diff --git a/.github/workflows/check_doc.yaml b/.github/workflows/check_doc.yaml
new file mode 100644
index 000000000..5fea9809c
--- /dev/null
+++ b/.github/workflows/check_doc.yaml
@@ -0,0 +1,63 @@
+name: Check Documentation
+
+on:
+ pull_request:
+ branches:
+ - '*'
+ paths:
+ - '.github/workflows/check_doc.yaml'
+ - 'docs/**'
+
+jobs:
+
+ docs:
+ name: lint, build and verify
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v5
+ with:
+ fetch-depth: 0
+
+ - name: Install markdownlint
+ run: |
+ npm install --global markdownlint@0.29.0 markdownlint-cli@0.35.0
+
+ - name: Lint
+ run: ./docs/scripts/lint.sh docs
+
+ - name: Setup python
+ uses: actions/setup-python@v6
+ with:
+ python-version: '3.12'
+ cache: 'pip'
+ cache-dependency-path: "./docs/requirements.txt"
+
+ - name: Build documentation
+ working-directory: ./docs
+ run: |
+ pip install -r requirements.txt
+ mkdocs build --strict
+
+ - name: Setup ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: '3.4'
+
+ - name: Install html-proofer
+ run: |
+ gem install nokogiri --version 1.18.6 --no-document -- --use-system-libraries
+ gem install html-proofer --version 5.0.10 --no-document -- --use-system-libraries
+ env:
+ NOKOGIRI_USE_SYSTEM_LIBRARIES: "true"
+
+ # Comes from https://github.com/gjtorikian/html-proofer?tab=readme-ov-file#caching-with-continuous-integration
+ - name: Cache HTMLProofer
+ uses: actions/cache@v4
+ with:
+ path: tmp/.htmlproofer
+ key: ${{ runner.os }}-htmlproofer
+
+ - name: Verify
+ run: ./docs/scripts/verify.sh docs/site
diff --git a/.github/workflows/check_doc.yml b/.github/workflows/check_doc.yml
deleted file mode 100644
index 9c11c5f26..000000000
--- a/.github/workflows/check_doc.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Check Documentation
-
-on:
- pull_request:
- branches:
- - '*'
-
-jobs:
-
- docs:
- name: Check, verify and build documentation
- runs-on: ubuntu-latest
- timeout-minutes: 10
-
- steps:
- - name: Check out code
- uses: actions/checkout@v6
- with:
- fetch-depth: 0
-
- - name: Check documentation
- run: make docs-pull-images docs
- env:
- # These variables are not passed to workflows that are triggered by a pull request from a fork.
- DOCS_VERIFY_SKIP: ${{ vars.DOCS_VERIFY_SKIP }}
- DOCS_LINT_SKIP: ${{ vars.DOCS_LINT_SKIP }}
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yaml
similarity index 100%
rename from .github/workflows/documentation.yml
rename to .github/workflows/documentation.yaml
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 85e4bafc6..27b8b4c3a 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -8,7 +8,7 @@ on:
env:
GO_VERSION: '1.24'
GOLANGCI_LINT_VERSION: v2.0.2
- MISSPELL_VERSION: v0.6.0
+ MISSPELL_VERSION: v0.7.0
jobs:
diff --git a/docs/check.Dockerfile b/docs/check.Dockerfile
index d9593e5ed..d89f9efa9 100644
--- a/docs/check.Dockerfile
+++ b/docs/check.Dockerfile
@@ -34,6 +34,7 @@ RUN apk --no-cache --no-progress add \
COPY ./scripts/verify.sh /verify.sh
COPY ./scripts/lint.sh /lint.sh
+COPY ./scripts/lint-yaml.sh /lint-yaml.sh
WORKDIR /app
VOLUME ["/tmp","/app"]
diff --git a/docs/content/assets/css/code-copy.css b/docs/content/assets/css/code-copy.css
new file mode 100644
index 000000000..3273b0ec2
--- /dev/null
+++ b/docs/content/assets/css/code-copy.css
@@ -0,0 +1,18 @@
+/* Fix positioning of the built-in clipboard button for code blocks.
+ * In this theme, the button can end up positioned relative to ,
+ * so anchor it to the code block container instead.
+ */
+
+.md-typeset pre.highlight {
+ position: relative;
+}
+
+.md-typeset pre.highlight > button.md-clipboard {
+ position: absolute;
+ top: .25rem;
+ right: .25rem;
+ z-index: 10;
+ opacity: 1;
+ visibility: visible;
+}
+
diff --git a/docs/content/features/index.md b/docs/content/features/index.md
new file mode 100644
index 000000000..335b7408f
--- /dev/null
+++ b/docs/content/features/index.md
@@ -0,0 +1,148 @@
+---
+title: "Traefik Product Features Comparison"
+description: "Compare features across Traefik Proxy, Traefik Hub API Gateway (including AI Gateway capabilities), and Traefik Hub API Management to choose the right solution for your needs."
+---
+
+# Traefik Product Features Comparison
+
+The Traefik ecosystem offers multiple products designed to meet different requirements, from basic reverse proxy functionality to comprehensive API management and AI gateway capabilities. This comparison matrix helps you understand the features available in each product and choose the right solution for your use case.
+
+## Product Overview
+
+- **Traefik Proxy** is the open-source application proxy that serves as the foundation for all Traefik products. It provides essential reverse proxy, load balancing, and service discovery capabilities.
+
+- **[Traefik Hub API Gateway](https://traefik.io/solutions/api-gateway/)** builds on Traefik Proxy with enterprise-grade security, distributed features, and advanced access control for cloud-native API gateway scenarios. It includes **AI Gateway capabilities** that transform any AI endpoint into a managed API.
+
+- **[Traefik Hub API Management](https://traefik.io/solutions/api-management/)** adds comprehensive API lifecycle management, developer portals, and organizational features for teams managing multiple APIs across environments.
+
+- **[Traefik AI Gateway](https://traefik.io/solutions/ai-gateway/)** transforms any AI endpoint into a managed API with unified access to multiple LLMs, centralized credential management, semantic caching, local inferencing, and comprehensive AI governance features.
+
+- **[Traefik MCP Gateway](https://traefik.io/solutions/mcp-gateway/)** provides secure, governed access to Model Context Protocol (MCP) servers for AI agents with task-based access control (TBAC), session-smart routing, and comprehensive audit capabilities for enterprise AI workflows.
+
+## Features Matrix
+
+| Feature | Traefik Proxy | Traefik Hub API Gateway | Traefik Hub API Management |
+|---------|---------------|------------------------|---------------------------|
+| **Core Networking** | | | |
+| Services Auto-Discovery | ✓ | ✓ | ✓ |
+| Graceful Configuration Reload | ✓ | ✓ | ✓ |
+| Websockets, HTTP/2, HTTP/3, TCP, UDP, GRPC | ✓ | ✓ | ✓ |
+| Real-time Logs, Access Logs, Metrics & Distributed Tracing | ✓ | ✓ | ✓ |
+| Canary Deployments | ✓ | ✓ | ✓ |
+| Let's Encrypt | ✓ | ✓ | ✓ |
+| **Plugin Ecosystem** | | | |
+| [Plugin Support](https://plugins.traefik.io/plugins) ([Go](https://github.com/traefik/yaegi), [WASM](https://webassembly.org/)) | ✓ | ✓ | ✓ |
+| **Deployment & Operations** | | | |
+| Hybrid cloud, multi-cloud & on-prem compatible | ✓ | ✓ | ✓ |
+| Per-cluster dashboard | ✓ | ✓ | ✓ |
+| GitOps-native declarative configuration | ✓ | ✓ | ✓ |
+| **Authentication & Authorization** | | | |
+| JWT Authentication | ✗ | ✓ | ✓ |
+| OAuth 2.0 Token Introspection Authentication | ✗ | ✓ | ✓ |
+| OAuth 2.0 Client Credentials Authentication | ✗ | ✓ | ✓ |
+| OpenID Connect Authentication | ✗ | ✓ | ✓ |
+| Lightweight Directory Access Protocol (LDAP) | ✗ | ✓ | ✓ |
+| API Key Authentication | ✗ | ✓ | ✓ |
+| **Security & Policy** | | | |
+| Open Policy Agent | ✗ | ✓ | ✓ |
+| Native Coraza Web Application Firewall (WAF) | ✗ | ✓ | ✓ |
+| HashiCorp Vault Integration | ✗ | ✓ | ✓ |
+| **Distributed Features** | | | |
+| Distributed Let's Encrypt | ✗ | ✓ | ✓ |
+| Distributed Rate Limit | ✗ | ✓ | ✓ |
+| HTTP Caching | ✗ | ✓ | ✓ |
+| **Compliance** | | | |
+| FIPS 140-2 Compliance (Linux & Windows) | ✗ | ✓ | ✓ |
+| **AI Gateway Capabilities** | | | |
+| Unified Multi-LLM API Access | ✗ | ✓ | ✓ |
+| Centralized AI Credential Management | ✗ | ✓ | ✓ |
+| AI Provider Flexibility (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.) | ✗ | ✓ | ✓ |
+| Semantic Caching for AI Responses | ✗ | ✓ | ✓ |
+| Content Guard & PII Protection | ✗ | ✓ | ✓ |
+| AI-specific Observability & OpenTelemetry Integration | ✗ | ✓ | ✓ |
+| Support for Local/Self-hosted LLMs & Inference (Ollama, Mistral, etc.) | ✗ | ✓ | ✓ |
+| **MCP Gateway Capabilities** | | | |
+| Task-Based Access Control (TBAC) for AI Agents | ✗ | ✓ | ✓ |
+| MCP Servers Governance | ✗ | ✓ | ✓ |
+| Session-Smart Load Balancing for Agent Workflows | ✗ | ✓ | ✓ |
+| OAuth 2.1 / 2.0 Resource Server for MCP | ✗ | ✓ | ✓ |
+| Fine-grained Policy Enforcement for AI Tools | ✗ | ✓ | ✓ |
+| Audit-ready Observability for Agent Interactions | ✗ | ✓ | ✓ |
+| **API Management** | | | |
+| Flexible API grouping and versioning | ✗ | ✗ | ✓ |
+| API Developer Portal | ✗ | ✗ | ✓ |
+| OpenAPI Specifications Support | ✗ | ✗ | ✓ |
+| Multi-cluster dashboard | ✗ | ✗ | ✓ |
+| Built-in identity provider (or use your own) | ✗ | ✗ | ✓ |
+| Configuration linter & change impact analysis | ✗ | ✗ | ✓ |
+| Pre-built Grafana dashboards | ✗ | ✗ | ✓ |
+| Event correlation for quick incident mitigation | ✗ | ✗ | ✓ |
+| Traffic debugger | ✗ | ✓ | ✓ |
+| **Support** | | | |
+| Built-In Commercial Support | Add-on | ✓ | ✓ |
+
+## Choosing the Right Product
+
+### Start with Traefik Proxy
+
+Traefik Proxy is the ideal starting point for organizations looking for a reliable, open-source application proxy with essential networking capabilities. Deploy it as your default ingress tier if you need:
+
+- Basic reverse proxy and load balancing
+- Service discovery for containerized applications
+- Simple TLS termination and Let's Encrypt integration
+- Cost-effective solution with community support (can upgrade to Traefik Hub for more features)
+
+### Upgrade to Traefik Hub API Gateway
+
+Traefik Hub API Gateway layers enterprise security, distributed coordination, and AI Gateway capabilities on top of Traefik Proxy. Upgrade to it when you need:
+
+- Enterprise security requirements (JWT, OIDC, LDAP)
+- Distributed deployments across multiple clusters
+- Advanced rate limiting and caching
+- WAF and policy enforcement
+- AI Gateway capabilities
+- Commercial support
+
+### Consider Traefik AI Gateway
+
+Traefik AI Gateway unifies hosted and self-hosted LLM access under centralized control and observability. Consider it if you have:
+
+- Multi-LLM applications requiring unified API access
+- Organizations using multiple AI providers (OpenAI, Anthropic, Azure OpenAI, AWS Bedrock, etc.)
+- Local/self-hosted LLM deployments (Ollama, Mistral)
+- Centralized AI credential and security management
+- Cost optimization through semantic caching
+- PII protection and content filtering for AI interactions
+- Comprehensive AI observability and compliance requirements
+
+### Choose Traefik MCP Gateway
+
+Traefik MCP Gateway governs how AI agents interact with Model Context Protocol servers through task-aware policies and session-smart routing. Choose it if you need:
+
+- AI agent deployments requiring secure access to MCP servers
+- Task-based access control (TBAC) for AI workflows
+- Governance of Model Context Protocol interactions
+- Session-smart routing for long-running agent conversations
+- OAuth 2.1 / 2.0 compliant MCP server protection
+- Audit-ready observability for AI agent activities
+- Fine-grained policy enforcement for AI tools and resources
+
+### Choose Traefik Hub API Management
+
+Traefik Hub API Management extends the gateway foundation with API lifecycle tooling, developer experience features, and governance workflows. Choose it when you have:
+
+- Multiple APIs requiring centralized management
+- Developer teams needing self-service portals
+- Complex API versioning and lifecycle requirements
+- Multi-cluster environments requiring unified dashboards
+- Compliance and governance needs
+
+## Migration Path
+
+The Traefik ecosystem is designed for seamless upgrades. You can start with Traefik Proxy and add capabilities as your requirements grow:
+
+1. **Traefik Proxy** → **Hub API Gateway**: Add enterprise security, distributed features, and AI Gateway capabilities
+2. **Hub API Gateway** → **Hub API Management**: Add comprehensive API management and governance features
+3. **MCP Gateway**: Specialized solution for AI agent governance and Model Context Protocol management
+
+All products share the same core configuration concepts, making migration straightforward while preserving your existing configurations and operational knowledge.
diff --git a/docs/content/index.md b/docs/content/index.md
index de8516356..e8ebfc818 100644
--- a/docs/content/index.md
+++ b/docs/content/index.md
@@ -11,6 +11,8 @@ Traefik is an [open-source](https://github.com/traefik/traefik) Application Prox
If you start with Traefik for service discovery and routing, you can seamlessly add [API management](https://traefik.io/solutions/api-management/), [API gateway](https://traefik.io/solutions/api-gateway/), [AI gateway](https://traefik.io/solutions/ai-gateway/), and [API mocking](https://traefik.io/solutions/api-mocking/) capabilities as needed.
+For a detailed comparison of all Traefik products and their capabilities, see our [Product Features Comparison](./features/).
+
With 3.3 billion downloads and over 55k stars on GitHub, Traefik is used globally across hybrid cloud, multi-cloud, on prem, and bare metal environments running Kubernetes, Docker Swarm, AWS, [the list goes on](https://doc.traefik.io/traefik/reference/install-configuration/providers/overview/).
Here’s how it works—Traefik receives requests on behalf of your system, identifies which components are responsible for handling them, and routes them securely. It automatically discovers the right configuration for your services by inspecting your infrastructure to identify relevant information and which service serves which request.
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
index a2af326f9..65b560cb0 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@@ -1,4 +1,3 @@
----
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
index c03dc0147..b2ab1e5db 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
@@ -1,4 +1,3 @@
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml b/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
index d3b1bef20..4b860c4c5 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-resource.yml
@@ -1,4 +1,3 @@
----
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml b/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
index 1f15ae429..886010b0b 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-simple-https.yml
@@ -1,4 +1,3 @@
----
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
index 7907daadc..ee5394387 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-gateway-traefik-lb-svc.yml
@@ -1,4 +1,3 @@
----
apiVersion: v1
kind: ServiceAccount
metadata:
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
index 57bd4afb6..ca36e2f41 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-ingress-nginx-rbac.yml
@@ -1,4 +1,3 @@
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml b/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
index 00276e7ef..ea721ec12 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-knative-rbac.yml
@@ -1,4 +1,3 @@
----
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
diff --git a/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml b/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
index 32471e4c7..2a1b33be4 100644
--- a/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-whoami-svc.yml
@@ -1,4 +1,3 @@
----
apiVersion: apps/v1
kind: Deployment
metadata:
diff --git a/docs/content/reference/install-configuration/api-dashboard.md b/docs/content/reference/install-configuration/api-dashboard.md
index deea2a815..c5736a9df 100644
--- a/docs/content/reference/install-configuration/api-dashboard.md
+++ b/docs/content/reference/install-configuration/api-dashboard.md
@@ -3,13 +3,27 @@ title: "Traefik API & Dashboard Documentation"
description: "Traefik Proxy exposes information through API handlers and showcase them on the Dashboard. Learn about the security, configuration, and endpoints of the APIs and Dashboard. Read the technical documentation."
---
-The dashboard is the central place that shows you the current active routes handled by Traefik.
+Traefik exposes a number of information through API endpoints, such as the configuration of your routers, services, middlewares, etc.
+
+The dashboard, which is the central place that displays the current active routes handled by Traefik, fetches the data from this API.
The dashboard in action
+## Security
+
+Enabling the API and the dashboard in production is not recommended, because it will expose all configuration elements,
+including sensitive data, for which access should be reserved to administrators.
+
+In production, it should be at least secured by authentication and authorizations.
+
+!!! info
+
+ It's recommended to NOT publicly exposing the API's port, keeping it restricted to internal networks
+ (as in the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege), applied to networks).
+
## Configuration Example
Enable the dashboard:
@@ -187,6 +201,7 @@ All the following endpoints must be accessed with a `GET` HTTP request.
| `/api/entrypoints` | Lists all the entry points information. |
| `/api/entrypoints/{name}` | Returns the information of the entry point specified by `name`. |
| `/api/overview` | Returns statistic information about HTTP, TCP and about enabled features and providers. |
+| `/api/support-dump` | Returns an archive that contains the anonymized static configuration and the runtime configuration. |
| `/api/rawdata` | Returns information about dynamic configurations, errors, status and dependency relations. |
| `/api/version` | Returns information about Traefik version. |
| `/debug/vars` | See the [expvar](https://golang.org/pkg/expvar/) Go documentation. |
@@ -203,14 +218,16 @@ All the following endpoints must be accessed with a `GET` HTTP request.
## Dashboard
-The dashboard is available at the same location as the API, but by default on the path `/dashboard/`.
+The dashboard is available by default on the path `/dashboard/`.
!!! note
- The trailing slash `/` in `/dashboard/` is mandatory. This limitation can be mitigated using the the [RedirectRegex Middleware](../../middlewares/http/redirectregex.md).
- - There is also a redirect from the path `/` to `/dashboard/`, but you should not rely on this behavior, as it is subject to change and may complicate routing rules.
+ - There is also a redirect from the path `/` to `/dashboard/`.
-To securely access the dashboard, you need to define a routing configuration within Traefik. This involves setting up a router attached to the service `api@internal`, which allows you to:
+As mentioned above in the [Security](#security) section, it is important to secure access to both the dashboard and the API.
+You need to define a routing configuration within Traefik.
+This involves setting up a router attached to the service `api@internal`, which allows you to:
- Implement security features using [middlewares](../../middlewares/overview.md), such as authentication ([basicAuth](../../middlewares/http/basicauth.md), [digestAuth](../../middlewares/http/digestauth.md),
[forwardAuth](../../middlewares/http/forwardauth.md)) or [allowlisting](../../middlewares/http/ipallowlist.md).
diff --git a/docs/content/reference/install-configuration/providers/docker.md b/docs/content/reference/install-configuration/providers/docker.md
index eff2a9297..dfc3dbab2 100644
--- a/docs/content/reference/install-configuration/providers/docker.md
+++ b/docs/content/reference/install-configuration/providers/docker.md
@@ -420,7 +420,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
- [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
- [Don't expose the Docker socket (not even to a container)](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/)
- - [A thread on Stack Overflow about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
+ - [A thread on Hacker News about sharing the `/var/run/docker.sock` file](https://news.ycombinator.com/item?id=17983623)
- [To DinD or not to DinD](https://blog.loof.fr/2018/01/to-dind-or-not-do-dind.html)
- [Traefik issue GH-4174 about security with Docker socket](https://github.com/traefik/traefik/issues/4174)
- [Inspecting Docker Activity with Socat](https://developers.redhat.com/blog/2015/02/25/inspecting-docker-activity-with-socat/)
diff --git a/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md b/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
index 99128c104..412cdb5e5 100644
--- a/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
+++ b/docs/content/reference/routing-configuration/kubernetes/ingress-nginx.md
@@ -283,9 +283,11 @@ The following annotations are organized by category for easier navigation.
| `nginx.ingress.kubernetes.io/affinity` | |
| `nginx.ingress.kubernetes.io/affinity-mode` | Only persistent mode supported; balanced/canary not supported. |
| `nginx.ingress.kubernetes.io/session-cookie-name` | |
+| `nginx.ingress.kubernetes.io/session-cookie-secure` | |
| `nginx.ingress.kubernetes.io/session-cookie-path` | |
| `nginx.ingress.kubernetes.io/session-cookie-domain` | |
| `nginx.ingress.kubernetes.io/session-cookie-samesite` | |
+| `nginx.ingress.kubernetes.io/session-cookie-max-age` | |
### Load Balancing & Backend
@@ -306,6 +308,7 @@ The following annotations are organized by category for easier navigation.
| | |
| `nginx.ingress.kubernetes.io/cors-allow-methods` | |
| `nginx.ingress.kubernetes.io/cors-allow-origin` | |
+| | |
| `nginx.ingress.kubernetes.io/cors-max-age` | |
### Routing
diff --git a/docs/content/setup/kubernetes.md b/docs/content/setup/kubernetes.md
index c54853e8c..024a48641 100644
--- a/docs/content/setup/kubernetes.md
+++ b/docs/content/setup/kubernetes.md
@@ -126,7 +126,7 @@ ingressRoute:
middlewares:
- name: dashboard-auth
-# Creates a BasiAuth Middleware and Secret for the Dashboard Security
+# Creates a BasicAuth Middleware and Secret for the Dashboard Security
extraObjects:
- apiVersion: v1
kind: Secret
diff --git a/docs/content/setup/swarm.md b/docs/content/setup/swarm.md
index 1b097831d..cb9af5965 100644
--- a/docs/content/setup/swarm.md
+++ b/docs/content/setup/swarm.md
@@ -61,7 +61,7 @@ In the same directory, create `docker‑compose‑swarm.yaml`:
```yaml
services:
traefik:
- image: traefik:v3.4
+ image: traefik:v3.6
networks:
# Connect to the 'traefik_proxy' overlay network for inter-container communication across nodes
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index d6c4ec0ad..9f26be973 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -2,24 +2,27 @@ site_name: Traefik
site_description: Traefik Documentation
site_author: traefik.io
site_url: https://doc.traefik.io/traefik
-dev_addr: 0.0.0.0:8000
+dev_addr: localhost:8000
repo_name: 'GitHub'
repo_url: 'https://github.com/traefik/traefik'
docs_dir: 'content'
-product: proxy
-# https://squidfunk.github.io/mkdocs-material/
+# Use custom version of mkdocs-material
+# See https://github.com/traefik/mkdocs-material
theme:
name: 'traefik-labs'
+ product: proxy
language: en
include_sidebar: true
favicon: assets/img/traefikproxy-icon-color.png
logo: assets/img/traefikproxy-vertical-logo-color.svg
feature:
tabs: false
+ features:
+ - content.code.copy
palette:
primary: 'cyan'
accent: 'cyan'
@@ -35,6 +38,7 @@ extra_javascript:
extra_css:
- assets/css/menu-icons.css
+ - assets/css/code-copy.css
plugins:
- search
@@ -185,6 +189,7 @@ markdown_extensions:
# Page tree
nav:
- 'What is Traefik': 'index.md'
+ - 'Features': 'features/index.md'
- 'Getting Started':
- 'Overview': 'getting-started/index.md'
- 'Configuration Introduction': 'getting-started/configuration-overview.md'
diff --git a/docs/readme.md b/docs/readme.md
index de1d8b677..822c1cd6a 100644
--- a/docs/readme.md
+++ b/docs/readme.md
@@ -16,3 +16,15 @@
[pymdown-extensions]: https://facelessuser.github.io/pymdown-extensions "PyMdown Extensions"
[pymdown-extensions-src]: https://github.com/facelessuser/pymdown-extensions "PyMdown Extensions - Sources"
+
+## Build locally without docker
+
+```sh
+# Pre-requisite: python3, pip and virtualenv
+DOCS="/tmp/traefik-docs"
+mkdir "$DOCS"
+virtualenv "$DOCS"
+source "$DOCS/bin/activate"
+pip install -r requirements.txt
+mkdocs serve # or mkdocs build
+```
diff --git a/docs/scripts/lint-yaml.sh b/docs/scripts/lint-yaml.sh
new file mode 100755
index 000000000..d48e8b1a9
--- /dev/null
+++ b/docs/scripts/lint-yaml.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+# This script checks that YAML files with multiple Kubernetes resources
+# do not start with '---'
+#
+# Rule: If a YAML file contains more than one Kubernetes resource
+# (indicated by '---' separator in the middle of the file),
+# it should NOT start with '---'
+
+set -eu
+
+BASE_DIR="${1:-/app}"
+
+echo "== Linting YAML files (Kubernetes multi-resource format)"
+
+# Find all YAML files in the content directory
+find "${BASE_DIR}/content" -type f \( -name "*.yml" -o -name "*.yaml" \) | while read -r file; do
+ # Count the number of '---' lines in the file
+ separator_count=$(grep -c "^---" "$file" || true)
+
+ # Check if file starts with '---'
+ starts_with_separator=false
+ if head -1 "$file" | grep -q "^---"; then
+ starts_with_separator=true
+ fi
+
+ # If file has multiple resources (separator_count >= 1 when starting with ---, or >= 2 otherwise)
+ # and starts with '---', it's an error
+ #
+ # Logic:
+ # - If starts with '---' and has more than 1 separator -> multiple resources, error
+ # - If doesn't start with '---' and has 1+ separators -> multiple resources, ok
+ if [ "$starts_with_separator" = true ] && [ "$separator_count" -gt 1 ]; then
+ echo "ERROR: $file starts with '---' but contains multiple Kubernetes resources"
+ echo " Files with multiple resources should not start with '---'"
+ # We need to signal error but can't use EXIT_CODE in subshell
+ # So we output to a temp file
+ echo "1" > /tmp/yaml_lint_error
+ fi
+done
+
+# Check if any errors were found
+if [ -f /tmp/yaml_lint_error ]; then
+ rm -f /tmp/yaml_lint_error
+ exit 1
+fi
+
+echo "YAML lint passed"
+exit 0
diff --git a/docs/scripts/lint.sh b/docs/scripts/lint.sh
index a46066df8..89035b002 100755
--- a/docs/scripts/lint.sh
+++ b/docs/scripts/lint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
# This script will run a couple of linter on the documentation
set -eu
@@ -6,14 +6,17 @@ set -eu
# We want to run all linters before returning success (exit 0) or failure (exit 1)
# So this variable holds the global exit code
EXIT_CODE=0
-readonly BASE_DIR=/app
+readonly BASE_DIR="${1:-/app}"
+
+# Run YAML linter for Kubernetes multi-resource files
+./docs/scripts/lint-yaml.sh "${BASE_DIR}" || EXIT_CODE=1
echo "== Linting Markdown"
# Uses the file ".markdownlint.json" for setup
cd "${BASE_DIR}" || exit 1
-LINTER_EXCLUSIONS="$(find "${BASE_DIR}/content" -type f -name '.markdownlint.json')"
-GLOBAL_LINT_OPTIONS="--config ${BASE_DIR}/.markdownlint.json"
+LINTER_EXCLUSIONS="$(find "content" -type f -name '.markdownlint.json')"
+GLOBAL_LINT_OPTIONS="--config .markdownlint.json"
# Lint the specific folders (containing linter specific rulesets)
for LINTER_EXCLUSION in ${LINTER_EXCLUSIONS}
@@ -24,6 +27,6 @@ do
done
# Lint all the content, excluding the previously done`
-eval markdownlint "${GLOBAL_LINT_OPTIONS}" "${BASE_DIR}/content/**/*.md" || EXIT_CODE=1
+eval markdownlint "${GLOBAL_LINT_OPTIONS}" "content/**/*.md" || EXIT_CODE=1
exit "${EXIT_CODE}"
diff --git a/pkg/api/dashboard/dashboard.go b/pkg/api/dashboard/dashboard.go
index b44a14bba..dd8c335b5 100644
--- a/pkg/api/dashboard/dashboard.go
+++ b/pkg/api/dashboard/dashboard.go
@@ -79,7 +79,13 @@ func Append(router *mux.Router, basePath string, customAssets fs.FS) error {
router.Methods(http.MethodGet).
Path(basePath).
HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
- prefix := strings.TrimSuffix(req.Header.Get("X-Forwarded-Prefix"), "/")
+ xfPrefix := req.Header.Get("X-Forwarded-Prefix")
+ if strings.Contains(xfPrefix, "//") {
+ log.Error().Msgf("X-Forwarded-Prefix contains an invalid value: %s, defaulting to empty prefix", xfPrefix)
+ xfPrefix = ""
+ }
+
+ prefix := strings.TrimSuffix(xfPrefix, "/")
http.Redirect(resp, req, prefix+dashboardPath, http.StatusFound)
})
diff --git a/pkg/api/dashboard/dashboard_test.go b/pkg/api/dashboard/dashboard_test.go
index b07bff4f6..f7d387e0c 100644
--- a/pkg/api/dashboard/dashboard_test.go
+++ b/pkg/api/dashboard/dashboard_test.go
@@ -9,7 +9,9 @@ import (
"testing/fstest"
"time"
+ "github.com/gorilla/mux"
"github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
)
func Test_ContentSecurityPolicy(t *testing.T) {
@@ -60,6 +62,52 @@ func Test_ContentSecurityPolicy(t *testing.T) {
}
}
+func Test_XForwardedPrefix(t *testing.T) {
+ testCases := []struct {
+ desc string
+ prefix string
+ expected string
+ }{
+ {
+ desc: "location in X-Forwarded-Prefix",
+ prefix: "//foobar/test",
+ expected: "/dashboard/",
+ },
+ {
+ desc: "scheme in X-Forwarded-Prefix",
+ prefix: "http://foobar",
+ expected: "/dashboard/",
+ },
+ {
+ desc: "path in X-Forwarded-Prefix",
+ prefix: "foobar",
+ expected: "/foobar/dashboard/",
+ },
+ }
+
+ router := mux.NewRouter()
+ err := Append(router, "/", fstest.MapFS{"index.html": &fstest.MapFile{
+ Mode: 0o755,
+ ModTime: time.Now(),
+ }})
+ require.NoError(t, err)
+
+ for _, test := range testCases {
+ t.Run(test.desc, func(t *testing.T) {
+ t.Parallel()
+
+ req := httptest.NewRequest(http.MethodGet, "/", http.NoBody)
+ req.Header.Set("X-Forwarded-Prefix", test.prefix)
+ rw := httptest.NewRecorder()
+
+ router.ServeHTTP(rw, req)
+
+ assert.Equal(t, http.StatusFound, rw.Code)
+ assert.Equal(t, test.expected, rw.Result().Header.Get("Location"))
+ })
+ }
+}
+
type errorFS struct{}
func (e errorFS) Open(name string) (fs.File, error) {
diff --git a/pkg/config/static/static_config.go b/pkg/config/static/static_config.go
index 59799c4e2..e5cf61c8f 100644
--- a/pkg/config/static/static_config.go
+++ b/pkg/config/static/static_config.go
@@ -317,6 +317,18 @@ func (c *Configuration) SetEffectiveConfiguration() {
c.Providers.KubernetesGateway.EntryPoints = entryPoints
}
+ // Configure Ingress NGINX provider.
+ if c.Providers.KubernetesIngressNGINX != nil {
+ var nonTLSEntryPoints []string
+ for epName, entryPoint := range c.EntryPoints {
+ if entryPoint.HTTP.TLS == nil {
+ nonTLSEntryPoints = append(nonTLSEntryPoints, epName)
+ }
+ }
+
+ c.Providers.KubernetesIngressNGINX.NonTLSEntryPoints = nonTLSEntryPoints
+ }
+
// Defines the default rule syntax for the Kubernetes Ingress Provider.
// This allows the provider to adapt the matcher syntax to the desired rule syntax version.
if c.Core != nil && c.Providers.KubernetesIngress != nil {
diff --git a/pkg/provider/acme/provider.go b/pkg/provider/acme/provider.go
index 6e5c99415..f8ab4ca1f 100644
--- a/pkg/provider/acme/provider.go
+++ b/pkg/provider/acme/provider.go
@@ -921,11 +921,11 @@ func (p *Provider) renewCertificates(ctx context.Context, renewPeriod time.Durat
for _, cert := range certificates {
client, err := p.getClient()
if err != nil {
- logger.Info().Err(err).Msgf("Error renewing certificate from LE : %+v", cert.Domain)
+ logger.Info().Err(err).Msgf("Error renewing ACME certificate: %+v", cert.Domain)
continue
}
- logger.Info().Msgf("Renewing certificate from LE : %+v", cert.Domain)
+ logger.Info().Msgf("Renewing ACME certificate: %+v", cert.Domain)
res := certificate.Resource{
Domain: cert.Domain.Main,
@@ -935,12 +935,14 @@ func (p *Provider) renewCertificates(ctx context.Context, renewPeriod time.Durat
opts := &certificate.RenewOptions{
Bundle: true,
+ EmailAddresses: p.EmailAddresses,
+ Profile: p.Profile,
PreferredChain: p.PreferredChain,
}
renewedCert, err := client.Certificate.RenewWithOptions(res, opts)
if err != nil {
- logger.Error().Err(err).Msgf("Error renewing certificate from LE: %v", cert.Domain)
+ logger.Error().Err(err).Msgf("Error renewing ACME certificate: %v", cert.Domain)
continue
}
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/00-ingress-with-no-annotation.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/00-ingress-with-no-annotation.yml
new file mode 100644
index 000000000..8b92a5958
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/00-ingress-with-no-annotation.yml
@@ -0,0 +1,23 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-no-annotation
+ namespace: default
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: whoami.localhost
+ http:
+ paths:
+ - backend:
+ service:
+ name: whoami
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - whoami.localhost
+ secretName: whoami-tls
diff --git a/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/10-ingress-with-use-regex.yml b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/10-ingress-with-use-regex.yml
new file mode 100644
index 000000000..4cd26cff9
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress-nginx/fixtures/ingresses/10-ingress-with-use-regex.yml
@@ -0,0 +1,22 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-with-use-regex
+ namespace: default
+ annotations:
+ nginx.ingress.kubernetes.io/use-regex: "true"
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: use-regex.localhost
+ http:
+ paths:
+ - path: /test(.*)
+ pathType: ImplementationSpecific
+ backend:
+ service:
+ name: whoami
+ port:
+ number: 80
diff --git a/pkg/provider/kubernetes/ingress-nginx/kubernetes.go b/pkg/provider/kubernetes/ingress-nginx/kubernetes.go
index 51c5dc14d..f9360fbbd 100644
--- a/pkg/provider/kubernetes/ingress-nginx/kubernetes.go
+++ b/pkg/provider/kubernetes/ingress-nginx/kubernetes.go
@@ -80,6 +80,9 @@ type Provider struct {
DefaultBackendService string `description:"Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'." json:"defaultBackendService,omitempty" toml:"defaultBackendService,omitempty" yaml:"defaultBackendService,omitempty" export:"true"`
DisableSvcExternalName bool `description:"Disable support for Services of type ExternalName." json:"disableSvcExternalName,omitempty" toml:"disableSvcExternalName,omitempty" yaml:"disableSvcExternalName,omitempty" export:"true"`
+ // NonTLSEntryPoints contains the names of entrypoints that are configured without TLS.
+ NonTLSEntryPoints []string `json:"-" toml:"-" yaml:"-" label:"-" file:"-"`
+
defaultBackendServiceNamespace string
defaultBackendServiceName string
@@ -800,7 +803,7 @@ func (p *Provider) applyMiddlewares(namespace, routerKey string, ingressConfig i
// Apply SSL redirect is mandatory to be applied after all other middlewares.
// TODO: check how to remove this, and create the HTTP router elsewhere.
- applySSLRedirectConfiguration(routerKey, ingressConfig, hasTLS, rt, conf)
+ p.applySSLRedirectConfiguration(routerKey, ingressConfig, hasTLS, rt, conf)
applyUpstreamVhost(routerKey, ingressConfig, rt, conf)
@@ -1007,7 +1010,7 @@ func applyWhitelistSourceRangeConfiguration(routerName string, ingressConfig ing
rt.Middlewares = append(rt.Middlewares, whitelistSourceRangeMiddlewareName)
}
-func applySSLRedirectConfiguration(routerName string, ingressConfig ingressConfig, hasTLS bool, rt *dynamic.Router, conf *dynamic.Configuration) {
+func (p *Provider) applySSLRedirectConfiguration(routerName string, ingressConfig ingressConfig, hasTLS bool, rt *dynamic.Router, conf *dynamic.Configuration) {
var forceSSLRedirect bool
if ingressConfig.ForceSSLRedirect != nil {
forceSSLRedirect = *ingressConfig.ForceSSLRedirect
@@ -1019,7 +1022,9 @@ func applySSLRedirectConfiguration(routerName string, ingressConfig ingressConfi
// An Ingress with TLS configuration creates only a Traefik router with a TLS configuration,
// so no Non-TLS router exists to handle HTTP traffic, and we should create it.
httpRouter := &dynamic.Router{
- Rule: rt.Rule,
+ // Only attach to entryPoint which do not activate TLS.
+ EntryPoints: p.NonTLSEntryPoints,
+ Rule: rt.Rule,
// "default" stands for the default rule syntax in Traefik v3, i.e. the v3 syntax.
RuleSyntax: "default",
Middlewares: rt.Middlewares,
@@ -1133,7 +1138,7 @@ func buildRule(host string, pa netv1.HTTPIngressPath, config ingressConfig) stri
rules = append(rules, fmt.Sprintf("Path(`%s`)", pa.Path))
case netv1.PathTypePrefix:
if ptr.Deref(config.UseRegex, false) {
- rules = append(rules, fmt.Sprintf("PathRegexp(`^%s`)", regexp.QuoteMeta(pa.Path)))
+ rules = append(rules, fmt.Sprintf("PathRegexp(`^%s`)", pa.Path))
} else {
rules = append(rules, buildPrefixRule(pa.Path))
}
diff --git a/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go b/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go
index fa5d90f13..88383f464 100644
--- a/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go
+++ b/pkg/provider/kubernetes/ingress-nginx/kubernetes_test.go
@@ -98,6 +98,76 @@ func TestLoadIngresses(t *testing.T) {
TLS: &dynamic.TLSConfiguration{},
},
},
+ {
+ desc: "No annotation",
+ paths: []string{
+ "ingresses/00-ingress-with-no-annotation.yml",
+ "ingressclasses.yml",
+ "services.yml",
+ "secrets.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-no-annotation-rule-0-path-0": {
+ Rule: "Host(`whoami.localhost`) && PathPrefix(`/`)",
+ RuleSyntax: "default",
+ TLS: &dynamic.RouterTLSConfig{},
+ Service: "default-ingress-with-no-annotation-whoami-80",
+ },
+ "default-ingress-with-no-annotation-rule-0-path-0-http": {
+ EntryPoints: []string{"web"},
+ Rule: "Host(`whoami.localhost`) && PathPrefix(`/`)",
+ RuleSyntax: "default",
+ Middlewares: []string{"default-ingress-with-no-annotation-rule-0-path-0-redirect-scheme"},
+ Service: "noop@internal",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{
+ "default-ingress-with-no-annotation-rule-0-path-0-redirect-scheme": {
+ RedirectScheme: &dynamic.RedirectScheme{
+ Scheme: "https",
+ ForcePermanentRedirect: true,
+ },
+ },
+ },
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-no-annotation-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{},
+ },
+ TLS: &dynamic.TLSConfiguration{
+ Certificates: []*tls.CertAndStores{
+ {
+ Certificate: tls.Certificate{
+ CertFile: "-----BEGIN CERTIFICATE-----",
+ KeyFile: "-----BEGIN CERTIFICATE-----",
+ },
+ },
+ },
+ },
+ },
+ },
{
desc: "Basic Auth",
paths: []string{
@@ -228,15 +298,17 @@ func TestLoadIngresses(t *testing.T) {
Service: "default-ingress-with-ssl-redirect-whoami-80",
},
"default-ingress-with-ssl-redirect-rule-0-path-0-http": {
+ EntryPoints: []string{"web"},
Rule: "Host(`sslredirect.localhost`) && Path(`/`)",
RuleSyntax: "default",
Middlewares: []string{"default-ingress-with-ssl-redirect-rule-0-path-0-redirect-scheme"},
Service: "noop@internal",
},
"default-ingress-without-ssl-redirect-rule-0-path-0-http": {
- Rule: "Host(`withoutsslredirect.localhost`) && Path(`/`)",
- RuleSyntax: "default",
- Service: "default-ingress-without-ssl-redirect-whoami-80",
+ EntryPoints: []string{"web"},
+ Rule: "Host(`withoutsslredirect.localhost`) && Path(`/`)",
+ RuleSyntax: "default",
+ Service: "default-ingress-without-ssl-redirect-whoami-80",
},
"default-ingress-without-ssl-redirect-rule-0-path-0": {
Rule: "Host(`withoutsslredirect.localhost`) && Path(`/`)",
@@ -637,6 +709,51 @@ func TestLoadIngresses(t *testing.T) {
TLS: &dynamic.TLSConfiguration{},
},
},
+ {
+ desc: "Use Regex",
+ paths: []string{
+ "services.yml",
+ "ingressclasses.yml",
+ "ingresses/10-ingress-with-use-regex.yml",
+ },
+ expected: &dynamic.Configuration{
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{},
+ Services: map[string]*dynamic.TCPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{
+ "default-ingress-with-use-regex-rule-0-path-0": {
+ Rule: "Host(`use-regex.localhost`) && PathRegexp(`^/test(.*)`)",
+ RuleSyntax: "default",
+ Service: "default-ingress-with-use-regex-whoami-80",
+ },
+ },
+ Middlewares: map[string]*dynamic.Middleware{},
+ Services: map[string]*dynamic.Service{
+ "default-ingress-with-use-regex-whoami-80": {
+ LoadBalancer: &dynamic.ServersLoadBalancer{
+ Servers: []dynamic.Server{
+ {
+ URL: "http://10.10.0.1:80",
+ },
+ {
+ URL: "http://10.10.0.2:80",
+ },
+ },
+ Strategy: "wrr",
+ PassHostHeader: ptr.To(true),
+ ResponseForwarding: &dynamic.ResponseForwarding{
+ FlushInterval: dynamic.DefaultFlushInterval,
+ },
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.ServersTransport{},
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
{
desc: "Default Backend",
defaultBackendServiceName: "whoami",
@@ -914,6 +1031,7 @@ func TestLoadIngresses(t *testing.T) {
k8sClient: client,
defaultBackendServiceName: test.defaultBackendServiceName,
defaultBackendServiceNamespace: test.defaultBackendServiceNamespace,
+ NonTLSEntryPoints: []string{"web"},
}
p.SetDefaults()
diff --git a/pkg/provider/kubernetes/ingress/fixtures/Ingress-with-defaultbackend-with-resource.yml b/pkg/provider/kubernetes/ingress/fixtures/Ingress-with-defaultbackend-with-resource.yml
new file mode 100644
index 000000000..2d21ccab4
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress/fixtures/Ingress-with-defaultbackend-with-resource.yml
@@ -0,0 +1,12 @@
+kind: Ingress
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: defaultbackend
+ namespace: testing
+
+spec:
+ defaultBackend:
+ resource:
+ apiGroup: example.com
+ kind: SomeBackend
+ name: foo
diff --git a/pkg/provider/kubernetes/ingress/fixtures/Ingress-with-empty-defaultbackend.yml b/pkg/provider/kubernetes/ingress/fixtures/Ingress-with-empty-defaultbackend.yml
new file mode 100644
index 000000000..9eff4acd5
--- /dev/null
+++ b/pkg/provider/kubernetes/ingress/fixtures/Ingress-with-empty-defaultbackend.yml
@@ -0,0 +1,8 @@
+kind: Ingress
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: defaultbackend
+ namespace: testing
+
+spec:
+ defaultBackend: {}
diff --git a/pkg/provider/kubernetes/ingress/kubernetes.go b/pkg/provider/kubernetes/ingress/kubernetes.go
index 775ff2a7d..fa0afe5d5 100644
--- a/pkg/provider/kubernetes/ingress/kubernetes.go
+++ b/pkg/provider/kubernetes/ingress/kubernetes.go
@@ -269,6 +269,17 @@ func (p *Provider) loadConfigurationFromIngresses(ctx context.Context, client Cl
continue
}
+ if ingress.Spec.DefaultBackend.Resource != nil {
+ // https://kubernetes.io/docs/concepts/services-networking/ingress/#resource-backend
+ logger.Error().Msg("Resource is not supported for default backend")
+ continue
+ }
+
+ if ingress.Spec.DefaultBackend.Service == nil {
+ logger.Error().Msg("Default backend is missing service definition")
+ continue
+ }
+
service, err := p.loadService(client, ingress.Namespace, *ingress.Spec.DefaultBackend)
if err != nil {
logger.Error().
diff --git a/pkg/provider/kubernetes/ingress/kubernetes_test.go b/pkg/provider/kubernetes/ingress/kubernetes_test.go
index 0b95bf173..c67e84e57 100644
--- a/pkg/provider/kubernetes/ingress/kubernetes_test.go
+++ b/pkg/provider/kubernetes/ingress/kubernetes_test.go
@@ -550,6 +550,26 @@ func TestLoadConfigurationFromIngresses(t *testing.T) {
},
},
},
+ {
+ desc: "Ingress with defaultbackend with resource",
+ expected: &dynamic.Configuration{
+ HTTP: &dynamic.HTTPConfiguration{
+ Middlewares: map[string]*dynamic.Middleware{},
+ Routers: map[string]*dynamic.Router{},
+ Services: map[string]*dynamic.Service{},
+ },
+ },
+ },
+ {
+ desc: "Ingress with empty defaultbackend",
+ expected: &dynamic.Configuration{
+ HTTP: &dynamic.HTTPConfiguration{
+ Middlewares: map[string]*dynamic.Middleware{},
+ Routers: map[string]*dynamic.Router{},
+ Services: map[string]*dynamic.Service{},
+ },
+ },
+ },
{
desc: "Ingress with one service without endpoint",
expected: &dynamic.Configuration{
diff --git a/pkg/server/router/tcp/router.go b/pkg/server/router/tcp/router.go
index 0f5c8f843..283f1364c 100644
--- a/pkg/server/router/tcp/router.go
+++ b/pkg/server/router/tcp/router.go
@@ -3,6 +3,7 @@ package tcp
import (
"bufio"
"bytes"
+ "context"
"crypto/tls"
"errors"
"io"
@@ -222,7 +223,17 @@ func (r *Router) acmeTLSALPNHandler() tcp.Handler {
}
return tcp.HandlerFunc(func(conn tcp.WriteCloser) {
- _ = tls.Server(conn, r.httpsTLSConfig).Handshake()
+ tlsConn := tls.Server(conn, r.httpsTLSConfig)
+ defer tlsConn.Close()
+
+ // This avoids stale connections when validating the ACME challenge,
+ // as we expect a validation request to complete in a short period of time.
+ ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+ defer cancel()
+
+ if err := tlsConn.HandshakeContext(ctx); err != nil {
+ log.Debug().Err(err).Msg("Error during ACME-TLS/1 handshake")
+ }
})
}
diff --git a/pkg/server/router/tcp/router_test.go b/pkg/server/router/tcp/router_test.go
index 1c2875776..768a78ea9 100644
--- a/pkg/server/router/tcp/router_test.go
+++ b/pkg/server/router/tcp/router_test.go
@@ -697,6 +697,64 @@ func Test_Routing(t *testing.T) {
}
}
+func Test_Router_acmeTLSALPNHandlerTimeout(t *testing.T) {
+ router, err := NewRouter()
+ require.NoError(t, err)
+
+ router.httpsTLSConfig = &tls.Config{}
+
+ listener, err := net.Listen("tcp", "127.0.0.1:0")
+ require.NoError(t, err)
+
+ acceptCh := make(chan struct{}, 1)
+ go func() {
+ close(acceptCh)
+
+ conn, err := listener.Accept()
+ require.NoError(t, err)
+
+ defer listener.Close()
+
+ router.acmeTLSALPNHandler().
+ ServeTCP(conn.(*net.TCPConn))
+ }()
+
+ <-acceptCh
+
+ conn, err := net.DialTimeout("tcp", listener.Addr().String(), 2*time.Second)
+ require.NoError(t, err)
+
+ // This is a minimal truncated Client Hello message
+ // to simulate a hanging connection during TLS handshake.
+ clientHello := []byte{
+ // TLS Record Header
+ 0x16, // Content Type: Handshake
+ 0x03, 0x01, // Version: TLS 1.0 (for compatibility)
+ 0x00, 0x50, // Length: 80 bytes
+ }
+
+ _, err = conn.Write(clientHello)
+ require.NoError(t, err)
+
+ errCh := make(chan error, 1)
+ go func() {
+ // This will return an EOF as the acmeTLSALPNHandler will close the connection
+ // after a timeout during the TLS handshake.
+ b := make([]byte, 256)
+ _, err = conn.Read(b)
+
+ errCh <- err
+ }()
+
+ select {
+ case err := <-errCh:
+ assert.ErrorIs(t, err, io.EOF)
+
+ case <-time.After(3 * time.Second):
+ t.Fatal("Error: Timeout waiting for acmeTLSALPNHandler to close the connection")
+ }
+}
+
// routerTCPCatchAll configures a TCP CatchAll No TLS - HostSNI(`*`) router.
func routerTCPCatchAll(conf *runtime.Configuration) {
conf.TCPRouters["tcp-catchall"] = &runtime.TCPRouterInfo{
diff --git a/pkg/server/service/loadbalancer/hrw/hrw_test.go b/pkg/server/service/loadbalancer/hrw/hrw_test.go
index d095bc361..a843fdb3d 100644
--- a/pkg/server/service/loadbalancer/hrw/hrw_test.go
+++ b/pkg/server/service/loadbalancer/hrw/hrw_test.go
@@ -12,11 +12,16 @@ import (
"github.com/stretchr/testify/assert"
)
+// newTestRand creates a deterministic random source for reproducible tests.
+func newTestRand() *rand.Rand {
+ return rand.New(rand.NewSource(12345))
+}
+
// genIPAddress generate randomly an IP address as a string.
-func genIPAddress() string {
+func genIPAddress(rng *rand.Rand) string {
buf := make([]byte, 4)
- ip := rand.Uint32()
+ ip := rng.Uint32()
binary.LittleEndian.PutUint32(buf, ip)
ipStr := net.IP(buf)
@@ -37,6 +42,7 @@ func initStatusArray(size int, value int) []int {
// The tests validate repartition using a margin of 10% of the number of requests
func TestBalancer(t *testing.T) {
+ rng := newTestRand()
balancer := New(false)
balancer.Add("first", http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
@@ -52,7 +58,7 @@ func TestBalancer(t *testing.T) {
recorder := &responseRecorder{ResponseRecorder: httptest.NewRecorder(), save: map[string]int{}}
req := httptest.NewRequest(http.MethodGet, "/", nil)
for range 100 {
- req.RemoteAddr = genIPAddress()
+ req.RemoteAddr = genIPAddress(rng)
balancer.ServeHTTP(recorder, req)
}
assert.InDelta(t, 80, recorder.save["first"], 10)
@@ -132,6 +138,7 @@ func TestBalancerOneServerDown(t *testing.T) {
}
func TestBalancerDownThenUp(t *testing.T) {
+ rng := newTestRand()
balancer := New(false)
balancer.Add("first", http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
@@ -155,7 +162,7 @@ func TestBalancerDownThenUp(t *testing.T) {
recorder = &responseRecorder{ResponseRecorder: httptest.NewRecorder(), save: map[string]int{}}
req := httptest.NewRequest(http.MethodGet, "/", nil)
for range 100 {
- req.RemoteAddr = genIPAddress()
+ req.RemoteAddr = genIPAddress(rng)
balancer.ServeHTTP(recorder, req)
}
assert.InDelta(t, 50, recorder.save["first"], 10)
@@ -163,6 +170,7 @@ func TestBalancerDownThenUp(t *testing.T) {
}
func TestBalancerPropagate(t *testing.T) {
+ rng := newTestRand()
balancer1 := New(true)
balancer1.Add("first", http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
@@ -188,8 +196,6 @@ func TestBalancerPropagate(t *testing.T) {
topBalancer.Add("balancer1", balancer1, Int(1), false)
_ = balancer1.RegisterStatusUpdater(func(up bool) {
topBalancer.SetStatus(context.WithValue(t.Context(), serviceName, "top"), "balancer1", up)
- // TODO(mpl): if test gets flaky, add channel or something here to signal that
- // propagation is done, and wait on it before sending request.
})
topBalancer.Add("balancer2", balancer2, Int(1), false)
_ = balancer2.RegisterStatusUpdater(func(up bool) {
@@ -199,7 +205,7 @@ func TestBalancerPropagate(t *testing.T) {
recorder := &responseRecorder{ResponseRecorder: httptest.NewRecorder(), save: map[string]int{}}
req := httptest.NewRequest(http.MethodGet, "/", nil)
for range 100 {
- req.RemoteAddr = genIPAddress()
+ req.RemoteAddr = genIPAddress(rng)
topBalancer.ServeHTTP(recorder, req)
}
assert.InDelta(t, 25, recorder.save["first"], 10)
@@ -214,7 +220,7 @@ func TestBalancerPropagate(t *testing.T) {
recorder = &responseRecorder{ResponseRecorder: httptest.NewRecorder(), save: map[string]int{}}
req = httptest.NewRequest(http.MethodGet, "/", nil)
for range 100 {
- req.RemoteAddr = genIPAddress()
+ req.RemoteAddr = genIPAddress(rng)
topBalancer.ServeHTTP(recorder, req)
}
assert.InDelta(t, 25, recorder.save["first"], 10)
@@ -230,7 +236,7 @@ func TestBalancerPropagate(t *testing.T) {
recorder = &responseRecorder{ResponseRecorder: httptest.NewRecorder(), save: map[string]int{}}
req = httptest.NewRequest(http.MethodGet, "/", nil)
for range 100 {
- req.RemoteAddr = genIPAddress()
+ req.RemoteAddr = genIPAddress(rng)
topBalancer.ServeHTTP(recorder, req)
}
assert.InDelta(t, 50, recorder.save["first"], 10)
@@ -254,6 +260,7 @@ func TestBalancerAllServersZeroWeight(t *testing.T) {
}
func TestSticky(t *testing.T) {
+ rng := newTestRand()
balancer := New(false)
balancer.Add("first", http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
@@ -269,7 +276,7 @@ func TestSticky(t *testing.T) {
recorder := &responseRecorder{ResponseRecorder: httptest.NewRecorder(), save: map[string]int{}}
req := httptest.NewRequest(http.MethodGet, "/", nil)
- req.RemoteAddr = genIPAddress()
+ req.RemoteAddr = genIPAddress(rng)
for range 10 {
for _, cookie := range recorder.Result().Cookies() {
req.AddCookie(cookie)
diff --git a/pkg/server/service/loadbalancer/leasttime/leasttime_test.go b/pkg/server/service/loadbalancer/leasttime/leasttime_test.go
index aae0d8240..53bb81505 100644
--- a/pkg/server/service/loadbalancer/leasttime/leasttime_test.go
+++ b/pkg/server/service/loadbalancer/leasttime/leasttime_test.go
@@ -972,23 +972,22 @@ func TestTrafficShiftsWhenPerformanceDegrades(t *testing.T) {
assert.InDelta(t, 25, recorder.save["server2"], 10) // 25 ± 10 requests
// Phase 2: server1 degrades (simulating GC pause, CPU spike, or network latency).
- server1Delay.Store(15) // Now 15ms (3x slower)
+ server1Delay.Store(50) // Now 50ms (10x slower) - dramatic degradation for reliable detection
// Make more requests to shift the moving average.
// Ring buffer has 100 samples, need significant new samples to shift average.
- // server1's average will climb from ~5ms toward 15ms.
+ // server1's average will climb from ~5ms toward 50ms.
recorder2 := &responseRecorder{ResponseRecorder: httptest.NewRecorder(), save: map[string]int{}}
for range 60 {
balancer.ServeHTTP(recorder2, httptest.NewRequest(http.MethodGet, "/", nil))
}
- // server2 should get significantly more traffic (>75%)
- // Score for server1: (~10-15ms × 1) / 1 = 10-15 (as average climbs)
- // Score for server2: (5ms × 1) / 1 = 5
+ // server2 should get significantly more traffic
+ // With 10x performance difference, server2 should dominate.
total2 := recorder2.save["server1"] + recorder2.save["server2"]
assert.Equal(t, 60, total2)
- assert.Greater(t, recorder2.save["server2"], 45) // At least 75% (45/60)
- assert.Less(t, recorder2.save["server1"], 15) // At most 25% (15/60)
+ assert.Greater(t, recorder2.save["server2"], 35) // At least ~60% (35/60)
+ assert.Less(t, recorder2.save["server1"], 25) // At most ~40% (25/60)
}
// TestMultipleServersWithSameScore tests WRR tie-breaking when multiple servers have identical scores.
diff --git a/script/code-gen-docker.sh b/script/code-gen-docker.sh
deleted file mode 100755
index e69de29bb..000000000
diff --git a/script/code-gen.sh b/script/code-gen.sh
index 529930801..59985a018 100755
--- a/script/code-gen.sh
+++ b/script/code-gen.sh
@@ -34,3 +34,6 @@ controller-gen crd:crdVersions=v1 \
echo "# Concatenate the CRD definitions for publication and integration tests ..."
cat "${CURRENT_DIR}"/docs/content/reference/dynamic-configuration/traefik.io_*.yaml > "${CURRENT_DIR}"/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
cp -f "${CURRENT_DIR}"/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml "${CURRENT_DIR}"/integration/fixtures/k8s/01-traefik-crd.yml
+
+# Remove leading '---' from the concatenated file (files with multiple resources should not start with ---)
+sed -i '1{/^---$/d;}' "${CURRENT_DIR}"/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml