Allow configuration of ACME provider http timeout

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>

.github/workflows/release.yaml

@@ -10,7 +10,7 @@ env:
   CGO_ENABLED: 0
   VERSION: ${{ github.ref_name }}
   TRAEFIKER_EMAIL: "traefiker@traefik.io"
-  CODENAME: saintnectaire
+  CODENAME: chaource
 
 jobs:
 

CHANGELOG.md

@@ -1,3 +1,11 @@
+## [v3.4.0-rc2](https://github.com/traefik/traefik/tree/v3.4.0-rc2) (2025-04-18)
+[All Commits](https://github.com/traefik/traefik/compare/v3.4.0-rc1...v3.4.0-rc2)
+
+**Bug fixes:**
+- **[k8s/crd]** Remove default load-balancing strategy from CRD ([#11701](https://github.com/traefik/traefik/pull/11701) by [kevinpollet](https://github.com/kevinpollet))
+- **[k8s/crd]** Restrict regex validation of HTTP status codes for Ingress CRD resources ([#11670](https://github.com/traefik/traefik/pull/11670) by [jnoordsij](https://github.com/jnoordsij))
+- Bump github.com/redis/go-redis/v9 to v9.7.3 ([#11687](https://github.com/traefik/traefik/pull/11687) by [kevinpollet](https://github.com/kevinpollet))
+
 ## [v3.3.6](https://github.com/traefik/traefik/tree/v3.3.6) (2025-04-18)
 [All Commits](https://github.com/traefik/traefik/compare/v3.3.5...v3.3.6)
 
@@ -33,6 +41,37 @@
 
 Release canceled.
 
+## [v3.4.0-rc1](https://github.com/traefik/traefik/tree/v3.4.0-rc1) (2025-03-31)
+[All Commits](https://github.com/traefik/traefik/compare/v3.3.0-rc1...v3.4.0-rc1)
+
+**Enhancements:**
+- **[acme]** Add acme.profile and acme.emailAddresses options ([#11597](https://github.com/traefik/traefik/pull/11597) by [ldez](https://github.com/ldez))
+- **[docker,ecs,docker/swarm,consulcatalog,nomad]** Allow configuring server URLs with label providers ([#11374](https://github.com/traefik/traefik/pull/11374) by [yelvert](https://github.com/yelvert))
+- **[k8s/crd,k8s]** Improve CEL validation on Ingress CRD resources ([#11311](https://github.com/traefik/traefik/pull/11311) by [mloiseleur](https://github.com/mloiseleur))
+- **[k8s/gatewayapi]** Set rule priority in Gateway API TLSRoute ([#11443](https://github.com/traefik/traefik/pull/11443) by [augustozanellato](https://github.com/augustozanellato))
+- **[k8s/ingress]** Add ingress status for ClusterIP and NodePort Service Type ([#11100](https://github.com/traefik/traefik/pull/11100) by [mlec1](https://github.com/mlec1))
+- **[middleware,authentication]** Add option to preserve request method in forwardAuth ([#11473](https://github.com/traefik/traefik/pull/11473) by [an09mous](https://github.com/an09mous))
+- **[middleware]** Support rewriting status codes in error page middleware ([#11520](https://github.com/traefik/traefik/pull/11520) by [sevensolutions](https://github.com/sevensolutions))
+- **[middleware]** Add Redis rate limiter ([#10211](https://github.com/traefik/traefik/pull/10211) by [longquan0104](https://github.com/longquan0104))
+- **[service]** Add p2c load-balancing strategy for servers load-balancer ([#11547](https://github.com/traefik/traefik/pull/11547) by [rtribotte](https://github.com/rtribotte))
+- **[sticky-session]** Support domain configuration for sticky cookies ([#11556](https://github.com/traefik/traefik/pull/11556) by [jleal52](https://github.com/jleal52))
+- **[tls,k8s/crd,service]** Allow root CA to be added through config maps ([#11475](https://github.com/traefik/traefik/pull/11475) by [Nelwhix](https://github.com/Nelwhix))
+- **[tls]** Add support to disable session ticket ([#11609](https://github.com/traefik/traefik/pull/11609) by [avdhoot](https://github.com/avdhoot))
+- **[udp]** Add support for UDP routing in systemd socket activation ([#11022](https://github.com/traefik/traefik/pull/11022) by [tsiid](https://github.com/tsiid))
+- **[webui]** Add auto webui theme option and default to it ([#11455](https://github.com/traefik/traefik/pull/11455) by [zizzfizzix](https://github.com/zizzfizzix))
+- Replace experimental maps and slices with stdlib ([#11350](https://github.com/traefik/traefik/pull/11350) by [Juneezee](https://github.com/Juneezee))
+
+**Documentation:**
+- Deprecate defaultRuleSyntax and ruleSyntax options ([#11619](https://github.com/traefik/traefik/pull/11619) by [rtribotte](https://github.com/rtribotte))
+
+**Misc:**
+- Merge branch v3.3 into master ([#11653](https://github.com/traefik/traefik/pull/11653) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.3 into master ([#11595](https://github.com/traefik/traefik/pull/11595) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.3 into master ([#11541](https://github.com/traefik/traefik/pull/11541) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.3 into master ([#11504](https://github.com/traefik/traefik/pull/11504) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.3 into master ([#11420](https://github.com/traefik/traefik/pull/11420) by [kevinpollet](https://github.com/kevinpollet))
+- Merge branch v3.3 into master ([#11394](https://github.com/traefik/traefik/pull/11394) by [mmatur](https://github.com/mmatur))
+
 ## [v3.3.5](https://github.com/traefik/traefik/tree/v3.3.5) (2025-03-31)
 [All Commits](https://github.com/traefik/traefik/compare/v3.3.4...v3.3.5)
 

Makefile

@@ -101,7 +101,7 @@ test-integration: binary
 #? test-gateway-api-conformance: Run the conformance tests
 test-gateway-api-conformance: build-image-dirty
 	# In case of a new Minor/Major version, the k8sConformanceTraefikVersion needs to be updated.
-	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.3" $(TESTFLAGS)
+	GOOS=$(GOOS) GOARCH=$(GOARCH) go test ./integration -v -test.run K8sConformanceSuite -k8sConformance -k8sConformanceTraefikVersion="v3.4" $(TESTFLAGS)
 
 .PHONY: test-ui-unit
 #? test-ui-unit: Run the unit tests for the webui

cmd/traefik/traefik.go

@@ -12,7 +12,6 @@ import (
 	"os"
 	"os/signal"
 	"slices"
-	"sort"
 	"strings"
 	"syscall"
 	"time"
@@ -428,7 +427,7 @@ func getDefaultsEntrypoints(staticConfiguration *static.Configuration) []string
 		}
 	}
 
-	sort.Strings(defaultEntryPoints)
+	slices.Sort(defaultEntryPoints)
 	return defaultEntryPoints
 }
 
@@ -569,7 +568,7 @@ func registerMetricClients(metricsConfig *types.Metrics) []metrics.Registry {
 }
 
 func appendCertMetric(gauge gokitmetrics.Gauge, certificate *x509.Certificate) {
-	sort.Strings(certificate.DNSNames)
+	slices.Sort(certificate.DNSNames)
 
 	labels := []string{
 		"cn", certificate.Subject.CommonName,

docs/content/getting-started/configuration-overview.md

@@ -79,7 +79,7 @@ traefik --help
 # or
 
 docker run traefik[:version] --help
-# ex: docker run traefik:v3.3 --help
+# ex: docker run traefik:v3.4 --help
 ```
 
 Check the [CLI reference](../reference/static-configuration/cli.md "Link to CLI reference overview") for an overview about all available arguments.

docs/content/getting-started/install-traefik.md

@@ -16,12 +16,12 @@ You can install Traefik with the following flavors:
 
 Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
 
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.yml)
+* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.3/traefik.sample.toml)
+* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.4/traefik.sample.toml)
 
 ```shell
 docker run -d -p 8080:8080 -p 80:80 \
-    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.3
+    -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.4
 ```
 
 For more details, go to the [Docker provider documentation](../providers/docker.md)
@@ -29,7 +29,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
 !!! tip
 
     * Prefer a fixed version than the latest that could be an unexpected version.
-    ex: `traefik:v3.3`
+    ex: `traefik:v3.4`
     * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
     * Any orchestrator using docker images can fetch the official Traefik docker image.
 

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -154,7 +154,7 @@ spec:
       serviceAccountName: traefik-account
       containers:
         - name: traefik
-          image: traefik:v3.3
+          image: traefik:v3.4
           args:
             - --api.insecure
             - --providers.kubernetesingress

docs/content/getting-started/quick-start.md

@@ -20,7 +20,7 @@ version: '3'
 services:
   reverse-proxy:
     # The official v3 Traefik docker image
-    image: traefik:v3.3
+    image: traefik:v3.4
     # Enables the web UI and tells Traefik to listen to docker
     command: --api.insecure=true --providers.docker
     ports:

docs/content/https/acme.md

@@ -250,6 +250,34 @@ when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpc
 !!! info ""
     Redirection is fully compatible with the `HTTP-01` challenge.
 
+#### `Delay`
+
+The delay between the creation of the challenge and the validation.
+A value lower than or equal to zero means no delay.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      httpChallenge:
+        # ...
+        delay: 12
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.httpChallenge]
+    # ...
+    delay = 12
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.httpchallenge.delay=12
+```
+
 ### `dnsChallenge`
 
 Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
@@ -807,6 +835,71 @@ certificatesResolvers:
 # ...
 ```
 
+### `clientTimeout`
+
+_Optional, Default=2m_
+
+`clientTimeout` is the total timeout for a complete HTTP transaction (including TCP connection, sending request and receiving response) with the ACME server.
+It defaults to 2 minutes.
+
+!!! warning "This timeout encompasses the entire request-response cycle, including the response headers timeout. It must be at least `clientResponseHeaderTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientTimeout=1m
+# ...
+```
+
+!!! warning
+    This should not be confused with any timeouts used for validating challenges.
+
+### `clientResponseHeaderTimeout`
+
+_Optional, Default=30s_
+
+`clientResponseHeaderTimeout` defines how long the HTTP client waits for response headers when communicating with the `caServer`.
+It defaults to 30 seconds. 
+
+!!! warning "It must be lower than `clientTimeout`, otherwise the certificate resolver will fail to start."
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      clientResponseHeaderTimeout: 1m
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  clientResponseHeaderTimeout=1m
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=1m
+# ...
+```
+
 ### `preferredChain`
 
 _Optional, Default=""_
@@ -838,6 +931,66 @@ certificatesResolvers:
 # ...
 ```
 
+### `profile`
+
+_Optional, Default=""_
+
+Certificate profile to use.
+
+For more information, please check out the [Let's Encrypt blog post](https://letsencrypt.org/2025/01/09/acme-profiles/) about certificate profile selection.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      profile: tlsserver
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  profile = "tlsserver"
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.profile=tlsserver
+# ...
+```
+
+### `emailAddresses`
+
+_Optional, Default=""_
+
+CSR email addresses to use.
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      emailAddresses:
+        - foo@example.com
+        - bar@example.org
+      # ...
+```
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  emailAddresses = ["foo@example.com", "bar@example.org"]
+  # ...
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.emailaddresses=foo@example.com,bar@example.org
+# ...
+```
+
 ### `keyType`
 
 _Optional, Default="RSA4096"_

docs/content/https/ref-acme.toml

@@ -30,6 +30,20 @@
   #
   # certificatesDuration=2160
 
+  # Timeout for a complete HTTP transaction with the ACME server.
+  #
+  # Optional
+  # Default: 2m
+  #
+  # clientTimeout="2m"
+
+  # Timeout for receiving the response headers when communicating with the ACME server.
+  #
+  # Optional
+  # Default: 30s
+  #
+  # clientResponseHeaderTimeout="30s"
+
   # Preferred chain to use.
   #
   # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/ref-acme.txt

@@ -29,6 +29,20 @@
 #
 --certificatesresolvers.myresolver.acme.certificatesDuration=2160
 
+# Timeout for a complete HTTP transaction with the ACME server.
+#
+# Optional
+# Default: 2m
+#
+--certificatesresolvers.myresolver.acme.clientTimeout=2m
+
+# Timeout for receiving the response headers when communicating with the ACME server.
+#
+# Optional
+# Default: 30s
+#
+--certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=30s
+
 # Preferred chain to use.
 #
 # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/ref-acme.yaml

@@ -32,6 +32,20 @@ certificatesResolvers:
       #
       # certificatesDuration: 2160
 
+      # Timeout for a complete HTTP transaction with the ACME server.
+      #
+      # Optional
+      # Default: 2m
+      #
+      # clientTimeout: "2m"
+
+      # Timeout for receiving the response headers when communicating with the ACME server.
+      #
+      # Optional
+      # Default: 30s
+      #
+      # clientResponseHeaderTimeout: "30s"
+
       # Preferred chain to use.
       #
       # If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.

docs/content/https/tls.md

@@ -553,4 +553,38 @@ spec:
     clientAuthType: RequireAndVerifyClientCert
 ```
 
+### Disable Session Tickets
+
+_Optional, Default="false"_
+
+When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      disableSessionTickets: true
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    disableSessionTickets = true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  disableSessionTickets: true
+```
+
 {!traefik-for-business-applications.md!}

docs/content/middlewares/http/errorpages.md

@@ -102,6 +102,19 @@ The status code ranges are inclusive (`505-599` will trigger with every code bet
     The comma-separated syntax is only available for label-based providers.
     The examples above demonstrate which syntax is appropriate for each provider.
 
+### `statusRewrites`
+
+An optional mapping of status codes to be rewritten. For example, if a service returns a 418, you might want to rewrite it to a 404.
+You can map individual status codes or even ranges to a different status code. The syntax for ranges follows the same rules as the `status` option.
+
+Here is an example:
+
+```yml
+statusRewrites:
+  "500-503": 500
+  "418": 404
+```
+
 ### `service`
 
 The service that will serve the new requested error page.
@@ -124,6 +137,7 @@ There are multiple variables that can be placed in the `query` option to insert
 The table below lists all the available variables and their associated values.
 
 | Variable           | Value                                                                                      |
-|------------|--------------------------------------------------------------------|
+|--------------------|--------------------------------------------------------------------------------------------|
-| `{status}` | The response status code.                                          |
+| `{status}`         | The response status code. It may be rewritten when using the `statusRewrites` option.      |
+| `{originalStatus}` | The original response status code, if it has been modified by the `statusRewrites` option. |
 | `{url}`            | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL.                         |

docs/content/middlewares/http/forwardauth.md

@@ -746,5 +746,45 @@ http:
   preserveLocationHeader = true
 ```
 
+### `preserveRequestMethod`
+
+_Optional, Default=false_
+
+`preserveRequestMethod` defines whether to preserve the original request method while forwarding the request to the authentication server. By default, when this option is set to `false`, incoming requests are always forwarded as `GET` requests to the authentication server.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-auth
+spec:
+  forwardAuth:
+    # ...
+    preserveRequestMethod: true
+```
+
+```json tab="Consul Catalog"
+- "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-auth:
+      forwardAuth:
+        # ...
+        preserveRequestMethod: true
+```
+
+```toml tab="File (TOML)"
+[http.middlewares.test-auth.forwardAuth]
+  # ...
+  preserveRequestMethod = true
+```
 
 {!traefik-for-business-applications.md!}

docs/content/middlewares/http/ratelimit.md

@@ -496,3 +496,718 @@ http:
     [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
       requestHost = true
 ```
+
+### `redis`
+
+Enables distributed rate limit using `redis` to store the tokens.
+If not set, Traefik's in-memory storage is used by default.
+
+#### `redis.endpoints`
+
+_Required, Default="127.0.0.1:6379"_
+
+Defines how to connect to the Redis server.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=127.0.0.1:6379"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      endpoints:
+        - "127.0.0.1:6379"
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=127.0.0.1:6379"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          endpoints:
+            - "127.0.0.1:6379"
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      endpoints = ["127.0.0.1:6379"]
+```
+
+#### `redis.username`
+
+_Optional, Default=""_
+
+Defines the username used to authenticate with the Redis server.
+
+```yaml tab="Docker & Swarm"
+labels:
+    - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=user"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+   name: test-ratelimit
+spec:
+   rateLimit:
+      # ...
+      redis:
+         secret: mysecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+   name: mysecret
+   namespace: default
+
+data:
+   username: dXNlcm5hbWU=
+   password: cGFzc3dvcmQ=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=user"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          username: user
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      username = "user"
+```
+
+#### `redis.password`
+
+_Optional, Default=""_
+
+Defines the password to authenticate against the Redis server.
+
+```yaml tab="Docker & Swarm"
+labels:
+    - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=password"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+   name: test-ratelimit
+spec:
+   rateLimit:
+      # ...
+      redis:
+         secret: mysecret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+   name: mysecret
+   namespace: default
+
+data:
+   username: dXNlcm5hbWU=
+   password: cGFzc3dvcmQ=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=password"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          password: password
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      password = "password"
+```
+
+#### `redis.db`
+
+_Optional, Default=0_
+
+Defines the database to select after connecting to the Redis.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=0"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      db: 0
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=0"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          db: 0
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      db = 0
+```
+
+#### `redis.tls`
+
+Same as this [config](https://doc.traefik.io/traefik/providers/redis/#tls)
+
+_Optional_
+
+Defines the TLS configuration used for the secure connection to Redis.
+
+##### `redis.tls.ca`
+
+_Optional_
+
+`ca` is the path to the certificate authority used for the secure connection to Redis,
+it defaults to the system bundle.
+
+```yaml tab="Docker & Swarm"
+labels:
+    - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=path/to/ca.crt"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      tls:
+        caSecret: mycasercret
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mycasercret
+  namespace: default
+
+data:
+  # Must contain a certificate under either a `tls.ca` or a `ca.crt` key. 
+  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=path/to/ca.crt"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    rateLimit:
+      # ... 
+      redis:
+        tls:
+          ca: path/to/ca.crt
+```
+
+```toml tab="File (TOML)"
+[providers.redis.tls]
+  ca = "path/to/ca.crt"
+```
+
+##### `redis.tls.cert`
+
+_Optional_
+
+`cert` is the path to the public certificate used for the secure connection to Redis.
+When this option is set, the `key` option is required.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+   name: test-ratelimit
+spec:
+   rateLimit:
+      # ...
+      redis:
+         tls:
+           certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+   name: mytlscert
+   namespace: default
+
+data:
+   tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        redis:
+          tls:
+            cert: path/to/foo.cert
+            key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      [http.middlewares.test-ratelimit.rateLimit.redis.tls]
+        cert = "path/to/foo.cert"
+        key = "path/to/foo.key"
+```
+
+##### `redis.tls.key`
+
+_Optional_
+
+`key` is the path to the private key used for the secure connection to Redis.
+When this option is set, the `cert` option is required.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+   name: test-ratelimit
+spec:
+   rateLimit:
+      # ...
+      redis:
+         tls:
+            certSecret: mytlscert
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+   name: mytlscert
+   namespace: default
+
+data:
+   tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
+   tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        redis:
+          tls:
+            cert: path/to/foo.cert
+            key: path/to/foo.key
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      [http.middlewares.test-ratelimit.rateLimit.redis.tls]
+        cert = "path/to/foo.cert"
+        key = "path/to/foo.key"
+```
+
+##### `redis.tls.insecureSkipVerify`
+
+_Optional, Default=false_
+
+If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=true"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      tls:
+        insecureSkipVerify: true
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=true"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          tls:
+            insecureSkipVerify: true
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      [http.middlewares.test-ratelimit.rateLimit.redis.tls]
+        insecureSkipVerify = true
+```
+
+#### `redis.poolSize`
+
+_Optional, Default=0_
+
+Defines the base number of socket connections.
+
+If there are not enough connections in the pool, new connections will be allocated beyond `redis.poolSize`. 
+You can limit this using `redis.maxActiveConns`.
+
+Zero means 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=42"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      poolSize: 42
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=42"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          poolSize: 42
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      poolSize = 42
+```
+
+#### `redis.minIdleConns`
+
+_Optional, Default=0_
+
+Defines the minimum number of idle connections, which is useful when establishing new connections is slow.
+Zero means that idle connections are not closed.
+
+```yaml tab="Docker & Swarm"
+labels:
+    - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=42"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      minIdleConns: 42
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=42"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          minIdleConns: 42
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      minIdleConns = 42
+```
+
+#### `redis.maxActiveConns`
+
+_Optional, Default=0_
+
+Defines the maximum number of connections the pool can allocate at a given time.
+Zero means no limit.
+
+```yaml tab="Docker & Swarm"
+labels:
+    - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=42"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      maxActiveConns: 42
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=42"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          maxActiveConns: 42
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      maxActiveConns = 42
+```
+
+#### `redis.readTimeout`
+
+_Optional, Default=3s_
+
+Defines the timeout for socket reads. 
+If reached, commands will fail with a timeout instead of blocking.
+Zero means no timeout.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=42s"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      readTimeout: 42s
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=42s"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          readTimeout: 42s
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      readTimeout = "42s"
+```
+
+#### `redis.writeTimeout`
+
+_Optional, Default=3s_
+
+Defines the timeout for socket writes. 
+If reached, commands will fail with a timeout instead of blocking. 
+Zero means no timeout.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=42s"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      writeTimeout: 42s
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=42s"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          writeTimeout: 42s
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      writeTimeout = "42s"
+```
+
+#### `redis.dialTimeout`
+
+_Optional, Default=5s_
+
+Defines the dial timeout for establishing new connections.
+Zero means no timeout.
+
+```yaml tab="Docker & Swarm"
+labels:
+  - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=42s"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: test-ratelimit
+spec:
+  rateLimit:
+    # ...
+    redis:
+      dialTimeout: 42s
+```
+
+```yaml tab="Consul Catalog"
+- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=42s"
+```
+
+```yaml tab="File (YAML)"
+http:
+  middlewares:
+    test-ratelimit:
+      rateLimit:
+        # ...
+        redis:
+          dialTimeout: 42s
+```
+
+```toml tab="File (TOML)"
+[http.middlewares]
+  [http.middlewares.test-ratelimit.rateLimit]
+    [http.middlewares.test-ratelimit.rateLimit.redis]
+      dialTimeout = "42s"
+```

docs/content/migration/v3.md

@@ -215,3 +215,66 @@ it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
 
     Setting the `sanitizePath` option to `false` is not safe.
     Ensure every request is properly url encoded instead.
+
+## v3.3 to v3.4
+
+### Kubernetes CRD Provider
+
+#### Load-Balancing
+
+In `v3.4`, the HTTP service definition has been updated.
+The strategy field now supports two new values: `wrr` and `p2c` (please refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for more details).
+
+CRDs can be updated with this command:
+
+```shell
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+```
+
+Please note that the `RoundRobin` strategy value is now deprecated, but still supported and equivalent to `wrr`, and will be removed in the next major release.
+
+#### ServersTransport CA Certificate
+
+In `v3.4`, a new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs.
+It allows the configuration of CA certificates from both `ConfigMaps` and `Secrets`,
+and replaces the `rootCAsSecrets` option, as shown below:
+
+```yaml
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: foo
+  namespace: bar
+spec:
+  rootCAs:
+    - configMap: ca-config-map
+    - secret: ca-secret
+      
+---      
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransportTCP
+metadata:
+  name: foo
+  namespace: bar
+spec:
+  rootCAs:
+    - configMap: ca-config-map
+    - secret: ca-secret
+```
+
+The `rootCAsSecrets` option, which allows only `Secrets` references,
+is still supported, but is now deprecated,
+and will be removed in the next major release.
+
+### Rule Syntax
+
+In `v3.4.0`, the `core.defaultRuleSyntax` static configuration option and the `ruleSyntax` router option have been deprecated,
+and will be removed in the next major version.
+
+This `core.defaultRuleSyntax` option was used to switch between the v2 and v3 syntax for the router's rules,
+and to help with the migration from v2 to v3.
+
+The `ruleSyntax` router's option was used to override the default rule syntax for a specific router.
+
+In preparation for the next major release, please remove any use of these two options and use the v3 syntax for writing the router's rules.

docs/content/observability/access-logs.md

@@ -292,7 +292,7 @@ version: "3.7"
 
 services:
   traefik:
-    image: traefik:v3.3
+    image: traefik:v3.4
     environment:
       - TZ=US/Alaska
     command:

docs/content/providers/docker.md

@@ -166,7 +166,7 @@ See the [Docker API Access](#docker-api-access) section for more information.
 
     services:
       traefik:
-         image: traefik:v3.3 # The official v3 Traefik docker image
+         image: traefik:v3.4 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:

docs/content/providers/kubernetes-crd.md

@@ -31,10 +31,10 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
 
     ```bash
     # Install Traefik Resource Definitions:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
     
     # Install RBAC for Traefik:
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
     ```
 
 ## Resource Configuration

docs/content/providers/kubernetes-gateway.md

@@ -34,7 +34,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
 
     ```bash
     # Install Traefik RBACs.
-    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+    kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
     ```
 
 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:

docs/content/providers/kubernetes-ingress.md

@@ -398,11 +398,17 @@ providers:
 
 _Optional, Default: ""_
 
-The Kubernetes service to copy status from.
-When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the ingresses.
-
 Format: `namespace/servicename`.
 
+The Kubernetes service to copy status from, 
+depending on the service type:
+
+- **ClusterIP:** The ExternalIPs of the service will be propagated to the ingress status.
+- **NodePort:** The ExternalIP addresses of the nodes in the cluster will be propagated to the ingress status.
+- **LoadBalancer:** The IPs from the service's `loadBalancer.status` field (which contains the endpoints provided by the load balancer) will be propagated to the ingress status.
+
+When using third-party tools such as External-DNS, this option enables the copying of external service IPs to the ingress resources.
+
 ```yaml tab="File (YAML)"
 providers:
   kubernetesIngress:
@@ -526,6 +532,6 @@ providers:
 ### Further
 
 To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.3/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
+many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 
 {!traefik-for-business-applications.md!}

docs/content/providers/swarm.md

@@ -212,7 +212,7 @@ See the [Docker Swarm API Access](#docker-api-access) section for more informati
 
     services:
       traefik:
-         image: traefik:v3.3 # The official v3 Traefik docker image
+         image: traefik:v3.4 # The official v3 Traefik docker image
          ports:
            - "80:80"
          volumes:

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -33,6 +33,8 @@
 - "traefik.http.middlewares.middleware09.errors.query=foobar"
 - "traefik.http.middlewares.middleware09.errors.service=foobar"
 - "traefik.http.middlewares.middleware09.errors.status=foobar, foobar"
+- "traefik.http.middlewares.middleware09.errors.statusrewrites.name0=42"
+- "traefik.http.middlewares.middleware09.errors.statusrewrites.name1=42"
 - "traefik.http.middlewares.middleware10.forwardauth.addauthcookiestoresponse=foobar, foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.address=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.authrequestheaders=foobar, foobar"
@@ -42,6 +44,7 @@
 - "traefik.http.middlewares.middleware10.forwardauth.headerfield=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.maxbodysize=42"
 - "traefik.http.middlewares.middleware10.forwardauth.preservelocationheader=true"
+- "traefik.http.middlewares.middleware10.forwardauth.preserverequestmethod=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware10.forwardauth.tls.cert=foobar"
@@ -129,6 +132,20 @@
 - "traefik.http.middlewares.middleware18.ratelimit.average=42"
 - "traefik.http.middlewares.middleware18.ratelimit.burst=42"
 - "traefik.http.middlewares.middleware18.ratelimit.period=42s"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.db=42"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.dialtimeout=42s"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.endpoints=foobar, foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.maxactiveconns=42"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.minidleconns=42"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.password=foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.poolsize=42"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.readtimeout=42s"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.ca=foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.cert=foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.insecureskipverify=true"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.tls.key=foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.username=foobar"
+- "traefik.http.middlewares.middleware18.ratelimit.redis.writetimeout=42s"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.depth=42"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.excludedips=foobar, foobar"
 - "traefik.http.middlewares.middleware18.ratelimit.sourcecriterion.ipstrategy.ipv6subnet=42"
@@ -192,19 +209,24 @@
 - "traefik.http.services.service02.loadbalancer.healthcheck.scheme=foobar"
 - "traefik.http.services.service02.loadbalancer.healthcheck.status=42"
 - "traefik.http.services.service02.loadbalancer.healthcheck.timeout=42s"
+- "traefik.http.services.service02.loadbalancer.healthcheck.unhealthyinterval=42s"
 - "traefik.http.services.service02.loadbalancer.passhostheader=true"
 - "traefik.http.services.service02.loadbalancer.responseforwarding.flushinterval=42s"
 - "traefik.http.services.service02.loadbalancer.serverstransport=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky=true"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie=true"
+- "traefik.http.services.service02.loadbalancer.sticky.cookie.domain=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.httponly=true"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.maxage=42"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.name=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.path=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.samesite=foobar"
 - "traefik.http.services.service02.loadbalancer.sticky.cookie.secure=true"
+- "traefik.http.services.service02.loadbalancer.strategy=foobar"
 - "traefik.http.services.service02.loadbalancer.server.port=foobar"
+- "traefik.http.services.service02.loadbalancer.server.preservepath=true"
 - "traefik.http.services.service02.loadbalancer.server.scheme=foobar"
+- "traefik.http.services.service02.loadbalancer.server.url=foobar"
 - "traefik.http.services.service02.loadbalancer.server.weight=42"
 - "traefik.tcp.middlewares.tcpmiddleware01.ipallowlist.sourcerange=foobar, foobar"
 - "traefik.tcp.middlewares.tcpmiddleware02.ipwhitelist.sourcerange=foobar, foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -54,6 +54,7 @@
         [http.services.Service01.failover.healthCheck]
     [http.services.Service02]
       [http.services.Service02.loadBalancer]
+        strategy = "foobar"
         passHostHeader = true
         serversTransport = "foobar"
         [http.services.Service02.loadBalancer.sticky]
@@ -64,6 +65,7 @@
             sameSite = "foobar"
             maxAge = 42
             path = "foobar"
+            domain = "foobar"
 
         [[http.services.Service02.loadBalancer.servers]]
           url = "foobar"
@@ -82,6 +84,7 @@
           status = 42
           port = 42
           interval = "42s"
+          unhealthyInterval = "42s"
           timeout = "42s"
           hostname = "foobar"
           followRedirects = true
@@ -122,6 +125,7 @@
             sameSite = "foobar"
             maxAge = 42
             path = "foobar"
+            domain = "foobar"
         [http.services.Service04.weighted.healthCheck]
   [http.middlewares]
     [http.middlewares.Middleware01]
@@ -173,6 +177,9 @@
         status = ["foobar", "foobar"]
         service = "foobar"
         query = "foobar"
+        [http.middlewares.Middleware09.errors.statusRewrites]
+          name0 = 42
+          name1 = 42
     [http.middlewares.Middleware10]
       [http.middlewares.Middleware10.forwardAuth]
         address = "foobar"
@@ -185,6 +192,7 @@
         forwardBody = true
         maxBodySize = 42
         preserveLocationHeader = true
+        preserveRequestMethod = true
         [http.middlewares.Middleware10.forwardAuth.tls]
           ca = "foobar"
           cert = "foobar"
@@ -305,6 +313,22 @@
             depth = 42
             excludedIPs = ["foobar", "foobar"]
             ipv6Subnet = 42
+        [http.middlewares.Middleware18.rateLimit.redis]
+          endpoints = ["foobar", "foobar"]
+          username = "foobar"
+          password = "foobar"
+          db = 42
+          poolSize = 42
+          minIdleConns = 42
+          maxActiveConns = 42
+          readTimeout = "42s"
+          writeTimeout = "42s"
+          dialTimeout = "42s"
+          [http.middlewares.Middleware18.rateLimit.redis.tls]
+            ca = "foobar"
+            cert = "foobar"
+            key = "foobar"
+            insecureSkipVerify = true
     [http.middlewares.Middleware19]
       [http.middlewares.Middleware19.redirectRegex]
         regex = "foobar"
@@ -547,6 +571,7 @@
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
       alpnProtocols = ["foobar", "foobar"]
+      disableSessionTickets = true
       preferServerCipherSuites = true
       [tls.options.Options0.clientAuth]
         caFiles = ["foobar", "foobar"]
@@ -558,6 +583,7 @@
       curvePreferences = ["foobar", "foobar"]
       sniStrict = true
       alpnProtocols = ["foobar", "foobar"]
+      disableSessionTickets = true
       preferServerCipherSuites = true
       [tls.options.Options1.clientAuth]
         caFiles = ["foobar", "foobar"]

docs/content/reference/dynamic-configuration/file.yaml

@@ -72,6 +72,7 @@ http:
             sameSite: foobar
             maxAge: 42
             path: foobar
+            domain: foobar
         servers:
           - url: foobar
             weight: 42
@@ -79,6 +80,7 @@ http:
           - url: foobar
             weight: 42
             preservePath: true
+        strategy: foobar
         healthCheck:
           scheme: foobar
           mode: foobar
@@ -87,6 +89,7 @@ http:
           status: 42
           port: 42
           interval: 42s
+          unhealthyInterval: 42s
           timeout: 42s
           hostname: foobar
           followRedirects: true
@@ -123,6 +126,7 @@ http:
             sameSite: foobar
             maxAge: 42
             path: foobar
+            domain: foobar
         healthCheck: {}
   middlewares:
     Middleware01:
@@ -186,6 +190,9 @@ http:
         status:
           - foobar
           - foobar
+        statusRewrites:
+          name0: 42
+          name1: 42
         service: foobar
         query: foobar
     Middleware10:
@@ -212,6 +219,7 @@ http:
         forwardBody: true
         maxBodySize: 42
         preserveLocationHeader: true
+        preserveRequestMethod: true
     Middleware11:
       grpcWeb:
         allowOrigins:
@@ -354,6 +362,24 @@ http:
             ipv6Subnet: 42
           requestHeaderName: foobar
           requestHost: true
+        redis:
+          endpoints:
+            - foobar
+            - foobar
+          tls:
+            ca: foobar
+            cert: foobar
+            key: foobar
+            insecureSkipVerify: true
+          username: foobar
+          password: foobar
+          db: 42
+          poolSize: 42
+          minIdleConns: 42
+          maxActiveConns: 42
+          readTimeout: 42s
+          writeTimeout: 42s
+          dialTimeout: 42s
     Middleware19:
       redirectRegex:
         regex: foobar
@@ -619,6 +645,7 @@ tls:
       alpnProtocols:
         - foobar
         - foobar
+      disableSessionTickets: true
       preferServerCipherSuites: true
     Options1:
       minVersion: foobar
@@ -638,6 +665,7 @@ tls:
       alpnProtocols:
         - foobar
         - foobar
+      disableSessionTickets: true
       preferServerCipherSuites: true
   stores:
     Store0:

docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: traefik-controller
       containers:
         - name: traefik
-          image: traefik:v3.3
+          image: traefik:v3.4
           args:
             - --entryPoints.web.address=:80
             - --entryPoints.websecure.address=:443

docs/content/reference/dynamic-configuration/kv-ref.md

@@ -40,6 +40,8 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware09/errors/service` | `foobar` |
 | `traefik/http/middlewares/Middleware09/errors/status/0` | `foobar` |
 | `traefik/http/middlewares/Middleware09/errors/status/1` | `foobar` |
+| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name0` | `42` |
+| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name1` | `42` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/address` | `foobar` |
@@ -52,6 +54,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize` | `42` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/preserveLocationHeader` | `true` |
+| `traefik/http/middlewares/Middleware10/forwardAuth/preserveRequestMethod` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
@@ -150,6 +153,21 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/middlewares/Middleware18/rateLimit/average` | `42` |
 | `traefik/http/middlewares/Middleware18/rateLimit/burst` | `42` |
 | `traefik/http/middlewares/Middleware18/rateLimit/period` | `42s` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/db` | `42` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/dialTimeout` | `42s` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/0` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/1` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/maxActiveConns` | `42` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/minIdleConns` | `42` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/password` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/poolSize` | `42` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/readTimeout` | `42s` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/ca` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/cert` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/insecureSkipVerify` | `true` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/key` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/username` | `foobar` |
+| `traefik/http/middlewares/Middleware18/rateLimit/redis/writeTimeout` | `42s` |
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/depth` | `42` |
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
 | `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
@@ -263,6 +281,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service02/loadBalancer/healthCheck/scheme` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/healthCheck/status` | `42` |
 | `traefik/http/services/Service02/loadBalancer/healthCheck/timeout` | `42s` |
+| `traefik/http/services/Service02/loadBalancer/healthCheck/unhealthyInterval` | `42s` |
 | `traefik/http/services/Service02/loadBalancer/passHostHeader` | `true` |
 | `traefik/http/services/Service02/loadBalancer/responseForwarding/flushInterval` | `42s` |
 | `traefik/http/services/Service02/loadBalancer/servers/0/preservePath` | `true` |
@@ -272,12 +291,14 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service02/loadBalancer/servers/1/url` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/servers/1/weight` | `42` |
 | `traefik/http/services/Service02/loadBalancer/serversTransport` | `foobar` |
+| `traefik/http/services/Service02/loadBalancer/sticky/cookie/domain` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/httpOnly` | `true` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/maxAge` | `42` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/name` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/path` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/sameSite` | `foobar` |
 | `traefik/http/services/Service02/loadBalancer/sticky/cookie/secure` | `true` |
+| `traefik/http/services/Service02/loadBalancer/strategy` | `foobar` |
 | `traefik/http/services/Service03/mirroring/healthCheck` | `` |
 | `traefik/http/services/Service03/mirroring/maxBodySize` | `42` |
 | `traefik/http/services/Service03/mirroring/mirrorBody` | `true` |
@@ -291,6 +312,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/http/services/Service04/weighted/services/0/weight` | `42` |
 | `traefik/http/services/Service04/weighted/services/1/name` | `foobar` |
 | `traefik/http/services/Service04/weighted/services/1/weight` | `42` |
+| `traefik/http/services/Service04/weighted/sticky/cookie/domain` | `foobar` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/httpOnly` | `true` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/maxAge` | `42` |
 | `traefik/http/services/Service04/weighted/sticky/cookie/name` | `foobar` |
@@ -394,6 +416,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/tls/options/Options0/clientAuth/clientAuthType` | `foobar` |
 | `traefik/tls/options/Options0/curvePreferences/0` | `foobar` |
 | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
+| `traefik/tls/options/Options0/disableSessionTickets` | `true` |
 | `traefik/tls/options/Options0/maxVersion` | `foobar` |
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
 | `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
@@ -407,6 +430,7 @@ THIS FILE MUST NOT BE EDITED BY HAND
 | `traefik/tls/options/Options1/clientAuth/clientAuthType` | `foobar` |
 | `traefik/tls/options/Options1/curvePreferences/0` | `foobar` |
 | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
+| `traefik/tls/options/Options1/disableSessionTickets` | `true` |
 | `traefik/tls/options/Options1/maxVersion` | `foobar` |
 | `traefik/tls/options/Options1/minVersion` | `foobar` |
 | `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |

docs/content/reference/dynamic-configuration/traefik.io_ingressroutes.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -64,12 +64,12 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule
+                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule
                       type: string
                     middlewares:
                       description: |-
                         Middlewares defines the list of references to Middleware resources.
-                        More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-middleware
+                        More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-middleware
                       items:
                         description: MiddlewareRef is a reference to a Middleware
                           resource.
@@ -101,7 +101,8 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority
+                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority
+                      maximum: 9223372036854775000
                       type: integer
                     services:
                       description: |-
@@ -135,7 +136,7 @@ spec:
                                 - type: integer
                                 - type: string
                                 description: |-
-                                  Interval defines the frequency of the health check calls.
+                                  Interval defines the frequency of the health check calls for healthy targets.
                                   Default: 30s
                                 x-kubernetes-int-or-string: true
                               method:
@@ -171,6 +172,15 @@ spec:
                                   Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                   Default: 5s
                                 x-kubernetes-int-or-string: true
+                              unhealthyInterval:
+                                anyOf:
+                                - type: integer
+                                - type: string
+                                description: |-
+                                  UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                  When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                  Default: 30s
+                                x-kubernetes-int-or-string: true
                             type: object
                           kind:
                             description: Kind defines the kind of the Service.
@@ -242,11 +252,16 @@ spec:
                           sticky:
                             description: |-
                               Sticky defines the sticky sessions configuration.
-                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+                              More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
                             properties:
                               cookie:
                                 description: Cookie defines the sticky cookie configuration.
                                 properties:
+                                  domain:
+                                    description: |-
+                                      Domain defines the host to which the cookie will be sent.
+                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                    type: string
                                   httpOnly:
                                     description: HTTPOnly defines whether the cookie
                                       can be accessed by client-side APIs, such as
@@ -271,6 +286,10 @@ spec:
                                     description: |-
                                       SameSite defines the same site policy.
                                       More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                    enum:
+                                    - none
+                                    - lax
+                                    - strict
                                     type: string
                                   secure:
                                     description: Secure defines whether the cookie
@@ -282,12 +301,18 @@ spec:
                           strategy:
                             description: |-
                               Strategy defines the load balancing strategy between the servers.
-                              RoundRobin is the only supported value at the moment.
+                              Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                              RoundRobin value is deprecated and supported for backward compatibility.
+                            enum:
+                            - wrr
+                            - p2c
+                            - RoundRobin
                             type: string
                           weight:
                             description: |-
                               Weight defines the weight and should only be specified when Name references a TraefikService object
                               (and to be precise, one that embeds a Weighted Round Robin).
+                            minimum: 0
                             type: integer
                         required:
                         - name
@@ -296,7 +321,8 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax
+                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax
+                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
                       type: string
                   required:
                   - match
@@ -305,18 +331,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration.
-                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls
+                  More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -335,17 +361,17 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
                     properties:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSOption.
-                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsoption
+                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsoption
                         type: string
                     required:
                     - name
@@ -362,12 +388,12 @@ spec:
                       name:
                         description: |-
                           Name defines the name of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                       namespace:
                         description: |-
                           Namespace defines the namespace of the referenced TLSStore.
-                          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-tlsstore
+                          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-tlsstore
                         type: string
                     required:
                     - name

docs/content/reference/dynamic-configuration/traefik.io_ingressroutetcps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -56,7 +56,7 @@ spec:
                     match:
                       description: |-
                         Match defines the router's rule.
-                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rule_1
+                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rule_1
                       type: string
                     middlewares:
                       description: Middlewares defines the list of references to MiddlewareTCP
@@ -80,7 +80,8 @@ spec:
                     priority:
                       description: |-
                         Priority defines the router's priority.
-                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#priority_1
+                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#priority_1
+                      maximum: 9223372036854775000
                       type: integer
                     services:
                       description: Services defines the list of TCP services.
@@ -121,11 +122,13 @@ spec:
                           proxyProtocol:
                             description: |-
                               ProxyProtocol defines the PROXY protocol configuration.
-                              More info: https://doc.traefik.io/traefik/v3.3/routing/services/#proxy-protocol
+                              More info: https://doc.traefik.io/traefik/v3.4/routing/services/#proxy-protocol
                             properties:
                               version:
                                 description: Version defines the PROXY Protocol version
                                   to use.
+                                maximum: 2
+                                minimum: 1
                                 type: integer
                             type: object
                           serversTransport:
@@ -150,6 +153,7 @@ spec:
                           weight:
                             description: Weight defines the weight used when balancing
                               requests between multiple Kubernetes Service.
+                            minimum: 0
                             type: integer
                         required:
                         - name
@@ -159,7 +163,11 @@ spec:
                     syntax:
                       description: |-
                         Syntax defines the router's rule syntax.
-                        More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#rulesyntax_1
+                        More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#rulesyntax_1
+                        Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
+                      enum:
+                      - v3
+                      - v2
                       type: string
                   required:
                   - match
@@ -168,18 +176,18 @@ spec:
               tls:
                 description: |-
                   TLS defines the TLS configuration on a layer 4 / TCP Route.
-                  More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#tls_1
+                  More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#tls_1
                 properties:
                   certResolver:
                     description: |-
                       CertResolver defines the name of the certificate resolver to use.
                       Cert resolvers have to be configured in the static configuration.
-                      More info: https://doc.traefik.io/traefik/v3.3/https/acme/#certificate-resolvers
+                      More info: https://doc.traefik.io/traefik/v3.4/https/acme/#certificate-resolvers
                     type: string
                   domains:
                     description: |-
                       Domains defines the list of domains that will be used to issue certificates.
-                      More info: https://doc.traefik.io/traefik/v3.3/routing/routers/#domains
+                      More info: https://doc.traefik.io/traefik/v3.4/routing/routers/#domains
                     items:
                       description: Domain holds a domain name with SANs.
                       properties:
@@ -198,7 +206,7 @@ spec:
                     description: |-
                       Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
                       If not defined, the `default` TLSOption is used.
-                      More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
+                      More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
                     properties:
                       name:
                         description: Name defines the name of the referenced Traefik

docs/content/reference/dynamic-configuration/traefik.io_ingressrouteudps.yaml

@@ -43,7 +43,7 @@ spec:
                 description: |-
                   EntryPoints defines the list of entry point names to bind to.
                   Entry points have to be configured in the static configuration.
-                  More info: https://doc.traefik.io/traefik/v3.3/routing/entrypoints/
+                  More info: https://doc.traefik.io/traefik/v3.4/routing/entrypoints/
                   Default: all.
                 items:
                   type: string
@@ -92,6 +92,7 @@ spec:
                           weight:
                             description: Weight defines the weight used when balancing
                               requests between multiple Kubernetes Service.
+                            minimum: 0
                             type: integer
                         required:
                         - name

docs/content/reference/dynamic-configuration/traefik.io_middlewares.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           Middleware is the CRD implementation of a Traefik Middleware.
-          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/overview/
+          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/overview/
         properties:
           apiVersion:
             description: |-
@@ -45,24 +45,27 @@ spec:
                 description: |-
                   AddPrefix holds the add prefix middleware configuration.
                   This middleware updates the path of a request before forwarding it.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/addprefix/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/addprefix/
                 properties:
                   prefix:
                     description: |-
                       Prefix is the string to add before the current path in the requested URL.
                       It should include a leading slash (/).
                     type: string
+                    x-kubernetes-validations:
+                    - message: must start with a '/'
+                      rule: self.startsWith('/')
                 type: object
               basicAuth:
                 description: |-
                   BasicAuth holds the basic auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -83,7 +86,7 @@ spec:
                 description: |-
                   Buffering holds the buffering middleware configuration.
                   This middleware retries or limits the size of requests that can be forwarded to backends.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#maxrequestbodybytes
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#maxrequestbodybytes
                 properties:
                   maxRequestBodyBytes:
                     description: |-
@@ -115,14 +118,14 @@ spec:
                     description: |-
                       RetryExpression defines the retry conditions.
                       It is a logical combination of functions with operators AND (&&) and OR (||).
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/buffering/#retryexpression
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/buffering/#retryexpression
                     type: string
                 type: object
               chain:
                 description: |-
                   Chain holds the configuration of the chain middleware.
                   This middleware enables to define reusable combinations of other pieces of middleware.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/chain/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/chain/
                 properties:
                   middlewares:
                     description: Middlewares is the list of MiddlewareRef which composes
@@ -152,6 +155,7 @@ spec:
                     - type: string
                     description: CheckPeriod is the interval between successive checks
                       of the circuit breaker condition (when in standby state).
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                   expression:
                     description: Expression is the condition that triggers the tripped
@@ -171,17 +175,20 @@ spec:
                     description: RecoveryDuration is the duration for which the circuit
                       breaker will try to recover (as soon as it is in recovering
                       state).
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                   responseCode:
                     description: ResponseCode is the status code that the circuit
                       breaker will return while it is in the open state.
+                    maximum: 599
+                    minimum: 100
                     type: integer
                 type: object
               compress:
                 description: |-
                   Compress holds the compress middleware configuration.
                   This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/compress/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/compress/
                 properties:
                   defaultEncoding:
                     description: DefaultEncoding specifies the default encoding if
@@ -212,6 +219,7 @@ spec:
                     description: |-
                       MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
                       Default: 1024.
+                    minimum: 0
                     type: integer
                 type: object
               contentType:
@@ -230,12 +238,12 @@ spec:
                 description: |-
                   DigestAuth holds the digest auth middleware configuration.
                   This middleware restricts access to your services to known users.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/digestauth/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/digestauth/
                 properties:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/basicauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/basicauth/#headerfield
                     type: string
                   realm:
                     description: |-
@@ -255,17 +263,19 @@ spec:
                 description: |-
                   ErrorPage holds the custom error middleware configuration.
                   This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/
                 properties:
                   query:
                     description: |-
                       Query defines the URL for the error page (hosted by service).
                       The {status} variable can be used in order to insert the status code in the URL.
+                      The {originalStatus} variable can be used in order to insert the upstream status code in the URL.
+                      The {url} variable can be used in order to insert the escaped request URL.
                     type: string
                   service:
                     description: |-
                       Service defines the reference to a Kubernetes Service that will serve the error page.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/errorpages/#service
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/errorpages/#service
                     properties:
                       healthCheck:
                         description: Healthcheck defines health checks for ExternalName
@@ -291,7 +301,7 @@ spec:
                             - type: integer
                             - type: string
                             description: |-
-                              Interval defines the frequency of the health check calls.
+                              Interval defines the frequency of the health check calls for healthy targets.
                               Default: 30s
                             x-kubernetes-int-or-string: true
                           method:
@@ -327,6 +337,15 @@ spec:
                               Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                               Default: 5s
                             x-kubernetes-int-or-string: true
+                          unhealthyInterval:
+                            anyOf:
+                            - type: integer
+                            - type: string
+                            description: |-
+                              UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                              When UnhealthyInterval is not defined, it defaults to the Interval value.
+                              Default: 30s
+                            x-kubernetes-int-or-string: true
                         type: object
                       kind:
                         description: Kind defines the kind of the Service.
@@ -398,11 +417,16 @@ spec:
                       sticky:
                         description: |-
                           Sticky defines the sticky sessions configuration.
-                          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+                          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
                         properties:
                           cookie:
                             description: Cookie defines the sticky cookie configuration.
                             properties:
+                              domain:
+                                description: |-
+                                  Domain defines the host to which the cookie will be sent.
+                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                type: string
                               httpOnly:
                                 description: HTTPOnly defines whether the cookie can
                                   be accessed by client-side APIs, such as JavaScript.
@@ -426,6 +450,10 @@ spec:
                                 description: |-
                                   SameSite defines the same site policy.
                                   More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                enum:
+                                - none
+                                - lax
+                                - strict
                                 type: string
                               secure:
                                 description: Secure defines whether the cookie can
@@ -437,12 +465,18 @@ spec:
                       strategy:
                         description: |-
                           Strategy defines the load balancing strategy between the servers.
-                          RoundRobin is the only supported value at the moment.
+                          Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                          RoundRobin value is deprecated and supported for backward compatibility.
+                        enum:
+                        - wrr
+                        - p2c
+                        - RoundRobin
                         type: string
                       weight:
                         description: |-
                           Weight defines the weight and should only be specified when Name references a TraefikService object
                           (and to be precise, one that embeds a Weighted Round Robin).
+                        minimum: 0
                         type: integer
                     required:
                     - name
@@ -455,14 +489,22 @@ spec:
                       as ranges by separating two codes with a dash (500-599),
                       or a combination of the two (404,418,500-599).
                     items:
+                      pattern: ^([1-5][0-9]{2}[,-]?)+$
                       type: string
                     type: array
+                  statusRewrites:
+                    additionalProperties:
+                      type: integer
+                    description: |-
+                      StatusRewrites defines a mapping of status codes that should be returned instead of the original error status codes.
+                      For example: "418": 404 or "410-418": 404
+                    type: object
                 type: object
               forwardAuth:
                 description: |-
                   ForwardAuth holds the forward auth middleware configuration.
                   This middleware delegates the request authentication to a Service.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/
                 properties:
                   addAuthCookiesToResponse:
                     description: AddAuthCookiesToResponse defines the list of cookies
@@ -490,7 +532,7 @@ spec:
                   authResponseHeadersRegex:
                     description: |-
                       AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#authresponseheadersregex
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#authresponseheadersregex
                     type: string
                   forwardBody:
                     description: ForwardBody defines whether to send the request body
@@ -499,7 +541,7 @@ spec:
                   headerField:
                     description: |-
                       HeaderField defines a header field to store the authenticated user.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/forwardauth/#headerfield
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/forwardauth/#headerfield
                     type: string
                   maxBodySize:
                     description: MaxBodySize defines the maximum body size in bytes
@@ -511,6 +553,11 @@ spec:
                       the Location header to the client as is or prefix it with the
                       domain name of the authentication server.
                     type: boolean
+                  preserveRequestMethod:
+                    description: PreserveRequestMethod defines whether to preserve
+                      the original request method while forwarding the request to
+                      the authentication server.
+                    type: boolean
                   tls:
                     description: TLS defines the configuration used to secure the
                       connection to the authentication server.
@@ -556,7 +603,7 @@ spec:
                 description: |-
                   Headers holds the headers middleware configuration.
                   This middleware manages the requests and responses headers.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/headers/#customrequestheaders
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/headers/#customrequestheaders
                 properties:
                   accessControlAllowCredentials:
                     description: AccessControlAllowCredentials defines whether the
@@ -721,36 +768,39 @@ spec:
                       STSSeconds defines the max-age of the Strict-Transport-Security header.
                       If set to 0, the header is not set.
                     format: int64
+                    minimum: 0
                     type: integer
                 type: object
               inFlightReq:
                 description: |-
                   InFlightReq holds the in-flight request middleware configuration.
                   This middleware limits the number of requests being processed and served concurrently.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/
                 properties:
                   amount:
                     description: |-
                       Amount defines the maximum amount of allowed simultaneous in-flight request.
                       The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).
                     format: int64
+                    minimum: 0
                     type: integer
                   sourceCriterion:
                     description: |-
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
                       If several strategies are defined at the same time, an error will be raised.
                       If none are set, the default is to use the requestHost.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/inflightreq/#sourcecriterion
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/inflightreq/#sourcecriterion
                     properties:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
                               header and take the IP located at the depth position
                               (starting from the right).
+                            minimum: 0
                             type: integer
                           excludedIPs:
                             description: ExcludedIPs configures Traefik to scan the
@@ -780,17 +830,18 @@ spec:
                 description: |-
                   IPAllowList holds the IP allowlist middleware configuration.
                   This middleware limits allowed requests based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/
                 properties:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
                           header and take the IP located at the depth position (starting
                           from the right).
+                        minimum: 0
                         type: integer
                       excludedIPs:
                         description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
@@ -822,12 +873,13 @@ spec:
                   ipStrategy:
                     description: |-
                       IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                      More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+                      More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
                     properties:
                       depth:
                         description: Depth tells Traefik to use the X-Forwarded-For
                           header and take the IP located at the depth position (starting
                           from the right).
+                        minimum: 0
                         type: integer
                       excludedIPs:
                         description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
@@ -852,7 +904,7 @@ spec:
                 description: |-
                   PassTLSClientCert holds the pass TLS client cert middleware configuration.
                   This middleware adds the selected data from the passed client TLS certificate to a header.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/passtlsclientcert/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/passtlsclientcert/
                 properties:
                   info:
                     description: Info selects the specific client certificate details
@@ -961,7 +1013,7 @@ spec:
                 description: |-
                   RateLimit holds the rate limit configuration.
                   This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ratelimit/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ratelimit/
                 properties:
                   average:
                     description: |-
@@ -970,12 +1022,14 @@ spec:
                       The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
                       one needs to define a Period larger than a second.
                     format: int64
+                    minimum: 0
                     type: integer
                   burst:
                     description: |-
                       Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
                       It defaults to 1.
                     format: int64
+                    minimum: 0
                     type: integer
                   period:
                     anyOf:
@@ -985,6 +1039,90 @@ spec:
                       Period, in combination with Average, defines the actual maximum rate, such as:
                       r = Average / Period. It defaults to a second.
                     x-kubernetes-int-or-string: true
+                  redis:
+                    description: Redis hold the configs of Redis as bucket in rate
+                      limiter.
+                    properties:
+                      db:
+                        description: DB defines the Redis database that will be selected
+                          after connecting to the server.
+                        type: integer
+                      dialTimeout:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          DialTimeout sets the timeout for establishing new connections.
+                          Default value is 5 seconds.
+                        pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
+                        x-kubernetes-int-or-string: true
+                      endpoints:
+                        description: |-
+                          Endpoints contains either a single address or a seed list of host:port addresses.
+                          Default value is ["localhost:6379"].
+                        items:
+                          type: string
+                        type: array
+                      maxActiveConns:
+                        description: |-
+                          MaxActiveConns defines the maximum number of connections allocated by the pool at a given time.
+                          Default value is 0, meaning there is no limit.
+                        type: integer
+                      minIdleConns:
+                        description: |-
+                          MinIdleConns defines the minimum number of idle connections.
+                          Default value is 0, and idle connections are not closed by default.
+                        type: integer
+                      poolSize:
+                        description: |-
+                          PoolSize defines the initial number of socket connections.
+                          If the pool runs out of available connections, additional ones will be created beyond PoolSize.
+                          This can be limited using MaxActiveConns.
+                          // Default value is 0, meaning 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
+                        type: integer
+                      readTimeout:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          ReadTimeout defines the timeout for socket read operations.
+                          Default value is 3 seconds.
+                        pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
+                        x-kubernetes-int-or-string: true
+                      secret:
+                        description: Secret defines the name of the referenced Kubernetes
+                          Secret containing Redis credentials.
+                        type: string
+                      tls:
+                        description: |-
+                          TLS defines TLS-specific configurations, including the CA, certificate, and key,
+                          which can be provided as a file path or file content.
+                        properties:
+                          caSecret:
+                            description: |-
+                              CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
+                              The CA certificate is extracted from key `tls.ca` or `ca.crt`.
+                            type: string
+                          certSecret:
+                            description: |-
+                              CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
+                              The client certificate is extracted from the keys `tls.crt` and `tls.key`.
+                            type: string
+                          insecureSkipVerify:
+                            description: InsecureSkipVerify defines whether the server
+                              certificates should be validated.
+                            type: boolean
+                        type: object
+                      writeTimeout:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          WriteTimeout defines the timeout for socket write operations.
+                          Default value is 3 seconds.
+                        pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
+                        x-kubernetes-int-or-string: true
+                    type: object
                   sourceCriterion:
                     description: |-
                       SourceCriterion defines what criterion is used to group requests as originating from a common source.
@@ -994,12 +1132,13 @@ spec:
                       ipStrategy:
                         description: |-
                           IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
-                          More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/ipallowlist/#ipstrategy
+                          More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/ipallowlist/#ipstrategy
                         properties:
                           depth:
                             description: Depth tells Traefik to use the X-Forwarded-For
                               header and take the IP located at the depth position
                               (starting from the right).
+                            minimum: 0
                             type: integer
                           excludedIPs:
                             description: ExcludedIPs configures Traefik to scan the
@@ -1029,7 +1168,7 @@ spec:
                 description: |-
                   RedirectRegex holds the redirect regex middleware configuration.
                   This middleware redirects a request using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectregex/#regex
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectregex/#regex
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1048,7 +1187,7 @@ spec:
                 description: |-
                   RedirectScheme holds the redirect scheme middleware configuration.
                   This middleware redirects requests from a scheme/port to another.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/redirectscheme/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/redirectscheme/
                 properties:
                   permanent:
                     description: Permanent defines whether the redirection is permanent
@@ -1065,7 +1204,7 @@ spec:
                 description: |-
                   ReplacePath holds the replace path middleware configuration.
                   This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepath/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepath/
                 properties:
                   path:
                     description: Path defines the path to use as replacement in the
@@ -1076,7 +1215,7 @@ spec:
                 description: |-
                   ReplacePathRegex holds the replace path regex middleware configuration.
                   This middleware replaces the path of a URL using regex matching and replacement.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/replacepathregex/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/replacepathregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression used to match
@@ -1092,11 +1231,12 @@ spec:
                   Retry holds the retry middleware configuration.
                   This middleware reissues requests a given number of times to a backend server if that server does not reply.
                   As soon as the server answers, the middleware stops retrying, regardless of the response status.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/retry/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/retry/
                 properties:
                   attempts:
                     description: Attempts defines how many times the request should
                       be retried.
+                    minimum: 0
                     type: integer
                   initialInterval:
                     anyOf:
@@ -1108,13 +1248,14 @@ spec:
                       If unspecified, requests will be retried immediately.
                       The value of initialInterval should be provided in seconds or as a valid duration format,
                       see https://pkg.go.dev/time#ParseDuration.
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                 type: object
               stripPrefix:
                 description: |-
                   StripPrefix holds the strip prefix middleware configuration.
                   This middleware removes the specified prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefix/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefix/
                 properties:
                   forceSlash:
                     description: |-
@@ -1133,7 +1274,7 @@ spec:
                 description: |-
                   StripPrefixRegex holds the strip prefix regex middleware configuration.
                   This middleware removes the matching prefixes from the URL path.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/http/stripprefixregex/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/http/stripprefixregex/
                 properties:
                   regex:
                     description: Regex defines the regular expression to match the

docs/content/reference/dynamic-configuration/traefik.io_middlewaretcps.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
-          More info: https://doc.traefik.io/traefik/v3.3/middlewares/overview/
+          More info: https://doc.traefik.io/traefik/v3.4/middlewares/overview/
         properties:
           apiVersion:
             description: |-
@@ -49,13 +49,14 @@ spec:
                       Amount defines the maximum amount of allowed simultaneous connections.
                       The middleware closes the connection if there are already amount connections opened.
                     format: int64
+                    minimum: 0
                     type: integer
                 type: object
               ipAllowList:
                 description: |-
                   IPAllowList defines the IPAllowList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipallowlist/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipallowlist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of
@@ -69,7 +70,7 @@ spec:
                   IPWhiteList defines the IPWhiteList middleware configuration.
                   This middleware accepts/refuses connections based on the client IP.
                   Deprecated: please use IPAllowList instead.
-                  More info: https://doc.traefik.io/traefik/v3.3/middlewares/tcp/ipwhitelist/
+                  More info: https://doc.traefik.io/traefik/v3.4/middlewares/tcp/ipwhitelist/
                 properties:
                   sourceRange:
                     description: SourceRange defines the allowed IPs (or ranges of

docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransport is the CRD implementation of a ServersTransport.
           If no serversTransport is specified, the default@internal will be used.
           The default@internal serversTransport is created from the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_1
+          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_1
         properties:
           apiVersion:
             description: |-
@@ -63,6 +63,7 @@ spec:
                     - type: string
                     description: DialTimeout is the amount of time to wait until a
                       connection to a backend server can be established.
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                   idleConnTimeout:
                     anyOf:
@@ -71,6 +72,7 @@ spec:
                     description: IdleConnTimeout is the maximum period for which an
                       idle HTTP keep-alive connection will remain open before closing
                       itself.
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                   pingTimeout:
                     anyOf:
@@ -78,6 +80,7 @@ spec:
                     - type: string
                     description: PingTimeout is the timeout after which the HTTP/2
                       connection will be closed if a response to ping is not received.
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                   readIdleTimeout:
                     anyOf:
@@ -86,6 +89,7 @@ spec:
                     description: ReadIdleTimeout is the timeout after which a health
                       check using ping frame will be carried out if no frame is received
                       on the HTTP/2 connection.
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                   responseHeaderTimeout:
                     anyOf:
@@ -94,6 +98,7 @@ spec:
                     description: ResponseHeaderTimeout is the amount of time to wait
                       for a server's response headers after fully writing the request
                       (including its body, if any).
+                    pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                     x-kubernetes-int-or-string: true
                 type: object
               insecureSkipVerify:
@@ -102,14 +107,39 @@ spec:
               maxIdleConnsPerHost:
                 description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
                   to keep per-host.
+                minimum: 0
                 type: integer
               peerCertURI:
                 description: PeerCertURI defines the peer cert URI used to match against
                   SAN URI during the peer certificate verification.
                 type: string
+              rootCAs:
+                description: RootCAs defines a list of CA certificate Secrets or ConfigMaps
+                  used to validate server certificates.
+                items:
+                  description: |-
+                    RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
+                    If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
+                  properties:
+                    configMap:
+                      description: |-
+                        ConfigMap defines the name of a ConfigMap that holds a CA certificate.
+                        The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
+                      type: string
+                    secret:
+                      description: |-
+                        Secret defines the name of a Secret that holds a CA certificate.
+                        The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
+                      type: string
+                  type: object
+                  x-kubernetes-validations:
+                  - message: RootCA cannot have both Secret and ConfigMap defined.
+                    rule: has(self.secret) && has(self.configMap)
+                type: array
               rootCAsSecrets:
-                description: RootCAsSecrets defines a list of CA secret used to validate
+                description: |-
-                  self-signed certificate.
+                  RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+                  Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
                 items:
                   type: string
                 type: array

docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml

@@ -21,7 +21,7 @@ spec:
           ServersTransportTCP is the CRD implementation of a TCPServersTransport.
           If no tcpServersTransport is specified, a default one named default@internal will be used.
           The default@internal tcpServersTransport can be configured in the static configuration.
-          More info: https://doc.traefik.io/traefik/v3.3/routing/services/#serverstransport_3
+          More info: https://doc.traefik.io/traefik/v3.4/routing/services/#serverstransport_3
         properties:
           apiVersion:
             description: |-
@@ -53,6 +53,7 @@ spec:
                   the protocol and operating system. Network protocols or operating
                   systems that do not support keep-alives ignore this field. If negative,
                   keep-alive probes are disabled.
+                pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                 x-kubernetes-int-or-string: true
               dialTimeout:
                 anyOf:
@@ -60,6 +61,7 @@ spec:
                 - type: string
                 description: DialTimeout is the amount of time to wait until a connection
                   to a backend server can be established.
+                pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                 x-kubernetes-int-or-string: true
               terminationDelay:
                 anyOf:
@@ -68,6 +70,7 @@ spec:
                 description: TerminationDelay defines the delay to wait before fully
                   terminating the connection, after one connected peer has closed
                   its writing capability.
+                pattern: ^([0-9]+(ns|us|µs|ms|s|m|h)?)+$
                 x-kubernetes-int-or-string: true
               tls:
                 description: TLS defines the TLS configuration
@@ -86,9 +89,33 @@ spec:
                       MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
                       PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
                     type: string
+                  rootCAs:
+                    description: RootCAs defines a list of CA certificate Secrets
+                      or ConfigMaps used to validate server certificates.
+                    items:
+                      description: |-
+                        RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
+                        If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
+                      properties:
+                        configMap:
+                          description: |-
+                            ConfigMap defines the name of a ConfigMap that holds a CA certificate.
+                            The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
+                          type: string
+                        secret:
+                          description: |-
+                            Secret defines the name of a Secret that holds a CA certificate.
+                            The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
+                          type: string
+                      type: object
+                      x-kubernetes-validations:
+                      - message: RootCA cannot have both Secret and ConfigMap defined.
+                        rule: has(self.secret) && has(self.configMap)
+                    type: array
                   rootCAsSecrets:
-                    description: RootCAsSecrets defines a list of CA secret used to
+                    description: |-
-                      validate self-signed certificates.
+                      RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+                      Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
                     items:
                       type: string
                     type: array

docs/content/reference/dynamic-configuration/traefik.io_tlsoptions.yaml

@@ -19,7 +19,7 @@ spec:
       openAPIV3Schema:
         description: |-
           TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
-          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#tls-options
+          More info: https://doc.traefik.io/traefik/v3.4/https/tls/#tls-options
         properties:
           apiVersion:
             description: |-
@@ -44,14 +44,14 @@ spec:
               alpnProtocols:
                 description: |-
                   ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
-                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#alpn-protocols
+                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#alpn-protocols
                 items:
                   type: string
                 type: array
               cipherSuites:
                 description: |-
                   CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
-                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#cipher-suites
+                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#cipher-suites
                 items:
                   type: string
                 type: array
@@ -79,10 +79,14 @@ spec:
               curvePreferences:
                 description: |-
                   CurvePreferences defines the preferred elliptic curves in a specific order.
-                  More info: https://doc.traefik.io/traefik/v3.3/https/tls/#curve-preferences
+                  More info: https://doc.traefik.io/traefik/v3.4/https/tls/#curve-preferences
                 items:
                   type: string
                 type: array
+              disableSessionTickets:
+                description: DisableSessionTickets disables TLS session resumption
+                  via session tickets.
+                type: boolean
               maxVersion:
                 description: |-
                   MaxVersion defines the maximum TLS version that Traefik will accept.

docs/content/reference/dynamic-configuration/traefik.io_tlsstores.yaml

@@ -21,7 +21,7 @@ spec:
           TLSStore is the CRD implementation of a Traefik TLS Store.
           For the time being, only the TLSStore named default is supported.
           This means that you cannot have two stores that are named default in different Kubernetes namespaces.
-          More info: https://doc.traefik.io/traefik/v3.3/https/tls/#certificates-stores
+          More info: https://doc.traefik.io/traefik/v3.4/https/tls/#certificates-stores
         properties:
           apiVersion:
             description: |-

docs/content/reference/dynamic-configuration/traefik.io_traefikservices.yaml

@@ -22,7 +22,7 @@ spec:
           TraefikService object allows to:
           - Apply weight to Services on load-balancing
           - Mirror traffic on services
-          More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#kind-traefikservice
+          More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#kind-traefikservice
         properties:
           apiVersion:
             description: |-
@@ -71,7 +71,7 @@ spec:
                         - type: integer
                         - type: string
                         description: |-
-                          Interval defines the frequency of the health check calls.
+                          Interval defines the frequency of the health check calls for healthy targets.
                           Default: 30s
                         x-kubernetes-int-or-string: true
                       method:
@@ -107,6 +107,15 @@ spec:
                           Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                           Default: 5s
                         x-kubernetes-int-or-string: true
+                      unhealthyInterval:
+                        anyOf:
+                        - type: integer
+                        - type: string
+                        description: |-
+                          UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                          When UnhealthyInterval is not defined, it defaults to the Interval value.
+                          Default: 30s
+                        x-kubernetes-int-or-string: true
                     type: object
                   kind:
                     description: Kind defines the kind of the Service.
@@ -156,7 +165,7 @@ spec:
                               - type: integer
                               - type: string
                               description: |-
-                                Interval defines the frequency of the health check calls.
+                                Interval defines the frequency of the health check calls for healthy targets.
                                 Default: 30s
                               x-kubernetes-int-or-string: true
                             method:
@@ -192,6 +201,15 @@ spec:
                                 Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                 Default: 5s
                               x-kubernetes-int-or-string: true
+                            unhealthyInterval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
                           type: object
                         kind:
                           description: Kind defines the kind of the Service.
@@ -268,11 +286,16 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
                               properties:
+                                domain:
+                                  description: |-
+                                    Domain defines the host to which the cookie will be sent.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                  type: string
                                 httpOnly:
                                   description: HTTPOnly defines whether the cookie
                                     can be accessed by client-side APIs, such as JavaScript.
@@ -296,6 +319,10 @@ spec:
                                   description: |-
                                     SameSite defines the same site policy.
                                     More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                  enum:
+                                  - none
+                                  - lax
+                                  - strict
                                   type: string
                                 secure:
                                   description: Secure defines whether the cookie can
@@ -307,12 +334,18 @@ spec:
                         strategy:
                           description: |-
                             Strategy defines the load balancing strategy between the servers.
-                            RoundRobin is the only supported value at the moment.
+                            Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                            RoundRobin value is deprecated and supported for backward compatibility.
+                          enum:
+                          - wrr
+                          - p2c
+                          - RoundRobin
                           type: string
                         weight:
                           description: |-
                             Weight defines the weight and should only be specified when Name references a TraefikService object
                             (and to be precise, one that embeds a Weighted Round Robin).
+                          minimum: 0
                           type: integer
                       required:
                       - name
@@ -381,11 +414,16 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines the sticky sessions configuration.
-                      More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+                      More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
                         properties:
+                          domain:
+                            description: |-
+                              Domain defines the host to which the cookie will be sent.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                            type: string
                           httpOnly:
                             description: HTTPOnly defines whether the cookie can be
                               accessed by client-side APIs, such as JavaScript.
@@ -409,6 +447,10 @@ spec:
                             description: |-
                               SameSite defines the same site policy.
                               More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                            enum:
+                            - none
+                            - lax
+                            - strict
                             type: string
                           secure:
                             description: Secure defines whether the cookie can only
@@ -419,12 +461,18 @@ spec:
                   strategy:
                     description: |-
                       Strategy defines the load balancing strategy between the servers.
-                      RoundRobin is the only supported value at the moment.
+                      Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                      RoundRobin value is deprecated and supported for backward compatibility.
+                    enum:
+                    - wrr
+                    - p2c
+                    - RoundRobin
                     type: string
                   weight:
                     description: |-
                       Weight defines the weight and should only be specified when Name references a TraefikService object
                       (and to be precise, one that embeds a Weighted Round Robin).
+                    minimum: 0
                     type: integer
                 required:
                 - name
@@ -463,7 +511,7 @@ spec:
                               - type: integer
                               - type: string
                               description: |-
-                                Interval defines the frequency of the health check calls.
+                                Interval defines the frequency of the health check calls for healthy targets.
                                 Default: 30s
                               x-kubernetes-int-or-string: true
                             method:
@@ -499,6 +547,15 @@ spec:
                                 Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
                                 Default: 5s
                               x-kubernetes-int-or-string: true
+                            unhealthyInterval:
+                              anyOf:
+                              - type: integer
+                              - type: string
+                              description: |-
+                                UnhealthyInterval defines the frequency of the health check calls for unhealthy targets.
+                                When UnhealthyInterval is not defined, it defaults to the Interval value.
+                                Default: 30s
+                              x-kubernetes-int-or-string: true
                           type: object
                         kind:
                           description: Kind defines the kind of the Service.
@@ -570,11 +627,16 @@ spec:
                         sticky:
                           description: |-
                             Sticky defines the sticky sessions configuration.
-                            More info: https://doc.traefik.io/traefik/v3.3/routing/services/#sticky-sessions
+                            More info: https://doc.traefik.io/traefik/v3.4/routing/services/#sticky-sessions
                           properties:
                             cookie:
                               description: Cookie defines the sticky cookie configuration.
                               properties:
+                                domain:
+                                  description: |-
+                                    Domain defines the host to which the cookie will be sent.
+                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                                  type: string
                                 httpOnly:
                                   description: HTTPOnly defines whether the cookie
                                     can be accessed by client-side APIs, such as JavaScript.
@@ -598,6 +660,10 @@ spec:
                                   description: |-
                                     SameSite defines the same site policy.
                                     More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                                  enum:
+                                  - none
+                                  - lax
+                                  - strict
                                   type: string
                                 secure:
                                   description: Secure defines whether the cookie can
@@ -609,12 +675,18 @@ spec:
                         strategy:
                           description: |-
                             Strategy defines the load balancing strategy between the servers.
-                            RoundRobin is the only supported value at the moment.
+                            Supported values are: wrr (Weighed round-robin) and p2c (Power of two choices).
+                            RoundRobin value is deprecated and supported for backward compatibility.
+                          enum:
+                          - wrr
+                          - p2c
+                          - RoundRobin
                           type: string
                         weight:
                           description: |-
                             Weight defines the weight and should only be specified when Name references a TraefikService object
                             (and to be precise, one that embeds a Weighted Round Robin).
+                          minimum: 0
                           type: integer
                       required:
                       - name
@@ -623,11 +695,16 @@ spec:
                   sticky:
                     description: |-
                       Sticky defines whether sticky sessions are enabled.
-                      More info: https://doc.traefik.io/traefik/v3.3/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+                      More info: https://doc.traefik.io/traefik/v3.4/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
                     properties:
                       cookie:
                         description: Cookie defines the sticky cookie configuration.
                         properties:
+                          domain:
+                            description: |-
+                              Domain defines the host to which the cookie will be sent.
+                              More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+                            type: string
                           httpOnly:
                             description: HTTPOnly defines whether the cookie can be
                               accessed by client-side APIs, such as JavaScript.
@@ -651,6 +728,10 @@ spec:
                             description: |-
                               SameSite defines the same site policy.
                               More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+                            enum:
+                            - none
+                            - lax
+                            - strict
                             type: string
                           secure:
                             description: Secure defines whether the cookie can only

docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md

@@ -40,7 +40,7 @@ which in turn creates the resulting routers, services, handlers, etc.
 <!-- markdownlint-disable MD013 -->
 
 | Field                                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                            | Default | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
+|:-----------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
 | `providers.providersThrottleDuration`                                  | Minimum amount of time to wait for, after a configuration reload, before taking into account any new configuration refresh event.<br />If multiple events occur within this time, only the most recent one is taken into account, and all others are discarded.<br />**This option cannot be set per provider, but the throttling algorithm applies to each of them independently.**                                                                                   | 2s      | No       |
 | `providers.kubernetesIngress.endpoint`                                 | Server endpoint URL.<br />More information [here](#endpoint).                                                                                                                                                                                                                                                                                                                                                                                                          | ""      | No       |
 | `providers.kubernetesIngress.token`                                    | Bearer token used for the Kubernetes client configuration.                                                                                                                                                                                                                                                                                                                                                                                                             | ""      | No       |
@@ -51,7 +51,7 @@ which in turn creates the resulting routers, services, handlers, etc.
 | `providers.kubernetesIngress.disableIngressClassLookup`                | Prevent to discover IngressClasses in the cluster.<br />It alleviates the requirement of giving Traefik the rights to look IngressClasses up.<br />Ignore Ingresses with IngressClass.<br />Annotations are not affected by this option.                                                                                                                                                                                                                               | false   | No       |
 | `providers.kubernetesIngress.`<br />`ingressEndpoint.hostname`         | Hostname used for Kubernetes Ingress endpoints.                                                                                                                                                                                                                                                                                                                                                                                                                        | ""      | No       |
 | `providers.kubernetesIngress.`<br />`ingressEndpoint.ip`               | This IP will get copied to the Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6).                                                                                                                                                                                                                                                                                                                                              | ""      | No       |
-| `providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService` | The Kubernetes service to copy status from.<br />When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the ingresses. | ""  | No |
+| `providers.kubernetesIngress.`<br />`ingressEndpoint.publishedService` | The Kubernetes service to copy status from.<br />More information [here](#ingressendpointpublishedservice).                                                                                                                                                                                                                                                                                                                                                            | ""      | No       |
 | `providers.kubernetesIngress.throttleDuration`                         | Minimum amount of time to wait between two Kubernetes events before producing a new configuration.<br />This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.<br />If empty, every event is caught.                                                                                                                                                                                             | 0s      | No       |
 | `providers.kubernetesIngress.allowEmptyServices`                       | Allows creating a route to reach a service that has no endpoint available.<br />It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status.                                                                                                                                                                                                                  | false   | No       |
 | `providers.kubernetesIngress.allowCrossNamespace`                      | Allows the `Ingress` to reference resources in namespaces other than theirs.                                                                                                                                                                                                                                                                                                                                                                                           | false   | No       |
@@ -99,6 +99,38 @@ providers:
 --providers.kubernetesingress.endpoint=http://localhost:8080
 ```
 
+###  `ingressEndpoint.publishedService`
+
+Format: `namespace/servicename`.
+
+The Kubernetes service to copy status from,
+depending on the service type:
+
+- **ClusterIP:** The ExternalIPs of the service will be propagated to the ingress status.
+- **NodePort:** The ExternalIP addresses of the nodes in the cluster will be propagated to the ingress status.
+- **LoadBalancer:** The IPs from the service's `loadBalancer.status` field (which contains the endpoints provided by the load balancer) will be propagated to the ingress status.
+
+When using third-party tools such as External-DNS, this option enables the copying of external service IPs to the ingress resources.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    ingressEndpoint:
+      publishedService: "namespace/foo-service"
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress.ingressEndpoint]
+  publishedService = "namespace/foo-service"
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
+```
+
+
 ## Routing Configuration
 
 See the dedicated section in [routing](../../../../routing/providers/kubernetes-ingress.md).

docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md

@@ -74,7 +74,7 @@ certificatesResolvers:
 ACME certificate resolvers have the following configuration options:
 
 | Field                                             | Description                                                                                                                                                                                                                                                                                                                | Default                                        | Required |
-|:------------------|:--------------------|:-----------------------------------------------|:---------|
+|:--------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------|:---------|
 | `acme.email`                                      | Email address used for registration.                                                                                                                                                                                                                                                                                       | ""                                             | Yes      |
 | `acme.caServer`                                   | CA server to use.                                                                                                                                                                                                                                                                                                          | https://acme-v02.api.letsencrypt.org/directory | No       |
 | `acme.preferredChain`                             | Preferred chain to use. If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name. If no match, the default offered chain will be used.                                                                                                                              | ""                                             | No       |
@@ -83,6 +83,8 @@ ACME certificate resolvers have the following configuration options:
 | `acme.eab.kid`                                    | Key identifier from External CA.                                                                                                                                                                                                                                                                                           | ""                                             | No       |
 | `acme.eab.hmacEncoded`                            | HMAC key from External CA, should be in Base64 URL Encoding without padding format.                                                                                                                                                                                                                                        | ""                                             | No       |
 | `acme.certificatesDuration`                       | The certificates' duration in hours, exclusively used to determine renewal dates.                                                                                                                                                                                                                                          | 2160                                           | No       |
+| `acme.clientTimeout`  | Timeout for HTTP Client used to communicate with the ACME server. | 2m  | No       |
+| `acme.clientResponseHeaderTimeout`  | Timeout for response headers for HTTP Client used to communicate with the ACME server. | 30s  | No       |
 | `acme.dnsChallenge`                               | Enable DNS-01 challenge. More information [here](#dnschallenge).                                                                                                                                                                                                                                                           | -                                              | No       |
 | `acme.dnsChallenge.provider`                      | DNS provider to use.                                                                                                                                                                                                                                                                                                       | ""                                             | No       |
 | `acme.dnsChallenge.resolvers`                     | DNS servers to resolve the FQDN authority.                                                                                                                                                                                                                                                                                 | []                                             | No       |
@@ -92,6 +94,7 @@ ACME certificate resolvers have the following configuration options:
 | `acme.dnsChallenge.propagation.disableANSChecks`  | Disables the challenge TXT record propagation checks against authoritative nameservers. This option will skip the propagation check against the nameservers of the authority (SOA). It should be used only if the nameservers of the authority are not reachable.                                                          | false                                          | No       |
 | `acme.httpChallenge`                              | Enable HTTP-01 challenge. More information [here](#httpchallenge).                                                                                                                                                                                                                                                         |                                                | No       |
 | `acme.httpChallenge.entryPoint`                   | EntryPoint to use for the HTTP-01 challenges. Must be reachable by Let's Encrypt through port 80                                                                                                                                                                                                                           | ""                                             | Yes      |
+| `acme.httpChallenge.delay`                        | The delay between the creation of the challenge and the validation. A value lower than or equal to zero means no delay.                                                                                                                                                                                                    | 0                                              | No       |
 | `acme.tlsChallenge`                               | Enable TLS-ALPN-01 challenge. Traefik must be reachable by Let's Encrypt through port 443. More information [here](#tlschallenge).                                                                                                                                                                                         | -                                              | No       |
 | `acme.storage`                                    | File path used for certificates storage.                                                                                                                                                                                                                                                                                   | "acme.json"                                    | Yes      |
 

docs/content/reference/routing-configuration/http/load-balancing/service.md

@@ -70,7 +70,6 @@ labels:
 
 ```json tab="Tags"
 {
-  // ...
   "Tags": [
     "traefik.http.services.my-service.loadBalancer.servers[0].url=http://private-ip-server-1/",
     "traefik.http.services.my-service.loadBalancer.servers[0].weight=2",
@@ -89,7 +88,7 @@ labels:
 ### Configuration Options
 
 | Field                              | Description                                                                                                                                                                                                                                                                                                                                                                                   | Required |
-|----------|------------------------------------------|----------|
+|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
 | `servers`                          | Represents individual backend instances for your service                                                                                                                                                                                                                                                                                                                                      | Yes      |
 | `sticky`                           | Defines a `Set-Cookie` header is set on the initial response to let the client know which server handles the first response.                                                                                                                                                                                                                                                                  | No       |
 | `healthcheck`                      | Configures health check to remove unhealthy servers from the load balancing rotation.                                                                                                                                                                                                                                                                                                         | No       |
@@ -105,7 +104,7 @@ Servers represent individual backend instances for your service. The [service lo
 ##### Configuration Options
 
 | Field          | Description                                        | Required                                                                         |
-|----------|------------------------------------------|----------|
+|----------------|----------------------------------------------------|----------------------------------------------------------------------------------|
 | `url`          | Points to a specific instance.                     | Yes for File provider, No for [Docker provider](../../other-providers/docker.md) |
 | `weight`       | Allows for weighted load balancing on the servers. | No                                                                               |
 | `preservePath` | Allows to preserve the URL path.                   | No                                                                               |
@@ -119,13 +118,14 @@ To propagate status changes (e.g. all servers of this service are down) upwards,
 Below are the available options for the health check mechanism:
 
 | Field               | Description                                                                                                                   | Default | Required |
-|----------|------------------------------------------|----------|--------|
+|---------------------|-------------------------------------------------------------------------------------------------------------------------------|---------|----------|
 | `path`              | Defines the server URL path for the health check endpoint.                                                                    | ""      | Yes      |
 | `scheme`            | Replaces the server URL scheme for the health check endpoint.                                                                 |         | No       |
 | `mode`              | If defined to `grpc`, will use the gRPC health check protocol to probe the server.                                            | http    | No       |
 | `hostname`          | Defines the value of hostname in the Host header of the health check request.                                                 | ""      | No       |
 | `port`              | Replaces the server URL port for the health check endpoint.                                                                   |         | No       |
-|`interval`| Defines the frequency of the health check calls. | 30s | No |
+| `interval`          | Defines the frequency of the health check calls for healthy targets.                                                          | 30s     | No       |
+| `unhealthyInterval` | Defines the frequency of the health check calls for unhealthy targets. When not defined, it defaults to the `interval` value. | 30s     | No       |
 | `timeout`           | Defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.            | 5s      | No       |
 | `headers`           | Defines custom headers to be sent to the health check endpoint.                                                               |         | No       |
 | `followRedirects`   | Defines whether redirects should be followed during the health check calls.                                                   | true    | No       |

docs/content/reference/routing-configuration/http/router/rules-and-priority.md

@@ -112,6 +112,11 @@ It only matches the request client IP and does not use the `X-Forwarded-For` hea
 
 ### RuleSyntax
 
+!!! warning
+
+    RuleSyntax option is deprecated and will be removed in the next major version.
+    Please do not use this field and rewrite the router rules to use the v3 syntax.
+
 In Traefik v3 a new rule syntax has been introduced ([migration guide](../../../../migration/v3.md)). the `ruleSyntax` option allows to configure the rule syntax to be used for parsing the rule on a per-router basis. This allows to have heterogeneous router configurations and ease migration.
 
 The default value of the `ruleSyntax` option is inherited from the `defaultRuleSyntax` option in the install configuration (formerly known as static configuration). By default, the `defaultRuleSyntax` static option is v3, meaning that the default rule syntax is also v3

docs/content/reference/routing-configuration/http/tls/tls-options.md

@@ -225,4 +225,38 @@ tls:
       clientAuthType = "RequireAndVerifyClientCert"
 ```
 
+### Disable Session Tickets
+
+_Optional, Default="false"_
+
+When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.
+
+```yaml tab="File (YAML)"
+# Dynamic configuration
+
+tls:
+  options:
+    default:
+      disableSessionTickets: true
+```
+
+```toml tab="File (TOML)"
+# Dynamic configuration
+
+[tls.options]
+  [tls.options.default]
+    disableSessionTickets = true
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.io/v1alpha1
+kind: TLSOption
+metadata:
+  name: default
+  namespace: default
+
+spec:
+  disableSessionTickets: true
+```
+
 {!traefik-for-business-applications.md!}

docs/content/reference/routing-configuration/kubernetes/crd/http/ingressroute.md

@@ -75,7 +75,7 @@ spec:
 ## Configuration Options
 
 | Field                                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Default                                                              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
+|:---------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
 | `entryPoints`                                                                    | List of [entry points](../../../../install-configuration/entrypoints.md) names.<br />If not specified, HTTP routers will accept requests from all EntryPoints in the list of default EntryPoints.                                                                                                                                                                                                                                                                                                                                                                                                              |                                                                      | No       |
 | `routes`                                                                         | List of routes.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                                                                      | Yes      |
 | `routes[n].kind`                                                                 | Kind of router matching, only `Rule` is allowed yet.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | "Rule"                                                               | No       |
@@ -99,7 +99,8 @@ spec:
 | `routes[n].`<br />`services[m].`<br />`healthCheck.scheme`                       | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
 | `routes[n].`<br />`services[m].`<br />`healthCheck.mode`                         | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                  | "http"                                                               | No       |
 | `routes[n].`<br />`services[m].`<br />`healthCheck.path`                         | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                             | ""                                                                   | No       |
-| `routes[n].`<br />`services[m].`<br />`healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service). | "100ms" | No |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.interval`                     | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                   | "100ms"                                                              | No       |
+| `routes[n].`<br />`services[m].`<br />`healthCheck.unhealthyInterval`            | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                     | "100ms"                                                              | No       |
 | `routes[n].`<br />`services[m].`<br />`healthCheck.method`                       | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                 | "GET"                                                                | No       |
 | `routes[n].`<br />`services[m].`<br />`healthCheck.status`                       | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
 | `routes[n].`<br />`services[m].`<br />`healthCheck.port`                         | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#externalname-service).                                                                                                                                                                                                                                                                                                                                                                    |                                                                      | No       |

docs/content/reference/routing-configuration/kubernetes/crd/http/tlsoption.md

@@ -47,7 +47,7 @@ spec:
 ## Configuration Options
 
 | Field                       | Description                                                                                                                                                                                                                                                                                                                                                                                              | Default                    | Required |
-|:----------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------|:---------|
+|:----------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------|:---------|
 | `minVersion`                | Minimum TLS version that is acceptable.                                                                                                                                                                                                                                                                                                                                                                  | "VersionTLS12"             | No       |
 | `maxVersion`                | Maximum TLS version that is acceptable.<br />We do not recommend setting this option to disable TLS 1.3.                                                                                                                                                                                                                                                                                                 |                            | No       |
 | `cipherSuites`              | List of supported [cipher suites](https://godoc.org/crypto/tls#pkg-constants) for TLS versions up to TLS 1.2.<br />[Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa.](https://tools.ietf.org/html/rfc8446)<br />With TLS 1.3, [the cipher suites are not configurable](https://golang.org/doc/go1.12#tls_1_3) (all supported cipher suites are safe in this case). |                            | No       |
@@ -56,6 +56,7 @@ spec:
 | `clientAuth.clientAuthType` | Client Authentication (mTLS) option.<br />Client authentication type to apply. Available values [here](#client-authentication-mtls).                                                                                                                                                                                                                                                                     |                            | No       |
 | `sniStrict`                 | Allow rejecting connections from clients connections that do not specify a server_name extension.<br />The [default certificate](../../../http/tls/tls-certificates.md#default-certificate) is never served is the option is enabled.                                                                                                                                                                    | false                      | No       |
 | `alpnProtocols`             | List of supported application level protocols for the TLS handshake, in order of preference.<br />If the client supports ALPN, the selected protocol will be one from this list, and the connection will fail if there is no mutually supported protocol.                                                                                                                                                | "h2, http/1.1, acme-tls/1" | No       |
+| `disableSessiontTickets`    | Allow disabling the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.                                                                                                                                                                                                                                                                           | false                      | No       |
 
 ### Client Authentication (mTLS)
 
@@ -76,7 +77,7 @@ When no TLS options are specified in an `IngressRoute`/`IngressRouteTCP`, the `d
 The default behavior is summed up in the table below:
 
 | Configuration             | Behavior                                                    |
-|:--------------------------|:-----------------------------------------------------------|
+|:--------------------------|:------------------------------------------------------------|
 | No `default` TLS Option   | Default internal set of TLS Options by default.             |
 | One `default` TLS Option  | Custom TLS Options applied by default.                      |
 | Many `default` TLS Option | Error log + Default internal set of TLS Options by default. |

docs/content/reference/routing-configuration/kubernetes/crd/http/traefikservice.md

@@ -149,7 +149,7 @@ data:
 ### Configuration Options
 
 | Field                                                          | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | Default                                                              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
+|:---------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
 | `services`                                                     | List of any combination of TraefikService and [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). <br />.                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                      | No       |
 | `services[m].`<br />`kind`                                     | Kind of the service targeted.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br /> - **TraefikService**: Traefik Service.                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | ""                                                                   | No       |
 | `services[m].`<br />`name`                                     | Service name.<br />The character `@` is not authorized.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | ""                                                                   | Yes      |
@@ -162,7 +162,8 @@ data:
 | `services[m].`<br />`healthCheck.scheme`                       | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
 | `services[m].`<br />`healthCheck.mode`                         | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                               | "http"                                                               | No       |
 | `services[m].`<br />`healthCheck.path`                         | Server URL path for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                          | ""                                                                   | No       |
-| `services[m].`<br />`healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`. | "100ms" | No |
+| `services[m].`<br />`healthCheck.interval`                     | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`.                                                                                                                                                                                                                                                                                                                                                                  | "100ms"                                                              | No       |
+| `services[m].`<br />`healthCheck.unhealthyInterval`            | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName]`ExternalName`.                                                                                                                                                                                                                                                                                                    | "100ms"                                                              | No       |
 | `services[m].`<br />`healthCheck.method`                       | HTTP method for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                              | "GET"                                                                | No       |
 | `services[m].`<br />`healthCheck.status`                       | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind is **Service**.                                                                                                                                                                                                                                                                                                              |                                                                      | No       |
 | `services[m].`<br />`healthCheck.port`                         | URL port for the health check endpoint.<br />Evaluated only if the kind is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type `ExternalName`.                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                      | No       |
@@ -373,7 +374,7 @@ spec:
     The mirrored services properties are set in the `mirrors` list.
 
 | Field                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       | Default                                                              | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
+|:--------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------------|:---------|
 | `kind`                                                        | Kind of the main service.<br />Two values allowed:<br />- **Service**: Kubernetes Service<br />- **TraefikService**: Traefik Service.<br />More information [here](#services)                                                                                                                                                                                                                                                                                                                                                                                                     | ""                                                                   | No       |
 | `name`                                                        | Main service name.<br />The character `@` is not authorized.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ""                                                                   | Yes      |
 | `namespace`                                                   | Main service namespace.<br />More information [here](#services).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  | ""                                                                   | No       |
@@ -385,7 +386,8 @@ spec:
 | `healthCheck.scheme`                                          | Server URL scheme for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                      | ""                                                                   | No       |
 | `healthCheck.mode`                                            | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                             | "http"                                                               | No       |
 | `healthCheck.path`                                            | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                        | ""                                                                   | No       |
-| `healthCheck.interval` | Frequency of the health check calls.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services). | "100ms" | No |
+| `healthCheck.interval`                                        | Frequency of the health check calls for healthy targets.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                              | "100ms"                                                              | No       |
+| `healthCheck.unhealthyInterval`                               | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                | "100ms"                                                              | No       |
 | `healthCheck.method`                                          | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                            | "GET"                                                                | No       |
 | `healthCheck.status`                                          | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the main service is **Service**.                                                                                                                                                                                                                                                       |                                                                      | No       |
 | `healthCheck.port`                                            | URL port for the health check endpoint.<br />Evaluated only if the kind of the main service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                               |                                                                      | No       |
@@ -417,6 +419,7 @@ spec:
 | `mirrors[m].`<br />`healthCheck.mode`                         | Health check mode.<br /> If defined to grpc, will use the gRPC health check protocol to probe the server.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                         | "http"                                                               | No       |
 | `mirrors[m].`<br />`healthCheck.path`                         | Server URL path for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                    | ""                                                                   | No       |
 | `mirrors[m].`<br />`healthCheck.interval`                     | Frequency of the health check calls.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                              | "100ms"                                                              | No       |
+| `mirrors[m].`<br />`healthCheck.unhealthyInterval`            | Frequency of the health check calls for unhealthy targets.<br />When not defined, it defaults to the `interval` value.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                            | "100ms"                                                              | No       |
 | `mirrors[m].`<br />`healthCheck.method`                       | HTTP method for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                        | "GET"                                                                | No       |
 | `mirrors[m].`<br />`healthCheck.status`                       | Expected HTTP status code of the response to the health check request.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.<br />If not set, expect a status between 200 and 399.<br />Evaluated only if the kind of the mirrored service is **Service**.                                                                                                                                                                                                                                                   |                                                                      | No       |
 | `mirrors[m].`<br />`healthCheck.port`                         | URL port for the health check endpoint.<br />Evaluated only if the kind of the mirrored service is **Service**.<br />Only for [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type [ExternalName](#services).                                                                                                                                                                                                                                                                                                                           |                                                                      | No       |

docs/content/reference/routing-configuration/kubernetes/ingress.md

@@ -77,6 +77,11 @@ spec:
 
 ??? info "`traefik.ingress.kubernetes.io/router.rulesyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [rule syntax](../http/router/rules-and-priority.md#rulesyntax) for more information.
 
     ```yaml

docs/content/reference/routing-configuration/other-providers/consul-catalog.md

@@ -45,6 +45,11 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
 
 ??? info "`traefik.http.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [ruleSyntax](../http/router/rules-and-priority.md#rulesyntax) for more information.
     
     ```yaml
@@ -217,6 +222,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../http/load-balancing/service.md#health-check) for more information.
@@ -380,6 +393,11 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
 
 ??? info "`traefik.tcp.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     configure the rule syntax to be used for parsing the rule on a per-router basis.
     
     ```yaml

docs/content/reference/routing-configuration/other-providers/docker.md

@@ -158,6 +158,11 @@ For example, to change the rule, you could add the label ```traefik.http.routers
 
 ??? info "`traefik.http.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [ruleSyntax](../http/router/rules-and-priority.md#rulesyntax) for more information.
     
     ```yaml
@@ -322,6 +327,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
      "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    ```yaml
+     "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.
@@ -496,6 +509,11 @@ You can declare TCP Routers and/or Services using labels.
 
 ??? info "`traefik.tcp.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     configure the rule syntax to be used for parsing the rule on a per-router basis.
     
     ```yaml

docs/content/reference/routing-configuration/other-providers/ecs.md

@@ -47,6 +47,11 @@ For example, to change the rule, you could add the label ```traefik.http.routers
 
 ??? info "`traefik.http.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [ruleSyntax](../http/router/rules-and-priority.md#rulesyntax) for more information.
     
     ```yaml
@@ -213,6 +218,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../http/load-balancing/service.md#health-check) for more information.
@@ -380,6 +393,11 @@ You can declare TCP Routers and/or Services using labels.
 
 ??? info "`traefik.tcp.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     configure the rule syntax to be used for parsing the rule on a per-router basis.
     
     ```yaml

docs/content/reference/routing-configuration/other-providers/kv.md

@@ -25,6 +25,11 @@ description: "Read the technical documentation to learn the Traefik Routing Conf
 
 ??? info "`traefik/http/routers/<router_name>/ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [rule](../http/router/rules-and-priority.md#rulesyntax) for more information.
     
     | Key (Path)                           | Value                      |
@@ -198,6 +203,14 @@ description: "Read the technical documentation to learn the Traefik Routing Conf
     |---------------------------------------------------------------------|-------|
     | `traefik/http/services/myservice/loadbalancer/healthcheck/interval` | `10`  |
 
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    | Key (Path)                                                                   | Value |
+    |------------------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/unhealthyinterval` | `10`  |
+
 ??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.
@@ -590,10 +603,11 @@ You can declare UDP Routers and/or Services using KV.
 With the KV provider, you configure some parameters of the TLS connection using the `tls/options` key. For example, you can define a basic setup like this:
 
 | Key (Path)                                           | Value    |
-|---------------------------------------------------------------------------------|------------------|
+|------------------------------------------------------|----------|
 | `traefik/tls/options/Options0/alpnProtocols/0`       | `foobar` |
 | `traefik/tls/options/Options0/cipherSuites/0`        | `foobar` |
 | `traefik/tls/options/Options0/clientAuth/caFiles/0`  | `foobar` |
+| `traefik/tls/options/Options0/disableSessiontickets` | `true`   |
 
 For more information on the available TLS options that can be configured, please refer to the [TLS Options](../http/tls/tls-options.md) page.
 
@@ -602,7 +616,7 @@ For more information on the available TLS options that can be configured, please
 You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate. The configuration to resolve the default certificate should be defined in a TLS store:
 
 | Key (Path)                                                     | Value    |
-|---------------------------------------------------------------------------------|----------------|
+|----------------------------------------------------------------|----------|
 | `traefik/tls/stores/Store0/defaultGeneratedCert/domain/main`   | `foobar` |
 | `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/0` | `foobar` |
 | `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/1` | `foobar` |

docs/content/reference/routing-configuration/other-providers/nomad.md

@@ -45,6 +45,11 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
 
 ??? info "`traefik.http.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [ruleSyntax](../http/router/rules-and-priority.md#rulesyntax) for more information.
     
     ```yaml
@@ -217,6 +222,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.
@@ -372,6 +385,11 @@ You can declare TCP Routers and/or Services using tags.
 
 ??? info "`traefik.tcp.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     configure the rule syntax to be used for parsing the rule on a per-router basis.
     
     ```yaml

docs/content/reference/routing-configuration/other-providers/swarm.md

@@ -169,6 +169,11 @@ For example, to change the rule, you could add the label ```traefik.http.routers
 
 ??? info "`traefik.http.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [ruleSyntax](../http/router/rules-and-priority.md#rulesyntax) for more information.
     
     ```yaml
@@ -346,6 +351,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../http/load-balancing/service.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../http/load-balancing/service.md#health-check) for more information.
@@ -518,6 +531,11 @@ You can declare TCP Routers and/or Services using labels.
 
 ??? info "`traefik.tcp.routers.<router_name>.ruleSyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     configure the rule syntax to be used for parsing the rule on a per-router basis.
     
     ```yaml

docs/content/reference/static-configuration/cli-ref.md

@@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul
 `--certificatesresolvers.<name>.acme.certificatesduration`:  
 Certificates' duration in hours. (Default: ```2160```)
 
+`--certificatesresolvers.<name>.acme.clientresponseheadertimeout`:  
+Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
+
+`--certificatesresolvers.<name>.acme.clienttimeout`:  
+Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
+
 `--certificatesresolvers.<name>.acme.dnschallenge`:  
 Activate DNS-01 Challenge. (Default: ```false```)
 
@@ -168,9 +174,15 @@ Key identifier from External CA.
 `--certificatesresolvers.<name>.acme.email`:  
 Email address used for registration.
 
+`--certificatesresolvers.<name>.acme.emailaddresses`:  
+CSR email addresses to use.
+
 `--certificatesresolvers.<name>.acme.httpchallenge`:  
 Activate HTTP-01 Challenge. (Default: ```false```)
 
+`--certificatesresolvers.<name>.acme.httpchallenge.delay`:  
+Delay between the creation of the challenge and the validation. (Default: ```0```)
+
 `--certificatesresolvers.<name>.acme.httpchallenge.entrypoint`:  
 HTTP challenge EntryPoint
 
@@ -180,6 +192,9 @@ KeyType used for generating certificate private key. Allow value 'EC256', 'EC384
 `--certificatesresolvers.<name>.acme.preferredchain`:  
 Preferred chain to use.
 
+`--certificatesresolvers.<name>.acme.profile`:  
+Certificate profile to use.
+
 `--certificatesresolvers.<name>.acme.storage`:  
 Storage to use. (Default: ```acme.json```)
 
@@ -339,6 +354,9 @@ Environment variables to forward to the wasm guest.
 `--experimental.localplugins.<name>.settings.mounts`:  
 Directory to mount to the wasm guest.
 
+`--experimental.localplugins.<name>.settings.useunsafe`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `--experimental.otlplogs`:  
 Enables the OpenTelemetry logs integration. (Default: ```false```)
 
@@ -354,6 +372,9 @@ Environment variables to forward to the wasm guest.
 `--experimental.plugins.<name>.settings.mounts`:  
 Directory to mount to the wasm guest.
 
+`--experimental.plugins.<name>.settings.useunsafe`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `--experimental.plugins.<name>.version`:  
 plugin's version.
 

docs/content/reference/static-configuration/env-ref.md

@@ -129,6 +129,12 @@ Define if the certificates pool must use a copy of the system cert pool. (Defaul
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CERTIFICATESDURATION`:  
 Certificates' duration in hours. (Default: ```2160```)
 
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTRESPONSEHEADERTIMEOUT`:  
+Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_CLIENTTIMEOUT`:  
+Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE`:  
 Activate DNS-01 Challenge. (Default: ```false```)
 
@@ -168,9 +174,15 @@ Key identifier from External CA.
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EMAIL`:  
 Email address used for registration.
 
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EMAILADDRESSES`:  
+CSR email addresses to use.
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE`:  
 Activate HTTP-01 Challenge. (Default: ```false```)
 
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_DELAY`:  
+Delay between the creation of the challenge and the validation. (Default: ```0```)
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_HTTPCHALLENGE_ENTRYPOINT`:  
 HTTP challenge EntryPoint
 
@@ -180,6 +192,9 @@ KeyType used for generating certificate private key. Allow value 'EC256', 'EC384
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_PREFERREDCHAIN`:  
 Preferred chain to use.
 
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_PROFILE`:  
+Certificate profile to use.
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_STORAGE`:  
 Storage to use. (Default: ```acme.json```)
 
@@ -339,6 +354,9 @@ Environment variables to forward to the wasm guest.
 `TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS_MOUNTS`:  
 Directory to mount to the wasm guest.
 
+`TRAEFIK_EXPERIMENTAL_LOCALPLUGINS_<NAME>_SETTINGS_USEUNSAFE`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `TRAEFIK_EXPERIMENTAL_OTLPLOGS`:  
 Enables the OpenTelemetry logs integration. (Default: ```false```)
 
@@ -354,6 +372,9 @@ Environment variables to forward to the wasm guest.
 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_SETTINGS_MOUNTS`:  
 Directory to mount to the wasm guest.
 
+`TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_SETTINGS_USEUNSAFE`:  
+Allow the plugin to use unsafe package. (Default: ```false```)
+
 `TRAEFIK_EXPERIMENTAL_PLUGINS_<NAME>_VERSION`:  
 plugin's version.
 

docs/content/reference/static-configuration/file.toml

@@ -506,9 +506,13 @@
       email = "foobar"
       caServer = "foobar"
       preferredChain = "foobar"
+      profile = "foobar"
+      emailAddresses = ["foobar", "foobar"]
       storage = "foobar"
       keyType = "foobar"
       certificatesDuration = 42
+      clientTimeout = "42s"
+      clientResponseHeaderTimeout = "42s"
       caCertificates = ["foobar", "foobar"]
       caSystemCertPool = true
       caServerName = "foobar"
@@ -527,6 +531,7 @@
           delayBeforeChecks = "42s"
       [certificatesResolvers.CertificateResolver0.acme.httpChallenge]
         entryPoint = "foobar"
+        delay = "42s"
       [certificatesResolvers.CertificateResolver0.acme.tlsChallenge]
     [certificatesResolvers.CertificateResolver0.tailscale]
   [certificatesResolvers.CertificateResolver1]
@@ -534,9 +539,13 @@
       email = "foobar"
       caServer = "foobar"
       preferredChain = "foobar"
+      profile = "foobar"
+      emailAddresses = ["foobar", "foobar"]
       storage = "foobar"
       keyType = "foobar"
       certificatesDuration = 42
+      clientTimeout = "42s"
+      clientResponseHeaderTimeout = "42s"
       caCertificates = ["foobar", "foobar"]
       caSystemCertPool = true
       caServerName = "foobar"
@@ -555,6 +564,7 @@
           delayBeforeChecks = "42s"
       [certificatesResolvers.CertificateResolver1.acme.httpChallenge]
         entryPoint = "foobar"
+        delay = "42s"
       [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]
     [certificatesResolvers.CertificateResolver1.tailscale]
 
@@ -569,23 +579,27 @@
       [experimental.plugins.Descriptor0.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
     [experimental.plugins.Descriptor1]
       moduleName = "foobar"
       version = "foobar"
       [experimental.plugins.Descriptor1.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
   [experimental.localPlugins]
     [experimental.localPlugins.LocalDescriptor0]
       moduleName = "foobar"
       [experimental.localPlugins.LocalDescriptor0.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
     [experimental.localPlugins.LocalDescriptor1]
       moduleName = "foobar"
       [experimental.localPlugins.LocalDescriptor1.settings]
         envs = ["foobar", "foobar"]
         mounts = ["foobar", "foobar"]
+        useUnsafe = true
   [experimental.fastProxy]
     debug = true
 

docs/content/reference/static-configuration/file.yaml

@@ -547,12 +547,18 @@ certificatesResolvers:
       email: foobar
       caServer: foobar
       preferredChain: foobar
+      profile: foobar
+      emailAddresses:
+        - foobar
+        - foobar
       storage: foobar
       keyType: foobar
       eab:
         kid: foobar
         hmacEncoded: foobar
       certificatesDuration: 42
+      clientTimeout: 42s
+      clientResponseHeaderTimeout: 42s
       caCertificates:
         - foobar
         - foobar
@@ -572,6 +578,7 @@ certificatesResolvers:
         disablePropagationCheck: true
       httpChallenge:
         entryPoint: foobar
+        delay: 42s
       tlsChallenge: {}
     tailscale: {}
   CertificateResolver1:
@@ -579,12 +586,18 @@ certificatesResolvers:
       email: foobar
       caServer: foobar
       preferredChain: foobar
+      profile: foobar
+      emailAddresses:
+        - foobar
+        - foobar
       storage: foobar
       keyType: foobar
       eab:
         kid: foobar
         hmacEncoded: foobar
       certificatesDuration: 42
+      clientTimeout: 42s
+      clientResponseHeaderTimeout: 42s
       caCertificates:
         - foobar
         - foobar
@@ -604,6 +617,7 @@ certificatesResolvers:
         disablePropagationCheck: true
       httpChallenge:
         entryPoint: foobar
+        delay: 42s
       tlsChallenge: {}
     tailscale: {}
 experimental:
@@ -618,6 +632,7 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
     Descriptor1:
       moduleName: foobar
       version: foobar
@@ -628,6 +643,7 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
   localPlugins:
     LocalDescriptor0:
       moduleName: foobar
@@ -638,6 +654,7 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
     LocalDescriptor1:
       moduleName: foobar
       settings:
@@ -647,6 +664,7 @@ experimental:
         mounts:
           - foobar
           - foobar
+        useUnsafe: true
   abortOnPluginFailure: true
   fastProxy:
     debug: true

docs/content/routing/entrypoints.md

@@ -1290,7 +1290,7 @@ entryPoints:
 
 Traefik supports [systemd socket activation](https://www.freedesktop.org/software/systemd/man/latest/systemd-socket-activate.html).
 
-When a socket activation file descriptor name matches an EntryPoint name, the corresponding file descriptor will be used as the TCP listener for the matching EntryPoint.
+When a socket activation file descriptor name matches an EntryPoint name, the corresponding file descriptor will be used as the TCP/UDP listener for the matching EntryPoint.
 
 ```bash
 systemd-socket-activate -l 80 -l 443 --fdname web:websecure  ./traefik --entrypoints.web --entrypoints.websecure
@@ -1298,16 +1298,16 @@ systemd-socket-activate -l 80 -l 443 --fdname web:websecure  ./traefik --entrypo
 
 !!! warning "EntryPoint Address"
 
-    When a socket activation file descriptor name matches an EntryPoint name its address configuration is ignored.     
+    When a socket activation file descriptor name matches an EntryPoint name its address configuration is ignored. For support UDP routing, address must have /udp suffix (--entrypoints.my-udp-entrypoint.address=/udp)
-
-!!! warning "TCP Only"
-
-    Socket activation is not yet supported with UDP entryPoints.
 
 !!! warning "Docker Support"
 
     Socket activation is not supported by Docker but works with Podman containers.
 
+!!! warning "Multiple listeners in socket file"
+
+    Each systemd socket file must contain only one Listen directive, except in the case of HTTP/3, where the file must include both ListenStream and ListenDatagram directives. To set up TCP and UDP listeners on the same port, use multiple socket files with different entrypoints names.
+
 ## Observability Options
 
 This section is dedicated to options to control observability for an EntryPoint.

docs/content/routing/providers/consul-catalog.md

@@ -168,6 +168,15 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.server.scheme=http
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.url`"
+
+    Defines the service URL.
+    This option cannot be used in combination with `port` or `scheme` definition.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.server.url=http://foobar:8080
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.serverstransport`"
     
     Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
@@ -209,6 +218,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../services/index.md#health-check) for more information.
@@ -313,6 +330,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.domain`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.sticky.cookie.domain=foo.com
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage`"
     
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -329,6 +354,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.strategy`"
+
+    See [load balancing strategy](../services/index.md#load-balancing-strategy) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.strategy=p2c
+    ```
+
 ### Middleware
 
 You can declare pieces of middleware using tags starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.

docs/content/routing/providers/docker.md

@@ -283,6 +283,15 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.server.scheme=http"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.url`"
+
+    Defines the service URL.
+    This option cannot be used in combination with `port` or `scheme` definition.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.server.url=http://foobar:8080"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.serverstransport`"
 
     Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
@@ -324,6 +333,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../services/index.md#health-check) for more information.
@@ -428,6 +445,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.domain`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.domain=foo.com"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage`"
 
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -444,6 +469,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.strategy`"
+
+    See [load balancing strategy](../services/index.md#load-balancing-strategy) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.strategy=p2c"
+    ```
+
 ### Middleware
 
 You can declare pieces of middleware using labels starting with `traefik.http.middlewares.<name-of-your-choice>.`,

docs/content/routing/providers/ecs.md

@@ -170,6 +170,15 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     traefik.http.services.myservice.loadbalancer.server.scheme=http
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.url`"
+
+    Defines the service URL.
+    This option cannot be used in combination with `port` or `scheme` definition.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.server.url=http://foobar:8080
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.serverstransport`"
     
     Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
@@ -211,6 +220,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+    
+    See [health check](../services/index.md#health-check) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
     
     See [health check](../services/index.md#health-check) for more information.
@@ -315,6 +332,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.domain`"
+    
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+    
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.sticky.cookie.domain=foo.com
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage`"
     
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -333,6 +358,14 @@ you'd add the label `traefik.http.services.{name-of-your-choice}.loadbalancer.pa
     traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.strategy`"
+
+    See [load balancing strategy](../services/index.md#load-balancing-strategy) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.strategy=p2c
+    ```
+
 ### Middleware
 
 You can declare pieces of middleware using labels starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.

docs/content/routing/providers/kubernetes-crd.md

@@ -48,7 +48,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.3
+              image: traefik:v3.4
               args:
                 - --log.level=DEBUG
                 - --api
@@ -357,19 +357,20 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
               sameSite: none
               maxAge: 42  
               path: /foo
-          strategy: RoundRobin
+              domain: foo.com
+          strategy: wrr                 # [16]
           weight: 10
-          nativeLB: true                # [16]
+          nativeLB: true                # [17]
-          nodePortLB: true              # [17]
+          nodePortLB: true              # [18]
-      tls:                              # [18]
+      tls:                              # [19]
-        secretName: supersecret         # [19]
+        secretName: supersecret         # [20]
-        options:                        # [20]
+        options:                        # [21]
-          name: opt                     # [21]
+          name: opt                     # [22]
-          namespace: default            # [22]
+          namespace: default            # [23]
-        certResolver: foo               # [23]
+        certResolver: foo               # [24]
-        domains:                        # [24]
+        domains:                        # [25]
-        - main: example.net             # [25]
+        - main: example.net             # [26]
-          sans:                         # [26]
+          sans:                         # [27]
           - a.example.net
           - b.example.net
     ```
@@ -391,17 +392,18 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
 | [13] | `services[n].port`             | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                       |
 | [14] | `services[n].serversTransport` | Defines the reference to a [ServersTransport](#kind-serverstransport). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
 | [15] | `services[n].healthCheck`      | Defines the HealthCheck when service references a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) of type ExternalName.                                                                                                                               |
-| [16] | `services[n].nativeLB`         | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.                                                                                                                                     |
+| [16] | `services[n].strategy`         | Defines the load-balancing strategy for the load-balancer. Supported values are `wrr` and `p2c`, please refer to the [Load Balancing documentation](../routing/services/#load-balancing-strategy) for more information.                                                                      |
-| [17] | `services[n].nodePortLB`       | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.                                                                                                                               |
+| [17] | `services[n].nativeLB`         | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.                                                                                                                                     |
-| [18] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                             |
+| [18] | `services[n].nodePortLB`       | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.                                                                                                                               |
-| [19] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                         |
+| [19] | `tls`                          | Defines [TLS](../routers/index.md#tls) certificate configuration                                                                                                                                                                                                                             |
-| [20] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                      |
+| [20] | `tls.secretName`               | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace)                                                                                                                                         |
-| [21] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                |
+| [21] | `tls.options`                  | Defines the reference to a [TLSOption](#kind-tlsoption)                                                                                                                                                                                                                                      |
-| [22] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                           |
+| [22] | `options.name`                 | Defines the [TLSOption](#kind-tlsoption) name                                                                                                                                                                                                                                                |
-| [23] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                  |
+| [23] | `options.namespace`            | Defines the [TLSOption](#kind-tlsoption) namespace                                                                                                                                                                                                                                           |
-| [24] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                               |
+| [24] | `tls.certResolver`             | Defines the reference to a [CertResolver](../routers/index.md#certresolver)                                                                                                                                                                                                                  |
-| [25] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                 |
+| [25] | `tls.domains`                  | List of [domains](../routers/index.md#domains)                                                                                                                                                                                                                                               |
-| [26] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                           |
+| [26] | `domains[n].main`              | Defines the main domain name                                                                                                                                                                                                                                                                 |
+| [27] | `domains[n].sans`              | List of SANs (alternative domains)                                                                                                                                                                                                                                                           |
 
 ??? example "Declaring an IngressRoute"
 
@@ -604,7 +606,7 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
 
 #### Load Balancing
 
-More information in the dedicated server [load balancing](../services/index.md#load-balancing) section.
+More information in the dedicated server [load balancing](../services/index.md#load-balancing-strategy) section.
 
 !!! info "Declaring and using Kubernetes Service Load Balancing"
 
@@ -1849,9 +1851,9 @@ Register the `TLSStore` kind in the Kubernetes cluster before creating `TLSStore
     spec:
       serverName: foobar                        # [1]
       insecureSkipVerify: true                  # [2]
-      rootCAsSecrets:                           # [3]
+      rootCAs:                                  # [3]
-        - foobar
+        - configMap: foobar
-        - foobar
+        - secret: foobar
       certificatesSecrets:                      # [4]
         - foobar
         - foobar
@@ -1870,10 +1872,10 @@ Register the `TLSStore` kind in the Kubernetes cluster before creating `TLSStore
     ```
 
 | Ref  | Attribute               | Purpose                                                                                                                                                                                         |
-|------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+|------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | [1]  | `serverName`            | ServerName used to contact the server.                                                                                                                                                          |
 | [2]  | `insecureSkipVerify`    | Controls whether the server's certificate chain and host name is verified.                                                                                                                      |
-| [3]  | `rootCAsSecrets`        | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
+| [3]  | `rootCAs`               | Defines the set of root certificate authorities to use when verifying server certificates. The referenced Secret or ConfigMap must contain a certificate under either a tls.ca or a ca.crt key. |
 | [4]  | `certificatesSecrets`   | Certificates to present to the server for mTLS.                                                                                                                                                 |
 | [5]  | `maxIdleConnsPerHost`   | Controls the maximum idle (keep-alive) connections to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used.                                                                             |
 | [6]  | `forwardingTimeouts`    | Timeouts for requests forwarded to the servers.                                                                                                                                                 |
@@ -1958,9 +1960,9 @@ The `default@internal` serversTransportTCP is created from the [static configura
         serverName: foobar                      # [5]
         insecureSkipVerify: true                # [6]
         peerCertURI: foobar                     # [7]
-        rootCAsSecrets:                         # [8]
+        rootCAs:                                # [8]
-          - foobar
+          - secret: foobar
-          - foobar
+          - configMap: foobar
         certificatesSecrets:                    # [9]
           - foobar
           - foobar
@@ -1980,7 +1982,7 @@ The `default@internal` serversTransportTCP is created from the [static configura
 | [5]  | `serverName`          | ServerName used to contact the server.                                                                                                                                                                                                                                                                                                              |
 | [6]  | `insecureSkipVerify`  | Controls whether the server's certificate chain and host name is verified.                                                                                                                                                                                                                                                                          |
 | [7]  | `peerCertURI`         | URI used to match against SAN URIs during the server's certificate verification.                                                                                                                                                                                                                                                                    |
-| [8]  | `rootCAsSecrets`      | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key.                                                                                                                                                                             |
+| [8]  | `rootCAs`             | Defines the set of root certificate authorities to use when verifying server certificates. The referenced Secret or ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.                                                                                                                                                     |
 | [9]  | `certificatesSecrets` | Certificates to present to the server for mTLS.                                                                                                                                                                                                                                                                                                     |
 | [10] | `spiffe`              | The SPIFFE configuration.                                                                                                                                                                                                                                                                                                                           |
 | [11] | `ids`                 | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).                                                                                                                                                                                                                                                                      |

docs/content/routing/providers/kubernetes-ingress.md

@@ -130,7 +130,7 @@ which in turn will create the resulting routers, services, handlers, etc.
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.3
+              image: traefik:v3.4
               args:
                 - --entryPoints.web.address=:80
                 - --providers.kubernetesingress
@@ -231,6 +231,11 @@ which in turn will create the resulting routers, services, handlers, etc.
 
 ??? info "`traefik.ingress.kubernetes.io/router.rulesyntax`"
 
+    !!! warning
+
+        RuleSyntax option is deprecated and will be removed in the next major version.
+        Please do not use this field and rewrite the router rules to use the v3 syntax.
+
     See [rule syntax](../routers/index.md#rulesyntax) for more information.
 
     ```yaml
@@ -391,6 +396,14 @@ which in turn will create the resulting routers, services, handlers, etc.
     traefik.ingress.kubernetes.io/service.sticky.cookie.samesite: "none"
     ```
 
+??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.domain`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    traefik.ingress.kubernetes.io/service.sticky.cookie.domain: "foo.com"
+    ```
+
 ??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.httponly`"
 
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -580,7 +593,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.3
+              image: traefik:v3.4
               args:
                 - --entryPoints.websecure.address=:443
                 - --entryPoints.websecure.http.tls
@@ -773,7 +786,7 @@ For more options, please refer to the available [annotations](#on-ingress).
           serviceAccountName: traefik-ingress-controller
           containers:
             - name: traefik
-              image: traefik:v3.3
+              image: traefik:v3.4
               args:
                 - --entryPoints.websecure.address=:443
                 - --providers.kubernetesingress

docs/content/routing/providers/kv.md

@@ -180,6 +180,14 @@ A Story of key & values
     |---------------------------------------------------------------------|-------|
     | `traefik/http/services/myservice/loadbalancer/healthcheck/interval` | `10`  |
 
+??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    | Key (Path)                                                                   | Value |
+    |------------------------------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/healthcheck/unhealthyinterval` | `10`  |
+
 ??? info "`traefik/http/services/<service_name>/loadbalancer/healthcheck/path`"
 
     See [health check](../services/index.md#health-check) for more information.
@@ -276,6 +284,14 @@ A Story of key & values
     |-----------------------------------------------------------------------|--------|
     | `traefik/http/services/myservice/loadbalancer/sticky/cookie/samesite` | `none` |
 
+??? info "`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/domain`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    | Key (Path)                                                            | Value     |
+    |-----------------------------------------------------------------------|-----------|
+    | `traefik/http/services/myservice/loadbalancer/sticky/cookie/domain`   | `foo.com` |
+
 ??? info "`traefik/http/services/<service_name>/loadbalancer/sticky/cookie/maxage`"
 
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -292,6 +308,14 @@ A Story of key & values
     |---------------------------------------------------------------------------------|-------|
     | `traefik/http/services/myservice/loadbalancer/responseforwarding/flushinterval` | `10`  |
 
+??? info "`traefik/http/services/<service_name>/loadbalancer/strategy`"
+
+    See [load balancing strategy](../services/index.md#load-balancing-strategy) for more information.
+
+    | Key (Path)                                              | Value |
+    |---------------------------------------------------------|-------|
+    | `traefik/http/services/myservice/loadbalancer/strategy` | `p2c` |
+
 ??? info "`traefik/http/services/<service_name>/mirroring/service`"
 
     | Key (Path)                                               | Value    |
@@ -340,6 +364,12 @@ A Story of key & values
     |------------------------------------------------------------------------|--------|
     | `traefik/http/services/<service_name>/weighted/sticky/cookie/samesite` | `none` |
 
+??? info "`traefik/http/services/<service_name>/weighted/sticky/cookie/domain`"
+
+    | Key (Path)                                                             | Value     |
+    |------------------------------------------------------------------------|-----------|
+    | `traefik/http/services/<service_name>/weighted/sticky/cookie/domain`   | `foo.com` |
+
 ??? info "`traefik/http/services/<service_name>/weighted/sticky/cookie/httpOnly`"
 
     | Key (Path)                                                             | Value  |

docs/content/routing/providers/nomad.md

@@ -168,6 +168,15 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.server.scheme=http
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.url`"
+
+    Defines the service URL.
+    This option cannot be used in combination with `port` or `scheme` definition.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.server.url=http://foobar:8080
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.serverstransport`"
 
     Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
@@ -209,6 +218,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../services/index.md#health-check) for more information.
@@ -297,6 +314,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.domain`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.sticky.cookie.domain=foo.com
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage`"
 
     See [sticky sessions](../services/index.md#sticky-sessions) for more information.
@@ -321,6 +346,14 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
     traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.strategy`"
+
+    See [load balancing strategy](../services/index.md#load-balancing-strategy) for more information.
+
+    ```yaml
+    traefik.http.services.myservice.loadbalancer.strategy=p2c
+    ```
+
 ### Middleware
 
 You can declare pieces of middleware using tags starting with `traefik.http.middlewares.{name-of-your-choice}.`, followed by the middleware type/options.

docs/content/routing/providers/swarm.md

@@ -297,6 +297,15 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.server.scheme=http"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.server.url`"
+
+    Defines the service URL.
+    This option cannot be used in combination with `port` or `scheme` definition.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.server.url=http://foobar:8080"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.serverstransport`"
 
     Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
@@ -338,6 +347,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.healthcheck.interval=10s"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.unhealthyinterval`"
+
+    See [health check](../services/index.md#health-check) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.unhealthyinterval=10s"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.path`"
 
     See [health check](../services/index.md#health-check) for more information.
@@ -442,6 +459,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.domain`"
+
+    See [sticky sessions](../services/index.md#sticky-sessions) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.sticky.cookie.domain=foo.com"
+    ```
+
 ??? info "`traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval`"
 
     See [response forwarding](../services/index.md#response-forwarding) for more information.
@@ -450,6 +475,14 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     - "traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10"
     ```
 
+??? info "`traefik.http.services.<service_name>.loadbalancer.strategy`"
+
+    See [load balancing strategy](../services/index.md#load-balancing-strategy) for more information.
+
+    ```yaml
+    - "traefik.http.services.myservice.loadbalancer.strategy=p2c"
+    ```
+
 ### Middleware
 
 You can declare pieces of middleware using labels starting with `traefik.http.middlewares.<name-of-your-choice>.`,

docs/content/routing/services/index.md

@@ -139,6 +139,47 @@ The `url` option point to a specific instance.
           url = "http://private-ip-server-1/"
     ```
 
+The `preservePath` option allows to preserve the URL path.
+
+!!! info "Health Check"
+
+    When a [health check](#health-check) is configured for the server, the path is not preserved.
+
+??? example "A Service with One Server and PreservePath -- Using the [File Provider](../../providers/file.md)"
+
+    ```yaml tab="YAML"
+    ## Dynamic configuration
+    http:
+      services:
+        my-service:
+          loadBalancer:
+            servers:
+              - url: "http://private-ip-server-1/base"
+                preservePath: true
+    ```
+
+    ```toml tab="TOML"
+    ## Dynamic configuration
+    [http.services]
+      [http.services.my-service.loadBalancer]
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-1/base"
+          preservePath = true
+    ```
+
+#### Load Balancing Strategy
+
+The `strategy` option allows to choose the load balancing algorithm.
+
+Two load balancing algorithms are supported:
+
+- Weighed round-robin (wrr)
+- Power of two choices (p2c)
+
+##### WRR
+
+Weighed round-robin is the default strategy (and does not need to be specified).
+
 The `weight` option allows for weighted load balancing on the servers.
 
 ??? example "A Service with Two Servers with Weight -- Using the [File Provider](../../providers/file.md)"
@@ -169,39 +210,11 @@ The `weight` option allows for weighted load balancing on the servers.
           weight = 1
     ```
 
-The `preservePath` option allows to preserve the URL path.
+##### P2C
 
-!!! info "Health Check"
+Power of two choices algorithm is a load balancing strategy that selects two servers at random and chooses the one with the least number of active requests.
 
-    When a [health check](#health-check) is configured for the server, the path is not preserved.
+??? example "P2C Load Balancing -- Using the [File Provider](../../providers/file.md)"
-
-??? example "A Service with One Server and PreservePath -- Using the [File Provider](../../providers/file.md)"
-
-    ```yaml tab="YAML"
-    ## Dynamic configuration
-    http:
-      services:
-        my-service:
-          loadBalancer:
-            servers:
-              - url: "http://private-ip-server-1/base"
-                preservePath: true
-    ```
-
-    ```toml tab="TOML"
-    ## Dynamic configuration
-    [http.services]
-      [http.services.my-service.loadBalancer]
-        [[http.services.my-service.loadBalancer.servers]]
-          url = "http://private-ip-server-1/base"
-          preservePath = true
-    ```
-
-#### Load-balancing
-
-For now, only round robin load balancing is supported:
-
-??? example "Load Balancing -- Using the [File Provider](../../providers/file.md)"
 
     ```yaml tab="YAML"
     ## Dynamic configuration
@@ -209,19 +222,24 @@ For now, only round robin load balancing is supported:
       services:
         my-service:
           loadBalancer:
+            strategy: "p2c"
             servers:
             - url: "http://private-ip-server-1/"
             - url: "http://private-ip-server-2/"
+            - url: "http://private-ip-server-3/"
     ```
 
     ```toml tab="TOML"
     ## Dynamic configuration
     [http.services]
       [http.services.my-service.loadBalancer]
+        strategy = "p2c"
         [[http.services.my-service.loadBalancer.servers]]
           url = "http://private-ip-server-1/"
         [[http.services.my-service.loadBalancer.servers]]
           url = "http://private-ip-server-2/"       
+        [[http.services.my-service.loadBalancer.servers]]
+          url = "http://private-ip-server-3/"
     ```
 
 #### Sticky sessions
@@ -255,6 +273,12 @@ On subsequent requests, to keep the session alive with the same server, the clie
 
     `SameSite` can be `none`, `lax`, `strict` or empty.
 
+!!! info "Domain"
+
+    The Domain attribute of a cookie specifies the domain for which the cookie is valid. 
+    
+    By setting the Domain attribute, the cookie can be shared across subdomains (for example, a cookie set for example.com would be accessible to www.example.com, api.example.com, etc.). This is particularly useful in cases where sticky sessions span multiple subdomains, ensuring that the session is maintained even when the client interacts with different parts of the infrastructure.
+
 ??? example "Adding Stickiness -- Using the [File Provider](../../providers/file.md)"
 
     ```yaml tab="YAML"
@@ -286,6 +310,7 @@ On subsequent requests, to keep the session alive with the same server, the clie
               cookie:
                 name: my_sticky_cookie_name
                 secure: true
+                domain: mysite.site
                 httpOnly: true
     ```
 
@@ -297,6 +322,7 @@ On subsequent requests, to keep the session alive with the same server, the clie
           name = "my_sticky_cookie_name"
           secure = true
           httpOnly = true
+          domain = "mysite.site"
           sameSite = "none"
     ```
 
@@ -389,7 +415,8 @@ Below are the available options for the health check mechanism:
 - `mode` (default: http), if defined to `grpc`, will use the gRPC health check protocol to probe the server.
 - `hostname` (optional), sets the value of `hostname` in the `Host` header of the health check request.
 - `port` (optional), replaces the server URL `port` for the health check endpoint.
-- `interval` (default: 30s), defines the frequency of the health check calls.
+- `interval` (default: 30s), defines the frequency of the health check calls for healthy targets.
+- `unhealthyInterval` (default: 30s), defines the frequency of the health check calls for unhealthy targets.  When not defined, it defaults to the `interval` value.
 - `timeout` (default: 5s), defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.
 - `headers` (optional), defines custom headers to be sent to the health check endpoint.
 - `followRedirects` (default: true), defines whether redirects should be followed during the health check calls.
@@ -398,7 +425,7 @@ Below are the available options for the health check mechanism:
 
 !!! info "Interval & Timeout Format"
 
-    Interval and timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
+    Interval, UnhealthyInterval and Timeout are to be given in a format understood by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
 
 !!! info "Recovering Servers"
 

docs/content/user-guides/crd-acme/03-deployments.yml

@@ -26,7 +26,7 @@ spec:
       serviceAccountName: traefik-ingress-controller
       containers:
         - name: traefik
-          image: traefik:v3.3
+          image: traefik:v3.4
           args:
             - --api.insecure
             - --accesslog

docs/content/user-guides/crd-acme/index.md

@@ -49,10 +49,10 @@ and the RBAC authorization resources which will be referenced through the `servi
 
 ```bash
 # Install Traefik Resource Definitions:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 
 # Install RBAC for Traefik:
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 ```
 
 ### Services
@@ -60,7 +60,7 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/con
 Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/traefik/whoami).
 
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/02-services.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/user-guides/crd-acme/02-services.yml
 ```
 
 ```yaml
@@ -73,7 +73,7 @@ Next, the deployments, i.e. the actual pods behind the services.
 Again, one pod for Traefik, and one for the whoami app.
 
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/03-deployments.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/user-guides/crd-acme/03-deployments.yml
 ```
 
 ```yaml
@@ -100,7 +100,7 @@ Look it up.
 We can now finally apply the actual ingressRoutes, with:
 
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/04-ingressroutes.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/user-guides/crd-acme/04-ingressroutes.yml
 ```
 
 ```yaml
@@ -126,7 +126,7 @@ Nowadays, TLS v1.0 and v1.1 are deprecated.
 In order to force TLS v1.2 or later on all your IngressRoute, you can define the `default` TLSOption:
 
 ```bash
-kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/content/user-guides/crd-acme/05-tlsoption.yml
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/content/user-guides/crd-acme/05-tlsoption.yml
 ```
 
 ```yaml

docs/content/user-guides/docker-compose/acme-dns/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v3.3"
+    image: "traefik:v3.4"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"

docs/content/user-guides/docker-compose/acme-dns/docker-compose_secrets.yml

@@ -13,7 +13,7 @@ secrets:
 services:
 
   traefik:
-    image: "traefik:v3.3"
+    image: "traefik:v3.4"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"

docs/content/user-guides/docker-compose/acme-http/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v3.3"
+    image: "traefik:v3.4"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"

docs/content/user-guides/docker-compose/acme-tls/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v3.3"
+    image: "traefik:v3.4"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"

docs/content/user-guides/docker-compose/basic-example/docker-compose.yml

@@ -3,7 +3,7 @@ version: "3.3"
 services:
 
   traefik:
-    image: "traefik:v3.3"
+    image: "traefik:v3.4"
     container_name: "traefik"
     command:
       #- "--log.level=DEBUG"

docs/content/user-guides/docker-compose/basic-example/index.md

@@ -31,7 +31,7 @@ Create a `docker-compose.yml` file with the following content:
     services:
 
       traefik:
-        image: "traefik:v3.3"
+        image: "traefik:v3.4"
         ...
         networks:
           - traefiknet

go.mod

@@ -56,6 +56,7 @@ require (
 	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.6.1
 	github.com/quic-go/quic-go v0.48.2
+	github.com/redis/go-redis/v9 v9.7.3
 	github.com/rs/zerolog v1.33.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spiffe/go-spiffe/v2 v2.4.0
@@ -76,6 +77,7 @@ require (
 	github.com/valyala/fasthttp v1.58.0
 	github.com/vulcand/oxy/v2 v2.0.3
 	github.com/vulcand/predicate v1.2.0
+	github.com/yuin/gopher-lua v1.1.1
 	go.opentelemetry.io/collector/pdata v1.10.0
 	go.opentelemetry.io/contrib/bridges/otellogrus v0.7.0
 	go.opentelemetry.io/contrib/propagators/autoprop v0.53.0
@@ -305,7 +307,6 @@ require (
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
-	github.com/redis/go-redis/v9 v9.7.3 // indirect
 	github.com/regfish/regfish-dnsapi-go v0.1.1 // indirect
 	github.com/rs/cors v1.7.0 // indirect
 	github.com/sacloud/api-client-go v0.2.10 // indirect

go.sum

@@ -1267,6 +1267,8 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
+github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=

integration/conformance-reports/v1.2.1/experimental-v3.4-default-report.yaml

@@ -8,7 +8,7 @@ implementation:
   organization: traefik
   project: traefik
   url: https://traefik.io/
-  version: v3.3
+  version: v3.4
 kind: ConformanceReport
 mode: default
 profiles:

integration/consul_catalog_test.go

@@ -170,8 +170,6 @@ func (s *ConsulCatalogSuite) TestByLabels() {
 		Tags: []string{
 			"traefik.enable=true",
 			"traefik.http.routers.router1.rule=Path(`/whoami`)",
-			"traefik.http.routers.router1.service=service1",
-			"traefik.http.services.service1.loadBalancer.server.url=http://" + containerIP,
 		},
 		Port:    80,
 		Address: containerIP,
@@ -576,8 +574,6 @@ func (s *ConsulCatalogSuite) TestConsulServiceWithHealthCheck() {
 	tags := []string{
 		"traefik.enable=true",
 		"traefik.http.routers.router1.rule=Path(`/whoami`)",
-		"traefik.http.routers.router1.service=service1",
-		"traefik.http.services.service1.loadBalancer.server.url=http://" + whoamiIP,
 	}
 
 	reg1 := &api.AgentServiceRegistration{
@@ -658,8 +654,6 @@ func (s *ConsulCatalogSuite) TestConsulConnect() {
 			"traefik.enable=true",
 			"traefik.consulcatalog.connect=true",
 			"traefik.http.routers.router1.rule=Path(`/`)",
-			"traefik.http.routers.router1.service=service1",
-			"traefik.http.services.service1.loadBalancer.server.url=https://" + connectIP,
 		},
 		Connect: &api.AgentServiceConnect{
 			Native: true,
@@ -718,8 +712,6 @@ func (s *ConsulCatalogSuite) TestConsulConnect_ByDefault() {
 		Tags: []string{
 			"traefik.enable=true",
 			"traefik.http.routers.router1.rule=Path(`/`)",
-			"traefik.http.routers.router1.service=service1",
-			"traefik.http.services.service1.loadBalancer.server.url=https://" + connectIP,
 		},
 		Connect: &api.AgentServiceConnect{
 			Native: true,
@@ -800,8 +792,6 @@ func (s *ConsulCatalogSuite) TestConsulConnect_NotAware() {
 			"traefik.enable=true",
 			"traefik.consulcatalog.connect=true",
 			"traefik.http.routers.router1.rule=Path(`/`)",
-			"traefik.http.routers.router1.service=service1",
-			"traefik.http.services.service1.loadBalancer.server.url=https://" + connectIP,
 		},
 		Connect: &api.AgentServiceConnect{
 			Native: true,

integration/error_pages_test.go

@@ -69,6 +69,30 @@ func (s *ErrorPagesSuite) TestErrorPage() {
 	require.NoError(s.T(), err)
 }
 
+func (s *ErrorPagesSuite) TestStatusRewrites() {
+	// The `statusRewrites.toml` file contains a misconfigured backend host and some status code rewrites.
+	file := s.adaptFile("fixtures/error_pages/statusRewrites.toml", struct {
+		Server1 string
+		Server2 string
+	}{s.BackendIP, s.ErrorPageIP})
+
+	s.traefikCmd(withConfigFile(file))
+
+	frontendReq, err := http.NewRequest(http.MethodGet, "http://127.0.0.1:8080", nil)
+	require.NoError(s.T(), err)
+	frontendReq.Host = "test502.local"
+
+	err = try.Request(frontendReq, 2*time.Second, try.BodyContains("An error occurred."), try.StatusCodeIs(404))
+	require.NoError(s.T(), err)
+
+	frontendReq, err = http.NewRequest(http.MethodGet, "http://127.0.0.1:8080", nil)
+	require.NoError(s.T(), err)
+	frontendReq.Host = "test418.local"
+
+	err = try.Request(frontendReq, 2*time.Second, try.BodyContains("An error occurred."), try.StatusCodeIs(400))
+	require.NoError(s.T(), err)
+}
+
 func (s *ErrorPagesSuite) TestErrorPageFlush() {
 	srv := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header().Add("Transfer-Encoding", "chunked")

integration/fixtures/error_pages/statusRewrites.toml

@@ -0,0 +1,45 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8080"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    rule = "Host(`test502.local`)"
+    service = "service1"
+    middlewares = ["error"]
+  [http.routers.router2]
+    rule = "Host(`test418.local`)"
+    service = "noop@internal"
+    middlewares = ["error"]
+
+[http.middlewares]
+  [http.middlewares.error.errors]
+    status = ["500-502", "503-599", "418"]
+    service = "error"
+    query = "/50x.html"
+    [http.middlewares.error.errors.statusRewrites]
+      "418" = 400
+      "500-502" = 404
+
+[http.services]
+  [http.services.service1.loadBalancer]
+    passHostHeader = true
+    [[http.services.service1.loadBalancer.servers]]
+      url = "http://{{.Server1}}:8989474"
+
+  [http.services.error.loadBalancer]
+    [[http.services.error.loadBalancer.servers]]
+      url = "http://{{.Server2}}:80"

integration/fixtures/ratelimit/simple_redis.toml

@@ -0,0 +1,39 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[api]
+  insecure = true
+
+[log]
+  level = "DEBUG"
+  noColor = true
+
+[entryPoints]
+  [entryPoints.web]
+    address = ":8081"
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[http.routers]
+  [http.routers.router1]
+    service = "service1"
+    middlewares = [ "ratelimit" ]
+    rule = "Path(`/`)"
+
+[http.middlewares]
+  [http.middlewares.ratelimit.rateLimit]
+    average = 100
+    burst = 1
+    [http.middlewares.ratelimit.rateLimit.redis]
+      endpoints = ["{{ .RedisEndpoint }}"]
+
+[http.services]
+  [http.services.service1]
+    [http.services.service1.loadBalancer]
+      passHostHeader = true
+      [[http.services.service1.loadBalancer.servers]]
+        url = "http://{{.Server1}}:80"

integration/ratelimit_test.go

@@ -1,6 +1,7 @@
 package integration
 
 import (
+	"net"
 	"net/http"
 	"testing"
 	"time"
@@ -13,6 +14,7 @@ import (
 type RateLimitSuite struct {
 	BaseSuite
 	ServerIP      string
+	RedisEndpoint string
 }
 
 func TestRateLimitSuite(t *testing.T) {
@@ -26,6 +28,7 @@ func (s *RateLimitSuite) SetupSuite() {
 	s.composeUp()
 
 	s.ServerIP = s.getComposeServiceIP("whoami1")
+	s.RedisEndpoint = net.JoinHostPort(s.getComposeServiceIP("redis"), "6379")
 }
 
 func (s *RateLimitSuite) TearDownSuite() {
@@ -58,3 +61,34 @@ func (s *RateLimitSuite) TestSimpleConfiguration() {
 		s.T().Fatalf("requests throughput was too fast wrt to rate limiting: 100 requests in %v", elapsed)
 	}
 }
+
+func (s *RateLimitSuite) TestRedisRateLimitSimpleConfiguration() {
+	file := s.adaptFile("fixtures/ratelimit/simple_redis.toml", struct {
+		Server1       string
+		RedisEndpoint string
+	}{
+		Server1:       s.ServerIP,
+		RedisEndpoint: s.RedisEndpoint,
+	})
+
+	s.traefikCmd(withConfigFile(file))
+
+	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("ratelimit", "redis"))
+	require.NoError(s.T(), err)
+
+	start := time.Now()
+	count := 0
+	for {
+		err = try.GetRequest("http://127.0.0.1:8081/", 500*time.Millisecond, try.StatusCodeIs(http.StatusOK))
+		require.NoError(s.T(), err)
+		count++
+		if count > 100 {
+			break
+		}
+	}
+	stop := time.Now()
+	elapsed := stop.Sub(start)
+	if elapsed < time.Second*99/100 {
+		s.T().Fatalf("requests throughput was too fast wrt to rate limiting: 100 requests in %v", elapsed)
+	}
+}

integration/resources/compose/ratelimit.yml

@@ -2,3 +2,10 @@ version: "3.8"
 services:
   whoami1:
     image: traefik/whoami
+
+  redis:
+    image: redis:5.0
+    command:
+      - redis-server
+      - --port
+      - 6379

integration/testdata/rawdata-consul.json

@@ -63,7 +63,7 @@
       ],
       "service": "api@internal",
       "rule": "PathPrefix(`/api`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775806,
       "observability": {
         "accessLogs": true,
@@ -85,7 +85,7 @@
       ],
       "service": "dashboard@internal",
       "rule": "PathPrefix(`/`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775805,
       "observability": {
         "accessLogs": true,
@@ -200,6 +200,7 @@
             "url": "http://10.0.1.1:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"
@@ -225,6 +226,7 @@
             "url": "http://10.0.1.2:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"
@@ -242,6 +244,7 @@
             "url": "http://10.0.1.3:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"

integration/testdata/rawdata-crd-label-selector.json

@@ -58,6 +58,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"

integration/testdata/rawdata-crd.json

@@ -172,6 +172,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"
@@ -196,6 +197,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"
@@ -220,6 +222,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"
@@ -245,6 +248,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"

integration/testdata/rawdata-etcd.json

@@ -63,7 +63,7 @@
       ],
       "service": "api@internal",
       "rule": "PathPrefix(`/api`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775806,
       "observability": {
         "accessLogs": true,
@@ -85,7 +85,7 @@
       ],
       "service": "dashboard@internal",
       "rule": "PathPrefix(`/`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775805,
       "observability": {
         "accessLogs": true,
@@ -200,6 +200,7 @@
             "url": "http://10.0.1.1:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"
@@ -225,6 +226,7 @@
             "url": "http://10.0.1.2:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"
@@ -242,6 +244,7 @@
             "url": "http://10.0.1.3:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"

integration/testdata/rawdata-gateway.json

@@ -6,7 +6,7 @@
 			],
 			"service": "api@internal",
 			"rule": "PathPrefix(`/api`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775806,
 			"observability": {
 				"accessLogs": true,
@@ -28,7 +28,7 @@
 			],
 			"service": "dashboard@internal",
 			"rule": "PathPrefix(`/`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775805,
 			"observability": {
 				"accessLogs": true,
@@ -46,7 +46,7 @@
 			],
 			"service": "httproute-default-http-app-1-gw-default-my-gateway-ep-web-0-1c0cf64bde37d9d0df06-wrr",
 			"rule": "Host(`foo.com`) \u0026\u0026 Path(`/bar`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 100008,
 			"observability": {
 				"accessLogs": true,
@@ -64,7 +64,7 @@
 			],
 			"service": "httproute-default-http-app-1-gw-default-my-https-gateway-ep-websecure-0-1c0cf64bde37d9d0df06-wrr",
 			"rule": "Host(`foo.com`) \u0026\u0026 Path(`/bar`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 100008,
 			"tls": {},
 			"observability": {
@@ -126,6 +126,7 @@
 						"url": "http://10.42.0.6:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"
@@ -176,7 +177,7 @@
 			],
 			"service": "tcproute-default-tcp-app-1-gw-default-my-tcp-gateway-ep-footcp-0-e3b0c44298fc1c149afb-wrr",
 			"rule": "HostSNI(`*`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": -1,
 			"status": "enabled",
 			"using": [
@@ -189,7 +190,7 @@
 			],
 			"service": "tcproute-default-tcp-app-1-gw-default-my-tls-gateway-ep-footlsterminate-0-e3b0c44298fc1c149afb-wrr",
 			"rule": "HostSNI(`*`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": -1,
 			"tls": {
 				"passthrough": false
@@ -205,8 +206,8 @@
 			],
 			"service": "tlsroute-default-tls-app-1-gw-default-my-tls-gateway-ep-footlspassthrough-0-e3b0c44298fc1c149afb-wrr",
 			"rule": "HostSNI(`foo.bar`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
-			"priority": 18,
+			"priority": 7,
 			"tls": {
 				"passthrough": true
 			},

integration/testdata/rawdata-ingress-label-selector.json

@@ -6,7 +6,7 @@
 			],
 			"service": "api@internal",
 			"rule": "PathPrefix(`/api`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775806,
 			"observability": {
 				"accessLogs": true,
@@ -28,7 +28,7 @@
 			],
 			"service": "dashboard@internal",
 			"rule": "PathPrefix(`/`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775805,
 			"observability": {
 				"accessLogs": true,
@@ -106,6 +106,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"

integration/testdata/rawdata-ingress.json

@@ -6,7 +6,7 @@
 			],
 			"service": "api@internal",
 			"rule": "PathPrefix(`/api`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775806,
 			"observability": {
 				"accessLogs": true,
@@ -28,7 +28,7 @@
 			],
 			"service": "dashboard@internal",
 			"rule": "PathPrefix(`/`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775805,
 			"observability": {
 				"accessLogs": true,
@@ -157,6 +157,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"
@@ -182,6 +183,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"

integration/testdata/rawdata-ingressclass-disabled.json

@@ -6,7 +6,7 @@
 			],
 			"service": "api@internal",
 			"rule": "PathPrefix(`/api`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775806,
 			"observability": {
 				"accessLogs": true,
@@ -28,7 +28,7 @@
 			],
 			"service": "dashboard@internal",
 			"rule": "PathPrefix(`/`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775805,
 			"observability": {
 				"accessLogs": true,

integration/testdata/rawdata-ingressclass.json

@@ -6,7 +6,7 @@
 			],
 			"service": "api@internal",
 			"rule": "PathPrefix(`/api`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775806,
 			"observability": {
 				"accessLogs": true,
@@ -28,7 +28,7 @@
 			],
 			"service": "dashboard@internal",
 			"rule": "PathPrefix(`/`)",
-			"ruleSyntax": "v3",
+			"ruleSyntax": "default",
 			"priority": 9223372036854775805,
 			"observability": {
 				"accessLogs": true,
@@ -106,6 +106,7 @@
 						"url": "http://10.42.0.5:80"
 					}
 				],
+				"strategy": "wrr",
 				"passHostHeader": true,
 				"responseForwarding": {
 					"flushInterval": "100ms"

integration/testdata/rawdata-redis.json

@@ -63,7 +63,7 @@
       ],
       "service": "api@internal",
       "rule": "PathPrefix(`/api`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775806,
       "observability": {
         "accessLogs": true,
@@ -85,7 +85,7 @@
       ],
       "service": "dashboard@internal",
       "rule": "PathPrefix(`/`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775805,
       "observability": {
         "accessLogs": true,
@@ -200,6 +200,7 @@
             "url": "http://10.0.1.1:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"
@@ -225,6 +226,7 @@
             "url": "http://10.0.1.2:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"

integration/testdata/rawdata-zk.json

@@ -63,7 +63,7 @@
       ],
       "service": "api@internal",
       "rule": "PathPrefix(`/api`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775806,
       "observability": {
         "accessLogs": true,
@@ -85,7 +85,7 @@
       ],
       "service": "dashboard@internal",
       "rule": "PathPrefix(`/`)",
-      "ruleSyntax": "v3",
+      "ruleSyntax": "default",
       "priority": 9223372036854775805,
       "observability": {
         "accessLogs": true,
@@ -200,6 +200,7 @@
             "url": "http://10.0.1.1:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"
@@ -225,6 +226,7 @@
             "url": "http://10.0.1.2:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"
@@ -242,6 +244,7 @@
             "url": "http://10.0.1.3:8889"
           }
         ],
+        "strategy": "wrr",
         "passHostHeader": true,
         "responseForwarding": {
           "flushInterval": "100ms"

pkg/cli/deprecation.go

@@ -179,6 +179,7 @@ func findTypedField(rType reflect.Type, node *parser.Node) (reflect.StructField,
 
 // configuration holds the static configuration removed/deprecated options.
 type configuration struct {
+	Core         *core          `json:"core,omitempty" toml:"core,omitempty" yaml:"core,omitempty" label:"allowEmpty" file:"allowEmpty"`
 	Experimental *experimental  `json:"experimental,omitempty" toml:"experimental,omitempty" yaml:"experimental,omitempty" label:"allowEmpty" file:"allowEmpty"`
 	Pilot        map[string]any `json:"pilot,omitempty" toml:"pilot,omitempty" yaml:"pilot,omitempty" label:"allowEmpty" file:"allowEmpty"`
 	Providers    *providers     `json:"providers,omitempty" toml:"providers,omitempty" yaml:"providers,omitempty" label:"allowEmpty" file:"allowEmpty"`
@@ -194,13 +195,28 @@ func (c *configuration) deprecationNotice(logger zerolog.Logger) bool {
 	if c.Pilot != nil {
 		incompatible = true
 		logger.Error().Msg("Pilot configuration has been removed in v3, please remove all Pilot-related static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#pilot")
+			" For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#pilot")
 	}
 
+	incompatibleCore := c.Core.deprecationNotice(logger)
 	incompatibleExperimental := c.Experimental.deprecationNotice(logger)
 	incompatibleProviders := c.Providers.deprecationNotice(logger)
 	incompatibleTracing := c.Tracing.deprecationNotice(logger)
-	return incompatible || incompatibleExperimental || incompatibleProviders || incompatibleTracing
+	return incompatible || incompatibleCore || incompatibleExperimental || incompatibleProviders || incompatibleTracing
+}
+
+type core struct {
+	DefaultRuleSyntax string `json:"defaultRuleSyntax,omitempty" toml:"defaultRuleSyntax,omitempty" yaml:"defaultRuleSyntax,omitempty" label:"allowEmpty" file:"allowEmpty"`
+}
+
+func (c *core) deprecationNotice(logger zerolog.Logger) bool {
+	if c != nil && c.DefaultRuleSyntax != "" {
+		logger.Error().Msg("`Core.DefaultRuleSyntax` option has been deprecated in v3.4, and will be removed in the next major version." +
+			" Please consider migrating all router rules to v3 syntax." +
+			" For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v3/#rule-syntax")
+	}
+
+	return false
 }
 
 type providers struct {
@@ -227,13 +243,13 @@ func (p *providers) deprecationNotice(logger zerolog.Logger) bool {
 	if p.Marathon != nil {
 		incompatible = true
 		logger.Error().Msg("Marathon provider has been removed in v3, please remove all Marathon-related static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#marathon-provider")
+			" For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#marathon-provider")
 	}
 
 	if p.Rancher != nil {
 		incompatible = true
 		logger.Error().Msg("Rancher provider has been removed in v3, please remove all Rancher-related static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#rancher-v1-provider")
+			" For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#rancher-v1-provider")
 	}
 
 	dockerIncompatible := p.Docker.deprecationNotice(logger)
@@ -275,14 +291,14 @@ func (d *docker) deprecationNotice(logger zerolog.Logger) bool {
 	if d.SwarmMode != nil {
 		incompatible = true
 		logger.Error().Msg("Docker provider `swarmMode` option has been removed in v3, please use the Swarm Provider instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#docker-docker-swarm")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#docker-docker-swarm")
 	}
 
 	if d.TLS != nil && d.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("Docker provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tlscaoptional")
 	}
 
 	return incompatible
@@ -323,7 +339,7 @@ func (e *etcd) deprecationNotice(logger zerolog.Logger) bool {
 		incompatible = true
 		logger.Error().Msg("ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_3")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tlscaoptional_3")
 	}
 
 	return incompatible
@@ -344,7 +360,7 @@ func (r *redis) deprecationNotice(logger zerolog.Logger) bool {
 		incompatible = true
 		logger.Error().Msg("Redis provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_4")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tlscaoptional_4")
 	}
 
 	return incompatible
@@ -365,14 +381,14 @@ func (c *consul) deprecationNotice(logger zerolog.Logger) bool {
 	if c.Namespace != nil {
 		incompatible = true
 		logger.Error().Msg("Consul provider `namespace` option has been removed, please use the `namespaces` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#consul-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#consul-provider")
 	}
 
 	if c.TLS != nil && c.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("Consul provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_1")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tlscaoptional_1")
 	}
 
 	return incompatible
@@ -397,14 +413,14 @@ func (c *consulCatalog) deprecationNotice(logger zerolog.Logger) bool {
 	if c.Namespace != nil {
 		incompatible = true
 		logger.Error().Msg("ConsulCatalog provider `namespace` option has been removed, please use the `namespaces` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#consulcatalog-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#consulcatalog-provider")
 	}
 
 	if c.Endpoint != nil && c.Endpoint.TLS != nil && c.Endpoint.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("ConsulCatalog provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#endpointtlscaoptional")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#endpointtlscaoptional")
 	}
 
 	return incompatible
@@ -425,14 +441,14 @@ func (n *nomad) deprecationNotice(logger zerolog.Logger) bool {
 	if n.Namespace != nil {
 		incompatible = true
 		logger.Error().Msg("Nomad provider `namespace` option has been removed, please use the `namespaces` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#nomad-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#nomad-provider")
 	}
 
 	if n.Endpoint != nil && n.Endpoint.TLS != nil && n.Endpoint.TLS.CAOptional != nil {
 		incompatible = true
 		logger.Error().Msg("Nomad provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#endpointtlscaoptional_1")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#endpointtlscaoptional_1")
 	}
 
 	return incompatible
@@ -453,7 +469,7 @@ func (h *http) deprecationNotice(logger zerolog.Logger) bool {
 		incompatible = true
 		logger.Error().Msg("HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634)." +
 			"Please remove all occurrences from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tlscaoptional_2")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tlscaoptional_2")
 	}
 
 	return incompatible
@@ -471,7 +487,7 @@ func (i *ingress) deprecationNotice(logger zerolog.Logger) {
 	if i.DisableIngressClassLookup != nil {
 		logger.Error().Msg("Kubernetes Ingress provider `disableIngressClassLookup` option has been deprecated in v3.1, and will be removed in the next major version." +
 			"Please use the `disableClusterScopeResources` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v3/#ingressclasslookup")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v3/#ingressclasslookup")
 	}
 }
 
@@ -488,7 +504,7 @@ func (e *experimental) deprecationNotice(logger zerolog.Logger) bool {
 	if e.HTTP3 != nil {
 		logger.Error().Msg("HTTP3 is not an experimental feature in v3 and the associated enablement has been removed." +
 			"Please remove its usage from the static configuration for Traefik to start." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3-details/#http3")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3-details/#http3")
 
 		return true
 	}
@@ -496,7 +512,7 @@ func (e *experimental) deprecationNotice(logger zerolog.Logger) bool {
 	if e.KubernetesGateway != nil {
 		logger.Error().Msg("KubernetesGateway provider is not an experimental feature starting with v3.1." +
 			"Please remove its usage from the static configuration." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v3/#gateway-api-kubernetesgateway-provider")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v3/#gateway-api-kubernetesgateway-provider")
 	}
 
 	return false
@@ -523,7 +539,7 @@ func (t *tracing) deprecationNotice(logger zerolog.Logger) bool {
 	if t.SpanNameLimit != nil {
 		incompatible = true
 		logger.Error().Msg("SpanNameLimit option for Tracing has been removed in v3, as Span names are now of a fixed length." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tracing")
 	}
 
 	if t.GlobalAttributes != nil {
@@ -531,49 +547,49 @@ func (t *tracing) deprecationNotice(logger zerolog.Logger) bool {
 
 		logger.Error().Msg("`tracing.globalAttributes` option has been deprecated in v3.3, and will be removed in the next major version." +
 			"Please use the `tracing.resourceAttributes` option instead." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v3/#tracing-global-attributes")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v3/#tracing-global-attributes")
 	}
 
 	if t.Jaeger != nil {
 		incompatible = true
 		logger.Error().Msg("Jaeger Tracing backend has been removed in v3, please remove all Jaeger-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tracing")
 	}
 
 	if t.Zipkin != nil {
 		incompatible = true
 		logger.Error().Msg("Zipkin Tracing backend has been removed in v3, please remove all Zipkin-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tracing")
 	}
 
 	if t.Datadog != nil {
 		incompatible = true
 		logger.Error().Msg("Datadog Tracing backend has been removed in v3, please remove all Datadog-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tracing")
 	}
 
 	if t.Instana != nil {
 		incompatible = true
 		logger.Error().Msg("Instana Tracing backend has been removed in v3, please remove all Instana-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tracing")
 	}
 
 	if t.Haystack != nil {
 		incompatible = true
 		logger.Error().Msg("Haystack Tracing backend has been removed in v3, please remove all Haystack-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tracing")
 	}
 
 	if t.Elastic != nil {
 		incompatible = true
 		logger.Error().Msg("Elastic Tracing backend has been removed in v3, please remove all Elastic-related Tracing static configuration for Traefik to start." +
 			"In v3, Open Telemetry replaces specific tracing backend implementations, and an collector/exporter can be used to export metrics in a vendor specific format." +
-			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.3/migration/v2-to-v3/#tracing")
+			"For more information please read the migration guide: https://doc.traefik.io/traefik/v3.4/migration/v2-to-v3/#tracing")
 	}
 
 	return incompatible

pkg/cli/deprecation_test.go

@@ -274,6 +274,15 @@ func TestDeprecationNotice(t *testing.T) {
 				},
 			},
 		},
+		{
+			desc: "Core DefaultRuleSyntax configuration is compatible",
+			config: configuration{
+				Core: &core{
+					DefaultRuleSyntax: "foobar",
+				},
+			},
+			wantCompatible: true,
+		},
 	}
 
 	for _, test := range tests {

pkg/config/dynamic/http_config.go

@@ -67,6 +67,7 @@ type Router struct {
 	Middlewares []string `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
 	Service     string   `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
 	Rule        string   `json:"rule,omitempty" toml:"rule,omitempty" yaml:"rule,omitempty"`
+	// Deprecated: Please do not use this field and rewrite the router rules to use the v3 syntax.
 	RuleSyntax    string                     `json:"ruleSyntax,omitempty" toml:"ruleSyntax,omitempty" yaml:"ruleSyntax,omitempty" export:"true"`
 	Priority      int                        `json:"priority,omitempty" toml:"priority,omitempty,omitzero" yaml:"priority,omitempty" export:"true"`
 	TLS           *RouterTLSConfig           `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
@@ -190,6 +191,7 @@ type Cookie struct {
 	HTTPOnly bool `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty" export:"true"`
 	// SameSite defines the same site policy.
 	// More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
+	// +kubebuilder:validation:Enum=none;lax;strict
 	SameSite string `json:"sameSite,omitempty" toml:"sameSite,omitempty" yaml:"sameSite,omitempty" export:"true"`
 	// MaxAge defines the number of seconds until the cookie expires.
 	// When set to a negative number, the cookie expires immediately.
@@ -199,6 +201,9 @@ type Cookie struct {
 	// When not provided the cookie will be sent on every request to the domain.
 	// More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value
 	Path *string `json:"path,omitempty" toml:"path,omitempty" yaml:"path,omitempty" export:"true"`
+	// Domain defines the host to which the cookie will be sent.
+	// More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#domaindomain-value
+	Domain string `json:"domain,omitempty" toml:"domain,omitempty" yaml:"domain,omitempty"`
 }
 
 // SetDefaults set the default values for a Cookie.
@@ -207,12 +212,22 @@ func (c *Cookie) SetDefaults() {
 	c.Path = &defaultPath
 }
 
+type BalancerStrategy string
+
+const (
+	// BalancerStrategyWRR is the weighted round-robin strategy.
+	BalancerStrategyWRR BalancerStrategy = "wrr"
+	// BalancerStrategyP2C is the power of two choices strategy.
+	BalancerStrategyP2C BalancerStrategy = "p2c"
+)
+
 // +k8s:deepcopy-gen=true
 
 // ServersLoadBalancer holds the ServersLoadBalancer configuration.
 type ServersLoadBalancer struct {
 	Sticky   *Sticky          `json:"sticky,omitempty" toml:"sticky,omitempty" yaml:"sticky,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
 	Servers  []Server         `json:"servers,omitempty" toml:"servers,omitempty" yaml:"servers,omitempty" label-slice-as-struct:"server" export:"true"`
+	Strategy BalancerStrategy `json:"strategy,omitempty" toml:"strategy,omitempty" yaml:"strategy,omitempty" export:"true"`
 	// HealthCheck enables regular active checks of the responsiveness of the
 	// children servers of this load-balancer. To propagate status changes (e.g. all
 	// servers of this service are down) upwards, HealthCheck must also be enabled on
@@ -245,6 +260,7 @@ func (l *ServersLoadBalancer) SetDefaults() {
 	defaultPassHostHeader := DefaultPassHostHeader
 	l.PassHostHeader = &defaultPassHostHeader
 
+	l.Strategy = BalancerStrategyWRR
 	l.ResponseForwarding = &ResponseForwarding{}
 	l.ResponseForwarding.SetDefaults()
 }
@@ -270,17 +286,13 @@ func (r *ResponseForwarding) SetDefaults() {
 
 // Server holds the server configuration.
 type Server struct {
-	URL          string `json:"url,omitempty" toml:"url,omitempty" yaml:"url,omitempty" label:"-"`
+	URL          string `json:"url,omitempty" toml:"url,omitempty" yaml:"url,omitempty"`
-	Weight       *int   `json:"weight,omitempty" toml:"weight,omitempty" yaml:"weight,omitempty" label:"weight" export:"true"`
+	Weight       *int   `json:"weight,omitempty" toml:"weight,omitempty" yaml:"weight,omitempty" export:"true"`
-	PreservePath bool   `json:"preservePath,omitempty" toml:"preservePath,omitempty" yaml:"preservePath,omitempty" label:"-" export:"true"`
+	PreservePath bool   `json:"preservePath,omitempty" toml:"preservePath,omitempty" yaml:"preservePath,omitempty" export:"true"`
 	Fenced       bool   `json:"fenced,omitempty" toml:"-" yaml:"-" label:"-" file:"-" kv:"-"`
-	Scheme       string `json:"-" toml:"-" yaml:"-" file:"-"`
+	// Scheme can only be defined with label Providers.
-	Port         string `json:"-" toml:"-" yaml:"-" file:"-"`
+	Scheme string `json:"-" toml:"-" yaml:"-" file:"-" kv:"-"`
-}
+	Port   string `json:"-" toml:"-" yaml:"-" file:"-" kv:"-"`
-
-// SetDefaults Default values for a Server.
-func (s *Server) SetDefaults() {
-	s.Scheme = "http"
 }
 
 // +k8s:deepcopy-gen=true
@@ -294,6 +306,7 @@ type ServerHealthCheck struct {
 	Status            int               `json:"status,omitempty" toml:"status,omitempty" yaml:"status,omitempty" export:"true"`
 	Port              int               `json:"port,omitempty" toml:"port,omitempty,omitzero" yaml:"port,omitempty" export:"true"`
 	Interval          ptypes.Duration   `json:"interval,omitempty" toml:"interval,omitempty" yaml:"interval,omitempty" export:"true"`
+	UnhealthyInterval *ptypes.Duration  `json:"unhealthyInterval,omitempty" toml:"unhealthyInterval,omitempty" yaml:"unhealthyInterval,omitempty" export:"true"`
 	Timeout           ptypes.Duration   `json:"timeout,omitempty" toml:"timeout,omitempty" yaml:"timeout,omitempty" export:"true"`
 	Hostname          string            `json:"hostname,omitempty" toml:"hostname,omitempty" yaml:"hostname,omitempty"`
 	FollowRedirects   *bool             `json:"followRedirects,omitempty" toml:"followRedirects,omitempty" yaml:"followRedirects,omitempty" export:"true"`
@@ -320,8 +333,8 @@ type HealthCheck struct{}
 type ServersTransport struct {
 	ServerName          string                  `description:"Defines the serverName used to contact the server." json:"serverName,omitempty" toml:"serverName,omitempty" yaml:"serverName,omitempty"`
 	InsecureSkipVerify  bool                    `description:"Disables SSL certificate verification." json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
-	RootCAs             []types.FileOrContent   `description:"Defines a list of CA secret used to validate self-signed certificate" json:"rootCAs,omitempty" toml:"rootCAs,omitempty" yaml:"rootCAs,omitempty"`
+	RootCAs             []types.FileOrContent   `description:"Defines a list of CA certificates used to validate server certificates." json:"rootCAs,omitempty" toml:"rootCAs,omitempty" yaml:"rootCAs,omitempty"`
-	Certificates        traefiktls.Certificates `description:"Defines a list of secret storing client certificates for mTLS." json:"certificates,omitempty" toml:"certificates,omitempty" yaml:"certificates,omitempty" export:"true"`
+	Certificates        traefiktls.Certificates `description:"Defines a list of client certificates for mTLS." json:"certificates,omitempty" toml:"certificates,omitempty" yaml:"certificates,omitempty" export:"true"`
 	MaxIdleConnsPerHost int                     `description:"If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used" json:"maxIdleConnsPerHost,omitempty" toml:"maxIdleConnsPerHost,omitempty" yaml:"maxIdleConnsPerHost,omitempty" export:"true"`
 	ForwardingTimeouts  *ForwardingTimeouts     `description:"Defines the timeouts for requests forwarded to the backend servers." json:"forwardingTimeouts,omitempty" toml:"forwardingTimeouts,omitempty" yaml:"forwardingTimeouts,omitempty" export:"true"`
 	DisableHTTP2        bool                    `description:"Disables HTTP/2 for connections with backend servers." json:"disableHTTP2,omitempty" toml:"disableHTTP2,omitempty" yaml:"disableHTTP2,omitempty" export:"true"`