-protocol" title="#opt-nginx-ingress-kubernetes-iobackend-protocol">`nginx.ingress.kubernetes.io/backend-protocol`</a> | FCGI and AUTO_HTTP not supported.                                                          |
-| <a id="opt-nginx-ingress-kubernetes-ioservice-upstream" href="#opt-nginx-ingress-kubernetes-ioservice-upstream" title="#opt-nginx-ingress-kubernetes-ioservice-upstream">`nginx.ingress.kubernetes.io/service-upstream`</a> |                                                                                            |
+| Annotation                                                                                                                                                                                                                  | Limitations / Notes                                                                                                                                                                                                                                                                                                                |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioload-balance" href="#opt-nginx-ingress-kubernetes-ioload-balance" title="#opt-nginx-ingress-kubernetes-ioload-balance">`nginx.ingress.kubernetes.io/load-balance`</a> | Only round_robin supported; ewma and IP hash not supported.                                                                                                                                                                                                                                                                        |
+| <a id="opt-nginx-ingress-kubernetes-iobackend-protocol" href="#opt-nginx-ingress-kubernetes-iobackend-protocol" title="#opt-nginx-ingress-kubernetes-iobackend-protocol">`nginx.ingress.kubernetes.io/backend-protocol`</a> | FCGI and AUTO_HTTP not supported.                                                                                                                                                                                                                                                                                                  |
+| <a id="opt-nginx-ingress-kubernetes-ioservice-upstream" href="#opt-nginx-ingress-kubernetes-ioservice-upstream" title="#opt-nginx-ingress-kubernetes-ioservice-upstream">`nginx.ingress.kubernetes.io/service-upstream`</a> |                                                                                                                                                                                                                                                                                                                                    |
+| <a id="opt-nginx-ingress-kubernetes-ioupstream-hash-by" href="#opt-nginx-ingress-kubernetes-ioupstream-hash-by" title="#opt-nginx-ingress-kubernetes-ioupstream-hash-by">`nginx.ingress.kubernetes.io/upstream-hash-by`</a> | It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. |
+| <a id="opt-nginx-ingress-kubernetes-ioupstream-vhost" href="#opt-nginx-ingress-kubernetes-ioupstream-vhost" title="#opt-nginx-ingress-kubernetes-ioupstream-vhost">`nginx.ingress.kubernetes.io/upstream-vhost`</a> | Supports NGINX variable interpolation. Request-time variables (`$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`) and the provider-resolved per-location variables (`$namespace`, `$ingress_name`, `$service_name`, `$service_port`, `$location_path`) are supported. The NGINX-internal variable `$proxy_upstream_name` is not available. |
+| <a id="opt-nginx-ingress-kubernetes-iocustom-headers" href="#opt-nginx-ingress-kubernetes-iocustom-headers" title="#opt-nginx-ingress-kubernetes-iocustom-headers">`nginx.ingress.kubernetes.io/custom-headers`</a> | Header whitelisting, similar to `global-allowed-response-headers` NGINX config is not supported.                                                                                                                                                                                                                                   |
+| <a id="opt-nginx-ingress-kubernetes-iodefault-backend" href="#opt-nginx-ingress-kubernetes-iodefault-backend" title="#opt-nginx-ingress-kubernetes-iodefault-backend">`nginx.ingress.kubernetes.io/default-backend`</a> | Specifies a fallback service within the same namespace as the Ingress resource used to handle requests when the primary backend service has no active endpoints. If the specified service exposes multiple ports, the first port will receive the traffic.                                                                         |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-http-version" href="#opt-nginx-ingress-kubernetes-ioproxy-http-version" title="#opt-nginx-ingress-kubernetes-ioproxy-http-version">`nginx.ingress.kubernetes.io/proxy-http-version`</a> | Controls HTTP protocol version for backend communication. Supported value: `"1.1"` (disables HTTP/2 to backend). Value `"1.0"` is not supported and will log a warning.                                                                                                                                                            |
+| <a id="opt-nginx-ingress-kubernetes-iocanary" href="#opt-nginx-ingress-kubernetes-iocanary" title="#opt-nginx-ingress-kubernetes-iocanary">`nginx.ingress.kubernetes.io/canary`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header" href="#opt-nginx-ingress-kubernetes-iocanary-by-header" title="#opt-nginx-ingress-kubernetes-iocanary-by-header">`nginx.ingress.kubernetes.io/canary-by-header`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-value" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-value" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-value">`nginx.ingress.kubernetes.io/canary-by-header-value`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern">`nginx.ingress.kubernetes.io/canary-by-header-pattern`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-by-cookie" href="#opt-nginx-ingress-kubernetes-iocanary-by-cookie" title="#opt-nginx-ingress-kubernetes-iocanary-by-cookie">`nginx.ingress.kubernetes.io/canary-by-cookie`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-weight" href="#opt-nginx-ingress-kubernetes-iocanary-weight" title="#opt-nginx-ingress-kubernetes-iocanary-weight">`nginx.ingress.kubernetes.io/canary-weight`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iocanary-weight-total" href="#opt-nginx-ingress-kubernetes-iocanary-weight-total" title="#opt-nginx-ingress-kubernetes-iocanary-weight-total">`nginx.ingress.kubernetes.io/canary-weight-total`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-iox-forwarded-prefix" href="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix" title="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix">`nginx.ingress.kubernetes.io/x-forwarded-prefix`</a> |                                                                                                                                                                                                                                                                                                                                                                                                                      |

 ### CORS

@@ -320,9 +349,76 @@ The following annotations are organized by category for easier navigation.

 ### Routing

-| Annotation                                            | Limitations / Notes                                                                        |
-|-------------------------------------------------------|--------------------------------------------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-iouse-regex" href="#opt-nginx-ingress-kubernetes-iouse-regex" title="#opt-nginx-ingress-kubernetes-iouse-regex">`nginx.ingress.kubernetes.io/use-regex`</a> |                                                                                            |
+| Annotation                                                                                                                                                                                                                                              | Limitations / Notes                                                                                                                                                                                                                                                                                                                                                                                       |
+|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioapp-root" href="#opt-nginx-ingress-kubernetes-ioapp-root" title="#opt-nginx-ingress-kubernetes-ioapp-root">`nginx.ingress.kubernetes.io/app-root`</a> |                                                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iofrom-to-www-redirect" href="#opt-nginx-ingress-kubernetes-iofrom-to-www-redirect" title="#opt-nginx-ingress-kubernetes-iofrom-to-www-redirect">`nginx.ingress.kubernetes.io/from-to-www-redirect`</a> | Doesn't support wildcard hosts.                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iouse-regex" href="#opt-nginx-ingress-kubernetes-iouse-regex" title="#opt-nginx-ingress-kubernetes-iouse-regex">`nginx.ingress.kubernetes.io/use-regex`</a> |                                                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iorewrite-target" href="#opt-nginx-ingress-kubernetes-iorewrite-target" title="#opt-nginx-ingress-kubernetes-iorewrite-target">`nginx.ingress.kubernetes.io/rewrite-target`</a> |                                                                                                                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect">`nginx.ingress.kubernetes.io/permanent-redirect`</a> | Defaults to a 301 Moved Permanently status code.                                                                                                                                                                                                                                                                                                                                                          |
+| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect-code" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code">`nginx.ingress.kubernetes.io/permanent-redirect-code`</a> | Only valid 3XX HTTP Status Codes are accepted.                                                                                                                                                                                                                                                                                                                                                            |
+| <a id="opt-nginx-ingress-kubernetes-iotemporal-redirect" href="#opt-nginx-ingress-kubernetes-iotemporal-redirect" title="#opt-nginx-ingress-kubernetes-iotemporal-redirect">`nginx.ingress.kubernetes.io/temporal-redirect`</a> | Takes precedence over the `permanent-redirect` annotation. Defaults to a 302 Found status code.                                                                                                                                                                                                                                                                                                           |
+| <a id="opt-nginx-ingress-kubernetes-iotemporal-redirect-code" href="#opt-nginx-ingress-kubernetes-iotemporal-redirect-code" title="#opt-nginx-ingress-kubernetes-iotemporal-redirect-code">`nginx.ingress.kubernetes.io/temporal-redirect-code`</a> | Only valid 3XX HTTP Status Codes are accepted.                                                                                                                                                                                                                                                                                                                                                            |
+| <a id="opt-nginx-ingress-kubernetes-iocustom-http-errors" href="#opt-nginx-ingress-kubernetes-iocustom-http-errors" title="#opt-nginx-ingress-kubernetes-iocustom-http-errors">`nginx.ingress.kubernetes.io/custom-http-errors`</a> | Specifies a comma-separated list of HTTP status codes that should be intercepted and served by an error page backend. When any of these status codes occur, the request is forwarded to the global default backend, or to the backend defined by the [default-backend](#opt-nginx-ingress-kubernetes-iodefault-backend) annotation if specified. |
+| <a id="opt-nginx-ingress-kubernetes-ioserver-alias" href="#opt-nginx-ingress-kubernetes-ioserver-alias" title="#opt-nginx-ingress-kubernetes-ioserver-alias">`nginx.ingress.kubernetes.io/server-alias`</a> | Ignored if the alias conflicts with an existing Ingress Host rule. Ingress Host rules always take precedence.                                                                                                                                                                                                                                    |
+| <a id="opt-nginx-ingress-kubernetes-ioserver-snippet" href="#opt-nginx-ingress-kubernetes-ioserver-snippet" title="#opt-nginx-ingress-kubernetes-ioserver-snippet">`nginx.ingress.kubernetes.io/server-snippet`</a> | Supported directives: `add_header`, `proxy_method`, `more_set_headers`, `proxy_set_header`, `more_set_input_headers`, `set`, `if`, `return code [text]`. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. |
+| <a id="opt-nginx-ingress-kubernetes-ioconfiguration-snippet" href="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet" title="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet">`nginx.ingress.kubernetes.io/configuration-snippet`</a> | Supported directives: `add_header`, `proxy_method`, `more_set_headers`, `proxy_set_header`, `more_set_input_headers`, `set`, `if`, `return code [text]`. It supports minimal variable interpolation by using the following NGINX variables: `$scheme`, `$host`, `$http_*`, `$hostname`, `$request_uri`, `$request_method`, `$query_string`, `$args`, `$arg_*`, `$remote_addr`, `$uri`, `$document_uri`, `$server_name`, `$server_port`, `$content_type`, `$content_length`, `$cookie_*`, `$is_args`, `$best_http_host`, `$escaped_request_uri`, `$proxy_add_x_forwarded_for`. |
+
+### IP Whitelist
+
+!!! info "Client IP Strategy"
+
+    By default, the client IP is determined from the remote address of the incoming request.
+    When Traefik is behind a reverse proxy, the actual client IP is often found in the `X-Forwarded-For` header instead.
+    This can be configured globally using the provider option [`ipAllowListStrategy`](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-ipAllowListStrategy).
+
+| Annotation                                                                                                                                                                                                                                          | Limitations / Notes                                                                        |
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-iowhitelist-source-range" href="#opt-nginx-ingress-kubernetes-iowhitelist-source-range" title="#opt-nginx-ingress-kubernetes-iowhitelist-source-range">`nginx.ingress.kubernetes.io/whitelist-source-range`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-ioallowlist-source-range" href="#opt-nginx-ingress-kubernetes-ioallowlist-source-range" title="#opt-nginx-ingress-kubernetes-ioallowlist-source-range">`nginx.ingress.kubernetes.io/allowlist-source-range`</a> |                                                      |
+
+### Rate Limiting
+
+| Annotation                                                                                                                                                                                      | Limitations / Notes                                                                                       |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |-----------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-iolimit-rps" href="#opt-nginx-ingress-kubernetes-iolimit-rps" title="#opt-nginx-ingress-kubernetes-iolimit-rps">`nginx.ingress.kubernetes.io/limit-rps`</a> | Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. |
+| <a id="opt-nginx-ingress-kubernetes-iolimit-rpm" href="#opt-nginx-ingress-kubernetes-iolimit-rpm" title="#opt-nginx-ingress-kubernetes-iolimit-rpm">`nginx.ingress.kubernetes.io/limit-rpm`</a> | Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. |
+| <a id="opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" href="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" title="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier">`nginx.ingress.kubernetes.io/limit-burst-multiplier`</a> | Default to a multiplier of 5 if the configured value is less than 1. Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. |
+| <a id="opt-nginx-ingress-kubernetes-iolimit-connections" href="#opt-nginx-ingress-kubernetes-iolimit-connections" title="#opt-nginx-ingress-kubernetes-iolimit-connections">`nginx.ingress.kubernetes.io/limit-connections`</a> | Exceeding the limit returns `429 Too Many Requests` instead of NGINX's default `503 Service Unavailable`. The concurrent connection limit is evaluated per client IP address. Values less than or equal to `0` are safely ignored. |
+
+### Buffering
+
+| Annotation                                                                                                                                                                                                                                                  | Limitations / Notes                                                                                           |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-request-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering">`nginx.ingress.kubernetes.io/proxy-request-buffering`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-body-size" href="#opt-nginx-ingress-kubernetes-ioproxy-body-size" title="#opt-nginx-ingress-kubernetes-ioproxy-body-size">`nginx.ingress.kubernetes.io/proxy-body-size`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" href="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" title="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size">`nginx.ingress.kubernetes.io/client-body-buffer-size`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-buffering">`nginx.ingress.kubernetes.io/proxy-buffering`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffer-size" href="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size" title="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size">`nginx.ingress.kubernetes.io/proxy-buffer-size`</a> |                                                                                                               |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffers-number" href="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number" title="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number">`nginx.ingress.kubernetes.io/proxy-buffers-number`</a> | With Traefik, `proxy-buffer-numbers` is actually used to compute the size of a single buffer (size * number). |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" href="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" title="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size">`nginx.ingress.kubernetes.io/proxy-max-temp-file-size`</a> |                                                                                                               |
+
+### Observability
+
+| Annotation                                                                                                                                                                                                                                      | Limitations / Notes                                                                                                                                                                                                                                                                                                                  |
+|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioenable-access-log" href="#opt-nginx-ingress-kubernetes-ioenable-access-log" title="#opt-nginx-ingress-kubernetes-ioenable-access-log">`nginx.ingress.kubernetes.io/enable-access-log`</a> | Access logs must first be enabled in the [install configuration](../../../install-configuration/observability/logs-and-accesslogs/#access-logs) (globally or per entrypoint) for this annotation to take effect. When access logs are enabled, this annotation allows opting out specific Ingresses by setting it to `"false"`. Conversely, when access logs are disabled on an entrypoint, setting this annotation to `"true"` allows opting in specific Ingresses. |
+
+### Timeout
+
+| Annotation                                          | Limitations / Notes                                                                                                                                                                                                                     |
+|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout">`nginx.ingress.kubernetes.io/proxy-connect-timeout`</a> | Timeout can be defined globally at the provider level using the [`proxyConnectTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyConnectTimeout). |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-send-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout">`nginx.ingress.kubernetes.io/proxy-send-timeout`</a> | Timeout can be defined globally at the provider level using the [`proxySendTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxySendTimeout).  |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-read-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout">`nginx.ingress.kubernetes.io/proxy-read-timeout`</a> | Timeout can be defined globally at the provider level using the [`proxyReadTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyReadTimeout). |
+
+### Retry
+
+| Annotation                                                | Limitations / Notes                                                                                                                                                                                                                                                                                                                                                                                                           |
+|-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream">`nginx.ingress.kubernetes.io/proxy-next-upstream`</a> | Unlike NGINX, Traefik does not guarantee that retries are sent to a different server. There is no difference between `error` and `timeout`, both are treated as TCP level failure. This configuration can be defined globally at the provider level using the [`proxyNextUpstream` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyNextUpstream). |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries">`nginx.ingress.kubernetes.io/proxy-next-upstream-tries`</a> | Unlimited retry (0) will be capped to the number of available servers to avoid infinite retries. The value can be defined globally at the provider level using the [`proxyNextUpstreamTries` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTries).                                                                                 |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout">`nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`</a> | The timeout can be defined globally at the provider level using the [`proxyNextUpstreamTimeout` option](../../../install-configuration/providers/kubernetes/kubernetes-ingress-nginx/#opt-providers-kubernetesIngressNGINX-proxyNextUpstreamTimeout).                                                                                                                                                                         |

 ## Limitations

@@ -331,11 +427,14 @@ The following annotations are organized by category for easier navigation.
 - **Authentication**: Forward auth behaves differently and session caching is not supported. NGINX supports sub-request based auth, while Traefik forwards the original request.
 - **Session Affinity**: Only persistent mode is supported.
 - **Leader Election**: Not supported; no cluster mode with leader election.
- **Default Backend**: Only defaultBackend in Ingress spec is supported; the annotation is ignored.
 - **Load Balancing**: Only round_robin is supported; EWMA and IP hash are not supported.
 - **CORS**: NGINX responds with all configured headers unconditionally; Traefik handles headers differently between pre-flight and regular requests.
 - **TLS/Backend Protocols**: AUTO_HTTP, FCGI and some TLS options are not supported in Traefik.
- **Path Handling**: Traefik preserves trailing slashes by default; NGINX removes them unless configured otherwise
+- **Path Handling**: Traefik preserves trailing slashes by default; NGINX removes them unless configured otherwise.
+- **Retry**: NGINX guarantee that the next retry will be passed to the next server, while on Traefik there is a possibility that the retry would be passed to the same server.
+- **Rate Limiting**: NGINX uses the **Leaky Bucket** algorithm, where requests are queued and drained at a fixed rate. Once the queue (burst) is full, excess requests are rejected immediately with `503`.
+Traefik uses the **Token Bucket** algorithm, where the bucket starts full at `burst` tokens, each request consumes one token, and tokens refill at the `limit-rps` rate. When the bucket is empty, the request is either delayed until more tokens are available or rejected with `429` if the delay would be too long.
+In practice, Traefik is slightly more lenient under bursty load, as it smooths out burst traffic rather than dropping it, but the steady-state throughput cap is similar.

 ### Unsupported Annotations

@@ -350,14 +449,7 @@ The following annotations are organized by category for easier navigation.

 | Annotation                                                                  | Notes                                                |
 |-----------------------------------------------------------------------------|------------------------------------------------------|
-| <a id="opt-nginx-ingress-kubernetes-ioapp-root" href="#opt-nginx-ingress-kubernetes-ioapp-root" title="#opt-nginx-ingress-kubernetes-ioapp-root">`nginx.ingress.kubernetes.io/app-root`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" href="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior" title="#opt-nginx-ingress-kubernetes-ioaffinity-canary-behavior">`nginx.ingress.kubernetes.io/affinity-canary-behavior`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-signin" href="#opt-nginx-ingress-kubernetes-ioauth-signin" title="#opt-nginx-ingress-kubernetes-ioauth-signin">`nginx.ingress.kubernetes.io/auth-signin`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-secret" href="#opt-nginx-ingress-kubernetes-ioauth-tls-secret" title="#opt-nginx-ingress-kubernetes-ioauth-tls-secret">`nginx.ingress.kubernetes.io/auth-tls-secret`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-depth">`nginx.ingress.kubernetes.io/auth-tls-verify-depth`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" href="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client" title="#opt-nginx-ingress-kubernetes-ioauth-tls-verify-client">`nginx.ingress.kubernetes.io/auth-tls-verify-client`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-tls-error-page" href="#opt-nginx-ingress-kubernetes-ioauth-tls-error-page" title="#opt-nginx-ingress-kubernetes-ioauth-tls-error-page">`nginx.ingress.kubernetes.io/auth-tls-error-page`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" href="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream" title="#opt-nginx-ingress-kubernetes-ioauth-tls-pass-certificate-to-upstream">`nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-tls-match-cn" href="#opt-nginx-ingress-kubernetes-ioauth-tls-match-cn" title="#opt-nginx-ingress-kubernetes-ioauth-tls-match-cn">`nginx.ingress.kubernetes.io/auth-tls-match-cn`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-cache-key" href="#opt-nginx-ingress-kubernetes-ioauth-cache-key" title="#opt-nginx-ingress-kubernetes-ioauth-cache-key">`nginx.ingress.kubernetes.io/auth-cache-key`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-cache-duration" href="#opt-nginx-ingress-kubernetes-ioauth-cache-duration" title="#opt-nginx-ingress-kubernetes-ioauth-cache-duration">`nginx.ingress.kubernetes.io/auth-cache-duration`</a> |                                                      |
@@ -366,62 +458,29 @@ The following annotations are organized by category for easier navigation.
 | <a id="opt-nginx-ingress-kubernetes-ioauth-keepalive-requests" href="#opt-nginx-ingress-kubernetes-ioauth-keepalive-requests" title="#opt-nginx-ingress-kubernetes-ioauth-keepalive-requests">`nginx.ingress.kubernetes.io/auth-keepalive-requests`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-keepalive-timeout" href="#opt-nginx-ingress-kubernetes-ioauth-keepalive-timeout" title="#opt-nginx-ingress-kubernetes-ioauth-keepalive-timeout">`nginx.ingress.kubernetes.io/auth-keepalive-timeout`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioauth-proxy-set-headers" href="#opt-nginx-ingress-kubernetes-ioauth-proxy-set-headers" title="#opt-nginx-ingress-kubernetes-ioauth-proxy-set-headers">`nginx.ingress.kubernetes.io/auth-proxy-set-headers`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioauth-snippet" href="#opt-nginx-ingress-kubernetes-ioauth-snippet" title="#opt-nginx-ingress-kubernetes-ioauth-snippet">`nginx.ingress.kubernetes.io/auth-snippet`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioenable-global-auth" href="#opt-nginx-ingress-kubernetes-ioenable-global-auth" title="#opt-nginx-ingress-kubernetes-ioenable-global-auth">`nginx.ingress.kubernetes.io/enable-global-auth`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary" href="#opt-nginx-ingress-kubernetes-iocanary" title="#opt-nginx-ingress-kubernetes-iocanary">`nginx.ingress.kubernetes.io/canary`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header" href="#opt-nginx-ingress-kubernetes-iocanary-by-header" title="#opt-nginx-ingress-kubernetes-iocanary-by-header">`nginx.ingress.kubernetes.io/canary-by-header`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-value" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-value" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-value">`nginx.ingress.kubernetes.io/canary-by-header-value`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" href="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern" title="#opt-nginx-ingress-kubernetes-iocanary-by-header-pattern">`nginx.ingress.kubernetes.io/canary-by-header-pattern`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-by-cookie" href="#opt-nginx-ingress-kubernetes-iocanary-by-cookie" title="#opt-nginx-ingress-kubernetes-iocanary-by-cookie">`nginx.ingress.kubernetes.io/canary-by-cookie`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-weight" href="#opt-nginx-ingress-kubernetes-iocanary-weight" title="#opt-nginx-ingress-kubernetes-iocanary-weight">`nginx.ingress.kubernetes.io/canary-weight`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocanary-weight-total" href="#opt-nginx-ingress-kubernetes-iocanary-weight-total" title="#opt-nginx-ingress-kubernetes-iocanary-weight-total">`nginx.ingress.kubernetes.io/canary-weight-total`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" href="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size" title="#opt-nginx-ingress-kubernetes-ioclient-body-buffer-size">`nginx.ingress.kubernetes.io/client-body-buffer-size`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioconfiguration-snippet" href="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet" title="#opt-nginx-ingress-kubernetes-ioconfiguration-snippet">`nginx.ingress.kubernetes.io/configuration-snippet`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iocustom-http-errors" href="#opt-nginx-ingress-kubernetes-iocustom-http-errors" title="#opt-nginx-ingress-kubernetes-iocustom-http-errors">`nginx.ingress.kubernetes.io/custom-http-errors`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iodisable-proxy-intercept-errors" href="#opt-nginx-ingress-kubernetes-iodisable-proxy-intercept-errors" title="#opt-nginx-ingress-kubernetes-iodisable-proxy-intercept-errors">`nginx.ingress.kubernetes.io/disable-proxy-intercept-errors`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iodefault-backend" href="#opt-nginx-ingress-kubernetes-iodefault-backend" title="#opt-nginx-ingress-kubernetes-iodefault-backend">`nginx.ingress.kubernetes.io/default-backend`</a> | Use `defaultBackend` in Ingress spec. |
 | <a id="opt-nginx-ingress-kubernetes-iolimit-rate-after" href="#opt-nginx-ingress-kubernetes-iolimit-rate-after" title="#opt-nginx-ingress-kubernetes-iolimit-rate-after">`nginx.ingress.kubernetes.io/limit-rate-after`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iolimit-rate" href="#opt-nginx-ingress-kubernetes-iolimit-rate" title="#opt-nginx-ingress-kubernetes-iolimit-rate">`nginx.ingress.kubernetes.io/limit-rate`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iolimit-whitelist" href="#opt-nginx-ingress-kubernetes-iolimit-whitelist" title="#opt-nginx-ingress-kubernetes-iolimit-whitelist">`nginx.ingress.kubernetes.io/limit-whitelist`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-rps" href="#opt-nginx-ingress-kubernetes-iolimit-rps" title="#opt-nginx-ingress-kubernetes-iolimit-rps">`nginx.ingress.kubernetes.io/limit-rps`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-rpm" href="#opt-nginx-ingress-kubernetes-iolimit-rpm" title="#opt-nginx-ingress-kubernetes-iolimit-rpm">`nginx.ingress.kubernetes.io/limit-rpm`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" href="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier" title="#opt-nginx-ingress-kubernetes-iolimit-burst-multiplier">`nginx.ingress.kubernetes.io/limit-burst-multiplier`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iolimit-connections" href="#opt-nginx-ingress-kubernetes-iolimit-connections" title="#opt-nginx-ingress-kubernetes-iolimit-connections">`nginx.ingress.kubernetes.io/limit-connections`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit">`nginx.ingress.kubernetes.io/global-rate-limit`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit-window" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-window" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-window">`nginx.ingress.kubernetes.io/global-rate-limit-window`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit-key" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-key" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-key">`nginx.ingress.kubernetes.io/global-rate-limit-key`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs" href="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs" title="#opt-nginx-ingress-kubernetes-ioglobal-rate-limit-ignored-cidrs">`nginx.ingress.kubernetes.io/global-rate-limit-ignored-cidrs`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect">`nginx.ingress.kubernetes.io/permanent-redirect`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iopermanent-redirect-code" href="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code" title="#opt-nginx-ingress-kubernetes-iopermanent-redirect-code">`nginx.ingress.kubernetes.io/permanent-redirect-code`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iotemporal-redirect" href="#opt-nginx-ingress-kubernetes-iotemporal-redirect" title="#opt-nginx-ingress-kubernetes-iotemporal-redirect">`nginx.ingress.kubernetes.io/temporal-redirect`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iopreserve-trailing-slash" href="#opt-nginx-ingress-kubernetes-iopreserve-trailing-slash" title="#opt-nginx-ingress-kubernetes-iopreserve-trailing-slash">`nginx.ingress.kubernetes.io/preserve-trailing-slash`</a> | Traefik preserves trailing slash by default.         |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-cookie-domain" href="#opt-nginx-ingress-kubernetes-ioproxy-cookie-domain" title="#opt-nginx-ingress-kubernetes-ioproxy-cookie-domain">`nginx.ingress.kubernetes.io/proxy-cookie-domain`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-cookie-path" href="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path" title="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path">`nginx.ingress.kubernetes.io/proxy-cookie-path`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-connect-timeout">`nginx.ingress.kubernetes.io/proxy-connect-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-send-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-send-timeout">`nginx.ingress.kubernetes.io/proxy-send-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-read-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-read-timeout">`nginx.ingress.kubernetes.io/proxy-read-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream">`nginx.ingress.kubernetes.io/proxy-next-upstream`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-timeout">`nginx.ingress.kubernetes.io/proxy-next-upstream-timeout`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" href="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries" title="#opt-nginx-ingress-kubernetes-ioproxy-next-upstream-tries">`nginx.ingress.kubernetes.io/proxy-next-upstream-tries`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-request-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-request-buffering">`nginx.ingress.kubernetes.io/proxy-request-buffering`</a> |                                                      |
+| <a id="opt-nginx-ingress-kubernetes-ioproxy-cookie-path" href="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path" title="#opt-nginx-ingress-kubernetes-ioproxy-cookie-path">`nginx.ingress.kubernetes.io/proxy-cookie-path`</a> | 
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-redirect-from" href="#opt-nginx-ingress-kubernetes-ioproxy-redirect-from" title="#opt-nginx-ingress-kubernetes-ioproxy-redirect-from">`nginx.ingress.kubernetes.io/proxy-redirect-from`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-redirect-to" href="#opt-nginx-ingress-kubernetes-ioproxy-redirect-to" title="#opt-nginx-ingress-kubernetes-ioproxy-redirect-to">`nginx.ingress.kubernetes.io/proxy-redirect-to`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-http-version" href="#opt-nginx-ingress-kubernetes-ioproxy-http-version" title="#opt-nginx-ingress-kubernetes-ioproxy-http-version">`nginx.ingress.kubernetes.io/proxy-http-version`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-ciphers" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-ciphers" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-ciphers">`nginx.ingress.kubernetes.io/proxy-ssl-ciphers`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-verify-depth" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify-depth" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-verify-depth">`nginx.ingress.kubernetes.io/proxy-ssl-verify-depth`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioproxy-ssl-protocols" href="#opt-nginx-ingress-kubernetes-ioproxy-ssl-protocols" title="#opt-nginx-ingress-kubernetes-ioproxy-ssl-protocols">`nginx.ingress.kubernetes.io/proxy-ssl-protocols`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioenable-rewrite-log" href="#opt-nginx-ingress-kubernetes-ioenable-rewrite-log" title="#opt-nginx-ingress-kubernetes-ioenable-rewrite-log">`nginx.ingress.kubernetes.io/enable-rewrite-log`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iorewrite-target" href="#opt-nginx-ingress-kubernetes-iorewrite-target" title="#opt-nginx-ingress-kubernetes-iorewrite-target">`nginx.ingress.kubernetes.io/rewrite-target`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iosatisfy" href="#opt-nginx-ingress-kubernetes-iosatisfy" title="#opt-nginx-ingress-kubernetes-iosatisfy">`nginx.ingress.kubernetes.io/satisfy`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioserver-alias" href="#opt-nginx-ingress-kubernetes-ioserver-alias" title="#opt-nginx-ingress-kubernetes-ioserver-alias">`nginx.ingress.kubernetes.io/server-alias`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioserver-snippet" href="#opt-nginx-ingress-kubernetes-ioserver-snippet" title="#opt-nginx-ingress-kubernetes-ioserver-snippet">`nginx.ingress.kubernetes.io/server-snippet`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none" href="#opt-nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none" title="#opt-nginx-ingress-kubernetes-iosession-cookie-conditional-samesite-none">`nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iosession-cookie-expires" href="#opt-nginx-ingress-kubernetes-iosession-cookie-expires" title="#opt-nginx-ingress-kubernetes-iosession-cookie-expires">`nginx.ingress.kubernetes.io/session-cookie-expires`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iosession-cookie-change-on-failure" href="#opt-nginx-ingress-kubernetes-iosession-cookie-change-on-failure" title="#opt-nginx-ingress-kubernetes-iosession-cookie-change-on-failure">`nginx.ingress.kubernetes.io/session-cookie-change-on-failure`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iossl-ciphers" href="#opt-nginx-ingress-kubernetes-iossl-ciphers" title="#opt-nginx-ingress-kubernetes-iossl-ciphers">`nginx.ingress.kubernetes.io/ssl-ciphers`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iossl-prefer-server-ciphers" href="#opt-nginx-ingress-kubernetes-iossl-prefer-server-ciphers" title="#opt-nginx-ingress-kubernetes-iossl-prefer-server-ciphers">`nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioconnection-proxy-header" href="#opt-nginx-ingress-kubernetes-ioconnection-proxy-header" title="#opt-nginx-ingress-kubernetes-ioconnection-proxy-header">`nginx.ingress.kubernetes.io/connection-proxy-header`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioenable-access-log" href="#opt-nginx-ingress-kubernetes-ioenable-access-log" title="#opt-nginx-ingress-kubernetes-ioenable-access-log">`nginx.ingress.kubernetes.io/enable-access-log`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioenable-opentracing" href="#opt-nginx-ingress-kubernetes-ioenable-opentracing" title="#opt-nginx-ingress-kubernetes-ioenable-opentracing">`nginx.ingress.kubernetes.io/enable-opentracing`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioopentracing-trust-incoming-span" href="#opt-nginx-ingress-kubernetes-ioopentracing-trust-incoming-span" title="#opt-nginx-ingress-kubernetes-ioopentracing-trust-incoming-span">`nginx.ingress.kubernetes.io/opentracing-trust-incoming-span`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-ioenable-opentelemetry" href="#opt-nginx-ingress-kubernetes-ioenable-opentelemetry" title="#opt-nginx-ingress-kubernetes-ioenable-opentelemetry">`nginx.ingress.kubernetes.io/enable-opentelemetry`</a> |                                                      |
@@ -433,15 +492,7 @@ The following annotations are organized by category for easier navigation.
 | <a id="opt-nginx-ingress-kubernetes-iomirror-request-body" href="#opt-nginx-ingress-kubernetes-iomirror-request-body" title="#opt-nginx-ingress-kubernetes-iomirror-request-body">`nginx.ingress.kubernetes.io/mirror-request-body`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iomirror-target" href="#opt-nginx-ingress-kubernetes-iomirror-target" title="#opt-nginx-ingress-kubernetes-iomirror-target">`nginx.ingress.kubernetes.io/mirror-target`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iomirror-host" href="#opt-nginx-ingress-kubernetes-iomirror-host" title="#opt-nginx-ingress-kubernetes-iomirror-host">`nginx.ingress.kubernetes.io/mirror-host`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iox-forwarded-prefix" href="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix" title="#opt-nginx-ingress-kubernetes-iox-forwarded-prefix">`nginx.ingress.kubernetes.io/x-forwarded-prefix`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioupstream-hash-by" href="#opt-nginx-ingress-kubernetes-ioupstream-hash-by" title="#opt-nginx-ingress-kubernetes-ioupstream-hash-by">`nginx.ingress.kubernetes.io/upstream-hash-by`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioupstream-vhost" href="#opt-nginx-ingress-kubernetes-ioupstream-vhost" title="#opt-nginx-ingress-kubernetes-ioupstream-vhost">`nginx.ingress.kubernetes.io/upstream-vhost`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iodenylist-source-range" href="#opt-nginx-ingress-kubernetes-iodenylist-source-range" title="#opt-nginx-ingress-kubernetes-iodenylist-source-range">`nginx.ingress.kubernetes.io/denylist-source-range`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-iowhitelist-source-range" href="#opt-nginx-ingress-kubernetes-iowhitelist-source-range" title="#opt-nginx-ingress-kubernetes-iowhitelist-source-range">`nginx.ingress.kubernetes.io/whitelist-source-range`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffering" href="#opt-nginx-ingress-kubernetes-ioproxy-buffering" title="#opt-nginx-ingress-kubernetes-ioproxy-buffering">`nginx.ingress.kubernetes.io/proxy-buffering`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffers-number" href="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number" title="#opt-nginx-ingress-kubernetes-ioproxy-buffers-number">`nginx.ingress.kubernetes.io/proxy-buffers-number`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-buffer-size" href="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size" title="#opt-nginx-ingress-kubernetes-ioproxy-buffer-size">`nginx.ingress.kubernetes.io/proxy-buffer-size`</a> |                                                      |
-| <a id="opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" href="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size" title="#opt-nginx-ingress-kubernetes-ioproxy-max-temp-file-size">`nginx.ingress.kubernetes.io/proxy-max-temp-file-size`</a> |                                                      |
 | <a id="opt-nginx-ingress-kubernetes-iostream-snippet" href="#opt-nginx-ingress-kubernetes-iostream-snippet" title="#opt-nginx-ingress-kubernetes-iostream-snippet">`nginx.ingress.kubernetes.io/stream-snippet`</a> |                                                      |

 ### Global Configuration
@@ -85,6 +85,14 @@ spec:
 | <a id="opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage" href="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage" title="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-maxage">`traefik.ingress.kubernetes.io/service.sticky.cookie.maxage`</a> | Sets the Max-Age attribute (in seconds) on the sticky session cookie.<br/>See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `42` |
 | <a id="opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path" href="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path" title="#opt-traefik-ingress-kubernetes-ioservice-sticky-cookie-path">`traefik.ingress.kubernetes.io/service.sticky.cookie.path`</a> | Sets the Path attribute on the sticky session cookie, defining the path that must exist in the requested URL.<br/>See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `/foobar` |

+??? info "`traefik.ingress.kubernetes.io/service.middlewares`"
+
+    See [service middlewares](../http/load-balancing/service.md#middlewares) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.middlewares: auth@file,prefix@kubernetescrd
+    ```
+
 ## TLS

 ### Enabling TLS via HTTP Options on Entrypoint
@@ -231,7 +239,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
          serviceAccountName: traefik-ingress-controller
          containers:
            - name: traefik
-              image: traefik:v3.6
+              image: traefik:v3.7
              args:
                - --entryPoints.websecure.address=:443
                - --entryPoints.websecure.http.tls
@@ -8,7 +8,7 @@ description: "The Knative provider can be used for routing and load balancing in
 When using the Knative provider, Traefik leverages Knative's Custom Resource Definitions (CRDs) to obtain its routing configuration. 
 For detailed information on Knative concepts and resources, refer to the official [documentation](https://knative.dev/docs/).

-The Knative provider supports version [v1.19.0](https://github.com/knative/serving/releases/tag/knative-v1.19.0) of the specification.
+The Knative provider supports versions [v1.19.0](https://github.com/knative/serving/releases/tag/knative-v1.19.0) and [v1.20.0](https://github.com/knative/serving/releases/tag/knative-v1.20.0) of the specification.

 ## Deploying a Knative Service

@@ -1,26 +1,454 @@
 ---
-title: "Traefik File Dynamic Configuration"
-description: "This guide will provide you with the YAML and TOML files for dynamic configuration in Traefik Proxy. Read the technical documentation."
+title: "Traefik File Routing Configuration"
+description: "This guide will provide you with the reference for file-based routing configuration in Traefik Proxy. Read the technical documentation."
 ---

+# Traefik File Routing Configuration

-# Traefik and Configuration Files
+The file provider lets you define routing configuration in YAML or TOML.
+Use it to declare routers, services, middlewares, TCP and UDP routing, and TLS options that Traefik should load from a file or a directory.

-!!! warning "Work In Progress"
+To configure the file provider itself, see the [File provider install configuration](../../install-configuration/providers/others/file.md) page.

-    This page is still work in progress to provide a better documention of the routing options.
+## Configuration Examples

-    It has been created to provide a centralized page with all the option in YAML and TOML format.
+??? example "Configuring the File Provider and Exposing One HTTP Service"
+
+    Enabling the file provider:
+
+    ```yaml tab="Structured (YAML)"
+    providers:
+      file:
+        filename: /etc/traefik/dynamic.yml
+    ```
+
+    ```toml tab="Structured (TOML)"
+    [providers.file]
+      filename = "/etc/traefik/dynamic.toml"
+    ```
+
+    ```bash tab="CLI"
+    --providers.file.filename=/etc/traefik/dynamic.yml
+    ```
+
+    Declaring the dynamic HTTP configuration:
+
+    ```yaml tab="Structured (YAML)"
+    http:
+      routers:
+        app:
+          rule: Host(`example.com`)
+          entryPoints:
+            - websecure
+          service: app
+          tls: {}
+
+      services:
+        app:
+          loadBalancer:
+            servers:
+              - url: http://127.0.0.1:8080
+    ```
+
+    ```toml tab="Structured (TOML)"
+    [http.routers.app]
+      rule = "Host(`example.com`)"
+      entryPoints = ["websecure"]
+      service = "app"
+
+      [http.routers.app.tls]
+
+    [http.services.app.loadBalancer]
+      [[http.services.app.loadBalancer.servers]]
+        url = "http://127.0.0.1:8080"
+    ```
+
+??? example "Specifying More Than One Router and Service"
+
+    Define each router and explicitly attach it to the service that should handle matching requests.
+
+    ```yaml tab="Structured (YAML)"
+    http:
+      routers:
+        app:
+          rule: Host(`example-a.com`)
+          service: app
+        admin:
+          rule: Host(`example-b.com`)
+          service: admin
+
+      services:
+        app:
+          loadBalancer:
+            servers:
+              - url: http://127.0.0.1:8000
+        admin:
+          loadBalancer:
+            servers:
+              - url: http://127.0.0.1:9000
+    ```
+
+    ```toml tab="Structured (TOML)"
+    [http.routers.app]
+      rule = "Host(`example-a.com`)"
+      service = "app"
+
+    [http.routers.admin]
+      rule = "Host(`example-b.com`)"
+      service = "admin"
+
+    [http.services.app.loadBalancer]
+      [[http.services.app.loadBalancer.servers]]
+        url = "http://127.0.0.1:8000"
+
+    [http.services.admin.loadBalancer]
+      [[http.services.admin.loadBalancer.servers]]
+        url = "http://127.0.0.1:9000"
+    ```
+
+??? example "Declaring and Referencing Middlewares"
+
+    Middlewares declared by the file provider can be used by routers from the file provider or by routers from other providers.
+    When another provider references them, use the `@file` provider suffix.
+
+    ```yaml tab="Structured (YAML)"
+    http:
+      routers:
+        app:
+          rule: Host(`secure.example.com`)
+          entryPoints:
+            - websecure
+          middlewares:
+            - secure-headers
+          service: app
+          tls:
+            options: modern
+
+      middlewares:
+        secure-headers:
+          headers:
+            stsSeconds: 31536000
+            forceSTSHeader: true
+
+      services:
+        app:
+          loadBalancer:
+            servers:
+              - url: http://127.0.0.1:8080
+
+    tls:
+      options:
+        modern:
+          minVersion: VersionTLS12
+          sniStrict: true
+    ```
+
+    ```toml tab="Structured (TOML)"
+    [http.routers.app]
+      rule = "Host(`secure.example.com`)"
+      entryPoints = ["websecure"]
+      middlewares = ["secure-headers"]
+      service = "app"
+
+      [http.routers.app.tls]
+        options = "modern"
+
+    [http.middlewares.secure-headers.headers]
+      stsSeconds = 31536000
+      forceSTSHeader = true
+
+    [http.services.app.loadBalancer]
+      [[http.services.app.loadBalancer.servers]]
+        url = "http://127.0.0.1:8080"
+
+    [tls.options.modern]
+      minVersion = "VersionTLS12"
+      sniStrict = true
+    ```
+
+??? example "Loading Multiple Dynamic Configuration Files"
+
+    Configure the file provider with a directory when you want to split dynamic configuration across multiple files.
+
+    ```yaml tab="Structured (YAML)"
+    providers:
+      file:
+        directory: /etc/traefik/dynamic
+        watch: true
+    ```
+
+    ```toml tab="Structured (TOML)"
+    [providers.file]
+      directory = "/etc/traefik/dynamic"
+      watch = true
+    ```
+
+    ```bash tab="CLI"
+    --providers.file.directory=/etc/traefik/dynamic
+    --providers.file.watch=true
+    ```
+
+    Example `/etc/traefik/dynamic/http.yml`:
+
+    ```yaml
+    http:
+      routers:
+        app:
+          rule: Host(`example.com`)
+          service: app
+
+      services:
+        app:
+          loadBalancer:
+            servers:
+              - url: http://127.0.0.1:8080
+    ```
+
+    Example `/etc/traefik/dynamic/tls.yml`:
+
+    ```yaml
+    tls:
+      certificates:
+        - certFile: /certs/example.crt
+          keyFile: /certs/example.key
+    ```

 ## Configuration Options

-```yml  tab="YAML"
--8<-- "content/reference/routing-configuration/other-providers/file.yaml"
-```
+### General

-```toml  tab="TOML"
--8<-- "content/reference/routing-configuration/other-providers/file.toml"
-```
+The file provider does not discover services automatically.
+Define every router, service, middleware, and TLS resource explicitly in the routing configuration file.
+
+When another provider references a resource declared by the file provider, append the `@file` provider suffix.
+For example, a Docker label can reference a file-provider middleware with `secure-headers@file`.
+
+The examples below use YAML-style field paths.
+In TOML, use the equivalent table and array syntax, such as `[http.routers.<router_name>]` and `[[http.services.<service_name>.loadBalancer.servers]]`.
+
+### HTTP
+
+#### Routers
+
+Define HTTP routers under `http.routers.<router_name>`.
+
+!!! warning "The character `@` is not authorized in the router name `<router_name>`."
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-http-routers-router-name-rule" href="#opt-http-routers-router-name-rule" title="#opt-http-routers-router-name-rule">`http.routers.<router_name>.rule`</a> | See [rule](../http/routing/rules-and-priority.md#rules) for more information. | ```Host(`example.com`)``` |
+| <a id="opt-http-routers-router-name-ruleSyntax" href="#opt-http-routers-router-name-ruleSyntax" title="#opt-http-routers-router-name-ruleSyntax">`http.routers.<router_name>.ruleSyntax`</a> | See [ruleSyntax](../http/routing/rules-and-priority.md#rulesyntax) for more information.<br/>RuleSyntax is deprecated and will be removed in the next major version. | `v3` |
+| <a id="opt-http-routers-router-name-entryPointsn" href="#opt-http-routers-router-name-entryPointsn" title="#opt-http-routers-router-name-entryPointsn">`http.routers.<router_name>.entryPoints[n]`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `websecure` |
+| <a id="opt-http-routers-router-name-middlewaresn" href="#opt-http-routers-router-name-middlewaresn" title="#opt-http-routers-router-name-middlewaresn">`http.routers.<router_name>.middlewares[n]`</a> | See [middlewares overview](../http/middlewares/overview.md) for more information. | `secure-headers` |
+| <a id="opt-http-routers-router-name-service" href="#opt-http-routers-router-name-service" title="#opt-http-routers-router-name-service">`http.routers.<router_name>.service`</a> | See [service](../http/load-balancing/service.md) for more information. | `app` |
+| <a id="opt-http-routers-router-name-parentRefsn" href="#opt-http-routers-router-name-parentRefsn" title="#opt-http-routers-router-name-parentRefsn">`http.routers.<router_name>.parentRefs[n]`</a> | See [multi-layer routing](../http/routing/multi-layer-routing.md) for more information. | `parent-router@file` |
+| <a id="opt-http-routers-router-name-tls" href="#opt-http-routers-router-name-tls" title="#opt-http-routers-router-name-tls">`http.routers.<router_name>.tls`</a> | See [TLS](../http/tls/overview.md) for more information. | `{}` |
+| <a id="opt-http-routers-router-name-tls-certResolver" href="#opt-http-routers-router-name-tls-certResolver" title="#opt-http-routers-router-name-tls-certResolver">`http.routers.<router_name>.tls.certResolver`</a> | See [certResolver](../../install-configuration/tls/certificate-resolvers/overview.md) for more information. | `myresolver` |
+| <a id="opt-http-routers-router-name-tls-domainsn-main" href="#opt-http-routers-router-name-tls-domainsn-main" title="#opt-http-routers-router-name-tls-domainsn-main">`http.routers.<router_name>.tls.domains[n].main`</a> | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `example.org` |
+| <a id="opt-http-routers-router-name-tls-domainsn-sansn" href="#opt-http-routers-router-name-tls-domainsn-sansn" title="#opt-http-routers-router-name-tls-domainsn-sansn">`http.routers.<router_name>.tls.domains[n].sans[n]`</a> | See [domains](../../install-configuration/tls/certificate-resolvers/acme.md#domain-definition) for more information. | `www.example.org` |
+| <a id="opt-http-routers-router-name-tls-options" href="#opt-http-routers-router-name-tls-options" title="#opt-http-routers-router-name-tls-options">`http.routers.<router_name>.tls.options`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `modern` |
+| <a id="opt-http-routers-router-name-observability-accessLogs" href="#opt-http-routers-router-name-observability-accessLogs" title="#opt-http-routers-router-name-observability-accessLogs">`http.routers.<router_name>.observability.accessLogs`</a> | Enables or disables access logs for the router. | `true` |
+| <a id="opt-http-routers-router-name-observability-metrics" href="#opt-http-routers-router-name-observability-metrics" title="#opt-http-routers-router-name-observability-metrics">`http.routers.<router_name>.observability.metrics`</a> | Enables or disables metrics for the router. | `true` |
+| <a id="opt-http-routers-router-name-observability-tracing" href="#opt-http-routers-router-name-observability-tracing" title="#opt-http-routers-router-name-observability-tracing">`http.routers.<router_name>.observability.tracing`</a> | Enables or disables tracing for the router. | `true` |
+| <a id="opt-http-routers-router-name-observability-traceVerbosity" href="#opt-http-routers-router-name-observability-traceVerbosity" title="#opt-http-routers-router-name-observability-traceVerbosity">`http.routers.<router_name>.observability.traceVerbosity`</a> | See [trace verbosity](../http/routing/observability.md#opt-traceVerbosity) for more information. | `minimal` |
+| <a id="opt-http-routers-router-name-priority" href="#opt-http-routers-router-name-priority" title="#opt-http-routers-router-name-priority">`http.routers.<router_name>.priority`</a> | See [priority](../http/routing/rules-and-priority.md#priority-calculation) for more information. | `42` |
+
+#### Services
+
+Define HTTP services under `http.services.<service_name>`.
+
+!!! warning "The character `@` is not authorized in the service name `<service_name>`."
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-http-services-service-name-loadBalancer-serversn-url" href="#opt-http-services-service-name-loadBalancer-serversn-url" title="#opt-http-services-service-name-loadBalancer-serversn-url">`http.services.<service_name>.loadBalancer.servers[n].url`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `http://127.0.0.1:8080` |
+| <a id="opt-http-services-service-name-loadBalancer-serversn-weight" href="#opt-http-services-service-name-loadBalancer-serversn-weight" title="#opt-http-services-service-name-loadBalancer-serversn-weight">`http.services.<service_name>.loadBalancer.servers[n].weight`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `1` |
+| <a id="opt-http-services-service-name-loadBalancer-serversn-preservePath" href="#opt-http-services-service-name-loadBalancer-serversn-preservePath" title="#opt-http-services-service-name-loadBalancer-serversn-preservePath">`http.services.<service_name>.loadBalancer.servers[n].preservePath`</a> | See [servers](../http/load-balancing/service.md#servers) for more information. | `true` |
+| <a id="opt-http-services-service-name-loadBalancer-strategy" href="#opt-http-services-service-name-loadBalancer-strategy" title="#opt-http-services-service-name-loadBalancer-strategy">`http.services.<service_name>.loadBalancer.strategy`</a> | See [load balancing strategies](../http/load-balancing/service.md#load-balancing-strategies) for more information. | `wrr` |
+| <a id="opt-http-services-service-name-loadBalancer-passHostHeader" href="#opt-http-services-service-name-loadBalancer-passHostHeader" title="#opt-http-services-service-name-loadBalancer-passHostHeader">`http.services.<service_name>.loadBalancer.passHostHeader`</a> | See [service load balancer](../http/load-balancing/service.md) for more information. | `true` |
+| <a id="opt-http-services-service-name-loadBalancer-healthCheck" href="#opt-http-services-service-name-loadBalancer-healthCheck" title="#opt-http-services-service-name-loadBalancer-healthCheck">`http.services.<service_name>.loadBalancer.healthCheck.*`</a> | See [health check](../http/load-balancing/service.md#health-check) for more information. | `path: /health` |
+| <a id="opt-http-services-service-name-loadBalancer-passiveHealthCheck" href="#opt-http-services-service-name-loadBalancer-passiveHealthCheck" title="#opt-http-services-service-name-loadBalancer-passiveHealthCheck">`http.services.<service_name>.loadBalancer.passiveHealthCheck.*`</a> | See [passive health check](../http/load-balancing/service.md#passive-health-check) for more information. | `maxFailedAttempts: 3` |
+| <a id="opt-http-services-service-name-loadBalancer-sticky-cookie" href="#opt-http-services-service-name-loadBalancer-sticky-cookie" title="#opt-http-services-service-name-loadBalancer-sticky-cookie">`http.services.<service_name>.loadBalancer.sticky.cookie.*`</a> | See [sticky sessions](../http/load-balancing/service.md#sticky-sessions) for more information. | `name: app-cookie` |
+| <a id="opt-http-services-service-name-loadBalancer-responseForwarding-flushInterval" href="#opt-http-services-service-name-loadBalancer-responseForwarding-flushInterval" title="#opt-http-services-service-name-loadBalancer-responseForwarding-flushInterval">`http.services.<service_name>.loadBalancer.responseForwarding.flushInterval`</a> | See [service load balancer](../http/load-balancing/service.md) for more information. | `100ms` |
+| <a id="opt-http-services-service-name-loadBalancer-serversTransport" href="#opt-http-services-service-name-loadBalancer-serversTransport" title="#opt-http-services-service-name-loadBalancer-serversTransport">`http.services.<service_name>.loadBalancer.serversTransport`</a> | See [ServersTransport](../http/load-balancing/serverstransport.md) for more information. | `secure-transport` |
+| <a id="opt-http-services-service-name-weighted-servicesn-name" href="#opt-http-services-service-name-weighted-servicesn-name" title="#opt-http-services-service-name-weighted-servicesn-name">`http.services.<service_name>.weighted.services[n].name`</a> | See [weighted round robin](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `app-v1` |
+| <a id="opt-http-services-service-name-weighted-servicesn-weight" href="#opt-http-services-service-name-weighted-servicesn-weight" title="#opt-http-services-service-name-weighted-servicesn-weight">`http.services.<service_name>.weighted.services[n].weight`</a> | See [weighted round robin](../http/load-balancing/service.md#weighted-round-robin-wrr) for more information. | `3` |
+| <a id="opt-http-services-service-name-weighted-sticky-cookie" href="#opt-http-services-service-name-weighted-sticky-cookie" title="#opt-http-services-service-name-weighted-sticky-cookie">`http.services.<service_name>.weighted.sticky.cookie.*`</a> | See [sticky sessions](../http/load-balancing/service.md#sticky-sessions) for more information. | `name: app-cookie` |
+| <a id="opt-http-services-service-name-weighted-healthCheck" href="#opt-http-services-service-name-weighted-healthCheck" title="#opt-http-services-service-name-weighted-healthCheck">`http.services.<service_name>.weighted.healthCheck`</a> | See [weighted service health check](../http/load-balancing/service.md#health-check) for more information. | `{}` |
+| <a id="opt-http-services-service-name-highestRandomWeight-servicesn-name" href="#opt-http-services-service-name-highestRandomWeight-servicesn-name" title="#opt-http-services-service-name-highestRandomWeight-servicesn-name">`http.services.<service_name>.highestRandomWeight.services[n].name`</a> | See [highest random weight](../http/load-balancing/service.md#highest-random-weight) for more information. | `app-v1` |
+| <a id="opt-http-services-service-name-highestRandomWeight-servicesn-weight" href="#opt-http-services-service-name-highestRandomWeight-servicesn-weight" title="#opt-http-services-service-name-highestRandomWeight-servicesn-weight">`http.services.<service_name>.highestRandomWeight.services[n].weight`</a> | See [highest random weight](../http/load-balancing/service.md#highest-random-weight) for more information. | `3` |
+| <a id="opt-http-services-service-name-highestRandomWeight-healthCheck" href="#opt-http-services-service-name-highestRandomWeight-healthCheck" title="#opt-http-services-service-name-highestRandomWeight-healthCheck">`http.services.<service_name>.highestRandomWeight.healthCheck`</a> | See [highest random weight](../http/load-balancing/service.md#highest-random-weight) for more information. | `{}` |
+| <a id="opt-http-services-service-name-mirroring-service" href="#opt-http-services-service-name-mirroring-service" title="#opt-http-services-service-name-mirroring-service">`http.services.<service_name>.mirroring.service`</a> | See [mirroring](../http/load-balancing/service.md#mirroring) for more information. | `app-main` |
+| <a id="opt-http-services-service-name-mirroring-mirrorBody" href="#opt-http-services-service-name-mirroring-mirrorBody" title="#opt-http-services-service-name-mirroring-mirrorBody">`http.services.<service_name>.mirroring.mirrorBody`</a> | See [mirroring](../http/load-balancing/service.md#mirroring) for more information. | `true` |
+| <a id="opt-http-services-service-name-mirroring-maxBodySize" href="#opt-http-services-service-name-mirroring-maxBodySize" title="#opt-http-services-service-name-mirroring-maxBodySize">`http.services.<service_name>.mirroring.maxBodySize`</a> | See [mirroring](../http/load-balancing/service.md#mirroring) for more information. | `1048576` |
+| <a id="opt-http-services-service-name-mirroring-mirrorsn-name" href="#opt-http-services-service-name-mirroring-mirrorsn-name" title="#opt-http-services-service-name-mirroring-mirrorsn-name">`http.services.<service_name>.mirroring.mirrors[n].name`</a> | See [mirroring](../http/load-balancing/service.md#mirroring) for more information. | `app-shadow` |
+| <a id="opt-http-services-service-name-mirroring-mirrorsn-percent" href="#opt-http-services-service-name-mirroring-mirrorsn-percent" title="#opt-http-services-service-name-mirroring-mirrorsn-percent">`http.services.<service_name>.mirroring.mirrors[n].percent`</a> | See [mirroring](../http/load-balancing/service.md#mirroring) for more information. | `10` |
+| <a id="opt-http-services-service-name-mirroring-healthCheck" href="#opt-http-services-service-name-mirroring-healthCheck" title="#opt-http-services-service-name-mirroring-healthCheck">`http.services.<service_name>.mirroring.healthCheck`</a> | See [mirroring](../http/load-balancing/service.md#mirroring) for more information. | `{}` |
+| <a id="opt-http-services-service-name-failover-service" href="#opt-http-services-service-name-failover-service" title="#opt-http-services-service-name-failover-service">`http.services.<service_name>.failover.service`</a> | See [failover](../http/load-balancing/service.md#failover) for more information. | `app-main` |
+| <a id="opt-http-services-service-name-failover-fallback" href="#opt-http-services-service-name-failover-fallback" title="#opt-http-services-service-name-failover-fallback">`http.services.<service_name>.failover.fallback`</a> | See [failover](../http/load-balancing/service.md#failover) for more information. | `app-backup` |
+| <a id="opt-http-services-service-name-failover-healthCheck" href="#opt-http-services-service-name-failover-healthCheck" title="#opt-http-services-service-name-failover-healthCheck">`http.services.<service_name>.failover.healthCheck`</a> | See [failover](../http/load-balancing/service.md#failover) for more information. | `{}` |
+| <a id="opt-http-services-service-name-failover-errors-maxRequestBodyBytes" href="#opt-http-services-service-name-failover-errors-maxRequestBodyBytes" title="#opt-http-services-service-name-failover-errors-maxRequestBodyBytes">`http.services.<service_name>.failover.errors.maxRequestBodyBytes`</a> | See [failover errors](../http/load-balancing/service.md#errors) for more information. | `1048576` |
+| <a id="opt-http-services-service-name-failover-errors-statusn" href="#opt-http-services-service-name-failover-errors-statusn" title="#opt-http-services-service-name-failover-errors-statusn">`http.services.<service_name>.failover.errors.status[n]`</a> | See [failover errors](../http/load-balancing/service.md#errors) for more information. | `500-599` |
+| <a id="opt-http-services-service-name-middlewaresn" href="#opt-http-services-service-name-middlewaresn" title="#opt-http-services-service-name-middlewaresn">`http.services.<service_name>.middlewares[n]`</a> | Adds middlewares to the service. | `service-ratelimit` |
+
+#### Middlewares
+
+Define HTTP middlewares under `http.middlewares.<middleware_name>`.
+
+For example, to declare an [`AddPrefix`](../http/middlewares/addprefix.md) middleware named `add-api`, set `http.middlewares.add-api.addPrefix.prefix=/api`.
+
+More information about available middlewares can be found in the dedicated [middlewares section](../http/middlewares/overview.md).
+
+!!! warning "The character `@` is not authorized in the middleware name `<middleware_name>`."
+
+!!! warning "Conflicts in Declaration"
+
+    If you declare multiple middlewares with the same name but different parameters, the middleware fails to be declared.
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-http-middlewares-middleware-name-middleware-type-middleware-option" href="#opt-http-middlewares-middleware-name-middleware-type-middleware-option" title="#opt-http-middlewares-middleware-name-middleware-type-middleware-option">`http.middlewares.<middleware_name>.<middleware_type>.<middleware_option>`</a> | With `middleware_type` the middleware type, such as `addPrefix` or `headers`, and `middleware_option` the option to set. | `prefix: /api` |
+
+#### ServersTransports
+
+Define HTTP ServersTransports under `http.serversTransports.<servers_transport_name>`.
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-http-serversTransports-servers-transport-name" href="#opt-http-serversTransports-servers-transport-name" title="#opt-http-serversTransports-servers-transport-name">`http.serversTransports.<servers_transport_name>.*`</a> | See [ServersTransport](../http/load-balancing/serverstransport.md) for more information. | `serverName: example.org` |
+
+### TCP
+
+You can declare TCP routers, services, middlewares, and ServersTransports with the file provider.
+
+#### TCP Routers
+
+Define TCP routers under `tcp.routers.<router_name>`.
+
+!!! warning "The character `@` is not authorized in the router name `<router_name>`."
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-tcp-routers-router-name-entryPointsn" href="#opt-tcp-routers-router-name-entryPointsn" title="#opt-tcp-routers-router-name-entryPointsn">`tcp.routers.<router_name>.entryPoints[n]`</a> | See [entry points](../../install-configuration/entrypoints.md) for more information. | `websecure` |
+| <a id="opt-tcp-routers-router-name-rule" href="#opt-tcp-routers-router-name-rule" title="#opt-tcp-routers-router-name-rule">`tcp.routers.<router_name>.rule`</a> | See [rule](../tcp/routing/rules-and-priority.md#rules) for more information. | ```HostSNI(`example.com`)``` |
+| <a id="opt-tcp-routers-router-name-ruleSyntax" href="#opt-tcp-routers-router-name-ruleSyntax" title="#opt-tcp-routers-router-name-ruleSyntax">`tcp.routers.<router_name>.ruleSyntax`</a> | Configures the rule syntax to use for parsing the rule on a per-router basis.<br/>RuleSyntax is deprecated and will be removed in the next major version. | `v3` |
+| <a id="opt-tcp-routers-router-name-middlewaresn" href="#opt-tcp-routers-router-name-middlewaresn" title="#opt-tcp-routers-router-name-middlewaresn">`tcp.routers.<router_name>.middlewares[n]`</a> | See [TCP middlewares overview](../tcp/middlewares/overview.md) for more information. | `ip-allowlist` |
+| <a id="opt-tcp-routers-router-name-service" href="#opt-tcp-routers-router-name-service" title="#opt-tcp-routers-router-name-service">`tcp.routers.<router_name>.service`</a> | See [service](../tcp/service.md) for more information. | `tcp-app` |
+| <a id="opt-tcp-routers-router-name-tls" href="#opt-tcp-routers-router-name-tls" title="#opt-tcp-routers-router-name-tls">`tcp.routers.<router_name>.tls`</a> | See [TLS](../tcp/tls.md) for more information. | `{}` |
+| <a id="opt-tcp-routers-router-name-tls-certResolver" href="#opt-tcp-routers-router-name-tls-certResolver" title="#opt-tcp-routers-router-name-tls-certResolver">`tcp.routers.<router_name>.tls.certResolver`</a> | See [certResolver](../tcp/tls.md#configuration-options) for more information. | `myresolver` |
+| <a id="opt-tcp-routers-router-name-tls-domainsn-main" href="#opt-tcp-routers-router-name-tls-domainsn-main" title="#opt-tcp-routers-router-name-tls-domainsn-main">`tcp.routers.<router_name>.tls.domains[n].main`</a> | See [TLS](../tcp/tls.md) for more information. | `example.org` |
+| <a id="opt-tcp-routers-router-name-tls-domainsn-sansn" href="#opt-tcp-routers-router-name-tls-domainsn-sansn" title="#opt-tcp-routers-router-name-tls-domainsn-sansn">`tcp.routers.<router_name>.tls.domains[n].sans[n]`</a> | See [TLS](../tcp/tls.md) for more information. | `www.example.org` |
+| <a id="opt-tcp-routers-router-name-tls-options" href="#opt-tcp-routers-router-name-tls-options" title="#opt-tcp-routers-router-name-tls-options">`tcp.routers.<router_name>.tls.options`</a> | See [TLS](../tcp/tls.md) for more information. | `modern` |
+| <a id="opt-tcp-routers-router-name-tls-passthrough" href="#opt-tcp-routers-router-name-tls-passthrough" title="#opt-tcp-routers-router-name-tls-passthrough">`tcp.routers.<router_name>.tls.passthrough`</a> | See [Passthrough](../tcp/tls.md#opt-passthrough) for more information. | `true` |
+| <a id="opt-tcp-routers-router-name-priority" href="#opt-tcp-routers-router-name-priority" title="#opt-tcp-routers-router-name-priority">`tcp.routers.<router_name>.priority`</a> | See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information. | `42` |
+
+#### TCP Services
+
+Define TCP services under `tcp.services.<service_name>`.
+
+!!! warning "The character `@` is not authorized in the service name `<service_name>`."
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-tcp-services-service-name-loadBalancer-serversn-address" href="#opt-tcp-services-service-name-loadBalancer-serversn-address" title="#opt-tcp-services-service-name-loadBalancer-serversn-address">`tcp.services.<service_name>.loadBalancer.servers[n].address`</a> | See [servers load balancer](../tcp/service.md#servers-load-balancer) for more information. | `127.0.0.1:9000` |
+| <a id="opt-tcp-services-service-name-loadBalancer-serversn-tls" href="#opt-tcp-services-service-name-loadBalancer-serversn-tls" title="#opt-tcp-services-service-name-loadBalancer-serversn-tls">`tcp.services.<service_name>.loadBalancer.servers[n].tls`</a> | Determines whether to use TLS when dialing the backend server. | `true` |
+| <a id="opt-tcp-services-service-name-loadBalancer-serversTransport" href="#opt-tcp-services-service-name-loadBalancer-serversTransport" title="#opt-tcp-services-service-name-loadBalancer-serversTransport">`tcp.services.<service_name>.loadBalancer.serversTransport`</a> | See [TCP ServersTransport](../tcp/serverstransport.md) for more information. | `secure-tcp` |
+| <a id="opt-tcp-services-service-name-loadBalancer-proxyProtocol-version" href="#opt-tcp-services-service-name-loadBalancer-proxyProtocol-version" title="#opt-tcp-services-service-name-loadBalancer-proxyProtocol-version">`tcp.services.<service_name>.loadBalancer.proxyProtocol.version`</a> | Enables Proxy Protocol for backend connections. | `2` |
+| <a id="opt-tcp-services-service-name-loadBalancer-terminationDelay" href="#opt-tcp-services-service-name-loadBalancer-terminationDelay" title="#opt-tcp-services-service-name-loadBalancer-terminationDelay">`tcp.services.<service_name>.loadBalancer.terminationDelay`</a> | Defines the delay before terminating connections. | `100` |
+| <a id="opt-tcp-services-service-name-loadBalancer-healthCheck" href="#opt-tcp-services-service-name-loadBalancer-healthCheck" title="#opt-tcp-services-service-name-loadBalancer-healthCheck">`tcp.services.<service_name>.loadBalancer.healthCheck.*`</a> | See [TCP service health check](../tcp/service.md#health-check) for more information. | `interval: 10s` |
+| <a id="opt-tcp-services-service-name-weighted-servicesn-name" href="#opt-tcp-services-service-name-weighted-servicesn-name" title="#opt-tcp-services-service-name-weighted-servicesn-name">`tcp.services.<service_name>.weighted.services[n].name`</a> | See [weighted round robin](../tcp/service.md#weighted-round-robin) for more information. | `tcp-v1` |
+| <a id="opt-tcp-services-service-name-weighted-servicesn-weight" href="#opt-tcp-services-service-name-weighted-servicesn-weight" title="#opt-tcp-services-service-name-weighted-servicesn-weight">`tcp.services.<service_name>.weighted.services[n].weight`</a> | See [weighted round robin](../tcp/service.md#weighted-round-robin) for more information. | `3` |
+| <a id="opt-tcp-services-service-name-weighted-healthCheck" href="#opt-tcp-services-service-name-weighted-healthCheck" title="#opt-tcp-services-service-name-weighted-healthCheck">`tcp.services.<service_name>.weighted.healthCheck`</a> | See [weighted round robin](../tcp/service.md#weighted-round-robin) for more information. | `{}` |
+
+#### TCP Middlewares
+
+Define TCP middlewares under `tcp.middlewares.<middleware_name>`.
+
+For example, to declare an [`InFlightConn`](../tcp/middlewares/inflightconn.md) middleware named `limit`, set `tcp.middlewares.limit.inFlightConn.amount=10`.
+
+More information about available middlewares is available in the dedicated [TCP middlewares section](../tcp/middlewares/overview.md).
+
+!!! warning "The character `@` is not authorized in the middleware name `<middleware_name>`."
+
+!!! warning "Conflicts in Declaration"
+
+    If you declare multiple middlewares with the same name but different parameters, the middleware fails to be declared.
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-tcp-middlewares-middleware-name-middleware-type-middleware-option" href="#opt-tcp-middlewares-middleware-name-middleware-type-middleware-option" title="#opt-tcp-middlewares-middleware-name-middleware-type-middleware-option">`tcp.middlewares.<middleware_name>.<middleware_type>.<middleware_option>`</a> | With `middleware_type` the middleware type, such as `inFlightConn`, and `middleware_option` the option to set. | `amount: 10` |
+
+#### TCP ServersTransports
+
+Define TCP ServersTransports under `tcp.serversTransports.<servers_transport_name>`.
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-tcp-serversTransports-servers-transport-name" href="#opt-tcp-serversTransports-servers-transport-name" title="#opt-tcp-serversTransports-servers-transport-name">`tcp.serversTransports.<servers_transport_name>.*`</a> | See [TCP ServersTransport](../tcp/serverstransport.md) for more information. | `dialTimeout: 30s` |
+
+### UDP
+
+You can declare UDP routers and services with the file provider.
+
+#### UDP Routers
+
+Define UDP routers under `udp.routers.<router_name>`.
+
+!!! warning "The character `@` is not authorized in the router name `<router_name>`."
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-udp-routers-router-name-entryPointsn" href="#opt-udp-routers-router-name-entryPointsn" title="#opt-udp-routers-router-name-entryPointsn">`udp.routers.<router_name>.entryPoints[n]`</a> | See [UDP router entrypoints](../udp/routing/rules-priority.md#entrypoints) for more information. | `dns` |
+| <a id="opt-udp-routers-router-name-service" href="#opt-udp-routers-router-name-service" title="#opt-udp-routers-router-name-service">`udp.routers.<router_name>.service`</a> | See [UDP router configuration](../udp/routing/rules-priority.md#configuration-example) for more information. | `dns-service` |
+
+#### UDP Services
+
+Define UDP services under `udp.services.<service_name>`.
+
+!!! warning "The character `@` is not authorized in the service name `<service_name>`."
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-udp-services-service-name-loadBalancer-serversn-address" href="#opt-udp-services-service-name-loadBalancer-serversn-address" title="#opt-udp-services-service-name-loadBalancer-serversn-address">`udp.services.<service_name>.loadBalancer.servers[n].address`</a> | See [UDP service](../udp/service.md) for more information. | `127.0.0.1:5353` |
+| <a id="opt-udp-services-service-name-weighted-servicesn-name" href="#opt-udp-services-service-name-weighted-servicesn-name" title="#opt-udp-services-service-name-weighted-servicesn-name">`udp.services.<service_name>.weighted.services[n].name`</a> | See [UDP service](../udp/service.md) for more information. | `dns-v1` |
+| <a id="opt-udp-services-service-name-weighted-servicesn-weight" href="#opt-udp-services-service-name-weighted-servicesn-weight" title="#opt-udp-services-service-name-weighted-servicesn-weight">`udp.services.<service_name>.weighted.services[n].weight`</a> | See [UDP service](../udp/service.md) for more information. | `3` |
+
+### TLS
+
+You can declare TLS certificates, options, and stores with the file provider.
+
+#### Certificates
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-tls-certificatesn-certFile" href="#opt-tls-certificatesn-certFile" title="#opt-tls-certificatesn-certFile">`tls.certificates[n].certFile`</a> | See [TLS certificates](../http/tls/tls-certificates.md) for more information. | `/certs/example.crt` |
+| <a id="opt-tls-certificatesn-keyFile" href="#opt-tls-certificatesn-keyFile" title="#opt-tls-certificatesn-keyFile">`tls.certificates[n].keyFile`</a> | See [TLS certificates](../http/tls/tls-certificates.md) for more information. | `/certs/example.key` |
+| <a id="opt-tls-certificatesn-storesn" href="#opt-tls-certificatesn-storesn" title="#opt-tls-certificatesn-storesn">`tls.certificates[n].stores[n]`</a> | See [certificate stores](../http/tls/tls-certificates.md#certificates-stores) for more information. | `default` |
+
+#### TLS Options
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-tls-options-options-name-minVersion" href="#opt-tls-options-options-name-minVersion" title="#opt-tls-options-options-name-minVersion">`tls.options.<options_name>.minVersion`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `VersionTLS12` |
+| <a id="opt-tls-options-options-name-maxVersion" href="#opt-tls-options-options-name-maxVersion" title="#opt-tls-options-options-name-maxVersion">`tls.options.<options_name>.maxVersion`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `VersionTLS13` |
+| <a id="opt-tls-options-options-name-cipherSuitesn" href="#opt-tls-options-options-name-cipherSuitesn" title="#opt-tls-options-options-name-cipherSuitesn">`tls.options.<options_name>.cipherSuites[n]`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` |
+| <a id="opt-tls-options-options-name-curvePreferencesn" href="#opt-tls-options-options-name-curvePreferencesn" title="#opt-tls-options-options-name-curvePreferencesn">`tls.options.<options_name>.curvePreferences[n]`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `CurveP256` |
+| <a id="opt-tls-options-options-name-clientAuth-caFilesn" href="#opt-tls-options-options-name-clientAuth-caFilesn" title="#opt-tls-options-options-name-clientAuth-caFilesn">`tls.options.<options_name>.clientAuth.caFiles[n]`</a> | See [client authentication](../http/tls/tls-options.md#client-authentication-mtls) for more information. | `/certs/client-ca.crt` |
+| <a id="opt-tls-options-options-name-clientAuth-clientAuthType" href="#opt-tls-options-options-name-clientAuth-clientAuthType" title="#opt-tls-options-options-name-clientAuth-clientAuthType">`tls.options.<options_name>.clientAuth.clientAuthType`</a> | See [client authentication](../http/tls/tls-options.md#client-authentication-mtls) for more information. | `RequireAndVerifyClientCert` |
+| <a id="opt-tls-options-options-name-sniStrict" href="#opt-tls-options-options-name-sniStrict" title="#opt-tls-options-options-name-sniStrict">`tls.options.<options_name>.sniStrict`</a> | See [strict SNI checking](../http/tls/tls-options.md#strict-sni-checking) for more information. | `true` |
+| <a id="opt-tls-options-options-name-alpnProtocolsn" href="#opt-tls-options-options-name-alpnProtocolsn" title="#opt-tls-options-options-name-alpnProtocolsn">`tls.options.<options_name>.alpnProtocols[n]`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `h2` |
+| <a id="opt-tls-options-options-name-disableSessionTickets" href="#opt-tls-options-options-name-disableSessionTickets" title="#opt-tls-options-options-name-disableSessionTickets">`tls.options.<options_name>.disableSessionTickets`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `true` |
+| <a id="opt-tls-options-options-name-preferServerCipherSuites" href="#opt-tls-options-options-name-preferServerCipherSuites" title="#opt-tls-options-options-name-preferServerCipherSuites">`tls.options.<options_name>.preferServerCipherSuites`</a> | See [TLS options](../http/tls/tls-options.md) for more information. | `true` |
+
+#### TLS Stores
+
+| Field | Description | Value |
+|------|-------------|-------|
+| <a id="opt-tls-stores-store-name-defaultCertificate-certFile" href="#opt-tls-stores-store-name-defaultCertificate-certFile" title="#opt-tls-stores-store-name-defaultCertificate-certFile">`tls.stores.<store_name>.defaultCertificate.certFile`</a> | See [default certificate](../http/tls/tls-certificates.md#default-certificate) for more information. | `/certs/default.crt` |
+| <a id="opt-tls-stores-store-name-defaultCertificate-keyFile" href="#opt-tls-stores-store-name-defaultCertificate-keyFile" title="#opt-tls-stores-store-name-defaultCertificate-keyFile">`tls.stores.<store_name>.defaultCertificate.keyFile`</a> | See [default certificate](../http/tls/tls-certificates.md#default-certificate) for more information. | `/certs/default.key` |
+| <a id="opt-tls-stores-store-name-defaultGeneratedCert-resolver" href="#opt-tls-stores-store-name-defaultGeneratedCert-resolver" title="#opt-tls-stores-store-name-defaultGeneratedCert-resolver">`tls.stores.<store_name>.defaultGeneratedCert.resolver`</a> | See [ACME default certificate](../http/tls/tls-certificates.md#acme-default-certificate) for more information. | `myresolver` |
+| <a id="opt-tls-stores-store-name-defaultGeneratedCert-domain-main" href="#opt-tls-stores-store-name-defaultGeneratedCert-domain-main" title="#opt-tls-stores-store-name-defaultGeneratedCert-domain-main">`tls.stores.<store_name>.defaultGeneratedCert.domain.main`</a> | See [ACME default certificate](../http/tls/tls-certificates.md#acme-default-certificate) for more information. | `example.org` |
+| <a id="opt-tls-stores-store-name-defaultGeneratedCert-domain-sansn" href="#opt-tls-stores-store-name-defaultGeneratedCert-domain-sansn" title="#opt-tls-stores-store-name-defaultGeneratedCert-domain-sansn">`tls.stores.<store_name>.defaultGeneratedCert.domain.sans[n]`</a> | See [ACME default certificate](../http/tls/tls-certificates.md#acme-default-certificate) for more information. | `www.example.org` |

 ## Go Templating

@@ -69,7 +497,7 @@ To illustrate, it is possible to easily define multiple routers, services, and T
      {{ range $i, $e := until 10 }}
      - certFile: "/etc/traefik/cert-{{ $e }}.pem"
        keyFile: "/etc/traefik/cert-{{ $e }}.key"
-        store:
+        stores:
        - "my-store-foo-{{ $e }}"
        - "my-store-bar-{{ $e }}"
      {{end}}
@@ -101,7 +529,7 @@ To illustrate, it is possible to easily define multiple routers, services, and T

      [tcp.services]
      {{ range $i, $e := until 100 }}
-          [http.services.service{{ $e }}]
+          [tcp.services.service{{ $e }}]
          # ...
      {{ end }}

@@ -112,9 +540,9 @@ To illustrate, it is possible to easily define multiple routers, services, and T
      stores = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
    {{ end }}

-    [tls.config]
+    [tls.options]
    {{ range $i, $e := until 10 }}
-      [tls.config.TLS{{ $e }}]
+      [tls.options.TLS{{ $e }}]
      # ...
    {{ end }}
    ```
@@ -1,640 +0,0 @@
-## CODE GENERATED AUTOMATICALLY
-## THIS FILE MUST NOT BE EDITED BY HAND
-[http]
-  [http.routers]
-    [http.routers.Router0]
-      entryPoints = ["foobar", "foobar"]
-      middlewares = ["foobar", "foobar"]
-      service = "foobar"
-      rule = "foobar"
-      parentRefs = ["foobar", "foobar"]
-      ruleSyntax = "foobar"
-      priority = 42
-      [http.routers.Router0.tls]
-        options = "foobar"
-        certResolver = "foobar"
-
-        [[http.routers.Router0.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-
-        [[http.routers.Router0.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-      [http.routers.Router0.observability]
-        accessLogs = true
-        metrics = true
-        tracing = true
-        traceVerbosity = "foobar"
-    [http.routers.Router1]
-      entryPoints = ["foobar", "foobar"]
-      middlewares = ["foobar", "foobar"]
-      service = "foobar"
-      rule = "foobar"
-      parentRefs = ["foobar", "foobar"]
-      ruleSyntax = "foobar"
-      priority = 42
-      [http.routers.Router1.tls]
-        options = "foobar"
-        certResolver = "foobar"
-
-        [[http.routers.Router1.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-
-        [[http.routers.Router1.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-      [http.routers.Router1.observability]
-        accessLogs = true
-        metrics = true
-        tracing = true
-        traceVerbosity = "foobar"
-  [http.services]
-    [http.services.Service01]
-      [http.services.Service01.failover]
-        service = "foobar"
-        fallback = "foobar"
-        [http.services.Service01.failover.healthCheck]
-    [http.services.Service02]
-      [http.services.Service02.highestRandomWeight]
-
-        [[http.services.Service02.highestRandomWeight.services]]
-          name = "foobar"
-          weight = 42
-
-        [[http.services.Service02.highestRandomWeight.services]]
-          name = "foobar"
-          weight = 42
-        [http.services.Service02.highestRandomWeight.healthCheck]
-    [http.services.Service03]
-      [http.services.Service03.loadBalancer]
-        strategy = "foobar"
-        passHostHeader = true
-        serversTransport = "foobar"
-        [http.services.Service03.loadBalancer.sticky]
-          [http.services.Service03.loadBalancer.sticky.cookie]
-            name = "foobar"
-            secure = true
-            httpOnly = true
-            sameSite = "foobar"
-            maxAge = 42
-            path = "foobar"
-            domain = "foobar"
-
-        [[http.services.Service03.loadBalancer.servers]]
-          url = "foobar"
-          weight = 42
-          preservePath = true
-
-        [[http.services.Service03.loadBalancer.servers]]
-          url = "foobar"
-          weight = 42
-          preservePath = true
-        [http.services.Service03.loadBalancer.healthCheck]
-          scheme = "foobar"
-          mode = "foobar"
-          path = "foobar"
-          method = "foobar"
-          status = 42
-          port = 42
-          interval = "42s"
-          unhealthyInterval = "42s"
-          timeout = "42s"
-          hostname = "foobar"
-          followRedirects = true
-          [http.services.Service03.loadBalancer.healthCheck.headers]
-            name0 = "foobar"
-            name1 = "foobar"
-        [http.services.Service03.loadBalancer.passiveHealthCheck]
-          failureWindow = "42s"
-          maxFailedAttempts = 42
-        [http.services.Service03.loadBalancer.responseForwarding]
-          flushInterval = "42s"
-    [http.services.Service04]
-      [http.services.Service04.mirroring]
-        service = "foobar"
-        mirrorBody = true
-        maxBodySize = 42
-
-        [[http.services.Service04.mirroring.mirrors]]
-          name = "foobar"
-          percent = 42
-
-        [[http.services.Service04.mirroring.mirrors]]
-          name = "foobar"
-          percent = 42
-        [http.services.Service04.mirroring.healthCheck]
-    [http.services.Service05]
-      [http.services.Service05.weighted]
-
-        [[http.services.Service05.weighted.services]]
-          name = "foobar"
-          weight = 42
-
-        [[http.services.Service05.weighted.services]]
-          name = "foobar"
-          weight = 42
-        [http.services.Service05.weighted.sticky]
-          [http.services.Service05.weighted.sticky.cookie]
-            name = "foobar"
-            secure = true
-            httpOnly = true
-            sameSite = "foobar"
-            maxAge = 42
-            path = "foobar"
-            domain = "foobar"
-        [http.services.Service05.weighted.healthCheck]
-  [http.middlewares]
-    [http.middlewares.Middleware01]
-      [http.middlewares.Middleware01.addPrefix]
-        prefix = "foobar"
-    [http.middlewares.Middleware02]
-      [http.middlewares.Middleware02.basicAuth]
-        users = ["foobar", "foobar"]
-        usersFile = "foobar"
-        realm = "foobar"
-        removeHeader = true
-        headerField = "foobar"
-    [http.middlewares.Middleware03]
-      [http.middlewares.Middleware03.buffering]
-        maxRequestBodyBytes = 42
-        memRequestBodyBytes = 42
-        maxResponseBodyBytes = 42
-        memResponseBodyBytes = 42
-        retryExpression = "foobar"
-    [http.middlewares.Middleware04]
-      [http.middlewares.Middleware04.chain]
-        middlewares = ["foobar", "foobar"]
-    [http.middlewares.Middleware05]
-      [http.middlewares.Middleware05.circuitBreaker]
-        expression = "foobar"
-        checkPeriod = "42s"
-        fallbackDuration = "42s"
-        recoveryDuration = "42s"
-        responseCode = 42
-    [http.middlewares.Middleware06]
-      [http.middlewares.Middleware06.compress]
-        excludedContentTypes = ["foobar", "foobar"]
-        includedContentTypes = ["foobar", "foobar"]
-        minResponseBodyBytes = 42
-        encodings = ["foobar", "foobar"]
-        defaultEncoding = "foobar"
-    [http.middlewares.Middleware07]
-      [http.middlewares.Middleware07.contentType]
-        autoDetect = true
-    [http.middlewares.Middleware08]
-      [http.middlewares.Middleware08.digestAuth]
-        users = ["foobar", "foobar"]
-        usersFile = "foobar"
-        removeHeader = true
-        realm = "foobar"
-        headerField = "foobar"
-    [http.middlewares.Middleware09]
-      [http.middlewares.Middleware09.errors]
-        status = ["foobar", "foobar"]
-        service = "foobar"
-        query = "foobar"
-        [http.middlewares.Middleware09.errors.statusRewrites]
-          name0 = 42
-          name1 = 42
-    [http.middlewares.Middleware10]
-      [http.middlewares.Middleware10.forwardAuth]
-        address = "foobar"
-        trustForwardHeader = true
-        authResponseHeaders = ["foobar", "foobar"]
-        authResponseHeadersRegex = "foobar"
-        authRequestHeaders = ["foobar", "foobar"]
-        maxResponseBodySize = 42
-        addAuthCookiesToResponse = ["foobar", "foobar"]
-        headerField = "foobar"
-        forwardBody = true
-        maxBodySize = 42
-        preserveLocationHeader = true
-        preserveRequestMethod = true
-        [http.middlewares.Middleware10.forwardAuth.tls]
-          ca = "foobar"
-          cert = "foobar"
-          key = "foobar"
-          insecureSkipVerify = true
-          caOptional = true
-    [http.middlewares.Middleware11]
-      [http.middlewares.Middleware11.grpcWeb]
-        allowOrigins = ["foobar", "foobar"]
-    [http.middlewares.Middleware12]
-      [http.middlewares.Middleware12.headers]
-        accessControlAllowCredentials = true
-        accessControlAllowHeaders = ["foobar", "foobar"]
-        accessControlAllowMethods = ["foobar", "foobar"]
-        accessControlAllowOriginList = ["foobar", "foobar"]
-        accessControlAllowOriginListRegex = ["foobar", "foobar"]
-        accessControlExposeHeaders = ["foobar", "foobar"]
-        accessControlMaxAge = 42
-        addVaryHeader = true
-        allowedHosts = ["foobar", "foobar"]
-        hostsProxyHeaders = ["foobar", "foobar"]
-        stsSeconds = 42
-        stsIncludeSubdomains = true
-        stsPreload = true
-        forceSTSHeader = true
-        frameDeny = true
-        customFrameOptionsValue = "foobar"
-        contentTypeNosniff = true
-        browserXssFilter = true
-        customBrowserXSSValue = "foobar"
-        contentSecurityPolicy = "foobar"
-        contentSecurityPolicyReportOnly = "foobar"
-        publicKey = "foobar"
-        referrerPolicy = "foobar"
-        permissionsPolicy = "foobar"
-        isDevelopment = true
-        featurePolicy = "foobar"
-        sslRedirect = true
-        sslTemporaryRedirect = true
-        sslHost = "foobar"
-        sslForceHost = true
-        [http.middlewares.Middleware12.headers.customRequestHeaders]
-          name0 = "foobar"
-          name1 = "foobar"
-        [http.middlewares.Middleware12.headers.customResponseHeaders]
-          name0 = "foobar"
-          name1 = "foobar"
-        [http.middlewares.Middleware12.headers.sslProxyHeaders]
-          name0 = "foobar"
-          name1 = "foobar"
-    [http.middlewares.Middleware13]
-      [http.middlewares.Middleware13.ipAllowList]
-        sourceRange = ["foobar", "foobar"]
-        rejectStatusCode = 42
-        [http.middlewares.Middleware13.ipAllowList.ipStrategy]
-          depth = 42
-          excludedIPs = ["foobar", "foobar"]
-          ipv6Subnet = 42
-    [http.middlewares.Middleware14]
-      [http.middlewares.Middleware14.ipWhiteList]
-        sourceRange = ["foobar", "foobar"]
-        [http.middlewares.Middleware14.ipWhiteList.ipStrategy]
-          depth = 42
-          excludedIPs = ["foobar", "foobar"]
-          ipv6Subnet = 42
-    [http.middlewares.Middleware15]
-      [http.middlewares.Middleware15.inFlightReq]
-        amount = 42
-        [http.middlewares.Middleware15.inFlightReq.sourceCriterion]
-          requestHeaderName = "foobar"
-          requestHost = true
-          [http.middlewares.Middleware15.inFlightReq.sourceCriterion.ipStrategy]
-            depth = 42
-            excludedIPs = ["foobar", "foobar"]
-            ipv6Subnet = 42
-    [http.middlewares.Middleware16]
-      [http.middlewares.Middleware16.passTLSClientCert]
-        pem = true
-        [http.middlewares.Middleware16.passTLSClientCert.info]
-          notAfter = true
-          notBefore = true
-          sans = true
-          serialNumber = true
-          [http.middlewares.Middleware16.passTLSClientCert.info.subject]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            organizationalUnit = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-          [http.middlewares.Middleware16.passTLSClientCert.info.issuer]
-            country = true
-            province = true
-            locality = true
-            organization = true
-            commonName = true
-            serialNumber = true
-            domainComponent = true
-    [http.middlewares.Middleware17]
-      [http.middlewares.Middleware17.plugin]
-        [http.middlewares.Middleware17.plugin.PluginConf0]
-          name0 = "foobar"
-          name1 = "foobar"
-        [http.middlewares.Middleware17.plugin.PluginConf1]
-          name0 = "foobar"
-          name1 = "foobar"
-    [http.middlewares.Middleware18]
-      [http.middlewares.Middleware18.rateLimit]
-        average = 42
-        period = "42s"
-        burst = 42
-        [http.middlewares.Middleware18.rateLimit.sourceCriterion]
-          requestHeaderName = "foobar"
-          requestHost = true
-          [http.middlewares.Middleware18.rateLimit.sourceCriterion.ipStrategy]
-            depth = 42
-            excludedIPs = ["foobar", "foobar"]
-            ipv6Subnet = 42
-        [http.middlewares.Middleware18.rateLimit.redis]
-          endpoints = ["foobar", "foobar"]
-          username = "foobar"
-          password = "foobar"
-          db = 42
-          poolSize = 42
-          minIdleConns = 42
-          maxActiveConns = 42
-          readTimeout = "42s"
-          writeTimeout = "42s"
-          dialTimeout = "42s"
-          [http.middlewares.Middleware18.rateLimit.redis.tls]
-            ca = "foobar"
-            cert = "foobar"
-            key = "foobar"
-            insecureSkipVerify = true
-    [http.middlewares.Middleware19]
-      [http.middlewares.Middleware19.redirectRegex]
-        regex = "foobar"
-        replacement = "foobar"
-        permanent = true
-    [http.middlewares.Middleware20]
-      [http.middlewares.Middleware20.redirectScheme]
-        scheme = "foobar"
-        port = "foobar"
-        permanent = true
-    [http.middlewares.Middleware21]
-      [http.middlewares.Middleware21.replacePath]
-        path = "foobar"
-    [http.middlewares.Middleware22]
-      [http.middlewares.Middleware22.replacePathRegex]
-        regex = "foobar"
-        replacement = "foobar"
-    [http.middlewares.Middleware23]
-      [http.middlewares.Middleware23.retry]
-        attempts = 42
-        initialInterval = "42s"
-    [http.middlewares.Middleware24]
-      [http.middlewares.Middleware24.stripPrefix]
-        prefixes = ["foobar", "foobar"]
-        forceSlash = true
-    [http.middlewares.Middleware25]
-      [http.middlewares.Middleware25.stripPrefixRegex]
-        regex = ["foobar", "foobar"]
-  [http.serversTransports]
-    [http.serversTransports.ServersTransport0]
-      serverName = "foobar"
-      insecureSkipVerify = true
-      rootCAs = ["foobar", "foobar"]
-      maxIdleConnsPerHost = 42
-      disableHTTP2 = true
-      peerCertURI = "foobar"
-
-      [[http.serversTransports.ServersTransport0.certificates]]
-        certFile = "foobar"
-        keyFile = "foobar"
-
-      [[http.serversTransports.ServersTransport0.certificates]]
-        certFile = "foobar"
-        keyFile = "foobar"
-      [http.serversTransports.ServersTransport0.forwardingTimeouts]
-        dialTimeout = "42s"
-        responseHeaderTimeout = "42s"
-        idleConnTimeout = "42s"
-        readIdleTimeout = "42s"
-        pingTimeout = "42s"
-      [http.serversTransports.ServersTransport0.spiffe]
-        ids = ["foobar", "foobar"]
-        trustDomain = "foobar"
-    [http.serversTransports.ServersTransport1]
-      serverName = "foobar"
-      insecureSkipVerify = true
-      rootCAs = ["foobar", "foobar"]
-      maxIdleConnsPerHost = 42
-      disableHTTP2 = true
-      peerCertURI = "foobar"
-
-      [[http.serversTransports.ServersTransport1.certificates]]
-        certFile = "foobar"
-        keyFile = "foobar"
-
-      [[http.serversTransports.ServersTransport1.certificates]]
-        certFile = "foobar"
-        keyFile = "foobar"
-      [http.serversTransports.ServersTransport1.forwardingTimeouts]
-        dialTimeout = "42s"
-        responseHeaderTimeout = "42s"
-        idleConnTimeout = "42s"
-        readIdleTimeout = "42s"
-        pingTimeout = "42s"
-      [http.serversTransports.ServersTransport1.spiffe]
-        ids = ["foobar", "foobar"]
-        trustDomain = "foobar"
-
-[tcp]
-  [tcp.routers]
-    [tcp.routers.TCPRouter0]
-      entryPoints = ["foobar", "foobar"]
-      middlewares = ["foobar", "foobar"]
-      service = "foobar"
-      rule = "foobar"
-      ruleSyntax = "foobar"
-      priority = 42
-      [tcp.routers.TCPRouter0.tls]
-        passthrough = true
-        options = "foobar"
-        certResolver = "foobar"
-
-        [[tcp.routers.TCPRouter0.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-
-        [[tcp.routers.TCPRouter0.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-    [tcp.routers.TCPRouter1]
-      entryPoints = ["foobar", "foobar"]
-      middlewares = ["foobar", "foobar"]
-      service = "foobar"
-      rule = "foobar"
-      ruleSyntax = "foobar"
-      priority = 42
-      [tcp.routers.TCPRouter1.tls]
-        passthrough = true
-        options = "foobar"
-        certResolver = "foobar"
-
-        [[tcp.routers.TCPRouter1.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-
-        [[tcp.routers.TCPRouter1.tls.domains]]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-  [tcp.services]
-    [tcp.services.TCPService01]
-      [tcp.services.TCPService01.loadBalancer]
-        serversTransport = "foobar"
-        terminationDelay = 42
-
-        [[tcp.services.TCPService01.loadBalancer.servers]]
-          address = "foobar"
-          tls = true
-
-        [[tcp.services.TCPService01.loadBalancer.servers]]
-          address = "foobar"
-          tls = true
-        [tcp.services.TCPService01.loadBalancer.proxyProtocol]
-          version = 42
-        [tcp.services.TCPService01.loadBalancer.healthCheck]
-          port = 42
-          send = "foobar"
-          expect = "foobar"
-          interval = "42s"
-          unhealthyInterval = "42s"
-          timeout = "42s"
-    [tcp.services.TCPService02]
-      [tcp.services.TCPService02.weighted]
-
-        [[tcp.services.TCPService02.weighted.services]]
-          name = "foobar"
-          weight = 42
-
-        [[tcp.services.TCPService02.weighted.services]]
-          name = "foobar"
-          weight = 42
-        [tcp.services.TCPService02.weighted.healthCheck]
-  [tcp.middlewares]
-    [tcp.middlewares.TCPMiddleware01]
-      [tcp.middlewares.TCPMiddleware01.ipAllowList]
-        sourceRange = ["foobar", "foobar"]
-    [tcp.middlewares.TCPMiddleware02]
-      [tcp.middlewares.TCPMiddleware02.ipWhiteList]
-        sourceRange = ["foobar", "foobar"]
-    [tcp.middlewares.TCPMiddleware03]
-      [tcp.middlewares.TCPMiddleware03.inFlightConn]
-        amount = 42
-  [tcp.serversTransports]
-    [tcp.serversTransports.TCPServersTransport0]
-      dialKeepAlive = "42s"
-      dialTimeout = "42s"
-      terminationDelay = "42s"
-      [tcp.serversTransports.TCPServersTransport0.proxyProtocol]
-        version = 42
-      [tcp.serversTransports.TCPServersTransport0.tls]
-        serverName = "foobar"
-        insecureSkipVerify = true
-        rootCAs = ["foobar", "foobar"]
-        peerCertURI = "foobar"
-
-        [[tcp.serversTransports.TCPServersTransport0.tls.certificates]]
-          certFile = "foobar"
-          keyFile = "foobar"
-
-        [[tcp.serversTransports.TCPServersTransport0.tls.certificates]]
-          certFile = "foobar"
-          keyFile = "foobar"
-        [tcp.serversTransports.TCPServersTransport0.tls.spiffe]
-          ids = ["foobar", "foobar"]
-          trustDomain = "foobar"
-    [tcp.serversTransports.TCPServersTransport1]
-      dialKeepAlive = "42s"
-      dialTimeout = "42s"
-      terminationDelay = "42s"
-      [tcp.serversTransports.TCPServersTransport1.proxyProtocol]
-        version = 42
-      [tcp.serversTransports.TCPServersTransport1.tls]
-        serverName = "foobar"
-        insecureSkipVerify = true
-        rootCAs = ["foobar", "foobar"]
-        peerCertURI = "foobar"
-
-        [[tcp.serversTransports.TCPServersTransport1.tls.certificates]]
-          certFile = "foobar"
-          keyFile = "foobar"
-
-        [[tcp.serversTransports.TCPServersTransport1.tls.certificates]]
-          certFile = "foobar"
-          keyFile = "foobar"
-        [tcp.serversTransports.TCPServersTransport1.tls.spiffe]
-          ids = ["foobar", "foobar"]
-          trustDomain = "foobar"
-
-[udp]
-  [udp.routers]
-    [udp.routers.UDPRouter0]
-      entryPoints = ["foobar", "foobar"]
-      service = "foobar"
-    [udp.routers.UDPRouter1]
-      entryPoints = ["foobar", "foobar"]
-      service = "foobar"
-  [udp.services]
-    [udp.services.UDPService01]
-      [udp.services.UDPService01.loadBalancer]
-
-        [[udp.services.UDPService01.loadBalancer.servers]]
-          address = "foobar"
-
-        [[udp.services.UDPService01.loadBalancer.servers]]
-          address = "foobar"
-    [udp.services.UDPService02]
-      [udp.services.UDPService02.weighted]
-
-        [[udp.services.UDPService02.weighted.services]]
-          name = "foobar"
-          weight = 42
-
-        [[udp.services.UDPService02.weighted.services]]
-          name = "foobar"
-          weight = 42
-
-[tls]
-
-  [[tls.certificates]]
-    certFile = "foobar"
-    keyFile = "foobar"
-    stores = ["foobar", "foobar"]
-
-  [[tls.certificates]]
-    certFile = "foobar"
-    keyFile = "foobar"
-    stores = ["foobar", "foobar"]
-  [tls.options]
-    [tls.options.Options0]
-      minVersion = "foobar"
-      maxVersion = "foobar"
-      cipherSuites = ["foobar", "foobar"]
-      curvePreferences = ["foobar", "foobar"]
-      sniStrict = true
-      alpnProtocols = ["foobar", "foobar"]
-      disableSessionTickets = true
-      preferServerCipherSuites = true
-      [tls.options.Options0.clientAuth]
-        caFiles = ["foobar", "foobar"]
-        clientAuthType = "foobar"
-    [tls.options.Options1]
-      minVersion = "foobar"
-      maxVersion = "foobar"
-      cipherSuites = ["foobar", "foobar"]
-      curvePreferences = ["foobar", "foobar"]
-      sniStrict = true
-      alpnProtocols = ["foobar", "foobar"]
-      disableSessionTickets = true
-      preferServerCipherSuites = true
-      [tls.options.Options1.clientAuth]
-        caFiles = ["foobar", "foobar"]
-        clientAuthType = "foobar"
-  [tls.stores]
-    [tls.stores.Store0]
-      [tls.stores.Store0.defaultCertificate]
-        certFile = "foobar"
-        keyFile = "foobar"
-      [tls.stores.Store0.defaultGeneratedCert]
-        resolver = "foobar"
-        [tls.stores.Store0.defaultGeneratedCert.domain]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
-    [tls.stores.Store1]
-      [tls.stores.Store1.defaultCertificate]
-        certFile = "foobar"
-        keyFile = "foobar"
-      [tls.stores.Store1.defaultGeneratedCert]
-        resolver = "foobar"
-        [tls.stores.Store1.defaultGeneratedCert.domain]
-          main = "foobar"
-          sans = ["foobar", "foobar"]
@@ -1,724 +0,0 @@
-## CODE GENERATED AUTOMATICALLY
-## THIS FILE MUST NOT BE EDITED BY HAND
-http:
-  routers:
-    Router0:
-      entryPoints:
-        - foobar
-        - foobar
-      middlewares:
-        - foobar
-        - foobar
-      service: foobar
-      rule: foobar
-      parentRefs:
-        - foobar
-        - foobar
-      ruleSyntax: foobar
-      priority: 42
-      tls:
-        options: foobar
-        certResolver: foobar
-        domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-      observability:
-        accessLogs: true
-        metrics: true
-        tracing: true
-        traceVerbosity: foobar
-    Router1:
-      entryPoints:
-        - foobar
-        - foobar
-      middlewares:
-        - foobar
-        - foobar
-      service: foobar
-      rule: foobar
-      parentRefs:
-        - foobar
-        - foobar
-      ruleSyntax: foobar
-      priority: 42
-      tls:
-        options: foobar
-        certResolver: foobar
-        domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-      observability:
-        accessLogs: true
-        metrics: true
-        tracing: true
-        traceVerbosity: foobar
-  services:
-    Service01:
-      failover:
-        service: foobar
-        fallback: foobar
-        healthCheck: {}
-    Service02:
-      highestRandomWeight:
-        services:
-          - name: foobar
-            weight: 42
-          - name: foobar
-            weight: 42
-        healthCheck: {}
-    Service03:
-      loadBalancer:
-        sticky:
-          cookie:
-            name: foobar
-            secure: true
-            httpOnly: true
-            sameSite: foobar
-            maxAge: 42
-            path: foobar
-            domain: foobar
-        servers:
-          - url: foobar
-            weight: 42
-            preservePath: true
-          - url: foobar
-            weight: 42
-            preservePath: true
-        strategy: foobar
-        healthCheck:
-          scheme: foobar
-          mode: foobar
-          path: foobar
-          method: foobar
-          status: 42
-          port: 42
-          interval: 42s
-          unhealthyInterval: 42s
-          timeout: 42s
-          hostname: foobar
-          followRedirects: true
-          headers:
-            name0: foobar
-            name1: foobar
-        passiveHealthCheck:
-          failureWindow: 42s
-          maxFailedAttempts: 42
-        passHostHeader: true
-        responseForwarding:
-          flushInterval: 42s
-        serversTransport: foobar
-    Service04:
-      mirroring:
-        service: foobar
-        mirrorBody: true
-        maxBodySize: 42
-        mirrors:
-          - name: foobar
-            percent: 42
-          - name: foobar
-            percent: 42
-        healthCheck: {}
-    Service05:
-      weighted:
-        services:
-          - name: foobar
-            weight: 42
-          - name: foobar
-            weight: 42
-        sticky:
-          cookie:
-            name: foobar
-            secure: true
-            httpOnly: true
-            sameSite: foobar
-            maxAge: 42
-            path: foobar
-            domain: foobar
-        healthCheck: {}
-  middlewares:
-    Middleware01:
-      addPrefix:
-        prefix: foobar
-    Middleware02:
-      basicAuth:
-        users:
-          - foobar
-          - foobar
-        usersFile: foobar
-        realm: foobar
-        removeHeader: true
-        headerField: foobar
-    Middleware03:
-      buffering:
-        maxRequestBodyBytes: 42
-        memRequestBodyBytes: 42
-        maxResponseBodyBytes: 42
-        memResponseBodyBytes: 42
-        retryExpression: foobar
-    Middleware04:
-      chain:
-        middlewares:
-          - foobar
-          - foobar
-    Middleware05:
-      circuitBreaker:
-        expression: foobar
-        checkPeriod: 42s
-        fallbackDuration: 42s
-        recoveryDuration: 42s
-        responseCode: 42
-    Middleware06:
-      compress:
-        excludedContentTypes:
-          - foobar
-          - foobar
-        includedContentTypes:
-          - foobar
-          - foobar
-        minResponseBodyBytes: 42
-        encodings:
-          - foobar
-          - foobar
-        defaultEncoding: foobar
-    Middleware07:
-      contentType:
-        autoDetect: true
-    Middleware08:
-      digestAuth:
-        users:
-          - foobar
-          - foobar
-        usersFile: foobar
-        removeHeader: true
-        realm: foobar
-        headerField: foobar
-    Middleware09:
-      errors:
-        status:
-          - foobar
-          - foobar
-        statusRewrites:
-          name0: 42
-          name1: 42
-        service: foobar
-        query: foobar
-    Middleware10:
-      forwardAuth:
-        address: foobar
-        tls:
-          ca: foobar
-          cert: foobar
-          key: foobar
-          insecureSkipVerify: true
-          caOptional: true
-        trustForwardHeader: true
-        authResponseHeaders:
-          - foobar
-          - foobar
-        authResponseHeadersRegex: foobar
-        authRequestHeaders:
-          - foobar
-          - foobar
-        maxResponseBodySize: 42
-        addAuthCookiesToResponse:
-          - foobar
-          - foobar
-        headerField: foobar
-        forwardBody: true
-        maxBodySize: 42
-        preserveLocationHeader: true
-        preserveRequestMethod: true
-    Middleware11:
-      grpcWeb:
-        allowOrigins:
-          - foobar
-          - foobar
-    Middleware12:
-      headers:
-        customRequestHeaders:
-          name0: foobar
-          name1: foobar
-        customResponseHeaders:
-          name0: foobar
-          name1: foobar
-        accessControlAllowCredentials: true
-        accessControlAllowHeaders:
-          - foobar
-          - foobar
-        accessControlAllowMethods:
-          - foobar
-          - foobar
-        accessControlAllowOriginList:
-          - foobar
-          - foobar
-        accessControlAllowOriginListRegex:
-          - foobar
-          - foobar
-        accessControlExposeHeaders:
-          - foobar
-          - foobar
-        accessControlMaxAge: 42
-        addVaryHeader: true
-        allowedHosts:
-          - foobar
-          - foobar
-        hostsProxyHeaders:
-          - foobar
-          - foobar
-        sslProxyHeaders:
-          name0: foobar
-          name1: foobar
-        stsSeconds: 42
-        stsIncludeSubdomains: true
-        stsPreload: true
-        forceSTSHeader: true
-        frameDeny: true
-        customFrameOptionsValue: foobar
-        contentTypeNosniff: true
-        browserXssFilter: true
-        customBrowserXSSValue: foobar
-        contentSecurityPolicy: foobar
-        contentSecurityPolicyReportOnly: foobar
-        publicKey: foobar
-        referrerPolicy: foobar
-        permissionsPolicy: foobar
-        isDevelopment: true
-        featurePolicy: foobar
-        sslRedirect: true
-        sslTemporaryRedirect: true
-        sslHost: foobar
-        sslForceHost: true
-    Middleware13:
-      ipAllowList:
-        sourceRange:
-          - foobar
-          - foobar
-        ipStrategy:
-          depth: 42
-          excludedIPs:
-            - foobar
-            - foobar
-          ipv6Subnet: 42
-        rejectStatusCode: 42
-    Middleware14:
-      ipWhiteList:
-        sourceRange:
-          - foobar
-          - foobar
-        ipStrategy:
-          depth: 42
-          excludedIPs:
-            - foobar
-            - foobar
-          ipv6Subnet: 42
-    Middleware15:
-      inFlightReq:
-        amount: 42
-        sourceCriterion:
-          ipStrategy:
-            depth: 42
-            excludedIPs:
-              - foobar
-              - foobar
-            ipv6Subnet: 42
-          requestHeaderName: foobar
-          requestHost: true
-    Middleware16:
-      passTLSClientCert:
-        pem: true
-        info:
-          notAfter: true
-          notBefore: true
-          sans: true
-          serialNumber: true
-          subject:
-            country: true
-            province: true
-            locality: true
-            organization: true
-            organizationalUnit: true
-            commonName: true
-            serialNumber: true
-            domainComponent: true
-          issuer:
-            country: true
-            province: true
-            locality: true
-            organization: true
-            commonName: true
-            serialNumber: true
-            domainComponent: true
-    Middleware17:
-      plugin:
-        PluginConf0:
-          name0: foobar
-          name1: foobar
-        PluginConf1:
-          name0: foobar
-          name1: foobar
-    Middleware18:
-      rateLimit:
-        average: 42
-        period: 42s
-        burst: 42
-        sourceCriterion:
-          ipStrategy:
-            depth: 42
-            excludedIPs:
-              - foobar
-              - foobar
-            ipv6Subnet: 42
-          requestHeaderName: foobar
-          requestHost: true
-        redis:
-          endpoints:
-            - foobar
-            - foobar
-          tls:
-            ca: foobar
-            cert: foobar
-            key: foobar
-            insecureSkipVerify: true
-          username: foobar
-          password: foobar
-          db: 42
-          poolSize: 42
-          minIdleConns: 42
-          maxActiveConns: 42
-          readTimeout: 42s
-          writeTimeout: 42s
-          dialTimeout: 42s
-    Middleware19:
-      redirectRegex:
-        regex: foobar
-        replacement: foobar
-        permanent: true
-    Middleware20:
-      redirectScheme:
-        scheme: foobar
-        port: foobar
-        permanent: true
-    Middleware21:
-      replacePath:
-        path: foobar
-    Middleware22:
-      replacePathRegex:
-        regex: foobar
-        replacement: foobar
-    Middleware23:
-      retry:
-        attempts: 42
-        initialInterval: 42s
-    Middleware24:
-      stripPrefix:
-        prefixes:
-          - foobar
-          - foobar
-        forceSlash: true
-    Middleware25:
-      stripPrefixRegex:
-        regex:
-          - foobar
-          - foobar
-  serversTransports:
-    ServersTransport0:
-      serverName: foobar
-      insecureSkipVerify: true
-      rootCAs:
-        - foobar
-        - foobar
-      certificates:
-        - certFile: foobar
-          keyFile: foobar
-        - certFile: foobar
-          keyFile: foobar
-      maxIdleConnsPerHost: 42
-      forwardingTimeouts:
-        dialTimeout: 42s
-        responseHeaderTimeout: 42s
-        idleConnTimeout: 42s
-        readIdleTimeout: 42s
-        pingTimeout: 42s
-      disableHTTP2: true
-      peerCertURI: foobar
-      spiffe:
-        ids:
-          - foobar
-          - foobar
-        trustDomain: foobar
-    ServersTransport1:
-      serverName: foobar
-      insecureSkipVerify: true
-      rootCAs:
-        - foobar
-        - foobar
-      certificates:
-        - certFile: foobar
-          keyFile: foobar
-        - certFile: foobar
-          keyFile: foobar
-      maxIdleConnsPerHost: 42
-      forwardingTimeouts:
-        dialTimeout: 42s
-        responseHeaderTimeout: 42s
-        idleConnTimeout: 42s
-        readIdleTimeout: 42s
-        pingTimeout: 42s
-      disableHTTP2: true
-      peerCertURI: foobar
-      spiffe:
-        ids:
-          - foobar
-          - foobar
-        trustDomain: foobar
-tcp:
-  routers:
-    TCPRouter0:
-      entryPoints:
-        - foobar
-        - foobar
-      middlewares:
-        - foobar
-        - foobar
-      service: foobar
-      rule: foobar
-      ruleSyntax: foobar
-      priority: 42
-      tls:
-        passthrough: true
-        options: foobar
-        certResolver: foobar
-        domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-    TCPRouter1:
-      entryPoints:
-        - foobar
-        - foobar
-      middlewares:
-        - foobar
-        - foobar
-      service: foobar
-      rule: foobar
-      ruleSyntax: foobar
-      priority: 42
-      tls:
-        passthrough: true
-        options: foobar
-        certResolver: foobar
-        domains:
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-          - main: foobar
-            sans:
-              - foobar
-              - foobar
-  services:
-    TCPService01:
-      loadBalancer:
-        servers:
-          - address: foobar
-            tls: true
-          - address: foobar
-            tls: true
-        serversTransport: foobar
-        proxyProtocol:
-          version: 42
-        terminationDelay: 42
-        healthCheck:
-          port: 42
-          send: foobar
-          expect: foobar
-          interval: 42s
-          unhealthyInterval: 42s
-          timeout: 42s
-    TCPService02:
-      weighted:
-        services:
-          - name: foobar
-            weight: 42
-          - name: foobar
-            weight: 42
-        healthCheck: {}
-  middlewares:
-    TCPMiddleware01:
-      ipAllowList:
-        sourceRange:
-          - foobar
-          - foobar
-    TCPMiddleware02:
-      ipWhiteList:
-        sourceRange:
-          - foobar
-          - foobar
-    TCPMiddleware03:
-      inFlightConn:
-        amount: 42
-  serversTransports:
-    TCPServersTransport0:
-      dialKeepAlive: 42s
-      dialTimeout: 42s
-      proxyProtocol:
-        version: 42
-      terminationDelay: 42s
-      tls:
-        serverName: foobar
-        insecureSkipVerify: true
-        rootCAs:
-          - foobar
-          - foobar
-        certificates:
-          - certFile: foobar
-            keyFile: foobar
-          - certFile: foobar
-            keyFile: foobar
-        peerCertURI: foobar
-        spiffe:
-          ids:
-            - foobar
-            - foobar
-          trustDomain: foobar
-    TCPServersTransport1:
-      dialKeepAlive: 42s
-      dialTimeout: 42s
-      proxyProtocol:
-        version: 42
-      terminationDelay: 42s
-      tls:
-        serverName: foobar
-        insecureSkipVerify: true
-        rootCAs:
-          - foobar
-          - foobar
-        certificates:
-          - certFile: foobar
-            keyFile: foobar
-          - certFile: foobar
-            keyFile: foobar
-        peerCertURI: foobar
-        spiffe:
-          ids:
-            - foobar
-            - foobar
-          trustDomain: foobar
-udp:
-  routers:
-    UDPRouter0:
-      entryPoints:
-        - foobar
-        - foobar
-      service: foobar
-    UDPRouter1:
-      entryPoints:
-        - foobar
-        - foobar
-      service: foobar
-  services:
-    UDPService01:
-      loadBalancer:
-        servers:
-          - address: foobar
-          - address: foobar
-    UDPService02:
-      weighted:
-        services:
-          - name: foobar
-            weight: 42
-          - name: foobar
-            weight: 42
-tls:
-  certificates:
-    - certFile: foobar
-      keyFile: foobar
-      stores:
-        - foobar
-        - foobar
-    - certFile: foobar
-      keyFile: foobar
-      stores:
-        - foobar
-        - foobar
-  options:
-    Options0:
-      minVersion: foobar
-      maxVersion: foobar
-      cipherSuites:
-        - foobar
-        - foobar
-      curvePreferences:
-        - foobar
-        - foobar
-      clientAuth:
-        caFiles:
-          - foobar
-          - foobar
-        clientAuthType: foobar
-      sniStrict: true
-      alpnProtocols:
-        - foobar
-        - foobar
-      disableSessionTickets: true
-      preferServerCipherSuites: true
-    Options1:
-      minVersion: foobar
-      maxVersion: foobar
-      cipherSuites:
-        - foobar
-        - foobar
-      curvePreferences:
-        - foobar
-        - foobar
-      clientAuth:
-        caFiles:
-          - foobar
-          - foobar
-        clientAuthType: foobar
-      sniStrict: true
-      alpnProtocols:
-        - foobar
-        - foobar
-      disableSessionTickets: true
-      preferServerCipherSuites: true
-  stores:
-    Store0:
-      defaultCertificate:
-        certFile: foobar
-        keyFile: foobar
-      defaultGeneratedCert:
-        resolver: foobar
-        domain:
-          main: foobar
-          sans:
-            - foobar
-            - foobar
-    Store1:
-      defaultCertificate:
-        certFile: foobar
-        keyFile: foobar
-      defaultGeneratedCert:
-        resolver: foobar
-        domain:
-          main: foobar
-          sans:
-            - foobar
-            - foobar
@@ -18,7 +18,7 @@ The table below lists all the available matchers:

 | Rule                                                        | Description                                                                                      |
 |-------------------------------------------------------------|:-------------------------------------------------------------------------------------------------|
-| <a id="opt-HostSNIdomain" href="#opt-HostSNIdomain" title="#opt-HostSNIdomain">[```HostSNI(`domain`)```](#hostsni-and-hostsniregexp)</a> | Checks if the connection's Server Name Indication is equal to `domain`.<br /> More information [here](#hostsni-and-hostsniregexp).                          |
+| <a id="opt-HostSNIdomain" href="#opt-HostSNIdomain" title="#opt-HostSNIdomain">[```HostSNI(`domain`)```](#hostsni-and-hostsniregexp)</a> | Checks if the connection's Server Name Indication is equal to `domain`. Supports wildcard subdomain matching (e.g. `*.example.com`).<br /> More information [here](#hostsni-and-hostsniregexp). |
 | <a id="opt-HostSNIRegexpregexp" href="#opt-HostSNIRegexpregexp" title="#opt-HostSNIRegexpregexp">[```HostSNIRegexp(`regexp`)```](#hostsni-and-hostsniregexp)</a> | Checks if the connection's Server Name Indication matches `regexp`.<br />Use a [Go](https://golang.org/pkg/regexp/) flavored syntax.<br /> More information [here](#hostsni-and-hostsniregexp). |
 | <a id="opt-ClientIPip" href="#opt-ClientIPip" title="#opt-ClientIPip">[```ClientIP(`ip`)```](#clientip)</a> | Checks if the connection's client IP correspond to `ip`. It accepts IPv4, IPv6 and CIDR formats.<br /> More information [here](#clientip). |
 | <a id="opt-ALPNprotocol" href="#opt-ALPNprotocol" title="#opt-ALPNprotocol">[```ALPN(`protocol`)```](#alpn)</a> | Checks if the connection's ALPN protocol equals `protocol`.<br /> More information [here](#alpn).          |
@@ -59,6 +59,15 @@ These matchers do not support non-ASCII characters, use punycode encoded values
    when one wants a non-TLS router that matches all (non-TLS) requests,
    one should use the specific ```HostSNI(`*`)``` syntax.

+!!! info "Wildcard subdomain matching"
+
+    The `HostSNI` matcher supports a single-level wildcard prefix (`*.example.com`) to match any direct subdomain of `example.com`.
+    It should be preferred over the `HostSNIRegexp` matcher as it allows attaching a TLS option and is more efficient.
+
+    A wildcard matches exactly one subdomain label: `*.example.com` matches `foo.example.com` but not `foo.bar.example.com` or `example.com` itself.    
+
+    This is only available with the **v3 rule syntax** (the default).
+
 #### Examples

 Match all connections:
@@ -77,7 +86,13 @@ Match TCP connections sent to `example.com`:
 HostSNI(`example.com`)
 ```

-Match TCP connections opened on any subdomain of `example.com`:
+Match TCP connections opened on any direct subdomain of `example.com` (e.g. `foo.example.com`):
+
+```yaml
+HostSNI(`*.example.com`)
+```
+
+Match TCP connections opened on any subdomain of `example.com` (including nested subdomains), using a regular expression:

 ```yaml
 HostSNIRegexp(`^.+\.example\.com$`)
@@ -201,3 +216,9 @@ Traefik reserves a range of priorities for its internal routers, the maximum use

 - `(MaxInt32 - 1000)` for 32-bit platforms,
 - `(MaxInt64 - 1000)` for 64-bit platforms.
+
+!!! info "Providers Precedence"
+
+    When two routes from **different providers** share the same numeric priority,
+    Traefik uses the [`providers.precedence`](../../../install-configuration/providers/overview.md#providers-precedence) install configuration option to determine which route takes precedence.
+    The provider listed first in `precedence` wins the tie.
@@ -50,6 +50,7 @@
      insecure = true
      trustedIPs = ["foobar", "foobar"]
      connection = ["foobar", "foobar"]
+      addXForwardedSchemeHeaders = true
    [entryPoints.EntryPoint0.http]
      middlewares = ["foobar", "foobar"]
      encodeQuerySemicolons = true
@@ -61,6 +61,7 @@ entryPoints:
      connection:
        - foobar
        - foobar
+      addXForwardedSchemeHeaders: true
    http:
      redirections:
        entryPoint:
@@ -133,3 +133,8 @@ entryPoints:
 --entryPoints.websecure.http.encodedCharacters.allowEncodedQuestionMark=false
 --entryPoints.websecure.http.encodedCharacters.allowEncodedHash=false
 ```
+
+!!! info "Encoded Characters filtering on a per-route basis"
+
+    If you need to configure encoded character filtering on a per-route basis, you can use the `EncodedCharacters` middleware.
+    Refer to the documentation for the [`EncodedCharacter` middleware](../reference/routing-configuration/http/middlewares/encodedcharacters.md) for detailed implementation instructions and configuration options.
@@ -64,7 +64,7 @@ In your project root folder (the parent folder to the `dynamic/tls.yaml` file),
 ```yaml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    container_name: traefik
    restart: unless-stopped
    security_opt:
@@ -153,9 +153,9 @@ ingressClass:
 # Providers tell Traefik where to find routing configuration.
 providers:
  kubernetesIngress:
-     enabled: false
+    enabled: false
  kubernetesGateway:
-     enabled: true
+    enabled: true

 ## Gateway Listeners
 gateway:
@@ -61,7 +61,7 @@ In the same directory, create `docker‑compose‑swarm.yaml`:
 ```yaml
 services:
  traefik:
-    image: traefik:v3.6
+    image: traefik:v3.7
    
    networks:
    # Connect to the 'traefik_proxy' overlay network for inter-container communication across nodes
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -11,7 +11,7 @@ secrets:
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -1,7 +1,7 @@
 services:

  traefik:
-    image: "traefik:v3.6"
+    image: "traefik:v3.7"
    container_name: "traefik"
    command:
      #- "--log.level=DEBUG"
@@ -318,6 +318,7 @@ nav:
              - 'ContentType': 'reference/routing-configuration/http/middlewares/contenttype.md'
              - 'DigestAuth': 'reference/routing-configuration/http/middlewares/digestauth.md'
              - '<span class="nav-link-with-icon">Distributed RateLimit <img src="https://doc.traefik.io/traefik-hub/img/ps-traefik-hub-logo-light.svg" class="menu-icon" alt="Traefik Hub API Gateway"></span>' : 'reference/routing-configuration/http/middlewares/distributed-ratelimit.md'
+              - 'EncodedCharacters': 'reference/routing-configuration/http/middlewares/encodedcharacters.md'
              - 'Errors': 'reference/routing-configuration/http/middlewares/errorpages.md'
              - 'ForwardAuth': 'reference/routing-configuration/http/middlewares/forwardauth.md'
              - 'GrpcWeb': 'reference/routing-configuration/http/middlewares/grpcweb.md'
@@ -0,0 +1,58 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1778036283,
+        "narHash": "sha256-GW2cEd/cLcVbbCes8iQuoY2qGIeCA7UiaD351hpkXfI=",
+        "rev": "ed67bc86e84e51d4a88e73c7fd36006dc876476f",
+        "type": "tarball",
+        "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre993032.ed67bc86e84e/nixexprs.tar.xz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz"
+      }
+    },
+    "nixpkgs-golangci": {
+      "locked": {
+        "lastModified": 1771861243,
+        "narHash": "sha256-mz05b1VyLWoTkNg8iJr3yXFJF7HDlwIUKI3ln39RacY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "80d901ec0377e19ac3f7bb8c035201e2e098cc97",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "80d901ec0377e19ac3f7bb8c035201e2e098cc97",
+        "type": "github"
+      }
+    },
+    "nixpkgs-kct": {
+      "locked": {
+        "lastModified": 1763934636,
+        "narHash": "sha256-9glbI7f1uU+yzQCq5LwLgdZqx6svOhZWkd4JRY265fc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ee09932cedcef15aaf476f9343d1dea2cb77e261",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-golangci": "nixpkgs-golangci",
+        "nixpkgs-kct": "nixpkgs-kct"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
@@ -0,0 +1,45 @@
+{
+  description = "Dev shell for dev environment";
+
+  inputs = {
+    # Main nixpkgs (used for gnused)
+    nixpkgs.url = "https://channels.nixos.org/nixpkgs-unstable/nixexprs.tar.xz";
+
+    # Pinned nixpkgs for kubernetes-controller-tools
+    # Search: https://www.nixhub.io/packages/kubernetes-controller-tools
+    nixpkgs-kct.url = "github:NixOS/nixpkgs/ee09932cedcef15aaf476f9343d1dea2cb77e261";
+
+    # Pinned nixpkgs for golangci-lint
+    # Search: https://www.nixhub.io/packages/golangci-lint
+    nixpkgs-golangci.url = "github:NixOS/nixpkgs/80d901ec0377e19ac3f7bb8c035201e2e098cc97";
+  };
+
+  outputs =
+    {
+      nixpkgs,
+      nixpkgs-kct,
+      nixpkgs-golangci,
+      ...
+    }:
+    let
+      inherit (nixpkgs.lib) genAttrs;
+      forEachSystem = genAttrs nixpkgs.lib.systems.flakeExposed;
+
+      pkgsForEach = nixpkgs.legacyPackages;
+      pkgsKctForEach = nixpkgs-kct.legacyPackages;
+      pkgsGolangCiForEach = nixpkgs-golangci.legacyPackages;
+    in
+    {
+      devShells = forEachSystem (system: {
+        default = pkgsForEach.${system}.mkShell {
+          packages = [
+            pkgsForEach.${system}.gnused
+            pkgsKctForEach.${system}.kubernetes-controller-tools
+            pkgsGolangCiForEach.${system}.golangci-lint
+          ];
+        };
+      });
+
+      formatter = forEachSystem (system: pkgsForEach.${system}.nixfmt);
+    };
+}
@@ -8,22 +8,22 @@ require (
 	github.com/abbot/go-http-auth v0.0.0-00010101000000-000000000000 // No tag on the repo.
 	github.com/andybalholm/brotli v1.2.0
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5
-	github.com/aws/aws-sdk-go-v2 v1.41.1
-	github.com/aws/aws-sdk-go-v2/config v1.32.8
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.8
+	github.com/aws/aws-sdk-go-v2 v1.41.6
+	github.com/aws/aws-sdk-go-v2/config v1.32.16
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.15
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.203.1
 	github.com/aws/aws-sdk-go-v2/service/ecs v1.53.15
 	github.com/aws/aws-sdk-go-v2/service/ssm v1.56.13
-	github.com/aws/smithy-go v1.24.0
+	github.com/aws/smithy-go v1.25.0
 	github.com/cenkalti/backoff/v4 v4.3.0
+	github.com/containerd/errdefs v1.0.0
 	github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd // No tag on the repo.
 	github.com/coreos/go-systemd/v22 v22.5.0
-	github.com/docker/cli v29.2.1+incompatible
-	github.com/docker/docker v28.5.2+incompatible
+	github.com/docker/cli v29.4.0+incompatible
 	github.com/docker/go-connections v0.6.0
 	github.com/fatih/structs v1.1.0
-	github.com/fsnotify/fsnotify v1.9.0
-	github.com/go-acme/lego/v4 v4.33.0
+	github.com/fsnotify/fsnotify v1.10.1
+	github.com/go-acme/lego/v4 v4.35.2
 	github.com/go-kit/kit v0.13.0
 	github.com/go-kit/log v0.2.1
 	github.com/golang/protobuf v1.5.4
@@ -33,9 +33,10 @@ require (
 	github.com/hashicorp/consul/api v1.26.1
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-retryablehttp v0.7.8
-	github.com/hashicorp/go-version v1.8.0
+	github.com/hashicorp/go-version v1.9.0
 	github.com/hashicorp/nomad/api v0.0.0-20231213195942-64e3dca9274b // No tag on the repo.
 	github.com/http-wasm/http-wasm-host-go v0.7.0
+	github.com/huandu/xstrings v1.5.0
 	github.com/influxdata/influxdb-client-go/v2 v2.7.0
 	github.com/influxdata/influxdb1-client v0.0.0-20200827194710-b269163b24ab // No tag on the repo.
 	github.com/klauspost/compress v1.18.5
@@ -49,86 +50,91 @@ require (
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/mitchellh/hashstructure v1.0.0
 	github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // No tag on the repo.
+	github.com/moby/moby/api v1.54.1
+	github.com/moby/moby/client v0.4.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/pires/go-proxyproto v0.8.1
+	github.com/pires/go-proxyproto v0.12.0
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // No tag on the repo.
-	github.com/prometheus/client_golang v1.23.0
+	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/client_model v0.6.2
-	github.com/quic-go/quic-go v0.59.0
+	github.com/quic-go/quic-go v0.59.1
 	github.com/redis/go-redis/v9 v9.8.0
 	github.com/rs/zerolog v1.33.0
-	github.com/sirupsen/logrus v1.9.3
+	github.com/sirupsen/logrus v1.9.4
 	github.com/spiffe/go-spiffe/v2 v2.6.0
 	github.com/stealthrocket/wasi-go v0.8.0
 	github.com/stealthrocket/wazergo v0.19.1
 	github.com/stretchr/testify v1.11.1
 	github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807 // No tag on the repo.
 	github.com/tailscale/tscert v0.0.0-20230806124524-28a91b69a046 // No tag on the repo.
-	github.com/testcontainers/testcontainers-go v0.40.0
-	github.com/testcontainers/testcontainers-go/modules/k3s v0.40.0
+	github.com/testcontainers/testcontainers-go v0.42.0
+	github.com/testcontainers/testcontainers-go/modules/k3s v0.42.0
 	github.com/tetratelabs/wazero v1.8.0
 	github.com/tidwall/gjson v1.17.0
 	github.com/traefik/grpc-web v0.16.0
 	github.com/traefik/paerser v0.2.2
+	github.com/traefik/traefik/dynamic/ext v0.0.0-00010101000000-000000000000
 	github.com/traefik/yaegi v0.16.1
+	github.com/tufanbarisyildirim/gonginx v0.0.0-20250620092546-c3e307e36701 // latest tag is too old.
 	github.com/unrolled/render v1.0.2
 	github.com/unrolled/secure v1.0.9
 	github.com/valyala/fasthttp v1.69.0
-	github.com/vulcand/oxy/v2 v2.0.3
-	github.com/vulcand/predicate v1.2.0
+	github.com/vulcand/oxy/v2 v2.1.0
+	github.com/vulcand/predicate v1.3.0
 	github.com/yuin/gopher-lua v1.1.1
 	go.opentelemetry.io/collector/pdata v1.41.0
 	go.opentelemetry.io/contrib/bridges/otellogrus v0.13.0
 	go.opentelemetry.io/contrib/propagators/autoprop v0.63.0
-	go.opentelemetry.io/otel v1.41.0
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.17.0
-	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.17.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.41.0
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.41.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.41.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0
-	go.opentelemetry.io/otel/log v0.17.0
-	go.opentelemetry.io/otel/metric v1.41.0
-	go.opentelemetry.io/otel/sdk v1.41.0
-	go.opentelemetry.io/otel/sdk/log v0.17.0
-	go.opentelemetry.io/otel/sdk/metric v1.41.0
-	go.opentelemetry.io/otel/trace v1.41.0
-	golang.org/x/crypto v0.48.0
-	golang.org/x/mod v0.32.0
-	golang.org/x/net v0.51.0
-	golang.org/x/sync v0.19.0
-	golang.org/x/sys v0.41.0
-	golang.org/x/text v0.34.0
-	golang.org/x/time v0.14.0
-	golang.org/x/tools v0.41.0
-	google.golang.org/grpc v1.79.3
+	go.opentelemetry.io/otel v1.43.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.43.0
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.43.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.43.0
+	go.opentelemetry.io/otel/log v0.19.0
+	go.opentelemetry.io/otel/metric v1.43.0
+	go.opentelemetry.io/otel/sdk v1.43.0
+	go.opentelemetry.io/otel/sdk/log v0.19.0
+	go.opentelemetry.io/otel/sdk/metric v1.43.0
+	go.opentelemetry.io/otel/trace v1.43.0
+	golang.org/x/crypto v0.52.0
+	golang.org/x/mod v0.35.0
+	golang.org/x/net v0.55.0
+	golang.org/x/sync v0.20.0
+	golang.org/x/sys v0.45.0
+	golang.org/x/text v0.37.0
+	golang.org/x/time v0.15.0
+	golang.org/x/tools v0.44.0
+	google.golang.org/grpc v1.80.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.34.3
-	k8s.io/apiextensions-apiserver v0.34.3
-	k8s.io/apimachinery v0.34.3
-	k8s.io/client-go v0.34.3
-	k8s.io/utils v0.0.0-20250820121507-0af2bda4dd1d // No tag on the repo.
-	knative.dev/networking v0.0.0-20241022012959-60e29ff520dc
-	knative.dev/pkg v0.0.0-20241021183759-9b9d535af5ad
+	k8s.io/api v0.35.2
+	k8s.io/apiextensions-apiserver v0.35.2
+	k8s.io/apimachinery v0.35.2
+	k8s.io/client-go v0.35.2
+	k8s.io/utils v0.0.0-20260108192941-914a6e750570 // No tag on the repo.
+	knative.dev/networking v0.0.0-20251217020127-11890a5dabea
+	knative.dev/pkg v0.0.0-20251216153728-9c8140b780d1
 	mvdan.cc/xurls/v2 v2.5.0
-	sigs.k8s.io/controller-runtime v0.22.1
-	sigs.k8s.io/gateway-api v1.4.0
-	sigs.k8s.io/structured-merge-diff/v6 v6.3.1
+	sigs.k8s.io/controller-runtime v0.23.3
+	sigs.k8s.io/gateway-api v1.5.1
+	sigs.k8s.io/gateway-api/conformance v1.5.1
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.2
 	sigs.k8s.io/yaml v1.6.0
 )

 require (
-	cloud.google.com/go/auth v0.18.1 // indirect
+	cloud.google.com/go/auth v0.20.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
 	cloud.google.com/go/compute/metadata v0.9.0 // indirect
 	dario.cat/mergo v1.0.2 // indirect
 	github.com/AdamSLevy/jsonrpc2/v14 v14.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.1 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.12.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/dns/armdns v1.2.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resourcegraph/armresourcegraph v0.9.0 // indirect
@@ -143,42 +149,43 @@ require (
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 // indirect
-	github.com/HdrHistogram/hdrhistogram-go v1.1.2 // indirect
+	github.com/HdrHistogram/hdrhistogram-go v1.2.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Masterminds/semver/v3 v3.4.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
-	github.com/akamai/AkamaiOPEN-edgegrid-golang/v11 v11.1.0 // indirect
+	github.com/akamai/AkamaiOPEN-edgegrid-golang/v13 v13.1.0 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 // indirect
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
-	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.15 // indirect
+	github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.16 // indirect
 	github.com/alibabacloud-go/debug v1.0.1 // indirect
 	github.com/alibabacloud-go/tea v1.4.0 // indirect
-	github.com/alibabacloud-go/tea-utils/v2 v2.0.7 // indirect
+	github.com/alibabacloud-go/tea-utils/v2 v2.0.9 // indirect
 	github.com/aliyun/credentials-go v1.4.7 // indirect
 	github.com/armon/go-metrics v0.4.1 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect
-	github.com/aws/aws-sdk-go-v2/service/lightsail v1.50.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.22 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.22 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lightsail v1.53.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.62.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.20 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.42.0 // indirect
 	github.com/aziontech/azionapi-go-sdk v0.144.0 // indirect
-	github.com/baidubce/bce-sdk-go v0.9.260 // indirect
+	github.com/baidubce/bce-sdk-go v0.9.265 // indirect
 	github.com/benbjohnson/clock v1.3.5 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blendle/zapdriver v1.3.1 // indirect
-	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
-	github.com/bytedance/sonic v1.12.0 // indirect
+	github.com/bodgit/tsig v1.2.2 // indirect
+	github.com/boombuler/barcode v1.0.1 // indirect
+	github.com/bytedance/sonic v1.15.1 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v1.0.0-rc.1 // indirect
@@ -192,14 +199,14 @@ require (
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/dnsimple/dnsimple-go/v4 v4.0.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/ebitengine/purego v0.8.4 // indirect
+	github.com/ebitengine/purego v0.10.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
-	github.com/exoscale/egoscale/v3 v3.1.33 // indirect
+	github.com/exoscale/egoscale/v3 v3.1.34 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/gin-gonic/gin v1.9.1 // indirect
 	github.com/go-acme/alidns-20150109/v4 v4.7.0 // indirect
@@ -208,7 +215,7 @@ require (
 	github.com/go-acme/tencentclouddnspod v1.3.24 // indirect
 	github.com/go-acme/tencentedgdeone v1.3.38 // indirect
 	github.com/go-errors/errors v1.0.1 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -221,27 +228,25 @@ require (
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.23.0 // indirect
-	github.com/go-resty/resty/v2 v2.17.1 // indirect
+	github.com/go-resty/resty/v2 v2.17.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
 	github.com/go-zookeeper/zk v1.0.3 // indirect
-	github.com/goccy/go-yaml v1.18.0 // indirect
+	github.com/goccy/go-yaml v1.19.2 // indirect
 	github.com/gofrs/flock v0.13.0 // indirect
 	github.com/gofrs/uuid v4.4.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.2.0 // indirect
-	github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
-	github.com/googleapis/gax-go/v2 v2.17.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.14 // indirect
+	github.com/googleapis/gax-go/v2 v2.21.0 // indirect
 	github.com/gophercloud/gophercloud v1.14.1 // indirect
 	github.com/gophercloud/utils v0.0.0-20231010081019-80377eca5d56 // indirect
-	github.com/gravitational/trace v1.1.16-0.20220114165159-14a9a7dd6aaf // indirect
+	github.com/gravitational/trace v1.5.1 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/hashicorp/cronexpr v1.1.2 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -254,48 +259,51 @@ require (
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
 	github.com/hashicorp/serf v0.10.1 // indirect
-	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.187 // indirect
+	github.com/huaweicloud/huaweicloud-sdk-go-v3 v0.1.192 // indirect
 	github.com/iij/doapi v0.0.0-20190504054126-0bbf12d6d7df // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839 // indirect
-	github.com/infobloxopen/infoblox-go-client/v2 v2.10.0 // indirect
-	github.com/jonboulle/clockwork v0.5.0 // indirect
+	github.com/infobloxopen/infoblox-go-client/v2 v2.11.0 // indirect
+	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
+	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
+	github.com/jcmturner/gofork v1.7.6 // indirect
+	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
+	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
+	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	github.com/jinzhu/copier v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.13-0.20220915233716-71ac16282d12 // indirect
 	github.com/k0kubun/go-ansi v0.0.0-20180517002512-3bf9e2903213 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/kolo/xmlrpc v0.0.0-20220921171641-a4b6fa1dd06b // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/labbsr0x/bindman-dns-webhook v1.0.2 // indirect
 	github.com/labbsr0x/goh v1.0.1 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/linode/linodego v1.65.0 // indirect
-	github.com/liquidweb/liquidweb-cli v0.6.9 // indirect
+	github.com/linode/linodego v1.68.0 // indirect
+	github.com/liquidweb/liquidweb-cli v0.7.0 // indirect
 	github.com/liquidweb/liquidweb-go v1.6.4 // indirect
 	github.com/lufia/plan9stats v0.0.0-20250317134145-8bc96cf8fc35 // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/mailgun/minheap v0.0.0-20170619185613-3dbe6c6bf55f // indirect
-	github.com/mailgun/multibuf v0.1.2 // indirect
+	github.com/mailgun/multibuf v0.2.0 // indirect
 	github.com/mailgun/timetools v0.0.0-20141028012446-7e6055773c51 // indirect
-	github.com/mailru/easyjson v0.9.0 // indirect
+	github.com/mailru/easyjson v0.9.1 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-isatty v0.0.21 // indirect
 	github.com/mimuret/golang-iij-dpf v0.9.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/go-archive v0.1.0 // indirect
-	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/go-archive v0.2.0 // indirect
+	github.com/moby/patternmatcher v0.6.1 // indirect
+	github.com/moby/spdystream v0.5.1 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
-	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/namedotcom/go/v4 v4.0.2 // indirect
@@ -309,15 +317,15 @@ require (
 	github.com/nrdcg/mailinabox v0.3.0 // indirect
 	github.com/nrdcg/namesilo v0.5.0 // indirect
 	github.com/nrdcg/nodion v0.1.0 // indirect
-	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.108.2 // indirect
-	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.108.2 // indirect
+	github.com/nrdcg/oci-go-sdk/common/v1065 v1065.113.0 // indirect
+	github.com/nrdcg/oci-go-sdk/dns/v1065 v1065.113.0 // indirect
 	github.com/nrdcg/porkbun v0.4.0 // indirect
 	github.com/nrdcg/vegadns v0.3.0 // indirect
 	github.com/nzdjb/go-metaname v1.0.0 // indirect
 	github.com/onsi/ginkgo v1.16.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/openzipkin/zipkin-go v0.4.3 // indirect
+	github.com/openshift/gssapi v0.0.0-20161010215902-5fb4217df13b // indirect
 	github.com/ovh/go-ovh v1.9.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/peterhellberg/link v1.2.0 // indirect
@@ -325,13 +333,13 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/pquerna/otp v1.5.0 // indirect
-	github.com/prometheus/common v0.65.0 // indirect
-	github.com/prometheus/procfs v0.17.0 // indirect
+	github.com/prometheus/common v0.67.4 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
 	github.com/rs/cors v1.7.0 // indirect
 	github.com/rs/dnscache v0.0.0-20230804202142-fc85eb664529 // indirect
-	github.com/sacloud/api-client-go v0.3.3 // indirect
+	github.com/sacloud/api-client-go v0.3.5 // indirect
 	github.com/sacloud/go-http v0.1.9 // indirect
 	github.com/sacloud/iaas-api-go v1.23.1 // indirect
 	github.com/sacloud/packages-go v0.0.12 // indirect
@@ -339,8 +347,8 @@ require (
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.36 // indirect
 	github.com/selectel/domains-go v1.1.0 // indirect
-	github.com/selectel/go-selvpcclient/v4 v4.1.0 // indirect
-	github.com/shirou/gopsutil/v4 v4.25.6 // indirect
+	github.com/selectel/go-selvpcclient/v4 v4.2.0 // indirect
+	github.com/shirou/gopsutil/v4 v4.26.3 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/softlayer/softlayer-go v1.2.1 // indirect
 	github.com/softlayer/xmlrpc v0.0.0-20200409220501-5f089df7cb7e // indirect
@@ -348,55 +356,55 @@ require (
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/pflag v1.0.7 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/spf13/viper v1.18.2 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.48 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.3.83 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
-	github.com/tklauser/go-sysconf v0.3.15 // indirect
-	github.com/tklauser/numcpus v0.10.0 // indirect
-	github.com/transip/gotransip/v6 v6.26.1 // indirect
+	github.com/tklauser/go-sysconf v0.3.16 // indirect
+	github.com/tklauser/numcpus v0.11.0 // indirect
+	github.com/transip/gotransip/v6 v6.26.2 // indirect
+	github.com/ucloud/ucloud-sdk-go v0.22.63 // indirect
 	github.com/ultradns/ultradns-go-sdk v1.8.1-20250722213956-faef419 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/vinyldns/go-vinyldns v0.9.17 // indirect
-	github.com/volcengine/volc-sdk-golang v1.0.237 // indirect
-	github.com/vultr/govultr/v3 v3.27.0 // indirect
+	github.com/volcengine/volc-sdk-golang v1.0.242 // indirect
+	github.com/vultr/govultr/v3 v3.31.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	github.com/yandex-cloud/go-genproto v0.54.0 // indirect
-	github.com/yandex-cloud/go-sdk/services/dns v0.0.36 // indirect
-	github.com/yandex-cloud/go-sdk/v2 v2.56.0 // indirect
+	github.com/yandex-cloud/go-genproto v0.73.0 // indirect
+	github.com/yandex-cloud/go-sdk/services/dns v0.0.54 // indirect
+	github.com/yandex-cloud/go-sdk/v2 v2.92.0 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.etcd.io/etcd/api/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/pkg/v3 v3.6.4 // indirect
-	go.etcd.io/etcd/client/v3 v3.6.4 // indirect
-	go.mongodb.org/mongo-driver v1.13.1 // indirect
-	go.opencensus.io v0.24.0 // indirect
+	go.etcd.io/etcd/api/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/pkg/v3 v3.6.5 // indirect
+	go.etcd.io/etcd/client/v3 v3.6.5 // indirect
+	go.mongodb.org/mongo-driver v1.17.9 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
 	go.opentelemetry.io/collector/featuregate v1.41.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
 	go.opentelemetry.io/contrib/propagators/aws v1.38.0 // indirect
 	go.opentelemetry.io/contrib/propagators/b3 v1.38.0 // indirect
 	go.opentelemetry.io/contrib/propagators/jaeger v1.38.0 // indirect
 	go.opentelemetry.io/contrib/propagators/ot v1.38.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.9.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/ratelimit v0.3.1 // indirect
-	go.uber.org/zap v1.27.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.uber.org/zap v1.27.1 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.4.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
-	golang.org/x/oauth2 v0.35.0 // indirect
-	golang.org/x/term v0.40.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/api v0.267.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260209200024-4cfbd4190f57 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260209200024-4cfbd4190f57 // indirect
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
+	golang.org/x/oauth2 v0.36.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
+	google.golang.org/api v0.276.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260401024825-9d38bb4040a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -404,12 +412,15 @@ require (
 	gopkg.in/ns1/ns1-go.v2 v2.17.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 )

+// Dynamic config extension.
+replace github.com/traefik/traefik/dynamic/ext => ./pkg/config/dynamic/ext
+
 // Containous forks
 replace (
 	github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e
@@ -0,0 +1,53 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[api]
+  insecure = true
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8000"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    entrypoints = ["web"]
+    service = "failover-service"
+    rule = "Path(`/whoami`)"
+
+[http.services]
+  # Failover service with health check
+  [http.services.failover-service]
+    [http.services.failover-service.failover]
+      service = "main-service"
+      fallback = "fallback-service"
+      [http.services.failover-service.failover.healthCheck]
+
+  # Main service with health check enabled
+  [http.services.main-service]
+    [http.services.main-service.loadBalancer]
+      [http.services.main-service.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "1s"
+        timeout = "0.9s"
+      [[http.services.main-service.loadBalancer.servers]]
+        url = "http://{{ .MainServer }}:80"
+
+  # Fallback service with health check enabled
+  [http.services.fallback-service]
+    [http.services.fallback-service.loadBalancer]
+      [http.services.fallback-service.loadBalancer.healthCheck]
+        path = "/health"
+        interval = "1s"
+        timeout = "0.9s"
+      [[http.services.fallback-service.loadBalancer.servers]]
+        url = "http://{{ .FallbackServer }}:80"
--- a/Show More
+++ b/Show More