' +
+ '';
+
+ var target =
+ document.querySelector('.md-content__inner') ||
+ document.querySelector('.md-main__inner') ||
+ document.querySelector('article') ||
+ document.querySelector('main');
+
+ if (target) {
+ target.insertBefore(banner, target.firstChild);
+ }
+
+ document.getElementById('migration-doc-banner-close').addEventListener('click', function () {
+ banner.remove();
+ sessionStorage.setItem(SESSION_KEY, '1');
+ });
+ }
+
+ if (document.readyState === 'loading') {
+ document.addEventListener('DOMContentLoaded', createBanner);
+ } else {
+ createBanner();
+ }
+})();
diff --git a/docs/content/contributing/maintainers-guidelines.md b/docs/content/contributing/maintainers-guidelines.md
index 4fa13a0f1..baaa42d5d 100644
--- a/docs/content/contributing/maintainers-guidelines.md
+++ b/docs/content/contributing/maintainers-guidelines.md
@@ -49,7 +49,7 @@ As a maintainer, you are granted a vote for the following:
- [Proposals](https://github.com/traefik/contributors-guide/blob/master/proposals.md).
Maintainers are also added to the maintainer's Discord server where happens the [issue triage](https://github.com/traefik/contributors-guide/blob/master/issue_triage.md)
-and appear on the [Maintainers](maintainers.md) page.
+and appear on the [Maintainers](./maintainers.md) page.
As a maintainer, you should:
diff --git a/docs/content/contributing/maintainers.md b/docs/content/contributing/maintainers.md
index a86671181..272101e0d 100644
--- a/docs/content/contributing/maintainers.md
+++ b/docs/content/contributing/maintainers.md
@@ -38,4 +38,4 @@ People who have had an incredibly positive impact on the project, and are now fo
## Maintainer's Guidelines
-Please read the [maintainer's guidelines](maintainers-guidelines.md).
+Please read the [maintainer's guidelines](./maintainers-guidelines.md).
diff --git a/docs/content/contributing/submitting-pull-requests.md b/docs/content/contributing/submitting-pull-requests.md
index d46e282c9..e9bd7f591 100644
--- a/docs/content/contributing/submitting-pull-requests.md
+++ b/docs/content/contributing/submitting-pull-requests.md
@@ -8,7 +8,7 @@ description: "Looking to contribute to Traefik Proxy? This guide will show you t
This guide is for contributors who already have a pull request to submit.
If you are looking for information on setting up your developer environment
and creating code to contribute to Traefik Proxy or related projects,
-see the [development guide](https://docs.traefik.io/contributing/building-testing/).
+see the [development guide](./building-testing.md).
Looking for a way to contribute to Traefik Proxy?
Check out this list of [Priority Issues](https://github.com/traefik/traefik/labels/contributor%2Fwanted),
@@ -46,7 +46,7 @@ Read more about the [Triage process](https://github.com/traefik/contributors-gui
Merging a PR requires the following steps to be completed before it is merged automatically.
* Make sure your pull request adheres to our best practices. These include:
- * [Following project conventions](https://github.com/traefik/traefik/blob/master/docs/content/contributing/maintainers-guidelines.md); including using the PR Template.
+ * [Following project conventions](./maintainers-guidelines.md); including using the PR Template.
* Make small pull requests.
* Solve only one problem at a time.
* Comment thoroughly.
diff --git a/docs/content/expose/swarm/advanced.md b/docs/content/expose/swarm/advanced.md
index efe93df3d..b2fdee725 100644
--- a/docs/content/expose/swarm/advanced.md
+++ b/docs/content/expose/swarm/advanced.md
@@ -402,4 +402,4 @@ Now that you've mastered both basic and advanced Traefik features with Docker Sw
- [Observability features](../../reference/install-configuration/observability/metrics.md) for monitoring and debugging your Traefik deployment
- [TCP services](../../reference/routing-configuration/tcp/service.md) for exposing TCP services
- [UDP services](../../reference/routing-configuration/udp/service.md) for exposing UDP services
-- [Docker provider documentation](../../reference/install-configuration/providers/docker.md) for more details about the Docker integration
+- [Docker Swarm provider documentation](../../reference/install-configuration/providers/swarm.md) for more details about the Docker Swarm integration
diff --git a/docs/content/getting-started/concepts.md b/docs/content/getting-started/concepts.md
deleted file mode 100644
index a2bd774f8..000000000
--- a/docs/content/getting-started/concepts.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: Concepts
-description: Traefik - base concepts and main features
----
-
-# Concepts
-
-This page explains the base concepts of Traefik.
-
----
-
-## Introduction
-
-Traefik is based on the concept of EntryPoints, Routers, Middlewares and Services.
-
-The main features include dynamic configuration, automatic service discovery, and support for multiple backends and protocols.
-
-1. [EntryPoints](../routing/entrypoints.md "Link to docs about EntryPoints"): EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
-
-2. [Routers](../routing/routers/index.md "Link to docs about routers"): A router is in charge of connecting incoming requests to the services that can handle them.
-
-3. [Middlewares](../middlewares/overview.md "Link to docs about middlewares"): Attached to the routers, middlewares can modify the requests or responses before they are sent to your service
-
-4. [Services](../routing/services/index.md "Link to docs about services"): Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
-
-## Edge Router
-
-Traefik is an *Edge Router*; this means that it's the door to your platform, and that it intercepts and routes every incoming request:
-it knows all the logic and every [rule](../routing/routers/index.md#rule "Link to docs about routing rules") that determine which services handle which requests (based on the *path*, the *host*, *headers*, etc.).
-
-
-
-## Auto Service Discovery
-
-Where traditionally edge routers (or reverse proxies) need a configuration file that contains every possible route to your services, Traefik gets them from the services themselves.
-
-Deploying your services, you attach information that tells Traefik the characteristics of the requests the services can handle.
-
-
-
-This means that when a service is deployed, Traefik detects it immediately and updates the routing rules in real time.
-Similarly, when a service is removed from the infrastructure, the corresponding route is deleted accordingly.
-
-You no longer need to create and synchronize configuration files cluttered with IP addresses or other rules.
-
-!!! info "Many different rules"
-
- In the example above, we used the request [path rule](../routing/routers/index.md#rule "Link to docs about routing rules") to determine which service was in charge.
- Certainly, you can use many other different [rules](../routing/routers/index.md#rule "Link to docs about routing rules").
-
-!!! info "Updating the requests"
-
- In the [middleware](../middlewares/overview.md "Link to middleware documentation") section, you can learn about how to update the requests before forwarding them to the services.
-
-!!! question "How does Traefik discover the services?"
-
- Traefik is able to use your cluster API to discover the services and read the attached information.
- In Traefik, these connectors are called [providers](../providers/overview.md "Link to overview about Traefik providers") because they *provide* the configuration to Traefik.
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/getting-started/configuration-overview.md b/docs/content/getting-started/configuration-overview.md
index 11b0e8cce..aa8cba15b 100644
--- a/docs/content/getting-started/configuration-overview.md
+++ b/docs/content/getting-started/configuration-overview.md
@@ -13,7 +13,7 @@ Configuration in Traefik can refer to two different things:
- The install (startup) configuration (formerly known as the _static configuration_)
- The routing configuration (formerly known as the _dynamic configuration_)
-Elements in the _install configuration_ set up connections to [providers](../providers/overview.md) and define the [entrypoints](../routing/entrypoints.md) Traefik will listen to (these elements don't change often).
+Elements in the _install configuration_ set up connections to [providers](../reference/install-configuration/providers/overview.md) and define the [entrypoints](../reference/install-configuration/entrypoints.md) Traefik will listen to (these elements don't change often).
The _routing configuration_ contains everything that defines how the requests are handled by your system.
This configuration can change and is seamlessly hot-reloaded, without any request interruption or connection loss.
@@ -24,13 +24,13 @@ This configuration can change and is seamlessly hot-reloaded, without any reques
## The Routing Configuration
-Traefik gets its _routing configuration_ from [providers](../providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
+Traefik gets its _routing configuration_ from [providers](../reference/install-configuration/providers/overview.md): whether an orchestrator, a service registry, or a plain old configuration file.
-Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../routing/overview.md).
+Since this configuration is specific to your infrastructure choices, we invite you to refer to the [dedicated section of this documentation](../reference/routing-configuration/dynamic-configuration-methods.md).
!!! info ""
- In the [Quick Start example](../getting-started/docker.md), the whoami application routing configuration comes from docker in the form of a label attached to the whoami container.
+ In the [Quick Start example](./docker.md), the whoami application routing configuration comes from docker in the form of a label attached to the whoami container.
!!! info "HTTPS Certificates also belong to the routing configuration."
@@ -90,6 +90,6 @@ All available environment variables can be found in the [install configuration e
All the configuration options are documented in their related section.
-You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
+You can browse the available features in the menu, the [providers](../reference/install-configuration/providers/overview.md), or the [routing section](../reference/routing-configuration/dynamic-configuration-methods.md) to see them in action.
{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/getting-started/faq.md b/docs/content/getting-started/faq.md
index e808c4211..1d3518be8 100644
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@@ -12,10 +12,10 @@ and while the documentation often demonstrates configuration options through fil
the core feature of Traefik is its dynamic configurability,
directly reacting to changes from providers over time.
-Notably, a part of the configuration is [static](./configuration-overview.md#the-static-configuration),
+Notably, the [install configuration](./configuration-overview.md#the-install-configuration) is static,
and can be provided by a file on startup, whereas various providers,
such as the file provider,
-contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](./configuration-overview.md#the-dynamic-configuration) changes.
+contribute dynamically all along the traefik instance lifetime to its [routing configuration](./configuration-overview.md#the-routing-configuration) changes.
In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
@@ -132,8 +132,8 @@ http:
## Why Is My TLS Certificate Not Reloaded When Its Contents Change?
-With the file provider,
-a configuration update is only triggered when one of the [watched](../providers/file.md#provider-configuration) configuration files is modified.
+With the [file provider](../reference/install-configuration/providers/others/file.md),
+a configuration update is only triggered when one of the watched configuration files is modified.
Which is why, when a certificate is defined by path,
and the actual contents of this certificate change,
@@ -156,14 +156,14 @@ By default, the following headers are automatically added when proxying requests
| Proxy Server's Hostname | `X-Forwarded-Server` |
For more details,
-please check out the [forwarded header](../routing/entrypoints.md#forwarded-headers) documentation.
+please check out the [forwarded header](../reference/install-configuration/entrypoints.md#opt-forwardedHeaders-connection) documentation.
## How Traefik is Storing and Serving TLS Certificates?
### Storing TLS Certificates
-[TLS](../https/tls.md "Link to Traefik TLS docs") certificates are either provided directly by the [dynamic configuration](./configuration-overview.md#the-dynamic-configuration "Link to dynamic configuration overview") from [providers](../https/tls.md#user-defined "Link to the TLS configuration"),
-or by [ACME resolvers](../https/acme.md#providers "Link to ACME resolvers"), which act themselves as providers internally.
+TLS certificates are either provided directly by the [routing configuration](../reference/routing-configuration/dynamic-configuration-methods.md "Link to routing configuration overview"),
+or by [Certificate resolvers](../reference/install-configuration/tls/certificate-resolvers/overview.md "Link to certificates resolvers").
For each TLS certificate, Traefik produces an identifier used as a key to store it.
This identifier is constructed as the alphabetically ordered concatenation of the SANs `DNSNames` and `IPAddresses` of the TLScertificate.
diff --git a/docs/content/getting-started/install-traefik.md b/docs/content/getting-started/install-traefik.md
deleted file mode 100644
index 4c2dae7cc..000000000
--- a/docs/content/getting-started/install-traefik.md
+++ /dev/null
@@ -1,147 +0,0 @@
----
-title: "Traefik Installation Documentation"
-description: "There are several flavors to choose from when installing Traefik Proxy. Get started with Traefik Proxy, and read the technical documentation."
----
-
-# Install Traefik
-
-You can install Traefik with the following flavors:
-
-* [Use the official Docker image](./#use-the-official-docker-image)
-* [Use the Helm Chart](./#use-the-helm-chart)
-* [Use the binary distribution](./#use-the-binary-distribution)
-* [Compile your binary from the sources](./#compile-your-binary-from-the-sources)
-
-## Use the Official Docker Image
-
-Choose one of the [official Docker images](https://hub.docker.com/_/traefik) and run it with one sample configuration file:
-
-* [YAML](https://raw.githubusercontent.com/traefik/traefik/v3.7/traefik.sample.yml)
-* [TOML](https://raw.githubusercontent.com/traefik/traefik/v3.7/traefik.sample.toml)
-
-```shell
-docker run -d -p 8080:8080 -p 80:80 \
- -v $PWD/traefik.yml:/etc/traefik/traefik.yml traefik:v3.7
-```
-
-For more details, go to the [Docker provider documentation](../providers/docker.md)
-
-!!! tip
-
- * Prefer a fixed version than the latest that could be an unexpected version.
- ex: `traefik:v3.7`
- * Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
- * Any orchestrator using docker images can fetch the official Traefik docker image.
-
-## Use the Helm Chart
-
-Traefik can be installed in Kubernetes using the Helm chart from .
-
-Ensure that the following requirements are met:
-
-* Kubernetes 1.22+
-* Helm version 3.9+ is [installed](https://helm.sh/docs/intro/install/)
-
-Add Traefik Labs chart repository to Helm:
-
-```bash
-helm repo add traefik https://traefik.github.io/charts
-```
-
-You can update the chart repository by running:
-
-```bash
-helm repo update
-```
-
-And install it with the Helm command line:
-
-```bash
-helm install traefik traefik/traefik
-```
-
-!!! tip "Helm Features"
-
- All [Helm features](https://helm.sh/docs/intro/using_helm/) are supported.
-
- Examples are provided [here](https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md).
-
- For instance, installing the chart in a dedicated namespace:
-
- ```bash tab="Install in a Dedicated Namespace"
- kubectl create ns traefik-v2
- # Install in the namespace "traefik-v2"
- helm install --namespace=traefik-v2 \
- traefik traefik/traefik
- ```
-
-??? example "Installing with Custom Values"
-
- You can customize the installation by specifying custom values,
- as with [any helm chart](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing).
- {: #helm-custom-values }
-
- All parameters are documented in the default [`values.yaml`](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml).
-
- You can also set Traefik command line flags using `additionalArguments`.
- Example of installation with logging set to `DEBUG`:
-
- ```bash tab="Using Helm CLI"
- helm install --namespace=traefik-v2 \
- --set="additionalArguments={--log.level=DEBUG}" \
- traefik traefik/traefik
- ```
-
- ```yml tab="With a custom values file"
- # File custom-values.yml
- ## Install with "helm install --values=./custom-values.yml traefik traefik/traefik
- additionalArguments:
- - "--log.level=DEBUG"
- ```
-
-## Use the Binary Distribution
-
-Grab the latest binary from the [releases](https://github.com/traefik/traefik/releases) page.
-
-??? info "Check the integrity of the downloaded file"
-
- ```bash tab="Linux"
- # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
- sha256sum ./traefik_${traefik_version}_linux_${arch}.tar.gz
- ```
-
- ```bash tab="macOS"
- # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
- shasum -a256 ./traefik_${traefik_version}_darwin_amd64.tar.gz
- ```
-
- ```powershell tab="Windows PowerShell"
- # Compare this value to the one found in traefik-${traefik_version}_checksums.txt
- Get-FileHash ./traefik_${traefik_version}_windows_${arch}.zip -Algorithm SHA256
- ```
-
-??? info "Extract the downloaded archive"
-
- ```bash tab="Linux"
- tar -zxvf traefik_${traefik_version}_linux_${arch}.tar.gz
- ```
-
- ```bash tab="macOS"
- tar -zxvf ./traefik_${traefik_version}_darwin_amd64.tar.gz
- ```
-
- ```powershell tab="Windows PowerShell"
- Expand-Archive traefik_${traefik_version}_windows_${arch}.zip
- ```
-
-And run it:
-
-```bash
-./traefik --help
-```
-
-## Compile your Binary from the Sources
-
-All the details are available in the [Contributing Guide](../contributing/building-testing.md)
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/getting-started/quick-start-with-kubernetes.md b/docs/content/getting-started/quick-start-with-kubernetes.md
deleted file mode 100644
index 7e0b6acca..000000000
--- a/docs/content/getting-started/quick-start-with-kubernetes.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: "Traefik Getting Started With Kubernetes"
-description: "Get started with Traefik Proxy and Kubernetes."
----
-
---8<-- "content/getting-started/kubernetes.md"
diff --git a/docs/content/getting-started/quick-start.md b/docs/content/getting-started/quick-start.md
deleted file mode 100644
index 0c1e2312e..000000000
--- a/docs/content/getting-started/quick-start.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-title: "Traefik Getting Started Quickly"
-description: "Get started with Traefik Proxy and Docker."
----
-
---8<-- "content/getting-started/docker.md"
diff --git a/docs/content/https/acme.md b/docs/content/https/acme.md
deleted file mode 100644
index 356bc8813..000000000
--- a/docs/content/https/acme.md
+++ /dev/null
@@ -1,1214 +0,0 @@
----
-title: "Traefik Let's Encrypt Documentation"
-description: "Learn how to configure Traefik Proxy to use an ACME provider like Let's Encrypt for automatic certificate generation. Read the technical documentation."
----
-
-# Let's Encrypt
-
-Automatic HTTPS
-{: .subtitle }
-
-You can configure Traefik to use an ACME provider (like Let's Encrypt) for automatic certificate generation.
-
-!!! warning "Let's Encrypt and Rate Limiting"
- Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits). These last up to **one week**, and cannot be overridden.
-
- When running Traefik in a container the `acme.json` file should be persisted across restarts.
- If Traefik requests new certificates each time it starts up, a crash-looping container can quickly reach Let's Encrypt's ratelimits.
- To configure where certificates are stored, please take a look at the [storage](#storage) configuration.
-
- Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
- when experimenting to avoid hitting this limit too fast.
-
-## Certificate Resolvers
-
-Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
-which are responsible for retrieving certificates from an ACME server.
-
-Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
-and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
-
-Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
-
-You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
-
-!!! warning "Defining an [ACME challenge type](#the-different-acme-challenges) is a requirement for a certificate resolver to be functional."
-
-!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
-
-??? note "Configuration Reference"
-
- There are many available options for ACME.
- For a quick glance at what's possible, browse the configuration reference:
-
- ```yaml tab="File (YAML)"
- --8<-- "content/https/ref-acme.yaml"
- ```
-
- ```toml tab="File (TOML)"
- --8<-- "content/https/ref-acme.toml"
- ```
-
- ```bash tab="CLI"
- --8<-- "content/https/ref-acme.txt"
- ```
-
-## Domain Definition
-
-Certificate resolvers request certificates for a set of the domain names
-inferred from routers, with the following logic:
-
-- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
- then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
-
-- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
- then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
- by checking the `Host()` matchers.
- Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
-
-Please note that:
-
-- When multiple domain names are inferred from a given router,
- only **one** certificate is requested with the first domain name as the main domain,
- and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
-
-- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
- any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
-
-Please check the [configuration examples below](#configuration-examples) for more details.
-
-## Configuration Examples
-
-??? example "Enabling ACME"
-
- ```yaml tab="File (YAML)"
- entryPoints:
- web:
- address: ":80"
-
- websecure:
- address: ":443"
-
- certificatesResolvers:
- myresolver:
- acme:
- email: your-email@example.com
- storage: acme.json
- httpChallenge:
- # used during the challenge
- entryPoint: web
- ```
-
- ```toml tab="File (TOML)"
- [entryPoints]
- [entryPoints.web]
- address = ":80"
-
- [entryPoints.websecure]
- address = ":443"
-
- [certificatesResolvers.myresolver.acme]
- email = "your-email@example.com"
- storage = "acme.json"
- [certificatesResolvers.myresolver.acme.httpChallenge]
- # used during the challenge
- entryPoint = "web"
- ```
-
- ```bash tab="CLI"
- --entryPoints.web.address=:80
- --entryPoints.websecure.address=:443
- # ...
- --certificatesresolvers.myresolver.acme.email=your-email@example.com
- --certificatesresolvers.myresolver.acme.storage=acme.json
- # used during the challenge
- --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
- ```
-
-!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
-
-??? example "Single Domain from Router's Rule Example"
-
- * A certificate for the domain `example.com` is requested:
-
- --8<-- "content/https/include-acme-single-domain-example.md"
-
-??? example "Multiple Domains from Router's Rule Example"
-
- * A certificate for the domains `example.com` (main) and `blog.example.org`
- is requested:
-
- --8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
-
-??? example "Multiple Domains from Router's `tls.domain` Example"
-
- * A certificate for the domains `example.com` (main) and `*.example.org` (SAN)
- is requested:
-
- --8<-- "content/https/include-acme-multiple-domains-example.md"
-
-## Automatic Renewals
-
-Traefik automatically tracks the expiry date of ACME certificates it generates.
-
-By default, Traefik manages 90 days certificates,
-and starts to renew certificates 30 days before their expiry.
-
-When using a certificate resolver that issues certificates with custom durations,
-one can configure the certificates' duration with the [`certificatesDuration`](#certificatesduration) option.
-
-!!! info ""
- Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
-
-## Using LetsEncrypt with Kubernetes
-
-When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
-
-!!! info ""
- If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
-
-## The Different ACME Challenges
-
-!!! warning "Defining one ACME challenge is a requirement for a certificate resolver to be functional."
-
-!!! important "Defining a certificate resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
-
-### `tlsChallenge`
-
-Use the `TLS-ALPN-01` challenge to generate and renew ACME certificates by provisioning a TLS certificate.
-
-As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `TLS-ALPN-01` challenge, Traefik must be reachable by Let's Encrypt through port 443.
-
-??? example "Configuring the `tlsChallenge`"
-
- ```yaml tab="File (YAML)"
- certificatesResolvers:
- myresolver:
- acme:
- # ...
- tlsChallenge: {}
- ```
-
- ```toml tab="File (TOML)"
- [certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.tlsChallenge]
- ```
-
- ```bash tab="CLI"
- # ...
- --certificatesresolvers.myresolver.acme.tlschallenge=true
- ```
-
-#### `Delay`
-
-_Optional, Default=0_
-
-The delay between the creation of the challenge and the validation.
-A value lower than or equal to zero means no delay.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- tlsChallenge:
- # ...
- delay: 12
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.tlsChallenge]
- # ...
- delay = 12
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.tlschallenge.delay=12
-```
-
-### `httpChallenge`
-
-Use the `HTTP-01` challenge to generate and renew ACME certificates by provisioning an HTTP resource under a well-known URI.
-
-As described on the Let's Encrypt [community forum](https://community.letsencrypt.org/t/support-for-ports-other-than-80-and-443/3419/72),
-when using the `HTTP-01` challenge, `certificatesresolvers.myresolver.acme.httpchallenge.entrypoint` must be reachable by Let's Encrypt through port 80.
-
-??? example "Using an EntryPoint Called web for the `httpChallenge`"
-
- ```yaml tab="File (YAML)"
- entryPoints:
- web:
- address: ":80"
-
- websecure:
- address: ":443"
-
- certificatesResolvers:
- myresolver:
- acme:
- # ...
- httpChallenge:
- entryPoint: web
- ```
-
- ```toml tab="File (TOML)"
- [entryPoints]
- [entryPoints.web]
- address = ":80"
-
- [entryPoints.websecure]
- address = ":443"
-
- [certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.httpChallenge]
- entryPoint = "web"
- ```
-
- ```bash tab="CLI"
- --entryPoints.web.address=:80
- --entryPoints.websecure.address=:443
- # ...
- --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
- ```
-
-!!! info ""
- Redirection is fully compatible with the `HTTP-01` challenge.
-
-#### `Delay`
-
-_Optional, Default=0_
-
-The delay between the creation of the challenge and the validation.
-A value lower than or equal to zero means no delay.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- httpChallenge:
- # ...
- delay: 12
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.httpChallenge]
- # ...
- delay = 12
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.httpchallenge.delay=12
-```
-
-### `dnsChallenge`
-
-Use the `DNS-01` challenge to generate and renew ACME certificates by provisioning a DNS record.
-
-??? example "Configuring a `dnsChallenge` with the DigitalOcean Provider"
-
- ```yaml tab="File (YAML)"
- certificatesResolvers:
- myresolver:
- acme:
- # ...
- dnsChallenge:
- provider: digitalocean
- delayBeforeCheck: 0
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge]
- provider = "digitalocean"
- delayBeforeCheck = 0
- # ...
- ```
-
- ```bash tab="CLI"
- # ...
- --certificatesresolvers.myresolver.acme.dnschallenge.provider=digitalocean
- --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
- # ...
- ```
-
-!!! warning "`CNAME` support"
-
- `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
- but there are a few cases where they can be [problematic](../getting-started/faq.md#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
-
- If needed, `CNAME` support can be disabled with the following environment variable:
-
- ```bash
- LEGO_DISABLE_CNAME_SUPPORT=true
- ```
-
-!!! warning "Multiple DNS Challenge provider"
-
- Multiple DNS challenge provider are not supported with Traefik, but you can use `CNAME` to handle that.
- For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
- This way, you can obtain certificates for `example.org` with the `bar` account.
-
-!!! important
- A `provider` is mandatory.
-
-#### `providers`
-
-Here is a list of supported `providers`, that can automate the DNS verification,
-along with the required environment variables and their [wildcard & root domain support](#wildcard-domains).
-Do not hesitate to complete it.
-
-Many lego environment variables can be overridden by their respective `_FILE` counterpart, which should have a filepath to a file that contains the secret as its value.
-For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used to provide a Cloudflare API email address as a Docker secret named `traefik_cf-api-email`.
-
-For complete details, refer to your provider's _Additional configuration_ link.
-
-| Provider Name | Provider Code | Environment Variables | |
-|------------------------------------------------------------------------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
-| [ACME DNS](https://github.com/joohoi/acme-dns) | `acme-dns` | `ACME_DNS_API_BASE`, `ACME_DNS_STORAGE_PATH`, `ACME_DNS_STORAGE_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/acme-dns) |
-| [Active24](https://www.active24.cz) | `active24` | `ACTIVE24_API_KEY`, `ACTIVE24_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/active24) |
-| [Alibaba Cloud](https://www.alibabacloud.com) | `alidns` | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`, `ALICLOUD_REGION_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/alidns) |
-| [all-inkl](https://all-inkl.com) | `allinkl` | `ALL_INKL_LOGIN`, `ALL_INKL_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/allinkl) |
-| [ArvanCloud](https://www.arvancloud.ir/en) | `arvancloud` | `ARVANCLOUD_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud) |
-| [Auroradns](https://www.pcextreme.com/dns-health-checks) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns) |
-| [Autodns](https://www.internetx.com/domains/autodns/) | `autodns` | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/autodns) |
-| [Axelname](https://axelname.ru) | `axelname` | `AXELNAME_NICKNAME`, `AXELNAME_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/axelname) |
-| [Azion](https://www.azion.com/en/products/edge-dns/) | `azion` | `AZION_PERSONAL_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/azion) |
-| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED) | `azure` | DEPRECATED use `azuredns` instead. | [Additional configuration](https://go-acme.github.io/lego/dns/azure) |
-| [AzureDNS](https://azure.microsoft.com/services/dns/) | `azuredns` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns) |
-| [Baidu Cloud](https://cloud.baidu.com) | `baiducloud` | `BAIDUCLOUD_ACCESS_KEY_ID`, `BAIDUCLOUD_SECRET_ACCESS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/baiducloud) |
-| [Beget](https://beget.com/) | `beget` | `BEGET_USERNAME`, `BEGET_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/beget) |
-| [Binary Lane](https://www.binarylane.com.au/) | `binarylane` | `BINARYLANE_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/binarylane) |
-| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook) | `bindman` | `BINDMAN_MANAGER_ADDRESS` | [Additional configuration](https://go-acme.github.io/lego/dns/bindman) |
-| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat) |
-| [BookMyName](https://www.bookmyname.com) | `bookmyname` | `BOOKMYNAME_USERNAME`, `BOOKMYNAME_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/bookmyname) |
-| [Brandit](https://www.brandit.com) (DEPRECATED) | `brandit` | DEPRECATED | [Additional configuration](https://go-acme.github.io/lego/dns/brandit) |
-| [Bunny](https://bunny.net) | `bunny` | `BUNNY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/bunny) |
-| [Checkdomain](https://www.checkdomain.de/) | `checkdomain` | `CHECKDOMAIN_TOKEN`, | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
-| [Civo](https://www.civo.com/) | `civo` | `CIVO_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/civo) |
-| [Cloud.ru](https://cloud.ru) | `cloudru` | `CLOUDRU_SERVICE_INSTANCE_ID`, `CLOUDRU_KEY_ID`, `CLOUDRU_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudru) |
-| [CloudDNS](https://vshosting.eu/) | `clouddns` | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns) |
-| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare) |
-| [ClouDNS](https://www.cloudns.net/) | `cloudns` | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns) |
-| [CloudXNS](https://www.cloudxns.net) (DEPRECATED) | `cloudxns` | DEPRECATED | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns) |
-| [ConoHa v3](https://www.conoha.jp/) | `conohav3` | `CONOHAV3_TENANT_ID`, `CONOHAV3_API_USER_ID`, `CONOHAV3_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/conohav3) |
-| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/conoha) |
-| [Constellix](https://constellix.com) | `constellix` | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/constellix) |
-| [Core-Networks](https://www.core-networks.de) | `corenetworks` | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks) |
-| [CPanel and WHM](https://cpanel.net/) | `cpanel` | `CPANEL_MODE`, `CPANEL_USERNAME`, `CPANEL_TOKEN`, `CPANEL_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/cpanel) |
-| [Derak Cloud](https://derak.cloud/) | `derak` | `DERAK_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/derak) |
-| [deSEC](https://desec.io) | `desec` | `DESEC_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/desec) |
-| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
-| [DirectAdmin](https://www.directadmin.com) | `directadmin` | `DIRECTADMIN_API_URL` , `DIRECTADMIN_USERNAME`, `DIRECTADMIN_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/directadmin) |
-| [DNS Made Easy](https://dnsmadeeasy.com) | `dnsmadeeasy` | `DNSMADEEASY_API_KEY`, `DNSMADEEASY_API_SECRET`, `DNSMADEEASY_SANDBOX` | [Additional configuration](https://go-acme.github.io/lego/dns/dnsmadeeasy) |
-| [dnsHome.de](https://www.dnshome.de) | `dnsHomede` | `DNSHOMEDE_CREDENTIALS` | [Additional configuration](https://go-acme.github.io/lego/dns/dnshomede) |
-| [DNSimple](https://dnsimple.com) | `dnsimple` | `DNSIMPLE_OAUTH_TOKEN`, `DNSIMPLE_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/dnsimple) |
-| [DNSPod](https://www.dnspod.com/) (DEPRECATED) | `dnspod` | DEPRECATED use `tencentcloud` instead. | [Additional configuration](https://go-acme.github.io/lego/dns/dnspod) |
-| [Domain Offensive (do.de)](https://www.do.de/) | `dode` | `DODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/dode) |
-| [Domeneshop](https://domene.shop) | `domeneshop` | `DOMENESHOP_API_TOKEN`, `DOMENESHOP_API_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/domeneshop) |
-| [DreamHost](https://www.dreamhost.com/) | `dreamhost` | `DREAMHOST_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dreamhost) |
-| [Duck DNS](https://www.duckdns.org/) | `duckdns` | `DUCKDNS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/duckdns) |
-| [Dyn](https://dyn.com) | `dyn` | `DYN_CUSTOMER_NAME`, `DYN_USER_NAME`, `DYN_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/dyn) |
-| [DynDnsFree.de](https://www.dyndnsfree.de) | `dyndnsfree` | `DYNDNSFREE_USERNAME`, `DYNDNSFREE_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/dyndnsfree) |
-| [Dynu](https://www.dynu.com) | `dynu` | `DYNU_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/dynu) |
-| [EasyDNS](https://easydns.com/) | `easydns` | `EASYDNS_TOKEN`, `EASYDNS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/easydns) |
-| [EdgeDNS](https://www.akamai.com/) | `edgedns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns) |
-| [Efficient IP](https://efficientip.com) | `efficientip` | `EFFICIENTIP_USERNAME`, `EFFICIENTIP_PASSWORD`, `EFFICIENTIP_HOSTNAME`, `EFFICIENTIP_DNS_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/efficientip) |
-| [Epik](https://www.epik.com) | `epik` | `EPIK_SIGNATURE` | [Additional configuration](https://go-acme.github.io/lego/dns/epik) |
-| [Exoscale](https://www.exoscale.com) | `exoscale` | `EXOSCALE_API_KEY`, `EXOSCALE_API_SECRET`, `EXOSCALE_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/exoscale) |
-| [F5 XC](https://www.f5.com/products/distributed-cloud-services) | `f5xc` | `F5XC_API_TOKEN`, `F5XC_TENANT_NAME`, `F5XC_GROUP_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/f5xc) |
-| [Fast DNS](https://www.akamai.com/) | `fastdns` | `AKAMAI_CLIENT_TOKEN`, `AKAMAI_CLIENT_SECRET`, `AKAMAI_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/edgedns) |
-| [Freemyip.com](https://freemyip.com) | `freemyip` | `FREEMYIP_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/freemyip) |
-| [G-Core](https://gcore.com/dns/) | `gcore` | `GCORE_PERMANENT_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/gcore) |
-| [Gandi v5](https://doc.livedns.gandi.net) | `gandiv5` | `GANDIV5_PERSONAL_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/gandiv5) |
-| [Gandi](https://www.gandi.net) | `gandi` | `GANDI_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/gandi) |
-| [Glesys](https://glesys.com/) | `glesys` | `GLESYS_API_USER`, `GLESYS_API_KEY`, `GLESYS_DOMAIN` | [Additional configuration](https://go-acme.github.io/lego/dns/glesys) |
-| [GoDaddy](https://www.godaddy.com) | `godaddy` | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/godaddy) |
-| [Google Cloud DNS](https://cloud.google.com/dns/docs/) | `gcloud` | `GCE_PROJECT`, Application Default Credentials [^2] [^3], [`GCE_SERVICE_ACCOUNT_FILE`] | [Additional configuration](https://go-acme.github.io/lego/dns/gcloud) |
-| [Google Domains](https://domains.google) (DEPRECATED) | `googledomains` | DEPRECATED | [Additional configuration](https://go-acme.github.io/lego/dns/googledomains) |
-| [Hetzner](https://hetzner.com) | `hetzner` | `HETZNER_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/hetzner) |
-| [hosting.de](https://www.hosting.de) | `hostingde` | `HOSTINGDE_API_KEY`, `HOSTINGDE_ZONE_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/hostingde) |
-| [Hostinger](https://www.hostinger.com/) | `hostinger` | `HOSTINGER_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/hostinger) |
-| [Hosttech](https://www.hosttech.eu) | `hosttech` | `HOSTTECH_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/hosttech) |
-| [http.net](https://www.http.net/) | `httpnet` | `HTTPNET_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/httpnet) |
-| [Huawei Cloud](https://huaweicloud.com) | `huaweicloud` | `HUAWEICLOUD_ACCESS_KEY_ID`, `HUAWEICLOUD_SECRET_ACCESS_KEY`, `HUAWEICLOUD_REGION` | [Additional configuration](https://go-acme.github.io/lego/dns/huaweicloud) |
-| [Hurricane Electric](https://dns.he.net) | `hurricane` | `HURRICANE_TOKENS` [^6] | [Additional configuration](https://go-acme.github.io/lego/dns/hurricane) |
-| [HyperOne](https://www.hyperone.com) | `hyperone` | `HYPERONE_PASSPORT_LOCATION`, `HYPERONE_LOCATION_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/hyperone) |
-| [IBM Cloud (SoftLayer)](https://www.ibm.com/cloud/) | `ibmcloud` | `SOFTLAYER_USERNAME`, `SOFTLAYER_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ibmcloud) |
-| [IIJ DNS Platform Service](https://www.iij.ad.jp) | `iijdpf` | `IIJ_DPF_API_TOKEN` , `IIJ_DPF_DPM_SERVICE_CODE` | [Additional configuration](https://go-acme.github.io/lego/dns/iijdpf) |
-| [IIJ](https://www.iij.ad.jp/) | `iij` | `IIJ_API_ACCESS_KEY`, `IIJ_API_SECRET_KEY`, `IIJ_DO_SERVICE_CODE` | [Additional configuration](https://go-acme.github.io/lego/dns/iij) |
-| [Infoblox](https://www.infoblox.com/) | `infoblox` | `INFOBLOX_USERNAME`, `INFOBLOX_PASSWORD`, `INFOBLOX_HOST` | [Additional configuration](https://go-acme.github.io/lego/dns/infoblox) |
-| [Infomaniak](https://www.infomaniak.com) | `infomaniak` | `INFOMANIAK_ACCESS_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/infomaniak) |
-| [Internet.bs](https://internetbs.net) | `internetbs` | `INTERNET_BS_API_KEY`, `INTERNET_BS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/internetbs) |
-| [INWX](https://www.inwx.de/en) | `inwx` | `INWX_USERNAME`, `INWX_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/inwx) |
-| [ionos](https://ionos.com/) | `ionos` | `IONOS_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ionos) |
-| [IPv64](https://ipv64.net) | `ipv64` | `IPV64_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ipv64) |
-| [iwantmyname](https://iwantmyname.com) | `iwantmyname` | `IWANTMYNAME_USERNAME` , `IWANTMYNAME_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/iwantmyname) |
-| [Joker.com](https://joker.com) | `joker` | `JOKER_API_MODE` with `JOKER_API_KEY` or `JOKER_USERNAME`, `JOKER_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/joker) |
-| [KeyHelp](https://www.keyweb.de/en/keyhelp/keyhelp/) | `keyhelp` | `KEYHELP_API_KEY`, `KEYHELP_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/keyhelp) |
-| [Liara](https://liara.ir) | `liara` | `LIARA_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/liara) |
-| [Lightsail](https://aws.amazon.com/lightsail/) | `lightsail` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `DNS_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/lightsail) |
-| [Lima-City](https://www.lima-city.de) | `limacity` | `LIMACITY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/limacity) |
-| [Linode v4](https://www.linode.com) | `linode` | `LINODE_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/linode) |
-| [Liquid Web](https://www.liquidweb.com/) | `liquidweb` | `LIQUID_WEB_PASSWORD`, `LIQUID_WEB_USERNAME`, `LIQUID_WEB_ZONE` | [Additional configuration](https://go-acme.github.io/lego/dns/liquidweb) |
-| [Loopia](https://loopia.com/) | `loopia` | `LOOPIA_API_PASSWORD`, `LOOPIA_API_USER` | [Additional configuration](https://go-acme.github.io/lego/dns/loopia) |
-| [LuaDNS](https://luadns.com) | `luadns` | `LUADNS_API_USERNAME`, `LUADNS_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/luadns) |
-| [Mail-in-a-Box](https://mailinabox.email) | `mailinabox` | `MAILINABOX_EMAIL`, `MAILINABOX_PASSWORD`, `MAILINABOX_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/mailinabox) |
-| [ManageEngine CloudDNS](https://clouddns.manageengine.com) | `manageengine` | `MANAGEENGINE_CLIENT_ID`, `MANAGEENGINE_CLIENT_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/manageengine) |
-| [Metaname](https://metaname.net) | `metaname` | `METANAME_ACCOUNT_REFERENCE`, `METANAME_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/metaname) |
-| [Metaregistrar](https://metaregistrar.com) | `metaregistrar` | `METAREGISTRAR_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/metaregistrar) |
-| [mijn.host](https://mijn.host/) | `mijnhost` | `MIJNHOST_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/mijnhost) |
-| [Mittwald](https://www.mittwald.de) | `mittwald` | `MITTWALD_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/mittwald) |
-| [myaddr.{tools,dev,io}](https://myaddr.tools/) | `myaddr` | `MYADDR_PRIVATE_KEYS_MAPPING` | [Additional configuration](https://go-acme.github.io/lego/dns/myaddr) |
-| [MyDNS.jp](https://www.mydns.jp/) | `mydnsjp` | `MYDNSJP_MASTER_ID`, `MYDNSJP_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mydnsjp) |
-| [Mythic Beasts](https://www.mythic-beasts.com) | `mythicbeasts` | `MYTHICBEASTS_USER_NAME`, `MYTHICBEASTS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/mythicbeasts) |
-| [name.com](https://www.name.com/) | `namedotcom` | `NAMECOM_USERNAME`, `NAMECOM_API_TOKEN`, `NAMECOM_SERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/namedotcom) |
-| [Namecheap](https://www.namecheap.com) | `namecheap` | `NAMECHEAP_API_USER`, `NAMECHEAP_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/namecheap) |
-| [Namesilo](https://www.namesilo.com/) | `namesilo` | `NAMESILO_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/namesilo) |
-| [NearlyFreeSpeech.NET](https://www.nearlyfreespeech.net/) | `nearlyfreespeech` | `NEARLYFREESPEECH_API_KEY`, `NEARLYFREESPEECH_LOGIN` | [Additional configuration](https://go-acme.github.io/lego/dns/nearlyfreespeech) |
-| [Netcup](https://www.netcup.eu/) | `netcup` | `NETCUP_CUSTOMER_NUMBER`, `NETCUP_API_KEY`, `NETCUP_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/netcup) |
-| [Netlify](https://www.netlify.com) | `netlify` | `NETLIFY_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/netlify) |
-| [Nicmanager](https://www.nicmanager.com) | `nicmanager` | `NICMANAGER_API_EMAIL`, `NICMANAGER_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/nicmanager) |
-| [NIFCloud](https://cloud.nifty.com/service/dns.htm) | `nifcloud` | `NIFCLOUD_ACCESS_KEY_ID`, `NIFCLOUD_SECRET_ACCESS_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/nifcloud) |
-| [Njalla](https://njal.la) | `njalla` | `NJALLA_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/njalla) |
-| [Nodion](https://www.nodion.com) | `nodion` | `NODION_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/nodion) |
-| [NS1](https://ns1.com/) | `ns1` | `NS1_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/ns1) |
-| [Octenium](https://octenium.com/) | `octenium` | `OCTENIUM_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/octenium) |
-| [Open Telekom Cloud](https://cloud.telekom.de) | `otc` | `OTC_DOMAIN_NAME`, `OTC_USER_NAME`, `OTC_PASSWORD`, `OTC_PROJECT_NAME`, `OTC_IDENTITY_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/otc) |
-| [Openstack Designate](https://docs.openstack.org/designate) | `designate` | `OS_AUTH_URL`, `OS_USERNAME`, `OS_PASSWORD`, `OS_TENANT_NAME`, `OS_REGION_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/designate) |
-| [Oracle Cloud](https://cloud.oracle.com/home) | `oraclecloud` | `OCI_COMPARTMENT_OCID`, `OCI_PRIVKEY_FILE`, `OCI_PRIVKEY_PASS`, `OCI_PUBKEY_FINGERPRINT`, `OCI_REGION`, `OCI_TENANCY_OCID`, `OCI_USER_OCID` | [Additional configuration](https://go-acme.github.io/lego/dns/oraclecloud) |
-| [OVH](https://www.ovh.com) | `ovh` | `OVH_ENDPOINT`, `OVH_APPLICATION_KEY`, `OVH_APPLICATION_SECRET`, `OVH_CONSUMER_KEY`, `OVH_CLIENT_ID`, `OVH_CLIENT_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/ovh) |
-| [Plesk](https://www.plesk.com) | `plesk` | `PLESK_SERVER_BASE_URL`, `PLESK_USERNAME`, `PLESK_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/plesk) |
-| [Porkbun](https://porkbun.com/) | `porkbun` | `PORKBUN_SECRET_API_KEY`, `PORKBUN_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/porkbun) |
-| [PowerDNS](https://www.powerdns.com) | `pdns` | `PDNS_API_KEY`, `PDNS_API_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/pdns) |
-| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace) |
-| [Rainyun/雨云](https://www.rainyun.com) | `rainyun` | `RAINYUN_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rainyun) |
-| [RcodeZero](https://www.rcodezero.at) | `rcodezero` | `RCODEZERO_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/rcodezero) |
-| [reg.ru](https://www.reg.ru) | `regru` | `REGRU_USERNAME`, `REGRU_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/regru) |
-| [Regfish](https://regfish.de) | `regfish` | `regfish` | [Additional configuration](https://go-acme.github.io/lego/dns/regfish) |
-| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136) |
-| [RimuHosting](https://rimuhosting.com) | `rimuhosting` | `RIMUHOSTING_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting) |
-| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | [Additional configuration](https://go-acme.github.io/lego/dns/route53) |
-| [RU Center](https://nic.ru/) | `nicru` | `NICRU_USER`, `NICRU_PASSWORD`, `NICRU_SERVICE_ID`, `NICRU_SECRET`, `NICRU_SERVICE_NAME` | [Additional configuration](https://go-acme.github.io/lego/dns/nicru) |
-| [Sakura Cloud](https://cloud.sakura.ad.jp/) | `sakuracloud` | `SAKURACLOUD_ACCESS_TOKEN`, `SAKURACLOUD_ACCESS_TOKEN_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/sakuracloud) |
-| [Scaleway](https://www.scaleway.com) | `scaleway` | `SCW_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/scaleway) |
-| [Selectel v2](https://selectel.ru/en/) | `selectelv2` | `SELECTELV2_ACCOUNT_ID`, `SELECTELV2_PASSWORD`, `SELECTELV2_PROJECT_ID`, `SELECTELV2_USERNAME` | [Additional configuration](https://go-acme.github.io/lego/dns/selectelv2) |
-| [Selectel](https://selectel.ru/en/) | `selectel` | `SELECTEL_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/selectel) |
-| [SelfHost.(de/eu)](https://www.selfhost.de) | `selfhostde` | `SELFHOSTDE_USERNAME`, `SELFHOSTDE_PASSWORD`, `SELFHOSTDE_RECORDS_MAPPING` | [Additional configuration](https://go-acme.github.io/lego/dns/selfhostde) |
-| [Servercow](https://servercow.de) | `servercow` | `SERVERCOW_USERNAME`, `SERVERCOW_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/servercow) |
-| [Shellrent](https://www.shellrent.com) | `shellrent` | `SHELLRENT_USERNAME`, `SHELLRENT_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/shellrent) |
-| [Simply.com](https://www.simply.com/en/domains/) | `simply` | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/simply) |
-| [Sonic](https://www.sonic.com/) | `sonic` | `SONIC_USER_ID`, `SONIC_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/sonic) |
-| [Spaceship](https://spaceship.com) | `spaceship` | `SPACESHIP_API_KEY`, `SPACESHIP_API_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/spaceship) |
-| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath) |
-| [Technitium](https://technitium.com) | `technitium` | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/technitium) |
-| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns) | `tencentcloud` | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud) |
-| [Tencent EdgeOne](https://edgeone.ai/) | `edgeone` | `EDGEONE_SECRET_ID`, `EDGEONE_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/edgeone) |
-| [Timeweb Cloud](https://timeweb.cloud) | `timewebcloud` | `TIMEWEBCLOUD_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud) |
-| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/transip) |
-| [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns` | `SAFEDNS_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/safedns) |
-| [Ultradns](https://neustarsecurityservices.com/dns-services) | `ultradns` | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns) |
-| [Variomedia](https://www.variomedia.de/) | `variomedia` | `VARIOMEDIA_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/variomedia) |
-| [VegaDNS](https://github.com/shupp/VegaDNS-API) | `vegadns` | `SECRET_VEGADNS_KEY`, `SECRET_VEGADNS_SECRET`, `VEGADNS_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/vegadns) |
-| [Vercel](https://vercel.com) | `vercel` | `VERCEL_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/vercel) |
-| [Versio](https://www.versio.nl/domeinnamen) | `versio` | `VERSIO_USERNAME`, `VERSIO_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/versio) |
-| [VinylDNS](https://www.vinyldns.io) | `vinyldns` | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST` | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns) |
-| [VK Cloud](https://mcs.mail.ru/) | `vkcloud` | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME` | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud) |
-| [Volcano Engine](https://www.volcengine.com) | `volcengine` | `VOLC_ACCESSKEY`, `VOLC_SECRETKEY` | [Additional configuration](https://go-acme.github.io/lego/dns/volcengine) |
-| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/vscale) |
-| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/vultr) |
-| [Webnames](https://www.webnames.ru/) | `webnames` | `WEBNAMES_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/webnames) |
-| [Websupport](https://websupport.sk) | `websupport` | `WEBSUPPORT_API_KEY`, `WEBSUPPORT_SECRET` | [Additional configuration](https://go-acme.github.io/lego/dns/websupport) |
-| [WEDOS](https://www.wedos.com) | `wedos` | `WEDOS_USERNAME`, `WEDOS_WAPI_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/wedos) |
-| [West.cn/西部数码](https://www.west.cn) | `westcn` | `WESTCN_USERNAME`, `WESTCN_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/westcn) |
-| [Yandex 360](https://360.yandex.ru) | `yandex360` | `YANDEX360_OAUTH_TOKEN`, `YANDEX360_ORG_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/yandex360) |
-| [Yandex Cloud](https://cloud.yandex.com/en/) | `yandexcloud` | `YANDEX_CLOUD_FOLDER_ID`, `YANDEX_CLOUD_IAM_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/yandexcloud) |
-| [Yandex](https://yandex.com) | `yandex` | `YANDEX_PDD_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/yandex) |
-| [Zone.ee](https://www.zone.ee) | `zoneee` | `ZONEEE_API_USER`, `ZONEEE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/zoneee) |
-| [ZoneEdit](https://www.zoneedit.com) | `zoneedit` | `ZONEEDIT_USER`, `ZONEEDIT_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/zoneedit) |
-| [Zonomi](https://zonomi.com) | `zonomi` | `ZONOMI_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/zonomi) |
-| External Program | `exec` | `EXEC_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/exec) |
-| HTTP request | `httpreq` | `HTTPREQ_ENDPOINT`, `HTTPREQ_MODE`, `HTTPREQ_USERNAME`, `HTTPREQ_PASSWORD` [^1] | [Additional configuration](https://go-acme.github.io/lego/dns/httpreq) |
-| manual | `manual` | none, but you need to run Traefik interactively [^4], turn on debug log to see instructions and press Enter. | |
-
-[^1]: More information about the HTTP message format can be found [here](https://go-acme.github.io/lego/dns/httpreq/).
-[^2]: [Providing credentials to your application](https://cloud.google.com/docs/authentication/production).
-[^3]: [google/default.go](https://github.com/golang/oauth2/blob/36a7019397c4c86cf59eeab3bc0d188bac444277/google/default.go#L61-L76)
-[^4]: `docker stack` remark: there is no way to support terminal attached to container when deploying with `docker stack`, so you might need to run container with `docker run -it` to generate certificates using `manual` provider.
-[^5]: The `Global API Key` needs to be used, not the `Origin CA Key`.
-[^6]: As explained in the [LEGO hurricane configuration](https://go-acme.github.io/lego/dns/hurricane/#credentials), each domain or wildcard (record name) needs a token. So each update of record name must be followed by an update of the `HURRICANE_TOKENS` variable, and a restart of Traefik.
-
-#### `resolvers`
-
-Use custom DNS servers to resolve the FQDN authority.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- dnsChallenge:
- # ...
- resolvers:
- - "1.1.1.1:53"
- - "8.8.8.8:53"
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge]
- # ...
- resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
-```
-
-#### `propagation.delayBeforeChecks`
-
-By default, the `provider` verifies the TXT record _before_ letting ACME verify.
-
-You can delay this operation by specifying a delay (in seconds) with `delayBeforeChecks` (value must be greater than zero).
-
-This option is useful when internal networks block external DNS queries.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- dnsChallenge:
- # ...
- propagation:
- # ...
- delayBeforeChecks: 2s
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
- # ...
- delayBeforeChecks = "2s"
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.delayBeforeChecks=2s
-```
-
-#### `propagation.disableChecks`
-
-Disables the challenge TXT record propagation checks, before notifying ACME that the DNS challenge is ready.
-
-Please note that disabling checks can prevent the challenge from succeeding.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- dnsChallenge:
- # ...
- propagation:
- # ...
- disableChecks: true
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
- # ...
- disableChecks = true
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableChecks=true
-```
-
-#### `propagation.requireAllRNS`
-
-Requires the challenge TXT record to be propagated to all recursive nameservers.
-
-!!! note
-
- If you have disabled authoritative nameservers checks (with `propagation.disableANSChecks`),
- it is recommended to check all recursive nameservers instead.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- dnsChallenge:
- # ...
- propagation:
- # ...
- requireAllRNS: true
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
- # ...
- requireAllRNS = true
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.requireAllRNS=true
-```
-
-#### `propagation.disableANSChecks`
-
-Disables the challenge TXT record propagation checks against authoritative nameservers.
-
-This option will skip the propagation check against the nameservers of the authority (SOA).
-
-It should be used only if the nameservers of the authority are not reachable.
-
-!!! note
-
- If you have disabled authoritative nameservers checks,
- it is recommended to check all recursive nameservers instead.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- dnsChallenge:
- # ...
- propagation:
- # ...
- disableANSChecks: true
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge]
- # ...
- [certificatesResolvers.myresolver.acme.dnsChallenge.propagation]
- # ...
- disableANSChecks = true
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.dnschallenge.propagation.disableANSChecks=true
-```
-
-#### Wildcard Domains
-
-[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
-As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
-
-## External Account Binding
-
-- `kid`: Key identifier from External CA
-- `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- eab:
- kid: abc-keyID-xyz
- hmacEncoded: abc-hmac-xyz
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- [certificatesResolvers.myresolver.acme.eab]
- kid = "abc-keyID-xyz"
- hmacEncoded = "abc-hmac-xyz"
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
---certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz
-```
-
-## More Configuration
-
-### `caServer`
-
-_Required, Default="https://acme-v02.api.letsencrypt.org/directory"_
-
-The CA server to use:
-
-- Let's Encrypt production server: https://acme-v02.api.letsencrypt.org/directory
-- Let's Encrypt staging server: https://acme-staging-v02.api.letsencrypt.org/directory
-
-??? example "Using the Let's Encrypt staging server"
-
- ```yaml tab="File (YAML)"
- certificatesResolvers:
- myresolver:
- acme:
- # ...
- caServer: https://acme-staging-v02.api.letsencrypt.org/directory
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [certificatesResolvers.myresolver.acme]
- # ...
- caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
- # ...
- ```
-
- ```bash tab="CLI"
- # ...
- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
- # ...
- ```
-
-### `storage`
-
-_Required, Default="acme.json"_
-
-The `storage` option sets the location where your ACME certificates are saved to.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- storage: acme.json
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- storage = "acme.json"
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.storage=acme.json
-# ...
-```
-
-ACME certificates are stored in a JSON file that needs to have a `600` file mode.
-
-In Docker you can mount either the JSON file, or the folder containing it:
-
-```bash
-docker run -v "/my/host/acme.json:/acme.json" traefik
-```
-
-```bash
-docker run -v "/my/host/acme:/etc/traefik/acme" traefik
-```
-
-!!! warning
- For concurrency reasons, this file cannot be shared across multiple instances of Traefik.
-
-### `certificatesDuration`
-
-_Optional, Default=2160_
-
-`certificatesDuration` specifies the duration (in hours) of the certificates issued by the CA server. It is used to determine when to renew the certificate, but it **doesn't** define the duration of the certificates, that is up to the CA server.
-
-`certificatesDuration` is used to calculate two durations:
-
-- `Renew Period`: the period before the end of the certificate duration, during which the certificate should be renewed.
-- `Renew Interval`: the interval between renew attempts.
-
-It defaults to `2160` (90 days) to follow Let's Encrypt certificates' duration.
-
-| Certificate Duration | Renew Period | Renew Interval |
-|----------------------|--------------|----------------|
-| >= 1 year | 4 months | 1 week |
-| >= 90 days | 30 days | 1 day |
-| >= 30 days | 10 days | 12 hours |
-| >= 6 days | 2 days | 2 hours |
-| >= 24 hours | 6 hours | 10 min |
-| < 24 hours | 20 min | 1 min |
-
-!!! warning "Traefik cannot manage certificates with a duration lower than 1 hour."
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- certificatesDuration: 72
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- certificatesDuration=72
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.certificatesduration=72
-# ...
-```
-
-### `clientTimeout`
-
-_Optional, Default=2m_
-
-`clientTimeout` is the total timeout for a complete HTTP transaction (including TCP connection, sending request and receiving response) with the ACME server.
-It defaults to 2 minutes.
-
-!!! warning "This timeout encompasses the entire request-response cycle, including the response headers timeout. It must be at least `clientResponseHeaderTimeout`, otherwise the certificate resolver will fail to start."
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- clientTimeout: 1m
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- clientTimeout=1m
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.clientTimeout=1m
-# ...
-```
-
-!!! warning
- This should not be confused with any timeouts used for validating challenges.
-
-### `clientResponseHeaderTimeout`
-
-_Optional, Default=30s_
-
-`clientResponseHeaderTimeout` defines how long the HTTP client waits for response headers when communicating with the `caServer`.
-It defaults to 30 seconds.
-
-!!! warning "It must be lower than `clientTimeout`, otherwise the certificate resolver will fail to start."
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- clientResponseHeaderTimeout: 1m
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- clientResponseHeaderTimeout=1m
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.clientResponseHeaderTimeout=1m
-# ...
-```
-
-### `preferredChain`
-
-_Optional, Default=""_
-
-Preferred chain to use.
-
-If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
-If no match, the default offered chain will be used.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- preferredChain: 'ISRG Root X1'
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- preferredChain = "ISRG Root X1"
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.preferredChain=ISRG Root X1
-# ...
-```
-
-### `profile`
-
-_Optional, Default=""_
-
-Certificate profile to use.
-
-For more information, please check out the [Let's Encrypt blog post](https://letsencrypt.org/2025/01/09/acme-profiles/) about certificate profile selection.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- profile: tlsserver
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- profile = "tlsserver"
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.profile=tlsserver
-# ...
-```
-
-### `emailAddresses`
-
-_Optional, Default=""_
-
-CSR email addresses to use.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- emailAddresses:
- - foo@example.com
- - bar@example.org
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- emailAddresses = ["foo@example.com", "bar@example.org"]
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.emailaddresses=foo@example.com,bar@example.org
-# ...
-```
-
-### `disableCommonName`
-
-_Optional, Default=false_
-
-Disable common name inside CSR and certificates.
-
-It's recommended to disable the common name and required to get a certificate for IP.
-
-- https://letsencrypt.org/docs/profiles/#certificate-common-name
-- https://community.letsencrypt.org/t/ip-san-error-csr-contains-ip-address-in-common-name/239012/7
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- disableCommonName: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- disableCommonName = true
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.disableCommonName=true
-# ...
-```
-
-### `keyType`
-
-_Optional, Default="RSA4096"_
-
-KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- keyType: 'RSA4096'
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- keyType = "RSA4096"
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.keyType=RSA4096
-# ...
-```
-
-### `caCertificates`
-
-_Optional, Default=[]_
-
-The `caCertificates` option specifies the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- caCertificates:
- - path/certificates1.pem
- - path/certificates2.pem
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- caCertificates = [ "path/certificates1.pem", "path/certificates2.pem" ]
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.caCertificates="path/certificates1.pem,path/certificates2.pem"
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
- It can be defined globally by using the environment variable `LEGO_CA_CERTIFICATES`.
- This environment variable is neither a fallback nor an override of the configuration option.
-
-### `caSystemCertPool`
-
-_Optional, Default=false_
-
-The `caSystemCertPool` option defines if the certificates pool must use a copy of the system cert pool.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- caSystemCertPool: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- caSystemCertPool = true
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.caSystemCertPool=true
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
- It can be defined globally by using the environment variable `LEGO_CA_SYSTEM_CERT_POOL`.
- `LEGO_CA_SYSTEM_CERT_POOL` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
- This environment variable is neither a fallback nor an override of the configuration option.
-
-### `caServerName`
-
-_Optional, Default=""_
-
-The `caServerName` option specifies the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- acme:
- # ...
- caServerName: "my-server"
- # ...
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.acme]
- # ...
- caServerName = "my-server"
- # ...
-```
-
-```bash tab="CLI"
-# ...
---certificatesresolvers.myresolver.acme.caServerName="my-server"
-# ...
-```
-
-??? note "LEGO Environment Variable"
-
- It can be defined globally by using the environment variable `LEGO_CA_SERVER_NAME`.
- `LEGO_CA_SERVER_NAME` is ignored if `LEGO_CA_CERTIFICATES` is not set or empty.
- This environment variable is neither a fallback nor an override of the configuration option.
-
-## Fallback
-
-If Let's Encrypt is not reachable, the following certificates will apply:
-
- 1. Previously generated ACME certificates (before downtime)
- 2. Expired ACME certificates
- 3. Provided certificates
-
-!!! important
- For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/https/ocsp.md b/docs/content/https/ocsp.md
deleted file mode 100644
index a960d88d0..000000000
--- a/docs/content/https/ocsp.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: "Traefik OCSP Documentation"
-description: "Learn how to configure Traefik to use OCSP. Read the technical documentation."
----
-
-# OCSP
-
-Check certificate status and perform OCSP stapling.
-{: .subtitle }
-
-## Overview
-
-### OCSP Stapling
-
-When OCSP is enabled, Traefik checks the status of every certificate in the store that provides an OCSP responder URL,
-including the default certificate, and staples the OCSP response to the TLS handshake.
-The OCSP check is performed when the certificate is loaded,
-and once every hour until it is successful at the halfway point before the update date.
-
-### Caching
-
-Traefik caches the OCSP response as long as the associated certificate is provided by the configuration.
-When a certificate is no longer provided,
-the OCSP response has a 24 hour TTL waiting to be provided again or eventually removed.
-The OCSP response is cached in memory and is not persisted between Traefik restarts.
-
-## Configuration
-
-### General
-
-Enabling OCSP is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
-It can be defined by using a file (YAML or TOML) or CLI arguments:
-
-```yaml tab="File (YAML)"
-## Static configuration
-ocsp: {}
-```
-
-```toml tab="File (TOML)"
-## Static configuration
-[ocsp]
-```
-
-```bash tab="CLI"
-## Static configuration
---ocsp=true
-```
-
-### Responder Overrides
-
-The `responderOverrides` option defines the OCSP responder URLs to use instead of the one provided by the certificate.
-This is useful when you want to use a different OCSP responder.
-
-```yaml tab="File (YAML)"
-## Static configuration
-ocsp:
- responderOverrides:
- foo: bar
-```
-
-```toml tab="File (TOML)"
-## Static configuration
-[ocsp]
- [ocsp.responderOverrides]
- foo = "bar"
-```
-
-```bash tab="CLI"
-## Static configuration
--ocsp.responderoverrides.foo=bar
-```
diff --git a/docs/content/https/overview.md b/docs/content/https/overview.md
deleted file mode 100644
index ae07504d9..000000000
--- a/docs/content/https/overview.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-title: "Traefik Proxy HTTPS & TLS Overview |Traefik Docs"
-description: "Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration: routers, and the TLS connection. Read the documentation to learn more."
----
-
-# HTTPS & TLS
-
-Overview
-{: .subtitle }
-
-Traefik supports HTTPS & TLS, which concerns roughly two parts of the configuration:
-routers, and the TLS connection (and its underlying certificates).
-
-When a router has to handle HTTPS traffic,
-it should be specified with a `tls` field of the router definition.
-See the TLS section of the [routers documentation](../routing/routers/index.md#tls).
-
-The next sections of this documentation explain how to configure the TLS connection itself.
-That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
-either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
-And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/https/spiffe.md b/docs/content/https/spiffe.md
deleted file mode 100644
index cf7a9cf88..000000000
--- a/docs/content/https/spiffe.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: "Traefik SPIFFE Documentation"
-description: "Learn how to configure Traefik to use SPIFFE. Read the technical documentation."
----
-
-# SPIFFE
-
-Secure the backend connection with SPIFFE.
-{: .subtitle }
-
-[SPIFFE](https://spiffe.io/docs/latest/spiffe-about/overview/) (Secure Production Identity Framework For Everyone),
-provides a secure identity in the form of a specially crafted X.509 certificate,
-to every workload in an environment.
-
-Traefik is able to connect to the Workload API to obtain an x509-SVID used to secure the connection with SPIFFE enabled backends.
-
-## Configuration
-
-### General
-
-Enabling SPIFFE is part of the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
-It can be defined by using a file (YAML or TOML) or CLI arguments.
-
-### Workload API
-
-The `workloadAPIAddr` configuration defines the address of the SPIFFE [Workload API](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api).
-
-!!! info "Enabling SPIFFE in ServersTransports"
-
- Enabling SPIFFE does not imply that backend connections are going to use it automatically.
- Each [ServersTransport](../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../routing/services/index.md#serverstransport_2),
- that is meant to be secured with SPIFFE,
- must explicitly enable it (see [SPIFFE with ServersTransport](../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../routing/services/index.md#spiffe_1)).
-
-!!! warning "SPIFFE can cause Traefik to stall"
- When using SPIFFE,
- Traefik will wait for the first SVID to be delivered before starting.
- If Traefik is hanging when waiting on SPIFFE SVID delivery,
- please double check that it is correctly registered as workload in your SPIFFE infrastructure.
-
-```yaml tab="File (YAML)"
-## Static configuration
-spiffe:
- workloadAPIAddr: localhost
-```
-
-```toml tab="File (TOML)"
-## Static configuration
-[spiffe]
- workloadAPIAddr: localhost
-```
-
-```bash tab="CLI"
-## Static configuration
---spiffe.workloadAPIAddr=localhost
-```
diff --git a/docs/content/https/tailscale.md b/docs/content/https/tailscale.md
deleted file mode 100644
index d49c314c5..000000000
--- a/docs/content/https/tailscale.md
+++ /dev/null
@@ -1,207 +0,0 @@
----
-title: "Traefik Tailscale Documentation"
-description: "Learn how to configure Traefik Proxy to resolve TLS certificates for your Tailscale services. Read the technical documentation."
----
-
-# Tailscale
-
-Provision TLS certificates for your internal Tailscale services.
-{: .subtitle }
-
-To protect a service with TLS, a certificate from a public Certificate Authority is needed.
-In addition to its vpn role, Tailscale can also [provide certificates](https://tailscale.com/kb/1153/enabling-https/) for the machines in your Tailscale network.
-
-## Certificate resolvers
-
-To obtain a TLS certificate from the Tailscale daemon,
-a Tailscale certificate resolver needs to be configured as below.
-
-!!! info "Referencing a certificate resolver"
-
- Defining a certificate resolver does not imply that routers are going to use it automatically.
- Each router or entrypoint that is meant to use the resolver must explicitly [reference](../routing/routers/index.md#certresolver) it.
-
-```yaml tab="File (YAML)"
-certificatesResolvers:
- myresolver:
- tailscale: {}
-```
-
-```toml tab="File (TOML)"
-[certificatesResolvers.myresolver.tailscale]
-```
-
-```bash tab="CLI"
---certificatesresolvers.myresolver.tailscale=true
-```
-
-## Domain Definition
-
-A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:
-
-- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
- then the certificate resolver derives this router domain name from the `main` option of `tls.domains`.
-
-- Otherwise, the certificate resolver derives the domain name from any `Host()` or `HostSNI()` matchers
- in the [router's rule](../routing/routers/index.md#rule).
-
-!!! info "Tailscale Domain Format"
-
- The domain is only taken into account if it is a Tailscale-specific one,
- i.e. of the form `machine-name.domains-alias.ts.net`.
-
-## Configuration Example
-
-!!! example "Enabling Tailscale certificate resolution"
-
- ```yaml tab="File (YAML)"
- entryPoints:
- web:
- address: ":80"
-
- websecure:
- address: ":443"
-
- certificatesResolvers:
- myresolver:
- tailscale: {}
- ```
-
- ```toml tab="File (TOML)"
- [entryPoints]
- [entryPoints.web]
- address = ":80"
-
- [entryPoints.websecure]
- address = ":443"
-
- [certificatesResolvers.myresolver.tailscale]
- ```
-
- ```bash tab="CLI"
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- # ...
- --certificatesresolvers.myresolver.tailscale=true
- ```
-
-!!! example "Domain from Router's Rule Example"
-
- ```yaml tab="Docker & Swarm"
- ## Dynamic configuration
- labels:
- - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
- - traefik.http.routers.blog.tls.certresolver=myresolver
- ```
-
- ```yaml tab="Docker (Swarm)"
- ## Dynamic configuration
- deploy:
- labels:
- - traefik.http.routers.blog.rule=Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
- - traefik.http.routers.blog.tls.certresolver=myresolver
- ```
-
- ```yaml tab="Kubernetes"
- apiVersion: traefik.io/v1alpha1
- kind: IngressRoute
- metadata:
- name: blogtls
- spec:
- entryPoints:
- - websecure
- routes:
- - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
- kind: Rule
- services:
- - name: blog
- port: 8080
- tls:
- certResolver: myresolver
- ```
-
- ```yaml tab="File (YAML)"
- ## Dynamic configuration
- http:
- routers:
- blog:
- rule: "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
- tls:
- certResolver: myresolver
- ```
-
- ```toml tab="File (TOML)"
- ## Dynamic configuration
- [http.routers]
- [http.routers.blog]
- rule = "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"
- [http.routers.blog.tls]
- certResolver = "myresolver"
- ```
-
-!!! example "Domain from Router's tls.domain Example"
-
- ```yaml tab="Docker & Swarm"
- ## Dynamic configuration
- labels:
- - traefik.http.routers.blog.rule=Path(`/metrics`)
- - traefik.http.routers.blog.tls.certresolver=myresolver
- - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
- ```
-
- ```yaml tab="Docker (Swarm)"
- ## Dynamic configuration
- deploy:
- labels:
- - traefik.http.routers.blog.rule=Path(`/metrics`)
- - traefik.http.routers.blog.tls.certresolver=myresolver
- - traefik.http.routers.blog.tls.domains[0].main=monitoring.yak-bebop.ts.net
- ```
-
- ```yaml tab="Kubernetes"
- apiVersion: traefik.io/v1alpha1
- kind: IngressRoute
- metadata:
- name: blogtls
- spec:
- entryPoints:
- - websecure
- routes:
- - match: Path(`/metrics`)
- kind: Rule
- services:
- - name: blog
- port: 8080
- tls:
- certResolver: myresolver
- domains:
- - main: monitoring.yak-bebop.ts.net
- ```
-
- ```yaml tab="File (YAML)"
- ## Dynamic configuration
- http:
- routers:
- blog:
- rule: "Path(`/metrics`)"
- tls:
- certResolver: myresolver
- domains:
- - main: "monitoring.yak-bebop.ts.net"
- ```
-
- ```toml tab="File (TOML)"
- ## Dynamic configuration
- [http.routers]
- [http.routers.blog]
- rule = "Path(`/metrics`)"
- [http.routers.blog.tls]
- certResolver = "myresolver"
- [[http.routers.blog.tls.domains]]
- main = "monitoring.yak-bebop.ts.net"
- ```
-
-## Automatic Renewals
-
-Traefik automatically tracks the expiry date of each Tailscale certificate it fetches,
-and starts to renew a certificate 14 days before its expiry to match Tailscale daemon renew policy.
diff --git a/docs/content/https/tls.md b/docs/content/https/tls.md
deleted file mode 100644
index abda2dd93..000000000
--- a/docs/content/https/tls.md
+++ /dev/null
@@ -1,590 +0,0 @@
----
-title: "Traefik TLS Documentation"
-description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
----
-
-# TLS
-
-Transport Layer Security
-{: .subtitle }
-
-## Certificates Definition
-
-### Automated
-
-See the [Let's Encrypt](./acme.md) page.
-
-### User defined
-
-To add / remove TLS certificates, even when Traefik is already running, their definition can be added to the [dynamic configuration](../getting-started/configuration-overview.md), in the `[[tls.certificates]]` section:
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- certificates:
- - certFile: /path/to/domain.cert
- keyFile: /path/to/domain.key
- - certFile: /path/to/other-domain.cert
- keyFile: /path/to/other-domain.key
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[[tls.certificates]]
- certFile = "/path/to/domain.cert"
- keyFile = "/path/to/domain.key"
-
-[[tls.certificates]]
- certFile = "/path/to/other-domain.cert"
- keyFile = "/path/to/other-domain.key"
-```
-
-!!! important "Restriction"
-
- In the above example, we've used the [file provider](../providers/file.md) to handle these definitions.
- It is the only available method to configure the certificates (as well as the options and the stores).
- However, in [Kubernetes](../providers/kubernetes-crd.md), the certificates can and must be provided by [secrets](https://kubernetes.io/docs/concepts/configuration/secret/).
-
-## Certificates Stores
-
-In Traefik, certificates are grouped together in certificates stores, which are defined as such:
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- stores:
- default: {}
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.stores]
- [tls.stores.default]
-```
-
-!!! important "Restriction"
-
- Any store definition other than the default one (named `default`) will be ignored,
- and there is therefore only one globally available TLS store.
-
-In the `tls.certificates` section, a list of stores can then be specified to indicate where the certificates should be stored:
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- certificates:
- - certFile: /path/to/domain.cert
- keyFile: /path/to/domain.key
- stores:
- - default
- # Note that since no store is defined,
- # the certificate below will be stored in the `default` store.
- - certFile: /path/to/other-domain.cert
- keyFile: /path/to/other-domain.key
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[[tls.certificates]]
- certFile = "/path/to/domain.cert"
- keyFile = "/path/to/domain.key"
- stores = ["default"]
-
-[[tls.certificates]]
- # Note that since no store is defined,
- # the certificate below will be stored in the `default` store.
- certFile = "/path/to/other-domain.cert"
- keyFile = "/path/to/other-domain.key"
-```
-
-!!! important "Restriction"
-
- The `stores` list will actually be ignored and automatically set to `["default"]`.
-
-### Default Certificate
-
-Traefik can use a default certificate for connections without a SNI, or without a matching domain.
-This default certificate should be defined in a TLS store:
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- stores:
- default:
- defaultCertificate:
- certFile: path/to/cert.crt
- keyFile: path/to/cert.key
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.stores]
- [tls.stores.default]
- [tls.stores.default.defaultCertificate]
- certFile = "path/to/cert.crt"
- keyFile = "path/to/cert.key"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSStore
-metadata:
- name: default
- namespace: default
-
-spec:
- defaultCertificate:
- secretName: default-certificate
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: default-certificate
- namespace: default
-
-type: Opaque
-data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
- tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
-```
-
-If no `defaultCertificate` is provided, Traefik will use the generated one.
-
-### ACME Default Certificate
-
-You can configure Traefik to use an ACME provider (like Let's Encrypt) to generate the default certificate.
-The configuration to resolve the default certificate should be defined in a TLS store:
-
-!!! important "Precedence with the `defaultGeneratedCert` option"
-
- The `defaultGeneratedCert` definition takes precedence over the ACME default certificate configuration.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- stores:
- default:
- defaultGeneratedCert:
- resolver: myresolver
- domain:
- main: example.org
- sans:
- - foo.example.org
- - bar.example.org
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.stores]
- [tls.stores.default.defaultGeneratedCert]
- resolver = "myresolver"
- [tls.stores.default.defaultGeneratedCert.domain]
- main = "example.org"
- sans = ["foo.example.org", "bar.example.org"]
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSStore
-metadata:
- name: default
- namespace: default
-
-spec:
- defaultGeneratedCert:
- resolver: myresolver
- domain:
- main: example.org
- sans:
- - foo.example.org
- - bar.example.org
-```
-
-```yaml tab="Docker & Swarm"
-## Dynamic configuration
-labels:
- - "traefik.tls.stores.default.defaultgeneratedcert.resolver=myresolver"
- - "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
- - "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org"
-```
-
-## TLS Options
-
-The TLS options allow one to configure some parameters of the TLS connection.
-
-!!! important "'default' TLS Option"
-
- The `default` option is special.
- When no tls options are specified in a tls router, the `default` option is used.
- When specifying the `default` option explicitly, make sure not to specify provider namespace as the `default` option does not have one.
- Conversely, for cross-provider references, for example, when referencing the file provider from a docker label,
- you must specify the provider namespace, for example:
- `traefik.http.routers.myrouter.tls.options=myoptions@file`
-
-!!! important "TLSOption in Kubernetes"
-
- When using the [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
- if not explicitly overwritten, should apply to all ingresses.
- To achieve that, you'll have to create a TLSOption resource with the name `default`.
- There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.
- To explicitly use a different TLSOption (and using the Kubernetes Ingress resources)
- you'll have to add an annotation to the Ingress in the following form:
- `traefik.ingress.kubernetes.io/router.tls.options: -@kubernetescrd`
-
-### Minimum TLS Version
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- minVersion: VersionTLS12
-
- mintls13:
- minVersion: VersionTLS13
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-
- [tls.options.default]
- minVersion = "VersionTLS12"
-
- [tls.options.mintls13]
- minVersion = "VersionTLS13"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- minVersion: VersionTLS12
-
----
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: mintls13
- namespace: default
-
-spec:
- minVersion: VersionTLS13
-```
-
-### Maximum TLS Version
-
-We discourage the use of this setting to disable TLS1.3.
-
-The recommended approach is to update the clients to support TLS1.3.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- maxVersion: VersionTLS13
-
- maxtls12:
- maxVersion: VersionTLS12
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
-
- [tls.options.default]
- maxVersion = "VersionTLS13"
-
- [tls.options.maxtls12]
- maxVersion = "VersionTLS12"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- maxVersion: VersionTLS13
-
----
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: maxtls12
- namespace: default
-
-spec:
- maxVersion: VersionTLS12
-```
-
-### Cipher Suites
-
-See [cipherSuites](https://godoc.org/crypto/tls#pkg-constants) for more information.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- cipherSuites:
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
- [tls.options.default]
- cipherSuites = [
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
- ]
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- cipherSuites:
- - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-```
-
-!!! important "TLS 1.3"
-
- Cipher suites defined for TLS 1.2 and below cannot be used in TLS 1.3, and vice versa. ()
- With TLS 1.3, the cipher suites are not configurable (all supported cipher suites are safe in this case).
-
-
-### Curve Preferences
-
-This option allows to set the enabled elliptic curves for key exchange.
-
-The names of the curves defined by [`crypto`](https://godoc.org/crypto/tls#CurveID) (e.g. `CurveP521`) and the [RFC defined names](https://tools.ietf.org/html/rfc8446#section-4.2.7) (e. g. `secp521r1`) can be used.
-
-See [CurvePreferences](https://godoc.org/crypto/tls#Config.CurvePreferences) and [CurveID](https://godoc.org/crypto/tls#CurveID) for more information.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- curvePreferences:
- - CurveP521
- - CurveP384
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
- [tls.options.default]
- curvePreferences = ["CurveP521", "CurveP384"]
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- curvePreferences:
- - CurveP521
- - CurveP384
-```
-
-### Strict SNI Checking
-
-With strict SNI checking enabled, Traefik won't allow connections from clients that do not specify a server_name extension
-or don't match any of the configured certificates.
-The default certificate is irrelevant on that matter.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- sniStrict: true
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
- [tls.options.default]
- sniStrict = true
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- sniStrict: true
-```
-
-### ALPN Protocols
-
-_Optional, Default="h2, http/1.1, acme-tls/1"_
-
-This option allows to specify the list of supported application level protocols for the TLS handshake,
-in order of preference.
-If the client supports ALPN, the selected protocol will be one from this list,
-and the connection will fail if there is no mutually supported protocol.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- alpnProtocols:
- - http/1.1
- - h2
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
- [tls.options.default]
- alpnProtocols = ["http/1.1", "h2"]
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- alpnProtocols:
- - http/1.1
- - h2
-```
-
-### Client Authentication (mTLS)
-
-Traefik supports mutual authentication, through the `clientAuth` section.
-
-For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.
-
-In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) for more details.
-
-The `clientAuth.clientAuthType` option governs the behaviour as follows:
-
-- `NoClientCert`: disregards any client certificate.
-- `RequestClientCert`: asks for a certificate but proceeds anyway if none is provided.
-- `RequireAnyClientCert`: requires a certificate but does not verify if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.
-- `VerifyClientCertIfGiven`: if a certificate is provided, verifies if it is signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`. Otherwise proceeds without any certificate.
-- `RequireAndVerifyClientCert`: requires a certificate, which must be signed by a CA listed in `clientAuth.caFiles` or in `clientAuth.secretNames`.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- clientAuth:
- # in PEM format. each file can contain multiple CAs.
- caFiles:
- - tests/clientca1.crt
- - tests/clientca2.crt
- clientAuthType: RequireAndVerifyClientCert
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
- [tls.options.default]
- [tls.options.default.clientAuth]
- # in PEM format. each file can contain multiple CAs.
- caFiles = ["tests/clientca1.crt", "tests/clientca2.crt"]
- clientAuthType = "RequireAndVerifyClientCert"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- clientAuth:
- # the CA certificate is extracted from key `tls.ca` or `ca.crt` of the given secrets.
- secretNames:
- - secretCA
- clientAuthType: RequireAndVerifyClientCert
-```
-
-### Disable Session Tickets
-
-_Optional, Default="false"_
-
-When set to true, Traefik disables the use of session tickets, forcing every client to perform a full TLS handshake instead of resuming sessions.
-
-```yaml tab="File (YAML)"
-# Dynamic configuration
-
-tls:
- options:
- default:
- disableSessionTickets: true
-```
-
-```toml tab="File (TOML)"
-# Dynamic configuration
-
-[tls.options]
- [tls.options.default]
- disableSessionTickets = true
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: TLSOption
-metadata:
- name: default
- namespace: default
-
-spec:
- disableSessionTickets: true
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/routing/providers/service-by-label.md b/docs/content/includes/service-by-label.md
similarity index 100%
rename from docs/content/routing/providers/service-by-label.md
rename to docs/content/includes/service-by-label.md
diff --git a/docs/content/index.md b/docs/content/index.md
index e8ebfc818..dcb7dc47c 100644
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -11,7 +11,7 @@ Traefik is an [open-source](https://github.com/traefik/traefik) Application Prox
If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.
-For a detailed comparison of all Traefik products and their capabilities, see our [Product Features Comparison](./features/).
+For a detailed comparison of all Traefik products and their capabilities, see our [Product Features Comparison](./features/index.md).
With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
diff --git a/docs/content/middlewares/http/addprefix.md b/docs/content/middlewares/http/addprefix.md
deleted file mode 100644
index 668855d47..000000000
--- a/docs/content/middlewares/http/addprefix.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: "Traefik AddPrefix Documentation"
-description: "Learn how to implement the HTTP AddPrefix middleware in Traefik Proxy to updates request paths before being forwarded. Read the technical documentation."
----
-
-# Add Prefix
-
-Prefixing the Path
-{: .subtitle }
-
-The AddPrefix middleware updates the path of a request before forwarding it.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Prefixing with /foo
-labels:
- - "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
-```
-
-```yaml tab="Kubernetes"
-# Prefixing with /foo
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: add-foo
-spec:
- addPrefix:
- prefix: /foo
-```
-
-```yaml tab="Consul Catalog"
-# Prefixing with /foo
-- "traefik.http.middlewares.add-foo.addprefix.prefix=/foo"
-```
-
-```yaml tab="File (YAML)"
-# Prefixing with /foo
-http:
- middlewares:
- add-foo:
- addPrefix:
- prefix: "/foo"
-```
-
-```toml tab="File (TOML)"
-# Prefixing with /foo
-[http.middlewares]
- [http.middlewares.add-foo.addPrefix]
- prefix = "/foo"
-```
-
-## Configuration Options
-
-### `prefix`
-
-`prefix` is the string to add before the current path in the requested URL.
-It should include a leading slash (`/`).
diff --git a/docs/content/middlewares/http/basicauth.md b/docs/content/middlewares/http/basicauth.md
deleted file mode 100644
index 072183914..000000000
--- a/docs/content/middlewares/http/basicauth.md
+++ /dev/null
@@ -1,349 +0,0 @@
----
-title: "Traefik BasicAuth Documentation"
-description: "The HTTP basic authentication (BasicAuth) middleware in Traefik Proxy restricts access to your Services to known users. Read the technical documentation."
----
-
-# BasicAuth
-
-Adding Basic Authentication
-{: .subtitle }
-
-The BasicAuth middleware grants access to services to authorized users only.
-
-!!! warning "Timing attacks"
-
- The BasicAuth middleware is vulnerable to timing attacks when the configured users' password hashes do not use the same algorithm and cost.
- However, when the configured user's password hashes are of the same algorithm and cost, the middleware guarantees the same comparison time between existing and non-existing users.
- This prevents an attacker from leveraging the time difference to determine whether a user exists.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Declaring the user list
-#
-# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
-# To create user:password pair, it's possible to use this command:
-# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
-#
-# Also note that dollar signs should NOT be doubled when they are not being evaluated (e.g. Ansible docker_container module).
-labels:
- - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```yaml tab="Kubernetes"
-# Declaring the user list
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- basicAuth:
- secret: secretName
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```yaml tab="File (YAML)"
-# Declaring the user list
-http:
- middlewares:
- test-auth:
- basicAuth:
- users:
- - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
- [http.middlewares.test-auth.basicAuth]
- users = [
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
- ]
-```
-
-## Configuration Options
-
-### General
-
-Passwords must be hashed using MD5, SHA1, or BCrypt.
-
-!!! tip
-
- Use `htpasswd` to generate the passwords.
-
-### `users`
-
-The `users` option is an array of authorized users. Each user must be declared using the `name:hashed-password` format.
-
-!!! note ""
-
- - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
-
-!!! note "Kubernetes kubernetes.io/basic-auth secret type"
-
- Kubernetes supports a special `kubernetes.io/basic-auth` secret type.
- This secret must contain two keys: `username` and `password`.
- Please note that these keys are not hashed or encrypted in any way, and therefore is less secure than other methods.
- You can find more information on the [Kubernetes Basic Authentication Secret Documentation](https://kubernetes.io/docs/concepts/configuration/secret/#basic-authentication-secret)
-
-```yaml tab="Docker & Swarm"
-# Declaring the user list
-#
-# Note: when used in docker-compose.yml all dollar signs in the hash need to be doubled for escaping.
-# To create a user:password pair, the following command can be used:
-# echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
-#
-# Also note that dollar signs should NOT be doubled when they not evaluated (e.g. Ansible docker_container module).
-labels:
- - "traefik.http.middlewares.test-auth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/,test2:$$apr1$$d9hr9HBB$$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```yaml tab="Kubernetes"
-# Declaring the user list
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- basicAuth:
- secret: authsecret
-
----
-# Note: in a kubernetes secret the string (e.g. generated by htpasswd) must be base64-encoded first.
-# To create an encoded user:password pair, the following command can be used:
-# htpasswd -nb user password | openssl base64
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: authsecret
- namespace: default
-data:
- users: |2
- dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
- aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
-
----
-# This is an alternate auth secret that demonstrates the basic-auth secret type.
-# Note: the password is not hashed, and is merely base64 encoded.
-
-apiVersion: v1
-kind: Secret
-metadata:
- name: authsecret2
- namespace: default
-type: kubernetes.io/basic-auth
-data:
- username: dXNlcg== # username: user
- password: cGFzc3dvcmQ= # password: password
-```
-
-```yaml tab="Consul Catalog"
-# Declaring the user list
-- "traefik.http.middlewares.test-auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```yaml tab="File (YAML)"
-# Declaring the user list
-http:
- middlewares:
- test-auth:
- basicAuth:
- users:
- - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
-```
-
-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
- [http.middlewares.test-auth.basicAuth]
- users = [
- "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
- ]
-```
-
-### `usersFile`
-
-The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
-
-The file content is a list of `name:hashed-password`.
-
-!!! note ""
-
- - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- basicAuth:
- secret: authsecret
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: authsecret
- namespace: default
-
-data:
- users: |2
- dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
- aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.basicauth.usersfile=/path/to/my/usersfile"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- basicAuth:
- usersFile: "/path/to/my/usersfile"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.basicAuth]
- usersFile = "/path/to/my/usersfile"
-```
-
-??? example "A file containing test/test and test2/test2"
-
- ```txt
- test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
- test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
- ```
-
-### `realm`
-
-You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- basicAuth:
- realm: MyRealm
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.basicauth.realm=MyRealm"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- basicAuth:
- realm: "MyRealm"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.basicAuth]
- realm = "MyRealm"
-```
-
-### `headerField`
-
-You can define a header field to store the authenticated user using the `headerField`option.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: my-auth
-spec:
- basicAuth:
- # ...
- headerField: X-WebAuth-User
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.my-auth.basicauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- my-auth:
- basicAuth:
- # ...
- headerField: "X-WebAuth-User"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.my-auth.basicAuth]
- # ...
- headerField = "X-WebAuth-User"
-```
-
-### `removeHeader`
-
-Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- basicAuth:
- removeHeader: true
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.basicauth.removeheader=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- basicAuth:
- removeHeader: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.basicAuth]
- removeHeader = true
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/middlewares/http/buffering.md b/docs/content/middlewares/http/buffering.md
deleted file mode 100644
index 4c861a8fe..000000000
--- a/docs/content/middlewares/http/buffering.md
+++ /dev/null
@@ -1,268 +0,0 @@
----
-title: "Traefik Buffering Documentation"
-description: "The HTTP buffering middleware in Traefik Proxy limits the size of requests that can be forwarded to Services. Read the technical documentation."
----
-
-# Buffering
-
-How to Read the Request before Forwarding It
-{: .subtitle }
-
-The Buffering middleware limits the size of requests that can be forwarded to services.
-
-With Buffering, Traefik reads the entire request into memory (possibly buffering large requests into disk), and rejects requests that are over a specified size limit.
-
-This can help services avoid large amounts of data (`multipart/form-data` for example), and can minimize the time spent sending data to a service.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Sets the maximum request body to 2MB
-labels:
- - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
-```yaml tab="Kubernetes"
-# Sets the maximum request body to 2MB
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: limit
-spec:
- buffering:
- maxRequestBodyBytes: 2000000
-```
-
-```yaml tab="Consul Catalog"
-# Sets the maximum request body to 2MB
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
-```yaml tab="File (YAML)"
-# Sets the maximum request body to 2MB
-http:
- middlewares:
- limit:
- buffering:
- maxRequestBodyBytes: 2000000
-```
-
-```toml tab="File (TOML)"
-# Sets the maximum request body to 2MB
-[http.middlewares]
- [http.middlewares.limit.buffering]
- maxRequestBodyBytes = 2000000
-```
-
-## Configuration Options
-
-### `maxRequestBodyBytes`
-
-_Optional, Default=0_
-
-The `maxRequestBodyBytes` option configures the maximum allowed body size for the request (in bytes).
-
-If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a `413` (Request Entity Too Large) response.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: limit
-spec:
- buffering:
- maxRequestBodyBytes: 2000000
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=2000000"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- limit:
- buffering:
- maxRequestBodyBytes: 2000000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.limit.buffering]
- maxRequestBodyBytes = 2000000
-```
-
-### `memRequestBodyBytes`
-
-_Optional, Default=1048576_
-
-You can configure a threshold (in bytes) from which the request will be buffered on disk instead of in memory with the `memRequestBodyBytes` option.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: limit
-spec:
- buffering:
- memRequestBodyBytes: 2000000
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.limit.buffering.memRequestBodyBytes=2000000"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- limit:
- buffering:
- memRequestBodyBytes: 2000000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.limit.buffering]
- memRequestBodyBytes = 2000000
-```
-
-### `maxResponseBodyBytes`
-
-_Optional, Default=0_
-
-The `maxResponseBodyBytes` option configures the maximum allowed response size from the service (in bytes).
-
-If the response exceeds the allowed size, it is not forwarded to the client. The client gets a `500` (Internal Server Error) response instead.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: limit
-spec:
- buffering:
- maxResponseBodyBytes: 2000000
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.limit.buffering.maxResponseBodyBytes=2000000"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- limit:
- buffering:
- maxResponseBodyBytes: 2000000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.limit.buffering]
- maxResponseBodyBytes = 2000000
-```
-
-### `memResponseBodyBytes`
-
-_Optional, Default=1048576_
-
-You can configure a threshold (in bytes) from which the response will be buffered on disk instead of in memory with the `memResponseBodyBytes` option.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: limit
-spec:
- buffering:
- memResponseBodyBytes: 2000000
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.limit.buffering.memResponseBodyBytes=2000000"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- limit:
- buffering:
- memResponseBodyBytes: 2000000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.limit.buffering]
- memResponseBodyBytes = 2000000
-```
-
-### `retryExpression`
-
-_Optional, Default=""_
-
-You can have the Buffering middleware replay the request using `retryExpression`.
-
-??? example "Retries once in the case of a network error"
-
- ```yaml tab="Docker & Swarm"
- labels:
- - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
- ```
-
- ```yaml tab="Kubernetes"
- apiVersion: traefik.io/v1alpha1
- kind: Middleware
- metadata:
- name: limit
- spec:
- buffering:
- retryExpression: "IsNetworkError() && Attempts() < 2"
- ```
-
- ```yaml tab="Consul Catalog"
- - "traefik.http.middlewares.limit.buffering.retryExpression=IsNetworkError() && Attempts() < 2"
- ```
-
- ```yaml tab="File (YAML)"
- http:
- middlewares:
- limit:
- buffering:
- retryExpression: "IsNetworkError() && Attempts() < 2"
- ```
-
- ```toml tab="File (TOML)"
- [http.middlewares]
- [http.middlewares.limit.buffering]
- retryExpression = "IsNetworkError() && Attempts() < 2"
- ```
-
-The retry expression is defined as a logical combination of the functions below with the operators AND (`&&`) and OR (`||`). At least one function is required:
-
-- `Attempts()` number of attempts (the first one counts)
-- `ResponseCode()` response code of the service
-- `IsNetworkError()` whether the response code is related to networking error
-
-### Content-Length
-
-See [Best Practices: Content‑Length](../../security/content-length.md)
diff --git a/docs/content/middlewares/http/chain.md b/docs/content/middlewares/http/chain.md
deleted file mode 100644
index 511409085..000000000
--- a/docs/content/middlewares/http/chain.md
+++ /dev/null
@@ -1,164 +0,0 @@
----
-title: "Traefik Command Line Documentation"
-description: "The HTTP chain middleware lets you define reusable combinations of other middleware, to reuse the same groups. Read the technical documentation."
----
-
-# Chain
-
-When One Isn't Enough
-{: .subtitle }
-
-The Chain middleware enables you to define reusable combinations of other pieces of middleware.
-It makes reusing the same groups easier.
-
-## Configuration Example
-
-Below is an example of a Chain containing `AllowList`, `BasicAuth`, and `RedirectScheme`.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.routers.router1.service=service1"
- - "traefik.http.routers.router1.middlewares=secured"
- - "traefik.http.routers.router1.rule=Host(`mydomain`)"
- - "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
- - "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
- - "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
- - "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
- - "traefik.http.services.service1.loadbalancer.server.port=80"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- name: test
- namespace: default
-spec:
- entryPoints:
- - web
- routes:
- - match: Host(`mydomain`)
- kind: Rule
- services:
- - name: whoami
- port: 80
- middlewares:
- - name: secured
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: secured
-spec:
- chain:
- middlewares:
- - name: https-only
- - name: known-ips
- - name: auth-users
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: auth-users
-spec:
- basicAuth:
- users:
- - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: https-only
-spec:
- redirectScheme:
- scheme: https
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: known-ips
-spec:
- ipAllowList:
- sourceRange:
- - 192.168.1.7
- - 127.0.0.1/32
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.routers.router1.service=service1"
-- "traefik.http.routers.router1.middlewares=secured"
-- "traefik.http.routers.router1.rule=Host(`mydomain`)"
-- "traefik.http.middlewares.secured.chain.middlewares=https-only,known-ips,auth-users"
-- "traefik.http.middlewares.auth-users.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-- "traefik.http.middlewares.https-only.redirectscheme.scheme=https"
-- "traefik.http.middlewares.known-ips.ipallowlist.sourceRange=192.168.1.7,127.0.0.1/32"
-- "traefik.http.services.service1.loadbalancer.server.port=80"
-```
-
-```yaml tab="File (YAML)"
-# ...
-http:
- routers:
- router1:
- service: service1
- middlewares:
- - secured
- rule: "Host(`mydomain`)"
-
- middlewares:
- secured:
- chain:
- middlewares:
- - https-only
- - known-ips
- - auth-users
-
- auth-users:
- basicAuth:
- users:
- - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
-
- https-only:
- redirectScheme:
- scheme: https
-
- known-ips:
- ipAllowList:
- sourceRange:
- - "192.168.1.7"
- - "127.0.0.1/32"
-
- services:
- service1:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:80"
-```
-
-```toml tab="File (TOML)"
-# ...
-[http.routers]
- [http.routers.router1]
- service = "service1"
- middlewares = ["secured"]
- rule = "Host(`mydomain`)"
-
-[http.middlewares]
- [http.middlewares.secured.chain]
- middlewares = ["https-only", "known-ips", "auth-users"]
-
- [http.middlewares.auth-users.basicAuth]
- users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
-
- [http.middlewares.https-only.redirectScheme]
- scheme = "https"
-
- [http.middlewares.known-ips.ipAllowList]
- sourceRange = ["192.168.1.7", "127.0.0.1/32"]
-
-[http.services]
- [http.services.service1]
- [http.services.service1.loadBalancer]
- [[http.services.service1.loadBalancer.servers]]
- url = "http://127.0.0.1:80"
-```
diff --git a/docs/content/middlewares/http/circuitbreaker.md b/docs/content/middlewares/http/circuitbreaker.md
deleted file mode 100644
index 035de259e..000000000
--- a/docs/content/middlewares/http/circuitbreaker.md
+++ /dev/null
@@ -1,186 +0,0 @@
----
-title: "Traefik CircuitBreaker Documentation"
-description: "The HTTP circuit breaker in Traefik Proxy prevents stacking requests to unhealthy Services, resulting in cascading failures. Read the technical documentation."
----
-
-# CircuitBreaker
-
-Don't Waste Time Calling Unhealthy Services
-{: .subtitle }
-
-The circuit breaker protects your system from stacking requests to unhealthy services, resulting in cascading failures.
-
-When your system is healthy, the circuit is closed (normal operations).
-When your system becomes unhealthy, the circuit opens, and the requests are no longer forwarded, but instead are handled by a fallback mechanism.
-
-To assess if your system is healthy, the circuit breaker constantly monitors the services.
-
-!!! note ""
-
- The CircuitBreaker only analyzes what happens _after_ its position within the middleware chain. What happens _before_ has no impact on its state.
-
-!!! important
-
- Each router gets its own instance of a given circuit breaker.
- One circuit breaker instance can be open while the other remains closed: their state is not shared.
-
- This is the expected behavior, we want you to be able to define what makes a service healthy without having to declare a circuit breaker for each route.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Latency Check
-labels:
- - "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
-```
-
-```yaml tab="Kubernetes"
-# Latency Check
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: latency-check
-spec:
- circuitBreaker:
- expression: LatencyAtQuantileMS(50.0) > 100
-```
-
-```yaml tab="Consul Catalog"
-# Latency Check
-- "traefik.http.middlewares.latency-check.circuitbreaker.expression=LatencyAtQuantileMS(50.0) > 100"
-```
-
-```yaml tab="File (YAML)"
-# Latency Check
-http:
- middlewares:
- latency-check:
- circuitBreaker:
- expression: "LatencyAtQuantileMS(50.0) > 100"
-```
-
-```toml tab="File (TOML)"
-# Latency Check
-[http.middlewares]
- [http.middlewares.latency-check.circuitBreaker]
- expression = "LatencyAtQuantileMS(50.0) > 100"
-```
-
-## Possible States
-
-There are three possible states for your circuit breaker:
-
-- Closed (your service operates normally)
-- Open (the fallback mechanism takes over your service)
-- Recovering (the circuit breaker tries to resume normal operations by progressively sending requests to your service)
-
-### Closed
-
-While the circuit is closed, the circuit breaker only collects metrics to analyze the behavior of the requests.
-
-At specified intervals (`checkPeriod`), the circuit breaker evaluates `expression` to decide if its state must change.
-
-### Open
-
-While open, the fallback mechanism takes over the normal service calls for a duration of `FallbackDuration`.
-The fallback mechanism returns a `HTTP 503` (or `ResponseCode`) to the client.
-After this duration, it enters the recovering state.
-
-### Recovering
-
-While recovering, the circuit breaker sends linearly increasing amounts of requests to your service (for `RecoveryDuration`).
-If your service fails during recovery, the circuit breaker opens again.
-If the service operates normally during the entire recovery duration, then the circuit breaker closes.
-
-## Configuration Options
-
-### Configuring the Trigger
-
-You can specify an `expression` that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling your services.
-
-The `expression` option can check three different metrics:
-
-- The network error ratio (`NetworkErrorRatio`)
-- The status code ratio (`ResponseCodeRatio`)
-- The latency at a quantile in milliseconds (`LatencyAtQuantileMS`)
-
-#### `NetworkErrorRatio`
-
-If you want the circuit breaker to open at a 30% ratio of network errors, the `expression` is `NetworkErrorRatio() > 0.30`
-
-#### `ResponseCodeRatio`
-
-You can configure the circuit breaker to open based on the ratio of a given range of status codes.
-
-The `ResponseCodeRatio` accepts four parameters, `from`, `to`, `dividedByFrom`, `dividedByTo`.
-
-The operation that will be computed is sum(`to` -> `from`) / sum (`dividedByFrom` -> `dividedByTo`).
-
-!!! note ""
-
- If sum (`dividedByFrom` -> `dividedByTo`) equals 0, then `ResponseCodeRatio` returns 0.
-
- `from`is inclusive, `to` is exclusive.
-
-For example, the expression `ResponseCodeRatio(500, 600, 0, 600) > 0.25` will trigger the circuit breaker if 25% of the requests returned a 5XX status (amongst the request that returned a status code from 0 to 5XX).
-
-#### `LatencyAtQuantileMS`
-
-You can configure the circuit breaker to open when a given proportion of your requests become too slow.
-
-For example, the expression `LatencyAtQuantileMS(50.0) > 100` opens the circuit breaker when the median latency (quantile 50) reaches 100ms.
-
-!!! note ""
-
- You must provide a floating point number (with the trailing .0) for the quantile value
-
-#### Using Multiple Metrics
-
-You can combine multiple metrics using operators in your `expression`.
-
-Supported operators are:
-
-- AND (`&&`)
-- OR (`||`)
-
-For example, `ResponseCodeRatio(500, 600, 0, 600) > 0.30 || NetworkErrorRatio() > 0.10` triggers the circuit breaker when 30% of the requests return a 5XX status code, or when the ratio of network errors reaches 10%.
-
-#### Operators
-
-Here is the list of supported operators:
-
-- Greater than (`>`)
-- Greater or equal than (`>=`)
-- Lesser than (`<`)
-- Lesser or equal than (`<=`)
-- Equal (`==`)
-- Not Equal (`!=`)
-
-### Fallback mechanism
-
-By default the fallback mechanism returns a `HTTP 503 Service Unavailable` to the client instead of calling the target service.
-The response code can be configured.
-
-### `CheckPeriod`
-
-_Optional, Default="100ms"_
-
-The interval between successive checks of the circuit breaker condition (when in standby state).
-
-### `FallbackDuration`
-
-_Optional, Default="10s"_
-
-The duration for which the circuit breaker will wait before trying to recover (from a tripped state).
-
-### `RecoveryDuration`
-
-_Optional, Default="10s"_
-
-The duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
-
-### `ResponseCode`
-
-_Optional, Default="503"_
-
-The status code that the circuit breaker will return while it is in the open state.
diff --git a/docs/content/middlewares/http/compress.md b/docs/content/middlewares/http/compress.md
deleted file mode 100644
index abb76c914..000000000
--- a/docs/content/middlewares/http/compress.md
+++ /dev/null
@@ -1,306 +0,0 @@
----
-title: "Traefik Compress Documentation"
-description: "Traefik Proxy's HTTP middleware lets you compress responses before sending them to the client. Read the technical documentation."
----
-
-# Compress
-
-Compress Allows Compressing Responses before Sending them to the Client
-{: .subtitle }
-
-The Compress middleware supports Gzip, Brotli and Zstandard compression.
-The activation of compression, and the compression method choice rely (among other things) on the request's `Accept-Encoding` header.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Enable compression
-labels:
- - "traefik.http.middlewares.test-compress.compress=true"
-```
-
-```yaml tab="Kubernetes"
-# Enable compression
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-compress
-spec:
- compress: {}
-```
-
-```yaml tab="Consul Catalog"
-# Enable compression
-- "traefik.http.middlewares.test-compress.compress=true"
-```
-
-```yaml tab="File (YAML)"
-# Enable compression
-http:
- middlewares:
- test-compress:
- compress: {}
-```
-
-```toml tab="File (TOML)"
-# Enable compression
-[http.middlewares]
- [http.middlewares.test-compress.compress]
-```
-
-!!! info
-
- Responses are compressed when the following criteria are all met:
-
- * The `Accept-Encoding` request header contains `gzip`, and/or `*`, and/or `br`, and/or `zstd` with or without [quality values](https://developer.mozilla.org/en-US/docs/Glossary/Quality_values).
- If the `Accept-Encoding` request header is absent and no [defaultEncoding](#defaultencoding) is configured, the response won't be encoded.
- If it is present, but its value is the empty string, then compression is disabled.
- * The response is not already compressed, i.e. the `Content-Encoding` response header is not already set.
- * The response`Content-Type` header is not one among the [excludedContentTypes options](#excludedcontenttypes), or is one among the [includedContentTypes options](#includedcontenttypes).
- * The response body is larger than the [configured minimum amount of bytes](#minresponsebodybytes) (default is `1024`).
-
-## Configuration Options
-
-### `excludedContentTypes`
-
-_Optional, Default=""_
-
-`excludedContentTypes` specifies a list of content types to compare the `Content-Type` header of the incoming requests and responses before compressing.
-
-The responses with content types defined in `excludedContentTypes` are not compressed.
-
-Content types are compared in a case-insensitive, whitespace-ignored manner.
-
-!!! info
-
- The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
-
-!!! info "In the case of gzip"
-
- If the `Content-Type` header is not defined, or empty, the compress middleware will automatically [detect](https://mimesniff.spec.whatwg.org/) a content type.
- It will also set the `Content-Type` header according to the detected MIME type.
-
-!!! info "gRPC"
-
- Note that `application/grpc` is never compressed.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-compress
-spec:
- compress:
- excludedContentTypes:
- - text/event-stream
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.excludedcontenttypes=text/event-stream"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-compress:
- compress:
- excludedContentTypes:
- - text/event-stream
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-compress.compress]
- excludedContentTypes = ["text/event-stream"]
-```
-
-### `includedContentTypes`
-
-_Optional, Default=""_
-
-`includedContentTypes` specifies a list of content types to compare the `Content-Type` header of the responses before compressing.
-
-The responses with content types defined in `includedContentTypes` are compressed.
-
-Content types are compared in a case-insensitive, whitespace-ignored manner.
-
-!!! info
-
- The `excludedContentTypes` and `includedContentTypes` options are mutually exclusive.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-compress
-spec:
- compress:
- includedContentTypes:
- - application/json
- - text/html
- - text/plain
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.includedcontenttypes=application/json,text/html,text/plain"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-compress:
- compress:
- includedContentTypes:
- - application/json
- - text/html
- - text/plain
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-compress.compress]
- includedContentTypes = ["application/json","text/html","text/plain"]
-```
-
-### `minResponseBodyBytes`
-
-_Optional, Default=1024_
-
-`minResponseBodyBytes` specifies the minimum amount of bytes a response body must have to be compressed.
-Responses smaller than the specified values will not be compressed.
-
-!!! tip "Streaming"
-
- When data is sent to the client on flush, the `minResponseBodyBytes` configuration is ignored and the data is compressed.
- This is particularly the case when data is streamed to the client when using `Transfer-encoding: chunked` response.
-
-When chunked data is sent to the client on flush, it will be compressed by default even if the received data has not reached
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-compress
-spec:
- compress:
- minResponseBodyBytes: 1200
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.minresponsebodybytes=1200"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-compress:
- compress:
- minResponseBodyBytes: 1200
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-compress.compress]
- minResponseBodyBytes = 1200
-```
-
-### `defaultEncoding`
-
-_Optional, Default=""_
-
-`defaultEncoding` specifies the default encoding if the `Accept-Encoding` header is not in the request or contains a wildcard (`*`).
-
-There is no fallback on the `defaultEncoding` when the header value is empty or unsupported.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-compress
-spec:
- compress:
- defaultEncoding: gzip
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.defaultEncoding=gzip"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-compress:
- compress:
- defaultEncoding: gzip
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-compress.compress]
- defaultEncoding = "gzip"
-```
-
-### `encodings`
-
-_Optional, Default="gzip, br, zstd"_
-
-`encodings` specifies the list of supported compression encodings.
-At least one encoding value must be specified, and valid entries are `gzip` (Gzip), `br` (Brotli), and `zstd` (Zstandard).
-The order of the list also sets the priority, the top entry has the highest priority.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-compress
-spec:
- compress:
- encodings:
- - zstd
- - br
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-compress.compress.encodings=zstd,br"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-compress:
- compress:
- encodings:
- - zstd
- - br
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-compress.compress]
- encodings = ["zstd","br"]
-```
diff --git a/docs/content/middlewares/http/contenttype.md b/docs/content/middlewares/http/contenttype.md
deleted file mode 100644
index fd3759edf..000000000
--- a/docs/content/middlewares/http/contenttype.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: "Traefik ContentType Documentation"
-description: "Traefik Proxy's HTTP middleware automatically sets the `Content-Type` header value when it is not set by the backend. Read the technical documentation."
----
-
-# ContentType
-
-Handling Content-Type auto-detection
-{: .subtitle }
-
-The Content-Type middleware sets the `Content-Type` header value to the media type detected from the response content,
-when it is not set by the backend.
-
-!!! info
-
- The scope of the Content-Type middleware is the MIME type detection done by the core of Traefik (the server part).
- Therefore, it has no effect against any other `Content-Type` header modifications (e.g.: in another middleware such as compress).
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Enable auto-detection
-labels:
- - "traefik.http.middlewares.autodetect.contenttype=true"
-```
-
-```yaml tab="Kubernetes"
-# Enable auto-detection
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: autodetect
-spec:
- contentType: {}
-```
-
-```yaml tab="Consul Catalog"
-# Enable auto-detection
-- "traefik.http.middlewares.autodetect.contenttype=true"
-```
-
-```yaml tab="File (YAML)"
-# Enable auto-detection
-http:
- middlewares:
- autodetect:
- contentType: {}
-```
-
-```toml tab="File (TOML)"
-# Enable auto-detection
-[http.middlewares]
- [http.middlewares.autodetect.contentType]
-```
-
-## Configuration Options
-
-### `autoDetect`
-
-!!! warning
-
- `autoDetect` option is deprecated and should not be used.
- Moreover, it is redundant with an empty ContentType middleware declaration.
-
-`autoDetect` specifies whether to let the `Content-Type` header,
-if it has not been set by the backend,
-be automatically set to a value derived from the contents of the response.
diff --git a/docs/content/middlewares/http/digestauth.md b/docs/content/middlewares/http/digestauth.md
deleted file mode 100644
index cdb0128d4..000000000
--- a/docs/content/middlewares/http/digestauth.md
+++ /dev/null
@@ -1,296 +0,0 @@
----
-title: "Traefik DigestAuth Documentation"
-description: "Traefik Proxy's HTTP DigestAuth middleware restricts access to your services to known users. Read the technical documentation."
----
-
-# DigestAuth
-
-Adding Digest Authentication
-{: .subtitle }
-
-The DigestAuth middleware grants access to services to authorized users only.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Declaring the user list
-labels:
- - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
-```yaml tab="Kubernetes"
-# Declaring the user list
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- digestAuth:
- secret: userssecret
-```
-
-```yaml tab="Consul Catalog"
-# Declaring the user list
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
-```yaml tab="File (YAML)"
-# Declaring the user list
-http:
- middlewares:
- test-auth:
- digestAuth:
- users:
- - "test:traefik:a2688e031edb4be6a3797f3882655c05"
- - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
-```toml tab="File (TOML)"
-# Declaring the user list
-[http.middlewares]
- [http.middlewares.test-auth.digestAuth]
- users = [
- "test:traefik:a2688e031edb4be6a3797f3882655c05",
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
- ]
-```
-
-## Configuration Options
-
-!!! tip
-
- Use `htdigest` to generate passwords.
-
-### `users`
-
-The `users` option is an array of authorized users. Each user will be declared using the `name:realm:encoded-password` format.
-
-!!! note ""
-
- - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- - For security reasons, the field `users` doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- digestAuth:
- secret: authsecret
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: authsecret
- namespace: default
-
-data:
- users: |2
- dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.digestauth.users=test:traefik:a2688e031edb4be6a3797f3882655c05,test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- digestAuth:
- users:
- - "test:traefik:a2688e031edb4be6a3797f3882655c05"
- - "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.digestAuth]
- users = [
- "test:traefik:a2688e031edb4be6a3797f3882655c05",
- "test2:traefik:518845800f9e2bfb1f1f740ec24f074e",
- ]
-```
-
-### `usersFile`
-
-The `usersFile` option is the path to an external file that contains the authorized users for the middleware.
-
-The file content is a list of `name:realm:encoded-password`.
-
-!!! note ""
-
- - If both `users` and `usersFile` are provided, the two are merged. The contents of `usersFile` have precedence over the values in `users`.
- - Because it does not make much sense to refer to a file path on Kubernetes, the `usersFile` field doesn't exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- digestAuth:
- secret: authsecret
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: authsecret
- namespace: default
-
-data:
- users: |2
- dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
- aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.digestauth.usersfile=/path/to/my/usersfile"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- digestAuth:
- usersFile: "/path/to/my/usersfile"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.digestAuth]
- usersFile = "/path/to/my/usersfile"
-```
-
-??? example "A file containing test/test and test2/test2"
-
- ```txt
- test:traefik:a2688e031edb4be6a3797f3882655c05
- test2:traefik:518845800f9e2bfb1f1f740ec24f074e
- ```
-
-### `realm`
-
-You can customize the realm for the authentication with the `realm` option. The default value is `traefik`.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- digestAuth:
- realm: MyRealm
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.digestauth.realm=MyRealm"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- digestAuth:
- realm: "MyRealm"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.digestAuth]
- realm = "MyRealm"
-```
-
-### `headerField`
-
-You can customize the header field for the authenticated user using the `headerField`option.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: my-auth
-spec:
- digestAuth:
- # ...
- headerField: X-WebAuth-User
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.my-auth.digestauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- my-auth:
- digestAuth:
- # ...
- headerField: "X-WebAuth-User"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.my-auth.digestAuth]
- # ...
- headerField = "X-WebAuth-User"
-```
-
-### `removeHeader`
-
-Set the `removeHeader` option to `true` to remove the authorization header before forwarding the request to your service. (Default value is `false`.)
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- digestAuth:
- removeHeader: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.digestauth.removeheader=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- digestAuth:
- removeHeader: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.digestAuth]
- removeHeader = true
-```
diff --git a/docs/content/middlewares/http/errorpages.md b/docs/content/middlewares/http/errorpages.md
deleted file mode 100644
index d435dbcb5..000000000
--- a/docs/content/middlewares/http/errorpages.md
+++ /dev/null
@@ -1,141 +0,0 @@
----
-title: "Traefik Errors Documentation"
-description: "In Traefik Proxy, the Errors middleware returns custom pages according to configured ranges of HTTP Status codes. Read the technical documentation."
----
-
-# Errors
-
-It Has Never Been Easier to Say That Something Went Wrong
-{: .subtitle }
-
-The Errors middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
-
-!!! important
-
- The error page itself is _not_ hosted by Traefik.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Dynamic Custom Error Page for 5XX Status Code
-labels:
- - "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
- - "traefik.http.middlewares.test-errors.errors.service=serviceError"
- - "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-errors
-spec:
- errors:
- status:
- - "500"
- - "501"
- - "503"
- - "505-599"
- query: /{status}.html
- service:
- name: whoami
- port: 80
-```
-
-```yaml tab="Consul Catalog"
-# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
-- "traefik.http.middlewares.test-errors.errors.status=500,501,503,505-599"
-- "traefik.http.middlewares.test-errors.errors.service=serviceError"
-- "traefik.http.middlewares.test-errors.errors.query=/{status}.html"
-```
-
-```yaml tab="File (YAML)"
-# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
-http:
- middlewares:
- test-errors:
- errors:
- status:
- - "500"
- - "501"
- - "503"
- - "505-599"
- service: serviceError
- query: "/{status}.html"
-
- services:
- # ... definition of error-handler-service and my-service
-```
-
-```toml tab="File (TOML)"
-# Dynamic Custom Error Page for 5XX Status Code excluding 502 and 504
-[http.middlewares]
- [http.middlewares.test-errors.errors]
- status = ["500","501","503","505-599"]
- service = "serviceError"
- query = "/{status}.html"
-
-[http.services]
- # ... definition of error-handler-service and my-service
-```
-
-!!! note ""
-
- In this example, the error page URL is based on the status code (`query=/{status}.html`).
-
-## Configuration Options
-
-### `status`
-
-The `status` option defines which status or range of statuses should result in an error page.
-
-The status code ranges are inclusive (`505-599` will trigger with every code between `505` and `599`, `505` and `599` included).
-
-!!! note ""
-
- You can define either a status code as a number (`500`),
- as multiple comma-separated numbers (`500,502`),
- as ranges by separating two codes with a dash (`505-599`),
- or a combination of the two (`404,418,505-599`).
- The comma-separated syntax is only available for label-based providers.
- The examples above demonstrate which syntax is appropriate for each provider.
-
-### `statusRewrites`
-
-An optional mapping of status codes to be rewritten. For example, if a service returns a 418, you might want to rewrite it to a 404.
-You can map individual status codes or even ranges to a different status code. The syntax for ranges follows the same rules as the `status` option.
-
-Here is an example:
-
-```yml
-statusRewrites:
- "500-503": 500
- "418": 404
-```
-
-### `service`
-
-The service that will serve the new requested error page.
-
-!!! note ""
-
- In Kubernetes, you need to reference a Kubernetes Service instead of a Traefik service.
-
-!!! info "Host Header"
-
- By default, the client `Host` header value is forwarded to the configured error [service](#service).
- To forward the `Host` value corresponding to the configured error service URL, the [passHostHeader](../../../routing/services/#pass-host-header) option must be set to `false`.
-
-### `query`
-
-The URL for the error page (hosted by [`service`](#service))).
-
-There are multiple variables that can be placed in the `query` option to insert values in the URL.
-
-The table below lists all the available variables and their associated values.
-
-| Variable | Value |
-|--------------------|--------------------------------------------------------------------------------------------|
-| `{status}` | The response status code. It may be rewritten when using the `statusRewrites` option. |
-| `{originalStatus}` | The original response status code, if it has been modified by the `statusRewrites` option. |
-| `{url}` | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL. |
diff --git a/docs/content/middlewares/http/forwardauth.md b/docs/content/middlewares/http/forwardauth.md
deleted file mode 100644
index 85017a9d7..000000000
--- a/docs/content/middlewares/http/forwardauth.md
+++ /dev/null
@@ -1,838 +0,0 @@
----
-title: "Traefik ForwardAuth Documentation"
-description: "In Traefik Proxy, the HTTP ForwardAuth middleware delegates authentication to an external Service. Read the technical documentation."
----
-
-# ForwardAuth
-
-Using an External Service to Forward Authentication
-{: .subtitle }
-
-The ForwardAuth middleware delegates authentication to an external service.
-If the service answers with a 2XX code, access is granted, and the original request is performed.
-Otherwise, the response from the authentication server is returned.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Forward authentication to example.com
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
-```yaml tab="Kubernetes"
-# Forward authentication to example.com
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
-```
-
-```yaml tab="Consul Catalog"
-# Forward authentication to example.com
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
-```yaml tab="File (YAML)"
-# Forward authentication to example.com
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
-```
-
-```toml tab="File (TOML)"
-# Forward authentication to example.com
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
-```
-
-## Forward-Request Headers
-
-The following request properties are provided to the forward-auth target endpoint as `X-Forwarded-` headers.
-
-| Property | Forward-Request Header |
-|-------------------|------------------------|
-| HTTP Method | `X-Forwarded-Method` |
-| Protocol | `X-Forwarded-Proto` |
-| Host | `X-Forwarded-Host` |
-| Request URI | `X-Forwarded-Uri` |
-| Source IP-Address | `X-Forwarded-For` |
-
-## Configuration Options
-
-### `address`
-
-The `address` option defines the authentication server address.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.address=https://example.com/auth"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
-```
-
-### `trustForwardHeader`
-
-Set the `trustForwardHeader` option to `true` to trust all `X-Forwarded-*` headers.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- trustForwardHeader: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.trustForwardHeader=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- trustForwardHeader: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- trustForwardHeader = true
-```
-
-### `authResponseHeaders`
-
-The `authResponseHeaders` option is the list of headers to copy from the authentication server response and set on
-forwarded request, replacing any existing conflicting headers.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- authResponseHeaders:
- - X-Auth-User
- - X-Secret
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeaders=X-Auth-User, X-Secret"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- authResponseHeaders:
- - "X-Auth-User"
- - "X-Secret"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- authResponseHeaders = ["X-Auth-User", "X-Secret"]
-```
-
-### `authResponseHeadersRegex`
-
-The `authResponseHeadersRegex` option is the regex to match headers to copy from the authentication server response and
-set on forwarded request, after stripping all headers that match the regex.
-It allows partial matching of the regular expression against the header key.
-The start of string (`^`) and end of string (`$`) anchors should be used to ensure a full match against the header key.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- authResponseHeadersRegex: ^X-
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.authResponseHeadersRegex=^X-"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- authResponseHeadersRegex: "^X-"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- authResponseHeadersRegex = "^X-"
-```
-
-!!! tip
-
- Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
- When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
-
-### `authRequestHeaders`
-
-The `authRequestHeaders` option is the list of the headers to copy from the request to the authentication server.
-It allows filtering headers that should not be passed to the authentication server.
-If not set or empty then all request headers are passed.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- authRequestHeaders:
- - "Accept"
- - "X-CustomHeader"
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.authRequestHeaders=Accept,X-CustomHeader"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- authRequestHeaders:
- - "Accept"
- - "X-CustomHeader"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- authRequestHeaders = "Accept,X-CustomHeader"
-```
-
-### `addAuthCookiesToResponse`
-
-The `addAuthCookiesToResponse` option is the list of cookies to copy from the authentication server to the response,
-replacing any existing conflicting cookie from the forwarded response.
-
-!!! info
-
- Please note that all backend cookies matching the configured list will not be added to the response.
-
-```yaml tab="Docker"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- addAuthCookiesToResponse:
- - Session-Cookie
- - State-Cookie
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.addAuthCookiesToResponse=Session-Cookie,State-Cookie"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- addAuthCookiesToResponse:
- - "Session-Cookie"
- - "State-Cookie"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- addAuthCookiesToResponse = ["Session-Cookie", "State-Cookie"]
-```
-
-### `forwardBody`
-
-_Optional, Default=false_
-
-Set the `forwardBody` option to `true` to send Body.
-
-!!! info
-
- As body is read inside Traefik before forwarding, this breaks streaming.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- forwardBody: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.forwardBody=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- forwardBody: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- forwardBody = true
-```
-
-### `maxBodySize`
-
-_Optional, Default=-1_
-
-Set the `maxBodySize` to limit the body size in bytes.
-If body is bigger than this, it returns a 401 (unauthorized).
-Default is `-1`, which means no limit.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- forwardBody: true
- maxBodySize: 1000
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.maxBodySize=1000"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- maxBodySize: 1000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- forwardBody = true
- maxBodySize = 1000
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to the authentication server.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secured connection to the authentication server,
-it defaults to the system bundle.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- tls:
- caSecret: mycasercret
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mycasercret
- namespace: default
-
-data:
- # Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
- tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.ca=path/to/local.crt"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- tls:
- ca: "path/to/local.crt"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- [http.middlewares.test-auth.forwardAuth.tls]
- ca = "path/to/local.crt"
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the authentication server.
-When using this option, setting the `key` option is required.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- tls:
- certSecret: mytlscert
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mytlscert
- namespace: default
-
-data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
- tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- tls:
- cert: "path/to/foo.cert"
- key: "path/to/foo.key"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- [http.middlewares.test-auth.forwardAuth.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-!!! info
-
- For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the authentication server.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
- - "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- tls:
- certSecret: mytlscert
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mytlscert
- namespace: default
-
-data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
- tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.key=path/to/foo.key"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- tls:
- cert: "path/to/foo.cert"
- key: "path/to/foo.key"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- [http.middlewares.test-auth.forwardAuth.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-!!! info
-
- For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.tls.insecureSkipVerify=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- tls:
- insecureSkipVerify: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.tls.InsecureSkipVerify=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- [http.middlewares.test-auth.forwardAuth.tls]
- insecureSkipVerify: true
-```
-
-### `headerField`
-
-_Optional_
-
-You can define a header field to store the authenticated user using the `headerField`option.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- # ...
- headerField: X-WebAuth-User
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.headerField=X-WebAuth-User"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- # ...
- headerField: "X-WebAuth-User"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
- # ...
- headerField = "X-WebAuth-User"
-```
-
-### `preserveLocationHeader`
-
-_Optional, Default=false_
-
-`preserveLocationHeader` defines whether to forward the `Location` header to the client as is or prefix it with the domain name of the authentication server.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- # ...
- preserveLocationHeader: true
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.preserveLocationHeader=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- # ...
- preserveLocationHeader: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
- # ...
- preserveLocationHeader = true
-```
-
-### `preserveRequestMethod`
-
-_Optional, Default=false_
-
-`preserveRequestMethod` defines whether to preserve the original request method while forwarding the request to the authentication server. By default, when this option is set to `false`, incoming requests are always forwarded as `GET` requests to the authentication server.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- # ...
- preserveRequestMethod: true
-```
-
-```json tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.preserveRequestMethod=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- # ...
- preserveRequestMethod: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares.test-auth.forwardAuth]
- # ...
- preserveRequestMethod = true
-```
-
-
-### `maxResponseBodySize`
-
-_Optional, Default=-1_
-
-The `maxResponseBodySize` option defines the maximum allowed response body size in bytes from the authentication server.
-If the response body exceeds the configured limit, the request is rejected with a 401 (Unauthorized) status.
-If left unset, the request body size is unrestricted which can have performance or security implications.
-
-```yaml tab="Docker"
-labels:
- - "traefik.http.middlewares.test-auth.forwardauth.maxResponseBodySize=10000"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-auth
-spec:
- forwardAuth:
- address: https://example.com/auth
- maxResponseBodySize: 10000
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-auth.forwardauth.maxResponseBodySize=10000"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-auth:
- forwardAuth:
- address: "https://example.com/auth"
- maxResponseBodySize: 10000
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-auth.forwardAuth]
- address = "https://example.com/auth"
- maxResponseBodySize = 10000
-```
-
-!!! warning
-
- It is strongly recommended to set this option to a suitable value.
- Not setting it (or setting it to `-1`) allows unlimited response body sizes which can lead to DoS attacks and memory exhaustion.
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/middlewares/http/grpcweb.md b/docs/content/middlewares/http/grpcweb.md
deleted file mode 100644
index f6bac73c2..000000000
--- a/docs/content/middlewares/http/grpcweb.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: "Traefik GrpcWeb Documentation"
-description: "In Traefik Proxy's HTTP middleware, GrpcWeb converts a gRPC Web requests to HTTP/2 gRPC requests. Read the technical documentation."
----
-
-# GrpcWeb
-
-Converting gRPC Web requests to HTTP/2 gRPC requests.
-{: .subtitle }
-
-The GrpcWeb middleware converts gRPC Web requests to HTTP/2 gRPC requests before forwarding them to the backends.
-
-!!! tip
-
- Please note, that Traefik needs to communicate using gRPC with the backends (h2c or HTTP/2 over TLS).
- Check out [Exposing gRPC Services](../../expose/overview.md#exposing-grpc-services) for more details.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-grpcweb.grpcweb.allowOrigins=*"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-grpcweb
-spec:
- grpcWeb:
- allowOrigins:
- - "*"
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-grpcweb.grpcWeb.allowOrigins=*"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-grpcweb:
- grpcWeb:
- allowOrigins:
- - "*"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-grpcweb.grpcWeb]
- allowOrigins = ["*"]
-```
-
-## Configuration Options
-
-### `allowOrigins`
-
-The `allowOrigins` contains the list of allowed origins.
-A wildcard origin `*` can also be configured to match all requests.
-
-More information including how to use the settings can be found at:
-
-- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
-- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
-- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
diff --git a/docs/content/middlewares/http/headers.md b/docs/content/middlewares/http/headers.md
deleted file mode 100644
index a302d6231..000000000
--- a/docs/content/middlewares/http/headers.md
+++ /dev/null
@@ -1,425 +0,0 @@
----
-title: "Traefik Headers Documentation"
-description: "In Traefik Proxy, the HTTP headers middleware manages the headers of requests and responses. Read the technical documentation."
----
-
-# Headers
-
-Managing Request/Response headers
-{: .subtitle }
-
-The Headers middleware manages the headers of requests and responses.
-
-A set of forwarded headers are automatically added by default. See the [FAQ](../../getting-started/faq.md#what-are-the-forwarded-headers-when-proxying-http-requests) for more information.
-
-## Configuration Examples
-
-### Adding Headers to the Request and the Response
-
-The following example adds the `X-Script-Name` header to the proxied request and the `X-Custom-Response-Header` header to the response
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.testHeader.headers.customrequestheaders.X-Script-Name=test"
- - "traefik.http.middlewares.testHeader.headers.customresponseheaders.X-Custom-Response-Header=value"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-header
-spec:
- headers:
- customRequestHeaders:
- X-Script-Name: "test"
- customResponseHeaders:
- X-Custom-Response-Header: "value"
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header=value"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- testHeader:
- headers:
- customRequestHeaders:
- X-Script-Name: "test"
- customResponseHeaders:
- X-Custom-Response-Header: "value"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.testHeader.headers]
- [http.middlewares.testHeader.headers.customRequestHeaders]
- X-Script-Name = "test"
- [http.middlewares.testHeader.headers.customResponseHeaders]
- X-Custom-Response-Header = "value"
-```
-
-### Adding and Removing Headers
-
-In the following example, requests are proxied with an extra `X-Script-Name` header while their `X-Custom-Request-Header` header gets stripped,
-and responses are stripped of their `X-Custom-Response-Header` header.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
- - "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
- - "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-header
-spec:
- headers:
- customRequestHeaders:
- X-Script-Name: "test" # Adds
- X-Custom-Request-Header: "" # Removes
- customResponseHeaders:
- X-Custom-Response-Header: "" # Removes
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Script-Name=test"
-- "traefik.http.middlewares.testheader.headers.customrequestheaders.X-Custom-Request-Header="
-- "traefik.http.middlewares.testheader.headers.customresponseheaders.X-Custom-Response-Header="
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- testHeader:
- headers:
- customRequestHeaders:
- X-Script-Name: "test" # Adds
- X-Custom-Request-Header: "" # Removes
- customResponseHeaders:
- X-Custom-Response-Header: "" # Removes
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.testHeader.headers]
- [http.middlewares.testHeader.headers.customRequestHeaders]
- X-Script-Name = "test" # Adds
- X-Custom-Request-Header = "" # Removes
- [http.middlewares.testHeader.headers.customResponseHeaders]
- X-Custom-Response-Header = "" # Removes
-```
-
-### Using Security Headers
-
-Security-related headers (HSTS headers, Browser XSS filter, etc) can be managed similarly to custom headers as shown above.
-This functionality makes it possible to easily use security features by adding headers.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.testHeader.headers.framedeny=true"
- - "traefik.http.middlewares.testHeader.headers.browserxssfilter=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-header
-spec:
- headers:
- frameDeny: true
- browserXssFilter: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.testheader.headers.framedeny=true"
-- "traefik.http.middlewares.testheader.headers.browserxssfilter=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- testHeader:
- headers:
- frameDeny: true
- browserXssFilter: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.testHeader.headers]
- frameDeny = true
- browserXssFilter = true
-```
-
-### CORS Headers
-
-CORS (Cross-Origin Resource Sharing) headers can be added and configured in a manner similar to the custom headers above.
-This functionality allows for more advanced security features to quickly be set.
-If CORS headers are set, then the middleware does not pass preflight requests to any service,
-instead the response will be generated and sent back to the client directly.
-Please note that the example below is by no means authoritative or exhaustive,
-and should not be used as is for production.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
- - "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
- - "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
- - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
- - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-header
-spec:
- headers:
- accessControlAllowMethods:
- - "GET"
- - "OPTIONS"
- - "PUT"
- accessControlAllowHeaders:
- - "*"
- accessControlAllowOriginList:
- - "https://foo.bar.org"
- - "https://example.org"
- accessControlMaxAge: 100
- addVaryHeader: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT"
-- "traefik.http.middlewares.testheader.headers.accesscontrolallowheaders=*"
-- "traefik.http.middlewares.testheader.headers.accesscontrolalloworiginlist=https://foo.bar.org,https://example.org"
-- "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
-- "traefik.http.middlewares.testheader.headers.addvaryheader=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- testHeader:
- headers:
- accessControlAllowMethods:
- - GET
- - OPTIONS
- - PUT
- accessControlAllowHeaders: "*"
- accessControlAllowOriginList:
- - https://foo.bar.org
- - https://example.org
- accessControlMaxAge: 100
- addVaryHeader: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.testHeader.headers]
- accessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
- accessControlAllowHeaders = [ "*" ]
- accessControlAllowOriginList = ["https://foo.bar.org","https://example.org"]
- accessControlMaxAge = 100
- addVaryHeader = true
-```
-
-## Configuration Options
-
-### General
-
-!!! warning
-
- Custom headers will overwrite existing headers if they have identical names.
-
-!!! note ""
-
- The detailed documentation for security headers can be found in [unrolled/secure](https://github.com/unrolled/secure#available-options).
-
-### `customRequestHeaders`
-
-The `customRequestHeaders` option lists the header names and values to apply to the request.
-
-### `customResponseHeaders`
-
-The `customResponseHeaders` option lists the header names and values to apply to the response.
-
-### `accessControlAllowCredentials`
-
-The `accessControlAllowCredentials` indicates whether the request can include user credentials.
-
-### `accessControlAllowHeaders`
-
-The `accessControlAllowHeaders` indicates which header field names can be used as part of the request.
-
-### `accessControlAllowMethods`
-
-The `accessControlAllowMethods` indicates which methods can be used during requests.
-
-### `accessControlAllowOriginList`
-
-The `accessControlAllowOriginList` indicates whether a resource can be shared by returning different values.
-
-A wildcard origin `*` can also be configured, and matches all requests.
-If this value is set by a backend service, it will be overwritten by Traefik.
-
-This value can contain a list of allowed origins.
-
-More information including how to use the settings can be found at:
-
-- [Mozilla.org](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)
-- [w3](https://fetch.spec.whatwg.org/#http-access-control-allow-origin)
-- [IETF](https://tools.ietf.org/html/rfc6454#section-7.1)
-
-Traefik no longer supports the `null` value, as it is [no longer recommended as a return value](https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null).
-
-### `accessControlAllowOriginListRegex`
-
-The `accessControlAllowOriginListRegex` option is the counterpart of the `accessControlAllowOriginList` option with regular expressions instead of origin values.
-It allows all origins that contain any match of a regular expression in the `accessControlAllowOriginList`.
-
-!!! tip
-
- Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
- When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
-
-### `accessControlExposeHeaders`
-
-The `accessControlExposeHeaders` indicates which headers are safe to expose to the api of a CORS API specification.
-
-### `accessControlMaxAge`
-
-The `accessControlMaxAge` indicates how many seconds a preflight request can be cached for.
-
-### `addVaryHeader`
-
-The `addVaryHeader` is used in conjunction with `accessControlAllowOriginList` to determine whether the `Vary` header should be added or modified to demonstrate that server responses can differ based on the value of the origin header.
-
-### `allowedHosts`
-
-The `allowedHosts` option lists fully qualified domain names that are allowed.
-
-### `hostsProxyHeaders`
-
-The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
-
-### `sslRedirect`
-
-!!! warning
-
- Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-The `sslRedirect` only allow HTTPS requests when set to `true`.
-
-### `sslTemporaryRedirect`
-
-!!! warning
-
- Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
-
-Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
-
-### `sslHost`
-
-!!! warning
-
- Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
-
-### `sslProxyHeaders`
-
-The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
-It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).
-
-### `sslForceHost`
-
-!!! warning
-
- Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
-
-Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
-
-### `stsSeconds`
-
-The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
-If set to `0`, the header is not set.
-
-### `stsIncludeSubdomains`
-
-If the `stsIncludeSubdomains` is set to `true`, the `includeSubDomains` directive is appended to the `Strict-Transport-Security` header.
-
-### `stsPreload`
-
-Set `stsPreload` to `true` to have the `preload` flag appended to the `Strict-Transport-Security` header.
-
-### `forceSTSHeader`
-
-Set `forceSTSHeader` to `true` to add the STS header even when the connection is HTTP.
-
-### `frameDeny`
-
-Set `frameDeny` to `true` to add the `X-Frame-Options` header with the value of `DENY`.
-
-### `customFrameOptionsValue`
-
-The `customFrameOptionsValue` allows the `X-Frame-Options` header value to be set with a custom value.
-This overrides the `FrameDeny` option.
-
-### `contentTypeNosniff`
-
-Set `contentTypeNosniff` to true to add the `X-Content-Type-Options` header with the value `nosniff`.
-
-### `browserXssFilter`
-
-Set `browserXssFilter` to true to add the `X-XSS-Protection` header with the value `1; mode=block`.
-
-### `customBrowserXSSValue`
-
-The `customBrowserXssValue` option allows the `X-XSS-Protection` header value to be set with a custom value.
-This overrides the `BrowserXssFilter` option.
-
-### `contentSecurityPolicy`
-
-The `contentSecurityPolicy` option allows the `Content-Security-Policy` header value to be set with a custom value.
-
-### `contentSecurityPolicyReportOnly`
-
-The `contentSecurityPolicyReportOnly` option allows the `Content-Security-Policy-Report-Only` header value to be set with a custom value.
-
-### `publicKey`
-
-The `publicKey` implements HPKP to prevent MITM attacks with forged certificates.
-
-### `referrerPolicy`
-
-The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
-
-### `featurePolicy`
-
-!!! warning
-
- Deprecated in favor of [`permissionsPolicy`](#permissionsPolicy)
-
-The `featurePolicy` allows sites to control browser features.
-
-### `permissionsPolicy`
-
-The `permissionsPolicy` allows sites to control browser features.
-
-### `isDevelopment`
-
-Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
-Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
-If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/middlewares/http/inflightreq.md b/docs/content/middlewares/http/inflightreq.md
deleted file mode 100644
index bdde9b699..000000000
--- a/docs/content/middlewares/http/inflightreq.md
+++ /dev/null
@@ -1,357 +0,0 @@
----
-title: "Traefik InFlightReq Documentation"
-description: "Traefik Proxy's HTTP middleware lets you limit the number of simultaneous in-flight requests. Read the technical documentation."
----
-
-# InFlightReq
-
-Limiting the Number of Simultaneous In-Flight Requests
-{: .subtitle }
-
-To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous in-flight requests can be limited.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-inflightreq
-spec:
- inFlightReq:
- amount: 10
-```
-
-```yaml tab="Consul Catalog"
-# Limiting to 10 simultaneous connections
-- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
-```yaml tab="File (YAML)"
-# Limiting to 10 simultaneous connections
-http:
- middlewares:
- test-inflightreq:
- inFlightReq:
- amount: 10
-```
-
-```toml tab="File (TOML)"
-# Limiting to 10 simultaneous connections
-[http.middlewares]
- [http.middlewares.test-inflightreq.inFlightReq]
- amount = 10
-```
-
-## Configuration Options
-
-### `amount`
-
-The `amount` option defines the maximum amount of allowed simultaneous in-flight request.
-The middleware responds with `HTTP 429 Too Many Requests` if there are already `amount` requests in progress (based on the same `sourceCriterion` strategy).
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-inflightreq
-spec:
- inFlightReq:
- amount: 10
-```
-
-```yaml tab="Consul Catalog"
-# Limiting to 10 simultaneous connections
-- "traefik.http.middlewares.test-inflightreq.inflightreq.amount=10"
-```
-
-```yaml tab="File (YAML)"
-# Limiting to 10 simultaneous connections
-http:
- middlewares:
- test-inflightreq:
- inFlightReq:
- amount: 10
-```
-
-```toml tab="File (TOML)"
-# Limiting to 10 simultaneous connections
-[http.middlewares]
- [http.middlewares.test-inflightreq.inFlightReq]
- amount = 10
-```
-
-### `sourceCriterion`
-
-The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-If several strategies are defined at the same time, an error will be raised.
-If none are set, the default is to use the `requestHost`.
-
-#### `sourceCriterion.ipStrategy`
-
-The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.
-
-!!! important "As a middleware, InFlightReq happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through the middleware. Therefore, during InFlightReq, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be used and/or relied upon."
-
-##### `ipStrategy.depth`
-
-The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
-
-- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
-- `depth` is ignored if its value is less than or equal to 0.
-
-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
-!!! example "Example of Depth & `X-Forwarded-For`"
-
- If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
-
- | `X-Forwarded-For` | `depth` | clientIP |
- |-----------------------------------------|---------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-inflightreq
-spec:
- inFlightReq:
- sourceCriterion:
- ipStrategy:
- depth: 2
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.depth=2"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-inflightreq:
- inFlightReq:
- sourceCriterion:
- ipStrategy:
- depth: 2
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-inflightreq.inflightreq]
- [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
- depth = 2
-```
-
-##### `ipStrategy.excludedIPs`
-
-`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Example of ExcludedIPs & `X-Forwarded-For`"
-
- | `X-Forwarded-For` | `excludedIPs` | clientIP |
- |-----------------------------------------|-----------------------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-inflightreq
-spec:
- inFlightReq:
- sourceCriterion:
- ipStrategy:
- excludedIPs:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-inflightreq:
- inFlightReq:
- sourceCriterion:
- ipStrategy:
- excludedIPs:
- - "127.0.0.1/32"
- - "192.168.1.7"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-inflightreq.inflightreq]
- [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
- excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-##### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
-- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
- If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
- | `IP` | `ipv6Subnet` | clientIP |
- |---------------------------|--------------|-----------------------|
- | `"::abcd:1111:2222:3333"` | `64` | `"::0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `80` | `"::abcd:0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `96` | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-inflightreq
-spec:
- inFlightReq:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-inflightreq:
- inFlightReq:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-inflightreq.inflightreq]
- [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion.ipStrategy]
- ipv6Subnet = 64
-```
-
-#### `sourceCriterion.requestHeaderName`
-
-Name of the header used to group incoming requests.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-inflightreq
-spec:
- inFlightReq:
- sourceCriterion:
- requestHeaderName: username
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requestheadername=username"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-inflightreq:
- inFlightReq:
- sourceCriterion:
- requestHeaderName: username
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-inflightreq.inflightreq]
- [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
- requestHeaderName = "username"
-```
-
-#### `sourceCriterion.requestHost`
-
-Whether to consider the request host as the source.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-inflightreq
-spec:
- inFlightReq:
- sourceCriterion:
- requestHost: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-inflightreq.inflightreq.sourcecriterion.requesthost=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-inflightreq:
- inFlightReq:
- sourceCriterion:
- requestHost: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-inflightreq.inflightreq]
- [http.middlewares.test-inflightreq.inFlightReq.sourceCriterion]
- requestHost = true
-```
diff --git a/docs/content/middlewares/http/ipallowlist.md b/docs/content/middlewares/http/ipallowlist.md
deleted file mode 100644
index 60565fd90..000000000
--- a/docs/content/middlewares/http/ipallowlist.md
+++ /dev/null
@@ -1,308 +0,0 @@
----
-title: "Traefik HTTP Middlewares IPAllowList"
-description: "Learn how to use IPAllowList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
----
-
-# IPAllowList
-
-Limiting Clients to Specific IPs
-{: .subtitle }
-
-IPAllowList limits allowed requests based on the client IP.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Accepts request from defined IP
-labels:
- - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipallowlist
-spec:
- ipAllowList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-# Accepts request from defined IP
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="File (YAML)"
-# Accepts request from defined IP
-http:
- middlewares:
- test-ipallowlist:
- ipAllowList:
- sourceRange:
- - "127.0.0.1/32"
- - "192.168.1.7"
-```
-
-```toml tab="File (TOML)"
-# Accepts request from defined IP
-[http.middlewares]
- [http.middlewares.test-ipallowlist.ipAllowList]
- sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-## Configuration Options
-
-### `sourceRange`
-
-_Required_
-
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
-
-### `ipStrategy`
-
-The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
-If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
-
-!!! important "As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`."
-
-#### `ipStrategy.depth`
-
-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
-
-- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-- `depth` is ignored if its value is less than or equal to 0.
-
-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
-!!! example "Examples of Depth & `X-Forwarded-For`"
-
- If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used is `"12.0.0.1"` (`depth=2`).
-
- | `X-Forwarded-For` | `depth` | clientIP |
- |-----------------------------------------|---------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
-
-```yaml tab="Docker"
-# Allowlisting Based on `X-Forwarded-For` with `depth=2`
-labels:
- - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
-```
-
-```yaml tab="Kubernetes"
-# Allowlisting Based on `X-Forwarded-For` with `depth=2`
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipallowlist
-spec:
- ipAllowList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.7
- ipStrategy:
- depth: 2
-```
-
-```yaml tab="Consul Catalog"
-# Allowlisting Based on `X-Forwarded-For` with `depth=2`
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.depth=2"
-```
-
-```yaml tab="File (YAML)"
-# Allowlisting Based on `X-Forwarded-For` with `depth=2`
-http:
- middlewares:
- test-ipallowlist:
- ipAllowList:
- sourceRange:
- - "127.0.0.1/32"
- - "192.168.1.7"
- ipStrategy:
- depth: 2
-```
-
-```toml tab="File (TOML)"
-# Allowlisting Based on `X-Forwarded-For` with `depth=2`
-[http.middlewares]
- [http.middlewares.test-ipallowlist.ipAllowList]
- sourceRange = ["127.0.0.1/32", "192.168.1.7"]
- [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
- depth = 2
-```
-
-#### `ipStrategy.excludedIPs`
-
-`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Example of ExcludedIPs & `X-Forwarded-For`"
-
- | `X-Forwarded-For` | `excludedIPs` | clientIP |
- |-----------------------------------------|-----------------------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
-
-```yaml tab="Docker"
-# Exclude from `X-Forwarded-For`
-labels:
- - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- - "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-# Exclude from `X-Forwarded-For`
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipallowlist
-spec:
- ipAllowList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.0/24
- ipStrategy:
- excludedIPs:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-# Exclude from `X-Forwarded-For`
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="File (YAML)"
-# Exclude from `X-Forwarded-For`
-http:
- middlewares:
- test-ipallowlist:
- ipAllowList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.0/24
- ipStrategy:
- excludedIPs:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```toml tab="File (TOML)"
-# Exclude from `X-Forwarded-For`
-[http.middlewares]
- [http.middlewares.test-ipallowlist.ipAllowList]
- sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
- [http.middlewares.test-ipallowlist.ipAllowList.ipStrategy]
- excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-#### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
-- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
- If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
- | `IP` | `ipv6Subnet` | clientIP |
- |---------------------------|--------------|-----------------------|
- | `"::abcd:1111:2222:3333"` | `64` | `"::0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `80` | `"::abcd:0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `96` | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipallowlist
-spec:
- ipallowlist:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ipallowlist:
- ipallowlist:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ipallowlist.ipallowlist]
- [http.middlewares.test-ipallowlist.ipallowlist.sourceCriterion.ipStrategy]
- ipv6Subnet = 64
-```
-
-### `rejectStatusCode`
-
-The `rejectStatusCode` option sets HTTP status code for refused requests. If not set, the default is 403 (Forbidden).
-
-```yaml tab="Docker & Swarm"
-# Reject requests with a 404 rather than a 403
-labels:
- - "traefik.http.middlewares.test-ipallowlist.ipallowlist.rejectstatuscode=404"
-```
-
-```yaml tab="Kubernetes"
-# Reject requests with a 404 rather than a 403
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipallowlist
-spec:
- ipAllowList:
- rejectStatusCode: 404
-```
-
-```yaml tab="Consul Catalog"
-# Reject requests with a 404 rather than a 403
-- "traefik.http.middlewares.test-ipallowlist.ipallowlist.rejectstatuscode=404"
-```
-
-```yaml tab="File (YAML)"
-# Reject requests with a 404 rather than a 403
-http:
- middlewares:
- test-ipallowlist:
- ipAllowList:
- rejectStatusCode: 404
-```
-
-```toml tab="File (TOML)"
-# Reject requests with a 404 rather than a 403
-[http.middlewares]
- [http.middlewares.test-ipallowlist.ipAllowList]
- rejectStatusCode = 404
-```
diff --git a/docs/content/middlewares/http/ipwhitelist.md b/docs/content/middlewares/http/ipwhitelist.md
deleted file mode 100644
index 894dfc316..000000000
--- a/docs/content/middlewares/http/ipwhitelist.md
+++ /dev/null
@@ -1,270 +0,0 @@
----
-title: "Traefik HTTP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in HTTP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
----
-
-# IPWhiteList
-
-Limiting Clients to Specific IPs
-{: .subtitle }
-
-IPWhiteList limits allowed requests based on the client IP.
-
-!!! warning
-
- This middleware is deprecated, please use the [IPAllowList](./ipallowlist.md) middleware instead.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Accepts request from defined IP
-labels:
- - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipwhitelist
-spec:
- ipWhiteList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-# Accepts request from defined IP
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="File (YAML)"
-# Accepts request from defined IP
-http:
- middlewares:
- test-ipwhitelist:
- ipWhiteList:
- sourceRange:
- - "127.0.0.1/32"
- - "192.168.1.7"
-```
-
-```toml tab="File (TOML)"
-# Accepts request from defined IP
-[http.middlewares]
- [http.middlewares.test-ipwhitelist.ipWhiteList]
- sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-## Configuration Options
-
-### `sourceRange`
-
-_Required_
-
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
-
-### `ipStrategy`
-
-The `ipStrategy` option defines two parameters that set how Traefik determines the client IP: `depth`, and `excludedIPs`.
-If no strategy is set, the default behavior is to match `sourceRange` against the Remote address found in the request.
-
-!!! important "As a middleware, whitelisting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through whitelisting. Therefore, during whitelisting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be matched against `sourceRange`."
-
-#### `ipStrategy.depth`
-
-The `depth` option tells Traefik to use the `X-Forwarded-For` header and take the IP located at the `depth` position (starting from the right).
-
-- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP will be empty.
-- `depth` is ignored if its value is less than or equal to 0.
-
-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
-!!! example "Examples of Depth & `X-Forwarded-For`"
-
- If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used for the whitelisting is `"12.0.0.1"` (`depth=2`).
-
- | `X-Forwarded-For` | `depth` | clientIP |
- |-----------------------------------------|---------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
-
-```yaml tab="Docker"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-labels:
- - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
- - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
-```
-
-```yaml tab="Kubernetes"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipwhitelist
-spec:
- ipWhiteList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.7
- ipStrategy:
- depth: 2
-```
-
-```yaml tab="Consul Catalog"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.depth=2"
-```
-
-```yaml tab="File (YAML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-http:
- middlewares:
- test-ipwhitelist:
- ipWhiteList:
- sourceRange:
- - "127.0.0.1/32"
- - "192.168.1.7"
- ipStrategy:
- depth: 2
-```
-
-```toml tab="File (TOML)"
-# Whitelisting Based on `X-Forwarded-For` with `depth=2`
-[http.middlewares]
- [http.middlewares.test-ipwhitelist.ipWhiteList]
- sourceRange = ["127.0.0.1/32", "192.168.1.7"]
- [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
- depth = 2
-```
-
-#### `ipStrategy.excludedIPs`
-
-`excludedIPs` configures Traefik to scan the `X-Forwarded-For` header and select the first IP not in the list.
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-!!! example "Example of ExcludedIPs & `X-Forwarded-For`"
-
- | `X-Forwarded-For` | `excludedIPs` | clientIP |
- |-----------------------------------------|-----------------------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"12.0.0.1,13.0.0.1"` | `"11.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"10.0.0.1,13.0.0.1"` | `"12.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
-
-```yaml tab="Docker"
-# Exclude from `X-Forwarded-For`
-labels:
- - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
- - "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-# Exclude from `X-Forwarded-For`
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipwhitelist
-spec:
- ipWhiteList:
- ipStrategy:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.0/24
- excludedIPs:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-# Exclude from `X-Forwarded-For`
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.sourceRange=127.0.0.1/32, 192.168.1.0/24"
-- "traefik.http.middlewares.test-ipwhitelist.ipwhitelist.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="File (YAML)"
-# Exclude from `X-Forwarded-For`
-http:
- middlewares:
- test-ipwhitelist:
- ipWhiteList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.0/24
- ipStrategy:
- excludedIPs:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```toml tab="File (TOML)"
-# Exclude from `X-Forwarded-For`
-[http.middlewares]
- [http.middlewares.test-ipwhitelist.ipWhiteList]
- sourceRange = ["127.0.0.1/32", "192.168.1.0/24"]
- [http.middlewares.test-ipwhitelist.ipWhiteList.ipStrategy]
- excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-#### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
-- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
- If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
- | `IP` | `ipv6Subnet` | clientIP |
- |---------------------------|--------------|-----------------------|
- | `"::abcd:1111:2222:3333"` | `64` | `"::0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `80` | `"::abcd:0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `96` | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ipWhiteList
-spec:
- ipWhiteList:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ipWhiteList.ipWhiteList.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ipWhiteList:
- ipWhiteList:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ipWhiteList.ipWhiteList]
- [http.middlewares.test-ipWhiteList.ipWhiteList.sourceCriterion.ipStrategy]
- ipv6Subnet = 64
-```
diff --git a/docs/content/middlewares/http/overview.md b/docs/content/middlewares/http/overview.md
deleted file mode 100644
index 27f0d4fd2..000000000
--- a/docs/content/middlewares/http/overview.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: "Traefik Proxy HTTP Middleware Overview"
-description: "Read the official Traefik Proxy documentation for an overview of the available HTTP middleware."
----
-
-# HTTP Middlewares
-
-Controlling connections
-{: .subtitle }
-
-## Configuration Example
-
-```yaml tab="Docker & Swarm"
-# As a Docker Label
-whoami:
- # A container that exposes an API to show its IP address
- image: traefik/whoami
- labels:
- # Create a middleware named `foo-add-prefix`
- - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
- # Apply the middleware named `foo-add-prefix` to the router named `router1`
- - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
-```
-
-```yaml tab="IngressRoute"
-# As a Kubernetes Traefik IngressRoute
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: stripprefix
-spec:
- stripPrefix:
- prefixes:
- - /stripit
-
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- name: ingressroute
-spec:
-# more fields...
- routes:
- # more fields...
- middlewares:
- - name: stripprefix
-```
-
-```yaml tab="Consul Catalog"
-# Create a middleware named `foo-add-prefix`
-- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
-# Apply the middleware named `foo-add-prefix` to the router named `router1`
-- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
-```
-
-```toml tab="File (TOML)"
-# As TOML Configuration File
-[http.routers]
- [http.routers.router1]
- service = "service1"
- middlewares = ["foo-add-prefix"]
- rule = "Host(`example.com`)"
-
-[http.middlewares]
- [http.middlewares.foo-add-prefix.addPrefix]
- prefix = "/foo"
-
-[http.services]
- [http.services.service1]
- [http.services.service1.loadBalancer]
-
- [[http.services.service1.loadBalancer.servers]]
- url = "http://127.0.0.1:80"
-```
-
-```yaml tab="File (YAML)"
-# As YAML Configuration File
-http:
- routers:
- router1:
- service: service1
- middlewares:
- - "foo-add-prefix"
- rule: "Host(`example.com`)"
-
- middlewares:
- foo-add-prefix:
- addPrefix:
- prefix: "/foo"
-
- services:
- service1:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:80"
-```
-
-## Available HTTP Middlewares
-
-| Middleware | Purpose | Area |
-|-------------------------------------------|---------------------------------------------------|-----------------------------|
-| [AddPrefix](addprefix.md) | Adds a Path Prefix | Path Modifier |
-| [BasicAuth](basicauth.md) | Adds Basic Authentication | Security, Authentication |
-| [Buffering](buffering.md) | Buffers the request/response | Request Lifecycle |
-| [Chain](chain.md) | Combines multiple pieces of middleware | Misc |
-| [CircuitBreaker](circuitbreaker.md) | Prevents calling unhealthy services | Request Lifecycle |
-| [Compress](compress.md) | Compresses the response | Content Modifier |
-| [ContentType](contenttype.md) | Handles Content-Type auto-detection | Misc |
-| [DigestAuth](digestauth.md) | Adds Digest Authentication | Security, Authentication |
-| [Errors](errorpages.md) | Defines custom error pages | Request Lifecycle |
-| [ForwardAuth](forwardauth.md) | Delegates Authentication | Security, Authentication |
-| [Headers](headers.md) | Adds / Updates headers | Security |
-| [IPAllowList](ipallowlist.md) | Limits the allowed client IPs | Security, Request lifecycle |
-| [InFlightReq](inflightreq.md) | Limits the number of simultaneous connections | Security, Request lifecycle |
-| [PassTLSClientCert](passtlsclientcert.md) | Adds Client Certificates in a Header | Security |
-| [RateLimit](ratelimit.md) | Limits the call frequency | Security, Request lifecycle |
-| [RedirectScheme](redirectscheme.md) | Redirects based on scheme | Request lifecycle |
-| [RedirectRegex](redirectregex.md) | Redirects based on regex | Request lifecycle |
-| [ReplacePath](replacepath.md) | Changes the path of the request | Path Modifier |
-| [ReplacePathRegex](replacepathregex.md) | Changes the path of the request | Path Modifier |
-| [Retry](retry.md) | Automatically retries in case of error | Request lifecycle |
-| [StripPrefix](stripprefix.md) | Changes the path of the request | Path Modifier |
-| [StripPrefixRegex](stripprefixregex.md) | Changes the path of the request | Path Modifier |
-
-## Community Middlewares
-
-Please take a look at the community-contributed plugins in the [plugin catalog](https://plugins.traefik.io/plugins).
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/middlewares/http/passtlsclientcert.md b/docs/content/middlewares/http/passtlsclientcert.md
deleted file mode 100644
index 8f74647d6..000000000
--- a/docs/content/middlewares/http/passtlsclientcert.md
+++ /dev/null
@@ -1,660 +0,0 @@
----
-title: "Traefik PassTLSClientCert Documentation"
-description: "In Traefik Proxy's HTTP middleware, the PassTLSClientCert adds selected data from passed client TLS certificates to headers. Read the technical documentation."
----
-
-# PassTLSClientCert
-
-Adding Client Certificates in a Header
-{: .subtitle }
-
-
-
-PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.
-
-## Configuration Examples
-
-Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
-
-```yaml tab="Docker & Swarm"
-# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
-labels:
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-passtlsclientcert
-spec:
- passTLSClientCert:
- pem: true
-```
-
-```yaml tab="Consul Catalog"
-# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header
-- "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"
-```
-
-```yaml tab="File (YAML)"
-# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
-http:
- middlewares:
- test-passtlsclientcert:
- passTLSClientCert:
- pem: true
-```
-
-```toml tab="File (TOML)"
-# Pass the pem in the `X-Forwarded-Tls-Client-Cert` header.
-[http.middlewares]
- [http.middlewares.test-passtlsclientcert.passTLSClientCert]
- pem = true
-```
-
-??? example "Pass the pem in the `X-Forwarded-Tls-Client-Cert` header"
-
- ```yaml tab="Docker & Swarm"
- # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
- labels:
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
- ```
-
- ```yaml tab="Kubernetes"
- # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
- apiVersion: traefik.io/v1alpha1
- kind: Middleware
- metadata:
- name: test-passtlsclientcert
- spec:
- passTLSClientCert:
- info:
- notAfter: true
- notBefore: true
- sans: true
- subject:
- country: true
- province: true
- locality: true
- organization: true
- organizationalUnit: true
- commonName: true
- serialNumber: true
- domainComponent: true
- issuer:
- country: true
- province: true
- locality: true
- organization: true
- commonName: true
- serialNumber: true
- domainComponent: true
- ```
-
- ```yaml tab="Consul Catalog"
- # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
- - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"
- ```
-
- ```yaml tab="File (YAML)"
- # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
- http:
- middlewares:
- test-passtlsclientcert:
- passTLSClientCert:
- info:
- notAfter: true
- notBefore: true
- sans: true
- subject:
- country: true
- province: true
- locality: true
- organization: true
- organizationalUnit: true
- commonName: true
- serialNumber: true
- domainComponent: true
- issuer:
- country: true
- province: true
- locality: true
- organization: true
- commonName: true
- serialNumber: true
- domainComponent: true
- ```
-
- ```toml tab="File (TOML)"
- # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
- [http.middlewares]
- [http.middlewares.test-passtlsclientcert.passTLSClientCert]
- [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
- notAfter = true
- notBefore = true
- sans = true
- [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
- country = true
- province = true
- locality = true
- organization = true
- organizationalUnit = true
- commonName = true
- serialNumber = true
- domainComponent = true
- [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
- country = true
- province = true
- locality = true
- organization = true
- commonName = true
- serialNumber = true
- domainComponent = true
- ```
-
-## Configuration Options
-
-### General
-
-PassTLSClientCert can add two headers to the request:
-
-- `X-Forwarded-Tls-Client-Cert` that contains the pem.
-- `X-Forwarded-Tls-Client-Cert-Info` that contains all the selected certificate information in an escaped string.
-
-!!! info
-
- * `X-Forwarded-Tls-Client-Cert-Info` header value is a string that has been escaped in order to be a valid URL query.
- * These options only work accordingly to the [MutualTLS configuration](../../https/tls.md#client-authentication-mtls).
- That is to say, only the certificates that match the `clientAuth.clientAuthType` policy are passed.
-
-The following example shows a complete certificate and explains each of the middleware options.
-
-??? example "A complete client TLS certificate"
-
- ```
- Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 1 (0x1)
- Signature Algorithm: sha1WithRSAEncryption
- Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
- Validity
- Not Before: Dec 6 11:10:16 2018 GMT
- Not After : Dec 5 11:10:16 2020 GMT
- Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public-Key: (2048 bit)
- Modulus:
- 00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
- a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
- 1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
- d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
- 8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
- 39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
- dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
- 6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
- 11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
- 2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
- 63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
- a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
- d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
- fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
- d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
- c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
- 2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
- ee:f9
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Key Usage: critical
- Digital Signature, Key Encipherment
- X509v3 Basic Constraints:
- CA:FALSE
- X509v3 Extended Key Usage:
- TLS Web Server Authentication, TLS Web Client Authentication
- X509v3 Subject Key Identifier:
- 94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
- X509v3 Authority Key Identifier:
- keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
-
- X509v3 Subject Alternative Name:
- DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
- Signature Algorithm: sha1WithRSAEncryption
- 76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
- 16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
- ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
- 5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
- 8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
- cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
- 1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
- 8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
- 74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
- 9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
- 62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
- 60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
- 9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
- d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
- c6:98:8a:31
- -----BEGIN CERTIFICATE-----
- MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
- ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
- ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
- Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
- AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
- IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
- DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
- D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
- Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
- NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
- MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
- BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
- HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
- ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
- A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
- VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
- MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
- EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
- AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
- iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
- KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
- yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
- BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
- Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
- A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
- BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
- BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
- Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
- Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
- FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
- KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
- CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
- mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
- ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
- -----END CERTIFICATE-----
- ```
-
-### `pem`
-
-The `pem` option sets the `X-Forwarded-Tls-Client-Cert` header with the certificate.
-
-In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` delimiters:
-
-??? example "The data used by the pem option"
-
- ```
- -----BEGIN CERTIFICATE-----
- MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
- ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
- ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
- Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
- AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
- IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
- DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
- D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
- Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
- NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
- MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
- BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
- HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
- ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
- A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
- VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
- MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
- EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
- AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
- iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
- KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
- yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
- BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
- Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
- A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
- BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
- BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
- Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
- Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
- FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
- KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
- CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
- mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
- ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
- -----END CERTIFICATE-----
- ```
-
-!!! info "Extracted data"
-
- The delimiters and `\n` will be removed.
- If there are more than one certificate, they are separated by a "`,`".
-
-!!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
-
- The header size limit of web servers is commonly between 4kb and 8kb.
- If that turns out to be a problem, and if reconfiguring the server to allow larger headers is not an option,
- one can alleviate the problem by selecting only the interesting parts of the cert,
- through the use of the `info` options described below. (And by setting `pem` to false).
-
-### `info`
-
-The `info` option selects the specific client certificate details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
-
-The value of the header is an escaped concatenation of all the selected certificate details.
-But in the following, unless specified otherwise, all the header values examples are shown unescaped, for readability.
-
-The following example shows such a concatenation, when all the available fields are selected:
-
-```text
-Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
-```
-
-!!! info "Multiple certificates"
-
- If there are more than one certificate, they are separated by a `,`.
-
-#### `info.serialNumber`
-
-Set the `info.serialNumber` option to `true` to add the `Serial Number` of the certificate.
-
-The data is taken from the following certificate part:
-
-```text
-Serial Number:
- 6a:2f:20:f8:ce:8d:48:52:ba:d9:bb:be:60:ec:bf:79
-```
-
-And it is formatted as follows in the header (decimal representation):
-
-```text
-SerialNumber="141142874255168551917600297745052909433"
-```
-
-#### `info.notAfter`
-
-Set the `info.notAfter` option to `true` to add the `Not After` information from the `Validity` part.
-
-The data is taken from the following certificate part:
-
-```text
-Validity
- Not After : Dec 5 11:10:16 2020 GMT
-```
-
-And it is formatted as follows in the header:
-
-```text
-NA="1607166616"
-```
-
-#### `info.notBefore`
-
-Set the `info.notBefore` option to `true` to add the `Not Before` information from the `Validity` part.
-
-The data is taken from the following certificate part:
-
-```text
-Validity
- Not Before: Dec 6 11:10:16 2018 GMT
-```
-
-And it is formatted as follows in the header:
-
-```text
-NB="1544094616"
-```
-
-#### `info.sans`
-
-Set the `info.sans` option to `true` to add the `Subject Alternative Name` information from the `Subject Alternative Name` part.
-
-The data is taken from the following certificate part:
-
-```text
-X509v3 Subject Alternative Name:
- DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
-```
-
-And it is formatted as follows in the header:
-
-```text
-SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"
-```
-
-!!! info "Multiple values"
-
- The SANs are separated by a `,`.
-
-#### `info.subject`
-
-The `info.subject` selects the specific client certificate subject details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
-
-The data is taken from the following certificate part:
-
-```text
-Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
-```
-
-##### `info.subject.country`
-
-Set the `info.subject.country` option to `true` to add the `country` information into the subject.
-
-The data is taken from the subject part with the `C` key.
-
-And it is formatted as follows in the header:
-
-```text
-C=FR,C=US
-```
-
-##### `info.subject.province`
-
-Set the `info.subject.province` option to `true` to add the `province` information into the subject.
-
-The data is taken from the subject part with the `ST` key.
-
-And it is formatted as follows in the header:
-
-```text
-ST=Cheese org state,ST=Cheese com state
-```
-
-##### `info.subject.locality`
-
-Set the `info.subject.locality` option to `true` to add the `locality` information into the subject.
-
-The data is taken from the subject part with the `L` key.
-
-And it is formatted as follows in the header:
-
-```text
-L=TOULOUSE,L=LYON
-```
-
-##### `info.subject.organization`
-
-Set the `info.subject.organization` option to `true` to add the `organization` information into the subject.
-
-The data is taken from the subject part with the `O` key.
-
-And it is formatted as follows in the header:
-
-```text
-O=Cheese,O=Cheese 2
-```
-
-##### `info.subject.organizationalUnit`
-
-Set the `info.subject.organizationalUnit` option to `true` to add the `organizationalUnit` information into the subject.
-
-The data is taken from the subject part with the `OU` key.
-
-And it is formatted as follows in the header:
-
-```text
-OU=Cheese Section,OU=Cheese Section 2
-```
-
-##### `info.subject.commonName`
-
-Set the `info.subject.commonName` option to `true` to add the `commonName` information into the subject.
-
-The data is taken from the subject part with the `CN` key.
-
-And it is formatted as follows in the header:
-
-```text
-CN=*.example.com
-```
-
-##### `info.subject.serialNumber`
-
-Set the `info.subject.serialNumber` option to `true` to add the `serialNumber` information into the subject.
-
-The data is taken from the subject part with the `SN` key.
-
-And it is formatted as follows in the header:
-
-```text
-SN=1234567890
-```
-
-##### `info.subject.domainComponent`
-
-Set the `info.subject.domainComponent` option to `true` to add the `domainComponent` information into the subject.
-
-The data is taken from the subject part with the `DC` key.
-
-And it is formatted as follows in the header:
-
-```text
-DC=org,DC=cheese
-```
-
-#### `info.issuer`
-
-The `info.issuer` selects the specific client certificate issuer details you want to add to the `X-Forwarded-Tls-Client-Cert-Info` header.
-
-The data is taken from the following certificate part:
-
-```text
-Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
-```
-
-##### `info.issuer.country`
-
-Set the `info.issuer.country` option to `true` to add the `country` information into the issuer.
-
-The data is taken from the issuer part with the `C` key.
-
-And it is formatted as follows in the header:
-
-```text
-C=FR,C=US
-```
-
-##### `info.issuer.province`
-
-Set the `info.issuer.province` option to `true` to add the `province` information into the issuer.
-
-The data is taken from the issuer part with the `ST` key.
-
-And it is formatted as follows in the header:
-
-```text
-ST=Signing State,ST=Signing State 2
-```
-
-##### `info.issuer.locality`
-
-Set the `info.issuer.locality` option to `true` to add the `locality` information into the issuer.
-
-The data is taken from the issuer part with the `L` key.
-
-And it is formatted as follows in the header:
-
-```text
-L=TOULOUSE,L=LYON
-```
-
-##### `info.issuer.organization`
-
-Set the `info.issuer.organization` option to `true` to add the `organization` information into the issuer.
-
-The data is taken from the issuer part with the `O` key.
-
-And it is formatted as follows in the header:
-
-```text
-O=Cheese,O=Cheese 2
-```
-
-##### `info.issuer.commonName`
-
-Set the `info.issuer.commonName` option to `true` to add the `commonName` information into the issuer.
-
-The data is taken from the issuer part with the `CN` key.
-
-And it is formatted as follows in the header:
-
-```text
-CN=Simple Signing CA 2
-```
-
-##### `info.issuer.serialNumber`
-
-Set the `info.issuer.serialNumber` option to `true` to add the `serialNumber` information into the issuer.
-
-The data is taken from the issuer part with the `SN` key.
-
-And it is formatted as follows in the header:
-
-```text
-SN=1234567890
-```
-
-##### `info.issuer.domainComponent`
-
-Set the `info.issuer.domainComponent` option to `true` to add the `domainComponent` information into the issuer.
-
-The data is taken from the issuer part with the `DC` key.
-
-And it is formatted as follows in the header:
-
-```text
-DC=org,DC=cheese
-```
diff --git a/docs/content/middlewares/http/ratelimit.md b/docs/content/middlewares/http/ratelimit.md
deleted file mode 100644
index 12b4644c3..000000000
--- a/docs/content/middlewares/http/ratelimit.md
+++ /dev/null
@@ -1,1213 +0,0 @@
----
-title: "Traefik RateLimit Documentation"
-description: "Traefik Proxy's HTTP RateLimit middleware ensures Services receive fair amounts of requests. Read the technical documentation."
----
-
-# RateLimit
-
-To Control the Number of Requests Going to a Service
-{: .subtitle }
-
-The RateLimit middleware ensures that services will receive a _fair_ amount of requests, and allows one to define what fair is.
-
-It is based on a [token bucket](https://en.wikipedia.org/wiki/Token_bucket) implementation. In this analogy, the [average](#average) parameter (defined below) is the rate at which the bucket refills, and the [burst](#burst) is the size (volume) of the bucket.
-
-## Configuration Example
-
-```yaml tab="Docker & Swarm"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 200 requests is allowed.
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
- - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=200"
-```
-
-```yaml tab="Kubernetes"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 200 requests is allowed.
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- average: 100
- burst: 200
-```
-
-```yaml tab="Consul Catalog"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 200 requests is allowed.
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=50"
-```
-
-```yaml tab="File (YAML)"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 200 requests is allowed.
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- average: 100
- burst: 200
-```
-
-```toml tab="File (TOML)"
-# Here, an average of 100 requests per second is allowed.
-# In addition, a burst of 200 requests is allowed.
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- average = 100
- burst = 200
-```
-
-## Configuration Options
-
-### `average`
-
-`average` is the maximum rate, by default in requests per second, allowed from a given source.
-
-It defaults to `0`, which means no rate limiting.
-
-The rate is actually defined by dividing `average` by `period`.
-So for a rate below 1 req/s, one needs to define a `period` larger than a second.
-
-```yaml tab="Docker & Swarm"
-# 100 reqs/s
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-```
-
-```yaml tab="Kubernetes"
-# 100 reqs/s
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- average: 100
-```
-
-```yaml tab="Consul Catalog"
-# 100 reqs/s
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=100"
-```
-
-```yaml tab="File (YAML)"
-# 100 reqs/s
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- average: 100
-```
-
-```toml tab="File (TOML)"
-# 100 reqs/s
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- average = 100
-```
-
-### `period`
-
-`period`, in combination with `average`, defines the actual maximum rate, such as:
-
-```go
-r = average / period
-```
-
-It defaults to `1` second.
-
-```yaml tab="Docker & Swarm"
-# 6 reqs/minute
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
- - "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
-```
-
-```yaml tab="Kubernetes"
-# 6 reqs/minute
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- period: 1m
- average: 6
-```
-
-```yaml tab="Consul Catalog"
-# 6 reqs/minute
-- "traefik.http.middlewares.test-ratelimit.ratelimit.average=6"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.period=1m"
-```
-
-```yaml tab="File (YAML)"
-# 6 reqs/minute
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- average: 6
- period: 1m
-```
-
-```toml tab="File (TOML)"
-# 6 reqs/minute
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- average = 6
- period = "1m"
-```
-
-### `burst`
-
-`burst` is the maximum number of requests allowed to go through in the same arbitrarily small period of time.
-
-It defaults to `1`.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- burst: 100
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.burst=100"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- burst: 100
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- burst = 100
-```
-
-### `sourceCriterion`
-
-The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
-If several strategies are defined at the same time, an error will be raised.
-If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
-
-#### `sourceCriterion.ipStrategy`
-
-The `ipStrategy` option defines three parameters that configures how Traefik determines the client IP: `depth`, `excludedIPs` and `ipv6Subnet`.
-
-!!! important "As a middleware, rate-limiting happens before the actual proxying to the backend takes place. In addition, the previous network hop only gets appended to `X-Forwarded-For` during the last stages of proxying, i.e. after it has already passed through rate-limiting. Therefore, during rate-limiting, as the previous network hop is not yet present in `X-Forwarded-For`, it cannot be found and/or relied upon."
-
-##### `ipStrategy.depth`
-
-The `depth` option tells Traefik to use the `X-Forwarded-For` header and select the IP located at the `depth` position (starting from the right).
-
-- If `depth` is greater than the total number of IPs in `X-Forwarded-For`, then the client IP is empty.
-- `depth` is ignored if its value is less than or equal to 0.
-
-If `ipStrategy.ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-See [ipStrategy.ipv6Subnet](#ipstrategyipv6subnet) for more details.
-
-!!! example "Example of Depth & `X-Forwarded-For`"
-
- If `depth` is set to 2, and the request `X-Forwarded-For` header is `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` then the "real" client IP is `"10.0.0.1"` (at depth 4) but the IP used as the criterion is `"12.0.0.1"` (`depth=2`).
-
- | `X-Forwarded-For` | `depth` | clientIP |
- |-----------------------------------------|---------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `1` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `3` | `"11.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,12.0.0.1,13.0.0.1"` | `5` | `""` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- sourceCriterion:
- ipStrategy:
- depth: 2
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.depth=2"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- sourceCriterion:
- ipStrategy:
- depth: 2
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
- depth = 2
-```
-
-##### `ipStrategy.excludedIPs`
-
-!!! important "Contrary to what the name might suggest, this option is _not_ about excluding an IP from the rate limiter, and therefore cannot be used to deactivate rate limiting for some IPs."
-
-!!! important "If `depth` is specified, `excludedIPs` is ignored."
-
-`excludedIPs` is meant to address two classes of somewhat distinct use-cases:
-
-1. Distinguish IPs which are behind the same (set of) reverse-proxies so that each of them contributes, independently to the others,
- to its own rate-limit "bucket" (cf the [leaky bucket analogy](https://wikipedia.org/wiki/Leaky_bucket)).
- In this case, `excludedIPs` should be set to match the list of `X-Forwarded-For IPs` that are to be excluded,
- in order to find the actual clientIP.
-
- !!! example "Each IP as a distinct source"
-
- | `X-Forwarded-For` | excludedIPs | clientIP |
- |--------------------------------|-----------------------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.1"` |
- | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"11.0.0.1,12.0.0.1"` | `"10.0.0.2"` |
-
-2. Group together a set of IPs (also behind a common set of reverse-proxies) so that they are considered the same source,
- and all contribute to the same rate-limit bucket.
-
- !!! example "Group IPs together as same source"
-
- | `X-Forwarded-For` | excludedIPs | clientIP |
- |--------------------------------|--------------|--------------|
- | `"10.0.0.1,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
- | `"10.0.0.2,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
- | `"10.0.0.3,11.0.0.1,12.0.0.1"` | `"12.0.0.1"` | `"11.0.0.1"` |
-
-For completeness, below are additional examples to illustrate how the matching works.
-For a given request the list of `X-Forwarded-For` IPs is checked from most recent to most distant against the `excludedIPs` pool,
-and the first IP that is _not_ in the pool (if any) is returned.
-
-!!! example "Matching for clientIP"
-
- | `X-Forwarded-For` | excludedIPs | clientIP |
- |--------------------------------|-----------------------|--------------|
- | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"11.0.0.1"` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1,13.0.0.1"` | `"15.0.0.1,16.0.0.1"` | `"13.0.0.1"` |
- | `"10.0.0.1,11.0.0.1"` | `"10.0.0.1,11.0.0.1"` | `""` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- sourceCriterion:
- ipStrategy:
- excludedIPs:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.excludedips=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- sourceCriterion:
- ipStrategy:
- excludedIPs:
- - "127.0.0.1/32"
- - "192.168.1.7"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.sourceCriterion.ipStrategy]
- excludedIPs = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-##### `ipStrategy.ipv6Subnet`
-
-This strategy applies to `Depth` and `RemoteAddr` strategy only.
-If `ipv6Subnet` is provided and the selected IP is IPv6, the IP is transformed into the first IP of the subnet it belongs to.
-
-This is useful for grouping IPv6 addresses into subnets to prevent bypassing this middleware by obtaining a new IPv6.
-
-- `ipv6Subnet` is ignored if its value is outside of 0-128 interval
-
-!!! example "Example of ipv6Subnet"
-
- If `ipv6Subnet` is provided, the IP is transformed in the following way.
-
- | `IP` | `ipv6Subnet` | clientIP |
- |---------------------------|--------------|-----------------------|
- | `"::abcd:1111:2222:3333"` | `64` | `"::0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `80` | `"::abcd:0:0:0:0"` |
- | `"::abcd:1111:2222:3333"` | `96` | `"::abcd:1111:0:0:0"` |
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- ratelimit:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.ipstrategy.ipv6Subnet=64"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- ratelimit:
- sourceCriterion:
- ipStrategy:
- ipv6Subnet: 64
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.ratelimit]
- [http.middlewares.test-ratelimit.ratelimit.sourceCriterion.ipStrategy]
- ipv6Subnet = 64
-```
-
-#### `sourceCriterion.requestHeaderName`
-
-Name of the header used to group incoming requests.
-
-!!! important "If the header is not present, rate limiting will still be applied, but all requests without the specified header will be grouped together."
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- sourceCriterion:
- requestHeaderName: username
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requestheadername=username"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- sourceCriterion:
- requestHeaderName: username
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
- requestHeaderName = "username"
-```
-
-#### `sourceCriterion.requestHost`
-
-Whether to consider the request host as the source.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- sourceCriterion:
- requestHost: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.sourcecriterion.requesthost=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- sourceCriterion:
- requestHost: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.sourceCriterion]
- requestHost = true
-```
-
-### `redis`
-
-Enables distributed rate limit using `redis` to store the tokens.
-If not set, Traefik's in-memory storage is used by default.
-
-#### `redis.endpoints`
-
-_Required, Default="127.0.0.1:6379"_
-
-Defines how to connect to the Redis server.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=127.0.0.1:6379"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- endpoints:
- - "127.0.0.1:6379"
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.endpoints=127.0.0.1:6379"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- endpoints:
- - "127.0.0.1:6379"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- endpoints = ["127.0.0.1:6379"]
-```
-
-#### `redis.username`
-
-_Optional, Default=""_
-
-Defines the username used to authenticate with the Redis server.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=user"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- secret: mysecret
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mysecret
- namespace: default
-
-data:
- username: dXNlcm5hbWU=
- password: cGFzc3dvcmQ=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.username=user"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- username: user
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- username = "user"
-```
-
-#### `redis.password`
-
-_Optional, Default=""_
-
-Defines the password to authenticate against the Redis server.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=password"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- secret: mysecret
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mysecret
- namespace: default
-
-data:
- username: dXNlcm5hbWU=
- password: cGFzc3dvcmQ=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.password=password"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- password: password
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- password = "password"
-```
-
-#### `redis.db`
-
-_Optional, Default=0_
-
-Defines the database to select after connecting to the Redis.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=0"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- db: 0
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.db=0"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- db: 0
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- db = 0
-```
-
-#### `redis.tls`
-
-Same as this [config](https://doc.traefik.io/traefik/providers/redis/#tls)
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Redis.
-
-##### `redis.tls.ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to Redis,
-it defaults to the system bundle.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=path/to/ca.crt"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- tls:
- caSecret: mycasercret
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mycasercret
- namespace: default
-
-data:
- # Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
- tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.ca=path/to/ca.crt"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- rateLimit:
- # ...
- redis:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.redis.tls]
- ca = "path/to/ca.crt"
-```
-
-##### `redis.tls.cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to Redis.
-When this option is set, the `key` option is required.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- tls:
- certSecret: mytlscert
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mytlscert
- namespace: default
-
-data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
- tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- redis:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- [http.middlewares.test-ratelimit.rateLimit.redis.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-##### `redis.tls.key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to Redis.
-When this option is set, the `cert` option is required.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- tls:
- certSecret: mytlscert
-
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: mytlscert
- namespace: default
-
-data:
- tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
- tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.cert=path/to/foo.cert"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.key=path/to/foo.key"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- redis:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- [http.middlewares.test-ratelimit.rateLimit.redis.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-##### `redis.tls.insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=true"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- tls:
- insecureSkipVerify: true
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.tls.insecureSkipVerify=true"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- [http.middlewares.test-ratelimit.rateLimit.redis.tls]
- insecureSkipVerify = true
-```
-
-#### `redis.poolSize`
-
-_Optional, Default=0_
-
-Defines the base number of socket connections.
-
-If there are not enough connections in the pool, new connections will be allocated beyond `redis.poolSize`.
-You can limit this using `redis.maxActiveConns`.
-
-Zero means 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=42"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- poolSize: 42
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.poolSize=42"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- poolSize: 42
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- poolSize = 42
-```
-
-#### `redis.minIdleConns`
-
-_Optional, Default=0_
-
-Defines the minimum number of idle connections, which is useful when establishing new connections is slow.
-Zero means that idle connections are not closed.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=42"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- minIdleConns: 42
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.minIdleConns=42"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- minIdleConns: 42
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- minIdleConns = 42
-```
-
-#### `redis.maxActiveConns`
-
-_Optional, Default=0_
-
-Defines the maximum number of connections the pool can allocate at a given time.
-Zero means no limit.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=42"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- maxActiveConns: 42
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.maxActiveConns=42"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- maxActiveConns: 42
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- maxActiveConns = 42
-```
-
-#### `redis.readTimeout`
-
-_Optional, Default=3s_
-
-Defines the timeout for socket reads.
-If reached, commands will fail with a timeout instead of blocking.
-Zero means no timeout.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=42s"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- readTimeout: 42s
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.readTimeout=42s"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- readTimeout: 42s
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- readTimeout = "42s"
-```
-
-#### `redis.writeTimeout`
-
-_Optional, Default=3s_
-
-Defines the timeout for socket writes.
-If reached, commands will fail with a timeout instead of blocking.
-Zero means no timeout.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=42s"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- writeTimeout: 42s
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.writeTimeout=42s"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- writeTimeout: 42s
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- writeTimeout = "42s"
-```
-
-#### `redis.dialTimeout`
-
-_Optional, Default=5s_
-
-Defines the dial timeout for establishing new connections.
-Zero means no timeout.
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=42s"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-ratelimit
-spec:
- rateLimit:
- # ...
- redis:
- dialTimeout: 42s
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-ratelimit.ratelimit.redis.dialTimeout=42s"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-ratelimit:
- rateLimit:
- # ...
- redis:
- dialTimeout: 42s
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-ratelimit.rateLimit]
- [http.middlewares.test-ratelimit.rateLimit.redis]
- dialTimeout = "42s"
-```
diff --git a/docs/content/middlewares/http/redirectregex.md b/docs/content/middlewares/http/redirectregex.md
deleted file mode 100644
index a28fa0ada..000000000
--- a/docs/content/middlewares/http/redirectregex.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: "Traefik RedirectRegex Documentation"
-description: "In Traefik Proxy's HTTP middleware, RedirectRegex redirecting clients to different locations. Read the technical documentation."
----
-
-# RedirectRegex
-
-Redirecting the Client to a Different Location
-{: .subtitle }
-
-
-
-The RedirectRegex redirects a request using regex matching and replacement.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Redirect with domain replacement
-# Note: all dollar signs need to be doubled for escaping.
-labels:
- - "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
- - "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
-```
-
-```yaml tab="Kubernetes"
-# Redirect with domain replacement
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-redirectregex
-spec:
- redirectRegex:
- regex: ^http://localhost/(.*)
- replacement: http://mydomain/${1}
-```
-
-```yaml tab="Consul Catalog"
-# Redirect with domain replacement
-# Note: all dollar signs need to be doubled for escaping.
-- "traefik.http.middlewares.test-redirectregex.redirectregex.regex=^http://localhost/(.*)"
-- "traefik.http.middlewares.test-redirectregex.redirectregex.replacement=http://mydomain/$${1}"
-```
-
-```yaml tab="File (YAML)"
-# Redirect with domain replacement
-http:
- middlewares:
- test-redirectregex:
- redirectRegex:
- regex: "^http://localhost/(.*)"
- replacement: "http://mydomain/${1}"
-```
-
-```toml tab="File (TOML)"
-# Redirect with domain replacement
-[http.middlewares]
- [http.middlewares.test-redirectregex.redirectRegex]
- regex = "^http://localhost/(.*)"
- replacement = "http://mydomain/${1}"
-```
-
-## Configuration Options
-
-### `permanent`
-
-Set the `permanent` option to `true` to apply a permanent redirection.
-
-### `regex`
-
-The `regex` option is the regular expression to match and capture elements from the request URL.
-
-!!! tip
-
- Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
- When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
-
-### `replacement`
-
-The `replacement` option defines how to modify the URL to have the new target URL.
-
-!!! warning
-
- Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/middlewares/http/redirectscheme.md b/docs/content/middlewares/http/redirectscheme.md
deleted file mode 100644
index 15534a420..000000000
--- a/docs/content/middlewares/http/redirectscheme.md
+++ /dev/null
@@ -1,213 +0,0 @@
----
-title: "Traefik RedirectScheme Documentation"
-description: "In Traefik Proxy's HTTP middleware, RedirectScheme redirects clients to different schemes/ports. Read the technical documentation."
----
-
-# RedirectScheme
-
-Redirecting the Client to a Different Scheme/Port
-{: .subtitle }
-
-
-
-The RedirectScheme middleware redirects the request if the request scheme is different from the configured scheme.
-
-!!! warning "When behind another reverse-proxy"
-
- When there is at least one other reverse-proxy between the client and Traefik,
- the other reverse-proxy (i.e. the last hop) needs to be a [trusted](../../routing/entrypoints.md#forwarded-headers) one.
-
- Otherwise, Traefik would clean up the `X-Forwarded` headers coming from this last hop,
- and as the RedirectScheme middleware relies on them to determine the scheme used,
- it would not function as intended.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Redirect to https
-labels:
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
-```yaml tab="Kubernetes"
-# Redirect to https
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-redirectscheme
-spec:
- redirectScheme:
- scheme: https
- permanent: true
-```
-
-```yaml tab="Consul Catalog"
-# Redirect to https
-labels:
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
-```yaml tab="File (YAML)"
-# Redirect to https
-http:
- middlewares:
- test-redirectscheme:
- redirectScheme:
- scheme: https
- permanent: true
-```
-
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
- [http.middlewares.test-redirectscheme.redirectScheme]
- scheme = "https"
- permanent = true
-```
-
-## Configuration Options
-
-### `permanent`
-
-Set the `permanent` option to `true` to apply a permanent redirection.
-
-```yaml tab="Docker & Swarm"
-# Redirect to https
-labels:
- # ...
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
-```yaml tab="Kubernetes"
-# Redirect to https
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-redirectscheme
-spec:
- redirectScheme:
- # ...
- permanent: true
-```
-
-```yaml tab="Consul Catalog"
-# Redirect to https
-labels:
- # ...
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.permanent=true"
-```
-
-```yaml tab="File (YAML)"
-# Redirect to https
-http:
- middlewares:
- test-redirectscheme:
- redirectScheme:
- # ...
- permanent: true
-```
-
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
- [http.middlewares.test-redirectscheme.redirectScheme]
- # ...
- permanent = true
-```
-
-### `scheme`
-
-The `scheme` option defines the scheme of the new URL.
-
-```yaml tab="Docker & Swarm"
-# Redirect to https
-labels:
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-```
-
-```yaml tab="Kubernetes"
-# Redirect to https
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-redirectscheme
-spec:
- redirectScheme:
- scheme: https
-```
-
-```yaml tab="Consul Catalog"
-# Redirect to https
-labels:
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.scheme=https"
-```
-
-```yaml tab="File (YAML)"
-# Redirect to https
-http:
- middlewares:
- test-redirectscheme:
- redirectScheme:
- scheme: https
-```
-
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
- [http.middlewares.test-redirectscheme.redirectScheme]
- scheme = "https"
-```
-
-### `port`
-
-The `port` option defines the port of the new URL.
-
-```yaml tab="Docker & Swarm"
-# Redirect to https
-labels:
- # ...
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
-```
-
-```yaml tab="Kubernetes"
-# Redirect to https
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-redirectscheme
-spec:
- redirectScheme:
- # ...
- port: "443"
-```
-
-```yaml tab="Consul Catalog"
-# Redirect to https
-labels:
- # ...
- - "traefik.http.middlewares.test-redirectscheme.redirectscheme.port=443"
-```
-
-```yaml tab="File (YAML)"
-# Redirect to https
-http:
- middlewares:
- test-redirectscheme:
- redirectScheme:
- # ...
- port: "443"
-```
-
-```toml tab="File (TOML)"
-# Redirect to https
-[http.middlewares]
- [http.middlewares.test-redirectscheme.redirectScheme]
- # ...
- port = 443
-```
-
-!!! info "Port in this configuration is a string, not a numeric value."
diff --git a/docs/content/middlewares/http/replacepath.md b/docs/content/middlewares/http/replacepath.md
deleted file mode 100644
index e7024dffe..000000000
--- a/docs/content/middlewares/http/replacepath.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: "Traefik ReplacePath Documentation"
-description: "In Traefik Proxy's HTTP middleware, ReplacePath updates paths before forwarding requests. Read the technical documentation."
----
-
-# ReplacePath
-
-Updating the Path Before Forwarding the Request
-{: .subtitle }
-
-
-
-Replace the path of the request URL.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Replace the path with /foo
-labels:
- - "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
-```
-
-```yaml tab="Kubernetes"
-# Replace the path with /foo
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-replacepath
-spec:
- replacePath:
- path: /foo
-```
-
-```yaml tab="Consul Catalog"
-# Replace the path with /foo
-- "traefik.http.middlewares.test-replacepath.replacepath.path=/foo"
-```
-
-```yaml tab="File (YAML)"
-# Replace the path with /foo
-http:
- middlewares:
- test-replacepath:
- replacePath:
- path: "/foo"
-```
-
-```toml tab="File (TOML)"
-# Replace the path with /foo
-[http.middlewares]
- [http.middlewares.test-replacepath.replacePath]
- path = "/foo"
-```
-
-## Configuration Options
-
-### General
-
-The ReplacePath middleware will:
-
-- replace the actual path with the specified one.
-- store the original path in a `X-Replaced-Path` header.
-
-### `path`
-
-The `path` option defines the path to use as replacement in the request URL.
diff --git a/docs/content/middlewares/http/replacepathregex.md b/docs/content/middlewares/http/replacepathregex.md
deleted file mode 100644
index 7b0f956d3..000000000
--- a/docs/content/middlewares/http/replacepathregex.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: "Traefik ReplacePathRegex Documentation"
-description: "In Traefik Proxy's HTTP middleware, ReplacePathRegex updates paths before forwarding requests, using a regex. Read the technical documentation."
----
-
-# ReplacePathRegex
-
-Updating the Path Before Forwarding the Request (Using a Regex)
-{: .subtitle }
-
-
-
-The ReplaceRegex replaces the path of a URL using regex matching and replacement.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Replace path with regex
-labels:
- - "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
- - "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$$1"
-```
-
-```yaml tab="Kubernetes"
-# Replace path with regex
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-replacepathregex
-spec:
- replacePathRegex:
- regex: ^/foo/(.*)
- replacement: /bar/$1
-```
-
-```yaml tab="Consul Catalog"
-# Replace path with regex
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.regex=^/foo/(.*)"
-- "traefik.http.middlewares.test-replacepathregex.replacepathregex.replacement=/bar/$1"
-```
-
-```yaml tab="File (YAML)"
-# Replace path with regex
-http:
- middlewares:
- test-replacepathregex:
- replacePathRegex:
- regex: "^/foo/(.*)"
- replacement: "/bar/$1"
-```
-
-```toml tab="File (TOML)"
-# Replace path with regex
-[http.middlewares]
- [http.middlewares.test-replacepathregex.replacePathRegex]
- regex = "^/foo/(.*)"
- replacement = "/bar/$1"
-```
-
-## Configuration Options
-
-### General
-
-The ReplacePathRegex middleware will:
-
-- replace the matching path with the specified one.
-- store the original path in a `X-Replaced-Path` header.
-
-!!! tip
-
- Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
- When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
-
-### `regex`
-
-The `regex` option is the regular expression to match and capture the path from the request URL.
-
-### `replacement`
-
-The `replacement` option defines the replacement path format, which can include captured variables.
-
-!!! warning
-
- Care should be taken when defining replacement expand variables: `$1x` is equivalent to `${1x}`, not `${1}x` (see [Regexp.Expand](https://golang.org/pkg/regexp/#Regexp.Expand)), so use `${1}` syntax.
diff --git a/docs/content/middlewares/http/retry.md b/docs/content/middlewares/http/retry.md
deleted file mode 100644
index 3c838bef8..000000000
--- a/docs/content/middlewares/http/retry.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: "Traefik HTTP Retry Documentation"
-description: "Configure Traefik Proxy's HTTP Retry middleware, so you can retry requests to a backend server until it succeeds. Read the technical documentation."
----
-
-# Retry
-
-Retrying until it Succeeds
-{: .subtitle }
-
-
-
-The Retry middleware reissues requests a given number of times when it cannot contact the backend service.
-This applies at the transport level (TCP).
-If the service does not respond to the initial connection attempt, the middleware retries.
-However, once the service responds, regardless of the HTTP status code, the middleware considers it operational and stops retrying.
-This means that the retry mechanism does not handle HTTP errors; it only retries when there is no response at the TCP level.
-The Retry middleware has an optional configuration to enable an exponential backoff.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Retry 4 times with exponential backoff
-labels:
- - "traefik.http.middlewares.test-retry.retry.attempts=4"
- - "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
-```
-
-```yaml tab="Kubernetes"
-# Retry 4 times with exponential backoff
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-retry
-spec:
- retry:
- attempts: 4
- initialInterval: 100ms
-```
-
-```yaml tab="Consul Catalog"
-# Retry 4 times with exponential backoff
-- "traefik.http.middlewares.test-retry.retry.attempts=4"
-- "traefik.http.middlewares.test-retry.retry.initialinterval=100ms"
-```
-
-```yaml tab="File (YAML)"
-# Retry 4 times with exponential backoff
-http:
- middlewares:
- test-retry:
- retry:
- attempts: 4
- initialInterval: 100ms
-```
-
-```toml tab="File (TOML)"
-# Retry 4 times with exponential backoff
-[http.middlewares]
- [http.middlewares.test-retry.retry]
- attempts = 4
- initialInterval = "100ms"
-```
-
-## Configuration Options
-
-### `attempts`
-
-_mandatory_
-
-The `attempts` option defines how many times the request should be retried.
-
-### `initialInterval`
-
-The `initialInterval` option defines the first wait time in the exponential backoff series. The maximum interval is
-calculated as twice the `initialInterval`. If unspecified, requests will be retried immediately.
-
-The value of initialInterval should be provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
diff --git a/docs/content/middlewares/http/stripprefix.md b/docs/content/middlewares/http/stripprefix.md
deleted file mode 100644
index a68e813fc..000000000
--- a/docs/content/middlewares/http/stripprefix.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: "Traefik StripPrefix Documentation"
-description: "In Traefik Proxy's HTTP middleware, StripPrefix removes prefixes from paths before forwarding requests. Read the technical documentation."
----
-
-# StripPrefix
-
-Removing Prefixes From the Path Before Forwarding the Request
-{: .subtitle }
-
-
-
-Remove the specified prefixes from the URL path.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Strip prefix /foobar and /fiibar
-labels:
- - "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
-```
-
-```yaml tab="Kubernetes"
-# Strip prefix /foobar and /fiibar
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-stripprefix
-spec:
- stripPrefix:
- prefixes:
- - /foobar
- - /fiibar
-```
-
-```yaml tab="Consul Catalog"
-# Strip prefix /foobar and /fiibar
-- "traefik.http.middlewares.test-stripprefix.stripprefix.prefixes=/foobar,/fiibar"
-```
-
-```yaml tab="File (YAML)"
-# Strip prefix /foobar and /fiibar
-http:
- middlewares:
- test-stripprefix:
- stripPrefix:
- prefixes:
- - "/foobar"
- - "/fiibar"
-```
-
-```toml tab="File (TOML)"
-# Strip prefix /foobar and /fiibar
-[http.middlewares]
- [http.middlewares.test-stripprefix.stripPrefix]
- prefixes = ["/foobar", "/fiibar"]
-```
-
-## Configuration Options
-
-### General
-
-The StripPrefix middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.
-
-!!! tip
-
- Use a `StripPrefix` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
-
-### `prefixes`
-
-The `prefixes` option defines the prefixes to strip from the request URL.
-
-For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
-
-If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
-Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
-
-### `forceSlash`
-
-_Optional, Default=true_
-
-!!! warning
-
- `forceSlash` option is deprecated and should not be used.
-
-The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
-
-??? info "Behavior examples"
-
- - `forceSlash=true`
-
- | Path | Prefix to strip | Result |
- |------------|-----------------|--------|
- | `/` | `/` | `/` |
- | `/foo` | `/foo` | `/` |
- | `/foo/` | `/foo` | `/` |
- | `/foo/` | `/foo/` | `/` |
- | `/bar` | `/foo` | `/bar` |
- | `/foo/bar` | `/foo` | `/bar` |
-
- - `forceSlash=false`
-
- | Path | Prefix to strip | Result |
- |------------|-----------------|--------|
- | `/` | `/` | empty |
- | `/foo` | `/foo` | empty |
- | `/foo/` | `/foo` | `/` |
- | `/foo/` | `/foo/` | empty |
- | `/bar` | `/foo` | `/bar` |
- | `/foo/bar` | `/foo` | `/bar` |
-
-```yaml tab="Docker"
-labels:
- - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
- - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: example
-spec:
- stripPrefix:
- prefixes:
- - "/foobar"
- forceSlash: false
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- example:
- stripPrefix:
- prefixes:
- - "/foobar"
- forceSlash: false
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.example.stripPrefix]
- prefixes = ["/foobar"]
- forceSlash = false
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/middlewares/http/stripprefixregex.md b/docs/content/middlewares/http/stripprefixregex.md
deleted file mode 100644
index 1e8b10ee8..000000000
--- a/docs/content/middlewares/http/stripprefixregex.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: "Traefik StripPrefixRegex Documentation"
-description: "In Traefik Proxy's HTTP middleware, StripPrefixRegex removes prefixes from paths before forwarding requests, using regex. Read the technical documentation."
----
-
-# StripPrefixRegex
-
-Removing Prefixes From the Path Before Forwarding the Request (Using a Regex)
-{: .subtitle }
-
-Remove the matching prefixes from the URL path.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: test-stripprefixregex
-spec:
- stripPrefixRegex:
- regex:
- - "/foo/[a-z0-9]+/[0-9]+/"
-```
-
-```yaml tab="Consul Catalog"
-- "traefik.http.middlewares.test-stripprefixregex.stripprefixregex.regex=/foo/[a-z0-9]+/[0-9]+/"
-```
-
-```yaml tab="File (YAML)"
-http:
- middlewares:
- test-stripprefixregex:
- stripPrefixRegex:
- regex:
- - "/foo/[a-z0-9]+/[0-9]+/"
-```
-
-```toml tab="File (TOML)"
-[http.middlewares]
- [http.middlewares.test-stripprefixregex.stripPrefixRegex]
- regex = ["/foo/[a-z0-9]+/[0-9]+/"]
-```
-
-## Configuration Options
-
-### General
-
-The StripPrefixRegex middleware strips the matching path prefix and stores it in a `X-Forwarded-Prefix` header.
-
-!!! tip
-
- Use a `stripPrefixRegex` middleware if your backend listens on the root path (`/`) but should be exposed on a specific prefix.
-
-### `regex`
-
-The `regex` option is the regular expression to match the path prefix from the request URL.
-
-For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
-
-If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
-Using the previous example, the backend should return `/products/shoes/image.png` (and not `/images.png`, which Traefik would likely not be able to associate with the same backend).
-
-!!! tip
-
- Regular expressions and replacements can be tested using online tools such as [Go Playground](https://play.golang.org/p/mWU9p-wk2ru) or the [Regex101](https://regex101.com/r/58sIgx/2).
-
- When defining a regular expression within YAML, any escaped character needs to be escaped twice: `example\.com` needs to be written as `example\\.com`.
diff --git a/docs/content/middlewares/overview.md b/docs/content/middlewares/overview.md
deleted file mode 100644
index 5a2971791..000000000
--- a/docs/content/middlewares/overview.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: "Traefik Proxy Middleware Overview"
-description: "There are several available middleware in Traefik Proxy used to modify requests or headers, take charge of redirections, add authentication, and so on."
----
-
-# Middlewares
-
-Tweaking the Request
-{: .subtitle }
-
-Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your [service](../routing/services/index.md) (or before the answer from the services are sent to the clients).
-
-There are several available middleware in Traefik, some can modify the request, the headers, some are in charge of redirections, some add authentication, and so on.
-
-Middlewares that use the same protocol can be combined into chains to fit every scenario.
-
-!!! warning "Provider Namespace"
-
- Be aware of the concept of Providers Namespace described in the [Configuration Discovery](../providers/overview.md#provider-namespace) section.
- It also applies to Middlewares.
-
-## Configuration Example
-
-```yaml tab="Docker & Swarm"
-# As a Docker Label
-whoami:
- # A container that exposes an API to show its IP address
- image: traefik/whoami
- labels:
- # Create a middleware named `foo-add-prefix`
- - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
- # Apply the middleware named `foo-add-prefix` to the router named `router1`
- - "traefik.http.routers.router1.middlewares=foo-add-prefix@docker"
-```
-
-```yaml tab="IngressRoute"
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: stripprefix
-spec:
- stripPrefix:
- prefixes:
- - /stripit
-
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
- name: ingressroute
-spec:
-# more fields...
- routes:
- # more fields...
- middlewares:
- - name: stripprefix
-```
-
-```yaml tab="Consul Catalog"
-# Create a middleware named `foo-add-prefix`
-- "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
-# Apply the middleware named `foo-add-prefix` to the router named `router1`
-- "traefik.http.routers.router1.middlewares=foo-add-prefix@consulcatalog"
-```
-
-```yaml tab="File (YAML)"
-# As YAML Configuration File
-http:
- routers:
- router1:
- service: myService
- middlewares:
- - "foo-add-prefix"
- rule: "Host(`example.com`)"
-
- middlewares:
- foo-add-prefix:
- addPrefix:
- prefix: "/foo"
-
- services:
- service1:
- loadBalancer:
- servers:
- - url: "http://127.0.0.1:80"
-```
-
-```toml tab="File (TOML)"
-# As TOML Configuration File
-[http.routers]
- [http.routers.router1]
- service = "myService"
- middlewares = ["foo-add-prefix"]
- rule = "Host(`example.com`)"
-
-[http.middlewares]
- [http.middlewares.foo-add-prefix.addPrefix]
- prefix = "/foo"
-
-[http.services]
- [http.services.service1]
- [http.services.service1.loadBalancer]
-
- [[http.services.service1.loadBalancer.servers]]
- url = "http://127.0.0.1:80"
-```
-
-## Available Middlewares
-
-A list of HTTP middlewares can be found [here](http/overview.md).
-
-A list of TCP middlewares can be found [here](tcp/overview.md).
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/middlewares/tcp/inflightconn.md b/docs/content/middlewares/tcp/inflightconn.md
deleted file mode 100644
index 38ad09f65..000000000
--- a/docs/content/middlewares/tcp/inflightconn.md
+++ /dev/null
@@ -1,51 +0,0 @@
-# InFlightConn
-
-Limiting the Number of Simultaneous connections.
-{: .subtitle }
-
-To proactively prevent services from being overwhelmed with high load, the number of allowed simultaneous connections by IP can be limited.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-labels:
- - "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: MiddlewareTCP
-metadata:
- name: test-inflightconn
-spec:
- inFlightConn:
- amount: 10
-```
-
-```yaml tab="Consul Catalog"
-# Limiting to 10 simultaneous connections
-- "traefik.tcp.middlewares.test-inflightconn.inflightconn.amount=10"
-```
-
-```yaml tab="File (YAML)"
-# Limiting to 10 simultaneous connections.
-tcp:
- middlewares:
- test-inflightconn:
- inFlightConn:
- amount: 10
-```
-
-```toml tab="File (TOML)"
-# Limiting to 10 simultaneous connections
-[tcp.middlewares]
- [tcp.middlewares.test-inflightconn.inFlightConn]
- amount = 10
-```
-
-## Configuration Options
-
-### `amount`
-
-The `amount` option defines the maximum amount of allowed simultaneous connections.
-The middleware closes the connection if there are already `amount` connections opened.
diff --git a/docs/content/middlewares/tcp/ipallowlist.md b/docs/content/middlewares/tcp/ipallowlist.md
deleted file mode 100644
index 39e014ef7..000000000
--- a/docs/content/middlewares/tcp/ipallowlist.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-title: "Traefik TCP Middlewares IPAllowList"
-description: "Learn how to use IPAllowList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
----
-
-# IPAllowList
-
-Limiting Clients to Specific IPs
-{: .subtitle }
-
-IPAllowList limits allowed requests based on the client IP.
-
-## Configuration Examples
-
-```yaml tab="Docker & Swarm"
-# Accepts connections from defined IP
-labels:
- - "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: MiddlewareTCP
-metadata:
- name: test-ipallowlist
-spec:
- ipAllowList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-# Accepts request from defined IP
-- "traefik.tcp.middlewares.test-ipallowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```toml tab="File (TOML)"
-# Accepts request from defined IP
-[tcp.middlewares]
- [tcp.middlewares.test-ipallowlist.ipAllowList]
- sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-```yaml tab="File (YAML)"
-# Accepts request from defined IP
-tcp:
- middlewares:
- test-ipallowlist:
- ipAllowList:
- sourceRange:
- - "127.0.0.1/32"
- - "192.168.1.7"
-```
-
-## Configuration Options
-
-### `sourceRange`
-
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
diff --git a/docs/content/middlewares/tcp/ipwhitelist.md b/docs/content/middlewares/tcp/ipwhitelist.md
deleted file mode 100644
index c3d1ccb43..000000000
--- a/docs/content/middlewares/tcp/ipwhitelist.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: "Traefik TCP Middlewares IPWhiteList"
-description: "Learn how to use IPWhiteList in TCP middleware for limiting clients to specific IPs in Traefik Proxy. Read the technical documentation."
----
-
-# IPWhiteList
-
-Limiting Clients to Specific IPs
-{: .subtitle }
-
-IPWhiteList accepts / refuses connections based on the client IP.
-
-!!! warning
-
- This middleware is deprecated, please use the [IPAllowList](./ipallowlist.md) middleware instead.
-
-## Configuration Examples
-
-```yaml tab="Docker"
-# Accepts connections from defined IP
-labels:
- - "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```yaml tab="Kubernetes"
-apiVersion: traefik.io/v1alpha1
-kind: MiddlewareTCP
-metadata:
- name: test-ipwhitelist
-spec:
- ipWhiteList:
- sourceRange:
- - 127.0.0.1/32
- - 192.168.1.7
-```
-
-```yaml tab="Consul Catalog"
-# Accepts request from defined IP
-- "traefik.tcp.middlewares.test-ipwhitelist.ipwhitelist.sourcerange=127.0.0.1/32, 192.168.1.7"
-```
-
-```toml tab="File (TOML)"
-# Accepts request from defined IP
-[tcp.middlewares]
- [tcp.middlewares.test-ipwhitelist.ipWhiteList]
- sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-```
-
-```yaml tab="File (YAML)"
-# Accepts request from defined IP
-tcp:
- middlewares:
- test-ipwhitelist:
- ipWhiteList:
- sourceRange:
- - "127.0.0.1/32"
- - "192.168.1.7"
-```
-
-## Configuration Options
-
-### `sourceRange`
-
-The `sourceRange` option sets the allowed IPs (or ranges of allowed IPs by using CIDR notation).
diff --git a/docs/content/middlewares/tcp/overview.md b/docs/content/middlewares/tcp/overview.md
deleted file mode 100644
index 415a1716c..000000000
--- a/docs/content/middlewares/tcp/overview.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: "Traefik Proxy TCP Middleware Overview"
-description: "Read the official Traefik Proxy documentation for an overview of the available TCP middleware."
----
-
-# TCP Middlewares
-
-Controlling connections
-{: .subtitle }
-
-## Configuration Example
-
-```yaml tab="Docker & Swarm"
-# As a Docker Label
-whoami:
- # A container that exposes an API to show its IP address
- image: traefik/whoami
- labels:
- # Create a middleware named `foo-ip-allowlist`
- - "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
- # Apply the middleware named `foo-ip-allowlist` to the router named `router1`
- - "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@docker"
-```
-
-```yaml tab="IngressRoute"
-# As a Kubernetes Traefik IngressRoute
----
-apiVersion: traefik.io/v1alpha1
-kind: MiddlewareTCP
-metadata:
- name: foo-ip-allowlist
-spec:
- ipAllowList:
- sourcerange:
- - 127.0.0.1/32
- - 192.168.1.7
-
----
-apiVersion: traefik.io/v1alpha1
-kind: IngressRouteTCP
-metadata:
- name: ingressroute
-spec:
-# more fields...
- routes:
- # more fields...
- middlewares:
- - name: foo-ip-allowlist
-```
-
-```yaml tab="Consul Catalog"
-# Create a middleware named `foo-ip-allowlist`
-- "traefik.tcp.middlewares.foo-ip-allowlist.ipallowlist.sourcerange=127.0.0.1/32, 192.168.1.7"
-# Apply the middleware named `foo-ip-allowlist` to the router named `router1`
-- "traefik.tcp.routers.router1.middlewares=foo-ip-allowlist@consulcatalog"
-```
-
-```toml tab="File (TOML)"
-# As TOML Configuration File
-[tcp.routers]
- [tcp.routers.router1]
- service = "myService"
- middlewares = ["foo-ip-allowlist"]
- rule = "Host(`example.com`)"
-
-[tcp.middlewares]
- [tcp.middlewares.foo-ip-allowlist.ipAllowList]
- sourceRange = ["127.0.0.1/32", "192.168.1.7"]
-
-[tcp.services]
- [tcp.services.service1]
- [tcp.services.service1.loadBalancer]
- [[tcp.services.service1.loadBalancer.servers]]
- address = "10.0.0.10:4000"
- [[tcp.services.service1.loadBalancer.servers]]
- address = "10.0.0.11:4000"
-```
-
-```yaml tab="File (YAML)"
-# As YAML Configuration File
-tcp:
- routers:
- router1:
- service: myService
- middlewares:
- - "foo-ip-allowlist"
- rule: "Host(`example.com`)"
-
- middlewares:
- foo-ip-allowlist:
- ipAllowList:
- sourceRange:
- - "127.0.0.1/32"
- - "192.168.1.7"
-
- services:
- service1:
- loadBalancer:
- servers:
- - address: "10.0.0.10:4000"
- - address: "10.0.0.11:4000"
-```
-
-## Available TCP Middlewares
-
-| Middleware | Purpose | Area |
-|-------------------------------------------|---------------------------------------------------|-----------------------------|
-| [InFlightConn](inflightconn.md) | Limits the number of simultaneous connections. | Security, Request lifecycle |
-| [IPAllowList](ipallowlist.md) | Limit the allowed client IPs. | Security, Request lifecycle |
diff --git a/docs/content/migrate/v2-to-v3-details.md b/docs/content/migrate/v2-to-v3-details.md
index b78ca8223..8876ce99e 100644
--- a/docs/content/migrate/v2-to-v3-details.md
+++ b/docs/content/migrate/v2-to-v3-details.md
@@ -78,7 +78,7 @@ Docker provider `tls.CAOptional` option has been removed in v3, as TLS client au
##### Remediation
-The `tls.caOptional` option should be removed from the Docker provider static configuration.
+The `tls.caOptional` option should be removed from the Docker provider install configuration.
### Kubernetes Gateway API
@@ -134,8 +134,8 @@ It is now unsupported and would prevent Traefik to start.
##### Remediation
-The `http3` option should be removed from the static configuration experimental section.
-To configure `http3`, please checkout the [entrypoint configuration documentation](../reference/install-configuration/entrypoints.md#http3).
+The `http3` option should be removed from the install configuration experimental section.
+To configure `http3`, please checkout the [entrypoint configuration documentation](../reference/install-configuration/entrypoints.md#opt-http3).
### Consul provider
@@ -205,7 +205,7 @@ Consul provider `tls.CAOptional` option has been removed in v3, as TLS client au
##### Remediation
-The `tls.caOptional` option should be removed from the Consul provider static configuration.
+The `tls.caOptional` option should be removed from the Consul provider install configuration.
### ConsulCatalog provider
@@ -276,7 +276,7 @@ ConsulCatalog provider `endpoint.tls.CAOptional` option has been removed in v3,
##### Remediation
-The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider static configuration.
+The `endpoint.tls.caOptional` option should be removed from the ConsulCatalog provider install configuration.
### Nomad provider
@@ -347,7 +347,7 @@ Nomad provider `endpoint.tls.CAOptional` option has been removed in v3, as TLS c
##### Remediation
-The `endpoint.tls.caOptional` option should be removed from the Nomad provider static configuration.
+The `endpoint.tls.caOptional` option should be removed from the Nomad provider install configuration.
### Rancher v1 Provider
@@ -374,9 +374,9 @@ This configuration is now unsupported and would prevent Traefik to start.
#### Remediation
Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
-As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../providers/kubernetes-crd.md) directly.
+As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md) directly.
-Also, all Rancher provider related configuration should be removed from the static configuration.
+Also, all Rancher provider related configuration should be removed from the install configuration.
### Marathon provider
@@ -402,7 +402,7 @@ This configuration is now unsupported and would prevent Traefik to start.
#### Remediation
-All Marathon provider related configuration should be removed from the static configuration.
+All Marathon provider related configuration should be removed from the install configuration.
### HTTP Provider
@@ -430,7 +430,7 @@ HTTP provider `tls.CAOptional` option has been removed in v3, as TLS client auth
##### Remediation
-The `tls.caOptional` option should be removed from the HTTP provider static configuration.
+The `tls.caOptional` option should be removed from the HTTP provider install configuration.
### ETCD Provider
@@ -458,7 +458,7 @@ ETCD provider `tls.CAOptional` option has been removed in v3, as TLS client auth
##### Remediation
-The `tls.caOptional` option should be removed from the ETCD provider static configuration.
+The `tls.caOptional` option should be removed from the ETCD provider install configuration.
### Redis Provider
@@ -486,7 +486,7 @@ Redis provider `tls.CAOptional` option has been removed in v3, as TLS client aut
##### Remediation
-The `tls.caOptional` option should be removed from the Redis provider static configuration.
+The `tls.caOptional` option should be removed from the Redis provider install configuration.
### InfluxDB v1
@@ -512,7 +512,7 @@ This configuration is now unsupported and would prevent Traefik to start.
#### Remediation
-All InfluxDB v1 metrics provider related configuration should be removed from the static configuration.
+All InfluxDB v1 metrics provider related configuration should be removed from the install configuration.
### Pilot
@@ -539,7 +539,7 @@ it is now unsupported and would prevent Traefik to start.
#### Remediation
-All Pilot related configuration should be removed from the static configuration.
+All Pilot related configuration should be removed from the install configuration.
### Kubernetes Ingress Path Matching
@@ -550,16 +550,16 @@ In v3, the Kubernetes Ingress default path matching does not support regexes any
Two levels of remediation are possible:
- Interpret the default path matcher `PathPrefix` with v2 syntax.
-This can done globally for all routers with the [static configuration](#configure-the-default-syntax-in-static-configuration) or on a per-router basis by using the [traefik.ingress.kubernetes.io/router.rulesyntax](../routing/providers/kubernetes-ingress.md#annotations) annotation.
+This can done globally for all routers with the [install configuration](#configure-the-default-syntax-in-install-configuration) or on a per-router basis by using the [traefik.ingress.kubernetes.io/router.rulesyntax](../reference/routing-configuration/kubernetes/ingress.md#annotations) annotation.
-- Adapt the path regex to be compatible with the Go regex syntax and change the default path matcher to use the `PathRegexp` matcher with the [`traefik.ingress.kubernetes.io/router.pathmatcher`](../routing/providers/kubernetes-ingress.md#annotations) annotation.
+- Adapt the path regex to be compatible with the Go regex syntax and change the default path matcher to use the `PathRegexp` matcher with the [`traefik.ingress.kubernetes.io/router.pathmatcher`](../reference/routing-configuration/kubernetes/ingress.md#annotations) annotation.
## Operations Changes
### Traefik RBAC Update
In v3, the support of `TCPServersTransport` has been introduced.
-When using the KubernetesCRD provider, it is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) manifests.
+When using the KubernetesCRD provider, it is therefore necessary to update RBAC and CRDs ([See requirements](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md#requirements)).
### Content-Type Auto-Detection
@@ -602,7 +602,7 @@ Here are two possible transition strategies:
using OpenTelemetry (OTel) collectors with appropriate exporters configuration is a viable solution.
This allows continued compatibility with the existing infrastructure.
-Please check the [OpenTelemetry Tracing provider documention](../observability/tracing/opentelemetry.md) for more information.
+Please check the [OpenTelemetry Tracing provider documentation](../reference/install-configuration/observability/tracing.md) for more information.
#### Internal Resources Observability
@@ -610,9 +610,9 @@ In v3, observability for internal routers or services (e.g.: `ping@internal`) is
To enable it one should use the new `addInternals` option for AccessLogs, Metrics or Tracing.
Please take a look at the observability documentation for more information:
-- [AccessLogs](../observability/access-logs.md#addinternals)
-- [Metrics](../observability/metrics/overview.md#addinternals)
-- [Tracing](../observability/tracing/overview.md#addinternals)
+- [AccessLogs](../reference/install-configuration/observability/logs-and-accesslogs.md#accesslogs)
+- [Metrics](../reference/install-configuration/observability/metrics.md)
+- [Tracing](../reference/install-configuration/observability/tracing.md)
#### Access logs
@@ -628,7 +628,7 @@ The default rule matchers syntax is now the v3 one, but for backward compatibili
The v2 rule matchers syntax is deprecated and its support will be removed in the next major version.
For this reason, we encourage migrating to the new syntax.
-By default, the `defaultRuleSyntax` static option is automatically set to `v3`, meaning that the default rule is the new one.
+By default, the `defaultRuleSyntax` install option is automatically set to `v3`, meaning that the default rule is the new one.
#### New V3 Syntax Notable Changes
@@ -653,27 +653,27 @@ and should be explicitly combined using logical operators to mimic previous beha
#### Remediation
-##### Configure the Default Syntax In Static Configuration
+##### Configure the Default Syntax In Install Configuration
The default rule matchers syntax is the expected syntax for any router that is not self opt-out from this default value.
-It can be configured in the static configuration.
+It can be configured in the install configuration.
??? example "An example configuration for the default rule matchers syntax"
```yaml tab="File (YAML)"
- # static configuration
+ # install configuration
core:
defaultRuleSyntax: v2
```
```toml tab="File (TOML)"
- # static configuration
+ # install configuration
[core]
defaultRuleSyntax="v2"
```
```bash tab="CLI"
- # static configuration
+ # install configuration
--core.defaultRuleSyntax=v2
```
@@ -769,7 +769,7 @@ In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing
### TCP LoadBalancer `terminationDelay` option
The TCP LoadBalancer `terminationDelay` option has been deprecated.
-This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../routing/services/index.md#terminationdelay)
+This option can now be configured directly on the `TCPServersTransport` level, please take a look at this [documentation](../reference/routing-configuration/tcp/serverstransport.md#opt-serverstransport-terminationDelay)
### Kubernetes CRDs API Group `traefik.containo.us`
diff --git a/docs/content/migrate/v2-to-v3.md b/docs/content/migrate/v2-to-v3.md
index 2c09f86f9..2fe034811 100644
--- a/docs/content/migrate/v2-to-v3.md
+++ b/docs/content/migrate/v2-to-v3.md
@@ -9,9 +9,9 @@ How to Migrate from Traefik v2 to Traefik v3.
{: .subtitle }
!!! success "Streamlined Migration Process"
- Traefik v3 introduces minimal breaking changes and maintains backward compatibility with v2 syntax in dynamic configuration, offering a gradual migration path.
+ Traefik v3 introduces minimal breaking changes and maintains backward compatibility with v2 syntax in routing configuration, offering a gradual migration path.
-With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
+With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [install configuration](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [routing configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
## Migration Overview
@@ -20,33 +20,33 @@ The migration process consists of three progressive steps designed to minimize r
!!! abstract "Migration Steps"
**Step 1:** [Prepare configurations and test v3](#step-1-prepare-configurations-and-test-v3)
**Step 2:** [Migrate production instances to Traefik v3](#step-2-migrate-production-instances-to-traefik-v3)
- **Step 3:** [Progressively migrate dynamic configuration](#step-3-progressively-migrate-dynamic-configuration)
+ **Step 3:** [Progressively migrate routing configuration](#step-3-progressively-migrate-routing-configuration)
---
## Step 1: Prepare Configurations and Test v3
!!! info "Preparation Phase"
- This step focuses on updating static configurations and enabling backward compatibility for a safe testing environment.
+ This step focuses on updating install configurations and enabling backward compatibility for a safe testing environment.
### Configuration Updates
-**Review and Update Static Configuration**
+**Review and Update install Configuration**
-Check the changes in [static configurations](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.
+Check the changes in [install configurations](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.
**Enable v2 Compatibility Mode**
Add the following configuration to maintain v2 syntax compatibility:
```yaml
-# static configuration
+# install configuration
core:
defaultRuleSyntax: v2
```
!!! note "Backward Compatibility"
- This snippet in the static configuration makes the [v2 format](../migrate/v2-to-v3-details.md#configure-the-default-syntax-in-static-configuration "Link to configure default syntax in static config") the default rule matchers syntax.
+ This snippet in the install configuration makes the [v2 format](./v2-to-v3-details.md#configure-the-default-syntax-in-install-configuration "Link to configure default syntax in install config") the default rule matchers syntax.
### Testing Phase
@@ -107,16 +107,16 @@ We strongly advise you to follow a progressive migration strategy ([Kubernetes r
---
-## Step 3: Progressively Migrate Dynamic Configuration
+## Step 3: Progressively Migrate Routing Configuration
!!! info "Optional Immediate Step"
- This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.
+ This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [routing configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.
### Migration Process
-**Review Dynamic Configuration Changes**
+**Review Routing Configuration Changes**
-Check the changes in [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes") to understand what updates are needed.
+Check the changes in [routing configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes") to understand what updates are needed.
**Progressive Router Migration**
@@ -140,7 +140,7 @@ Check the changes in [dynamic configuration](./v2-to-v3-details.md#routing-confi
Once all Ingress resources are migrated to v3 syntax, remove the compatibility configuration:
```yaml
-# Remove this from static configuration
+# Remove this from install configuration
core:
defaultRuleSyntax: v2 # ← Delete this entire section
```
diff --git a/docs/content/migrate/v3.md b/docs/content/migrate/v3.md
index 25e4dde1b..7d6a917bf 100644
--- a/docs/content/migrate/v3.md
+++ b/docs/content/migrate/v3.md
@@ -51,9 +51,9 @@ The following RBAC updates are required for all Kubernetes providers:
!!! note "Affected Providers"
These changes apply to:
- - [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example) provider
- - [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac) provider
- - [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider
+ - [KubernetesIngress](../reference/install-configuration/providers/kubernetes/kubernetes-ingress.md) provider
+ - [KubernetesCRD](../reference/install-configuration/providers/kubernetes/kubernetes-crd.md#requirements) provider
+ - [KubernetesGateway](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md#requirements) provider
#### Gateway API: KubernetesGateway Provider
@@ -80,7 +80,7 @@ The KubernetesGateway Provider is no longer experimental in v3.1 and can be enab
**Migration Steps:**
1. Remove the `kubernetesgateway` option from the experimental section
-2. Configure the provider using the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md)
+2. Configure the provider using the [KubernetesGateway Provider documentation](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md)
---
@@ -113,15 +113,15 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/con
**Updated Resources:**
-- [TraefikService](../routing/services/index.md#mirroring-service) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
-- [RateLimit](../middlewares/http/ratelimit.md) & [InFlightReq](../middlewares/http/inflightreq.md) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
-- [Compress](../middlewares/http/compress.md) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))
+- [TraefikService](../reference/routing-configuration/kubernetes/crd/http/traefikservice.md#opt-mirrorBody) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
+- [RateLimit](../reference/routing-configuration/http/middlewares/ratelimit.md#opt-sourceCriterion-ipStrategy-ipv6Subnet) & [InFlightReq](../reference/routing-configuration/http/middlewares/inflightreq.md#opt-sourceCriterion-ipStrategy-ipv6Subnet) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
+- [Compress](../reference/routing-configuration/http/middlewares/compress.md#opt-encodings) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))
### Kubernetes Gateway Provider Standard Channel
Starting with v3.2, the Kubernetes Gateway Provider now supports [GRPCRoute](https://gateway-api.sigs.k8s.io/api-types/grpcroute/) resources.
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md#requirements) provider RBACs),
the `grcroutes` and `grpcroutes/status` rights have to be added.
**Required RBAC Updates:**
@@ -153,7 +153,7 @@ Due to breaking changes in Kubernetes Gateway [v1.2.0-rc1](https://github.com/ku
The provider now supports [BackendTLSPolicy](https://gateway-api.sigs.k8s.io/api-types/backendtlspolicy/) resources.
-Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs),
+Therefore, in the corresponding RBACs (see [KubernetesGateway](../reference/install-configuration/providers/kubernetes/kubernetes-gateway.md#requirements) provider RBACs),
the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added.
**Required RBAC Updates:**
@@ -193,7 +193,7 @@ the `backendtlspolicies` and `backendtlspolicies/status` rights have to be added
In v3.2.1, the `X-Forwarded-Prefix` header is now handled like other `X-Forwarded-*` headers - Traefik removes it when sent from untrusted sources.
-This change improves security by preventing header spoofing from untrusted clients. Refer to the [Forwarded headers documentation](../routing/entrypoints.md#forwarded-headers) for configuration details.
+This change improves security by preventing header spoofing from untrusted clients. Refer to the [Forwarded headers documentation](../reference/install-configuration/entrypoints.md#forwarded-headers) for configuration details.
---
@@ -326,7 +326,7 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/con
!!! warning "Deprecation"
The `RoundRobin` strategy is deprecated but still supported (equivalent to `wrr`). It will be removed in the next major release.
-Refer to the [HTTP Services Load Balancing documentation](../routing/services/index.md#load-balancing-strategy) for detailed information.
+Refer to the [HTTP Services Load Balancing documentation](../reference/routing-configuration/http/load-balancing/service.md#opt-strategy) for detailed information.
#### ServersTransport CA Certificate Configuration
@@ -452,7 +452,7 @@ Possible values are:
- `minimal`: produces a single server span and one client span for each request processed by a router.
- `detailed`: enables the creation of additional spans for each middleware executed for each request processed by a router.
-See the updated documentation for [entrypoints](../reference/install-configuration/entrypoints.md) and [dynamic routers](../reference/routing-configuration/http/routing/observability.md#traceverbosity).
+See the updated documentation for [entrypoints](../reference/install-configuration/entrypoints.md#opt-observability-traceVerbosity) and [dynamic routers](../reference/routing-configuration/http/routing/observability.md#opt-traceVerbosity).
#### K8s Resource Attributes
@@ -478,7 +478,7 @@ For that purpose, the following right has to be added to the Traefik Kubernetes
### Deprecation of ProxyProtocol option
Starting with `v3.5.2`, the `proxyProtocol` option for TCP LoadBalancer is deprecated.
-This option can now be configured at the `TCPServersTransport` level, please check out the [documentation](../reference/routing-configuration/tcp/serverstransport.md) for more details.
+This option can now be configured at the `TCPServersTransport` level, please check out the [documentation](../reference/routing-configuration/tcp/serverstransport.md#opt-serverstransport-proxyProtocol) for more details.
#### Kubernetes CRD Provider
@@ -601,7 +601,7 @@ Note: This check is not done against query parameters,
but only against the request path as defined
in [RFC3986 section-3](https://datatracker.ietf.org/doc/html/rfc3986#section-3).
-Please check out the entrypoint [encodedCharacters option](../routing/entrypoints.md#encoded-characters) documentation
+Please check out the entrypoint [encodedCharacters option](../reference/install-configuration/entrypoints.md#encoded-characters) documentation
for more details.
## v3.6.8
@@ -619,7 +619,7 @@ The default value for this option is -1, which means there is no limit to the re
However, it is strongly recommended to set this option to a suitable value to avoid performance and security issues,
such as DoS attacks and memory exhaustion.
-Please check out the [ForwardAuth](../reference/routing-configuration/http/middlewares/forwardauth.md#maxresponsebodysize) middleware documentation for more details.
+Please check out the [ForwardAuth](../reference/routing-configuration/http/middlewares/forwardauth.md#opt-maxResponseBodySize) middleware documentation for more details.
### Kubernetes CRD Provider
diff --git a/docs/content/observability/access-logs.md b/docs/content/observability/access-logs.md
deleted file mode 100644
index 1352c60de..000000000
--- a/docs/content/observability/access-logs.md
+++ /dev/null
@@ -1,785 +0,0 @@
----
-title: "Traefik Access Logs Documentation"
-description: "Access logs are a key part of observability in Traefik Proxy. Read the technical documentation to learn their configurations, rotations, and time zones."
----
-
-# Access Logs
-
-Who Calls Whom?
-{.subtitle}
-
-By default, logs are written to stdout, in text format.
-
-## Configuration
-
-To enable the access logs:
-
-```yaml tab="File (YAML)"
-accessLog: {}
-```
-
-```toml tab="File (TOML)"
-[accessLog]
-```
-
-```bash tab="CLI"
---accesslog=true
-```
-
-### `addInternals`
-
-_Optional, Default="false"_
-
-Enables access logs for internal resources (e.g.: `ping@internal`).
-
-```yaml tab="File (YAML)"
-accesslog:
- addInternals: true
-```
-
-```toml tab="File (TOML)"
-[accesslog]
- addInternals = true
-```
-
-```bash tab="CLI"
---accesslog.addinternals
-```
-
-### `filePath`
-
-By default access logs are written to the standard output.
-To write the logs into a log file, use the `filePath` option.
-
-```yaml tab="File (YAML)"
-accessLog:
- filePath: "/path/to/access.log"
-```
-
-```toml tab="File (TOML)"
-[accessLog]
- filePath = "/path/to/access.log"
-```
-
-```bash tab="CLI"
---accesslog.filepath=/path/to/access.log
-```
-
-### `format`
-
-_Optional, Default="common"_
-
-By default, logs are written using the Traefik Common Log Format (CLF).
-The available log formats are:
-
-- `common` - Traefik's extended CLF format (default)
-- `genericCLF` - Generic CLF format compatible with standard log analyzers
-- `json` - JSON format for structured logging
-
-If the given format is unsupported, the default (`common`) is used instead.
-
-!!! info "Traefik Common Log Format vs Generic CLF"
-
- **Traefik Common Log Format (`common`):**
- ```html
- - [] "" "" "" "" "" ms
- ```
-
- **Generic CLF Format (`genericCLF`):**
- ```html
- - [] "" "" ""
- ```
-
- The `genericCLF` format omits Traefik-specific fields (request count, router name, service URL, and duration) for better compatibility with standard CLF parsers.
-
-```yaml tab="File (YAML)"
-# JSON format
-accessLog:
- format: "json"
-```
-
-```toml tab="File (TOML)"
-# JSON format
-[accessLog]
- format = "json"
-```
-
-```bash tab="CLI"
-# JSON format
---accesslog.format=json
-```
-
-### `bufferingSize`
-
-To write the logs in an asynchronous fashion, specify a `bufferingSize` option.
-This option represents the number of log lines Traefik will keep in memory before writing them to the selected output.
-In some cases, this option can greatly help performances.
-
-```yaml tab="File (YAML)"
-# Configuring a buffer of 100 lines
-accessLog:
- filePath: "/path/to/access.log"
- bufferingSize: 100
-```
-
-```toml tab="File (TOML)"
-# Configuring a buffer of 100 lines
-[accessLog]
- filePath = "/path/to/access.log"
- bufferingSize = 100
-```
-
-```bash tab="CLI"
-# Configuring a buffer of 100 lines
---accesslog.filepath=/path/to/access.log
---accesslog.bufferingsize=100
-```
-
-### Filtering
-
-To filter logs, you can specify a set of filters which are logically "OR-connected".
-Thus, specifying multiple filters will keep more access logs than specifying only one.
-
-The available filters are:
-
-- `statusCodes`, to limit the access logs to requests with a status codes in the specified range
-- `retryAttempts`, to keep the access logs when at least one retry has happened
-- `minDuration`, to keep access logs when requests take longer than the specified duration (provided in seconds or as a valid duration format, see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration))
-
-```yaml tab="File (YAML)"
-# Configuring Multiple Filters
-accessLog:
- filePath: "/path/to/access.log"
- format: json
- filters:
- statusCodes:
- - "200"
- - "300-302"
- retryAttempts: true
- minDuration: "10ms"
-```
-
-```toml tab="File (TOML)"
-# Configuring Multiple Filters
-[accessLog]
- filePath = "/path/to/access.log"
- format = "json"
-
- [accessLog.filters]
- statusCodes = ["200", "300-302"]
- retryAttempts = true
- minDuration = "10ms"
-```
-
-```bash tab="CLI"
-# Configuring Multiple Filters
---accesslog.filepath=/path/to/access.log
---accesslog.format=json
---accesslog.filters.statuscodes=200,300-302
---accesslog.filters.retryattempts
---accesslog.filters.minduration=10ms
-```
-
-### Limiting the Fields/Including Headers
-
-You can decide to limit the logged fields/headers to a given list with the `fields.names` and `fields.headers` options.
-
-Each field can be set to:
-
-- `keep` to keep the value
-- `drop` to drop the value
-
-Header fields may also optionally be set to `redact` to replace the value with "REDACTED".
-
-The `defaultMode` for `fields.names` is `keep`.
-
-The `defaultMode` for `fields.headers` is `drop`.
-
-```yaml tab="File (YAML)"
-# Limiting the Logs to Specific Fields
-accessLog:
- filePath: "/path/to/access.log"
- format: json
- fields:
- defaultMode: keep
- names:
- ClientUsername: drop
- headers:
- defaultMode: keep
- names:
- User-Agent: redact
- Authorization: drop
- Content-Type: keep
-```
-
-```toml tab="File (TOML)"
-# Limiting the Logs to Specific Fields
-[accessLog]
- filePath = "/path/to/access.log"
- format = "json"
-
- [accessLog.fields]
- defaultMode = "keep"
-
- [accessLog.fields.names]
- "ClientUsername" = "drop"
-
- [accessLog.fields.headers]
- defaultMode = "keep"
-
- [accessLog.fields.headers.names]
- "User-Agent" = "redact"
- "Authorization" = "drop"
- "Content-Type" = "keep"
-```
-
-```bash tab="CLI"
-# Limiting the Logs to Specific Fields
---accesslog.filepath=/path/to/access.log
---accesslog.format=json
---accesslog.fields.defaultmode=keep
---accesslog.fields.names.ClientUsername=drop
---accesslog.fields.headers.defaultmode=keep
---accesslog.fields.headers.names.User-Agent=redact
---accesslog.fields.headers.names.Authorization=drop
---accesslog.fields.headers.names.Content-Type=keep
-```
-
-??? info "Available Fields"
-
- | Field | Description |
- |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
- | `StartUTC` | The time at which request processing started. |
- | `StartLocal` | The local time at which request processing started. |
- | `Duration` | The total time taken (in nanoseconds) by processing the response, including the origin server's time but not the log writing time. |
- | `RouterName` | The name of the Traefik router. |
- | `ServiceName` | The name of the Traefik backend. |
- | `ServiceURL` | The URL of the Traefik backend. |
- | `ServiceAddr` | The IP:port of the Traefik backend (extracted from `ServiceURL`) |
- | `ClientAddr` | The remote address in its original form (usually IP:port). |
- | `ClientHost` | The remote IP address from which the client request was received. |
- | `ClientPort` | The remote TCP port from which the client request was received. |
- | `ClientUsername` | The username provided in the URL, if present. |
- | `RequestAddr` | The HTTP Host header (usually IP:port). This is treated as not a header by the Go API. |
- | `RequestHost` | The HTTP Host server name (not including port). |
- | `RequestPort` | The TCP port from the HTTP Host. |
- | `RequestMethod` | The HTTP method. |
- | `RequestPath` | The HTTP request URI, not including the scheme, host or port. |
- | `RequestProtocol` | The version of HTTP requested. |
- | `RequestScheme` | The HTTP scheme requested `http` or `https`. |
- | `RequestLine` | `RequestMethod` + `RequestPath` + `RequestProtocol` |
- | `RequestContentSize` | The number of bytes in the request entity (a.k.a. body) sent by the client. |
- | `OriginDuration` | The time taken (in nanoseconds) by the origin server ('upstream') to return its response. |
- | `OriginContentSize` | The content length specified by the origin server, or 0 if unspecified. |
- | `OriginStatus` | The HTTP status code returned by the origin server. If the request was handled by this Traefik instance (e.g. with a redirect), then this value will be absent (0). |
- | `DownstreamStatus` | The HTTP status code returned to the client. |
- | `DownstreamContentSize` | The number of bytes in the response entity returned to the client. This is in addition to the "Content-Length" header, which may be present in the origin response. |
- | `RequestCount` | The number of requests received since the Traefik instance started. |
- | `GzipRatio` | The response body compression ratio achieved. |
- | `Overhead` | The processing time overhead (in nanoseconds) caused by Traefik. |
- | `RetryAttempts` | The amount of attempts the request was retried. |
- | `TLSVersion` | The TLS version used by the connection (e.g. `1.2`) (if connection is TLS). |
- | `TLSCipher` | The TLS cipher used by the connection (e.g. `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`) (if connection is TLS) |
- | `TLSClientSubject` | The string representation of the TLS client certificate's Subject (e.g. `CN=username,O=organization`) |
- | `TraceId` | (Deprecated) A consistent identifier for tracking requests across services, including upstream ones managed by Traefik, shown as a 32-hex digit string |
- | `SpanId` | (Deprecated) A unique identifier for Traefik’s root span (EntryPoint) within a request trace, formatted as a 16-hex digit string. |
- | `trace_id` | OTel-conformant trace identifier for tracking requests across services, including upstream ones managed by Traefik, shown as a 32-hex digit string |
- | `span_id` | OTel-conformant span identifier for Traefik’s root span (EntryPoint) within a request trace, formatted as a 16-hex digit string. |
-
-## Log Rotation
-
-Traefik will close and reopen its log files, assuming they're configured, on receipt of a USR1 signal.
-This allows the logs to be rotated and processed by an external program, such as `logrotate`.
-
-!!! warning
- This does not work on Windows due to the lack of USR signals.
-
-## Time Zones
-
-Traefik will timestamp each log line in UTC time by default.
-
-It is possible to configure the Traefik to timestamp in a specific timezone by ensuring the following configuration has been made in your environment:
-
-1. Provide time zone data to `/etc/localtime` or `/usr/share/zoneinfo` (based on your distribution) or set the environment variable TZ to the desired timezone
-2. Specify the field `StartLocal` by dropping the field named `StartUTC` (available on the default Common Log Format (CLF) as well as JSON)
-
-Example utilizing Docker Compose:
-
-```yaml
-services:
- traefik:
- image: traefik:v3.7
- environment:
- - TZ=US/Alaska
- command:
- - --accesslog.fields.names.StartUTC=drop
- - --providers.docker
- ports:
- - 80:80
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
-```
-
-## OpenTelemetry
-
-!!! warning "Experimental Feature"
-
- The OpenTelemetry access logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
-
- ```yaml tab="File (YAML)"
- experimental:
- otlpLogs: true
- ```
-
- ```toml tab="File (TOML)"
- [experimental.otlpLogs]
- ```
-
- ```bash tab="CLI"
- --experimental.otlpLogs=true
- ```
-
-To enable the OpenTelemetry Logger for access logs:
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp: {}
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp]
-```
-
-```bash tab="CLI"
---accesslog.otlp=true
-```
-
-!!! info "Default protocol"
-
- The OpenTelemetry Logger exporter will export access logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
-
-### `serviceName`
-
-_Optional, Default="traefik"_
-
-Defines the service name resource attribute.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- serviceName: name
-```
-
-```toml tab="File (TOML)"
-[accesslog]
- [accesslog.otlp]
- serviceName = "name"
-```
-
-```bash tab="CLI"
---accesslog.otlp.serviceName=name
-```
-
-### `resourceAttributes`
-
-_Optional, Default=empty_
-
-Defines additional resource attributes to be sent to the collector.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- resourceAttributes:
- attr1: foo
- attr2: bar
-```
-
-```toml tab="File (TOML)"
-[accesslog]
- [accesslog.otlp.resourceAttributes]
- attr1 = "foo"
- attr2 = "bar"
-```
-
-```bash tab="CLI"
---accesslog.otlp.resourceAttributes.attr1=foo
---accesslog.otlp.resourceAttributes.attr2=bar
-```
-
-### HTTP configuration
-
-_Optional_
-
-This instructs the exporter to send access logs to the OpenTelemetry Collector using HTTP.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- http: {}
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http]
-```
-
-```bash tab="CLI"
---accesslog.otlp.http=true
-```
-
-#### `endpoint`
-
-_Optional, Default="`https://localhost:4318/v1/logs`", Format="`://:`"_
-
-URL of the OpenTelemetry Collector to send access logs to.
-
-!!! info "Insecure mode"
-
- To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- http:
- endpoint: https://collector:4318/v1/logs
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http]
- endpoint = "https://collector:4318/v1/logs"
-```
-
-```bash tab="CLI"
---accesslog.otlp.http.endpoint=https://collector:4318/v1/logs
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- http:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---accesslog.otlp.http.headers.foo=bar --accesslog.otlp.http.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- http:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---accesslog.otlp.http.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---accesslog.otlp.http.tls.cert=path/to/foo.cert
---accesslog.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---accesslog.otlp.http.tls.cert=path/to/foo.cert
---accesslog.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- http:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.http.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---accesslog.otlp.http.tls.insecureSkipVerify=true
-```
-
-### gRPC configuration
-
-_Optional_
-
-This instructs the exporter to send access logs to the OpenTelemetry Collector using gRPC.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc: {}
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc]
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc=true
-```
-
-#### `endpoint`
-
-_Required, Default="localhost:4317", Format="`:`"_
-
-Address of the OpenTelemetry Collector to send access logs to.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc:
- endpoint: localhost:4317
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc]
- endpoint = "localhost:4317"
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc.endpoint=localhost:4317
-```
-
-#### `insecure`
-
-_Optional, Default=false_
-
-Allows exporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc:
- insecure: true
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc]
- insecure = true
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc.insecure=true
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with access logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc.headers.foo=bar --accesslog.otlp.grpc.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send access logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc.tls.cert=path/to/foo.cert
---accesslog.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc.tls.cert=path/to/foo.cert
---accesslog.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-accesslog:
- otlp:
- grpc:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[accesslog.otlp.grpc.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---accesslog.otlp.grpc.tls.insecureSkipVerify=true
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/observability/logs.md b/docs/content/observability/logs.md
deleted file mode 100644
index 8c39edc04..000000000
--- a/docs/content/observability/logs.md
+++ /dev/null
@@ -1,647 +0,0 @@
----
-title: "Traefik Logs Documentation"
-description: "Logs are a key part of observability in Traefik Proxy. Read the technical documentation to learn their configurations, rotations, and time zones."
----
-
-# Logs
-
-Reading What's Happening
-{: .subtitle }
-
-By default, logs are written to stdout, in text format.
-
-## Configuration
-
-### General
-
-Traefik logs concern everything that happens to Traefik itself (startup, configuration, events, shutdown, and so on).
-
-#### `filePath`
-
-By default, the logs are written to the standard output.
-You can configure a file path instead using the `filePath` option.
-When `filePath` is specified, Traefik will write logs only to that file (not to standard output).
-
-```yaml tab="File (YAML)"
-# Writing Logs to a File
-log:
- filePath: "/path/to/traefik.log"
-```
-
-```toml tab="File (TOML)"
-# Writing Logs to a File
-[log]
- filePath = "/path/to/traefik.log"
-```
-
-```bash tab="CLI"
-# Writing Logs to a File
---log.filePath=/path/to/traefik.log
-```
-
-#### `format`
-
-By default, the logs use a text format (`common`), but you can also ask for the `json` format in the `format` option.
-
-```yaml tab="File (YAML)"
-# Writing Logs to a File, in JSON
-log:
- filePath: "/path/to/log-file.log"
- format: json
-```
-
-```toml tab="File (TOML)"
-# Writing Logs to a File, in JSON
-[log]
- filePath = "/path/to/log-file.log"
- format = "json"
-```
-
-```bash tab="CLI"
-# Writing Logs to a File, in JSON
---log.filePath=/path/to/traefik.log
---log.format=json
-```
-
-#### `level`
-
-By default, the `level` is set to `ERROR`.
-
-Alternative logging levels are `TRACE`, `DEBUG`, `INFO`, `WARN`, `ERROR`, `FATAL`, and `PANIC`.
-
-```yaml tab="File (YAML)"
-log:
- level: DEBUG
-```
-
-```toml tab="File (TOML)"
-[log]
- level = "DEBUG"
-```
-
-```bash tab="CLI"
---log.level=DEBUG
-```
-
-#### `noColor`
-
-When using the 'common' format, disables the colorized output.
-
-```yaml tab="File (YAML)"
-log:
- noColor: true
-```
-
-```toml tab="File (TOML)"
-[log]
- noColor = true
-```
-
-```bash tab="CLI"
---log.nocolor=true
-```
-
-## Log Rotation
-
-The rotation of the log files can be configured with the following options.
-
-### `maxSize`
-
-`maxSize` is the maximum size in megabytes of the log file before it gets rotated.
-It defaults to 100 megabytes.
-
-```yaml tab="File (YAML)"
-log:
- maxSize: 1
-```
-
-```toml tab="File (TOML)"
-[log]
- maxSize = 1
-```
-
-```bash tab="CLI"
---log.maxsize=1
-```
-
-### `maxBackups`
-
-`maxBackups` is the maximum number of old log files to retain.
-The default is to retain all old log files (though `maxAge` may still cause them to get deleted).
-
-```yaml tab="File (YAML)"
-log:
- maxBackups: 3
-```
-
-```toml tab="File (TOML)"
-[log]
- maxBackups = 3
-```
-
-```bash tab="CLI"
---log.maxbackups=3
-```
-
-### `maxAge`
-
-`maxAge` is the maximum number of days to retain old log files based on the timestamp encoded in their filename.
-Note that a day is defined as 24 hours and may not exactly correspond to calendar days due to daylight savings, leap seconds, etc.
-The default is not to remove old log files based on age.
-
-```yaml tab="File (YAML)"
-log:
- maxAge: 3
-```
-
-```toml tab="File (TOML)"
-[log]
- maxAge = 3
-```
-
-```bash tab="CLI"
---log.maxage=3
-```
-
-### `compress`
-
-`compress` determines if the rotated log files should be compressed using gzip.
-The default is not to perform compression.
-
-```yaml tab="File (YAML)"
-log:
- compress: true
-```
-
-```toml tab="File (TOML)"
-[log]
- compress = true
-```
-
-```bash tab="CLI"
---log.compress=true
-```
-
-## OpenTelemetry
-
-!!! warning "Experimental Feature"
-
- The OpenTelemetry logs feature is currently experimental and must be explicitly enabled in the experimental section prior to use.
-
- ```yaml tab="File (YAML)"
- experimental:
- otlpLogs: true
- ```
-
- ```toml tab="File (TOML)"
- [experimental.otlpLogs]
- ```
-
- ```bash tab="CLI"
- --experimental.otlpLogs=true
- ```
-
-To enable the OpenTelemetry Logger for logs:
-
-```yaml tab="File (YAML)"
-log:
- otlp: {}
-```
-
-```toml tab="File (TOML)"
-[log.otlp]
-```
-
-```bash tab="CLI"
---log.otlp=true
-```
-
-!!! info "Default protocol"
-
- The OpenTelemetry Logger exporter will export logs to the collector using HTTPS by default to https://localhost:4318/v1/logs, see the [gRPC Section](#grpc-configuration) to use gRPC.
-
-### `serviceName`
-
-_Optional, Default="traefik"_
-
-Defines the service name resource attribute.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- serviceName: name
-```
-
-```toml tab="File (TOML)"
-[log]
- [log.otlp]
- serviceName = "name"
-```
-
-```bash tab="CLI"
---log.otlp.serviceName=name
-```
-
-### `resourceAttributes`
-
-_Optional, Default=empty_
-
-Defines additional resource attributes to be sent to the collector.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- resourceAttributes:
- attr1: foo
- attr2: bar
-```
-
-```toml tab="File (TOML)"
-[log]
- [log.otlp.resourceAttributes]
- attr1 = "foo"
- attr2 = "bar"
-```
-
-```bash tab="CLI"
---log.otlp.resourceAttributes.attr1=foo
---log.otlp.resourceAttributes.attr2=bar
-```
-
-### HTTP configuration
-
-_Optional_
-
-This instructs the exporter to send logs to the OpenTelemetry Collector using HTTP.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- http: {}
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http]
-```
-
-```bash tab="CLI"
---log.otlp.http=true
-```
-
-#### `endpoint`
-
-_Optional, Default="`https://localhost:4318/v1/logs`", Format="`://:`"_
-
-URL of the OpenTelemetry Collector to send logs to.
-
-!!! info "Insecure mode"
-
- To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- http:
- endpoint: https://collector:4318/v1/logs
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http]
- endpoint = "https://collector:4318/v1/logs"
-```
-
-```bash tab="CLI"
---log.otlp.http.endpoint=https://collector:4318/v1/logs
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- http:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---log.otlp.http.headers.foo=bar --log.otlp.http.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- http:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---log.otlp.http.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---log.otlp.http.tls.cert=path/to/foo.cert
---log.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---log.otlp.http.tls.cert=path/to/foo.cert
---log.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- http:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[log.otlp.http.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---log.otlp.http.tls.insecureSkipVerify=true
-```
-
-### gRPC configuration
-
-_Optional_
-
-This instructs the exporter to send logs to the OpenTelemetry Collector using gRPC.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc: {}
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc]
-```
-
-```bash tab="CLI"
---log.otlp.grpc=true
-```
-
-#### `endpoint`
-
-_Required, Default="localhost:4317", Format="`:`"_
-
-Address of the OpenTelemetry Collector to send logs to.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc:
- endpoint: localhost:4317
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc]
- endpoint = "localhost:4317"
-```
-
-```bash tab="CLI"
---log.otlp.grpc.endpoint=localhost:4317
-```
-
-#### `insecure`
-
-_Optional, Default=false_
-
-Allows exporter to send logs to the OpenTelemetry Collector without using a secured protocol.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc:
- insecure: true
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc]
- insecure = true
-```
-
-```bash tab="CLI"
---log.otlp.grpc.insecure=true
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with logs by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---log.otlp.grpc.headers.foo=bar --log.otlp.grpc.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send logs to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---log.otlp.grpc.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---log.otlp.grpc.tls.cert=path/to/foo.cert
---log.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---log.otlp.grpc.tls.cert=path/to/foo.cert
---log.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-log:
- otlp:
- grpc:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[log.otlp.grpc.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---log.otlp.grpc.tls.insecureSkipVerify=true
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/observability/metrics/datadog.md b/docs/content/observability/metrics/datadog.md
deleted file mode 100644
index fa3ac4592..000000000
--- a/docs/content/observability/metrics/datadog.md
+++ /dev/null
@@ -1,158 +0,0 @@
----
-title: "Traefik Datadog Metrics Documentation"
-description: "Traefik Proxy supports Datadog for backend metrics. Read the technical documentation to enable Datadog for observability."
----
-
-# Datadog
-
-To enable the Datadog:
-
-```yaml tab="File (YAML)"
-metrics:
- datadog: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.datadog]
-```
-
-```bash tab="CLI"
---metrics.datadog=true
-```
-
-#### `address`
-
-_Required, Default="127.0.0.1:8125"_
-
-Address instructs exporter to send metrics to datadog-agent at this address.
-
-This address can be a Unix Domain Socket (UDS) in the following format: `unix:///path/to/datadog.socket`.
-When the prefix is set to `unix`, the socket type will be automatically determined.
-To explicitly define the socket type and avoid automatic detection, you can use the prefixes `unixgram` for `SOCK_DGRAM` (datagram sockets) and `unixstream` for `SOCK_STREAM` (stream sockets), respectively.
-
-```yaml tab="File (YAML)"
-metrics:
- datadog:
- address: 127.0.0.1:8125
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.datadog]
- address = "127.0.0.1:8125"
-```
-
-```bash tab="CLI"
---metrics.datadog.address=127.0.0.1:8125
-```
-
-#### `addEntryPointsLabels`
-
-_Optional, Default=true_
-
-Enable metrics on entry points.
-
-```yaml tab="File (YAML)"
-metrics:
- datadog:
- addEntryPointsLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.datadog]
- addEntryPointsLabels = true
-```
-
-```bash tab="CLI"
---metrics.datadog.addEntryPointsLabels=true
-```
-
-#### `addRoutersLabels`
-
-_Optional, Default=false_
-
-Enable metrics on routers.
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.datadog]
- addRoutersLabels = true
-```
-
-```yaml tab="File (YAML)"
-metrics:
- datadog:
- addRoutersLabels: true
-```
-
-```bash tab="CLI"
---metrics.datadog.addrouterslabels=true
-```
-
-#### `addServicesLabels`
-
-_Optional, Default=true_
-
-Enable metrics on services.
-
-```yaml tab="File (YAML)"
-metrics:
- datadog:
- addServicesLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.datadog]
- addServicesLabels = true
-```
-
-```bash tab="CLI"
---metrics.datadog.addServicesLabels=true
-```
-
-#### `pushInterval`
-
-_Optional, Default=10s_
-
-The interval used by the exporter to push metrics to datadog-agent.
-
-```yaml tab="File (YAML)"
-metrics:
- datadog:
- pushInterval: 10s
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.datadog]
- pushInterval = "10s"
-```
-
-```bash tab="CLI"
---metrics.datadog.pushInterval=10s
-```
-
-#### `prefix`
-
-_Optional, Default="traefik"_
-
-The prefix to use for metrics collection.
-
-```yaml tab="File (YAML)"
-metrics:
- datadog:
- prefix: traefik
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.datadog]
- prefix = "traefik"
-```
-
-```bash tab="CLI"
---metrics.datadog.prefix=traefik
-```
diff --git a/docs/content/observability/metrics/influxdb2.md b/docs/content/observability/metrics/influxdb2.md
deleted file mode 100644
index 22a139746..000000000
--- a/docs/content/observability/metrics/influxdb2.md
+++ /dev/null
@@ -1,219 +0,0 @@
-# InfluxDB v2
-
-To enable the InfluxDB2:
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
-```
-
-```bash tab="CLI"
---metrics.influxdb2=true
-```
-
-#### `address`
-
-_Required, Default="http://localhost:8086"_
-
-Address of the InfluxDB v2 instance.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- address: http://localhost:8086
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- address = "http://localhost:8086"
-```
-
-```bash tab="CLI"
---metrics.influxdb2.address=http://localhost:8086
-```
-
-#### `token`
-
-_Required, Default=""_
-
-Token with which to connect to InfluxDB v2. It accepts either a token value or a file path to the token.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- token: secret
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- token = "secret"
-```
-
-```bash tab="CLI"
---metrics.influxdb2.token=secret
-```
-
-#### `org`
-
-_Required, Default=""_
-
-Organisation where metrics will be stored.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- org: my-org
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- org = "my-org"
-```
-
-```bash tab="CLI"
---metrics.influxdb2.org=my-org
-```
-
-#### `bucket`
-
-_Required, Default=""_
-
-Bucket where metrics will be stored.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- bucket: my-bucket
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- bucket = "my-bucket"
-```
-
-```bash tab="CLI"
---metrics.influxdb2.bucket=my-bucket
-```
-
-#### `addEntryPointsLabels`
-
-_Optional, Default=true_
-
-Enable metrics on entry points.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- addEntryPointsLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- addEntryPointsLabels = true
-```
-
-```bash tab="CLI"
---metrics.influxdb2.addEntryPointsLabels=true
-```
-
-#### `addRoutersLabels`
-
-_Optional, Default=false_
-
-Enable metrics on routers.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- addRoutersLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- addRoutersLabels = true
-```
-
-```bash tab="CLI"
---metrics.influxdb2.addrouterslabels=true
-```
-
-#### `addServicesLabels`
-
-_Optional, Default=true_
-
-Enable metrics on services.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- addServicesLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- addServicesLabels = true
-```
-
-```bash tab="CLI"
---metrics.influxdb2.addServicesLabels=true
-```
-
-#### `pushInterval`
-
-_Optional, Default=10s_
-
-The interval used by the exporter to push metrics to InfluxDB server.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- pushInterval: 10s
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- pushInterval = "10s"
-```
-
-```bash tab="CLI"
---metrics.influxdb2.pushInterval=10s
-```
-
-#### `additionalLabels`
-
-_Optional, Default={}_
-
-Additional labels (InfluxDB tags) on all metrics.
-
-```yaml tab="File (YAML)"
-metrics:
- influxDB2:
- additionalLabels:
- host: example.com
- environment: production
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.influxDB2]
- [metrics.influxDB2.additionalLabels]
- host = "example.com"
- environment = "production"
-```
-
-```bash tab="CLI"
---metrics.influxdb2.additionallabels.host=example.com --metrics.influxdb2.additionallabels.environment=production
-```
diff --git a/docs/content/observability/metrics/opentelemetry.md b/docs/content/observability/metrics/opentelemetry.md
deleted file mode 100644
index 1967b1800..000000000
--- a/docs/content/observability/metrics/opentelemetry.md
+++ /dev/null
@@ -1,570 +0,0 @@
----
-title: "Traefik OpenTelemetry Documentation"
-description: "Traefik supports several metrics backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# OpenTelemetry
-
-To enable the OpenTelemetry metrics:
-
-```yaml tab="File (YAML)"
-metrics:
- otlp: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp]
-```
-
-```bash tab="CLI"
---metrics.otlp=true
-```
-
-!!! info "Default protocol"
-
- The OpenTelemetry exporter will export metrics to the collector using HTTPS by default to https://localhost:4318/v1/metrics, see the [gRPC Section](#grpc-configuration) to use gRPC.
-
-#### `addEntryPointsLabels`
-
-_Optional, Default=true_
-
-Enable metrics on entry points.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- addEntryPointsLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp]
- addEntryPointsLabels = true
-```
-
-```bash tab="CLI"
---metrics.otlp.addEntryPointsLabels=true
-```
-
-#### `addRoutersLabels`
-
-_Optional, Default=false_
-
-Enable metrics on routers.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- addRoutersLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp]
- addRoutersLabels = true
-```
-
-```bash tab="CLI"
---metrics.otlp.addRoutersLabels=true
-```
-
-#### `addServicesLabels`
-
-_Optional, Default=true_
-
-Enable metrics on services.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- addServicesLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp]
- addServicesLabels = true
-```
-
-```bash tab="CLI"
---metrics.otlp.addServicesLabels=true
-```
-
-#### `explicitBoundaries`
-
-_Optional, Default=".005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10"_
-
-Explicit boundaries for Histogram data points.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- explicitBoundaries:
- - 0.1
- - 0.3
- - 1.2
- - 5.0
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp]
- explicitBoundaries = [0.1,0.3,1.2,5.0]
-```
-
-```bash tab="CLI"
---metrics.otlp.explicitBoundaries=0.1,0.3,1.2,5.0
-```
-
-#### `pushInterval`
-
-_Optional, Default=10s_
-
-Interval at which metrics are sent to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- pushInterval: 10s
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp]
- pushInterval = "10s"
-```
-
-```bash tab="CLI"
---metrics.otlp.pushInterval=10s
-```
-
-#### `serviceName`
-
-_Optional, Default="traefik"_
-
-Defines the service name resource attribute.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- serviceName: name
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp]
- serviceName = "name"
-```
-
-```bash tab="CLI"
---metrics.otlp.serviceName=name
-```
-#### `resourceAttributes`
-
-_Optional, Default=empty_
-
-Defines additional resource attributes to be sent to the collector.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- resourceAttributes:
- attr1: foo
- attr2: bar
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.resourceAttributes]
- attr1 = "foo"
- attr2 = "bar"
-```
-
-```bash tab="CLI"
---metrics.otlp.resourceAttributes.attr1=foo
---metrics.otlp.resourceAttributes.attr2=bar
-```
-
-### HTTP configuration
-
-_Optional_
-
-This instructs the exporter to send the metrics to the OpenTelemetry Collector using HTTP.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- http: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.http]
-```
-
-```bash tab="CLI"
---metrics.otlp.http=true
-```
-
-#### `endpoint`
-
-_Optional, Default="https://localhost:4318/v1/metrics", Format="`://:`"_
-
-URL of the OpenTelemetry Collector to send metrics to.
-
-!!! info "Insecure mode"
-
- To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- http:
- endpoint: https://collector:4318/v1/metrics
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.http]
- endpoint = "https://collector:4318/v1/metrics"
-```
-
-```bash tab="CLI"
---metrics.otlp.http.endpoint=https://collector:4318/v1/metrics
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with metrics by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- http:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.http.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---metrics.otlp.http.headers.foo=bar --metrics.otlp.http.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send metrics to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- http:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.http.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---metrics.otlp.http.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---metrics.otlp.http.tls.cert=path/to/foo.cert
---metrics.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---metrics.otlp.http.tls.cert=path/to/foo.cert
---metrics.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- http:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.http.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---metrics.otlp.http.tls.insecureSkipVerify=true
-```
-
-### gRPC configuration
-
-_Optional_
-
-This instructs the exporter to send metrics to the OpenTelemetry Collector using gRPC.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.grpc]
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc=true
-```
-
-#### `endpoint`
-
-_Required, Default="localhost:4317", Format="`:`"_
-
-Address of the OpenTelemetry Collector to send metrics to.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc:
- endpoint: localhost:4317
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.grpc]
- endpoint = "localhost:4317"
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc.endpoint=localhost:4317
-```
-
-#### `insecure`
-
-_Optional, Default=false_
-
-Allows exporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc:
- insecure: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.grpc]
- insecure = true
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc.insecure=true
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with metrics by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.otlp.grpc.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc.headers.foo=bar --metrics.otlp.grpc.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send metrics to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.grpc.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc.tls.cert=path/to/foo.cert
---metrics.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc.tls.cert=path/to/foo.cert
---metrics.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-metrics:
- otlp:
- grpc:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[metrics.otlp.grpc.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---metrics.otlp.grpc.tls.insecureSkipVerify=true
-```
diff --git a/docs/content/observability/metrics/overview.md b/docs/content/observability/metrics/overview.md
deleted file mode 100644
index c4b57a3d2..000000000
--- a/docs/content/observability/metrics/overview.md
+++ /dev/null
@@ -1,332 +0,0 @@
----
-title: "Traefik Metrics Overview"
-description: "Traefik Proxy supports these metrics backend systems: Datadog, InfluxDB 2.X, Prometheus, and StatsD. Read the full documentation to get started."
----
-
-# Metrics
-
-Traefik provides metrics in the [OpenTelemetry](./opentelemetry.md) format as well as the following vendor specific backends:
-
-- [Datadog](./datadog.md)
-- [InfluxDB2](./influxdb2.md)
-- [Prometheus](./prometheus.md)
-- [StatsD](./statsd.md)
-
-Traefik Proxy hosts an official Grafana dashboard for both [on-premises](https://grafana.com/grafana/dashboards/17346)
-and [Kubernetes](https://grafana.com/grafana/dashboards/17347) deployments.
-
-## Common Options
-
-### `addInternals`
-
-_Optional, Default="false"_
-
-Enables metrics for internal resources (e.g.: `ping@internals`).
-
-```yaml tab="File (YAML)"
-metrics:
- addInternals: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
-addInternals = true
-```
-
-```bash tab="CLI"
---metrics.addinternals
-```
-
-## Global Metrics
-
-| Metric | Type | [Labels](#labels) | Description |
-|----------------------------|-------|--------------------------|--------------------------------------------------------------------|
-| Config reload total | Count | | The total count of configuration reloads. |
-| Config reload last success | Gauge | | The timestamp of the last configuration reload success. |
-| Open connections | Gauge | `entrypoint`, `protocol` | The current count of open connections, by entrypoint and protocol. |
-| TLS certificates not after | Gauge | | The expiration date of certificates. |
-
-```opentelemetry tab="OpenTelemetry"
-traefik_config_reloads_total
-traefik_config_last_reload_success
-traefik_open_connections
-traefik_tls_certs_not_after
-```
-
-```prom tab="Prometheus"
-traefik_config_reloads_total
-traefik_config_last_reload_success
-traefik_open_connections
-traefik_tls_certs_not_after
-```
-
-```dd tab="Datadog"
-config.reload.total
-config.reload.lastSuccessTimestamp
-open.connections
-tls.certs.notAfterTimestamp
-```
-
-```influxdb tab="InfluxDB2"
-traefik.config.reload.total
-traefik.config.reload.lastSuccessTimestamp
-traefik.open.connections
-traefik.tls.certs.notAfterTimestamp
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.config.reload.total
-{prefix}.config.reload.lastSuccessTimestamp
-{prefix}.open.connections
-{prefix}.tls.certs.notAfterTimestamp
-```
-
-### Labels
-
-Here is a comprehensive list of labels that are provided by the global metrics:
-
-| Label | Description | example |
-|--------------|----------------------------------------|----------------------|
-| `entrypoint` | Entrypoint that handled the connection | "example_entrypoint" |
-| `protocol` | Connection protocol | "TCP" |
-
-## OpenTelemetry Semantic Conventions
-
-Traefik Proxy follows [official OpenTelemetry semantic conventions v1.23.1](https://github.com/open-telemetry/semantic-conventions/blob/v1.23.1/docs/http/http-metrics.md).
-
-### HTTP Server
-
-| Metric | Type | [Labels](#labels) | Description |
-|-------------------------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|
-| http.server.request.duration | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP server requests |
-
-#### Labels
-
-Here is a comprehensive list of labels that are provided by the metrics:
-
-| Label | Description | example |
-|-----------------------------|--------------------------------------------------------------|---------------|
-| `error.type` | Describes a class of error the operation ended with | "500" |
-| `http.request.method` | HTTP request method | "GET" |
-| `http.response.status_code` | HTTP response status code | "200" |
-| `network.protocol.name` | OSI application layer or non-OSI equivalent | "http/1.1" |
-| `network.protocol.version` | Version of the protocol specified in `network.protocol.name` | "1.1" |
-| `server.address` | Name of the local HTTP server that received the request | "example.com" |
-| `server.port` | Port of the local HTTP server that received the request | "80" |
-| `url.scheme` | The URI scheme component identifying the used protocol | "http" |
-
-### HTTP Client
-
-| Metric | Type | [Labels](#labels) | Description |
-|-------------------------------|-----------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------|
-| http.client.request.duration | Histogram | `error.type`, `http.request.method`, `http.response.status_code`, `network.protocol.name`, `server.address`, `server.port`, `url.scheme` | Duration of HTTP client requests |
-
-#### Labels
-
-Here is a comprehensive list of labels that are provided by the metrics:
-
-| Label | Description | example |
-|-----------------------------|--------------------------------------------------------------|---------------|
-| `error.type` | Describes a class of error the operation ended with | "500" |
-| `http.request.method` | HTTP request method | "GET" |
-| `http.response.status_code` | HTTP response status code | "200" |
-| `network.protocol.name` | OSI application layer or non-OSI equivalent | "http/1.1" |
-| `network.protocol.version` | Version of the protocol specified in `network.protocol.name` | "1.1" |
-| `server.address` | Name of the local HTTP server that received the request | "example.com" |
-| `server.port` | Port of the local HTTP server that received the request | "80" |
-| `url.scheme` | The URI scheme component identifying the used protocol | "http" |
-
-## HTTP Metrics
-
-On top of the official OpenTelemetry semantic conventions, Traefik provides its own metrics to monitor the incoming traffic.
-
-### EntryPoint Metrics
-
-| Metric | Type | [Labels](#labels) | Description |
-|-----------------------|-----------|--------------------------------------------|---------------------------------------------------------------------|
-| Requests total | Count | `code`, `method`, `protocol`, `entrypoint` | The total count of HTTP requests received by an entrypoint. |
-| Requests TLS total | Count | `tls_version`, `tls_cipher`, `entrypoint` | The total count of HTTPS requests received by an entrypoint. |
-| Request duration | Histogram | `code`, `method`, `protocol`, `entrypoint` | Request processing duration histogram on an entrypoint. |
-| Requests bytes total | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP requests in bytes handled by an entrypoint. |
-| Responses bytes total | Count | `code`, `method`, `protocol`, `entrypoint` | The total size of HTTP responses in bytes handled by an entrypoint. |
-
-```opentelemetry tab="OpenTelemetry"
-traefik_entrypoint_requests_total
-traefik_entrypoint_requests_tls_total
-traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_requests_bytes_total
-traefik_entrypoint_responses_bytes_total
-```
-
-```prom tab="Prometheus"
-traefik_entrypoint_requests_total
-traefik_entrypoint_requests_tls_total
-traefik_entrypoint_request_duration_seconds
-traefik_entrypoint_requests_bytes_total
-traefik_entrypoint_responses_bytes_total
-```
-
-```dd tab="Datadog"
-entrypoint.request.total
-entrypoint.request.tls.total
-entrypoint.request.duration
-entrypoint.requests.bytes.total
-entrypoint.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.entrypoint.requests.total
-traefik.entrypoint.requests.tls.total
-traefik.entrypoint.request.duration
-traefik.entrypoint.requests.bytes.total
-traefik.entrypoint.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.entrypoint.request.total
-{prefix}.entrypoint.request.tls.total
-{prefix}.entrypoint.request.duration
-{prefix}.entrypoint.requests.bytes.total
-{prefix}.entrypoint.responses.bytes.total
-```
-
-### Router Metrics
-
-| Metric | Type | [Labels](#labels) | Description |
-|-----------------------|-----------|---------------------------------------------------|----------------------------------------------------------------|
-| Requests total | Count | `code`, `method`, `protocol`, `router`, `service` | The total count of HTTP requests handled by a router. |
-| Requests TLS total | Count | `tls_version`, `tls_cipher`, `router`, `service` | The total count of HTTPS requests handled by a router. |
-| Request duration | Histogram | `code`, `method`, `protocol`, `router`, `service` | Request processing duration histogram on a router. |
-| Requests bytes total | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP requests in bytes handled by a router. |
-| Responses bytes total | Count | `code`, `method`, `protocol`, `router`, `service` | The total size of HTTP responses in bytes handled by a router. |
-
-```opentelemetry tab="OpenTelemetry"
-traefik_router_requests_total
-traefik_router_requests_tls_total
-traefik_router_request_duration_seconds
-traefik_router_requests_bytes_total
-traefik_router_responses_bytes_total
-```
-
-```prom tab="Prometheus"
-traefik_router_requests_total
-traefik_router_requests_tls_total
-traefik_router_request_duration_seconds
-traefik_router_requests_bytes_total
-traefik_router_responses_bytes_total
-```
-
-```dd tab="Datadog"
-router.request.total
-router.request.tls.total
-router.request.duration
-router.requests.bytes.total
-router.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.router.requests.total
-traefik.router.requests.tls.total
-traefik.router.request.duration
-traefik.router.requests.bytes.total
-traefik.router.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.router.request.total
-{prefix}.router.request.tls.total
-{prefix}.router.request.duration
-{prefix}.router.requests.bytes.total
-{prefix}.router.responses.bytes.total
-```
-
-### Service Metrics
-
-| Metric | Type | Labels | Description |
-|-----------------------|-----------|-----------------------------------------|-------------------------------------------------------------|
-| Requests total | Count | `code`, `method`, `protocol`, `service` | The total count of HTTP requests processed on a service. |
-| Requests TLS total | Count | `tls_version`, `tls_cipher`, `service` | The total count of HTTPS requests processed on a service. |
-| Request duration | Histogram | `code`, `method`, `protocol`, `service` | Request processing duration histogram on a service. |
-| Retries total | Count | `service` | The count of requests retries on a service. |
-| Server UP | Gauge | `service`, `url` | Current service's server status, 0 for a down or 1 for up. |
-| Requests bytes total | Count | `code`, `method`, `protocol`, `service` | The total size of requests in bytes received by a service. |
-| Responses bytes total | Count | `code`, `method`, `protocol`, `service` | The total size of responses in bytes returned by a service. |
-
-```opentelemetry tab="OpenTelemetry"
-traefik_service_requests_total
-traefik_service_requests_tls_total
-traefik_service_request_duration_seconds
-traefik_service_retries_total
-traefik_service_server_up
-traefik_service_requests_bytes_total
-traefik_service_responses_bytes_total
-```
-
-```prom tab="Prometheus"
-traefik_service_requests_total
-traefik_service_requests_tls_total
-traefik_service_request_duration_seconds
-traefik_service_retries_total
-traefik_service_server_up
-traefik_service_requests_bytes_total
-traefik_service_responses_bytes_total
-```
-
-```dd tab="Datadog"
-service.request.total
-router.service.tls.total
-service.request.duration
-service.retries.total
-service.server.up
-service.requests.bytes.total
-service.responses.bytes.total
-```
-
-```influxdb tab="InfluxDB2"
-traefik.service.requests.total
-traefik.service.requests.tls.total
-traefik.service.request.duration
-traefik.service.retries.total
-traefik.service.server.up
-traefik.service.requests.bytes.total
-traefik.service.responses.bytes.total
-```
-
-```statsd tab="StatsD"
-# Default prefix: "traefik"
-{prefix}.service.request.total
-{prefix}.service.request.tls.total
-{prefix}.service.request.duration
-{prefix}.service.retries.total
-{prefix}.service.server.up
-{prefix}.service.requests.bytes.total
-{prefix}.service.responses.bytes.total
-```
-
-### Labels
-
-Here is a comprehensive list of labels that are provided by the metrics:
-
-| Label | Description | example |
-|---------------|---------------------------------------|----------------------------|
-| `cn` | Certificate Common Name | "example.com" |
-| `code` | Request code | "200" |
-| `entrypoint` | Entrypoint that handled the request | "example_entrypoint" |
-| `method` | Request Method | "GET" |
-| `protocol` | Request protocol | "http" |
-| `router` | Router that handled the request | "example_router" |
-| `sans` | Certificate Subject Alternative NameS | "example.com" |
-| `serial` | Certificate Serial Number | "123..." |
-| `service` | Service that handled the request | "example_service@provider" |
-| `tls_cipher` | TLS cipher used for the request | "TLS_FALLBACK_SCSV" |
-| `tls_version` | TLS version used for the request | "1.0" |
-| `url` | Service server url | "http://example.com" |
-
-!!! info "`method` label value"
-
- If the HTTP method verb on a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
- or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
- then the value for the method label becomes `EXTENSION_METHOD`.
diff --git a/docs/content/observability/metrics/prometheus.md b/docs/content/observability/metrics/prometheus.md
deleted file mode 100644
index 9c610332c..000000000
--- a/docs/content/observability/metrics/prometheus.md
+++ /dev/null
@@ -1,238 +0,0 @@
----
-title: "Traefik Prometheus Documentation"
-description: "Traefik supports several metrics backends, including Prometheus. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# Prometheus
-
-To enable the Prometheus:
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
-```
-
-```bash tab="CLI"
---metrics.prometheus=true
-```
-
-#### `buckets`
-
-_Optional, Default="0.100000, 0.300000, 1.200000, 5.000000"_
-
-Buckets for latency metrics.
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus:
- buckets:
- - 0.1
- - 0.3
- - 1.2
- - 5.0
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
- buckets = [0.1,0.3,1.2,5.0]
-```
-
-```bash tab="CLI"
---metrics.prometheus.buckets=0.1,0.3,1.2,5.0
-```
-
-#### `addEntryPointsLabels`
-
-_Optional, Default=true_
-
-Enable metrics on entry points.
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus:
- addEntryPointsLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
- addEntryPointsLabels = true
-```
-
-```bash tab="CLI"
---metrics.prometheus.addEntryPointsLabels=true
-```
-
-#### `addRoutersLabels`
-
-_Optional, Default=false_
-
-Enable metrics on routers.
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus:
- addRoutersLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
- addRoutersLabels = true
-```
-
-```bash tab="CLI"
---metrics.prometheus.addrouterslabels=true
-```
-
-#### `addServicesLabels`
-
-_Optional, Default=true_
-
-Enable metrics on services.
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus:
- addServicesLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
- addServicesLabels = true
-```
-
-```bash tab="CLI"
---metrics.prometheus.addServicesLabels=true
-```
-
-#### `entryPoint`
-
-_Optional, Default=traefik_
-
-Entry point used to expose metrics.
-
-```yaml tab="File (YAML)"
-entryPoints:
- metrics:
- address: :8082
-
-metrics:
- prometheus:
- entryPoint: metrics
-```
-
-```toml tab="File (TOML)"
-[entryPoints]
- [entryPoints.metrics]
- address = ":8082"
-
-[metrics]
- [metrics.prometheus]
- entryPoint = "metrics"
-```
-
-```bash tab="CLI"
---entryPoints.metrics.address=:8082
---metrics.prometheus.entryPoint=metrics
-```
-
-#### `manualRouting`
-
-_Optional, Default=false_
-
-If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `prometheus@internal` service.
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus:
- manualRouting: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
- manualRouting = true
-```
-
-```bash tab="CLI"
---metrics.prometheus.manualrouting=true
-```
-
-#### `headerLabels`
-
-_Optional_
-
-Defines the extra labels for the `requests_total` metrics, and for each of them, the request header containing the value for this label.
-Please note that if the header is not present in the request it will be added nonetheless with an empty value.
-In addition, the label should be a valid label name for Prometheus metrics,
-otherwise, the Prometheus metrics provider will fail to serve any Traefik-related metric.
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus:
- headerLabels:
- label: headerKey
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
- [metrics.prometheus.headerLabels]
- label = "headerKey"
-```
-
-```bash tab="CLI"
---metrics.prometheus.headerlabels.label=headerKey
-```
-
-##### Example
-
-Here is an example of the entryPoint `requests_total` metric with an additional "useragent" label.
-
-When configuring the label in Static Configuration:
-
-```yaml tab="File (YAML)"
-metrics:
- prometheus:
- headerLabels:
- useragent: User-Agent
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.prometheus]
- [metrics.prometheus.headerLabels]
- useragent = "User-Agent"
-```
-
-```bash tab="CLI"
---metrics.prometheus.headerlabels.useragent=User-Agent
-```
-
-And performing a request with a custom User-Agent:
-
-```bash
-curl -H "User-Agent: foobar" http://localhost
-```
-
-The following metric is produced :
-
-```bash
-traefik_entrypoint_requests_total{code="200",entrypoint="web",method="GET",protocol="http",useragent="foobar"} 1
-```
-
-!!! info "`Host` header value"
-
- The `Host` header is never present in the Header map of a request, as per go documentation says:
- // For incoming requests, the Host header is promoted to the
- // Request.Host field and removed from the Header map.
-
- As a workaround, to obtain the Host of a request as a label, one should use instead the `X-Forwarded-Host` header.
diff --git a/docs/content/observability/metrics/statsd.md b/docs/content/observability/metrics/statsd.md
deleted file mode 100644
index 042e937cd..000000000
--- a/docs/content/observability/metrics/statsd.md
+++ /dev/null
@@ -1,154 +0,0 @@
----
-title: "Traefik StatsD Documentation"
-description: "Traefik supports several metrics backends, including StatsD. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# StatsD
-
-To enable the Statsd:
-
-```yaml tab="File (YAML)"
-metrics:
- statsD: {}
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.statsD]
-```
-
-```bash tab="CLI"
---metrics.statsd=true
-```
-
-#### `address`
-
-_Required, Default="localhost:8125"_
-
-Address instructs exporter to send metrics to statsd at this address.
-
-```yaml tab="File (YAML)"
-metrics:
- statsD:
- address: localhost:8125
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.statsD]
- address = "localhost:8125"
-```
-
-```bash tab="CLI"
---metrics.statsd.address=localhost:8125
-```
-
-#### `addEntryPointsLabels`
-
-_Optional, Default=true_
-
-Enable metrics on entry points.
-
-```yaml tab="File (YAML)"
-metrics:
- statsD:
- addEntryPointsLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.statsD]
- addEntryPointsLabels = true
-```
-
-```bash tab="CLI"
---metrics.statsd.addEntryPointsLabels=true
-```
-
-#### `addRoutersLabels`
-
-_Optional, Default=false_
-
-Enable metrics on routers.
-
-```yaml tab="File (YAML)"
-metrics:
- statsD:
- addRoutersLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.statsD]
- addRoutersLabels = true
-```
-
-```bash tab="CLI"
---metrics.statsd.addrouterslabels=true
-```
-
-#### `addServicesLabels`
-
-_Optional, Default=true_
-
-Enable metrics on services.
-
-```yaml tab="File (YAML)"
-metrics:
- statsD:
- addServicesLabels: true
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.statsD]
- addServicesLabels = true
-```
-
-```bash tab="CLI"
---metrics.statsd.addServicesLabels=true
-```
-
-#### `pushInterval`
-
-_Optional, Default=10s_
-
-The interval used by the exporter to push metrics to statsD.
-
-```yaml tab="File (YAML)"
-metrics:
- statsD:
- pushInterval: 10s
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.statsD]
- pushInterval = "10s"
-```
-
-```bash tab="CLI"
---metrics.statsd.pushInterval=10s
-```
-
-#### `prefix`
-
-_Optional, Default="traefik"_
-
-The prefix to use for metrics collection.
-
-```yaml tab="File (YAML)"
-metrics:
- statsD:
- prefix: traefik
-```
-
-```toml tab="File (TOML)"
-[metrics]
- [metrics.statsD]
- prefix = "traefik"
-```
-
-```bash tab="CLI"
---metrics.statsd.prefix=traefik
-```
diff --git a/docs/content/observability/overview.md b/docs/content/observability/overview.md
deleted file mode 100644
index bcd4385dd..000000000
--- a/docs/content/observability/overview.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: "Traefik Observability Overview"
-description: "Traefik provides Logs, Access Logs, Metrics and Tracing. Read the full documentation to get started."
----
-
-# Overview
-
-Traefik’s observability features include logs, access logs, metrics, and tracing. You can configure these options globally or at more specific levels, such as per router or per entry point.
-
-## Configuration Example
-
-Enable access logs, metrics, and tracing globally
-
-```yaml tab="File (YAML)"
-accessLog: {}
-
-metrics:
- otlp: {}
-
-tracing: {}
-```
-
-```yaml tab="File (TOML)"
-[accessLog]
-
-[metrics]
- [metrics.otlp]
-
-[tracing]
-```
-
-```bash tab="CLI"
---accesslog=true
---metrics.otlp=true
---tracing=true
-```
-
-You can disable access logs, metrics, and tracing for a specific entrypoint attached to a router:
-
-```yaml tab="File (YAML)"
-# Static Configuration
-entryPoints:
- EntryPoint0:
- address: ':8000/udp'
- observability:
- accessLogs: false
- tracing: false
- metrics: false
-```
-
-```toml tab="File (TOML)"
-# Static Configuration
-[entryPoints.EntryPoint0]
- address = ":8000/udp"
-
- [entryPoints.EntryPoint0.observability]
- accessLogs = false
- tracing = false
- metrics = false
-```
-
-```bash tab="CLI"
-# Static Configuration
---entryPoints.EntryPoint0.address=:8000/udp
---entryPoints.EntryPoint0.observability.accessLogs=false
---entryPoints.EntryPoint0.observability.metrics=false
---entryPoints.EntryPoint0.observability.tracing=false
-```
-
-!!!note "Default Behavior"
- A router with its own observability configuration will override the global default.
-
-## Configuration Options
-
-### Logs
-
-Traefik logs informs about everything that happens within Traefik (startup, configuration, events, shutdown, and so on).
-
-Read the [Logs documentation](./logs.md) to learn how to configure it.
-
-### Access Logs
-
-Access logs are a key part of observability in Traefik.
-
-They are providing valuable insights about incoming traffic, and allow to monitor it.
-The access logs record detailed information about each request received by Traefik,
-including the source IP address, requested URL, response status code, and more.
-
-Read the [Access Logs documentation](./access-logs.md) to learn how to configure it.
-
-### Metrics
-
-Traefik offers a metrics feature that provides valuable insights about the performance and usage.
-These metrics include the number of requests received, the requests duration, and more.
-
-On top of supporting metrics in the OpenTelemetry format, Traefik supports the following vendor specific metrics systems: Prometheus, Datadog, InfluxDB 2.X, and StatsD.
-
-Read the [Metrics documentation](./metrics/overview.md) to learn how to configure it.
-
-### Tracing
-
-The Traefik tracing system allows developers to gain deep visibility into the flow of requests through their infrastructure.
-
-Traefik provides tracing information in the OpenTelemery format.
-
-Read the [Tracing documentation](./tracing/overview.md) to learn how to configure it.
diff --git a/docs/content/observability/tracing/opentelemetry.md b/docs/content/observability/tracing/opentelemetry.md
deleted file mode 100644
index 23c7166ae..000000000
--- a/docs/content/observability/tracing/opentelemetry.md
+++ /dev/null
@@ -1,432 +0,0 @@
----
-title: "Traefik OpenTelemetry Documentation"
-description: "Traefik supports several tracing backends, including OpenTelemetry. Learn how to implement it for observability in Traefik Proxy. Read the technical documentation."
----
-
-# OpenTelemetry
-
-Traefik Proxy follows [official OpenTelemetry semantic conventions v1.37.0](https://github.com/open-telemetry/semantic-conventions/blob/v1.37.0/docs/http/http-spans.md).
-
-To enable the OpenTelemetry tracer:
-
-```yaml tab="File (YAML)"
-tracing:
- otlp: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp]
-```
-
-```bash tab="CLI"
---tracing.otlp=true
-```
-
-!!! info "Default protocol"
-
- The OpenTelemetry trace exporter will export traces to the collector using HTTPS by default to https://localhost:4318/v1/traces, see the [gRPC Section](#grpc-configuration) to use gRPC.
-
-!!! info "Trace sampling"
-
- By default, the OpenTelemetry trace exporter will sample 100% of traces.
- See [OpenTelemetry's SDK configuration](https://opentelemetry.io/docs/reference/specification/sdk-environment-variables/#general-sdk-configuration) to customize the sampling strategy.
-
-!!! info "Propagation"
-
- Traefik supports the `OTEL_PROPAGATORS` env variable to set up the propragators. The supported propagators are:
-
- - tracecontext (default)
- - baggage (default)
- - b3
- - b3multi
- - jaeger
- - xray
- - ottrace
-
- Example of configuration:
-
- OTEL_PROPAGATORS=b3,jaeger
-
-
-### HTTP configuration
-
-_Optional_
-
-This instructs the exporter to send spans to the OpenTelemetry Collector using HTTP.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- http: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp.http]
-```
-
-```bash tab="CLI"
---tracing.otlp.http=true
-```
-
-#### `endpoint`
-
-_Optional, Default="https://localhost:4318/v1/traces", Format="`://:`"_
-
-URL of the OpenTelemetry Collector to send spans to.
-
-!!! info "Insecure mode"
-
- To disable TLS, use `http://` instead of `https://` in the `endpoint` configuration.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- http:
- endpoint: https://collector:4318/v1/traces
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp.http]
- endpoint = "https://collector:4318/v1/traces"
-```
-
-```bash tab="CLI"
---tracing.otlp.http.endpoint=https://collector:4318/v1/traces
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with traces by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- http:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp.http.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---tracing.otlp.http.headers.foo=bar --tracing.otlp.http.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- http:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.http.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---tracing.otlp.http.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---tracing.otlp.http.tls.cert=path/to/foo.cert
---tracing.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---tracing.otlp.http.tls.cert=path/to/foo.cert
---tracing.otlp.http.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- http:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.http.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---tracing.otlp.http.tls.insecureSkipVerify=true
-```
-
-### gRPC configuration
-
-_Optional_
-
-This instructs the exporter to send spans to the OpenTelemetry Collector using gRPC.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp.grpc]
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc=true
-```
-
-#### `endpoint`
-
-_Required, Default="localhost:4317", Format="`:`"_
-
-Address of the OpenTelemetry Collector to send spans to.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc:
- endpoint: localhost:4317
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp.grpc]
- endpoint = "localhost:4317"
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc.endpoint=localhost:4317
-```
-#### `insecure`
-
-_Optional, Default=false_
-
-Allows exporter to send spans to the OpenTelemetry Collector without using a secured protocol.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc:
- insecure: true
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp.grpc]
- insecure = true
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc.insecure=true
-```
-
-#### `headers`
-
-_Optional, Default={}_
-
-Additional headers sent with traces by the exporter to the OpenTelemetry Collector.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc:
- headers:
- foo: bar
- baz: buz
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.otlp.grpc.headers]
- foo = "bar"
- baz = "buz"
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc.headers.foo=bar --tracing.otlp.grpc.headers.baz=buz
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the Client TLS configuration used by the exporter to send spans to the OpenTelemetry Collector.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the OpenTelemetry Collector,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.grpc.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc.tls.cert=path/to/foo.cert
---tracing.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the OpenTelemetry Collector.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.grpc.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc.tls.cert=path/to/foo.cert
---tracing.otlp.grpc.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`,
-the TLS connection to the OpenTelemetry Collector accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-tracing:
- otlp:
- grpc:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[tracing.otlp.grpc.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---tracing.otlp.grpc.tls.insecureSkipVerify=true
-```
diff --git a/docs/content/observability/tracing/overview.md b/docs/content/observability/tracing/overview.md
deleted file mode 100644
index ed14f6ac3..000000000
--- a/docs/content/observability/tracing/overview.md
+++ /dev/null
@@ -1,187 +0,0 @@
----
-title: "Traefik Tracing Overview"
-description: "The Traefik Proxy tracing system allows developers to visualize call flows in their infrastructure. Read the full documentation."
----
-
-# Tracing
-
-Visualize the Requests Flow
-{: .subtitle }
-
-The tracing system allows developers to visualize call flows in their infrastructure.
-
-Traefik uses [OpenTelemetry](https://opentelemetry.io/ "Link to website of OTel"), an open standard designed for distributed tracing.
-
-Please check our dedicated [OTel docs](./opentelemetry.md) to learn more.
-
-## Configuration
-
-To enable the tracing:
-
-```yaml tab="File (YAML)"
-tracing: {}
-```
-
-```toml tab="File (TOML)"
-[tracing]
-```
-
-```bash tab="CLI"
---tracing=true
-```
-
-### Common Options
-
-#### `addInternals`
-
-_Optional, Default="false"_
-
-Enables tracing for internal resources (e.g.: `ping@internal`).
-
-```yaml tab="File (YAML)"
-tracing:
- addInternals: true
-```
-
-```toml tab="File (TOML)"
-[tracing]
- addInternals = true
-```
-
-```bash tab="CLI"
---tracing.addinternals
-```
-
-#### `serviceName`
-
-_Required, Default="traefik"_
-
-Service name used in selected backend.
-
-```yaml tab="File (YAML)"
-tracing:
- serviceName: traefik
-```
-
-```toml tab="File (TOML)"
-[tracing]
- serviceName = "traefik"
-```
-
-```bash tab="CLI"
---tracing.serviceName=traefik
-```
-
-#### `sampleRate`
-
-_Optional, Default=1.0_
-
-The proportion of requests to trace, specified between 0.0 and 1.0.
-
-```yaml tab="File (YAML)"
-tracing:
- sampleRate: 0.2
-```
-
-```toml tab="File (TOML)"
-[tracing]
- sampleRate = 0.2
-```
-
-```bash tab="CLI"
---tracing.sampleRate=0.2
-```
-
-#### `resourceAttributes`
-
-_Optional, Default=empty_
-
-Defines additional resource attributes to be sent to the collector.
-
-```yaml tab="File (YAML)"
-tracing:
- resourceAttributes:
- attr1: foo
- attr2: bar
-```
-
-```toml tab="File (TOML)"
-[tracing]
- [tracing.resourceAttributes]
- attr1 = "foo"
- attr2 = "bar"
-```
-
-```bash tab="CLI"
---tracing.resourceAttributes.attr1=foo
---tracing.resourceAttributes.attr2=bar
-```
-
-#### `capturedRequestHeaders`
-
-_Optional, Default=empty_
-
-Defines the list of request headers to add as attributes.
-It applies to client and server kind spans.
-
-```yaml tab="File (YAML)"
-tracing:
- capturedRequestHeaders:
- - X-CustomHeader
- - X-OtherHeader
-```
-
-```toml tab="File (TOML)"
-[tracing]
- capturedRequestHeaders = ["X-CustomHeader", "X-OtherHeader"]
-```
-
-```bash tab="CLI"
---tracing.capturedRequestHeaders="X-CustomHeader,X-OtherHeader"
-```
-
-#### `capturedResponseHeaders`
-
-_Optional, Default=empty_
-
-Defines the list of response headers to add as attributes.
-It applies to client and server kind spans.
-
-```yaml tab="File (YAML)"
-tracing:
- capturedResponseHeaders:
- - X-CustomHeader
- - X-OtherHeader
-```
-
-```toml tab="File (TOML)"
-[tracing]
- capturedResponseHeaders = ["X-CustomHeader", "X-OtherHeader"]
-```
-
-```bash tab="CLI"
---tracing.capturedResponseHeaders="X-CustomHeader,X-OtherHeader"
-```
-
-#### `safeQueryParams`
-
-_Optional, Default=[]_
-
-By default, all query parameters are redacted.
-Defines the list of query parameters to not redact.
-
-```yaml tab="File (YAML)"
-tracing:
- safeQueryParams:
- - bar
- - buz
-```
-
-```toml tab="File (TOML)"
-[tracing]
- safeQueryParams = ["bar", "buz"]
-```
-
-```bash tab="CLI"
---tracing.safeQueryParams=bar,buz
-```
diff --git a/docs/content/operations/api.md b/docs/content/operations/api.md
deleted file mode 100644
index f4fcb03e2..000000000
--- a/docs/content/operations/api.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: "Traefik API Documentation"
-description: "Traefik Proxy exposes information through API handlers. Learn about the security, configuration, and endpoints of APIs. Read the technical documentation."
----
-
-# API
-
-Traefik exposes a number of information through an API handler, such as the configuration of all routers, services, middlewares, etc.
-
-As with all features of Traefik, this handler can be enabled with the [static configuration](../getting-started/configuration-overview.md#the-static-configuration).
-
-## Security
-
-Enabling the API in production is not recommended, because it will expose all configuration elements,
-including sensitive data.
-
-In production, it should be at least secured by authentication and authorizations.
-
-!!! info
- It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
- (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
-
-## Configuration
-
-If you enable the API, a new special `service` named `api@internal` is created and can then be referenced in a router.
-
-To enable the API handler, use the following option on the
-[static configuration](../getting-started/configuration-overview.md#the-static-configuration):
-
-```yaml tab="File (YAML)"
-# Static Configuration
-api: {}
-```
-
-```toml tab="File (TOML)"
-# Static Configuration
-[api]
-```
-
-```bash tab="CLI"
---api=true
-```
-
-And then define a routing configuration on Traefik itself with the
-[dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration):
-
---8<-- "content/operations/include-api-examples.md"
-
-??? warning "The router's [rule](../routing/routers/index.md#rule) must catch requests for the URI path `/api`"
- Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
- However, you can also use "path prefix" rule or any combination or rules.
-
- ```bash tab="Host Rule"
- # Matches http://traefik.example.com, http://traefik.example.com/api
- # or http://traefik.example.com/hello
- rule = "Host(`traefik.example.com`)"
- ```
-
- ```bash tab="Path Prefix Rule"
- # Matches http://api.traefik.example.com/api or http://example.com/api
- # but does not match http://api.traefik.example.com/hello
- rule = "PathPrefix(`/api`)"
- ```
-
- ```bash tab="Combination of Rules"
- # Matches http://traefik.example.com/api or http://traefik.example.com/dashboard
- # but does not match http://traefik.example.com/hello
- rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- ```
-
-### `insecure`
-
-Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`, on path `/api`.
-
-!!! info
- If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.
-
-```yaml tab="File (YAML)"
-api:
- insecure: true
-```
-
-```toml tab="File (TOML)"
-[api]
- insecure = true
-```
-
-```bash tab="CLI"
---api.insecure=true
-```
-
-### `dashboard`
-
-_Optional, Default=true_
-
-Enable the dashboard. More about the dashboard features [here](./dashboard.md).
-
-```yaml tab="File (YAML)"
-api:
- dashboard: true
-```
-
-```toml tab="File (TOML)"
-[api]
- dashboard = true
-```
-
-```bash tab="CLI"
---api.dashboard=true
-```
-
-!!! warning "With Dashboard enabled, the router [rule](../routing/routers/index.md#rule) must catch requests for both `/api` and `/dashboard`"
- Please check the [Dashboard documentation](./dashboard.md#dashboard-router-rule) to learn more about this and to get examples.
-
-### `debug`
-
-_Optional, Default=false_
-
-Enable additional [endpoints](./api.md#endpoints) for debugging and profiling, served under `/debug/`.
-
-```yaml tab="File (YAML)"
-api:
- debug: true
-```
-
-```toml tab="File (TOML)"
-[api]
- debug = true
-```
-
-```bash tab="CLI"
---api.debug=true
-```
-
-## Endpoints
-
-All the following endpoints must be accessed with a `GET` HTTP request.
-
-!!! info "Pagination"
-
- By default, up to 100 results are returned per page, and the next page can be checked using the `X-Next-Page` HTTP Header.
- To control pagination, use the `page` and `per_page` query parameters.
-
- ```bash
- curl https://traefik.example.com:8080/api/http/routers?page=2&per_page=20
- ```
-
-| Path | Description |
-|--------------------------------|-----------------------------------------------------------------------------------------------------|
-| `/api/http/routers` | Lists all the HTTP routers information. |
-| `/api/http/routers/{name}` | Returns the information of the HTTP router specified by `name`. |
-| `/api/http/services` | Lists all the HTTP services information. |
-| `/api/http/services/{name}` | Returns the information of the HTTP service specified by `name`. |
-| `/api/http/middlewares` | Lists all the HTTP middlewares information. |
-| `/api/http/middlewares/{name}` | Returns the information of the HTTP middleware specified by `name`. |
-| `/api/tcp/routers` | Lists all the TCP routers information. |
-| `/api/tcp/routers/{name}` | Returns the information of the TCP router specified by `name`. |
-| `/api/tcp/services` | Lists all the TCP services information. |
-| `/api/tcp/services/{name}` | Returns the information of the TCP service specified by `name`. |
-| `/api/tcp/middlewares` | Lists all the TCP middlewares information. |
-| `/api/tcp/middlewares/{name}` | Returns the information of the TCP middleware specified by `name`. |
-| `/api/udp/routers` | Lists all the UDP routers information. |
-| `/api/udp/routers/{name}` | Returns the information of the UDP router specified by `name`. |
-| `/api/udp/services` | Lists all the UDP services information. |
-| `/api/udp/services/{name}` | Returns the information of the UDP service specified by `name`. |
-| `/api/entrypoints` | Lists all the entry points information. |
-| `/api/entrypoints/{name}` | Returns the information of the entry point specified by `name`. |
-| `/api/overview` | Returns statistic information about http and tcp as well as enabled features and providers. |
-| `/api/support-dump` | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
-| `/api/rawdata` | Returns information about dynamic configurations, errors, status and dependency relations. |
-| `/api/version` | Returns information about Traefik version. |
-| `/debug/vars` | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
-| `/debug/pprof/` | See the [pprof Index](https://golang.org/pkg/net/http/pprof/#Index) Go documentation. |
-| `/debug/pprof/cmdline` | See the [pprof Cmdline](https://golang.org/pkg/net/http/pprof/#Cmdline) Go documentation. |
-| `/debug/pprof/profile` | See the [pprof Profile](https://golang.org/pkg/net/http/pprof/#Profile) Go documentation. |
-| `/debug/pprof/symbol` | See the [pprof Symbol](https://golang.org/pkg/net/http/pprof/#Symbol) Go documentation. |
-| `/debug/pprof/trace` | See the [pprof Trace](https://golang.org/pkg/net/http/pprof/#Trace) Go documentation. |
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/operations/cli.md b/docs/content/operations/cli.md
deleted file mode 100644
index 1f20a8f10..000000000
--- a/docs/content/operations/cli.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: "Traefik CLI Documentation"
-description: "Learn the basics of the Traefik Proxy command line interface (CLI). Read the technical documentation."
----
-
-# CLI
-
-The Traefik Command Line
-{: .subtitle }
-
-## General
-
-```bash
-traefik [command] [flags] [arguments]
-```
-
-Use `traefik [command] --help` for help on any command.
-
-Commands:
-
-- `healthcheck` Calls Traefik `/ping` to check the health of Traefik (the API must be enabled).
-- `version` Shows the current Traefik version.
-
-Flag's usage:
-
-```bash
-# set flag_argument to flag(s)
-traefik [--flag=flag_argument] [-f [flag_argument]]
-
-# set true/false to boolean flag(s)
-traefik [--flag[=true|false| ]] [-f [true|false| ]]
-```
-
-All flags are documented in the [(static configuration) CLI reference](../reference/install-configuration/configuration-options.md).
-
-!!! info "Flags are case-insensitive."
-
-### `healthcheck`
-
-Calls Traefik `/ping` to check the health of Traefik.
-Its exit status is `0` if Traefik is healthy and `1` otherwise.
-
-This can be used with Docker [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction
-or any other health check orchestration mechanism.
-
-!!! info
- The [`ping` endpoint](../operations/ping.md) must be enabled to allow the `healthcheck` command to call `/ping`.
-
-Usage:
-
-```bash
-traefik healthcheck [command] [flags] [arguments]
-```
-
-Example:
-
-```bash
-$ traefik healthcheck
-OK: http://:8082/ping
-```
-
-### `version`
-
-Shows the current Traefik version.
-
-Usage:
-
-```bash
-traefik version
-```
diff --git a/docs/content/operations/dashboard.md b/docs/content/operations/dashboard.md
deleted file mode 100644
index 6b086a272..000000000
--- a/docs/content/operations/dashboard.md
+++ /dev/null
@@ -1,171 +0,0 @@
----
-title: "Traefik Dashboard Documentation"
-description: "The dashboard shows you the current active routes handled by Traefik Proxy in one central place. Read the technical documentation to learn its operations."
----
-
-# The Dashboard
-
-See What's Going On
-{: .subtitle }
-
-The dashboard is the central place that shows you the current active routes handled by Traefik.
-
-
-
- The dashboard in action
-
-
-The dashboard is available at the same location as the [API](./api.md) but on the path `/dashboard/` by default.
-
-!!! warning "The trailing slash `/` in `/dashboard/` is mandatory"
-
-There are 2 ways to configure and access the dashboard:
-
-- [Secure mode (Recommended)](#secure-mode)
-- [Insecure mode](#insecure-mode)
-
-!!! note ""
- There is also a redirect of the path `/` to the path `/dashboard/`,
- but one should not rely on that property as it is bound to change,
- and it might make for confusing routing rules anyway.
-
-## Secure Mode
-
-This is the **recommended** method.
-
-Start by enabling the dashboard by using the following option from [Traefik's API](./api.md)
-on the [static configuration](../getting-started/configuration-overview.md#the-static-configuration):
-
-```yaml tab="File (YAML)"
-api: {}
-```
-
-```toml tab="File (TOML)"
-[api]
-```
-
-```bash tab="CLI"
---api=true
-```
-
-Then define a routing configuration on Traefik itself,
-with a router attached to the service `api@internal` in the
-[dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration),
-to allow defining:
-
-- One or more security features through [middlewares](../middlewares/overview.md)
- like authentication ([basicAuth](../middlewares/http/basicauth.md), [digestAuth](../middlewares/http/digestauth.md),
- [forwardAuth](../middlewares/http/forwardauth.md)) or [allowlisting](../middlewares/http/ipallowlist.md).
-
-- A [router rule](#dashboard-router-rule) for accessing the dashboard,
- through Traefik itself (sometimes referred to as "Traefik-ception").
-
-### Dashboard Router Rule
-
-As underlined in the [documentation for the `api.dashboard` option](./api.md#dashboard),
-the [router rule](../routing/routers/index.md#rule) defined for Traefik must match
-the path prefixes `/api` and `/dashboard`.
-
-We recommend using a "Host Based rule" as ```Host(`traefik.example.com`)``` to match everything on the host domain,
-or to make sure that the defined rule captures both prefixes:
-
-```bash tab="Host Rule"
-# The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.example.com`)"
-```
-
-```bash tab="Path Prefix Rule"
-# The dashboard can be accessed on http://example.com/dashboard/ or http://traefik.example.com/dashboard/
-rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
-```
-
-```bash tab="Combination of Rules"
-# The dashboard can be accessed on http://traefik.example.com/dashboard/
-rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
-```
-
-??? example "Dashboard Dynamic Configuration Examples"
- --8<-- "content/operations/include-dashboard-examples.md"
-
-### Custom API Base Path
-
-As shown above, by default Traefik exposes its API and Dashboard under the `/` base path,
-which means that respectively the API is served under the `/api` path,
-and the dashboard under the `/dashboard` path.
-
-However, it is possible to configure this base path:
-
-```yaml tab="File (YAML)"
-api:
- # Customizes the base path:
- # - Serving API under `/traefik/api`
- # - Serving Dashboard under `/traefik/dashboard`
- basePath: /traefik
-```
-
-```toml tab="File (TOML)"
-[api]
- # Customizes the base path:
- # - Serving API under `/traefik/api`
- # - Serving Dashboard under `/traefik/dashboard`
- basePath = "/traefik"
-```
-
-```bash tab="CLI"
-# Customizes the base path:
-# - Serving API under `/traefik/api`
-# - Serving Dashboard under `/traefik/dashboard`
---api.basePath=/traefik
-```
-
-??? example "Dashboard Under Custom Path Dynamic Configuration Examples"
- --8<-- "content/operations/include-dashboard-custom-path-examples.md"
-
-## Insecure Mode
-
-!!! warning "Please note that this mode is incompatible with the [custom API base path option](#custom-api-base-path)."
-
-When _insecure_ mode is enabled, one can access the dashboard on the `traefik` port (default: `8080`) of the Traefik instance,
-at the following URL: `http://:8080/dashboard/` (trailing slash is mandatory).
-
-This mode is **not** recommended because it does not allow security features.
-For example, it is not possible to add an authentication middleware with this mode.
-
-It should be used for testing purpose **only**.
-
-To enable the _insecure_ mode, use the following options from [Traefik's API](./api.md#insecure):
-
-```yaml tab="File (YAML)"
-api:
- insecure: true
-```
-
-```toml tab="File (TOML)"
-[api]
- insecure = true
-```
-
-```bash tab="CLI"
---api.insecure=true
-```
-
-## Disable The Dashboard
-
-By default, the dashboard is enabled when the API is enabled.
-If necessary, the dashboard can be disabled by using the following option.
-
-```yaml tab="File (YAML)"
-api:
- dashboard: false
-```
-
-```toml tab="File (TOML)"
-[api]
- dashboard = false
-```
-
-```bash tab="CLI"
---api.dashboard=false
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/operations/ping.md b/docs/content/operations/ping.md
deleted file mode 100644
index a2b4577f3..000000000
--- a/docs/content/operations/ping.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: "Traefik Ping Documentation"
-description: "In Traefik Proxy, Ping lets you check the health of your Traefik instances. Read the technical documentation for configuration examples and options."
----
-
-# Ping
-
-Checking the Health of Your Traefik Instances
-{: .subtitle }
-
-## Configuration Examples
-
-To enable the API handler:
-
-```yaml tab="File (YAML)"
-ping: {}
-```
-
-```toml tab="File (TOML)"
-[ping]
-```
-
-```bash tab="CLI"
---ping=true
-```
-
-## Configuration Options
-
-The `/ping` health-check URL is enabled with the command-line `--ping` or config file option `[ping]`.
-
-The `entryPoint` where the `/ping` is active can be customized with the `entryPoint` option,
-whose default value is `traefik` (port `8080`).
-
-| Path | Method | Description |
-|---------|---------------|-----------------------------------------------------------------------------------------------------|
-| `/ping` | `GET`, `HEAD` | An endpoint to check for Traefik process liveness. Return a code `200` with the content: `OK` |
-
-!!! note
- The `cli` comes with a [`healthcheck`](./cli.md#healthcheck) command which can be used for calling this endpoint.
-
-### `entryPoint`
-
-_Optional, Default="traefik"_
-
-Enabling /ping on a dedicated EntryPoint.
-
-```yaml tab="File (YAML)"
-entryPoints:
- ping:
- address: ":8082"
-
-ping:
- entryPoint: "ping"
-```
-
-```toml tab="File (TOML)"
-[entryPoints]
- [entryPoints.ping]
- address = ":8082"
-
-[ping]
- entryPoint = "ping"
-```
-
-```bash tab="CLI"
---entryPoints.ping.address=:8082
---ping.entryPoint=ping
-```
-
-### `manualRouting`
-
-_Optional, Default=false_
-
-If `manualRouting` is `true`, it disables the default internal router in order to allow one to create a custom router for the `ping@internal` service.
-
-```yaml tab="File (YAML)"
-ping:
- manualRouting: true
-```
-
-```toml tab="File (TOML)"
-[ping]
- manualRouting = true
-```
-
-```bash tab="CLI"
---ping.manualrouting=true
-```
-
-### `terminatingStatusCode`
-
-_Optional, Default=503_
-
-During the period in which Traefik is gracefully shutting down, the ping handler
-returns a `503` status code by default.
-If Traefik is behind, for example a load-balancer
-doing health checks (such as the Kubernetes LivenessProbe), another code might
-be expected as the signal for graceful termination.
-In that case, the terminatingStatusCode can be used to set the code returned by the ping
-handler during termination.
-
-```yaml tab="File (YAML)"
-ping:
- terminatingStatusCode: 204
-```
-
-```toml tab="File (TOML)"
-[ping]
- terminatingStatusCode = 204
-```
-
-```bash tab="CLI"
---ping.terminatingStatusCode=204
-```
diff --git a/docs/content/plugins/index.md b/docs/content/plugins/index.md
deleted file mode 100644
index b3172a9a8..000000000
--- a/docs/content/plugins/index.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: "Traefik Plugins Documentation"
-description: "Learn how to use Traefik Plugins. Read the technical documentation."
----
-
-# Traefik Plugins and the Plugin Catalog
-
-Plugins are a powerful feature for extending Traefik with custom features and behaviors.
-The [Plugin Catalog](https://plugins.traefik.io/) is a software-as-a-service (SaaS) platform that provides an exhaustive list of the existing plugins.
-
-??? note "Plugin Catalog Access"
- You can reach the [Plugin Catalog](https://plugins.traefik.io/) from the Traefik Dashboard using the `Plugins` menu entry.
-
-To add a new plugin to a Traefik instance, you must change that instance's static configuration.
-Each plugin's **Install** section provides a static configuration example.
-Many plugins have their own section in the Traefik dynamic configuration.
-
-To learn more about Traefik plugins, consult the [documentation](https://plugins.traefik.io/install).
-
-!!! danger "Experimental Features"
- Plugins can change the behavior of Traefik in unforeseen ways.
- Exercise caution when adding new plugins to production Traefik instances.
-
-## Build Your Own Plugins
-
-Traefik users can create their own plugins and share them with the community using the Plugin Catalog.
-
-Traefik will load plugins dynamically.
-They need not be compiled, and no complex toolchain is necessary to build them.
-The experience of implementing a Traefik plugin is comparable to writing a web browser extension.
-
-To learn more about Traefik plugin creation, please refer to the [developer documentation](https://plugins.traefik.io/create).
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/consul-catalog.md b/docs/content/providers/consul-catalog.md
deleted file mode 100644
index 34b81f0ed..000000000
--- a/docs/content/providers/consul-catalog.md
+++ /dev/null
@@ -1,765 +0,0 @@
----
-title: "Consul Catalog Configuration Discovery"
-description: "Learn how to use Consul Catalog as a provider for configuration discovery in Traefik Proxy. Read the technical documentation."
----
-
-# Traefik & Consul Catalog
-
-A Story of Tags, Services & Instances
-{: .subtitle }
-
-
-
-Attach tags to your services and let Traefik do the rest!
-
-## Configuration Examples
-
-??? example "Configuring Consul Catalog & Deploying / Exposing Services"
-
- Enabling the consul catalog provider
-
- ```yaml tab="File (YAML)"
- providers:
- consulCatalog: {}
- ```
-
- ```toml tab="File (TOML)"
- [providers.consulCatalog]
- ```
-
- ```bash tab="CLI"
- --providers.consulcatalog=true
- ```
-
- Attaching tags to services
-
- ```yaml
- - traefik.http.routers.my-router.rule=Host(`example.com`)
- ```
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/consul-catalog.md).
-
-## Provider Configuration
-
-### `refreshInterval`
-
-_Optional, Default=15s_
-
-Defines the polling interval.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- refreshInterval: 30s
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- refreshInterval = "30s"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.refreshInterval=30s
-# ...
-```
-
-### `prefix`
-
-_required, Default="traefik"_
-
-The prefix for Consul Catalog tags defining Traefik labels.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- prefix: test
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- prefix = "test"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.prefix=test
-# ...
-```
-
-### `requireConsistent`
-
-_Optional, Default=false_
-
-Forces the read to be fully consistent.
-
-!!! note ""
-
- It is more expensive due to an extra round-trip but prevents ever performing a stale read.
-
- For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- requireConsistent: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- requireConsistent = true
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.requireConsistent=true
-# ...
-```
-
-### `stale`
-
-_Optional, Default=false_
-
-Use stale consistency for catalog reads.
-
-!!! note ""
-
- This makes reads very fast and scalable at the cost of a higher likelihood of stale values.
-
- For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- stale: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- stale = true
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.stale=true
-# ...
-```
-
-### `cache`
-
-_Optional, Default=false_
-
-Use local agent caching for catalog reads.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- cache: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- cache = true
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.cache=true
-# ...
-```
-
-### `endpoint`
-
-Defines the Consul server endpoint.
-
-#### `address`
-
-Defines the address of the Consul server.
-
-_Optional, Default="127.0.0.1:8500"_
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- address: 127.0.0.1:8500
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- [providers.consulCatalog.endpoint]
- address = "127.0.0.1:8500"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.address=127.0.0.1:8500
-# ...
-```
-
-#### `scheme`
-
-_Optional, Default=""_
-
-Defines the URI scheme for the Consul server.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- scheme: https
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- [providers.consulCatalog.endpoint]
- scheme = "https"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.scheme=https
-# ...
-```
-
-#### `datacenter`
-
-_Optional, Default=""_
-
-Defines the datacenter to use.
-If not provided in Traefik, Consul uses the default agent datacenter.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- datacenter: test
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- [providers.consulCatalog.endpoint]
- datacenter = "test"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.datacenter=test
-# ...
-```
-
-#### `token`
-
-_Optional, Default=""_
-
-Token is used to provide a per-request ACL token which overwrites the agent's default token.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- token: test
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- [providers.consulCatalog.endpoint]
- token = "test"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.token=test
-# ...
-```
-
-#### `endpointWaitTime`
-
-_Optional, Default=""_
-
-Limits the duration for which a Watch can block.
-If not provided, the agent default values will be used.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- endpointWaitTime: 15s
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- [providers.consulCatalog.endpoint]
- endpointWaitTime = "15s"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.endpointwaittime=15s
-# ...
-```
-
-#### `httpAuth`
-
-_Optional_
-
-Used to authenticate the HTTP client using HTTP Basic Authentication.
-
-##### `username`
-
-_Optional, Default=""_
-
-Username to use for HTTP Basic Authentication.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- httpAuth:
- username: test
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.httpAuth]
- username = "test"
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.httpauth.username=test
-```
-
-##### `password`
-
-_Optional, Default=""_
-
-Password to use for HTTP Basic Authentication.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- httpAuth:
- password: test
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.httpAuth]
- password = "test"
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.httpauth.password=test
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Consul Catalog.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to Consul Catalog,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to Consul Catalog.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
---providers.consulcatalog.endpoint.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to Consul Catalog.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.tls.cert=path/to/foo.cert
---providers.consulcatalog.endpoint.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- endpoint:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog.endpoint.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.consulcatalog.endpoint.tls.insecureskipverify=true
-```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Expose Consul Catalog services by default in Traefik.
-If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- exposedByDefault: false
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- exposedByDefault = false
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.exposedByDefault=false
-# ...
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The default host rule for all services.
-
-For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
-The `defaultRule` must be set to a valid [Go template](https://pkg.go.dev/text/template/),
-and can include [sprig template functions](https://masterminds.github.io/sprig/).
-The service name can be accessed with the `Name` identifier,
-and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
-
-The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
-# ...
-```
-
-??? info "Default rule and Traefik service"
-
- The exposure of the Traefik container, combined with the default rule mechanism,
- can lead to create a router targeting itself in a loop.
- In this case, to prevent an infinite loop,
- Traefik adds an internal middleware to refuse the request if it comes from the same router.
-
-### `connectAware`
-
-_Optional, Default=false_
-
-Enable Consul Connect support.
-If set to `true`, Traefik will be enabled to communicate with Connect services.
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- connectAware = true
- # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- connectAware: true
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.connectAware=true
-# ...
-```
-
-### `connectByDefault`
-
-_Optional, Default=false_
-
-Consider every service as Connect capable by default.
-If set to `true`, Traefik will consider every Consul Catalog service to be Connect capable by default.
-The option can be overridden on an instance basis with the `traefik.consulcatalog.connect` tag.
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- connectByDefault = true
- # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- connectByDefault: true
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.connectByDefault=true
-# ...
-```
-
-### `serviceName`
-
-_Optional, Default="traefik"_
-
-Name of the Traefik service in Consul Catalog.
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- serviceName = "test"
- # ...
-```
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- serviceName: test
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.serviceName=test
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the service tags to determine whether
-to create any route for that service. If none of the service tags match the expression, no route for that service is
-created. If the expression is empty, all detected services are included.
-
-The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
-as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
- ```toml
- # Includes only services having the tag `a.tag.name=foo`
- constraints = "Tag(`a.tag.name=foo`)"
- ```
-
- ```toml
- # Excludes services having any tag `a.tag.name=foo`
- constraints = "!Tag(`a.tag.name=foo`)"
- ```
-
- ```toml
- # With logical AND.
- constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
- ```
-
- ```toml
- # With logical OR.
- constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
- ```
-
- ```toml
- # With logical AND and OR, with precedence set by parentheses.
- constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
- ```
-
- ```toml
- # Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
- constraints = "TagRegex(`a\.tag\.t.+`)"
- ```
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- constraints: "Tag(`a.tag.name`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- constraints = "Tag(`a.tag.name`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.constraints="Tag(`a.tag.name`)"
-# ...
-```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-### `namespaces`
-
-_Optional, Default=""_
-
-The `namespaces` option defines the namespaces in which the consul catalog services will be discovered.
-When using the `namespaces` option, the discovered configuration object names will be suffixed as shown below:
-
-```text
-@consulcatalog-
-```
-
-!!! warning
-
- The namespaces option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
- which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-
-!!! warning
-
- One should only define either the `namespaces` option or the `namespace` option.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- namespaces:
- - "ns1"
- - "ns2"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- namespaces = ["ns1", "ns2"]
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.namespaces=ns1,ns2
-# ...
-```
-
-### `strictChecks`
-
-_Optional, Default="passing,warning"_
-
-Define which [Consul Service health checks](https://developer.hashicorp.com/consul/docs/services/usage/checks#define-initial-health-check-status) are allowed to take on traffic.
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- strictChecks:
- - "passing"
- - "warning"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- strictChecks = ["passing", "warning"]
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.strictChecks=passing,warning
-# ...
-```
-
-### `watch`
-
-_Optional, Default=false_
-
-When set to `true`, watches for Consul changes ([Consul watches checks](https://www.consul.io/docs/dynamic-app-config/watches#checks)).
-
-```yaml tab="File (YAML)"
-providers:
- consulCatalog:
- watch: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consulCatalog]
- watch = true
- # ...
-```
-
-```bash tab="CLI"
---providers.consulcatalog.watch=true
-# ...
-```
diff --git a/docs/content/providers/consul.md b/docs/content/providers/consul.md
deleted file mode 100644
index ba961fd54..000000000
--- a/docs/content/providers/consul.md
+++ /dev/null
@@ -1,272 +0,0 @@
----
-title: "Traefik Consul Documentation"
-description: "Use Consul as a provider for configuration discovery in Traefik Proxy. Automate and store your configurations with Consul. Read the technical documentation."
----
-
-# Traefik & Consul
-
-A Story of KV store & Containers
-{: .subtitle }
-
-Store your configuration in Consul and let Traefik do the rest!
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/kv.md).
-
-## Provider Configuration
-
-### `endpoints`
-
-_Required, Default="127.0.0.1:8500"_
-
-Defines how to access Consul.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- endpoints:
- - "127.0.0.1:8500"
-```
-
-```toml tab="File (TOML)"
-[providers.consul]
- endpoints = ["127.0.0.1:8500"]
-```
-
-```bash tab="CLI"
---providers.consul.endpoints=127.0.0.1:8500
-```
-
-### `rootKey`
-
-_Required, Default="traefik"_
-
-Defines the root key of the configuration.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- rootKey: "traefik"
-```
-
-```toml tab="File (TOML)"
-[providers.consul]
- rootKey = "traefik"
-```
-
-```bash tab="CLI"
---providers.consul.rootkey=traefik
-```
-
-### `namespaces`
-
-_Optional, Default=""_
-
-The `namespaces` option defines the namespaces to query.
-When using the `namespaces` option, the discovered configuration object names will be suffixed as shown below:
-
-```text
-@consul-
-```
-
-!!! warning
-
- The namespaces option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
- which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
-
-!!! warning
-
- One should only define either the `namespaces` option or the `namespace` option.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- namespaces:
- - "ns1"
- - "ns2"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.consul]
- namespaces = ["ns1", "ns2"]
- # ...
-```
-
-```bash tab="CLI"
---providers.consul.namespaces=ns1,ns2
-# ...
-```
-
-### `username`
-
-_Optional, Default=""_
-
-Defines a username to connect to Consul with.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- # ...
- username: "foo"
-```
-
-```toml tab="File (TOML)"
-[providers.consul]
- # ...
- username = "foo"
-```
-
-```bash tab="CLI"
---providers.consul.username=foo
-```
-
-### `password`
-
-_Optional, Default=""_
-
-Defines a password with which to connect to Consul.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- # ...
- password: "bar"
-```
-
-```toml tab="File (TOML)"
-[providers.consul]
- # ...
- password = "bar"
-```
-
-```bash tab="CLI"
---providers.consul.password=bar
-```
-
-### `token`
-
-_Optional, Default=""_
-
-Defines a token with which to connect to Consul.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- # ...
- token: "bar"
-```
-
-```toml tab="File (TOML)"
-[providers.consul]
- # ...
- token = "bar"
-```
-
-```bash tab="CLI"
---providers.consul.token=bar
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Consul.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to Consul,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.consul.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to Consul.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.consul.tls.cert=path/to/foo.cert
---providers.consul.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to Consul.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.consul.tls.cert=path/to/foo.cert
---providers.consul.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- consul:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.consul.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.consul.tls.insecureSkipVerify=true
-```
diff --git a/docs/content/providers/docker.md b/docs/content/providers/docker.md
deleted file mode 100644
index ead62884a..000000000
--- a/docs/content/providers/docker.md
+++ /dev/null
@@ -1,705 +0,0 @@
----
-title: "Traefik Docker Documentation"
-description: "Learn how to achieve configuration discovery in Traefik through Docker. Read the technical documentation."
----
-
-# Traefik & Docker
-
-A Story of Labels & Containers
-{: .subtitle }
-
-
-
-Attach labels to your containers and let Traefik do the rest!
-
-This provider works with [Docker (standalone) Engine](https://docs.docker.com/engine/).
-
-!!! tip "The Quick Start Uses Docker"
-
- If you have not already read it, maybe you would like to go through the [quick start guide](../getting-started/quick-start.md) that uses the Docker provider.
-
-## Configuration Examples
-
-??? example "Configuring Docker & Deploying / Exposing one Service"
-
- Enabling the docker provider
-
- ```yaml tab="File (YAML)"
- providers:
- docker: {}
- ```
-
- ```toml tab="File (TOML)"
- [providers.docker]
- ```
-
- ```bash tab="CLI"
- --providers.docker=true
- ```
-
- Attaching labels to containers (in your docker compose file)
-
- ```yaml
- services:
- my-container:
- # ...
- labels:
- - traefik.http.routers.my-container.rule=Host(`example.com`)
- ```
-
-## Routing Configuration
-
-When using Docker as a [provider](./overview.md),
-Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#label) to retrieve its routing configuration.
-
-See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
-
-### Routing Configuration with Labels
-
-By default, Traefik watches for [container level labels](https://docs.docker.com/config/labels-custom-metadata/) on a standalone Docker Engine.
-
-When using Docker Compose, labels are specified by the directive
-[`labels`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels) from the
-["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference).
-
-!!! tip "Not Only Docker"
-
- Please note that any tool like Nomad, Terraform, Ansible, etc.
- that is able to define a Docker container with labels can work
- with Traefik and the Docker provider.
-
-### Port Detection
-
-Traefik retrieves the private IP and port of containers from the Docker API.
-
-Port detection for private communication works as follows:
-
-- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) a single port,
- then Traefik uses this port.
-- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
- then Traefik uses the lowest port. E.g. if `80` and `8080` are exposed, Traefik will use `80`.
-- If a container does not expose any port, or the selection from multiple ports does not fit,
- then you must manually specify which port Traefik should use for communication
- by using the label `traefik.http.services..loadbalancer.server.port`
- (Read more on this label in the dedicated section in [routing](../routing/providers/docker.md#services)).
-
-### Host networking
-
-When exposing containers that are configured with [host networking](https://docs.docker.com/network/host/),
-the IP address of the host is resolved as follows:
-
-- try a lookup of `host.docker.internal`
-- if the lookup was unsuccessful, try a lookup of `host.containers.internal`, ([Podman](https://docs.podman.io/en/latest/) equivalent of `host.docker.internal`)
-- if that lookup was also unsuccessful, fall back to `127.0.0.1`
-
-On Linux, for versions of Docker older than 20.10.0, for `host.docker.internal` to be defined, it should be provided
-as an `extra_host` to the Traefik container, using the `--add-host` flag. For example, to set it to the IP address of
-the bridge interface (`docker0` by default): `--add-host=host.docker.internal:172.17.0.1`
-
-### IPv4 && IPv6
-
-When using a docker stack that uses IPv6,
-Traefik will use the IPv4 container IP before its IPv6 counterpart.
-Therefore, on an IPv6 Docker stack,
-Traefik will use the IPv6 container IP.
-
-### Docker API Access
-
-Traefik requires access to the docker socket to get its dynamic configuration.
-
-You can specify which Docker API Endpoint to use with the directive [`endpoint`](#endpoint).
-
-!!! warning "Security Note"
-
- Accessing the Docker API without any restriction is a security concern:
- If Traefik is attacked, then the attacker might get access to the underlying host.
- {: #security-note }
-
- As explained in the [Docker Daemon Attack Surface documentation](https://docs.docker.com/engine/security/#docker-daemon-attack-surface):
-
- !!! quote
-
- [...] only **trusted** users should be allowed to control your Docker daemon [...]
-
- ??? success "Solutions"
-
- Expose the Docker socket over TCP or SSH, instead of the default Unix socket file.
- It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
-
- - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/protect-access/)
- - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
- - Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
- - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
- - Accounting at container level, by exposing the socket on a another container than Traefik's.
- - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
- - SSH public key authentication (SSH is supported with Docker > 18.09)
- - Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.
-
- ??? info "More Resources and Examples"
-
- - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
- - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
- - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
- - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
- - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
- - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
- - [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
- - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
- - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
- - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
-
-## Provider Configuration
-
-### `endpoint`
-
-_Required, Default="unix:///var/run/docker.sock"_
-
-See the [Docker API Access](#docker-api-access) section for more information.
-
-??? example "Using the docker.sock"
-
- The docker-compose file shares the docker sock with the Traefik container
-
- ```yaml
- services:
- traefik:
- image: traefik:v3.7 # The official v3 Traefik docker image
- ports:
- - "80:80"
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- ```
-
- We specify the docker.sock in traefik's configuration file.
-
- ```yaml tab="File (YAML)"
- providers:
- docker:
- endpoint: "unix:///var/run/docker.sock"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.docker]
- endpoint = "unix:///var/run/docker.sock"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.docker.endpoint=unix:///var/run/docker.sock
- # ...
- ```
-
-??? example "Using SSH"
-
- Using Docker 18.09+ you can connect Traefik to daemon using SSH.
- We specify the SSH host and user in Traefik's configuration file.
- Note that if the server requires public keys for authentication, you must have them accessible for the user running Traefik.
-
- ```yaml tab="File (YAML)"
- providers:
- docker:
- endpoint: "ssh://traefik@192.168.2.5:2022"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.docker]
- endpoint = "ssh://traefik@192.168.2.5:2022"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.docker.endpoint=ssh://traefik@192.168.2.5:2022
- # ...
- ```
-
-??? example "Using HTTP"
-
- Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
-
- ```yaml tab="File (YAML)"
- providers:
- docker:
- endpoint: "http://127.0.0.1:2375"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.docker]
- endpoint = "http://127.0.0.1:2375"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.docker.endpoint=http://127.0.0.1:2375
- # ...
- ```
-
-??? example "Using TCP"
-
- Using Docker Engine API you can connect Traefik to remote daemon using TCP.
-
- ```yaml tab="File (YAML)"
- providers:
- docker:
- endpoint: "tcp://127.0.0.1:2375"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.docker]
- endpoint = "tcp://127.0.0.1:2375"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.docker.endpoint=tcp://127.0.0.1:2375
- # ...
- ```
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- endpoint: "unix:///var/run/docker.sock"
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- endpoint = "unix:///var/run/docker.sock"
-```
-
-```bash tab="CLI"
---providers.docker.endpoint=unix:///var/run/docker.sock
-```
-
-### `username`
-
-_Optional, Default=""_
-
-Defines the username for Basic HTTP authentication.
-This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- username: foo
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- username = "foo"
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.username="foo"
-# ...
-```
-
-### `password`
-
-_Optional, Default=""_
-
-Defines the password for Basic HTTP authentication.
-This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- password: foo
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- password = "foo"
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.password="foo"
-# ...
-```
-
-### `useBindPortIP`
-
-_Optional, Default=false_
-
-Traefik routes requests to the IP/port of the matching container.
-When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
-
-When used in conjunction with the `traefik.http.services..loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
-Traefik tries to find a binding on port `traefik.http.services..loadbalancer.server.port`.
-If it cannot find such a binding, Traefik falls back on the internal network IP of the container,
-but still uses the `traefik.http.services..loadbalancer.server.port` that is set in the label.
-
-??? example "Examples of `usebindportip` in different situations."
-
- | port label | Container's binding | Routes to |
- |--------------------|----------------------------------------------------|----------------|
- | - | - | IntIP:IntPort |
- | - | ExtPort:IntPort | IntIP:IntPort |
- | - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
- | LblPort | - | IntIp:LblPort |
- | LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
- | LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
- | LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
-
- !!! info ""
- In the above table:
-
- - `ExtIp` stands for "external IP found in the binding"
- - `IntIp` stands for "internal network container's IP",
- - `ExtPort` stands for "external Port found in the binding"
- - `IntPort` stands for "internal network container's port."
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- useBindPortIP: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- useBindPortIP = true
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.useBindPortIP=true
-# ...
-```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Expose containers by default through Traefik.
-If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- exposedByDefault: false
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- exposedByDefault = false
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.exposedByDefault=false
-# ...
-```
-
-### `network`
-
-_Optional, Default=""_
-
-Defines a default docker network to use for connections to all containers.
-
-This option can be overridden on a per-container basis with the `traefik.docker.network` label.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- network: test
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- network = "test"
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.network=test
-# ...
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
-
-It must be a valid [Go template](https://pkg.go.dev/text/template/),
-and can use [sprig template functions](https://masterminds.github.io/sprig/).
-The container name can be accessed with the `ContainerName` identifier.
-The service name can be accessed with the `Name` identifier.
-The template has access to all the labels defined on this container with the `Labels` identifier.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
-# ...
-```
-
-??? info "Default rule and Traefik service"
-
- The exposure of the Traefik container, combined with the default rule mechanism,
- can lead to create a router targeting itself in a loop.
- In this case, to prevent an infinite loop,
- Traefik adds an internal middleware to refuse the request if it comes from the same router.
-
-### `httpClientTimeout`
-
-_Optional, Default=0_
-
-Defines the client timeout (in seconds) for HTTP connections. If its value is `0`, no timeout is set.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- httpClientTimeout: 300
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- httpClientTimeout = 300
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.httpClientTimeout=300
-# ...
-```
-
-### `watch`
-
-_Optional, Default=true_
-
-Watch Docker events.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- watch: false
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- watch = false
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.watch=false
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
-to create any route for that container. If none of the container labels match the expression, no route for that container is
-created. If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
-as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
- ```toml
- # Includes only containers having a label with key `a.label.name` and value `foo`
- constraints = "Label(`a.label.name`, `foo`)"
- ```
-
- ```toml
- # Excludes containers having any label with key `a.label.name` and value `foo`
- constraints = "!Label(`a.label.name`, `value`)"
- ```
-
- ```toml
- # With logical AND.
- constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
- ```
-
- ```toml
- # With logical OR.
- constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
- ```
-
- ```toml
- # With logical AND and OR, with precedence set by parentheses.
- constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
- ```
-
- ```toml
- # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
- constraints = "LabelRegex(`a.label.name`, `a.+`)"
- ```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- constraints: "Label(`a.label.name`,`foo`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- constraints = "Label(`a.label.name`,`foo`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.docker.constraints=Label(`a.label.name`,`foo`)
-# ...
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Docker.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to Docker,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.docker.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-`cert` is the path to the public certificate used for the secure connection to Docker.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.docker.tls.cert=path/to/foo.cert
---providers.docker.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection Docker.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.docker.tls.cert=path/to/foo.cert
---providers.docker.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.docker.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.docker.tls.insecureSkipVerify=true
-```
-
-### `allowEmptyServices`
-
-_Optional, Default=false_
-
-If the parameter is set to `true`,
-any [servers load balancer](../routing/services/index.md#servers-load-balancer) defined for Docker containers is created
-regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers.
-It also then stays alive and responsive even at times when it becomes empty,
-i.e. when all its children containers become unhealthy.
-This results in `503` HTTP responses instead of `404` ones,
-in the above cases.
-
-```yaml tab="File (YAML)"
-providers:
- docker:
- allowEmptyServices: true
-```
-
-```toml tab="File (TOML)"
-[providers.docker]
- allowEmptyServices = true
-```
-
-```bash tab="CLI"
---providers.docker.allowEmptyServices=true
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/ecs.md b/docs/content/providers/ecs.md
deleted file mode 100644
index 420e8c695..000000000
--- a/docs/content/providers/ecs.md
+++ /dev/null
@@ -1,356 +0,0 @@
----
-title: "Traefik AWS ECS Documentation"
-description: "Configuration discovery in Traefik is achieved through Providers. Read the technical documentation for leveraging AWS ECS in Traefik."
----
-
-# Traefik & AWS ECS
-
-A Story of Labels & Elastic Containers
-{: .subtitle }
-
-Attach labels to your ECS containers and let Traefik do the rest!
-
-## Configuration Examples
-
-??? example "Configuring ECS provider"
-
- Enabling the ECS provider:
-
- ```yaml tab="File (YAML)"
- providers:
- ecs: {}
- ```
-
- ```toml tab="File (TOML)"
- [providers.ecs]
- ```
-
- ```bash tab="CLI"
- --providers.ecs=true
- ```
-
-## Policy
-
-Traefik needs the following policy to read ECS information:
-
-```json
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "TraefikECSReadAccess",
- "Effect": "Allow",
- "Action": [
- "ecs:ListClusters",
- "ecs:DescribeClusters",
- "ecs:ListTasks",
- "ecs:DescribeTasks",
- "ecs:DescribeContainerInstances",
- "ecs:DescribeTaskDefinition",
- "ec2:DescribeInstances",
- "ssm:DescribeInstanceInformation"
- ],
- "Resource": [
- "*"
- ]
- }
- ]
-}
-```
-
-!!! info "ECS Anywhere"
-
- Please note that the `ssm:DescribeInstanceInformation` action is required for ECS anywhere instances discovery.
-
-## Provider Configuration
-
-### `autoDiscoverClusters`
-
-_Optional, Default=false_
-
-Search for services in cluster list.
-
-- If set to `true` service discovery is enabled for all clusters.
-- If set to `false` service discovery is enabled on configured clusters only.
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- autoDiscoverClusters: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- autoDiscoverClusters = true
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.autoDiscoverClusters=true
-# ...
-```
-
-### `ecsAnywhere`
-
-_Optional, Default=false_
-
-Enable ECS Anywhere support.
-
-- If set to `true` service discovery is enabled for ECS Anywhere instances.
-- If set to `false` service discovery is disabled for ECS Anywhere instances.
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- ecsAnywhere: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- ecsAnywhere = true
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.ecsAnywhere=true
-# ...
-```
-
-### `clusters`
-
-_Optional, Default=["default"]_
-
-Search for services in cluster list.
-This option is ignored if `autoDiscoverClusters` is set to `true`.
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- clusters:
- - default
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- clusters = ["default"]
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.clusters=default
-# ...
-```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Expose ECS services by default in Traefik.
-
-If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- exposedByDefault: false
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- exposedByDefault = false
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.exposedByDefault=false
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the container labels (task),
-to determine whether to create any route for that container.
-If none of the container labels match the expression, no route for that container is created.
-If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
-as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
- ```toml
- # Includes only containers having a label with key `a.label.name` and value `foo`
- constraints = "Label(`a.label.name`, `foo`)"
- ```
-
- ```toml
- # Excludes containers having any label with key `a.label.name` and value `foo`
- constraints = "!Label(`a.label.name`, `value`)"
- ```
-
- ```toml
- # With logical AND.
- constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
- ```
-
- ```toml
- # With logical OR.
- constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
- ```
-
- ```toml
- # With logical AND and OR, with precedence set by parentheses.
- constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
- ```
-
- ```toml
- # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
- constraints = "LabelRegex(`a.label.name`, `a.+`)"
- ```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- constraints: "Label(`a.label.name`,`foo`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- constraints = "Label(`a.label.name`,`foo`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.constraints=Label(`a.label.name`,`foo`)
-# ...
-```
-
-### `healthyTasksOnly`
-
-_Optional, Default=false_
-
-Determines whether Traefik discovers only healthy tasks (`HEALTHY` healthStatus).
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- healthyTasksOnly: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- healthyTasksOnly = true
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.healthyTasksOnly=true
-# ...
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
-
-It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
-[sprig template functions](https://masterminds.github.io/sprig/).
-The container service name can be accessed with the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
-# ...
-```
-
-??? info "Default rule and Traefik service"
-
- The exposure of the Traefik container, combined with the default rule mechanism,
- can lead to create a router targeting itself in a loop.
- In this case, to prevent an infinite loop,
- Traefik adds an internal middleware to refuse the request if it comes from the same router.
-
-### `refreshSeconds`
-
-_Optional, Default=15_
-
-Polling interval (in seconds).
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- refreshSeconds: 15
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- refreshSeconds = 15
- # ...
-```
-
-```bash tab="CLI"
---providers.ecs.refreshSeconds=15
-# ...
-```
-
-### Credentials
-
-_Optional_
-
-If `region` is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks.
-In a FARGATE context it is resolved from the `AWS_REGION` environment variable.
-
-If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the order specified by the
-[default credential chain of AWS SDK for Go V2](https://docs.aws.amazon.com/sdk-for-go/v2/developer-guide/configure-gosdk.html#specifying-credentials):
-
-- Using the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
-- Using shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
-- Using EC2 instance role or ECS task role
-
-```yaml tab="File (YAML)"
-providers:
- ecs:
- region: us-east-1
- accessKeyID: "abc"
- secretAccessKey: "123"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.ecs]
- region = "us-east-1"
- accessKeyID = "abc"
- secretAccessKey = "123"
-```
-
-```bash tab="CLI"
---providers.ecs.region="us-east-1"
---providers.ecs.accessKeyID="abc"
---providers.ecs.secretAccessKey="123"
-# ...
-```
diff --git a/docs/content/providers/etcd.md b/docs/content/providers/etcd.md
deleted file mode 100644
index 6bfaef7b7..000000000
--- a/docs/content/providers/etcd.md
+++ /dev/null
@@ -1,209 +0,0 @@
----
-title: "Traefik Etcd Documentation"
-description: "Use Etcd as a provider for configuration discovery in Traefik Proxy. Automate and store your configurations with Etcd. Read the technical documentation."
----
-
-# Traefik & Etcd
-
-A Story of KV store & Containers
-{: .subtitle }
-
-Store your configuration in etcd and let Traefik do the rest!
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/kv.md).
-
-## Provider Configuration
-
-### `endpoints`
-
-_Required, Default="127.0.0.1:2379"_
-
-Defines how to access etcd.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- endpoints:
- - "127.0.0.1:2379"
-```
-
-```toml tab="File (TOML)"
-[providers.etcd]
- endpoints = ["127.0.0.1:2379"]
-```
-
-```bash tab="CLI"
---providers.etcd.endpoints=127.0.0.1:2379
-```
-
-### `rootKey`
-
-_Required, Default="traefik"_
-
-Defines the root key of the configuration.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- rootKey: "traefik"
-```
-
-```toml tab="File (TOML)"
-[providers.etcd]
- rootKey = "traefik"
-```
-
-```bash tab="CLI"
---providers.etcd.rootkey=traefik
-```
-
-### `username`
-
-_Optional, Default=""_
-
-Defines a username with which to connect to etcd.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- # ...
- username: "foo"
-```
-
-```toml tab="File (TOML)"
-[providers.etcd]
- # ...
- username = "foo"
-```
-
-```bash tab="CLI"
---providers.etcd.username=foo
-```
-
-### `password`
-
-_Optional, Default=""_
-
-Defines a password with which to connect to etcd.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- # ...
- password: "bar"
-```
-
-```toml tab="File (TOML)"
-[providers.etcd]
- # ...
- password = "bar"
-```
-
-```bash tab="CLI"
---providers.etcd.password=foo
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to etcd.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to etcd,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.etcd.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to etcd.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.etcd.tls.cert=path/to/foo.cert
---providers.etcd.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to etcd.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.etcd.tls.cert=path/to/foo.cert
---providers.etcd.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- etcd:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.etcd.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.etcd.tls.insecureSkipVerify=true
-```
diff --git a/docs/content/providers/file.md b/docs/content/providers/file.md
deleted file mode 100644
index 1fbab2b99..000000000
--- a/docs/content/providers/file.md
+++ /dev/null
@@ -1,295 +0,0 @@
----
-title: "Traefik File Documentation"
-description: "The file provider in Traefik Proxy lets you define the dynamic configuration in a YAML or TOML file. Read the technical documentation."
----
-
-# Traefik & File
-
-Good Old Configuration File
-{: .subtitle }
-
-The file provider lets you define the [dynamic configuration](./overview.md) in a YAML or TOML file.
-
-It supports providing configuration through a [single configuration file](#filename) or [multiple separate files](#directory).
-
-!!! info
-
- The file provider is the default format used throughout the documentation to show samples of the configuration for many features.
-
-!!! tip
-
- The file provider can be a good solution for reusing common elements from other providers (e.g. declaring allowlist middlewares, basic authentication, ...)
-
-## Configuration Examples
-
-??? example "Declaring Routers, Middlewares & Services"
-
- Enabling the file provider:
-
- ```yaml tab="File (YAML)"
- providers:
- file:
- directory: "/path/to/dynamic/conf"
- ```
-
- ```toml tab="File (TOML)"
- [providers.file]
- directory = "/path/to/dynamic/conf"
- ```
-
- ```bash tab="CLI"
- --providers.file.directory=/path/to/dynamic/conf
- ```
-
- Declaring Routers, Middlewares & Services:
-
- ```yaml tab="YAML"
- http:
- # Add the router
- routers:
- router0:
- entryPoints:
- - web
- middlewares:
- - my-basic-auth
- service: service-foo
- rule: Path(`/foo`)
-
- # Add the middleware
- middlewares:
- my-basic-auth:
- basicAuth:
- users:
- - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
- - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
- usersFile: etc/traefik/.htpasswd
-
- # Add the service
- services:
- service-foo:
- loadBalancer:
- servers:
- - url: http://foo/
- - url: http://bar/
- passHostHeader: false
- ```
-
- ```toml tab="TOML"
- [http]
- # Add the router
- [http.routers]
- [http.routers.router0]
- entryPoints = ["web"]
- middlewares = ["my-basic-auth"]
- service = "service-foo"
- rule = "Path(`/foo`)"
-
- # Add the middleware
- [http.middlewares]
- [http.middlewares.my-basic-auth.basicAuth]
- users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
- "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
- usersFile = "etc/traefik/.htpasswd"
-
- # Add the service
- [http.services]
- [http.services.service-foo]
- [http.services.service-foo.loadBalancer]
- [[http.services.service-foo.loadBalancer.servers]]
- url = "http://foo/"
- [[http.services.service-foo.loadBalancer.servers]]
- url = "http://bar/"
- ```
-
-## Provider Configuration
-
-For an overview of all the options that can be set with the file provider, see the [routing configuration](../reference/routing-configuration/other-providers/file.md) and [install configuration](../reference/install-configuration/configuration-options.md) references.
-
-!!! warning "Limitations"
-
- With the file provider, Traefik listens for file system notifications to update the dynamic configuration.
-
- If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
- If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught.
-
- For example, in Docker, if the host file is renamed, the link to the mounted file is broken and the container's file is no longer updated.
- To avoid this kind of issue, it is recommended to:
-
- * set the Traefik [**directory**](#directory) configuration with the parent directory
- * mount/bind the parent directory
-
- As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
- If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
-
-### `filename`
-
-Defines the path to the configuration file.
-
-!!! warning ""
-
- The `filename` and `directory` options are mutually exclusive.
- It is recommended to use `directory`.
-
-```yaml tab="File (YAML)"
-providers:
- file:
- filename: /path/to/config/dynamic_conf.yml
-```
-
-```toml tab="File (TOML)"
-[providers]
- [providers.file]
- filename = "/path/to/config/dynamic_conf.toml"
-```
-
-```bash tab="CLI"
---providers.file.filename=/path/to/config/dynamic_conf.yml
-```
-
-### `directory`
-
-Defines the path to the directory that contains the configuration files.
-
-!!! warning ""
-
- The `filename` and `directory` options are mutually exclusive.
- It is recommended to use `directory`.
-
-```yaml tab="File (YAML)"
-providers:
- file:
- directory: /path/to/config
-```
-
-```toml tab="File (TOML)"
-[providers]
- [providers.file]
- directory = "/path/to/config"
-```
-
-```bash tab="CLI"
---providers.file.directory=/path/to/config
-```
-
-### `watch`
-
-Set the `watch` option to `true` to allow Traefik to automatically watch for file changes.
-It works with both the `filename` and the `directory` options.
-
-```yaml tab="File (YAML)"
-providers:
- file:
- directory: /path/to/dynamic/conf
- watch: true
-```
-
-```toml tab="File (TOML)"
-[providers]
- [providers.file]
- directory = "/path/to/dynamic/conf"
- watch = true
-```
-
-```bash tab="CLI"
---providers.file.directory=/my/path/to/dynamic/conf
---providers.file.watch=true
-```
-
-### Go Templating
-
-!!! warning
-
- Go Templating only works with dedicated dynamic configuration files.
- Templating does not work in the Traefik main static configuration file.
-
-Traefik supports using Go templating to automatically generate repetitive sections of configuration files.
-These sections must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
-[sprig template functions](https://masterminds.github.io/sprig/).
-
-To illustrate, it is possible to easily define multiple routers, services, and TLS certificates as described in the following examples:
-
-??? example "Configuring Using Templating"
-
- ```yaml tab="YAML"
- http:
- routers:
- {{range $i, $e := until 100 }}
- router{{ $e }}-{{ env "MY_ENV_VAR" }}:
- # ...
- {{end}}
-
- services:
- {{range $i, $e := until 100 }}
- application{{ $e }}:
- # ...
- {{end}}
-
- tcp:
- routers:
- {{range $i, $e := until 100 }}
- router{{ $e }}:
- # ...
- {{end}}
-
- services:
- {{range $i, $e := until 100 }}
- service{{ $e }}:
- # ...
- {{end}}
-
- tls:
- certificates:
- {{ range $i, $e := until 10 }}
- - certFile: "/etc/traefik/cert-{{ $e }}.pem"
- keyFile: "/etc/traefik/cert-{{ $e }}.key"
- store:
- - "my-store-foo-{{ $e }}"
- - "my-store-bar-{{ $e }}"
- {{end}}
- ```
-
- ```toml tab="TOML"
- # template-rules.toml
- [http]
-
- [http.routers]
- {{ range $i, $e := until 100 }}
- [http.routers.router{{ $e }}-{{ env "MY_ENV_VAR" }}]
- # ...
- {{ end }}
-
- [http.services]
- {{ range $i, $e := until 100 }}
- [http.services.service{{ $e }}]
- # ...
- {{ end }}
-
- [tcp]
-
- [tcp.routers]
- {{ range $i, $e := until 100 }}
- [tcp.routers.router{{ $e }}]
- # ...
- {{ end }}
-
- [tcp.services]
- {{ range $i, $e := until 100 }}
- [http.services.service{{ $e }}]
- # ...
- {{ end }}
-
- {{ range $i, $e := until 10 }}
- [[tls.certificates]]
- certFile = "/etc/traefik/cert-{{ $e }}.pem"
- keyFile = "/etc/traefik/cert-{{ $e }}.key"
- stores = ["my-store-foo-{{ $e }}", "my-store-bar-{{ $e }}"]
- {{ end }}
-
- [tls.config]
- {{ range $i, $e := until 10 }}
- [tls.config.TLS{{ $e }}]
- # ...
- {{ end }}
- ```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/http.md b/docs/content/providers/http.md
deleted file mode 100644
index 8f5c5f4d0..000000000
--- a/docs/content/providers/http.md
+++ /dev/null
@@ -1,224 +0,0 @@
----
-title: "Traefik HTTP Documentation"
-description: "Provide your dynamic configuration via an HTTP(S) endpoint and let Traefik Proxy do the rest. Read the technical documentation."
----
-
-# Traefik & HTTP
-
-Provide your [dynamic configuration](./overview.md) via an HTTP(S) endpoint and let Traefik do the rest!
-
-## Routing Configuration
-
-The HTTP provider uses the same configuration as the [File Provider](./file.md) in YAML or JSON format.
-
-## Provider Configuration
-
-### `endpoint`
-
-_Required_
-
-Defines the HTTP(S) endpoint to poll.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- endpoint: "http://127.0.0.1:9000/api"
-```
-
-```toml tab="File (TOML)"
-[providers.http]
- endpoint = "http://127.0.0.1:9000/api"
-```
-
-```bash tab="CLI"
---providers.http.endpoint=http://127.0.0.1:9000/api
-```
-
-### `pollInterval`
-
-_Optional, Default="5s"_
-
-Defines the polling interval.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- pollInterval: "5s"
-```
-
-```toml tab="File (TOML)"
-[providers.http]
- pollInterval = "5s"
-```
-
-```bash tab="CLI"
---providers.http.pollInterval=5s
-```
-
-### `pollTimeout`
-
-_Optional, Default="5s"_
-
-Defines the polling timeout when connecting to the endpoint.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- pollTimeout: "5s"
-```
-
-```toml tab="File (TOML)"
-[providers.http]
- pollTimeout = "5s"
-```
-
-```bash tab="CLI"
---providers.http.pollTimeout=5s
-```
-
-### `headers`
-
-_Optional_
-
-Defines custom headers to be sent to the endpoint.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- headers:
- name: value
-```
-
-```toml tab="File (TOML)"
-[providers.http.headers]
- name = "value"
-```
-
-```bash tab="CLI"
---providers.http.headers.name=value
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to the endpoint.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to the endpoint,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.http.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.http.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the endpoint.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.http.tls.cert=path/to/foo.cert
---providers.http.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the endpoint.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.http.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.http.tls.cert=path/to/foo.cert
---providers.http.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.http.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.http.tls.insecureSkipVerify=true
-```
-
-### `maxResponseBodySize`
-
-_Optional, Default=-1_
-
-Defines the maximum size of the response body in bytes.
-If left unset (or set to -1), the response body size is unrestricted which can have performance implications.
-
-```yaml tab="File (YAML)"
-providers:
- http:
- maxResponseBodySize: -1
-```
-
-```toml tab="File (TOML)"
-[providers.http]
- maxResponseBodySize = -1
-```
-
-```bash tab="CLI"
---providers.http.maxResponseBodySize=-1
-```
diff --git a/docs/content/providers/kubernetes-crd.md b/docs/content/providers/kubernetes-crd.md
deleted file mode 100644
index c1132e9d3..000000000
--- a/docs/content/providers/kubernetes-crd.md
+++ /dev/null
@@ -1,368 +0,0 @@
----
-title: "Kubernetes IngressRoute & Traefik CRD"
-description: "The Traefik team developed a Custom Resource Definition (CRD) for an IngressRoute type, to provide a better way to configure access to a Kubernetes cluster."
----
-
-# Traefik & Kubernetes
-
-The Kubernetes Ingress Controller, The Custom Resource Way.
-{: .subtitle }
-
-In early versions, Traefik supported Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.
-
-However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
-the Traefik engineering team developed a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
-(CRD) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
-
-## Requirements
-
-{% include-markdown "includes/kubernetes-requirements.md" %}
-
-!!! tip "All Steps for a Successful Deployment"
-
- * Add/update **all** the Traefik resources [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions)
- * Add/update the [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for the Traefik custom resources
- * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment
- * Enable the kubernetesCRD provider
- * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
- * Add all necessary Traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
-
-!!! example "Installing Resource Definition and RBAC"
-
- ```bash
- # Install Traefik Resource Definitions:
- kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
-
- # Install RBAC for Traefik:
- kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
- ```
-
-## Resource Configuration
-
-When using KubernetesCRD as a provider,
-Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
-Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
-
-* The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
-* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensitive data (TLS certificates and credentials).
-* The structure of the configuration.
-* The requirement to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
-
-The Traefik CRDs are building blocks that you can assemble according to your needs.
-See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
-
-## LetsEncrypt Support with the Custom Resource Definition Provider
-
-By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
-For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
-
-When using a single instance of Traefik with Let's Encrypt, you should encounter no issues. However, this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik Proxy 2.0 with Let's Encrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses.
-Early versions (v1.x) of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.
-
-If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.
-
-If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
-When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
-When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
-A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
-Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once the certificates are created, Cert-Manager keeps them renewed.
-
-## Provider Configuration
-
-### `endpoint`
-
-_Optional, Default=""_
-
-The Kubernetes server endpoint URL.
-
-When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-Both are mounted automatically when deployed inside Kubernetes.
-
-The endpoint may be specified to override the environment variable values inside a cluster.
-
-When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
-In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- endpoint: "http://localhost:8080"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- endpoint = "http://localhost:8080"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.endpoint=http://localhost:8080
-```
-
-### `token`
-
-_Optional, Default=""_
-
-Bearer token used for the Kubernetes client configuration.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- token: "mytoken"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- token = "mytoken"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.token=mytoken
-```
-
-### `certAuthFilePath`
-
-_Optional, Default=""_
-
-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- certAuthFilePath: "/my/ca.crt"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- certAuthFilePath = "/my/ca.crt"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.certauthfilepath=/my/ca.crt
-```
-
-### `namespaces`
-
-_Optional, Default: []_
-
-Array of namespaces to watch.
-If left empty, Traefik watches all namespaces.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- namespaces:
- - "default"
- - "production"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- namespaces = ["default", "production"]
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.namespaces=default,production
-```
-
-### `labelselector`
-
-_Optional, Default: ""_
-
-A label selector can be defined to filter on specific resource objects only,
-this applies only to Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
-and has no effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`.
-If left empty, Traefik processes all resource objects in the configured namespaces.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
-!!! warning
-
- Because the label selector is applied to all Traefik Custom Resources, they all must match the filter.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- labelSelector: "app=traefik"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- labelSelector = "app=traefik"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.labelselector="app=traefik"
-```
-
-### `ingressClass`
-
-_Optional, Default: ""_
-
-Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
-
-If the parameter is set, only resources containing an annotation with the same value are processed.
-Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- ingressClass: "traefik-internal"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- ingressClass = "traefik-internal"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.ingressclass=traefik-internal
-```
-
-### `throttleDuration`
-
-_Optional, Default: 0_
-
-The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
-a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
-
-If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
-
-The value of `throttleDuration` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- throttleDuration: "10s"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- throttleDuration = "10s"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.throttleDuration=10s
-```
-
-### `allowEmptyServices`
-
-_Optional, Default: false_
-
-If the parameter is set to `true`,
-it allows the creation of an empty [servers load balancer](../routing/services/index.md#servers-load-balancer) if the targeted Kubernetes service has no endpoints available.
-With IngressRoute resources,
-this results in `503` HTTP responses instead of `404` ones.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- allowEmptyServices: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- allowEmptyServices = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesCRD.allowEmptyServices=true
-```
-
-### `allowCrossNamespace`
-
-_Optional, Default: false_
-
-If the parameter is set to `true`,
-IngressRoute are able to reference resources in namespaces other than theirs.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- allowCrossNamespace: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- allowCrossNamespace = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.allowCrossNamespace=true
-```
-
-### `allowExternalNameServices`
-
-_Optional, Default: false_
-
-If the parameter is set to `true`, IngressRoutes are able to reference ExternalName services.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- allowExternalNameServices: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- allowExternalNameServices = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.allowexternalnameservices=true
-```
-
-### `nativeLBByDefault`
-
-_Optional, Default: false_
-
-Defines whether to use Native Kubernetes load-balancing mode by default.
-For more information, please check out the IngressRoute `nativeLB` option [documentation](../routing/providers/kubernetes-crd.md#load-balancing).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesCRD:
- nativeLBByDefault: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesCRD]
- nativeLBByDefault = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetescrd.nativeLBByDefault=true
-```
-
-## Full Example
-
-For additional information on exposing services with Kubernetes, refer to the [Kubernetes guide](../expose/kubernetes/basic.md).
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/kubernetes-gateway.md b/docs/content/providers/kubernetes-gateway.md
deleted file mode 100644
index ffe5c1687..000000000
--- a/docs/content/providers/kubernetes-gateway.md
+++ /dev/null
@@ -1,360 +0,0 @@
----
-title: "Traefik Kubernetes Gateway API Documentation"
-description: "Learn how to use the Kubernetes Gateway API as a provider for configuration discovery in Traefik Proxy. Read the technical documentation."
----
-
-# Traefik & Kubernetes with Gateway API
-
-The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/)
-specification from the Kubernetes Special Interest Groups (SIGs).
-
-This provider supports Standard version [v1.5.1](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.5.1) of the Gateway API specification.
-
-It fully supports all HTTP core and some extended features, as well as `TLSRoute` (Standard channel) and `TCPRoute` (Experimental channel via the [`experimentalChannel`](#experimentalchannel) option).
-
-For more details, check out the conformance [report](https://github.com/kubernetes-sigs/gateway-api/tree/main/conformance/reports/v1.5.1/traefik-traefik).
-
-## Requirements
-
-{% include-markdown "includes/kubernetes-requirements.md" %}
-
-!!! info "Helm Chart"
-
- When using the Traefik [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
- The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L323).
-
-1. Install/update the Kubernetes Gateway API CRDs.
-
- ```bash
- # Install Gateway API CRDs from the Standard channel.
- kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/standard-install.yaml
- ```
-
-2. Install the additional Traefik RBAC required for Gateway API.
-
- ```bash
- # Install Traefik RBACs.
- kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.7/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
- ```
-
-3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
-
- ```yaml tab="File (YAML)"
- providers:
- kubernetesGateway: {}
- ```
-
- ```toml tab="File (TOML)"
- [providers.kubernetesGateway]
- ```
-
- ```bash tab="CLI"
- --providers.kubernetesgateway=true
- ```
-
-## Routing Configuration
-
-When using the Kubernetes Gateway API provider, Traefik uses the Gateway API CRDs to retrieve its routing configuration.
-Check out the Gateway API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/),
-and the dedicated [routing section](../routing/providers/kubernetes-gateway.md) in the Traefik documentation.
-
-## Provider Configuration
-
-### `endpoint`
-
-_Optional, Default=""_
-
-The Kubernetes server endpoint URL.
-
-When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-Both are mounted automatically when deployed inside Kubernetes.
-
-The endpoint may be specified to override the environment variable values inside a cluster.
-
-When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
-In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- endpoint: "http://localhost:8080"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- endpoint = "http://localhost:8080"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.endpoint=http://localhost:8080
-```
-
-### `token`
-
-_Optional, Default=""_
-
-Bearer token used for the Kubernetes client configuration.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- token: "mytoken"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- token = "mytoken"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.token=mytoken
-```
-
-### `certAuthFilePath`
-
-_Optional, Default=""_
-
-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- certAuthFilePath: "/my/ca.crt"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- certAuthFilePath = "/my/ca.crt"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.certauthfilepath=/my/ca.crt
-```
-
-### `namespaces`
-
-_Optional, Default: []_
-
-Array of namespaces to watch.
-If left empty, Traefik watches all namespaces.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- namespaces:
- - "default"
- - "production"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- namespaces = ["default", "production"]
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.namespaces=default,production
-```
-
-### `statusAddress`
-
-#### `ip`
-
-_Optional, Default: ""_
-
-This IP will get copied to the Gateway `status.addresses`, and currently only supports one IP value (IPv4 or IPv6).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- statusAddress:
- ip: "1.2.3.4"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway.statusAddress]
- ip = "1.2.3.4"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.statusaddress.ip=1.2.3.4
-```
-
-#### `hostname`
-
-_Optional, Default: ""_
-
-This Hostname will get copied to the Gateway `status.addresses`.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- statusAddress:
- hostname: "example.net"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway.statusAddress]
- hostname = "example.net"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.statusaddress.hostname=example.net
-```
-
-#### `service`
-
-_Optional_
-
-The Kubernetes service to copy status addresses from.
-When using third parties tools like External-DNS, this option can be used to copy the service `loadbalancer.status` (containing the service's endpoints IPs) to the gateways.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- statusAddress:
- service:
- namespace: default
- name: foo
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway.statusAddress.service]
- namespace = "default"
- name = "foo"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.statusaddress.service.namespace=default
---providers.kubernetesgateway.statusaddress.service.name=foo
-```
-
-### `experimentalChannel`
-
-_Optional, Default: false_
-
-Toggles support for the Experimental Channel resources ([Gateway API release channels documentation](https://gateway-api.sigs.k8s.io/concepts/versioning/#release-channels)).
-This option currently enables support for `TCPRoute`.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- experimentalChannel: true
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- experimentalChannel = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.experimentalchannel=true
-```
-
-!!! info "Experimental Channel"
-
- When enabling experimental channel resources support, the experimental CRDs (Custom Resource Definitions) needs to be deployed too.
-
- ```bash
- # Install Gateway API CRDs from the Experimental channel.
- kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.1/experimental-install.yaml
- ```
-
-### `labelselector`
-
-_Optional, Default: ""_
-
-A label selector can be defined to filter on specific GatewayClass objects only.
-If left empty, Traefik processes all GatewayClass objects in the configured namespaces.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- labelSelector: "app=traefik"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- labelSelector = "app=traefik"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.labelselector="app=traefik"
-```
-
-### `nativeLBByDefault`
-
-_Optional, Default: false_
-
-Defines whether to use Native Kubernetes load-balancing mode by default.
-For more information, please check out the `traefik.io/service.nativelb` [service annotation documentation](../routing/providers/kubernetes-gateway.md#native-load-balancing).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- nativeLBByDefault: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- nativeLBByDefault = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.nativeLBByDefault=true
-```
-
-### `throttleDuration`
-
-_Optional, Default: 0_
-
-The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
-a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
-
-If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
-
-The value of `throttleDuration` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesGateway:
- throttleDuration: "10s"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesGateway]
- throttleDuration = "10s"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesgateway.throttleDuration=10s
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/kubernetes-ingress.md b/docs/content/providers/kubernetes-ingress.md
deleted file mode 100644
index d3721de81..000000000
--- a/docs/content/providers/kubernetes-ingress.md
+++ /dev/null
@@ -1,560 +0,0 @@
----
-title: "Traefik Kubernetes Ingress Documentation"
-description: "Understand the requirements, routing configuration, and how to set up Traefik Proxy as your Kubernetes Ingress Controller. Read the technical documentation."
----
-
-# Traefik & Kubernetes
-
-The Kubernetes Ingress Controller.
-{: .subtitle }
-
-The Traefik Kubernetes Ingress provider is a Kubernetes Ingress controller; that is to say,
-it manages access to cluster services by supporting the [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) specification.
-
-## Requirements
-
-{% include-markdown "includes/kubernetes-requirements.md" %}
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/kubernetes-ingress.md).
-
-## Enabling and Using the Provider
-
-You can enable the provider in the static configuration:
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress: {}
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
-```
-
-```bash tab="CLI"
---providers.kubernetesingress=true
-```
-
-The provider then watches for incoming ingresses events, such as the example below,
-and derives the corresponding dynamic configuration from it,
-which in turn creates the resulting routers, services, handlers, etc.
-
-```yaml tab="Ingress"
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: foo
- namespace: production
-
-spec:
- rules:
- - host: example.net
- http:
- paths:
- - path: /bar
- pathType: Exact
- backend:
- service:
- name: service1
- port:
- number: 80
- - path: /foo
- pathType: Exact
- backend:
- service:
- name: service1
- port:
- number: 80
-```
-
-## LetsEncrypt Support with the Ingress Provider
-
-By design, Traefik is a stateless application,
-meaning that it only derives its configuration from the environment it runs in,
-without additional configuration.
-For this reason, users can run multiple instances of Traefik at the same time to achieve HA,
-as is a common pattern in the kubernetes ecosystem.
-
-When using a single instance of Traefik Proxy with Let's Encrypt, you should encounter no issues.
-However, this could be a single point of failure.
-Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with Let's Encrypt enabled,
-because there is no way to ensure that the correct instance of Traefik receives the challenge request, and subsequent responses.
-Early versions (v1.x) of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
-but due to sub-optimal performance that feature was dropped in 2.0.
-
-If you need Let's Encrypt with high availability in a Kubernetes environment,
-we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.
-
-If you want to keep using Traefik Proxy,
-LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
-When using Cert-Manager to manage certificates,
-it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
-
-## Provider Configuration
-
-### `endpoint`
-
-_Optional, Default=""_
-
-The Kubernetes server endpoint URL.
-
-When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
-
-The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
-Both are mounted automatically when deployed inside Kubernetes.
-
-The endpoint may be specified to override the environment variable values inside a cluster.
-
-When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
-In this case, the endpoint is required.
-Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- endpoint: "http://localhost:8080"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- endpoint = "http://localhost:8080"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.endpoint=http://localhost:8080
-```
-
-### `token`
-
-_Optional, Default=""_
-
-Bearer token used for the Kubernetes client configuration.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- token: "mytoken"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- token = "mytoken"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.token=mytoken
-```
-
-### `certAuthFilePath`
-
-_Optional, Default=""_
-
-Path to the certificate authority file.
-Used for the Kubernetes client configuration.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- certAuthFilePath: "/my/ca.crt"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- certAuthFilePath = "/my/ca.crt"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.certauthfilepath=/my/ca.crt
-```
-
-### `namespaces`
-
-_Optional, Default: []_
-
-Array of namespaces to watch.
-If left empty, Traefik watches all namespaces.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- namespaces:
- - "default"
- - "production"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- namespaces = ["default", "production"]
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.namespaces=default,production
-```
-
-### `labelSelector`
-
-_Optional, Default: ""_
-
-A label selector can be defined to filter on specific Ingress objects only.
-If left empty, Traefik processes all Ingress objects in the configured namespaces.
-
-See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- labelSelector: "app=traefik"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- labelSelector = "app=traefik"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.labelselector="app=traefik"
-```
-
-### `ingressClass`
-
-_Optional, Default: ""_
-
-Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
-
-If the parameter is set, only Ingresses containing an annotation with the same value are processed.
-Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
-
-??? info "Example"
-
- ```yaml tab="IngressClass"
- apiVersion: networking.k8s.io/v1
- kind: IngressClass
- metadata:
- name: traefik-lb
- spec:
- controller: traefik.io/ingress-controller
- ```
-
- ```yaml tab="Ingress"
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- name: example-ingress
- spec:
- ingressClassName: traefik-lb
- rules:
- - host: "*.example.com"
- http:
- paths:
- - path: /example
- pathType: Exact
- backend:
- service:
- name: example-service
- port:
- number: 80
- ```
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- ingressClass: "traefik-internal"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- ingressClass = "traefik-internal"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.ingressclass=traefik-internal
-```
-
-### `disableIngressClassLookup`
-
-_Optional, Default: false_
-
-??? warning "Deprecated"
-
- The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1, and will be removed in the next major version.
- Please use the `disableClusterScopeResources` option instead.
-
-If the parameter is set to `true`,
-Traefik will not discover IngressClasses in the cluster.
-By doing so, it alleviates the requirement of giving Traefik the rights to look IngressClasses up.
-Furthermore, when this option is set to `true`,
-Traefik is not able to handle Ingresses with IngressClass references,
-therefore such Ingresses will be ignored.
-Please note that annotations are not affected by this option.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- disableIngressClassLookup: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- disableIngressClassLookup = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.disableingressclasslookup=true
-```
-
-### `disableClusterScopeResources`
-
-_Optional, Default: false_
-
-When this parameter is set to `true`,
-Traefik will not discover cluster scope resources (`IngressClass` and `Nodes`).
-By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.
-Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).
-This will also prevent from using the `NodePortLB` options on services.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- disableClusterScopeResources: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- disableClusterScopeResources = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.disableClusterScopeResources=true
-```
-
-### `ingressEndpoint`
-
-#### `hostname`
-
-_Optional, Default: ""_
-
-Hostname used for Kubernetes Ingress endpoints.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- ingressEndpoint:
- hostname: "example.net"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress.ingressEndpoint]
- hostname = "example.net"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.hostname=example.net
-```
-
-#### `ip`
-
-_Optional, Default: ""_
-
-This IP will get copied to Ingress `status.loadbalancer.ip`, and currently only supports one IP value (IPv4 or IPv6).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- ingressEndpoint:
- ip: "1.2.3.4"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress.ingressEndpoint]
- ip = "1.2.3.4"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.ip=1.2.3.4
-```
-
-#### `publishedService`
-
-_Optional, Default: ""_
-
-Format: `namespace/servicename`.
-
-The Kubernetes service to copy status from,
-depending on the service type:
-
-- **ClusterIP:** The ExternalIPs of the service will be propagated to the ingress status.
-- **NodePort:** The ExternalIP addresses of the nodes in the cluster will be propagated to the ingress status.
-- **LoadBalancer:** The IPs from the service's `loadBalancer.status` field (which contains the endpoints provided by the load balancer) will be propagated to the ingress status.
-
-When using third-party tools such as External-DNS, this option enables the copying of external service IPs to the ingress resources.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- ingressEndpoint:
- publishedService: "namespace/foo-service"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress.ingressEndpoint]
- publishedService = "namespace/foo-service"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
-```
-
-### `throttleDuration`
-
-_Optional, Default: 0_
-
-The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
-a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
-
-If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
-
-The value of `throttleDuration` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- throttleDuration: "10s"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- throttleDuration = "10s"
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.throttleDuration=10s
-```
-
-### `allowEmptyServices`
-
-_Optional, Default: false_
-
-If the parameter is set to `true`,
-it allows the creation of an empty [servers load balancer](../routing/services/index.md#servers-load-balancer) if the targeted Kubernetes service has no endpoints available.
-This results in `503` HTTP responses instead of `404` ones.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- allowEmptyServices: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- allowEmptyServices = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.allowEmptyServices=true
-```
-
-### `allowExternalNameServices`
-
-_Optional, Default: false_
-
-If the parameter is set to `true`,
-Ingresses are able to reference ExternalName services.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- allowExternalNameServices: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- allowExternalNameServices = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.allowexternalnameservices=true
-```
-
-### `nativeLBByDefault`
-
-_Optional, Default: false_
-
-Defines whether to use Native Kubernetes load-balancing mode by default.
-For more information, please check out the `traefik.ingress.kubernetes.io/service.nativelb` [service annotation documentation](../routing/providers/kubernetes-ingress.md#on-service).
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- nativeLBByDefault: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- nativeLBByDefault = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.nativeLBByDefault=true
-```
-
-### `strictPrefixMatching`
-
-_Optional, Default: false_
-
-Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`.
-
-```yaml tab="File (YAML)"
-providers:
- kubernetesIngress:
- strictPrefixMatching: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.kubernetesIngress]
- strictPrefixMatching = true
- # ...
-```
-
-```bash tab="CLI"
---providers.kubernetesingress.strictPrefixMatching=true
-```
-
-### Further
-
-To learn more about the various aspects of the Ingress specification that Traefik supports,
-many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v3.7/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/nomad.md b/docs/content/providers/nomad.md
deleted file mode 100644
index ef28d8c98..000000000
--- a/docs/content/providers/nomad.md
+++ /dev/null
@@ -1,596 +0,0 @@
----
-title: "Nomad Service Discovery"
-description: "Learn how to use Nomad as a provider for configuration discovery in Traefik Proxy. Read the technical documentation."
----
-
-# Traefik & Nomad Service Discovery
-
-A Story of Tags, Services & Nomads
-{: .subtitle }
-
-
-
-Attach tags to your Nomad services and let Traefik do the rest!
-
-## Configuration Examples
-
-??? example "Configuring Nomad & Deploying Services"
-
- Enabling the nomad provider
-
- ```yaml tab="File (YAML)"
- providers:
- nomad: {}
- ```
-
- ```toml tab="File (TOML)"
- [providers.nomad]
- ```
-
- ```bash tab="CLI"
- --providers.nomad=true
- ```
-
- Attaching tags to services:
-
- ```
- ...
- service {
- name = "myService"
- tags = [
- "traefik.http.routers.my-router.rule=Host(`example.com`)",
- ]
- }
- ...
- ```
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/nomad.md).
-
-## Provider Configuration
-
-### `refreshInterval`
-
-_Optional, Default=15s_
-
-Defines the polling interval.
-
-!!! note "This option is ignored when the [watch](#watch) mode is enabled."
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- refreshInterval: 30s
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- refreshInterval = "30s"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.refreshInterval=30s
-# ...
-```
-
-### `watch`
-
-_Optional, Default=false_
-
-Enables the watch mode to refresh the configuration on a per-event basis.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- watch: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- watch = true
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.watch
-# ...
-```
-
-### `throttleDuration`
-
-_Optional, Default=0s_
-
-The `throttleDuration` option defines how often the provider is allowed to handle service events from Nomad.
-This prevents a Nomad cluster that updates many times per second from continuously changing your Traefik configuration.
-
-If left empty, the provider does not apply any throttling and does not drop any Nomad service events.
-
-The value of `throttleDuration` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-!!! warning "This option is only compatible with the [watch](#watch) mode."
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- throttleDuration: 2s
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- throttleDuration = "2s"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.throttleDuration=2s
-# ...
-```
-
-### `prefix`
-
-_required, Default="traefik"_
-
-The prefix for Nomad service tags defining Traefik labels.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- prefix: test
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- prefix = "test"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.prefix=test
-# ...
-```
-
-### `stale`
-
-_Optional, Default=false_
-
-Use stale consistency for Nomad service API reads.
-
-!!! note ""
-
- This makes reads very fast and scalable at the cost of a higher likelihood of stale values.
-
- For more information, see the Nomad [documentation on consistency](https://www.nomadproject.io/api-docs#consistency-modes).
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- stale: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- stale = true
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.stale=true
-# ...
-```
-
-### `endpoint`
-
-Defines the Nomad server endpoint.
-
-#### `address`
-
-Defines the address of the Nomad server.
-
-_Optional, Default="http://127.0.0.1:4646"_
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- endpoint:
- address: http://127.0.0.1:4646
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- [providers.nomad.endpoint]
- address = "http://127.0.0.1:4646"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.endpoint.address=http://127.0.0.1:4646
-# ...
-```
-
-#### `token`
-
-_Optional, Default=""_
-
-Token is used to provide a per-request ACL token, if Nomad ACLs are enabled.
-The appropriate ACL privilege for this token is 'read-job', as outlined in the [Nomad documentation on ACL](https://developer.hashicorp.com/nomad/tutorials/access-control/access-control-policies).
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- endpoint:
- token: test
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- [providers.nomad.endpoint]
- token = "test"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.endpoint.token=test
-# ...
-```
-
-#### `endpointWaitTime`
-
-_Optional, Default=""_
-
-Limits the duration for which a Watch can block.
-If not provided, the agent default values will be used.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- endpoint:
- endpointWaitTime: 15s
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- [providers.nomad.endpoint]
- endpointWaitTime = "15s"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.endpoint.endpointwaittime=15s
-# ...
-```
-
-#### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to the Nomad API.
-
-##### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to Nomad,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- endpoint:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.nomad.endpoint.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.nomad.endpoint.tls.ca=path/to/ca.crt
-```
-
-##### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to the Nomad API.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- endpoint:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.nomad.endpoint.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.nomad.endpoint.tls.cert=path/to/foo.cert
---providers.nomad.endpoint.tls.key=path/to/foo.key
-```
-
-##### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to the Nomad API.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- endpoint:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.nomad.endpoint.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.nomad.endpoint.tls.cert=path/to/foo.cert
---providers.nomad.endpoint.tls.key=path/to/foo.key
-```
-
-##### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Nomad accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- endpoint:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.nomad.endpoint.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.nomad.endpoint.tls.insecureskipverify=true
-```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Expose Nomad services by default in Traefik.
-If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- exposedByDefault: false
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- exposedByDefault = false
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.exposedByDefault=false
-# ...
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The default host rule for all services.
-
-For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
-The `defaultRule` must be set to a valid [Go template](https://pkg.go.dev/text/template/),
-and can include [sprig template functions](https://masterminds.github.io/sprig/).
-The service name can be accessed with the `Name` identifier,
-and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
-
-The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
-# ...
-```
-
-??? info "Default rule and Traefik service"
-
- The exposure of the Traefik container, combined with the default rule mechanism,
- can lead to create a router targeting itself in a loop.
- In this case, to prevent an infinite loop,
- Traefik adds an internal middleware to refuse the request if it comes from the same router.
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the service tags to determine whether
-to create any route for that service. If none of the service tags match the expression, no route for that service is
-created. If the expression is empty, all detected services are included.
-
-The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
-as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
- ```toml
- # Includes only services having the tag `a.tag.name=foo`
- constraints = "Tag(`a.tag.name=foo`)"
- ```
-
- ```toml
- # Excludes services having any tag `a.tag.name=foo`
- constraints = "!Tag(`a.tag.name=foo`)"
- ```
-
- ```toml
- # With logical AND.
- constraints = "Tag(`a.tag.name`) && Tag(`another.tag.name`)"
- ```
-
- ```toml
- # With logical OR.
- constraints = "Tag(`a.tag.name`) || Tag(`another.tag.name`)"
- ```
-
- ```toml
- # With logical AND and OR, with precedence set by parentheses.
- constraints = "Tag(`a.tag.name`) && (Tag(`another.tag.name`) || Tag(`yet.another.tag.name`))"
- ```
-
- ```toml
- # Includes only services having a tag matching the `a\.tag\.t.+` regular expression.
- constraints = "TagRegex(`a\.tag\.t.+`)"
- ```
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- constraints: "Tag(`a.tag.name`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- constraints = "Tag(`a.tag.name`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.constraints="Tag(`a.tag.name`)"
-# ...
-```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-### `namespaces`
-
-??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
-
- _Optional, Default=""_
-
- The `namespace` option defines the namespace in which the Nomad services will be discovered.
-
- !!! warning
-
- One should only define either the `namespaces` option or the `namespace` option.
-
- ```yaml tab="File (YAML)"
- providers:
- nomad:
- namespace: "production"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.nomad]
- namespace = "production"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.nomad.namespace=production
- # ...
- ```
-
-### `namespaces`
-
-_Optional, Default=""_
-
-The `namespaces` option defines the namespaces in which the nomad services will be discovered.
-When using the `namespaces` option, the discovered object names will be suffixed as shown below:
-
-```text
-@nomad-
-```
-
-!!! warning
-
- One should only define either the `namespaces` option or the `namespace` option.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- namespaces:
- - "ns1"
- - "ns2"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- namespaces = ["ns1", "ns2"]
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.namespaces=ns1,ns2
-# ...
-```
-
-### `allowEmptyServices`
-
-_Optional, Default: false_
-
-If the parameter is set to `true`,
-it allows the creation of an empty [servers load balancer](../routing/services/index.md#servers-load-balancer) if the targeted Nomad service has no endpoints available. This results in a `503` HTTP response instead of a `404`.
-
-```yaml tab="File (YAML)"
-providers:
- nomad:
- allowEmptyServices: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.nomad]
- allowEmptyServices = true
- # ...
-```
-
-```bash tab="CLI"
---providers.nomad.allowEmptyServices=true
-```
diff --git a/docs/content/providers/overview.md b/docs/content/providers/overview.md
deleted file mode 100644
index 8723f58a7..000000000
--- a/docs/content/providers/overview.md
+++ /dev/null
@@ -1,230 +0,0 @@
----
-title: "Traefik Configuration Discovery Overview"
-description: "Configuration discovery in Traefik is achieved through Providers. The providers are infrastructure components. Read the documentation to learn more."
----
-
-# Overview
-
-Traefik's Many Friends
-{: .subtitle }
-
-
-
-Configuration discovery in Traefik is achieved through _Providers_.
-
-The _providers_ are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores.
-The idea is that Traefik queries the provider APIs in order to find relevant information about routing,
-and when Traefik detects a change, it dynamically updates the routes.
-
-## Orchestrators
-
-While each provider is different, you can think of each as belonging to one of four categories:
-
-- Label-based: each deployed container has a set of labels attached to it
-- Key-Value-based: each deployed container updates a key-value store with relevant information
-- Annotation-based: a separate object, with annotations, defines the characteristics of the container
-- File-based: uses files to define configuration
-
-## Provider Namespace
-
-When you declare certain objects in the Traefik dynamic configuration,
-such as middleware, services, TLS options or server transports, they reside in their provider's namespace.
-For example, if you declare a middleware using a Docker label, it resides in the Docker provider namespace.
-
-If you use multiple providers and wish to reference such an object declared in another provider
-(e.g. referencing a cross-provider object like middleware), then the object name should be suffixed by the `@`
-separator, and the provider name.
-
-For the list of the providers names, see the [supported providers](#supported-providers) table below.
-
-```text
-@
-```
-
-!!! important "Kubernetes Namespace"
-
- As Kubernetes also has its own notion of namespace,
- one should not confuse the _provider namespace_ with the _Kubernetes Namespace_ of a resource when in the context of cross-provider usage.
-
- In this case, since the definition of a Traefik dynamic configuration object is not in Kubernetes,
- specifying a Kubernetes Namespace when referring to the resource does not make any sense.
-
- On the other hand, if you were to declare a middleware as a Custom Resource in Kubernetes and use the non-CRD Ingress objects,
- you would have to add the Kubernetes Namespace of the middleware to the annotation like this `-@kubernetescrd`.
-
-!!! abstract "Referencing a Traefik Dynamic Configuration Object from Another Provider"
-
- Declaring the add-foo-prefix in the file provider.
-
- ```yaml tab="File (YAML)"
- http:
- middlewares:
- add-foo-prefix:
- addPrefix:
- prefix: "/foo"
- ```
-
- ```toml tab="File (TOML)"
- [http.middlewares]
- [http.middlewares.add-foo-prefix.addPrefix]
- prefix = "/foo"
- ```
-
- Using the add-foo-prefix middleware from other providers:
-
- ```yaml tab="Docker & Swarm"
- your-container: #
- image: your-docker-image
-
- labels:
- # Attach add-foo-prefix@file middleware (declared in file)
- - "traefik.http.routers.my-container.middlewares=add-foo-prefix@file"
- ```
-
- ```yaml tab="IngressRoute"
- apiVersion: traefik.io/v1alpha1
- kind: IngressRoute
- metadata:
- name: ingressroutestripprefix
-
- spec:
- entryPoints:
- - web
- routes:
- - match: Host(`example.com`)
- kind: Rule
- services:
- - name: whoami
- port: 80
- middlewares:
- - name: add-foo-prefix@file
- # namespace: bar
- # A namespace specification such as above is ignored
- # when the cross-provider syntax is used.
- ```
-
- ```yaml tab="Ingress"
- apiVersion: traefik.io/v1alpha1
- kind: Middleware
- metadata:
- name: stripprefix
- namespace: appspace
- spec:
- stripPrefix:
- prefixes:
- - /stripit
-
- ---
- apiVersion: networking.k8s.io/v1
- kind: Ingress
- metadata:
- name: ingress
- namespace: appspace
- annotations:
- # referencing a middleware from Kubernetes CRD provider:
- # -@kubernetescrd
- "traefik.ingress.kubernetes.io/router.middlewares": appspace-stripprefix@kubernetescrd
- spec:
- # ... regular ingress definition
- ```
-
-## Supported Providers
-
-Below is the list of the currently supported providers in Traefik.
-
-| Provider | Type | Configuration Type | Provider Name |
-|---------------------------------------------------|--------------|----------------------|---------------------|
-| [Docker](./docker.md) | Orchestrator | Label | `docker` |
-| [Kubernetes IngressRoute](./kubernetes-crd.md) | Orchestrator | Custom Resource | `kubernetescrd` |
-| [Kubernetes Ingress](./kubernetes-ingress.md) | Orchestrator | Ingress | `kubernetes` |
-| [Kubernetes Gateway API](./kubernetes-gateway.md) | Orchestrator | Gateway API Resource | `kubernetesgateway` |
-| [Consul Catalog](./consul-catalog.md) | Orchestrator | Label | `consulcatalog` |
-| [Nomad](./nomad.md) | Orchestrator | Label | `nomad` |
-| [ECS](./ecs.md) | Orchestrator | Label | `ecs` |
-| [File](./file.md) | Manual | YAML/TOML format | `file` |
-| [Consul](./consul.md) | KV | KV | `consul` |
-| [Etcd](./etcd.md) | KV | KV | `etcd` |
-| [ZooKeeper](./zookeeper.md) | KV | KV | `zookeeper` |
-| [Redis](./redis.md) | KV | KV | `redis` |
-| [HTTP](./http.md) | Manual | JSON format | `http` |
-
-!!! info "More Providers"
-
- The current version of Traefik does not yet support every provider that Traefik v2.11 did.
- See the [previous version (v2.11)](https://doc.traefik.io/traefik/v2.11/) for more information.
-
-### Configuration Reload Frequency
-
-#### `providers.providersThrottleDuration`
-
-_Optional, Default: 2s_
-
-In some cases, some providers might undergo a sudden burst of changes,
-which would generate a lot of configuration change events.
-If Traefik took them all into account,
-that would trigger a lot more configuration reloads than is necessary,
-or even useful.
-
-In order to mitigate that, the `providers.providersThrottleDuration` option can be set.
-It is the duration that Traefik waits for, after a configuration reload,
-before taking into account any new configuration refresh event.
-If multiple events occur within this time, only the most recent one is taken into account,
-and all others are discarded.
-
-This option cannot be set per provider,
-but the throttling algorithm applies to each of them independently.
-
-The value of `providers.providersThrottleDuration` should be provided in seconds or as a valid duration format,
-see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
-
-```yaml tab="File (YAML)"
-providers:
- providersThrottleDuration: 10s
-```
-
-```toml tab="File (TOML)"
-[providers]
- providers.providersThrottleDuration = 10s
-```
-
-```bash tab="CLI"
---providers.providersThrottleDuration=10s
-```
-
-
-
-## Restrict the Scope of Service Discovery
-
-By default, Traefik creates routes for all detected containers.
-
-If you want to limit the scope of the Traefik service discovery,
-i.e. disallow route creation for some containers,
-you can do so in two different ways:
-
-- the generic configuration option `exposedByDefault`,
-- a finer granularity mechanism based on constraints.
-
-### `exposedByDefault` and `traefik.enable`
-
-List of providers that support these features:
-
-- [Docker](./docker.md#exposedbydefault)
-- [ECS](./ecs.md#exposedbydefault)
-- [Consul Catalog](./consul-catalog.md#exposedbydefault)
-- [Nomad](./nomad.md#exposedbydefault)
-
-### Constraints
-
-List of providers that support constraints:
-
-- [Docker](./docker.md#constraints)
-- [ECS](./ecs.md#constraints)
-- [Consul Catalog](./consul-catalog.md#constraints)
-- [Nomad](./nomad.md#constraints)
-- [Kubernetes CRD](./kubernetes-crd.md#labelselector)
-- [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
-- [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/redis.md b/docs/content/providers/redis.md
deleted file mode 100644
index 6dded2637..000000000
--- a/docs/content/providers/redis.md
+++ /dev/null
@@ -1,400 +0,0 @@
----
-title: "Traefik Redis Documentation"
-description: "For configuration discovery in Traefik Proxy, you can store your configurations in Redis. Read the technical documentation."
----
-
-# Traefik & Redis
-
-A Story of KV store & Containers
-{: .subtitle }
-
-Store your configuration in Redis and let Traefik do the rest!
-
-!!! tip "Dynamic configuration updates"
-
- Dynamic configuration updates require Redis [keyspace notifications](https://redis.io/docs/latest/develop/use/keyspace-notifications) to be enabled.
- Cloud-managed Redis services (e.g., GCP Memorystore, AWS ElastiCache) may disable this by default due to CPU performance issues.
- For more information, see the [Redis](https://redis.io/docs/latest/develop/use/keyspace-notifications/) documentation or refer to your cloud provider's documentation for specific configuration steps.
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/kv.md).
-
-## Provider Configuration
-
-### `endpoints`
-
-_Required, Default="127.0.0.1:6379"_
-
-Defines how to access Redis.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- endpoints:
- - "127.0.0.1:6379"
-```
-
-```toml tab="File (TOML)"
-[providers.redis]
- endpoints = ["127.0.0.1:6379"]
-```
-
-```bash tab="CLI"
---providers.redis.endpoints=127.0.0.1:6379
-```
-
-### `rootKey`
-
-_Required, Default="traefik"_
-
-Defines the root key of the configuration.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- rootKey: "traefik"
-```
-
-```toml tab="File (TOML)"
-[providers.redis]
- rootKey = "traefik"
-```
-
-```bash tab="CLI"
---providers.redis.rootkey=traefik
-```
-
-### `username`
-
-_Optional, Default=""_
-
-Defines a username to connect with Redis.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- # ...
- username: "foo"
-```
-
-```toml tab="File (TOML)"
-[providers.redis]
- # ...
- username = "foo"
-```
-
-```bash tab="CLI"
---providers.redis.username=foo
-```
-
-### `password`
-
-_Optional, Default=""_
-
-Defines a password to connect with Redis.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- # ...
- password: "bar"
-```
-
-```toml tab="File (TOML)"
-[providers.redis]
- # ...
- password = "bar"
-```
-
-```bash tab="CLI"
---providers.redis.password=foo
-```
-
-### `db`
-
-_Optional, Default=0_
-
-Defines the database to be selected after connecting to the Redis.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- # ...
- db: 0
-```
-
-```toml tab="File (TOML)"
-[providers.redis]
- db = 0
-```
-
-```bash tab="CLI"
---providers.redis.db=0
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Redis.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to Redis,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.redis.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.redis.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to Redis.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.redis.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.redis.tls.cert=path/to/foo.cert
---providers.redis.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to Redis.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.redis.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.redis.tls.cert=path/to/foo.cert
---providers.redis.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.redis.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.redis.tls.insecureSkipVerify=true
-```
-
-### `sentinel`
-
-_Optional_
-
-Defines the Sentinel configuration used to interact with Redis Sentinel.
-
-#### `masterName`
-
-_Required_
-
-`masterName` is the name of the Sentinel master.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- sentinel:
- masterName: my-master
-```
-
-```toml tab="File (TOML)"
-[providers.redis.sentinel]
- masterName = "my-master"
-```
-
-```bash tab="CLI"
---providers.redis.sentinel.masterName=my-master
-```
-
-#### `username`
-
-_Optional_
-
-`username` is the username for Sentinel authentication.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- sentinel:
- username: user
-```
-
-```toml tab="File (TOML)"
-[providers.redis.sentinel]
- username = "user"
-```
-
-```bash tab="CLI"
---providers.redis.sentinel.username=user
-```
-
-#### `password`
-
-_Optional_
-
-`password` is the password for Sentinel authentication.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- sentinel:
- password: password
-```
-
-```toml tab="File (TOML)"
-[providers.redis.sentinel]
- password = "password"
-```
-
-```bash tab="CLI"
---providers.redis.sentinel.password=password
-```
-
-#### `latencyStrategy`
-
-_Optional, Default=false_
-
-`latencyStrategy` defines whether to route commands to the closest master or replica nodes
-(mutually exclusive with RandomStrategy and ReplicaStrategy).
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- sentinel:
- latencyStrategy: true
-```
-
-```toml tab="File (TOML)"
-[providers.redis.sentinel]
-latencyStrategy = true
-```
-
-```bash tab="CLI"
---providers.redis.sentinel.latencyStrategy=true
-```
-
-#### `randomStrategy`
-
-_Optional, Default=false_
-
-`randomStrategy` defines whether to route commands randomly to master or replica nodes
-(mutually exclusive with LatencyStrategy and ReplicaStrategy).
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- sentinel:
- randomStrategy: true
-```
-
-```toml tab="File (TOML)"
-[providers.redis.sentinel]
-randomStrategy = true
-```
-
-```bash tab="CLI"
---providers.redis.sentinel.randomStrategy=true
-```
-
-#### `replicaStrategy`
-
-_Optional, Default=false_
-
-`replicaStrategy` Defines whether to route all commands to replica nodes
-(mutually exclusive with LatencyStrategy and RandomStrategy).
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- sentinel:
- replicaStrategy: true
-```
-
-```toml tab="File (TOML)"
-[providers.redis.sentinel]
-replicaStrategy = true
-```
-
-```bash tab="CLI"
---providers.redis.sentinel.replicaStrategy=true
-```
-
-#### `useDisconnectedReplicas`
-
-_Optional, Default=false_
-
-`useDisconnectedReplicas` defines whether to use replicas disconnected with master when cannot get connected replicas.
-
-```yaml tab="File (YAML)"
-providers:
- redis:
- sentinel:
- useDisconnectedReplicas: true
-```
-
-```toml tab="File (TOML)"
-[providers.redis.sentinel]
-useDisconnectedReplicas = true
-```
-
-```bash tab="CLI"
---providers.redis.sentinel.useDisconnectedReplicas=true
-```
diff --git a/docs/content/providers/swarm.md b/docs/content/providers/swarm.md
deleted file mode 100644
index 26a2c7e97..000000000
--- a/docs/content/providers/swarm.md
+++ /dev/null
@@ -1,772 +0,0 @@
----
-title: "Traefik Docker Swarm Documentation"
-description: "Learn how to achieve configuration discovery in Traefik through Docker Swarm. Read the technical documentation."
----
-
-# Traefik & Docker Swarm
-
-A Story of Labels & Containers
-{: .subtitle }
-
-
-
-Attach labels to your containers and let Traefik do the rest!
-
-This provider works with [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
-
-!!! tip "The Quick Start Uses Docker"
-
- If you have not already read it, maybe you would like to go through the [quick start guide](../getting-started/quick-start.md) that uses the Docker provider.
-
-## Configuration Examples
-
-??? example "Configuring Docker Swarm & Deploying / Exposing one Service"
-
- Enabling the Swarm provider
-
- ```yaml tab="File (YAML)"
- providers:
- swarm:
- # swarm classic (1.12-)
- # endpoint: "tcp://127.0.0.1:2375"
- # docker swarm mode (1.12+)
- endpoint: "tcp://127.0.0.1:2377"
- ```
-
- ```toml tab="File (TOML)"
- [providers.swarm]
- # swarm classic (1.12-)
- # endpoint = "tcp://127.0.0.1:2375"
- # docker swarm mode (1.12+)
- endpoint = "tcp://127.0.0.1:2377"
- ```
-
- ```bash tab="CLI"
- # swarm classic (1.12-)
- # --providers.swarm.endpoint=tcp://127.0.0.1:2375
- # docker swarm mode (1.12+)
- --providers.swarm.endpoint=tcp://127.0.0.1:2377
- ```
-
- Attach labels to a single service (not containers) while in Swarm mode (in your Docker compose file).
- When there is only one service, and the router does not specify a service,
- then that service is automatically assigned to the router.
-
- ```yaml
- services:
- my-container:
- deploy:
- labels:
- - traefik.http.routers.my-container.rule=Host(`example.com`)
- - traefik.http.services.my-container-service.loadbalancer.server.port=8080
- ```
-
-## Routing Configuration
-
-When using Docker as a [provider](./overview.md),
-Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#label) to retrieve its routing configuration.
-
-See the list of labels in the dedicated [routing](../routing/providers/docker.md) section.
-
-### Routing Configuration with Labels
-
-By default, Traefik watches for [container level labels](https://docs.docker.com/config/labels-custom-metadata/) on a standalone Docker Engine.
-
-When using Docker Compose, labels are specified by the directive
-[`labels`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels) from the
-["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference).
-
-!!! tip "Not Only Docker"
-
- Please note that any tool like Nomad, Terraform, Ansible, etc.
- that is able to define a Docker container with labels can work
- with Traefik and the Swarm provider.
-
-While in Swarm Mode, Traefik uses labels found on services, not on individual containers.
-
-Therefore, if you use a compose file with Swarm Mode, labels should be defined in the
-[`deploy`](https://docs.docker.com/compose/compose-file/compose-file-v3/#labels-1) part of your service.
-
-This behavior is only enabled for docker-compose version 3+ ([Compose file reference](https://docs.docker.com/compose/compose-file/compose-file-v3/)).
-
-### Port Detection
-
-Traefik retrieves the private IP and port of containers from the Docker API.
-
-Docker Swarm does not provide any port detection information to Traefik.
-
-Therefore, you **must** specify the port to use for communication by using the label `traefik.http.services..loadbalancer.server.port`
-(Check the reference for this label in the [routing section for Swarm](../routing/providers/swarm.md#services)).
-
-### Host networking
-
-When exposing containers that are configured with [host networking](https://docs.docker.com/network/host/),
-the IP address of the host is resolved as follows:
-
-
-- try a lookup of `host.docker.internal`
-- if the lookup was unsuccessful, try a lookup of `host.containers.internal`, ([Podman](https://docs.podman.io/en/latest/) equivalent of `host.docker.internal`)
-- if that lookup was also unsuccessful, fall back to `127.0.0.1`
-
-On Linux, for versions of Docker older than 20.10.0, for `host.docker.internal` to be defined, it should be provided
-as an `extra_host` to the Traefik container, using the `--add-host` flag. For example, to set it to the IP address of
-the bridge interface (`docker0` by default): `--add-host=host.docker.internal:172.17.0.1`
-
-### IPv4 && IPv6
-
-When using a docker stack that uses IPv6,
-Traefik will use the IPv4 container IP before its IPv6 counterpart.
-Therefore, on an IPv6 Docker stack,
-Traefik will use the IPv6 container IP.
-
-### Docker API Access
-
-Traefik requires access to the docker socket to get its dynamic configuration.
-
-You can specify which Docker API Endpoint to use with the directive [`endpoint`](#endpoint).
-
-!!! warning "Security Note"
-
- Accessing the Docker API without any restriction is a security concern:
- If Traefik is attacked, then the attacker might get access to the underlying host.
- {: #security-note }
-
- As explained in the [Docker Daemon Attack Surface documentation](https://docs.docker.com/engine/security/#docker-daemon-attack-surface):
-
- !!! quote
-
- [...] only **trusted** users should be allowed to control your Docker daemon [...]
-
- ??? success "Solutions"
-
- Expose the Docker socket over TCP or SSH, instead of the default Unix socket file.
- It allows different implementation levels of the [AAA (Authentication, Authorization, Accounting) concepts](https://en.wikipedia.org/wiki/AAA_(computer_security)), depending on your security assessment:
-
- - Authentication with Client Certificates as described in ["Protect the Docker daemon socket."](https://docs.docker.com/engine/security/protect-access/)
- - Authorize and filter requests to restrict possible actions with [the TecnativaDocker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy).
- - Authorization with the [Docker Authorization Plugin Mechanism](https://web.archive.org/web/20190920092526/https://docs.docker.com/engine/extend/plugins_authorization/)
- - Accounting at networking level, by exposing the socket only inside a Docker private network, only available for Traefik.
- - Accounting at container level, by exposing the socket on a another container than Traefik's.
- It allows scheduling of Traefik on worker nodes, with only the "socket exposer" container on the manager nodes.
- - Accounting at kernel level, by enforcing kernel calls with mechanisms like [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), to only allows an identified set of actions for Traefik's process (or the "socket exposer" process).
- - SSH public key authentication (SSH is supported with Docker > 18.09)
- - Authentication using HTTP Basic authentication through an HTTP proxy that exposes the Docker daemon socket.
-
- ??? info "More Resources and Examples"
-
- - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
- - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
- - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
- - [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
- - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
- - [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
- - [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
- - [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
- - [Letting Traefik run on Worker Nodes](https://blog.mikesir87.io/2018/07/letting-traefik-run-on-worker-nodes/)
- - [Docker Socket Proxy from Tecnativa](https://github.com/Tecnativa/docker-socket-proxy)
-
-Since the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes),
-these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":
-
-```shell tab="With Docker CLI"
-docker service create \
- --constraint=node.role==manager \
- #... \
-```
-
-```yml tab="With Docker Compose"
-services:
- traefik:
- # ...
- deploy:
- placement:
- constraints:
- - node.role == manager
-```
-
-!!! tip "Scheduling Traefik on Worker Nodes"
-
- Following the guidelines given in the previous section ["Docker API Access"](#docker-api-access),
- if you expose the Docker API through TCP, then Traefik can be scheduled on any node if the TCP
- socket is reachable.
-
- Please consider the security implications by reading the [Security Note](#security-note).
-
- A good example can be found on [Bret Fisher's repository](https://github.com/BretFisher/dogvscat/blob/master/stack-proxy-global.yml#L124).
-
-### `endpoint`
-
-_Required, Default="unix:///var/run/docker.sock"_
-
-See the [Docker Swarm API Access](#docker-api-access) section for more information.
-
-??? example "Using the docker.sock"
-
- The docker-compose file shares the docker sock with the Traefik container
-
- ```yaml
- services:
- traefik:
- image: traefik:v3.4 # The official v3 Traefik docker image
- ports:
- - "80:80"
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock
- ```
-
- We specify the docker.sock in traefik's configuration file.
-
- ```yaml tab="File (YAML)"
- providers:
- swarm:
- endpoint: "unix:///var/run/docker.sock"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.swarm]
- endpoint = "unix:///var/run/docker.sock"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.swarm.endpoint=unix:///var/run/docker.sock
- # ...
- ```
-
-??? example "Using SSH"
-
- Using Docker 18.09+ you can connect Traefik to daemon using SSH
- We specify the SSH host and user in Traefik's configuration file.
- Note that is server requires public keys for authentication you must have those accessible for user who runs Traefik.
-
- ```yaml tab="File (YAML)"
- providers:
- swarm:
- endpoint: "ssh://traefik@192.168.2.5:2022"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.swarm]
- endpoint = "ssh://traefik@192.168.2.5:2022"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.swarm.endpoint=ssh://traefik@192.168.2.5:2022
- # ...
- ```
-
-??? example "Using HTTP"
-
- Using Docker Engine API you can connect Traefik to remote daemon using HTTP.
-
- ```yaml tab="File (YAML)"
- providers:
- swarm:
- endpoint: "http://127.0.0.1:2375"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.swarm]
- swarm = "http://127.0.0.1:2375"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.swarm.endpoint=http://127.0.0.1:2375
- # ...
- ```
-
-??? example "Using TCP"
-
- Using Docker Engine API you can connect Traefik to remote daemon using TCP.
-
- ```yaml tab="File (YAML)"
- providers:
- swarm:
- endpoint: "tcp://127.0.0.1:2375"
- # ...
- ```
-
- ```toml tab="File (TOML)"
- [providers.swarm]
- swarm = "tcp://127.0.0.1:2375"
- # ...
- ```
-
- ```bash tab="CLI"
- --providers.swarm.endpoint=tcp://127.0.0.1:2375
- # ...
- ```
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- endpoint: "unix:///var/run/docker.sock"
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- endpoint = "unix:///var/run/docker.sock"
-```
-
-```bash tab="CLI"
---providers.swarm.endpoint=unix:///var/run/docker.sock
-```
-
-### `username`
-
-_Optional, Default=""_
-
-Defines the username for Basic HTTP authentication.
-This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- username: foo
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- username = "foo"
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.username="foo"
-# ...
-```
-
-### `password`
-
-_Optional, Default=""_
-
-Defines the password for Basic HTTP authentication.
-This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- password: foo
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- password = "foo"
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.password="foo"
-# ...
-```
-
-### `useBindPortIP`
-
-_Optional, Default=false_
-
-Traefik routes requests to the IP/port of the matching container.
-When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
-
-When used in conjunction with the `traefik.http.services..loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
-Traefik tries to find a binding on port `traefik.http.services..loadbalancer.server.port`.
-If it cannot find such a binding, Traefik falls back on the internal network IP of the container,
-but still uses the `traefik.http.services..loadbalancer.server.port` that is set in the label.
-
-??? example "Examples of `usebindportip` in different situations."
-
- | port label | Container's binding | Routes to |
- |--------------------|----------------------------------------------------|----------------|
- | - | - | IntIP:IntPort |
- | - | ExtPort:IntPort | IntIP:IntPort |
- | - | ExtIp:ExtPort:IntPort | ExtIp:ExtPort |
- | LblPort | - | IntIp:LblPort |
- | LblPort | ExtIp:ExtPort:LblPort | ExtIp:ExtPort |
- | LblPort | ExtIp:ExtPort:OtherPort | IntIp:LblPort |
- | LblPort | ExtIp1:ExtPort1:IntPort1 & ExtIp2:LblPort:IntPort2 | ExtIp2:LblPort |
-
- !!! info ""
- In the above table:
-
- - `ExtIp` stands for "external IP found in the binding"
- - `IntIp` stands for "internal network container's IP",
- - `ExtPort` stands for "external Port found in the binding"
- - `IntPort` stands for "internal network container's port."
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- useBindPortIP: true
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- useBindPortIP = true
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.useBindPortIP=true
-# ...
-```
-
-### `exposedByDefault`
-
-_Optional, Default=true_
-
-Expose containers by default through Traefik.
-If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- exposedByDefault: false
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- exposedByDefault = false
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.exposedByDefault=false
-# ...
-```
-
-### `network`
-
-_Optional, Default=""_
-
-Defines a default docker network to use for connections to all containers.
-
-This option can be overridden on a per-container basis with the `traefik.swarm.network` [routing label](../routing/providers/swarm.md#traefikswarmnetwork).
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- network: test
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- network = "test"
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.network=test
-# ...
-```
-
-### `defaultRule`
-
-_Optional, Default=```Host(`{{ normalize .Name }}`)```_
-
-The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
-
-It must be a valid [Go template](https://pkg.go.dev/text/template/), and can use
-[sprig template functions](https://masterminds.github.io/sprig/).
-The container service name can be accessed with the `Name` identifier,
-and the template has access to all the labels defined on this container.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- defaultRule: "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
-# ...
-```
-
-??? info "Default rule and Traefik service"
-
- The exposure of the Traefik container, combined with the default rule mechanism,
- can lead to create a router targeting itself in a loop.
- In this case, to prevent an infinite loop,
- Traefik adds an internal middleware to refuse the request if it comes from the same router.
-
-### `refreshSeconds`
-
-_Optional, Default=15_
-
-Defines the polling interval (in seconds) for Swarm Mode.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- refreshSeconds: 30
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- refreshSeconds = 30
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.refreshSeconds=30
-# ...
-```
-
-### `httpClientTimeout`
-
-_Optional, Default=0_
-
-Defines the client timeout (in seconds) for HTTP connections. If its value is `0`, no timeout is set.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- httpClientTimeout: 300
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- httpClientTimeout = 300
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.httpClientTimeout=300
-# ...
-```
-
-### `watch`
-
-_Optional, Default=true_
-
-Watch Docker events.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- watch: false
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- watch = false
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.watch=false
-# ...
-```
-
-### `constraints`
-
-_Optional, Default=""_
-
-The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
-to create any route for that container. If none of the container labels match the expression, no route for that container is
-created. If the expression is empty, all detected containers are included.
-
-The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions,
-as well as the usual boolean logic, as shown in examples below.
-
-??? example "Constraints Expression Examples"
-
- ```toml
- # Includes only containers having a label with key `a.label.name` and value `foo`
- constraints = "Label(`a.label.name`, `foo`)"
- ```
-
- ```toml
- # Excludes containers having any label with key `a.label.name` and value `foo`
- constraints = "!Label(`a.label.name`, `value`)"
- ```
-
- ```toml
- # With logical AND.
- constraints = "Label(`a.label.name`, `valueA`) && Label(`another.label.name`, `valueB`)"
- ```
-
- ```toml
- # With logical OR.
- constraints = "Label(`a.label.name`, `valueA`) || Label(`another.label.name`, `valueB`)"
- ```
-
- ```toml
- # With logical AND and OR, with precedence set by parentheses.
- constraints = "Label(`a.label.name`, `valueA`) && (Label(`another.label.name`, `valueB`) || Label(`yet.another.label.name`, `valueC`))"
- ```
-
- ```toml
- # Includes only containers having a label with key `a.label.name` and a value matching the `a.+` regular expression.
- constraints = "LabelRegex(`a.label.name`, `a.+`)"
- ```
-
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- constraints: "Label(`a.label.name`,`foo`)"
- # ...
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- constraints = "Label(`a.label.name`,`foo`)"
- # ...
-```
-
-```bash tab="CLI"
---providers.swarm.constraints=Label(`a.label.name`,`foo`)
-# ...
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to Docker.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to Docker,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.swarm.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.swarm.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-`cert` is the path to the public certificate used for the secure connection to Docker.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.swarm.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.swarm.tls.cert=path/to/foo.cert
---providers.swarm.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection Docker.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.swarm.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.swarm.tls.cert=path/to/foo.cert
---providers.swarm.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.swarm.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.swarm.tls.insecureSkipVerify=true
-```
-
-### `allowEmptyServices`
-
-_Optional, Default=false_
-
-If the parameter is set to `true`,
-any [servers load balancer](../routing/services/index.md#servers-load-balancer) defined for Docker containers is created
-regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers.
-It also then stays alive and responsive even at times when it becomes empty,
-i.e. when all its children containers become unhealthy.
-This results in `503` HTTP responses instead of `404` ones,
-in the above cases.
-
-```yaml tab="File (YAML)"
-providers:
- swarm:
- allowEmptyServices: true
-```
-
-```toml tab="File (TOML)"
-[providers.swarm]
- allowEmptyServices = true
-```
-
-```bash tab="CLI"
---providers.swarm.allowEmptyServices=true
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/providers/zookeeper.md b/docs/content/providers/zookeeper.md
deleted file mode 100644
index 7b7483f98..000000000
--- a/docs/content/providers/zookeeper.md
+++ /dev/null
@@ -1,209 +0,0 @@
----
-title: "Traefik ZooKeeper Documentation"
-description: "For configuration discovery in Traefik Proxy, you can store your configurations in ZooKeeper. Read the technical documentation."
----
-
-# Traefik & ZooKeeper
-
-A Story of KV Store & Containers
-{: .subtitle }
-
-Store your configuration in ZooKeeper and let Traefik do the rest!
-
-## Routing Configuration
-
-See the dedicated section in [routing](../routing/providers/kv.md).
-
-## Provider Configuration
-
-### `endpoints`
-
-_Required, Default="127.0.0.1:2181"_
-
-Defines how to access ZooKeeper.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- endpoints:
- - "127.0.0.1:2181"
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper]
- endpoints = ["127.0.0.1:2181"]
-```
-
-```bash tab="CLI"
---providers.zookeeper.endpoints=127.0.0.1:2181
-```
-
-### `rootKey`
-
-_Required, Default="traefik"_
-
-Defines the root key of the configuration.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- rootKey: "traefik"
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper]
- rootKey = "traefik"
-```
-
-```bash tab="CLI"
---providers.zookeeper.rootkey=traefik
-```
-
-### `username`
-
-_Optional, Default=""_
-
-Defines a username to connect with ZooKeeper.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- # ...
- username: "foo"
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper]
- # ...
- username = "foo"
-```
-
-```bash tab="CLI"
---providers.zookeeper.username=foo
-```
-
-### `password`
-
-_Optional, Default=""_
-
-Defines a password to connect with ZooKeeper.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- # ...
- password: "bar"
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper]
- # ...
- password = "bar"
-```
-
-```bash tab="CLI"
---providers.zookeeper.password=foo
-```
-
-### `tls`
-
-_Optional_
-
-Defines the TLS configuration used for the secure connection to ZooKeeper.
-
-#### `ca`
-
-_Optional_
-
-`ca` is the path to the certificate authority used for the secure connection to ZooKeeper,
-it defaults to the system bundle.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- tls:
- ca: path/to/ca.crt
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper.tls]
- ca = "path/to/ca.crt"
-```
-
-```bash tab="CLI"
---providers.zookeeper.tls.ca=path/to/ca.crt
-```
-
-#### `cert`
-
-_Optional_
-
-`cert` is the path to the public certificate used for the secure connection to ZooKeeper.
-When using this option, setting the `key` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.zookeeper.tls.cert=path/to/foo.cert
---providers.zookeeper.tls.key=path/to/foo.key
-```
-
-#### `key`
-
-_Optional_
-
-`key` is the path to the private key used for the secure connection to ZooKeeper.
-When using this option, setting the `cert` option is required.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- tls:
- cert: path/to/foo.cert
- key: path/to/foo.key
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper.tls]
- cert = "path/to/foo.cert"
- key = "path/to/foo.key"
-```
-
-```bash tab="CLI"
---providers.zookeeper.tls.cert=path/to/foo.cert
---providers.zookeeper.tls.key=path/to/foo.key
-```
-
-#### `insecureSkipVerify`
-
-_Optional, Default=false_
-
-If `insecureSkipVerify` is `true`, the TLS connection to Zookeeper accepts any certificate presented by the server regardless of the hostnames it covers.
-
-```yaml tab="File (YAML)"
-providers:
- zooKeeper:
- tls:
- insecureSkipVerify: true
-```
-
-```toml tab="File (TOML)"
-[providers.zooKeeper.tls]
- insecureSkipVerify = true
-```
-
-```bash tab="CLI"
---providers.zookeeper.tls.insecureSkipVerify=true
-```
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd.md b/docs/content/reference/dynamic-configuration/kubernetes-crd.md
deleted file mode 100644
index aec00bee1..000000000
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: "Traefik Kubernetes CRD Documentation"
-description: "Learn about the definitions, resources, and RBAC of dynamic configuration with Kubernetes CRD in Traefik Proxy. Read the technical documentation."
----
-
-# Kubernetes Configuration Reference
-
-Dynamic configuration with Kubernetes Custom Resource
-{: .subtitle }
-
-## Definitions
-
-```yaml tab="apiextensions.k8s.io/v1 (Kubernetes v1.16+)"
---8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml"
-```
-
-## Resources
-
-```yaml
---8<-- "content/reference/dynamic-configuration/kubernetes-crd-resource.yml"
-```
-
-## RBAC
-
-```yaml
---8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
-```
-
-{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/reference/dynamic-configuration/kv-ref.md b/docs/content/reference/dynamic-configuration/kv-ref.md
deleted file mode 100644
index 441f5854f..000000000
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ /dev/null
@@ -1,482 +0,0 @@
-
-
-| Key (Path) | Value |
-|------------|-------|
-| `traefik/http/middlewares/Middleware01/addPrefix/prefix` | `foobar` |
-| `traefik/http/middlewares/Middleware02/basicAuth/headerField` | `foobar` |
-| `traefik/http/middlewares/Middleware02/basicAuth/realm` | `foobar` |
-| `traefik/http/middlewares/Middleware02/basicAuth/removeHeader` | `true` |
-| `traefik/http/middlewares/Middleware02/basicAuth/users/0` | `foobar` |
-| `traefik/http/middlewares/Middleware02/basicAuth/users/1` | `foobar` |
-| `traefik/http/middlewares/Middleware02/basicAuth/usersFile` | `foobar` |
-| `traefik/http/middlewares/Middleware03/buffering/maxRequestBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware03/buffering/maxResponseBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware03/buffering/memRequestBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware03/buffering/memResponseBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware03/buffering/retryExpression` | `foobar` |
-| `traefik/http/middlewares/Middleware04/chain/middlewares/0` | `foobar` |
-| `traefik/http/middlewares/Middleware04/chain/middlewares/1` | `foobar` |
-| `traefik/http/middlewares/Middleware05/circuitBreaker/checkPeriod` | `42s` |
-| `traefik/http/middlewares/Middleware05/circuitBreaker/expression` | `foobar` |
-| `traefik/http/middlewares/Middleware05/circuitBreaker/fallbackDuration` | `42s` |
-| `traefik/http/middlewares/Middleware05/circuitBreaker/recoveryDuration` | `42s` |
-| `traefik/http/middlewares/Middleware05/circuitBreaker/responseCode` | `42` |
-| `traefik/http/middlewares/Middleware06/compress/defaultEncoding` | `foobar` |
-| `traefik/http/middlewares/Middleware06/compress/encodings/0` | `foobar` |
-| `traefik/http/middlewares/Middleware06/compress/encodings/1` | `foobar` |
-| `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/0` | `foobar` |
-| `traefik/http/middlewares/Middleware06/compress/excludedContentTypes/1` | `foobar` |
-| `traefik/http/middlewares/Middleware06/compress/includedContentTypes/0` | `foobar` |
-| `traefik/http/middlewares/Middleware06/compress/includedContentTypes/1` | `foobar` |
-| `traefik/http/middlewares/Middleware06/compress/minResponseBodyBytes` | `42` |
-| `traefik/http/middlewares/Middleware07/contentType/autoDetect` | `true` |
-| `traefik/http/middlewares/Middleware08/digestAuth/headerField` | `foobar` |
-| `traefik/http/middlewares/Middleware08/digestAuth/realm` | `foobar` |
-| `traefik/http/middlewares/Middleware08/digestAuth/removeHeader` | `true` |
-| `traefik/http/middlewares/Middleware08/digestAuth/users/0` | `foobar` |
-| `traefik/http/middlewares/Middleware08/digestAuth/users/1` | `foobar` |
-| `traefik/http/middlewares/Middleware08/digestAuth/usersFile` | `foobar` |
-| `traefik/http/middlewares/Middleware09/errors/query` | `foobar` |
-| `traefik/http/middlewares/Middleware09/errors/service` | `foobar` |
-| `traefik/http/middlewares/Middleware09/errors/status/0` | `foobar` |
-| `traefik/http/middlewares/Middleware09/errors/status/1` | `foobar` |
-| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name0` | `42` |
-| `traefik/http/middlewares/Middleware09/errors/statusRewrites/name1` | `42` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/0` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/addAuthCookiesToResponse/1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/address` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/authRequestHeaders/0` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/authRequestHeaders/1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/0` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeaders/1` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/authResponseHeadersRegex` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/forwardBody` | `true` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/headerField` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/maxBodySize` | `42` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/maxResponseBodySize` | `42` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/preserveLocationHeader` | `true` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/preserveRequestMethod` | `true` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/tls/ca` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/tls/caOptional` | `true` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/tls/cert` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/tls/insecureSkipVerify` | `true` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/tls/key` | `foobar` |
-| `traefik/http/middlewares/Middleware10/forwardAuth/trustForwardHeader` | `true` |
-| `traefik/http/middlewares/Middleware11/grpcWeb/allowOrigins/0` | `foobar` |
-| `traefik/http/middlewares/Middleware11/grpcWeb/allowOrigins/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowCredentials` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowHeaders/0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowHeaders/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowMethods/0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowMethods/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginList/0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginList/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginListRegex/0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlAllowOriginListRegex/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlExposeHeaders/0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlExposeHeaders/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/accessControlMaxAge` | `42` |
-| `traefik/http/middlewares/Middleware12/headers/addVaryHeader` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/allowedHosts/0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/allowedHosts/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/browserXssFilter` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicy` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/contentSecurityPolicyReportOnly` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/contentTypeNosniff` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/customBrowserXSSValue` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/customFrameOptionsValue` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/customRequestHeaders/name0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/customRequestHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/customResponseHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/featurePolicy` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/forceSTSHeader` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/frameDeny` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/hostsProxyHeaders/0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/hostsProxyHeaders/1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/isDevelopment` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/permissionsPolicy` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/publicKey` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/referrerPolicy` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/sslForceHost` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/sslHost` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name0` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/sslProxyHeaders/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware12/headers/sslRedirect` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/sslTemporaryRedirect` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/stsIncludeSubdomains` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/stsPreload` | `true` |
-| `traefik/http/middlewares/Middleware12/headers/stsSeconds` | `42` |
-| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/depth` | `42` |
-| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/0` | `foobar` |
-| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/excludedIPs/1` | `foobar` |
-| `traefik/http/middlewares/Middleware13/ipAllowList/ipStrategy/ipv6Subnet` | `42` |
-| `traefik/http/middlewares/Middleware13/ipAllowList/rejectStatusCode` | `42` |
-| `traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/0` | `foobar` |
-| `traefik/http/middlewares/Middleware13/ipAllowList/sourceRange/1` | `foobar` |
-| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/depth` | `42` |
-| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/0` | `foobar` |
-| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/excludedIPs/1` | `foobar` |
-| `traefik/http/middlewares/Middleware14/ipWhiteList/ipStrategy/ipv6Subnet` | `42` |
-| `traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/0` | `foobar` |
-| `traefik/http/middlewares/Middleware14/ipWhiteList/sourceRange/1` | `foobar` |
-| `traefik/http/middlewares/Middleware15/inFlightReq/amount` | `42` |
-| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/depth` | `42` |
-| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
-| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
-| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/ipStrategy/ipv6Subnet` | `42` |
-| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHeaderName` | `foobar` |
-| `traefik/http/middlewares/Middleware15/inFlightReq/sourceCriterion/requestHost` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/commonName` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/country` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/domainComponent` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/locality` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/organization` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/province` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/issuer/serialNumber` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/notAfter` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/notBefore` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/sans` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/serialNumber` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/commonName` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/country` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/domainComponent` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/locality` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/organization` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/organizationalUnit` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/province` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/info/subject/serialNumber` | `true` |
-| `traefik/http/middlewares/Middleware16/passTLSClientCert/pem` | `true` |
-| `traefik/http/middlewares/Middleware17/plugin/PluginConf0/name0` | `foobar` |
-| `traefik/http/middlewares/Middleware17/plugin/PluginConf0/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware17/plugin/PluginConf1/name0` | `foobar` |
-| `traefik/http/middlewares/Middleware17/plugin/PluginConf1/name1` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/average` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/burst` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/period` | `42s` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/db` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/dialTimeout` | `42s` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/0` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/endpoints/1` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/maxActiveConns` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/minIdleConns` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/password` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/poolSize` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/readTimeout` | `42s` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/ca` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/cert` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/insecureSkipVerify` | `true` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/tls/key` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/username` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/redis/writeTimeout` | `42s` |
-| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/depth` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/0` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/excludedIPs/1` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/ipStrategy/ipv6Subnet` | `42` |
-| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHeaderName` | `foobar` |
-| `traefik/http/middlewares/Middleware18/rateLimit/sourceCriterion/requestHost` | `true` |
-| `traefik/http/middlewares/Middleware19/redirectRegex/permanent` | `true` |
-| `traefik/http/middlewares/Middleware19/redirectRegex/regex` | `foobar` |
-| `traefik/http/middlewares/Middleware19/redirectRegex/replacement` | `foobar` |
-| `traefik/http/middlewares/Middleware20/redirectScheme/permanent` | `true` |
-| `traefik/http/middlewares/Middleware20/redirectScheme/port` | `foobar` |
-| `traefik/http/middlewares/Middleware20/redirectScheme/scheme` | `foobar` |
-| `traefik/http/middlewares/Middleware21/replacePath/path` | `foobar` |
-| `traefik/http/middlewares/Middleware22/replacePathRegex/regex` | `foobar` |
-| `traefik/http/middlewares/Middleware22/replacePathRegex/replacement` | `foobar` |
-| `traefik/http/middlewares/Middleware23/retry/attempts` | `42` |
-| `traefik/http/middlewares/Middleware23/retry/initialInterval` | `42s` |
-| `traefik/http/middlewares/Middleware24/stripPrefix/forceSlash` | `true` |
-| `traefik/http/middlewares/Middleware24/stripPrefix/prefixes/0` | `foobar` |
-| `traefik/http/middlewares/Middleware24/stripPrefix/prefixes/1` | `foobar` |
-| `traefik/http/middlewares/Middleware25/stripPrefixRegex/regex/0` | `foobar` |
-| `traefik/http/middlewares/Middleware25/stripPrefixRegex/regex/1` | `foobar` |
-| `traefik/http/routers/Router0/entryPoints/0` | `foobar` |
-| `traefik/http/routers/Router0/entryPoints/1` | `foobar` |
-| `traefik/http/routers/Router0/middlewares/0` | `foobar` |
-| `traefik/http/routers/Router0/middlewares/1` | `foobar` |
-| `traefik/http/routers/Router0/observability/accessLogs` | `true` |
-| `traefik/http/routers/Router0/observability/metrics` | `true` |
-| `traefik/http/routers/Router0/observability/traceVerbosity` | `foobar` |
-| `traefik/http/routers/Router0/observability/tracing` | `true` |
-| `traefik/http/routers/Router0/priority` | `42` |
-| `traefik/http/routers/Router0/rule` | `foobar` |
-| `traefik/http/routers/Router0/ruleSyntax` | `foobar` |
-| `traefik/http/routers/Router0/service` | `foobar` |
-| `traefik/http/routers/Router0/tls/certResolver` | `foobar` |
-| `traefik/http/routers/Router0/tls/domains/0/main` | `foobar` |
-| `traefik/http/routers/Router0/tls/domains/0/sans/0` | `foobar` |
-| `traefik/http/routers/Router0/tls/domains/0/sans/1` | `foobar` |
-| `traefik/http/routers/Router0/tls/domains/1/main` | `foobar` |
-| `traefik/http/routers/Router0/tls/domains/1/sans/0` | `foobar` |
-| `traefik/http/routers/Router0/tls/domains/1/sans/1` | `foobar` |
-| `traefik/http/routers/Router0/tls/options` | `foobar` |
-| `traefik/http/routers/Router1/entryPoints/0` | `foobar` |
-| `traefik/http/routers/Router1/entryPoints/1` | `foobar` |
-| `traefik/http/routers/Router1/middlewares/0` | `foobar` |
-| `traefik/http/routers/Router1/middlewares/1` | `foobar` |
-| `traefik/http/routers/Router1/observability/accessLogs` | `true` |
-| `traefik/http/routers/Router1/observability/metrics` | `true` |
-| `traefik/http/routers/Router1/observability/traceVerbosity` | `foobar` |
-| `traefik/http/routers/Router1/observability/tracing` | `true` |
-| `traefik/http/routers/Router1/priority` | `42` |
-| `traefik/http/routers/Router1/rule` | `foobar` |
-| `traefik/http/routers/Router1/ruleSyntax` | `foobar` |
-| `traefik/http/routers/Router1/service` | `foobar` |
-| `traefik/http/routers/Router1/tls/certResolver` | `foobar` |
-| `traefik/http/routers/Router1/tls/domains/0/main` | `foobar` |
-| `traefik/http/routers/Router1/tls/domains/0/sans/0` | `foobar` |
-| `traefik/http/routers/Router1/tls/domains/0/sans/1` | `foobar` |
-| `traefik/http/routers/Router1/tls/domains/1/main` | `foobar` |
-| `traefik/http/routers/Router1/tls/domains/1/sans/0` | `foobar` |
-| `traefik/http/routers/Router1/tls/domains/1/sans/1` | `foobar` |
-| `traefik/http/routers/Router1/tls/options` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/certificates/0/certFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/certificates/0/keyFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/certificates/1/certFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/certificates/1/keyFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/cipherSuites/0` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/cipherSuites/1` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/disableHTTP2` | `true` |
-| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/dialTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/idleConnTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/pingTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/readIdleTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport0/forwardingTimeouts/responseHeaderTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport0/insecureSkipVerify` | `true` |
-| `traefik/http/serversTransports/ServersTransport0/maxIdleConnsPerHost` | `42` |
-| `traefik/http/serversTransports/ServersTransport0/maxVersion` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/minVersion` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/peerCertURI` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/rootCAs/0` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/rootCAs/1` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/serverName` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/0` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/spiffe/ids/1` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport0/spiffe/trustDomain` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/certificates/0/certFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/certificates/0/keyFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/certificates/1/certFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/certificates/1/keyFile` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/cipherSuites/0` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/cipherSuites/1` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/disableHTTP2` | `true` |
-| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/dialTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/idleConnTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/pingTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/readIdleTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport1/forwardingTimeouts/responseHeaderTimeout` | `42s` |
-| `traefik/http/serversTransports/ServersTransport1/insecureSkipVerify` | `true` |
-| `traefik/http/serversTransports/ServersTransport1/maxIdleConnsPerHost` | `42` |
-| `traefik/http/serversTransports/ServersTransport1/maxVersion` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/minVersion` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/peerCertURI` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/rootCAs/0` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/rootCAs/1` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/serverName` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/0` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/spiffe/ids/1` | `foobar` |
-| `traefik/http/serversTransports/ServersTransport1/spiffe/trustDomain` | `foobar` |
-| `traefik/http/services/Service01/failover/fallback` | `foobar` |
-| `traefik/http/services/Service01/failover/healthCheck` | `` |
-| `traefik/http/services/Service01/failover/service` | `foobar` |
-| `traefik/http/services/Service02/highestRandomWeight/healthCheck` | `` |
-| `traefik/http/services/Service02/highestRandomWeight/services/0/name` | `foobar` |
-| `traefik/http/services/Service02/highestRandomWeight/services/0/weight` | `42` |
-| `traefik/http/services/Service02/highestRandomWeight/services/1/name` | `foobar` |
-| `traefik/http/services/Service02/highestRandomWeight/services/1/weight` | `42` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/followRedirects` | `true` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/headers/name0` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/headers/name1` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/hostname` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/interval` | `42s` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/method` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/mode` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/path` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/port` | `42` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/scheme` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/status` | `42` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/timeout` | `42s` |
-| `traefik/http/services/Service03/loadBalancer/healthCheck/unhealthyInterval` | `42s` |
-| `traefik/http/services/Service03/loadBalancer/passHostHeader` | `true` |
-| `traefik/http/services/Service03/loadBalancer/passiveHealthCheck/failureWindow` | `42s` |
-| `traefik/http/services/Service03/loadBalancer/passiveHealthCheck/maxFailedAttempts` | `42` |
-| `traefik/http/services/Service03/loadBalancer/responseForwarding/flushInterval` | `42s` |
-| `traefik/http/services/Service03/loadBalancer/servers/0/preservePath` | `true` |
-| `traefik/http/services/Service03/loadBalancer/servers/0/url` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/servers/0/weight` | `42` |
-| `traefik/http/services/Service03/loadBalancer/servers/1/preservePath` | `true` |
-| `traefik/http/services/Service03/loadBalancer/servers/1/url` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/servers/1/weight` | `42` |
-| `traefik/http/services/Service03/loadBalancer/serversTransport` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/sticky/cookie/domain` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/sticky/cookie/httpOnly` | `true` |
-| `traefik/http/services/Service03/loadBalancer/sticky/cookie/maxAge` | `42` |
-| `traefik/http/services/Service03/loadBalancer/sticky/cookie/name` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/sticky/cookie/path` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/sticky/cookie/sameSite` | `foobar` |
-| `traefik/http/services/Service03/loadBalancer/sticky/cookie/secure` | `true` |
-| `traefik/http/services/Service03/loadBalancer/strategy` | `foobar` |
-| `traefik/http/services/Service04/mirroring/healthCheck` | `` |
-| `traefik/http/services/Service04/mirroring/maxBodySize` | `42` |
-| `traefik/http/services/Service04/mirroring/mirrorBody` | `true` |
-| `traefik/http/services/Service04/mirroring/mirrors/0/name` | `foobar` |
-| `traefik/http/services/Service04/mirroring/mirrors/0/percent` | `42` |
-| `traefik/http/services/Service04/mirroring/mirrors/1/name` | `foobar` |
-| `traefik/http/services/Service04/mirroring/mirrors/1/percent` | `42` |
-| `traefik/http/services/Service04/mirroring/service` | `foobar` |
-| `traefik/http/services/Service05/weighted/healthCheck` | `` |
-| `traefik/http/services/Service05/weighted/services/0/name` | `foobar` |
-| `traefik/http/services/Service05/weighted/services/0/weight` | `42` |
-| `traefik/http/services/Service05/weighted/services/1/name` | `foobar` |
-| `traefik/http/services/Service05/weighted/services/1/weight` | `42` |
-| `traefik/http/services/Service05/weighted/sticky/cookie/domain` | `foobar` |
-| `traefik/http/services/Service05/weighted/sticky/cookie/httpOnly` | `true` |
-| `traefik/http/services/Service05/weighted/sticky/cookie/maxAge` | `42` |
-| `traefik/http/services/Service05/weighted/sticky/cookie/name` | `foobar` |
-| `traefik/http/services/Service05/weighted/sticky/cookie/path` | `foobar` |
-| `traefik/http/services/Service05/weighted/sticky/cookie/sameSite` | `foobar` |
-| `traefik/http/services/Service05/weighted/sticky/cookie/secure` | `true` |
-| `traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/0` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware01/ipAllowList/sourceRange/1` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware02/ipWhiteList/sourceRange/0` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware02/ipWhiteList/sourceRange/1` | `foobar` |
-| `traefik/tcp/middlewares/TCPMiddleware03/inFlightConn/amount` | `42` |
-| `traefik/tcp/routers/TCPRouter0/entryPoints/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/entryPoints/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/middlewares/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/middlewares/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/priority` | `42` |
-| `traefik/tcp/routers/TCPRouter0/rule` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/ruleSyntax` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/service` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/certResolver` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/domains/0/main` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/domains/0/sans/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/domains/1/main` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/domains/1/sans/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/options` | `foobar` |
-| `traefik/tcp/routers/TCPRouter0/tls/passthrough` | `true` |
-| `traefik/tcp/routers/TCPRouter1/entryPoints/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/entryPoints/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/middlewares/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/middlewares/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/priority` | `42` |
-| `traefik/tcp/routers/TCPRouter1/rule` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/ruleSyntax` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/service` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/certResolver` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/domains/0/main` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/domains/0/sans/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/domains/1/main` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/0` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/domains/1/sans/1` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/options` | `foobar` |
-| `traefik/tcp/routers/TCPRouter1/tls/passthrough` | `true` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/dialKeepAlive` | `42s` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/dialTimeout` | `42s` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/terminationDelay` | `42s` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/certFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/0/keyFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/certFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/certificates/1/keyFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/insecureSkipVerify` | `true` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/peerCertURI` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/0` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/rootCAs/1` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/serverName` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/ids/0` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/ids/1` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport0/tls/spiffe/trustDomain` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/dialKeepAlive` | `42s` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/dialTimeout` | `42s` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/terminationDelay` | `42s` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/certFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/0/keyFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/certFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/certificates/1/keyFile` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/insecureSkipVerify` | `true` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/peerCertURI` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/0` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/rootCAs/1` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/serverName` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/ids/0` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/ids/1` | `foobar` |
-| `traefik/tcp/serversTransports/TCPServersTransport1/tls/spiffe/trustDomain` | `foobar` |
-| `traefik/tcp/services/TCPService01/loadBalancer/proxyProtocol/version` | `42` |
-| `traefik/tcp/services/TCPService01/loadBalancer/servers/0/address` | `foobar` |
-| `traefik/tcp/services/TCPService01/loadBalancer/servers/0/tls` | `true` |
-| `traefik/tcp/services/TCPService01/loadBalancer/servers/1/address` | `foobar` |
-| `traefik/tcp/services/TCPService01/loadBalancer/servers/1/tls` | `true` |
-| `traefik/tcp/services/TCPService01/loadBalancer/serversTransport` | `foobar` |
-| `traefik/tcp/services/TCPService01/loadBalancer/terminationDelay` | `42` |
-| `traefik/tcp/services/TCPService02/weighted/services/0/name` | `foobar` |
-| `traefik/tcp/services/TCPService02/weighted/services/0/weight` | `42` |
-| `traefik/tcp/services/TCPService02/weighted/services/1/name` | `foobar` |
-| `traefik/tcp/services/TCPService02/weighted/services/1/weight` | `42` |
-| `traefik/tls/certificates/0/certFile` | `foobar` |
-| `traefik/tls/certificates/0/keyFile` | `foobar` |
-| `traefik/tls/certificates/0/stores/0` | `foobar` |
-| `traefik/tls/certificates/0/stores/1` | `foobar` |
-| `traefik/tls/certificates/1/certFile` | `foobar` |
-| `traefik/tls/certificates/1/keyFile` | `foobar` |
-| `traefik/tls/certificates/1/stores/0` | `foobar` |
-| `traefik/tls/certificates/1/stores/1` | `foobar` |
-| `traefik/tls/options/Options0/alpnProtocols/0` | `foobar` |
-| `traefik/tls/options/Options0/alpnProtocols/1` | `foobar` |
-| `traefik/tls/options/Options0/cipherSuites/0` | `foobar` |
-| `traefik/tls/options/Options0/cipherSuites/1` | `foobar` |
-| `traefik/tls/options/Options0/clientAuth/caFiles/0` | `foobar` |
-| `traefik/tls/options/Options0/clientAuth/caFiles/1` | `foobar` |
-| `traefik/tls/options/Options0/clientAuth/clientAuthType` | `foobar` |
-| `traefik/tls/options/Options0/curvePreferences/0` | `foobar` |
-| `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
-| `traefik/tls/options/Options0/disableSessionTickets` | `true` |
-| `traefik/tls/options/Options0/maxVersion` | `foobar` |
-| `traefik/tls/options/Options0/minVersion` | `foobar` |
-| `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
-| `traefik/tls/options/Options0/sniStrict` | `true` |
-| `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
-| `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
-| `traefik/tls/options/Options1/cipherSuites/0` | `foobar` |
-| `traefik/tls/options/Options1/cipherSuites/1` | `foobar` |
-| `traefik/tls/options/Options1/clientAuth/caFiles/0` | `foobar` |
-| `traefik/tls/options/Options1/clientAuth/caFiles/1` | `foobar` |
-| `traefik/tls/options/Options1/clientAuth/clientAuthType` | `foobar` |
-| `traefik/tls/options/Options1/curvePreferences/0` | `foobar` |
-| `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
-| `traefik/tls/options/Options1/disableSessionTickets` | `true` |
-| `traefik/tls/options/Options1/maxVersion` | `foobar` |
-| `traefik/tls/options/Options1/minVersion` | `foobar` |
-| `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
-| `traefik/tls/options/Options1/sniStrict` | `true` |
-| `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
-| `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
-| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/main` | `foobar` |
-| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/0` | `foobar` |
-| `traefik/tls/stores/Store0/defaultGeneratedCert/domain/sans/1` | `foobar` |
-| `traefik/tls/stores/Store0/defaultGeneratedCert/resolver` | `foobar` |
-| `traefik/tls/stores/Store1/defaultCertificate/certFile` | `foobar` |
-| `traefik/tls/stores/Store1/defaultCertificate/keyFile` | `foobar` |
-| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/main` | `foobar` |
-| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/0` | `foobar` |
-| `traefik/tls/stores/Store1/defaultGeneratedCert/domain/sans/1` | `foobar` |
-| `traefik/tls/stores/Store1/defaultGeneratedCert/resolver` | `foobar` |
-| `traefik/udp/routers/UDPRouter0/entryPoints/0` | `foobar` |
-| `traefik/udp/routers/UDPRouter0/entryPoints/1` | `foobar` |
-| `traefik/udp/routers/UDPRouter0/service` | `foobar` |
-| `traefik/udp/routers/UDPRouter1/entryPoints/0` | `foobar` |
-| `traefik/udp/routers/UDPRouter1/entryPoints/1` | `foobar` |
-| `traefik/udp/routers/UDPRouter1/service` | `foobar` |
-| `traefik/udp/services/UDPService01/loadBalancer/servers/0/address` | `foobar` |
-| `traefik/udp/services/UDPService01/loadBalancer/servers/1/address` | `foobar` |
-| `traefik/udp/services/UDPService02/weighted/services/0/name` | `foobar` |
-| `traefik/udp/services/UDPService02/weighted/services/0/weight` | `42` |
-| `traefik/udp/services/UDPService02/weighted/services/1/name` | `foobar` |
-| `traefik/udp/services/UDPService02/weighted/services/1/weight` | `42` |
diff --git a/docs/content/reference/install-configuration/api-dashboard.md b/docs/content/reference/install-configuration/api-dashboard.md
index b345fb504..ccffb2999 100644
--- a/docs/content/reference/install-configuration/api-dashboard.md
+++ b/docs/content/reference/install-configuration/api-dashboard.md
@@ -222,21 +222,21 @@ The dashboard is available by default on the path `/dashboard/`.
!!! note
- - The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../middlewares/http/redirectregex.md).
- - There is also a redirect from the path `/` to `/dashboard/`.
+ - The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../reference/routing-configuration/http/middlewares/redirectregex.md).
+ - There is also a redirect from the path `/` to `/dashboard/`, but you should not rely on this behavior, as it is subject to change and may complicate routing rules.
As mentioned above in the [Security](#security) section, it is important to secure access to both the dashboard and the API.
You need to define a routing configuration within Traefik.
This involves setting up a router attached to the service `api@internal`, which allows you to:
-- Implement security features using [middlewares](../../middlewares/overview.md), such as authentication ([basicAuth](../../middlewares/http/basicauth.md), [digestAuth](../../middlewares/http/digestauth.md),
- [forwardAuth](../../middlewares/http/forwardauth.md)) or [allowlisting](../../middlewares/http/ipallowlist.md).
+- Implement security features using [middlewares](../../reference/routing-configuration/http/middlewares/overview.md), such as authentication ([basicAuth](../../reference/routing-configuration/http/middlewares/basicauth.md), [digestAuth](../../reference/routing-configuration/http/middlewares/digestauth.md),
+ [forwardAuth](../../reference/routing-configuration/http/middlewares/forwardauth.md)) or [allowlisting](../../reference/routing-configuration/http/middlewares/ipallowlist.md).
- Define a [router rule](#dashboard-router-rule) for accessing the dashboard through Traefik.
### Dashboard Router Rule
-To ensure proper access to the dashboard, the [router rule](../../routing/routers/index.md#rule) you define must match requests intended for the `/api` and `/dashboard` paths.
+To ensure proper access to the dashboard, the [router rule](../../reference/routing-configuration/http/routing/rules-and-priority.md#rules) you define must match requests intended for the `/api` and `/dashboard` paths.
We recommend using either a *Host-based rule* to match all requests on the desired domain or explicitly defining a rule that includes both path prefixes.
Here are some examples:
diff --git a/docs/content/reference/install-configuration/cli-options-list.md b/docs/content/reference/install-configuration/cli-options-list.md
deleted file mode 100644
index e69de29bb..000000000
diff --git a/docs/content/reference/install-configuration/entrypoints.md b/docs/content/reference/install-configuration/entrypoints.md
index 7900fda9e..39d496164 100644
--- a/docs/content/reference/install-configuration/entrypoints.md
+++ b/docs/content/reference/install-configuration/entrypoints.md
@@ -88,8 +88,9 @@ additionalArguments:
| `address` | Define the port, and optionally the hostname, on which to listen for incoming connections and packets. It also defines the protocol to use (TCP or UDP). If no protocol is specified, the default is TCP. The format is:`[host]:port[/tcp\|/udp] | - | Yes |
| `asDefault` | Mark the `entryPoint` to be in the list of default `entryPoints`. `entryPoints`in this list are used (by default) on HTTP and TCP routers that do not define their own `entryPoints` option. More information [here](#asdefault). | false | No |
| `allowACMEByPass` | Enables handling of ACME TLS and HTTP challenges with custom routers instead of the internal ACME router. | false | No |
-| `forwardedHeaders.trustedIPs` | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
-| `forwardedHeaders.insecure` | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`). We recommend to use this option only for tests purposes, not in production. | false | No |
+| `forwardedHeaders.` `connection` | List of Connection headers that are allowed to pass through the middleware chain before being removed. | false | No |
+| `forwardedHeaders.` `insecure` | Set the insecure mode to always trust the forwarded headers information (`X-Forwarded-*`). We recommend to use this option only for tests purposes, not in production. | false | No |
+| `forwardedHeaders.` `trustedIPs` | Set the IPs or CIDR from where Traefik trusts the forwarded headers information (`X-Forwarded-*`). | - | No |
| `forwardedHeaders.` `notAppendXForwardedFor` | When set to `true`, Traefik will not append the client's `RemoteAddr` to the `X-Forwarded-For` header. The existing header is preserved as-is. If no `X-Forwarded-For` header exists, none will be added. | false | No |
| `http.redirections.` `entryPoint.to` | The target element to enable (permanent) redirecting of all incoming requests on an entry point to another one. The target element can be an entry point name (ex: `websecure`), or a port (`:443`). | - | Yes |
| `http.redirections.` `entryPoint.scheme` | The target scheme to use for (permanent) redirection of all incoming requests. | https | No |
@@ -108,19 +109,19 @@ additionalArguments:
| `http.maxHeaderBytes` | Set the maximum size of request headers in bytes. | 1048576 | No |
| `http.middlewares` | Set the list of middlewares that are prepended by default to the list of middlewares of each router associated to the named entry point. More information [here](#httpmiddlewares). | - | No |
| `http.tls` | Enable TLS on every router attached to the `entryPoint`. If no certificate are set, a default self-signed certificate is generated by Traefik. We recommend to not use self signed certificates in production. | - | No |
-| `http.tls.options` | Apply TLS options on every router attached to the `entryPoint`. The TLS options can be overidden per router. More information in the [dedicated section](../../routing/providers/kubernetes-crd.md#kind-tlsoption). | - | No |
-| `http.tls.certResolver` | Apply a certificate resolver on every router attached to the `entryPoint`. The TLS options can be overidden per router. More information in the [dedicated section](../install-configuration/tls/certificate-resolvers/overview.md). | - | No |
-| `http2.maxConcurrentStreams` | Set the number of concurrent streams per connection that each client is allowed to initiate. The value must be greater than zero. | 250 | No |
-| `http2.maxDecoderHeaderTableSize` | Set the maximum size of the decoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain so the client does not need to repeatedly send the same header across requests in the same http2 connection. This value is only a maximum, the other end of the connection can use a lower size. | 4096 | No |
-| `http2.maxEncoderHeaderTableSize` | Set the maximum size of the encoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain when sending headers to the client, allowing the server to reduce the amount of duplicate headers it is sending in responses. This value is only a maximum, the other end of the connection can use a lower size. | 4096 | No |
+| `http.tls.options` | Apply TLS options on every router attached to the `entryPoint`. The TLS options can be overidden per router. More information in the [dedicated section](../../reference/routing-configuration/http/tls/tls-options.md). | - | No |
+| `http.tls.certResolver` | Apply a certificate resolver on every router attached to the `entryPoint`. The TLS options can be overidden per router. More information in the [dedicated section](./tls/certificate-resolvers/overview.md). | - | No |
+| `http2.` `maxConcurrentStreams` | Set the number of concurrent streams per connection that each client is allowed to initiate. The value must be greater than zero. | 250 | No |
+| `http2.` `maxDecoderHeaderTableSize` | Set the maximum size of the decoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain so the client does not need to repeatedly send the same header across requests in the same http2 connection. This value is only a maximum, the other end of the connection can use a lower size. | 4096 | No |
+| `http2.` `maxEncoderHeaderTableSize` | Set the maximum size of the encoder header compression table. This controls the maximum size of the header cache that the server is willing to maintain when sending headers to the client, allowing the server to reduce the amount of duplicate headers it is sending in responses. This value is only a maximum, the other end of the connection can use a lower size. | 4096 | No |
| `http3` | Enable HTTP/3 protocol on the `entryPoint`. HTTP/3 requires a TCP `entryPoint`. as HTTP/3 always starts as a TCP connection that then gets upgraded to UDP. In most scenarios, this `entryPoint` is the same as the one used for TLS traffic. More information [here](#http3). | - | No |
| `http3.advertisedPort` | Set the UDP port to advertise as the HTTP/3 authority. It defaults to the entryPoint's address port. It can be used to override the authority in the `alt-svc` header, for example if the public facing port is different from where Traefik is listening. | - | No |
-| `observability.accessLogs` | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
-| `observability.metrics` | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
-| `observability.tracing` | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
-| `observability.traceVerbosity` | Defines the tracing verbosity level for routers attached to this EntryPoint. Possible values: `minimal` (default), `detailed`. Routers can override this value in their own observability configuration. More information [here](#traceverbosity). | minimal | No |
-| `proxyProtocol.trustedIPs` | Enable PROXY protocol with Trusted IPs. Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. If the PROXY protocol header is passed, then the version is determined automatically. More information [here](#proxyprotocol-and-load-balancers). | - | No |
-| `proxyProtocol.insecure` | Enable PROXY protocol trusting every incoming connection. Every remote client address will be replaced (`trustedIPs`) won't have any effect). Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. If the PROXY protocol header is passed, then the version is determined automatically. We recommend to use this option only for tests purposes, not in production. More information [here](#proxyprotocol-and-load-balancers). | - | No |
+| `observability.` `accessLogs` | Defines whether a router attached to this EntryPoint produces access-logs by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
+| `observability.` `metrics` | Defines whether a router attached to this EntryPoint produces metrics by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
+| `observability.` `tracing` | Defines whether a router attached to this EntryPoint produces traces by default. Nonetheless, a router defining its own observability configuration will opt-out from this default. | true | No |
+| `observability.` `traceVerbosity` | Defines the tracing verbosity level for routers attached to this EntryPoint. Possible values: `minimal` (default), `detailed`. Routers can override this value in their own observability configuration. More information [here](#traceverbosity). | minimal | No |
+| `proxyProtocol.` `trustedIPs` | Enable PROXY protocol with Trusted IPs. Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. If the PROXY protocol header is passed, then the version is determined automatically. More information [here](#proxyprotocol-and-load-balancers). | - | No |
+| `proxyProtocol.` `insecure` | Enable PROXY protocol trusting every incoming connection. Every remote client address will be replaced (`trustedIPs`) won't have any effect). Traefik supports [PROXY protocol](https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt) version 1 and 2. If PROXY protocol header parsing is enabled for the entry point, this entry point can accept connections with or without PROXY protocol headers. If the PROXY protocol header is passed, then the version is determined automatically. We recommend to use this option only for tests purposes, not in production. More information [here](#proxyprotocol-and-load-balancers). | - | No |
| `reusePort` | Enable `entryPoints` from the same or different processes listening on the same TCP/UDP port by utilizing the `SO_REUSEPORT` socket option. It also allows the kernel to act like a load balancer to distribute incoming connections between entry points. More information [here](#reuseport). | false | No |
| `transport.` `respondingTimeouts.` `readTimeout` | Set the timeouts for incoming requests to the Traefik instance. This is the maximum duration for reading the entire request, including the body. Setting them has no effect for UDP `entryPoints`. If zero, no timeout exists. Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits). If no units are provided, the value is parsed assuming seconds. | 60s (seconds) | No |
| `transport.` `respondingTimeouts.` `writeTimeout` | Maximum duration before timing out writes of the response. It covers the time from the end of the request header read to the end of the response write. If zero, no timeout exists. Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits). If no units are provided, the value is parsed assuming seconds. | 0s (seconds) | No |
@@ -195,14 +196,14 @@ entryPoints:
### http.middlewares
-- You can attach a list of [middlewares](../../middlewares/http/overview.md)
+- You can attach a list of [middlewares](../../reference/routing-configuration/http/middlewares/overview.md)
to each entryPoint.
- The middlewares will take effect only if the rule matches, and before forwarding
the request to the service.
- Middlewares are applied in the same order as their declaration.
- Middlewares are applied by default to every router exposed through the EntryPoint
-(the Middlewares declared on the [IngressRoute](../../routing/routers/index.md#middlewares)
-or the [Ingress](../../routing/providers/kubernetes-ingress.md#on-ingress)
+(the Middlewares declared on the [IngressRoute](../../reference/routing-configuration/kubernetes/crd/http/ingressroute.md#middleware)
+or the [Ingress](../../reference/routing-configuration/kubernetes/ingress.md#on-ingress)
are applied after the ones declared on the Entrypoint)
- The option allows attaching a list of middleware using the format
`middlewarename@providername` as described in the example below:
@@ -292,6 +293,105 @@ Here is the list of the encoded characters that are allowed by default:
| `%3f` or `%3F` | `?` (question mark) |
| `%23` | `#` (hash) |
+
+### Forwarded Headers
+
+You can configure Traefik to trust the forwarded headers information (`X-Forwarded-*`).
+
+??? info "`forwardedHeaders.trustedIPs`"
+
+ Trusting Forwarded Headers from specific IPs.
+
+ ```yaml tab="File (YAML)"
+ ## Static configuration
+ entryPoints:
+ web:
+ address: ":80"
+ forwardedHeaders:
+ trustedIPs:
+ - "127.0.0.1/32"
+ - "192.168.1.7"
+ ```
+
+ ```toml tab="File (TOML)"
+ ## Static configuration
+ [entryPoints]
+ [entryPoints.web]
+ address = ":80"
+
+ [entryPoints.web.forwardedHeaders]
+ trustedIPs = ["127.0.0.1/32", "192.168.1.7"]
+ ```
+
+ ```bash tab="CLI"
+ ## Static configuration
+ --entryPoints.web.address=:80
+ --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,192.168.1.7
+ ```
+
+??? info "`forwardedHeaders.insecure`"
+
+ Insecure Mode (Always Trusting Forwarded Headers).
+
+ ```yaml tab="File (YAML)"
+ ## Static configuration
+ entryPoints:
+ web:
+ address: ":80"
+ forwardedHeaders:
+ insecure: true
+ ```
+
+ ```toml tab="File (TOML)"
+ ## Static configuration
+ [entryPoints]
+ [entryPoints.web]
+ address = ":80"
+
+ [entryPoints.web.forwardedHeaders]
+ insecure = true
+ ```
+
+ ```bash tab="CLI"
+ ## Static configuration
+ --entryPoints.web.address=:80
+ --entryPoints.web.forwardedHeaders.insecure
+ ```
+
+??? info "`forwardedHeaders.connection`"
+
+ As per RFC7230, Traefik respects the Connection options from the client request.
+ By doing so, it removes any header field(s) listed in the request Connection header and the Connection header field itself when empty.
+ The removal happens as soon as the request is handled by Traefik,
+ thus the removed headers are not available when the request passes through the middleware chain.
+ The `connection` option lists the Connection headers allowed to passthrough the middleware chain before their removal.
+
+ ```yaml tab="File (YAML)"
+ ## Static configuration
+ entryPoints:
+ web:
+ address: ":80"
+ forwardedHeaders:
+ connection:
+ - foobar
+ ```
+
+ ```toml tab="File (TOML)"
+ ## Static configuration
+ [entryPoints]
+ [entryPoints.web]
+ address = ":80"
+
+ [entryPoints.web.forwardedHeaders]
+ connection = ["foobar"]
+ ```
+
+ ```bash tab="CLI"
+ ## Static configuration
+ --entryPoints.web.address=:80
+ --entryPoints.web.forwardedHeaders.connection=foobar
+ ```
+
### HTTP3
As HTTP/3 actually uses UDP, when Traefik is configured with a TCP `entryPoint`
diff --git a/docs/content/reference/install-configuration/experimental/fastproxy.md b/docs/content/reference/install-configuration/experimental/fastproxy.md
index 20d3d1fa9..885e48f68 100644
--- a/docs/content/reference/install-configuration/experimental/fastproxy.md
+++ b/docs/content/reference/install-configuration/experimental/fastproxy.md
@@ -12,7 +12,7 @@ This guide provides instructions on how to configure and use the new experimenta
!!! info "Limitations"
Please note that the new fast proxy implementation does not work with HTTP/2.
- This means that when a H2C or HTTPS request with [HTTP2 enabled](../../routing-configuration/http/load-balancing/service.md#disablehttp2) is sent to a backend, the fallback proxy is the regular one.
+ This means that when a H2C or HTTPS request with [HTTP2 enabled](../../routing-configuration/http/load-balancing/serverstransport.md#opt-disableHTTP2) is sent to a backend, the fallback proxy is the regular one.
Additionnaly, observability features like tracing and OTEL semconv metrics are not supported for the moment.
diff --git a/docs/content/reference/install-configuration/observability/healthcheck/cli.md b/docs/content/reference/install-configuration/observability/healthcheck/cli.md
deleted file mode 100644
index a68f80d83..000000000
--- a/docs/content/reference/install-configuration/observability/healthcheck/cli.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: "Traefik Health Check CLI Command Documentation"
-description: "In Traefik Proxy, the healthcheck CLI command lets you check the health of your Traefik instances. Read the technical documentation for configuration examples and options."
----
-
-# Healthcheck Command
-
-Checking the Health of your Traefik Instances.
-{: .subtitle }
-
-## Usage
-
-The healthcheck command allows you to make a request to the `/ping` endpoint (defined in the install (static) configuration) to check the health of Traefik. Its exit status is `0` if Traefik is healthy and `1` otherwise.
-
-This can be used with [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) instruction or any other health check orchestration mechanism.
-
-```sh
-traefik healthcheck [command] [flags] [arguments]
-```
-
-Example:
-
-```sh
-$ traefik healthcheck
-OK: http://:8082/ping
-```
-
-The command uses the [ping](./ping.md) endpoint that is defined in the Traefik install (static) configuration.
diff --git a/docs/content/reference/install-configuration/observability/healthcheck/ping.md b/docs/content/reference/install-configuration/observability/healthcheck/ping.md
deleted file mode 100644
index 7b8372129..000000000
--- a/docs/content/reference/install-configuration/observability/healthcheck/ping.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: "Traefik Ping Option Documentation"
-description: "In Traefik Proxy, the option Ping lets you check the health of your Traefik instances. Read the technical documentation for configuration examples and options."
----
-
-# Ping
-
-Checking the Health of your Traefik Instances
-{: .subtitle }
-
-The `ping` options allows you to enable the ping endpoint to check Traefik liveness.
-
-The ping endpoint is reachable using the path `/ping` and the methods `GET`and `HEAD`.
-
-If the Traefik instance is alive, it returns the `200` HTTP code with the content: `OK`.
-
-## Configuration Example
-
-To enable the API handler:
-
-```yaml tab="File (YAML)"
-ping: {}
-```
-
-```toml tab="File (TOML)"
-[ping]
-```
-
-```bash tab="CLI"
---ping=true
-```
-
-## Configuration Options
-
-The `ping` option is defined in the install (static) configuration.
-You can define it using the same [configuration methods](../../boot-environment.md#configuration-methods) as Traefik.
-
-| Field | Description | Default | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
-| `ping.entryPoint` | Enables `/ping` on a dedicated EntryPoint. | traefik | No |
-| `ping.manualRouting` | Disables the default internal router in order to allow one to create a custom router for the `ping@internal` service when set to `true`. | false | No |
-| `ping.terminatingStatusCode` | Defines the status code for the ping handler during a graceful shut down. See more information [here](#terminatingstatuscode) | 503 | No |
-
-### `terminatingStatusCode`
-
-During the period in which Traefik is gracefully shutting down, the ping handler
-returns a `503` status code by default.
-If Traefik is behind, for example a load-balancer
-doing health checks (such as the Kubernetes LivenessProbe), another code might
-be expected as the signal for graceful termination.
-In that case, the terminatingStatusCode can be used to set the code returned by the ping
-handler during termination.
-
-```yaml tab="File (YAML)"
-ping:
- terminatingStatusCode: 204
-```
-
-```toml tab="File (TOML)"
-[ping]
- terminatingStatusCode = 204
-```
-
-```bash tab="CLI"
---ping.terminatingStatusCode=204
-```
diff --git a/docs/content/reference/install-configuration/observability/options-list.md b/docs/content/reference/install-configuration/observability/options-list.md
deleted file mode 100644
index e69de29bb..000000000
diff --git a/docs/content/reference/install-configuration/providers/docker.md b/docs/content/reference/install-configuration/providers/docker.md
index 47354ae91..4f4e8c9de 100644
--- a/docs/content/reference/install-configuration/providers/docker.md
+++ b/docs/content/reference/install-configuration/providers/docker.md
@@ -7,7 +7,7 @@ description: "Learn how to achieve configuration discovery in Traefik through Do
!!! tip "The Quick Start Uses Docker"
- If you have not already read it, maybe you would like to go through the [quick start guide](../../../getting-started/quick-start.md) that uses the Docker provider.
+ If you have not already read it, maybe you would like to go through the [quick start guide](../../../getting-started/index.md) that uses the Docker provider.
## Configuration Example
@@ -51,7 +51,7 @@ services:
| `providers.docker.httpClientTimeout` | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
| `providers.docker.watch` | Instructs Traefik to watch Docker events or not. | True | No |
| `providers.docker.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
-| `providers.docker.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
+| `providers.docker.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../reference/routing-configuration/http/load-balancing/service.md#service-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| `providers.docker.tls.ca` | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle. | "" | No |
| `providers.docker.tls.cert` | Defines the path to the public certificate used for the secure connection to Docker. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.docker.tls.key` | Defines the path to the private key used for the secure connection to Docker. When using this option, setting the `cert` option is required. | "" | Yes |
@@ -331,7 +331,7 @@ providers:
When using Docker as a [provider](./overview.md),
Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#label) to retrieve its routing configuration.
-See the list of labels in the dedicated [routing](../../../routing/providers/docker.md) section.
+See the list of labels in the dedicated [routing](../../../reference/routing-configuration/other-providers/docker.md) section.
### Routing Configuration with Labels
@@ -360,7 +360,7 @@ Port detection for private communication works as follows:
- If a container does not expose any port, or the selection from multiple ports does not fit,
then you must manually specify which port Traefik should use for communication
by using the label `traefik.http.services..loadbalancer.server.port`
- (Read more on this label in the dedicated section in [routing](../../../routing/providers/docker.md#services)).
+ (Read more on this label in the dedicated section in [routing](../../../reference/routing-configuration/other-providers/docker.md#services)).
### Host networking
diff --git a/docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md b/docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md
index e69717389..5104731ca 100644
--- a/docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md
+++ b/docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md
@@ -206,4 +206,4 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/consul-catalog.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/other-providers/consul-catalog.md).
diff --git a/docs/content/reference/install-configuration/providers/hashicorp/consul.md b/docs/content/reference/install-configuration/providers/hashicorp/consul.md
index 1f72646ce..cd6517d16 100644
--- a/docs/content/reference/install-configuration/providers/hashicorp/consul.md
+++ b/docs/content/reference/install-configuration/providers/hashicorp/consul.md
@@ -79,4 +79,4 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/kv.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/other-providers/kv.md).
diff --git a/docs/content/reference/install-configuration/providers/hashicorp/nomad.md b/docs/content/reference/install-configuration/providers/hashicorp/nomad.md
index 29ddc764e..7d5e6cdcd 100644
--- a/docs/content/reference/install-configuration/providers/hashicorp/nomad.md
+++ b/docs/content/reference/install-configuration/providers/hashicorp/nomad.md
@@ -47,7 +47,7 @@ service {
| `providers.nomad.defaultRule` | The Default Host rule for all services. See [here](#defaultrule) for more information | ```"Host(`{{ normalize .Name }}`)"``` | No |
| `providers.nomad.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
| `providers.nomad.exposedByDefault` | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#exposedbydefault-and-traefikenable) for additional information | true | No |
-| `providers.nomad.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
+| `providers.nomad.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../../reference/routing-configuration/http/load-balancing/service.md#service-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| `providers.nomad.prefix` | Defines the prefix for Nomad service tags defining Traefik labels. | `traefik` | yes |
| `providers.nomad.stale` | Instructs Traefik to use stale consistency for Nomad service API reads. See [here](#stale) for more information | false | No |
| `providers.nomad.endpoint.address` | Defines the Address of the Nomad server. | `http://127.0.0.1:4646` | No |
@@ -249,4 +249,4 @@ For additional information, refer to [Restrict the Scope of Service Discovery](.
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/nomad.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/other-providers/nomad.md).
diff --git a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
index 0c8d3ace0..837801d5b 100644
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
@@ -7,7 +7,7 @@ Traefik provides some Kubernetes Custom Resources, such as `IngressRoute`, `Midd
When using KubernetesCRD as a provider,
Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to retrieve its routing configuration.
-Traefik Custom Resource Definitions are [listed below](#list-of-resources).
+Traefik Custom Resource Definitions are [listed below](#routing-configuration).
When Traefik is installed using the Helm Chart, by default, the provider `kubernetesCRD` is enabled.
@@ -59,13 +59,13 @@ providers:
| `providers.kubernetesCRD.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesCRD.certAuthFilePath` | Path to the certificate authority file. Used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesCRD.namespaces` | Array of namespaces to watch. If left empty, watch all namespaces. | [] | No |
-| `providers.kubernetesCRD.labelSelector` | Allow filtering on specific resource objects only using label selectors. Only to Traefik [Custom Resources](#list-of-resources) (they all must match the filter). No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`. See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
+| `providers.kubernetesCRD.labelSelector` | Allow filtering on specific resource objects only using label selectors. Only to Traefik [Custom Resources](#routing-configuration) (they all must match the filter). No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`. See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| `providers.kubernetesCRD.ingressClass` | Value of `spec.ingressClassName` field (or the deprecated `kubernetes.io/ingress.class` annotation) that identifies resource objects to be processed. If empty, resources missing the field/annotation, having an empty value, or the value `traefik` are processed. The `spec.ingressClassName` field takes precedence over the annotation. | "" | No |
| `providers.kubernetesCRD.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration. If empty, every event is caught. | 0s | No |
| `providers.kubernetesCRD.allowEmptyServices` | Allows creating a route to reach a service that has no endpoint available. It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status. | false | No |
| `providers.kubernetesCRD.allowCrossNamespace` | Allows the `IngressRoutes` to reference resources in namespaces other than theirs. | false | No |
| `providers.kubernetesCRD.allowExternalNameServices` | Allows the `IngressRoutes` to reference ExternalName services. | false | No |
-| `providers.kubernetesCRD.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `IngressRoute` by default. It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false | No |
+| `providers.kubernetesCRD.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `IngressRoute` by default. It can be overridden in the [`Service`](../../../../reference/routing-configuration/kubernetes/crd/http/service.md#opt-nativeLB). | false | No |
| `providers.kubernetesCRD.disableClusterScopeResources` | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`). By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources. Furthermore, Traefik will not handle IngressRoutes with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option). This will also prevent from using the `NodePortLB` options on services. | false | No |
### endpoint
@@ -102,9 +102,9 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/kubernetes-crd.md).
+Traefik CRDs are building blocks that you can assemble according to your needs.
-## List of Resources
+The available custom resources are in the table below:
diff --git a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
index b43b2b9fd..a79e2d6fd 100644
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-gateway.md
@@ -16,7 +16,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
!!! info "Using The Helm Chart"
- When using the Traefik [Helm Chart](../../../../getting-started/install-traefik.md#use-the-helm-chart), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
+ When using the Traefik [Helm Chart](../../../../getting-started/kubernetes.md#install-traefik), the CRDs (Custom Resource Definitions) and RBAC (Role-Based Access Control) are automatically managed for you.
The only remaining task is to enable the `kubernetesGateway` in the chart [values](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L323).
## Requirements
@@ -75,7 +75,7 @@ providers:
| `providers.kubernetesGateway.token` | Bearer token used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesGateway.certAuthFilePath` | Path to the certificate authority file. Used for the Kubernetes client configuration. | "" | No |
| `providers.kubernetesGateway.namespaces` | Array of namespaces to watch. If left empty, watch all namespaces. | [] | No |
-| `providers.kubernetesGateway.labelSelector` | Allow filtering on specific resource objects only using label selectors. Only to Traefik [Custom Resources](./kubernetes-crd.md#list-of-resources) (they all must match the filter). No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`. See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
+| `providers.kubernetesGateway.labelSelector` | Allow filtering on specific resource objects only using label selectors. Only to Traefik [Custom Resources](./kubernetes-crd.md#routing-configuration) (they all must match the filter). No effect on Kubernetes `Secrets`, `EndpointSlices` and `Services`. See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details. | "" | No |
| `providers.kubernetesGateway.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration. If empty, every event is caught. | 0s | No |
| `providers.kubernetesGateway.nativeLBByDefault` | Defines whether to use Native Kubernetes load-balancing mode by default. For more information, please check out the `traefik.io/service.nativelb` service annotation documentation. | false | No |
| `providers.kubernetesGateway.` `statusAddress.hostname` | Hostname copied to the Gateway `status.addresses`. | "" | No |
@@ -127,14 +127,14 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/kubernetes-gateway.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/kubernetes/gateway-api.md).
!!! tip "Routing Configuration"
When using the Kubernetes Gateway API provider, Traefik uses the Gateway API
CRDs to retrieve its routing configuration.
Check out the Gateway API concepts [documentation](https://gateway-api.sigs.k8s.io/concepts/api-overview/),
- and the dedicated [routing section](../../../../routing/providers/kubernetes-gateway.md)
+ and the dedicated [routing section](../../../../reference/routing-configuration/kubernetes/gateway-api.md)
in the Traefik documentation.
{% include-markdown "includes/traefik-for-business-applications.md" %}
diff --git a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md
index c601e8166..db5522e7c 100644
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-ingress.md
@@ -61,7 +61,7 @@ which in turn creates the resulting routers, services, handlers, etc.
| `providers.kubernetesIngress.throttleDuration` | Minimum amount of time to wait between two Kubernetes events before producing a new configuration. This prevents a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration. If empty, every event is caught. | 0s | No |
| `providers.kubernetesIngress.allowEmptyServices` | Allows creating a route to reach a service that has no endpoint available. It allows Traefik to handle the requests and responses targeting this service (applying middleware or observability operations) before returning a `503` HTTP Status. | false | No |
| `providers.kubernetesIngress.allowExternalNameServices` | Allows the `Ingress` to reference ExternalName services. | false | No |
-| `providers.kubernetesIngress.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default. It can br overridden in the [`ServerTransport`](../../../../routing/services/index.md#serverstransport). | false | No |
+| `providers.kubernetesIngress.nativeLBByDefault` | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik for every `Ingress` by default. It can be overridden in the [`Service`](../../../../reference/routing-configuration/kubernetes/crd/http/service.md#opt-nativeLB) | false | No |
| `providers.kubernetesIngress.disableClusterScopeResources` | Prevent from discovering cluster scope resources (`IngressClass` and `Nodes`). By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources. Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option). This will also prevent from using the `NodePortLB` options on services. | false | No |
| `providers.kubernetesIngress.strictPrefixMatching` | Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). For example, a PathPrefix of `/foo` will match `/foo`, `/foo/`, and `/foo/bar` but not `/foobar`. | false | No |
@@ -139,7 +139,7 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/kubernetes-ingress.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/kubernetes/ingress.md).
## Further
diff --git a/docs/content/reference/install-configuration/providers/kv/etcd.md b/docs/content/reference/install-configuration/providers/kv/etcd.md
index 9cc848604..ee409315a 100644
--- a/docs/content/reference/install-configuration/providers/kv/etcd.md
+++ b/docs/content/reference/install-configuration/providers/kv/etcd.md
@@ -39,4 +39,4 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/kv.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/other-providers/kv.md).
diff --git a/docs/content/reference/install-configuration/providers/kv/redis.md b/docs/content/reference/install-configuration/providers/kv/redis.md
index ae5f25b18..8209ab09d 100644
--- a/docs/content/reference/install-configuration/providers/kv/redis.md
+++ b/docs/content/reference/install-configuration/providers/kv/redis.md
@@ -48,4 +48,4 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/kv.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/other-providers/kv.md).
diff --git a/docs/content/reference/install-configuration/providers/kv/zk.md b/docs/content/reference/install-configuration/providers/kv/zk.md
index b77e5a23d..646f2b431 100644
--- a/docs/content/reference/install-configuration/providers/kv/zk.md
+++ b/docs/content/reference/install-configuration/providers/kv/zk.md
@@ -39,4 +39,4 @@ providers:
## Routing Configuration
-See the dedicated section in [routing](../../../../routing/providers/kv.md).
+See the dedicated section in [routing](../../../../reference/routing-configuration/other-providers/kv.md).
diff --git a/docs/content/reference/install-configuration/providers/swarm.md b/docs/content/reference/install-configuration/providers/swarm.md
index e1d57e14b..66d404a13 100644
--- a/docs/content/reference/install-configuration/providers/swarm.md
+++ b/docs/content/reference/install-configuration/providers/swarm.md
@@ -9,7 +9,7 @@ This provider works with [Docker Swarm Mode](https://docs.docker.com/engine/swar
!!! tip "The Quick Start Uses Docker"
- If you have not already read it, maybe you would like to go through the [quick start guide](../../../getting-started/quick-start.md) that uses the Docker provider.
+ If you have not already read it, maybe you would like to go through the [quick start guide](../../../getting-started/index.md) that uses the Docker provider.
## Configuration Example
@@ -57,7 +57,7 @@ services:
| `providers.swarm.httpClientTimeout` | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. | 0 | No |
| `providers.swarm.watch` | Instructs Traefik to watch Docker events or not. | True | No |
| `providers.swarm.constraints` | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information. | "" | No |
-| `providers.swarm.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
+| `providers.swarm.allowEmptyServices` | Instructs the provider to create any [servers load balancer](../../../reference/routing-configuration/http/load-balancing/service.md#service-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. | false | No |
| `providers.swarm.tls.ca` | Defines the path to the certificate authority used for the secure connection to Docker, it defaults to the system bundle. | "" | No |
| `providers.swarm.tls.cert` | Defines the path to the public certificate used for the secure connection to Docker. When using this option, setting the `key` option is required. | "" | Yes |
| `providers.swarm.tls.key` | Defines the path to the private key used for the secure connection to Docker. When using this option, setting the `cert` option is required. | "" | Yes |
@@ -337,7 +337,7 @@ providers:
When using Docker as a [provider](./overview.md),
Traefik uses [container labels](https://docs.docker.com/engine/reference/commandline/run/#label) to retrieve its routing configuration.
-See the list of labels in the dedicated [routing](../../../routing/providers/docker.md) section.
+See the list of labels in the dedicated [routing](../../../reference/routing-configuration/other-providers/docker.md) section.
### Routing Configuration with Labels
@@ -367,7 +367,7 @@ Traefik retrieves the private IP and port of containers from the Docker API.
Docker Swarm does not provide any port detection information to Traefik.
Therefore, you **must** specify the port to use for communication by using the label `traefik.http.services..loadbalancer.server.port`
-(Check the reference for this label in the [routing section for Swarm](../../../routing/providers/swarm.md#services)).
+(Check the reference for this label in the [routing section for Swarm](../../../reference/routing-configuration/other-providers/swarm.md#services)).
### Host networking
diff --git a/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md b/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
index 79f5abfe0..5cffbfd87 100644
--- a/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
+++ b/docs/content/reference/install-configuration/tls/certificate-resolvers/acme.md
@@ -140,7 +140,7 @@ with instructions about which environment variables need to be setup.
Multiple DNS challenge provider are not supported with Traefik, but you can use CNAME to handle that.
For example, if you have `example.org` (account foo) and `example.com` (account bar) you can create a CNAME on `example.org` called `_acme-challenge.example.org` pointing to `challenge.example.com`.
- This way, you can obtain certificates for `example.com` with the foo account.
+ This way, you can obtain certificates for `example.org` with the bar account.
??? info "`delayBeforeCheck`"
By default, the `provider` verifies the TXT record _before_ letting ACME verify.
diff --git a/docs/content/reference/install-configuration/tls/certificate-resolvers/tailscale.md b/docs/content/reference/install-configuration/tls/certificate-resolvers/tailscale.md
index 747805c1b..f6fdfe718 100644
--- a/docs/content/reference/install-configuration/tls/certificate-resolvers/tailscale.md
+++ b/docs/content/reference/install-configuration/tls/certificate-resolvers/tailscale.md
@@ -163,7 +163,7 @@ a Tailscale certificate resolver needs to be configured as below.
!!! info "Referencing a certificate resolver"
Defining a certificate resolver does not imply that routers are going to use it automatically.
- Each router or entrypoint that is meant to use the resolver must explicitly [reference](../../../../routing/routers/index.md#certresolver) it.
+ Each router or entrypoint that is meant to use the resolver must explicitly [reference](../../../routing-configuration/http/routing/router.md#opt-tls-certResolver) it.
## Domain Definition
diff --git a/docs/content/reference/routing-configuration/http/middlewares/errorpages.md b/docs/content/reference/routing-configuration/http/middlewares/errorpages.md
index 7e17d480b..9f95b0acd 100644
--- a/docs/content/reference/routing-configuration/http/middlewares/errorpages.md
+++ b/docs/content/reference/routing-configuration/http/middlewares/errorpages.md
@@ -104,7 +104,7 @@ spec:
By default, the client `Host` header value is forwarded to the configured error service.
To forward the `Host` value corresponding to the configured error service URL,
-the [`passHostHeader`](../../../../routing/services/index.md#pass-host-header) option must be set to `false`.
+the [`passHostHeader`](../load-balancing/service.md#opt-passHostHeader) option must be set to `false`.
!!!info "Kubernetes"
When specifying a service in Kubernetes (e.g., in an IngressRoute), you need to reference the `name`, `namespace`, and `port` of your Kubernetes Service resource. For example, `my-service.my-namespace@kubernetescrd` (or `my-service.my-namespace@kubernetescrd:80`) ensures that requests go to the correct service and port.
diff --git a/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md b/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
index a89655859..94ea3a2ff 100644
--- a/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
+++ b/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
@@ -25,7 +25,7 @@ which may lead to duplicated routers if you are also using the standard Kubernet
**Best Practices:**
- Use IngressClass to specify which Ingresses should be handled by this provider
-- Configure `watchNamespace` to limit discovery to specific namespaces
+- Configure `watchNamespace` to limit discovery to a single namespace
- Use `watchNamespaceSelector` to target Ingresses based on namespace labels
## Routing Configuration
diff --git a/docs/content/reference/routing-configuration/kubernetes/ingress.md b/docs/content/reference/routing-configuration/kubernetes/ingress.md
index b13d9b617..dd7c4f22c 100644
--- a/docs/content/reference/routing-configuration/kubernetes/ingress.md
+++ b/docs/content/reference/routing-configuration/kubernetes/ingress.md
@@ -51,210 +51,39 @@ spec:
### On Ingress
-??? info "`traefik.ingress.kubernetes.io/router.entrypoints`"
-
- See [entry points](../../install-configuration/entrypoints.md) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.entrypoints: ep1,ep2
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.middlewares`"
-
- See [middlewares overview](../http/middlewares/overview.md) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.middlewares: auth@file,default-prefix@kubernetescrd
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.priority`"
-
- See [priority](../http/routing/rules-and-priority.md#priority-calculation) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.priority: "42"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.rulesyntax`"
-
- !!! warning
-
- RuleSyntax option is deprecated and will be removed in the next major version.
- Please do not use this field and rewrite the router rules to use the v3 syntax.
-
- See [rule syntax](../http/routing/rules-and-priority.md#rulesyntax) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.rulesyntax: "v2"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.pathmatcher`"
-
- Overrides the default router rule type used for a path.
- Only path-related matcher name should be specified: `Path`, `PathPrefix` or `PathRegexp`.
-
- Default `PathPrefix`
-
- ```yaml
- traefik.ingress.kubernetes.io/router.pathmatcher: Path
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.tls`"
-
-
-
- ```yaml
- traefik.ingress.kubernetes.io/router.tls: "true"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.tls.certresolver`"
-
-
-
- ```yaml
- traefik.ingress.kubernetes.io/router.tls.certresolver: myresolver
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.tls.domains.n.main`"
-
-
-
- ```yaml
- traefik.ingress.kubernetes.io/router.tls.domains.0.main: example.org
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.tls.domains.n.sans`"
-
-
-
- ```yaml
- traefik.ingress.kubernetes.io/router.tls.domains.0.sans: test.example.org,dev.example.org
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.tls.options`"
-
- See [options](../kubernetes/crd/tls/tlsoption.md) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.tls.options: foobar@file
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.observability.accesslogs`"
-
- See [here](../http/routing/observability.md) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.observability.accesslogs: true
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.observability.metrics`"
-
- See [here](../http/routing/observability.md) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.observability.metrics: true
- ```
-
-??? info "`traefik.ingress.kubernetes.io/router.observability.tracing`"
-
- See [here](../http/routing/observability.md) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/router.observability.tracing: true
- ```
+| Annotation | Description | Value |
+|------------|-------------|-------|
+| `traefik.ingress.kubernetes.io/router.entrypoints` | See [entry points](../../install-configuration/entrypoints.md) for more information. | `ep1,ep2` |
+| `traefik.ingress.kubernetes.io/router.middlewares` | See [middlewares overview](../http/middlewares/overview.md) for more information. | `auth@file,default-prefix@kubernetescrd` |
+| `traefik.ingress.kubernetes.io/router.priority` | See [priority](../http/routing/rules-and-priority.md#priority-calculation) for more information. | `"42"` |
+| `traefik.ingress.kubernetes.io/router.rulesyntax` | See [rule syntax](../http/routing/rules-and-priority.md#rulesyntax) for more information. **Deprecated:** RuleSyntax option is deprecated and will be removed in the next major version. Please do not use this field and rewrite the router rules to use the v3 syntax. | `"v2"` |
+| `traefik.ingress.kubernetes.io/router.pathmatcher` | Overrides the default router rule type used for a path. Only path-related matcher name should be specified: `Path`, `PathPrefix` or `PathRegexp`. Default: `PathPrefix` | `Path` |
+| `traefik.ingress.kubernetes.io/router.tls` | Enables TLS for the router. | `"true"` |
+| `traefik.ingress.kubernetes.io/router.tls.certresolver` | Specifies the certificate resolver to use for TLS certificates. | `myresolver` |
+| `traefik.ingress.kubernetes.io/router.tls.domains.n.main` | Defines the main domain for TLS certificate (where n is the domain index). | `example.org` |
+| `traefik.ingress.kubernetes.io/router.tls.domains.n.sans` | Defines the Subject Alternative Names (SANs) for TLS certificate (where n is the domain index). | `test.example.org,dev.example.org` |
+| `traefik.ingress.kubernetes.io/router.tls.options` | See [TLS options](../kubernetes/crd/tls/tlsoption.md) for more information. | `foobar@file` |
+| `traefik.ingress.kubernetes.io/router.observability.accesslogs` | Controls whether the router produces access logs. See [observability](../http/routing/observability.md) for more information. | `true` |
+| `traefik.ingress.kubernetes.io/router.observability.metrics` | Controls whether the router produces metrics. See [observability](../http/routing/observability.md) for more information. | `true` |
+| `traefik.ingress.kubernetes.io/router.observability.tracing` | Controls whether the router produces traces. See [observability](../http/routing/observability.md) for more information. | `true` |
### On Service
-??? info "`traefik.ingress.kubernetes.io/service.nativelb`"
-
- Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
- The Kubernetes Service itself does load-balance to the pods.
- Please note that, by default, Traefik reuses the established connections to the backends for performance purposes. This can prevent the requests load balancing between the replicas from behaving as one would expect when the option is set.
- By default, NativeLB is false.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.nativelb: "true"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.nodeportlb`"
-
- Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.
- It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.
- By default, NodePortLB is false.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.nodeportlb: "true"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.serversscheme`"
-
- Overrides the default scheme.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.serversscheme: h2c
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.serverstransport`"
-
- See [ServersTransport](../kubernetes/crd/http/serverstransport.md) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.serverstransport: foobar@file
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.passhostheader`"
-
- ```yaml
- traefik.ingress.kubernetes.io/service.passhostheader: "true"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie`"
-
- See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.name`"
-
- See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.sticky.cookie.name: foobar
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.secure`"
-
- See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.samesite`"
-
- See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.sticky.cookie.samesite: "none"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.httponly`"
-
- See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true"
- ```
-
-??? info "`traefik.ingress.kubernetes.io/service.sticky.cookie.maxage`"
-
- See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information.
-
- ```yaml
- traefik.ingress.kubernetes.io/service.sticky.cookie.maxage: 42
- ```
+| Annotation | Description | Value |
+|------------|-------------|-------|
+| `traefik.ingress.kubernetes.io/service.nativelb` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. The Kubernetes Service itself does load-balance to the pods. Please note that, by default, Traefik reuses the established connections to the backends for performance purposes. This can prevent the requests load balancing between the replicas from behaving as one would expect when the option is set. Default: `false` | `"true"` |
+| `traefik.ingress.kubernetes.io/service.nodeportlb` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. Default: `false` | `"true"` |
+| `traefik.ingress.kubernetes.io/service.serversscheme` | Overrides the default scheme. | `h2c` |
+| `traefik.ingress.kubernetes.io/service.serverstransport` | See [ServersTransport](../kubernetes/crd/http/serverstransport.md) for more information. | `foobar@file` |
+| `traefik.ingress.kubernetes.io/service.passhostheader` | Controls whether to forward the Host header to the backend. | `"true"` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie` | Enables sticky sessions using cookies. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `"true"` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie.name` | Defines the cookie name for sticky sessions. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `foobar` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie.secure` | Sets the Secure flag on the sticky session cookie. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `"true"` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie.samesite` | Sets the SameSite attribute on the sticky session cookie. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `"none"` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie.domain` | Sets the Domain attribute on the sticky session cookie, defining the host to which the cookie will be sent. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `"foo.com"` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie.httponly` | Sets the HttpOnly flag on the sticky session cookie. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `"true"` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie.maxage` | Sets the Max-Age attribute (in seconds) on the sticky session cookie. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `42` |
+| `traefik.ingress.kubernetes.io/service.sticky.cookie.path` | Sets the Path attribute on the sticky session cookie, defining the path that must exist in the requested URL. See [sticky sessions](../kubernetes/crd/http/traefikservice.md#stickiness-on-multiple-levels) for more information. | `/foobar` |
## TLS
diff --git a/docs/content/reference/routing-configuration/other-providers/docker.md b/docs/content/reference/routing-configuration/other-providers/docker.md
index 6b9953b00..091604982 100644
--- a/docs/content/reference/routing-configuration/other-providers/docker.md
+++ b/docs/content/reference/routing-configuration/other-providers/docker.md
@@ -100,7 +100,7 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
#### Service definition
---8<-- "content/routing/providers/service-by-label.md"
+{% include-markdown "includes/service-by-label.md" %}
??? example "Automatic assignment with one Service"
diff --git a/docs/content/reference/routing-configuration/other-providers/swarm.md b/docs/content/reference/routing-configuration/other-providers/swarm.md
index a49e6c861..0869cb622 100644
--- a/docs/content/reference/routing-configuration/other-providers/swarm.md
+++ b/docs/content/reference/routing-configuration/other-providers/swarm.md
@@ -123,7 +123,7 @@ and the router automatically gets a rule defined by `defaultRule` (if no rule fo
#### Service definition
---8<-- "content/routing/providers/service-by-label.md"
+{% include-markdown "includes/service-by-label.md" %}
??? example "Automatic service assignment with labels"
diff --git a/docs/content/reference/static-configuration/cli-ref.md b/docs/content/reference/static-configuration/cli-ref.md
deleted file mode 100644
index 43c2dd537..000000000
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ /dev/null
@@ -1,1450 +0,0 @@
-
-
-`--accesslog`:
-Access log settings. (Default: ```false```)
-
-`--accesslog.addinternals`:
-Enables access log for internal services (ping, dashboard, etc...). (Default: ```false```)
-
-`--accesslog.bufferingsize`:
-Number of access log lines to process in a buffered way. (Default: ```0```)
-
-`--accesslog.fields.defaultmode`:
-Default mode for fields: keep | drop (Default: ```keep```)
-
-`--accesslog.fields.headers.defaultmode`:
-Default mode for fields: keep | drop | redact (Default: ```drop```)
-
-`--accesslog.fields.headers.names.`:
-Override mode for headers
-
-`--accesslog.fields.names.`:
-Override mode for fields
-
-`--accesslog.filepath`:
-Access log file path. Stdout is used when omitted or empty.
-
-`--accesslog.filters.minduration`:
-Keep access logs when request took longer than the specified duration. (Default: ```0```)
-
-`--accesslog.filters.retryattempts`:
-Keep access logs when at least one retry happened. (Default: ```false```)
-
-`--accesslog.filters.statuscodes`:
-Keep access logs with status codes in the specified range.
-
-`--accesslog.format`:
-Access log format: json | common (Default: ```common```)
-
-`--accesslog.otlp`:
-Settings for OpenTelemetry. (Default: ```false```)
-
-`--accesslog.otlp.grpc`:
-gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--accesslog.otlp.grpc.endpoint`:
-Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
-
-`--accesslog.otlp.grpc.headers.`:
-Headers sent with payload.
-
-`--accesslog.otlp.grpc.insecure`:
-Disables client transport security for the exporter. (Default: ```false```)
-
-`--accesslog.otlp.grpc.tls.ca`:
-TLS CA
-
-`--accesslog.otlp.grpc.tls.cert`:
-TLS cert
-
-`--accesslog.otlp.grpc.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--accesslog.otlp.grpc.tls.key`:
-TLS key
-
-`--accesslog.otlp.http`:
-HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--accesslog.otlp.http.endpoint`:
-Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
-
-`--accesslog.otlp.http.headers.`:
-Headers sent with payload.
-
-`--accesslog.otlp.http.tls.ca`:
-TLS CA
-
-`--accesslog.otlp.http.tls.cert`:
-TLS cert
-
-`--accesslog.otlp.http.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--accesslog.otlp.http.tls.key`:
-TLS key
-
-`--accesslog.otlp.resourceattributes.`:
-Defines additional resource attributes (key:value).
-
-`--accesslog.otlp.servicename`:
-Defines the service name resource attribute. (Default: ```traefik```)
-
-`--api`:
-Enable api/dashboard. (Default: ```false```)
-
-`--api.basepath`:
-Defines the base path where the API and Dashboard will be exposed. (Default: ```/```)
-
-`--api.dashboard`:
-Activate dashboard. (Default: ```true```)
-
-`--api.debug`:
-Enable additional endpoints for debugging and profiling. (Default: ```false```)
-
-`--api.disabledashboardad`:
-Disable ad in the dashboard. (Default: ```false```)
-
-`--api.insecure`:
-Activate API directly on the entryPoint named traefik. (Default: ```false```)
-
-`--certificatesresolvers.`:
-Certificates resolvers configuration. (Default: ```false```)
-
-`--certificatesresolvers..acme.cacertificates`:
-Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-`--certificatesresolvers..acme.caserver`:
-CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
-
-`--certificatesresolvers..acme.caservername`:
-Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-`--certificatesresolvers..acme.casystemcertpool`:
-Define if the certificates pool must use a copy of the system cert pool. (Default: ```false```)
-
-`--certificatesresolvers..acme.certificatesduration`:
-Certificates' duration in hours. (Default: ```2160```)
-
-`--certificatesresolvers..acme.clientresponseheadertimeout`:
-Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
-
-`--certificatesresolvers..acme.clienttimeout`:
-Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
-
-`--certificatesresolvers..acme.disablecommonname`:
-Disable the common name in the CSR. (Default: ```false```)
-
-`--certificatesresolvers..acme.dnschallenge`:
-Activate DNS-01 Challenge. (Default: ```false```)
-
-`--certificatesresolvers..acme.dnschallenge.delaybeforecheck`:
-(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
-
-`--certificatesresolvers..acme.dnschallenge.disablepropagationcheck`:
-(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
-
-`--certificatesresolvers..acme.dnschallenge.propagation`:
-DNS propagation checks configuration (Default: ```false```)
-
-`--certificatesresolvers..acme.dnschallenge.propagation.delaybeforechecks`:
-Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
-
-`--certificatesresolvers..acme.dnschallenge.propagation.disableanschecks`:
-Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
-
-`--certificatesresolvers..acme.dnschallenge.propagation.disablechecks`:
-Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
-
-`--certificatesresolvers..acme.dnschallenge.propagation.requireallrns`:
-Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)
-
-`--certificatesresolvers..acme.dnschallenge.provider`:
-Use a DNS-01 based challenge provider rather than HTTPS.
-
-`--certificatesresolvers..acme.dnschallenge.resolvers`:
-Use following DNS servers to resolve the FQDN authority.
-
-`--certificatesresolvers..acme.eab.hmacencoded`:
-Base64 encoded HMAC key from External CA.
-
-`--certificatesresolvers..acme.eab.kid`:
-Key identifier from External CA.
-
-`--certificatesresolvers..acme.email`:
-Email address used for registration.
-
-`--certificatesresolvers..acme.emailaddresses`:
-CSR email addresses to use.
-
-`--certificatesresolvers..acme.httpchallenge`:
-Activate HTTP-01 Challenge. (Default: ```false```)
-
-`--certificatesresolvers..acme.httpchallenge.delay`:
-Delay between the creation of the challenge and the validation. (Default: ```0```)
-
-`--certificatesresolvers..acme.httpchallenge.entrypoint`:
-HTTP challenge EntryPoint
-
-`--certificatesresolvers..acme.keytype`:
-KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
-
-`--certificatesresolvers..acme.preferredchain`:
-Preferred chain to use.
-
-`--certificatesresolvers..acme.profile`:
-Certificate profile to use.
-
-`--certificatesresolvers..acme.storage`:
-Storage to use. (Default: ```acme.json```)
-
-`--certificatesresolvers..acme.tlschallenge`:
-Activate TLS-ALPN-01 Challenge. (Default: ```false```)
-
-`--certificatesresolvers..acme.tlschallenge.delay`:
-Delay between the creation of the challenge and the validation. (Default: ```0```)
-
-`--certificatesresolvers..tailscale`:
-Enables Tailscale certificate resolution. (Default: ```true```)
-
-`--core.defaultrulesyntax`:
-Defines the rule parser default syntax (v2 or v3) (Default: ```v3```)
-
-`--entrypoints.`:
-Entry points definition. (Default: ```false```)
-
-`--entrypoints..address`:
-Entry point address.
-
-`--entrypoints..allowacmebypass`:
-Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
-
-`--entrypoints..asdefault`:
-Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
-
-`--entrypoints..forwardedheaders.connection`:
-List of Connection headers that are allowed to pass through the middleware chain before being removed.
-
-`--entrypoints..forwardedheaders.insecure`:
-Trust all forwarded headers. (Default: ```false```)
-
-`--entrypoints..forwardedheaders.trustedips`:
-Trust only forwarded headers from selected IPs.
-
-`--entrypoints..http`:
-HTTP configuration.
-
-`--entrypoints..http.encodedcharacters.allowencodedbackslash`:
-Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```true```)
-
-`--entrypoints..http.encodedcharacters.allowencodedhash`:
-Defines whether requests with encoded hash characters in the path are allowed. (Default: ```true```)
-
-`--entrypoints..http.encodedcharacters.allowencodednullcharacter`:
-Defines whether requests with encoded null characters in the path are allowed. (Default: ```true```)
-
-`--entrypoints..http.encodedcharacters.allowencodedpercent`:
-Defines whether requests with encoded percent characters in the path are allowed. (Default: ```true```)
-
-`--entrypoints..http.encodedcharacters.allowencodedquestionmark`:
-Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```true```)
-
-`--entrypoints..http.encodedcharacters.allowencodedsemicolon`:
-Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```true```)
-
-`--entrypoints..http.encodedcharacters.allowencodedslash`:
-Defines whether requests with encoded slash characters in the path are allowed. (Default: ```true```)
-
-`--entrypoints..http.encodequerysemicolons`:
-Defines whether request query semicolons should be URLEncoded. (Default: ```false```)
-
-`--entrypoints..http.maxheaderbytes`:
-Maximum size of request headers in bytes. (Default: ```1048576```)
-
-`--entrypoints..http.middlewares`:
-Default middlewares for the routers linked to the entry point.
-
-`--entrypoints..http.redirections.entrypoint.permanent`:
-Applies a permanent redirection. (Default: ```true```)
-
-`--entrypoints..http.redirections.entrypoint.priority`:
-Priority of the generated router. (Default: ```9223372036854775806```)
-
-`--entrypoints..http.redirections.entrypoint.scheme`:
-Scheme used for the redirection. (Default: ```https```)
-
-`--entrypoints..http.redirections.entrypoint.to`:
-Targeted entry point of the redirection.
-
-`--entrypoints..http.sanitizepath`:
-Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences). (Default: ```true```)
-
-`--entrypoints..http.tls`:
-Default TLS configuration for the routers linked to the entry point. (Default: ```false```)
-
-`--entrypoints..http.tls.certresolver`:
-Default certificate resolver for the routers linked to the entry point.
-
-`--entrypoints..http.tls.domains`:
-Default TLS domains for the routers linked to the entry point.
-
-`--entrypoints..http.tls.domains[n].main`:
-Default subject name.
-
-`--entrypoints..http.tls.domains[n].sans`:
-Subject alternative names.
-
-`--entrypoints..http.tls.options`:
-Default TLS options for the routers linked to the entry point.
-
-`--entrypoints..http2.maxconcurrentstreams`:
-Specifies the number of concurrent streams per connection that each client is allowed to initiate. (Default: ```250```)
-
-`--entrypoints..http3`:
-HTTP/3 configuration. (Default: ```false```)
-
-`--entrypoints..http3.advertisedport`:
-UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
-
-`--entrypoints..observability.accesslogs`:
-Enables access-logs for this entryPoint. (Default: ```true```)
-
-`--entrypoints..observability.metrics`:
-Enables metrics for this entryPoint. (Default: ```true```)
-
-`--entrypoints..observability.traceverbosity`:
-Defines the tracing verbosity level for this entryPoint. (Default: ```minimal```)
-
-`--entrypoints..observability.tracing`:
-Enables tracing for this entryPoint. (Default: ```true```)
-
-`--entrypoints..proxyprotocol`:
-Proxy-Protocol configuration. (Default: ```false```)
-
-`--entrypoints..proxyprotocol.insecure`:
-Trust all. (Default: ```false```)
-
-`--entrypoints..proxyprotocol.trustedips`:
-Trust only selected IPs.
-
-`--entrypoints..reuseport`:
-Enables EntryPoints from the same or different processes listening on the same TCP/UDP port. (Default: ```false```)
-
-`--entrypoints..transport.keepalivemaxrequests`:
-Maximum number of requests before closing a keep-alive connection. (Default: ```0```)
-
-`--entrypoints..transport.keepalivemaxtime`:
-Maximum duration before closing a keep-alive connection. (Default: ```0```)
-
-`--entrypoints..transport.lifecycle.gracetimeout`:
-Duration to give active requests a chance to finish before Traefik stops. (Default: ```10```)
-
-`--entrypoints..transport.lifecycle.requestacceptgracetimeout`:
-Duration to keep accepting requests before Traefik initiates the graceful shutdown procedure. (Default: ```0```)
-
-`--entrypoints..transport.respondingtimeouts.idletimeout`:
-IdleTimeout is the maximum amount duration an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout is set. (Default: ```180```)
-
-`--entrypoints..transport.respondingtimeouts.readtimeout`:
-ReadTimeout is the maximum duration for reading the entire request, including the body. If zero, no timeout is set. (Default: ```60```)
-
-`--entrypoints..transport.respondingtimeouts.writetimeout`:
-WriteTimeout is the maximum duration before timing out writes of the response. If zero, no timeout is set. (Default: ```0```)
-
-`--entrypoints..udp.timeout`:
-Timeout defines how long to wait on an idle session before releasing the related resources. (Default: ```3```)
-
-`--experimental.abortonpluginfailure`:
-Defines whether all plugins must be loaded successfully for Traefik to start. (Default: ```false```)
-
-`--experimental.fastproxy`:
-Enables the FastProxy implementation. (Default: ```false```)
-
-`--experimental.fastproxy.debug`:
-Enable debug mode for the FastProxy implementation. (Default: ```false```)
-
-`--experimental.kubernetesgateway`:
-(Deprecated) Allow the Kubernetes gateway api provider usage. (Default: ```false```)
-
-`--experimental.kubernetesingressnginx`:
-Allow the Kubernetes Ingress NGINX provider usage. (Default: ```false```)
-
-`--experimental.localplugins.`:
-Local plugins configuration. (Default: ```false```)
-
-`--experimental.localplugins..modulename`:
-Plugin's module name.
-
-`--experimental.localplugins..settings`:
-Plugin's settings (works only for wasm plugins).
-
-`--experimental.localplugins..settings.envs`:
-Environment variables to forward to the wasm guest.
-
-`--experimental.localplugins..settings.mounts`:
-Directory to mount to the wasm guest.
-
-`--experimental.localplugins..settings.useunsafe`:
-Allow the plugin to use unsafe and syscall packages. (Default: ```false```)
-
-`--experimental.otlplogs`:
-Enables the OpenTelemetry logs integration. (Default: ```false```)
-
-`--experimental.plugins..modulename`:
-plugin's module name.
-
-`--experimental.plugins..settings`:
-Plugin's settings (works only for wasm plugins).
-
-`--experimental.plugins..settings.envs`:
-Environment variables to forward to the wasm guest.
-
-`--experimental.plugins..settings.mounts`:
-Directory to mount to the wasm guest.
-
-`--experimental.plugins..settings.useunsafe`:
-Allow the plugin to use unsafe and syscall packages. (Default: ```false```)
-
-`--experimental.plugins..version`:
-plugin's version.
-
-`--global.checknewversion`:
-Periodically check if a new version has been released. (Default: ```true```)
-
-`--global.sendanonymoususage`:
-Periodically send anonymous usage statistics. If the option is not specified, it will be disabled by default. (Default: ```false```)
-
-`--hostresolver`:
-Enable CNAME Flattening. (Default: ```false```)
-
-`--hostresolver.cnameflattening`:
-A flag to enable/disable CNAME flattening (Default: ```false```)
-
-`--hostresolver.resolvconfig`:
-resolv.conf used for DNS resolving (Default: ```/etc/resolv.conf```)
-
-`--hostresolver.resolvdepth`:
-The maximal depth of DNS recursive resolving (Default: ```5```)
-
-`--log`:
-Traefik log settings. (Default: ```false```)
-
-`--log.compress`:
-Determines if the rotated log files should be compressed using gzip. (Default: ```false```)
-
-`--log.filepath`:
-Traefik log file path. Stdout is used when omitted or empty.
-
-`--log.format`:
-Traefik log format: json | common (Default: ```common```)
-
-`--log.level`:
-Log level set to traefik logs. (Default: ```ERROR```)
-
-`--log.maxage`:
-Maximum number of days to retain old log files based on the timestamp encoded in their filename. (Default: ```0```)
-
-`--log.maxbackups`:
-Maximum number of old log files to retain. (Default: ```0```)
-
-`--log.maxsize`:
-Maximum size in megabytes of the log file before it gets rotated. (Default: ```0```)
-
-`--log.nocolor`:
-When using the 'common' format, disables the colorized output. (Default: ```false```)
-
-`--log.otlp`:
-Settings for OpenTelemetry. (Default: ```false```)
-
-`--log.otlp.grpc`:
-gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--log.otlp.grpc.endpoint`:
-Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
-
-`--log.otlp.grpc.headers.`:
-Headers sent with payload.
-
-`--log.otlp.grpc.insecure`:
-Disables client transport security for the exporter. (Default: ```false```)
-
-`--log.otlp.grpc.tls.ca`:
-TLS CA
-
-`--log.otlp.grpc.tls.cert`:
-TLS cert
-
-`--log.otlp.grpc.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--log.otlp.grpc.tls.key`:
-TLS key
-
-`--log.otlp.http`:
-HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--log.otlp.http.endpoint`:
-Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
-
-`--log.otlp.http.headers.`:
-Headers sent with payload.
-
-`--log.otlp.http.tls.ca`:
-TLS CA
-
-`--log.otlp.http.tls.cert`:
-TLS cert
-
-`--log.otlp.http.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--log.otlp.http.tls.key`:
-TLS key
-
-`--log.otlp.resourceattributes.`:
-Defines additional resource attributes (key:value).
-
-`--log.otlp.servicename`:
-Defines the service name resource attribute. (Default: ```traefik```)
-
-`--metrics.addinternals`:
-Enables metrics for internal services (ping, dashboard, etc...). (Default: ```false```)
-
-`--metrics.datadog`:
-Datadog metrics exporter type. (Default: ```false```)
-
-`--metrics.datadog.addentrypointslabels`:
-Enable metrics on entry points. (Default: ```true```)
-
-`--metrics.datadog.address`:
-Datadog's address. (Default: ```localhost:8125```)
-
-`--metrics.datadog.addrouterslabels`:
-Enable metrics on routers. (Default: ```false```)
-
-`--metrics.datadog.addserviceslabels`:
-Enable metrics on services. (Default: ```true```)
-
-`--metrics.datadog.prefix`:
-Prefix to use for metrics collection. (Default: ```traefik```)
-
-`--metrics.datadog.pushinterval`:
-Datadog push interval. (Default: ```10```)
-
-`--metrics.influxdb2`:
-InfluxDB v2 metrics exporter type. (Default: ```false```)
-
-`--metrics.influxdb2.addentrypointslabels`:
-Enable metrics on entry points. (Default: ```true```)
-
-`--metrics.influxdb2.additionallabels.`:
-Additional labels (influxdb tags) on all metrics
-
-`--metrics.influxdb2.address`:
-InfluxDB v2 address. (Default: ```http://localhost:8086```)
-
-`--metrics.influxdb2.addrouterslabels`:
-Enable metrics on routers. (Default: ```false```)
-
-`--metrics.influxdb2.addserviceslabels`:
-Enable metrics on services. (Default: ```true```)
-
-`--metrics.influxdb2.bucket`:
-InfluxDB v2 bucket ID.
-
-`--metrics.influxdb2.org`:
-InfluxDB v2 org ID.
-
-`--metrics.influxdb2.pushinterval`:
-InfluxDB v2 push interval. (Default: ```10```)
-
-`--metrics.influxdb2.token`:
-InfluxDB v2 access token.
-
-`--metrics.otlp`:
-OpenTelemetry metrics exporter type. (Default: ```false```)
-
-`--metrics.otlp.addentrypointslabels`:
-Enable metrics on entry points. (Default: ```true```)
-
-`--metrics.otlp.addrouterslabels`:
-Enable metrics on routers. (Default: ```false```)
-
-`--metrics.otlp.addserviceslabels`:
-Enable metrics on services. (Default: ```true```)
-
-`--metrics.otlp.explicitboundaries`:
-Boundaries for latency metrics. (Default: ```0.005000, 0.010000, 0.025000, 0.050000, 0.075000, 0.100000, 0.250000, 0.500000, 0.750000, 1.000000, 2.500000, 5.000000, 7.500000, 10.000000```)
-
-`--metrics.otlp.grpc`:
-gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--metrics.otlp.grpc.endpoint`:
-Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
-
-`--metrics.otlp.grpc.headers.`:
-Headers sent with payload.
-
-`--metrics.otlp.grpc.insecure`:
-Disables client transport security for the exporter. (Default: ```false```)
-
-`--metrics.otlp.grpc.tls.ca`:
-TLS CA
-
-`--metrics.otlp.grpc.tls.cert`:
-TLS cert
-
-`--metrics.otlp.grpc.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--metrics.otlp.grpc.tls.key`:
-TLS key
-
-`--metrics.otlp.http`:
-HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--metrics.otlp.http.endpoint`:
-Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
-
-`--metrics.otlp.http.headers.`:
-Headers sent with payload.
-
-`--metrics.otlp.http.tls.ca`:
-TLS CA
-
-`--metrics.otlp.http.tls.cert`:
-TLS cert
-
-`--metrics.otlp.http.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--metrics.otlp.http.tls.key`:
-TLS key
-
-`--metrics.otlp.pushinterval`:
-Period between calls to collect a checkpoint. (Default: ```10```)
-
-`--metrics.otlp.resourceattributes.`:
-Defines additional resource attributes (key:value).
-
-`--metrics.otlp.servicename`:
-Defines the service name resource attribute. (Default: ```traefik```)
-
-`--metrics.prometheus`:
-Prometheus metrics exporter type. (Default: ```false```)
-
-`--metrics.prometheus.addentrypointslabels`:
-Enable metrics on entry points. (Default: ```true```)
-
-`--metrics.prometheus.addrouterslabels`:
-Enable metrics on routers. (Default: ```false```)
-
-`--metrics.prometheus.addserviceslabels`:
-Enable metrics on services. (Default: ```true```)
-
-`--metrics.prometheus.buckets`:
-Buckets for latency metrics. (Default: ```0.100000, 0.300000, 1.200000, 5.000000```)
-
-`--metrics.prometheus.entrypoint`:
-EntryPoint (Default: ```traefik```)
-
-`--metrics.prometheus.headerlabels.`:
-Defines the extra labels for the requests_total metrics, and for each of them, the request header containing the value for this label.
-
-`--metrics.prometheus.manualrouting`:
-Manual routing (Default: ```false```)
-
-`--metrics.statsd`:
-StatsD metrics exporter type. (Default: ```false```)
-
-`--metrics.statsd.addentrypointslabels`:
-Enable metrics on entry points. (Default: ```true```)
-
-`--metrics.statsd.address`:
-StatsD address. (Default: ```localhost:8125```)
-
-`--metrics.statsd.addrouterslabels`:
-Enable metrics on routers. (Default: ```false```)
-
-`--metrics.statsd.addserviceslabels`:
-Enable metrics on services. (Default: ```true```)
-
-`--metrics.statsd.prefix`:
-Prefix to use for metrics collection. (Default: ```traefik```)
-
-`--metrics.statsd.pushinterval`:
-StatsD push interval. (Default: ```10```)
-
-`--ocsp`:
-OCSP configuration. (Default: ```false```)
-
-`--ocsp.responderoverrides.`:
-Defines a map of OCSP responders to replace for querying OCSP servers.
-
-`--ping`:
-Enable ping. (Default: ```false```)
-
-`--ping.entrypoint`:
-EntryPoint (Default: ```traefik```)
-
-`--ping.manualrouting`:
-Manual routing (Default: ```false```)
-
-`--ping.terminatingstatuscode`:
-Terminating status code (Default: ```503```)
-
-`--providers.consul`:
-Enable Consul backend with default settings. (Default: ```false```)
-
-`--providers.consul.endpoints`:
-KV store endpoints. (Default: ```127.0.0.1:8500```)
-
-`--providers.consul.namespaces`:
-Sets the namespaces used to discover the configuration (Consul Enterprise only).
-
-`--providers.consul.rootkey`:
-Root key used for KV store. (Default: ```traefik```)
-
-`--providers.consul.tls.ca`:
-TLS CA
-
-`--providers.consul.tls.cert`:
-TLS cert
-
-`--providers.consul.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.consul.tls.key`:
-TLS key
-
-`--providers.consul.token`:
-Per-request ACL token.
-
-`--providers.consulcatalog`:
-Enable ConsulCatalog backend with default settings. (Default: ```false```)
-
-`--providers.consulcatalog.cache`:
-Use local agent caching for catalog reads. (Default: ```false```)
-
-`--providers.consulcatalog.connectaware`:
-Enable Consul Connect support. (Default: ```false```)
-
-`--providers.consulcatalog.connectbydefault`:
-Consider every service as Connect capable by default. (Default: ```false```)
-
-`--providers.consulcatalog.constraints`:
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`--providers.consulcatalog.defaultrule`:
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`--providers.consulcatalog.endpoint.address`:
-The address of the Consul server
-
-`--providers.consulcatalog.endpoint.datacenter`:
-Data center to use. If not provided, the default agent data center is used
-
-`--providers.consulcatalog.endpoint.endpointwaittime`:
-WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: ```0```)
-
-`--providers.consulcatalog.endpoint.httpauth.password`:
-Basic Auth password
-
-`--providers.consulcatalog.endpoint.httpauth.username`:
-Basic Auth username
-
-`--providers.consulcatalog.endpoint.scheme`:
-The URI scheme for the Consul server
-
-`--providers.consulcatalog.endpoint.tls.ca`:
-TLS CA
-
-`--providers.consulcatalog.endpoint.tls.cert`:
-TLS cert
-
-`--providers.consulcatalog.endpoint.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.consulcatalog.endpoint.tls.key`:
-TLS key
-
-`--providers.consulcatalog.endpoint.token`:
-Token is used to provide a per-request ACL token which overrides the agent's default token
-
-`--providers.consulcatalog.exposedbydefault`:
-Expose containers by default. (Default: ```true```)
-
-`--providers.consulcatalog.namespaces`:
-Sets the namespaces used to discover services (Consul Enterprise only).
-
-`--providers.consulcatalog.prefix`:
-Prefix for consul service tags. (Default: ```traefik```)
-
-`--providers.consulcatalog.refreshinterval`:
-Interval for check Consul API. (Default: ```15```)
-
-`--providers.consulcatalog.requireconsistent`:
-Forces the read to be fully consistent. (Default: ```false```)
-
-`--providers.consulcatalog.servicename`:
-Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). (Default: ```traefik```)
-
-`--providers.consulcatalog.stale`:
-Use stale consistency for catalog reads. (Default: ```false```)
-
-`--providers.consulcatalog.strictchecks`:
-A list of service health statuses to allow taking traffic. (Default: ```passing, warning```)
-
-`--providers.consulcatalog.watch`:
-Watch Consul API events. (Default: ```false```)
-
-`--providers.docker`:
-Enable Docker backend with default settings. (Default: ```false```)
-
-`--providers.docker.allowemptyservices`:
-Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. (Default: ```false```)
-
-`--providers.docker.constraints`:
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`--providers.docker.defaultrule`:
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`--providers.docker.endpoint`:
-Docker server endpoint. Can be a TCP or a Unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
-
-`--providers.docker.exposedbydefault`:
-Expose containers by default. (Default: ```true```)
-
-`--providers.docker.httpclienttimeout`:
-Client timeout for HTTP connections. (Default: ```0```)
-
-`--providers.docker.network`:
-Default Docker network used.
-
-`--providers.docker.password`:
-Password for Basic HTTP authentication.
-
-`--providers.docker.tls.ca`:
-TLS CA
-
-`--providers.docker.tls.cert`:
-TLS cert
-
-`--providers.docker.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.docker.tls.key`:
-TLS key
-
-`--providers.docker.usebindportip`:
-Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
-
-`--providers.docker.username`:
-Username for Basic HTTP authentication.
-
-`--providers.docker.watch`:
-Watch Docker events. (Default: ```true```)
-
-`--providers.ecs`:
-Enable AWS ECS backend with default settings. (Default: ```false```)
-
-`--providers.ecs.accesskeyid`:
-AWS credentials access key ID to use for making requests.
-
-`--providers.ecs.autodiscoverclusters`:
-Auto discover cluster. (Default: ```false```)
-
-`--providers.ecs.clusters`:
-ECS Cluster names. (Default: ```default```)
-
-`--providers.ecs.constraints`:
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`--providers.ecs.defaultrule`:
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`--providers.ecs.ecsanywhere`:
-Enable ECS Anywhere support. (Default: ```false```)
-
-`--providers.ecs.exposedbydefault`:
-Expose services by default. (Default: ```true```)
-
-`--providers.ecs.healthytasksonly`:
-Determines whether to discover only healthy tasks. (Default: ```false```)
-
-`--providers.ecs.refreshseconds`:
-Polling interval (in seconds). (Default: ```15```)
-
-`--providers.ecs.region`:
-AWS region to use for requests.
-
-`--providers.ecs.secretaccesskey`:
-AWS credentials access key to use for making requests.
-
-`--providers.etcd`:
-Enable Etcd backend with default settings. (Default: ```false```)
-
-`--providers.etcd.endpoints`:
-KV store endpoints. (Default: ```127.0.0.1:2379```)
-
-`--providers.etcd.password`:
-Password for authentication.
-
-`--providers.etcd.rootkey`:
-Root key used for KV store. (Default: ```traefik```)
-
-`--providers.etcd.tls.ca`:
-TLS CA
-
-`--providers.etcd.tls.cert`:
-TLS cert
-
-`--providers.etcd.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.etcd.tls.key`:
-TLS key
-
-`--providers.etcd.username`:
-Username for authentication.
-
-`--providers.file.debugloggeneratedtemplate`:
-Enable debug logging of generated configuration template. (Default: ```false```)
-
-`--providers.file.directory`:
-Load dynamic configuration from one or more .yml or .toml files in a directory.
-
-`--providers.file.filename`:
-Load dynamic configuration from a file.
-
-`--providers.file.watch`:
-Watch provider. (Default: ```true```)
-
-`--providers.http`:
-Enable HTTP backend with default settings. (Default: ```false```)
-
-`--providers.http.endpoint`:
-Load configuration from this endpoint.
-
-`--providers.http.headers.`:
-Define custom headers to be sent to the endpoint.
-
-`--providers.http.maxresponsebodysize`:
-Defines the maximum size of the response body in bytes. (Default: ```-1```)
-
-`--providers.http.pollinterval`:
-Polling interval for endpoint. (Default: ```5```)
-
-`--providers.http.polltimeout`:
-Polling timeout for endpoint. (Default: ```5```)
-
-`--providers.http.tls.ca`:
-TLS CA
-
-`--providers.http.tls.cert`:
-TLS cert
-
-`--providers.http.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.http.tls.key`:
-TLS key
-
-`--providers.kubernetescrd`:
-Enable Kubernetes backend with default settings. (Default: ```false```)
-
-`--providers.kubernetescrd.allowcrossnamespace`:
-Allow cross namespace resource reference. (Default: ```false```)
-
-`--providers.kubernetescrd.allowemptyservices`:
-Allow the creation of services without endpoints. (Default: ```false```)
-
-`--providers.kubernetescrd.allowexternalnameservices`:
-Allow ExternalName services. (Default: ```false```)
-
-`--providers.kubernetescrd.certauthfilepath`:
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`--providers.kubernetescrd.disableclusterscoperesources`:
-Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). (Default: ```false```)
-
-`--providers.kubernetescrd.endpoint`:
-Kubernetes server endpoint (required for external cluster client).
-
-`--providers.kubernetescrd.ingressclass`:
-Value of kubernetes.io/ingress.class annotation to watch for.
-
-`--providers.kubernetescrd.labelselector`:
-Kubernetes label selector to use.
-
-`--providers.kubernetescrd.namespaces`:
-Kubernetes namespaces.
-
-`--providers.kubernetescrd.nativelbbydefault`:
-Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
-
-`--providers.kubernetescrd.throttleduration`:
-Ingress refresh throttle duration (Default: ```0```)
-
-`--providers.kubernetescrd.token`:
-Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
-
-`--providers.kubernetesgateway`:
-Enable Kubernetes gateway api provider with default settings. (Default: ```false```)
-
-`--providers.kubernetesgateway.certauthfilepath`:
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`--providers.kubernetesgateway.endpoint`:
-Kubernetes server endpoint (required for external cluster client).
-
-`--providers.kubernetesgateway.experimentalchannel`:
-Toggles Experimental Channel resources support (TCPRoute, TLSRoute...). (Default: ```false```)
-
-`--providers.kubernetesgateway.labelselector`:
-Kubernetes label selector to select specific GatewayClasses.
-
-`--providers.kubernetesgateway.namespaces`:
-Kubernetes namespaces.
-
-`--providers.kubernetesgateway.nativelbbydefault`:
-Defines whether to use Native Kubernetes load-balancing by default. (Default: ```false```)
-
-`--providers.kubernetesgateway.statusaddress.hostname`:
-Hostname used for Kubernetes Gateway status address.
-
-`--providers.kubernetesgateway.statusaddress.ip`:
-IP used to set Kubernetes Gateway status address.
-
-`--providers.kubernetesgateway.statusaddress.service`:
-Published Kubernetes Service to copy status addresses from.
-
-`--providers.kubernetesgateway.statusaddress.service.name`:
-Name of the Kubernetes service.
-
-`--providers.kubernetesgateway.statusaddress.service.namespace`:
-Namespace of the Kubernetes service.
-
-`--providers.kubernetesgateway.throttleduration`:
-Kubernetes refresh throttle duration (Default: ```0```)
-
-`--providers.kubernetesgateway.token`:
-Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
-
-`--providers.kubernetesingress`:
-Enable Kubernetes backend with default settings. (Default: ```false```)
-
-`--providers.kubernetesingress.allowemptyservices`:
-Allow creation of services without endpoints. (Default: ```false```)
-
-`--providers.kubernetesingress.allowexternalnameservices`:
-Allow ExternalName services. (Default: ```false```)
-
-`--providers.kubernetesingress.certauthfilepath`:
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`--providers.kubernetesingress.disableclusterscoperesources`:
-Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). (Default: ```false```)
-
-`--providers.kubernetesingress.disableingressclasslookup`:
-Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). (Default: ```false```)
-
-`--providers.kubernetesingress.endpoint`:
-Kubernetes server endpoint (required for external cluster client).
-
-`--providers.kubernetesingress.ingressclass`:
-Value of kubernetes.io/ingress.class annotation or IngressClass name to watch for.
-
-`--providers.kubernetesingress.ingressendpoint.hostname`:
-Hostname used for Kubernetes Ingress endpoints.
-
-`--providers.kubernetesingress.ingressendpoint.ip`:
-IP used for Kubernetes Ingress endpoints.
-
-`--providers.kubernetesingress.ingressendpoint.publishedservice`:
-Published Kubernetes Service to copy status from.
-
-`--providers.kubernetesingress.labelselector`:
-Kubernetes Ingress label selector to use.
-
-`--providers.kubernetesingress.namespaces`:
-Kubernetes namespaces.
-
-`--providers.kubernetesingress.nativelbbydefault`:
-Defines whether to use Native Kubernetes load-balancing mode by default. (Default: ```false```)
-
-`--providers.kubernetesingress.strictprefixmatching`:
-Make prefix matching strictly comply with the Kubernetes Ingress specification (path-element-wise matching instead of character-by-character string matching). (Default: ```false```)
-
-`--providers.kubernetesingress.throttleduration`:
-Ingress refresh throttle duration (Default: ```0```)
-
-`--providers.kubernetesingress.token`:
-Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
-
-`--providers.kubernetesingressnginx`:
-Enable Kubernetes Ingress NGINX provider. (Default: ```false```)
-
-`--providers.kubernetesingressnginx.certauthfilepath`:
-Kubernetes certificate authority file path (not needed for in-cluster client).
-
-`--providers.kubernetesingressnginx.controllerclass`:
-Ingress Class Controller value this controller satisfies. (Default: ```k8s.io/ingress-nginx```)
-
-`--providers.kubernetesingressnginx.defaultbackendservice`:
-Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'.
-
-`--providers.kubernetesingressnginx.disablesvcexternalname`:
-Disable support for Services of type ExternalName. (Default: ```false```)
-
-`--providers.kubernetesingressnginx.endpoint`:
-Kubernetes server endpoint (required for external cluster client).
-
-`--providers.kubernetesingressnginx.ingressclass`:
-Name of the ingress class this controller satisfies. (Default: ```nginx```)
-
-`--providers.kubernetesingressnginx.ingressclassbyname`:
-Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class. (Default: ```false```)
-
-`--providers.kubernetesingressnginx.publishservice`:
-Service fronting the Ingress controller. Takes the form 'namespace/name'.
-
-`--providers.kubernetesingressnginx.publishstatusaddress`:
-Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies.
-
-`--providers.kubernetesingressnginx.throttleduration`:
-Ingress refresh throttle duration. (Default: ```0```)
-
-`--providers.kubernetesingressnginx.token`:
-Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token.
-
-`--providers.kubernetesingressnginx.watchingresswithoutclass`:
-Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified. (Default: ```false```)
-
-`--providers.kubernetesingressnginx.watchnamespace`:
-Namespace the controller watches for updates to Kubernetes objects. All namespaces are watched if this parameter is left empty.
-
-`--providers.kubernetesingressnginx.watchnamespaceselector`:
-Selector selects namespaces the controller watches for updates to Kubernetes objects.
-
-`--providers.nomad`:
-Enable Nomad backend with default settings. (Default: ```false```)
-
-`--providers.nomad.allowemptyservices`:
-Allow the creation of services without endpoints. (Default: ```false```)
-
-`--providers.nomad.constraints`:
-Constraints is an expression that Traefik matches against the Nomad service's tags to determine whether to create route(s) for that service.
-
-`--providers.nomad.defaultrule`:
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`--providers.nomad.endpoint.address`:
-The address of the Nomad server, including scheme and port. (Default: ```http://127.0.0.1:4646```)
-
-`--providers.nomad.endpoint.endpointwaittime`:
-WaitTime limits how long a Watch will block. If not provided, the agent default values will be used (Default: ```0```)
-
-`--providers.nomad.endpoint.region`:
-Nomad region to use. If not provided, the local agent region is used.
-
-`--providers.nomad.endpoint.tls.ca`:
-TLS CA
-
-`--providers.nomad.endpoint.tls.cert`:
-TLS cert
-
-`--providers.nomad.endpoint.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.nomad.endpoint.tls.key`:
-TLS key
-
-`--providers.nomad.endpoint.token`:
-Token is used to provide a per-request ACL token.
-
-`--providers.nomad.exposedbydefault`:
-Expose Nomad services by default. (Default: ```true```)
-
-`--providers.nomad.namespaces`:
-Sets the Nomad namespaces used to discover services.
-
-`--providers.nomad.prefix`:
-Prefix for nomad service tags. (Default: ```traefik```)
-
-`--providers.nomad.refreshinterval`:
-Interval for polling Nomad API. (Default: ```15```)
-
-`--providers.nomad.stale`:
-Use stale consistency for catalog reads. (Default: ```false```)
-
-`--providers.nomad.throttleduration`:
-Watch throttle duration. (Default: ```0```)
-
-`--providers.nomad.watch`:
-Watch Nomad Service events. (Default: ```false```)
-
-`--providers.plugin.`:
-Plugins configuration.
-
-`--providers.providersthrottleduration`:
-Backends throttle duration: minimum duration between 2 events from providers before applying a new configuration. It avoids unnecessary reloads if multiples events are sent in a short amount of time. (Default: ```2```)
-
-`--providers.redis`:
-Enable Redis backend with default settings. (Default: ```false```)
-
-`--providers.redis.db`:
-Database to be selected after connecting to the server. (Default: ```0```)
-
-`--providers.redis.endpoints`:
-KV store endpoints. (Default: ```127.0.0.1:6379```)
-
-`--providers.redis.password`:
-Password for authentication.
-
-`--providers.redis.rootkey`:
-Root key used for KV store. (Default: ```traefik```)
-
-`--providers.redis.sentinel.latencystrategy`:
-Defines whether to route commands to the closest master or replica nodes (mutually exclusive with RandomStrategy and ReplicaStrategy). (Default: ```false```)
-
-`--providers.redis.sentinel.mastername`:
-Name of the master.
-
-`--providers.redis.sentinel.password`:
-Password for Sentinel authentication.
-
-`--providers.redis.sentinel.randomstrategy`:
-Defines whether to route commands randomly to master or replica nodes (mutually exclusive with LatencyStrategy and ReplicaStrategy). (Default: ```false```)
-
-`--providers.redis.sentinel.replicastrategy`:
-Defines whether to route all commands to replica nodes (mutually exclusive with LatencyStrategy and RandomStrategy). (Default: ```false```)
-
-`--providers.redis.sentinel.usedisconnectedreplicas`:
-Use replicas disconnected with master when cannot get connected replicas. (Default: ```false```)
-
-`--providers.redis.sentinel.username`:
-Username for Sentinel authentication.
-
-`--providers.redis.tls.ca`:
-TLS CA
-
-`--providers.redis.tls.cert`:
-TLS cert
-
-`--providers.redis.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.redis.tls.key`:
-TLS key
-
-`--providers.redis.username`:
-Username for authentication.
-
-`--providers.rest`:
-Enable Rest backend with default settings. (Default: ```false```)
-
-`--providers.rest.insecure`:
-Activate REST Provider directly on the entryPoint named traefik. (Default: ```false```)
-
-`--providers.swarm`:
-Enable Docker Swarm backend with default settings. (Default: ```false```)
-
-`--providers.swarm.allowemptyservices`:
-Disregards the Docker containers health checks with respect to the creation or removal of the corresponding services. (Default: ```false```)
-
-`--providers.swarm.constraints`:
-Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
-
-`--providers.swarm.defaultrule`:
-Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)
-
-`--providers.swarm.endpoint`:
-Docker server endpoint. Can be a TCP or a Unix socket endpoint. (Default: ```unix:///var/run/docker.sock```)
-
-`--providers.swarm.exposedbydefault`:
-Expose containers by default. (Default: ```true```)
-
-`--providers.swarm.httpclienttimeout`:
-Client timeout for HTTP connections. (Default: ```0```)
-
-`--providers.swarm.network`:
-Default Docker network used.
-
-`--providers.swarm.password`:
-Password for Basic HTTP authentication.
-
-`--providers.swarm.refreshseconds`:
-Polling interval for swarm mode. (Default: ```15```)
-
-`--providers.swarm.tls.ca`:
-TLS CA
-
-`--providers.swarm.tls.cert`:
-TLS cert
-
-`--providers.swarm.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--providers.swarm.tls.key`:
-TLS key
-
-`--providers.swarm.usebindportip`:
-Use the ip address from the bound port, rather than from the inner network. (Default: ```false```)
-
-`--providers.swarm.username`:
-Username for Basic HTTP authentication.
-
-`--providers.swarm.watch`:
-Watch Docker events. (Default: ```true```)
-
-`--providers.zookeeper`:
-Enable ZooKeeper backend with default settings. (Default: ```false```)
-
-`--providers.zookeeper.endpoints`:
-KV store endpoints. (Default: ```127.0.0.1:2181```)
-
-`--providers.zookeeper.password`:
-Password for authentication.
-
-`--providers.zookeeper.rootkey`:
-Root key used for KV store. (Default: ```traefik```)
-
-`--providers.zookeeper.username`:
-Username for authentication.
-
-`--serverstransport.forwardingtimeouts.dialtimeout`:
-The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
-
-`--serverstransport.forwardingtimeouts.idleconntimeout`:
-The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself (Default: ```90```)
-
-`--serverstransport.forwardingtimeouts.responseheadertimeout`:
-The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. (Default: ```0```)
-
-`--serverstransport.insecureskipverify`:
-Disable SSL certificate verification. (Default: ```false```)
-
-`--serverstransport.maxidleconnsperhost`:
-If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used (Default: ```200```)
-
-`--serverstransport.rootcas`:
-Add cert file for self-signed certificate.
-
-`--serverstransport.spiffe`:
-Defines the SPIFFE configuration. (Default: ```false```)
-
-`--serverstransport.spiffe.ids`:
-Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
-
-`--serverstransport.spiffe.trustdomain`:
-Defines the allowed SPIFFE trust domain.
-
-`--spiffe.workloadapiaddr`:
-Defines the workload API address.
-
-`--tcpserverstransport.dialkeepalive`:
-Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled (Default: ```15```)
-
-`--tcpserverstransport.dialtimeout`:
-Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
-
-`--tcpserverstransport.terminationdelay`:
-Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. (Default: ```0```)
-
-`--tcpserverstransport.tls`:
-Defines the TLS configuration. (Default: ```false```)
-
-`--tcpserverstransport.tls.insecureskipverify`:
-Disables SSL certificate verification. (Default: ```false```)
-
-`--tcpserverstransport.tls.rootcas`:
-Defines a list of CA secret used to validate self-signed certificate
-
-`--tcpserverstransport.tls.spiffe`:
-Defines the SPIFFE TLS configuration. (Default: ```false```)
-
-`--tcpserverstransport.tls.spiffe.ids`:
-Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
-
-`--tcpserverstransport.tls.spiffe.trustdomain`:
-Defines the allowed SPIFFE trust domain.
-
-`--tracing`:
-Tracing configuration. (Default: ```false```)
-
-`--tracing.addinternals`:
-Enables tracing for internal services (ping, dashboard, etc...). (Default: ```false```)
-
-`--tracing.capturedrequestheaders`:
-Request headers to add as attributes for server and client spans.
-
-`--tracing.capturedresponseheaders`:
-Response headers to add as attributes for server and client spans.
-
-`--tracing.globalattributes.`:
-(Deprecated) Defines additional resource attributes (key:value).
-
-`--tracing.otlp`:
-Settings for OpenTelemetry. (Default: ```false```)
-
-`--tracing.otlp.grpc`:
-gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--tracing.otlp.grpc.endpoint`:
-Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
-
-`--tracing.otlp.grpc.headers.`:
-Headers sent with payload.
-
-`--tracing.otlp.grpc.insecure`:
-Disables client transport security for the exporter. (Default: ```false```)
-
-`--tracing.otlp.grpc.tls.ca`:
-TLS CA
-
-`--tracing.otlp.grpc.tls.cert`:
-TLS cert
-
-`--tracing.otlp.grpc.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--tracing.otlp.grpc.tls.key`:
-TLS key
-
-`--tracing.otlp.http`:
-HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`--tracing.otlp.http.endpoint`:
-Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
-
-`--tracing.otlp.http.headers.`:
-Headers sent with payload.
-
-`--tracing.otlp.http.tls.ca`:
-TLS CA
-
-`--tracing.otlp.http.tls.cert`:
-TLS cert
-
-`--tracing.otlp.http.tls.insecureskipverify`:
-TLS insecure skip verify (Default: ```false```)
-
-`--tracing.otlp.http.tls.key`:
-TLS key
-
-`--tracing.resourceattributes.`:
-Defines additional resource attributes (key:value).
-
-`--tracing.safequeryparams`:
-Query params to not redact.
-
-`--tracing.samplerate`:
-Sets the rate between 0.0 and 1.0 of requests to trace. (Default: ```1.000000```)
-
-`--tracing.servicename`:
-Defines the service name resource attribute. (Default: ```traefik```)
diff --git a/docs/content/reference/static-configuration/env-ref.md b/docs/content/reference/static-configuration/env-ref.md
deleted file mode 100644
index f3ad394e2..000000000
--- a/docs/content/reference/static-configuration/env-ref.md
+++ /dev/null
@@ -1,1450 +0,0 @@
-
-
-`TRAEFIK_ACCESSLOG`:
-Access log settings. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_ADDINTERNALS`:
-Enables access log for internal services (ping, dashboard, etc...). (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_BUFFERINGSIZE`:
-Number of access log lines to process in a buffered way. (Default: ```0```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_DEFAULTMODE`:
-Default mode for fields: keep | drop (Default: ```keep```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_DEFAULTMODE`:
-Default mode for fields: keep | drop | redact (Default: ```drop```)
-
-`TRAEFIK_ACCESSLOG_FIELDS_HEADERS_NAMES_`:
-Override mode for headers
-
-`TRAEFIK_ACCESSLOG_FIELDS_NAMES_`:
-Override mode for fields
-
-`TRAEFIK_ACCESSLOG_FILEPATH`:
-Access log file path. Stdout is used when omitted or empty.
-
-`TRAEFIK_ACCESSLOG_FILTERS_MINDURATION`:
-Keep access logs when request took longer than the specified duration. (Default: ```0```)
-
-`TRAEFIK_ACCESSLOG_FILTERS_RETRYATTEMPTS`:
-Keep access logs when at least one retry happened. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_FILTERS_STATUSCODES`:
-Keep access logs with status codes in the specified range.
-
-`TRAEFIK_ACCESSLOG_FORMAT`:
-Access log format: json | common (Default: ```common```)
-
-`TRAEFIK_ACCESSLOG_OTLP`:
-Settings for OpenTelemetry. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC`:
-gRPC configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC_ENDPOINT`:
-Sets the gRPC endpoint (host:port) of the collector. (Default: ```localhost:4317```)
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC_HEADERS_`:
-Headers sent with payload.
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC_INSECURE`:
-Disables client transport security for the exporter. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_CA`:
-TLS CA
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_CERT`:
-TLS cert
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_INSECURESKIPVERIFY`:
-TLS insecure skip verify (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_OTLP_GRPC_TLS_KEY`:
-TLS key
-
-`TRAEFIK_ACCESSLOG_OTLP_HTTP`:
-HTTP configuration for the OpenTelemetry collector. (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_OTLP_HTTP_ENDPOINT`:
-Sets the HTTP endpoint (scheme://host:port/path) of the collector. (Default: ```https://localhost:4318```)
-
-`TRAEFIK_ACCESSLOG_OTLP_HTTP_HEADERS_`:
-Headers sent with payload.
-
-`TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_CA`:
-TLS CA
-
-`TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_CERT`:
-TLS cert
-
-`TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_INSECURESKIPVERIFY`:
-TLS insecure skip verify (Default: ```false```)
-
-`TRAEFIK_ACCESSLOG_OTLP_HTTP_TLS_KEY`:
-TLS key
-
-`TRAEFIK_ACCESSLOG_OTLP_RESOURCEATTRIBUTES_`:
-Defines additional resource attributes (key:value).
-
-`TRAEFIK_ACCESSLOG_OTLP_SERVICENAME`:
-Defines the service name resource attribute. (Default: ```traefik```)
-
-`TRAEFIK_API`:
-Enable api/dashboard. (Default: ```false```)
-
-`TRAEFIK_API_BASEPATH`:
-Defines the base path where the API and Dashboard will be exposed. (Default: ```/```)
-
-`TRAEFIK_API_DASHBOARD`:
-Activate dashboard. (Default: ```true```)
-
-`TRAEFIK_API_DEBUG`:
-Enable additional endpoints for debugging and profiling. (Default: ```false```)
-
-`TRAEFIK_API_DISABLEDASHBOARDAD`:
-Disable ad in the dashboard. (Default: ```false```)
-
-`TRAEFIK_API_INSECURE`:
-Activate API directly on the entryPoint named traefik. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS_`:
-Certificates resolvers configuration. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CACERTIFICATES`:
-Specify the paths to PEM encoded CA Certificates that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CASERVER`:
-CA server to use. (Default: ```https://acme-v02.api.letsencrypt.org/directory```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CASERVERNAME`:
-Specify the CA server name that can be used to authenticate an ACME server with an HTTPS certificate not issued by a CA in the system-wide trusted root list.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CASYSTEMCERTPOOL`:
-Define if the certificates pool must use a copy of the system cert pool. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CERTIFICATESDURATION`:
-Certificates' duration in hours. (Default: ```2160```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CLIENTRESPONSEHEADERTIMEOUT`:
-Timeout for receiving the response headers when communicating with the ACME server. (Default: ```30```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_CLIENTTIMEOUT`:
-Timeout for a complete HTTP transaction with the ACME server. (Default: ```120```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DISABLECOMMONNAME`:
-Disable the common name in the CSR. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE`:
-Activate DNS-01 Challenge. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_DELAYBEFORECHECK`:
-(Deprecated) Assume DNS propagates after a delay in seconds rather than finding and querying nameservers. (Default: ```0```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_DISABLEPROPAGATIONCHECK`:
-(Deprecated) Disable the DNS propagation checks before notifying ACME that the DNS challenge is ready. [not recommended] (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_PROPAGATION`:
-DNS propagation checks configuration (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_PROPAGATION_DELAYBEFORECHECKS`:
-Defines the delay before checking the challenge TXT record propagation. (Default: ```0```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_PROPAGATION_DISABLEANSCHECKS`:
-Disables the challenge TXT record propagation checks against authoritative nameservers. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_PROPAGATION_DISABLECHECKS`:
-Disables the challenge TXT record propagation checks (not recommended). (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_PROPAGATION_REQUIREALLRNS`:
-Requires the challenge TXT record to be propagated to all recursive nameservers. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_PROVIDER`:
-Use a DNS-01 based challenge provider rather than HTTPS.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_DNSCHALLENGE_RESOLVERS`:
-Use following DNS servers to resolve the FQDN authority.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_EAB_HMACENCODED`:
-Base64 encoded HMAC key from External CA.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_EAB_KID`:
-Key identifier from External CA.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_EMAIL`:
-Email address used for registration.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_EMAILADDRESSES`:
-CSR email addresses to use.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_HTTPCHALLENGE`:
-Activate HTTP-01 Challenge. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_HTTPCHALLENGE_DELAY`:
-Delay between the creation of the challenge and the validation. (Default: ```0```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_HTTPCHALLENGE_ENTRYPOINT`:
-HTTP challenge EntryPoint
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_KEYTYPE`:
-KeyType used for generating certificate private key. Allow value 'EC256', 'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. (Default: ```RSA4096```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_PREFERREDCHAIN`:
-Preferred chain to use.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_PROFILE`:
-Certificate profile to use.
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_STORAGE`:
-Storage to use. (Default: ```acme.json```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_TLSCHALLENGE`:
-Activate TLS-ALPN-01 Challenge. (Default: ```false```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__ACME_TLSCHALLENGE_DELAY`:
-Delay between the creation of the challenge and the validation. (Default: ```0```)
-
-`TRAEFIK_CERTIFICATESRESOLVERS__TAILSCALE`:
-Enables Tailscale certificate resolution. (Default: ```true```)
-
-`TRAEFIK_CORE_DEFAULTRULESYNTAX`:
-Defines the rule parser default syntax (v2 or v3) (Default: ```v3```)
-
-`TRAEFIK_ENTRYPOINTS_`:
-Entry points definition. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS__ADDRESS`:
-Entry point address.
-
-`TRAEFIK_ENTRYPOINTS__ALLOWACMEBYPASS`:
-Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS__ASDEFAULT`:
-Adds this EntryPoint to the list of default EntryPoints to be used on routers that don't have any Entrypoint defined. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS__FORWARDEDHEADERS_CONNECTION`:
-List of Connection headers that are allowed to pass through the middleware chain before being removed.
-
-`TRAEFIK_ENTRYPOINTS__FORWARDEDHEADERS_INSECURE`:
-Trust all forwarded headers. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS__FORWARDEDHEADERS_TRUSTEDIPS`:
-Trust only forwarded headers from selected IPs.
-
-`TRAEFIK_ENTRYPOINTS__HTTP`:
-HTTP configuration.
-
-`TRAEFIK_ENTRYPOINTS__HTTP2_MAXCONCURRENTSTREAMS`:
-Specifies the number of concurrent streams per connection that each client is allowed to initiate. (Default: ```250```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP3`:
-HTTP/3 configuration. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP3_ADVERTISEDPORT`:
-UDP port to advertise, on which HTTP/3 is available. (Default: ```0```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEDCHARACTERS_ALLOWENCODEDBACKSLASH`:
-Defines whether requests with encoded back slash characters in the path are allowed. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEDCHARACTERS_ALLOWENCODEDHASH`:
-Defines whether requests with encoded hash characters in the path are allowed. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEDCHARACTERS_ALLOWENCODEDNULLCHARACTER`:
-Defines whether requests with encoded null characters in the path are allowed. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEDCHARACTERS_ALLOWENCODEDPERCENT`:
-Defines whether requests with encoded percent characters in the path are allowed. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEDCHARACTERS_ALLOWENCODEDQUESTIONMARK`:
-Defines whether requests with encoded question mark characters in the path are allowed. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSEMICOLON`:
-Defines whether requests with encoded semicolon characters in the path are allowed. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEDCHARACTERS_ALLOWENCODEDSLASH`:
-Defines whether requests with encoded slash characters in the path are allowed. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_ENCODEQUERYSEMICOLONS`:
-Defines whether request query semicolons should be URLEncoded. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_MAXHEADERBYTES`:
-Maximum size of request headers in bytes. (Default: ```1048576```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_MIDDLEWARES`:
-Default middlewares for the routers linked to the entry point.
-
-`TRAEFIK_ENTRYPOINTS__HTTP_REDIRECTIONS_ENTRYPOINT_PERMANENT`:
-Applies a permanent redirection. (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_REDIRECTIONS_ENTRYPOINT_PRIORITY`:
-Priority of the generated router. (Default: ```9223372036854775806```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_REDIRECTIONS_ENTRYPOINT_SCHEME`:
-Scheme used for the redirection. (Default: ```https```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_REDIRECTIONS_ENTRYPOINT_TO`:
-Targeted entry point of the redirection.
-
-`TRAEFIK_ENTRYPOINTS__HTTP_SANITIZEPATH`:
-Defines whether to enable request path sanitization (removal of /./, /../ and multiple slash sequences). (Default: ```true```)
-
-`TRAEFIK_ENTRYPOINTS__HTTP_TLS`:
-Default TLS configuration for the routers linked to the entry point. (Default: ```false```)
-
-`TRAEFIK_ENTRYPOINTS_
-