Merge branch v3.6 into v3.7

docs/content/migrate/v3.md

@@ -80,6 +80,15 @@ Note: TLSOptions for `HostRegexp` matchers remains unsupported. Use wildcard `Ho
 
 ---
 
+## v3.6.15
+
+In `v3.6.15`, a new `errorRequestHeaders` option has been added to the Errors middleware.
+
+By default, the behavior is unchanged: all original request headers are forwarded to the error page service.
+If the error page service is in a separate trust domain, consider using `errorRequestHeaders` to restrict which headers are forwarded.
+
+Please check out the [Error Pages](../reference/routing-configuration/http/middlewares/errorpages.md#errorRequestHeaders) middleware documentation for more details.
+
 ## v3.6.14
 
 ### Kubernetes CRD: Chain middleware and `allowCrossNamespace`

docs/content/reference/dynamic-configuration/docker-labels.yml

@@ -30,6 +30,7 @@
 - "traefik.http.middlewares.middleware08.digestauth.removeheader=true"
 - "traefik.http.middlewares.middleware08.digestauth.users=foobar, foobar"
 - "traefik.http.middlewares.middleware08.digestauth.usersfile=foobar"
+- "traefik.http.middlewares.middleware09.errors.errorrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.errors.query=foobar"
 - "traefik.http.middlewares.middleware09.errors.service=foobar"
 - "traefik.http.middlewares.middleware09.errors.status=foobar, foobar"

docs/content/reference/dynamic-configuration/file.toml

@@ -193,6 +193,7 @@
         status = ["foobar", "foobar"]
         service = "foobar"
         query = "foobar"
+        errorRequestHeaders = ["foobar", "foobar"]
         [http.middlewares.Middleware09.errors.statusRewrites]
           name0 = 42
           name1 = 42

docs/content/reference/dynamic-configuration/file.yaml

@@ -208,6 +208,9 @@ http:
           name1: 42
         service: foobar
         query: foobar
+        errorRequestHeaders:
+          - foobar
+          - foobar
     Middleware10:
       forwardAuth:
         address: foobar

docs/content/reference/routing-configuration/http/middlewares/errorpages.md

@@ -129,3 +129,12 @@ The table below lists all the available variables and their associated values.
 | <a id="opt-status-2" href="#opt-status-2" title="#opt-status-2">`{status}`</a> | The response status code.                                        |
 | <a id="opt-originalStatus" href="#opt-originalStatus" title="#opt-originalStatus">`{originalStatus}`</a> | The original response status code, if it has been modified by the `statusRewrites` option. |
 | <a id="opt-url" href="#opt-url" title="#opt-url">`{url}`</a> | The [escaped](https://pkg.go.dev/net/url#QueryEscape) request URL.|
+
+### `errorRequestHeaders`
+
+Defines the list of original request headers forwarded to the error page service.
+
+By default (`errorRequestHeaders` not set), all request headers — including authentication material such as `Authorization` and `Cookie` — are forwarded.
+If the error page service is in a separate trust domain, use this option to restrict which headers cross the service boundary.
+
+Set to an explicit list to forward only those headers, or set to an empty list (`errorRequestHeaders: []`) to forward no headers.

docs/content/reference/routing-configuration/other-providers/file.toml

@@ -209,6 +209,7 @@
         status = ["foobar", "foobar"]
         service = "foobar"
         query = "foobar"
+        errorRequestHeaders = ["foobar", "foobar"]
         [http.middlewares.Middleware10.errors.statusRewrites]
           name0 = 42
           name1 = 42

docs/content/reference/routing-configuration/other-providers/file.yaml

@@ -232,6 +232,9 @@ http:
           name1: 42
         service: foobar
         query: foobar
+        errorRequestHeaders:
+          - foobar
+          - foobar
     Middleware11:
       forwardAuth:
         address: foobar