Traefik + CloudFlare

Deprecates the Kubernetes Ingress NGINX provider’s experimental flag, aligning with the migration guide.

This update fixes Docker API auto-negotiation, multi-layer routing with models, UDP readLoop allocations, Safari navigation, remote Upgrade button in Web UI, and corrects Kubernetes Nginx provider docs and Gateway API version features.

Bug fix: Traefik now auto-negotiates the Docker API version for Docker and Docker Swarm.

This release adds new certificates resolvers options, enhanced health checks and load balancing (including HighestRandomWeight and least-time strategies), Docker non-running container discovery, ECS IPv6 support, Kubernetes CRD/gatewayapi updates, and UI improvements.

Bug fixes include upgrading lego to v4.28.0 and filtering unknown nodes for the deprecation loader; docs add missing ACME options, fix default encodings in compress middleware, and update the Configuration Overview Page.

Upgrades several dependencies (lego v4, quic-go, etcd v1.0.3) with bug fixes across acme, http3, logs/otel, tls, metrics; improves OTLP logging, continuous TLS staples, and docs.

Bug fixes: update quic-go to v0.55.0, fix KV alive-check key name, bump golang.org/x/net to v0.46.0, and upgrade dd-trace-go.v1 to v1.74.6.

Bug fixes: adjust max idle conns per host, plugins refactor, use client conn for proxy header, web UI script; Docs: fix links, add CRD docs, IngressRouteTCP fix, typos, governance, entrypoint examples, menu reorg, new Secure section.

This release fixes several bugs (GenericCLF access log format, customerrors URL replacement, proxy protocol before TLS handshake, and restoring empty WebUI as a library) and updates docs with typo fixes, links, and rate-limit/HTTP3 migration notes.

Bug fixes for OTEL access logs, ACME Lego bump, gatewayAPI app protocol case-insensitive, tracing header canonicalization and root-span naming, and sigterm handling; plus docs, UI updates, and repository merges.

Bug fixes: update lego to v4.25.2 and docker to v28.3.3; Documentation: fix invalid links and update v3.5 release docs.

Release adds ACME OCSP stapling and timeout controls, healthcheck URL/interval options, k8s gateway v1.3, Ingress prefix consistency, NGINX Ingress Provider, ForwardAuth cancellation handling, unsafe yaegi plugin manifest, PQ TLS X25519MLKEM768, and React UI migration.

Bug fixes: http3 quic-go bumped to v0.54.0; Documentation: typo fixed on entrypoints page; Misc: merged v2.11 into v3.4.

Bug fixes: redact install config in logs, fix zip-slip during archive extraction in plugins, disable MPTCP by default; Documentation: remove mentions of TLSOption CurvePreferences ordering.

Bug fixes for k8s gateway nativeLB flag and concurrent balancer status access; new/exposed setup guides and expose guides; updated docs for logs/accesslogs OTLP and Traefik Platform context; merge v2.11 into v3.4.

Bug fix: update github.com/go-viper/mapstructure/v2 to v2.3.0.

Bug fix: bump quic-go to v0.49.0 for HTTP/3.

Documentation updates across certificatesDuration, Docker/Kubernetes tutorials, Ingress Backend note, updated Logs/Metrics/Tracing/AccessLogs docs and new Observe guides, plus cleanup in middleware, service defaults, and a new WebSocket guide; plus branch merges.

Bug fix: middleware stops logging Redis Sentinel credentials; Documentation: fix KV reference rendering, fix typo in redirect middleware docs, and update supported versions.

Fixes CVE-2025-47952 and numerous bug fixes (docker warning, k8s CRD CEL validation, rate-limit scoping, routing path matchers, P2C thread-safety, UI RemoveHeader display) plus docs tweaks and v2.11-to-v3.4 merges.

Security: fixes CVE-2025-47952; Bug fixes: k8s ingress backend panic and server path normalization; Docs: multi-tenant TLS guidance, note on disabling backend connection reuse, broken link fix, and path sanitization migration guide version change.

Traefik 3.4 adds ACME profile and emailAddresses, configurable server URLs, enhanced Kubernetes CRD validation and rule handling, TLS/session ticket improvements, Redis rate limiter, p2c load-balancing, domain-configurable sticky cookies, and UI auto theme, with RC releases.

Bug fix: accessLogs now include SpanID and TraceID fields only when tracing is enabled, affecting logs, middleware, and accesslogs.

Fixed three CVEs (CVE-2025-32431, -22868, -22871) and added v3.3.6 request-path sanitization to normalize /.., /./, and duplicates, plus docs updates and merging v2.11 into v3.3.

Three CVEs fixed; request paths are sanitized before routing (collapse ..//./ and duplicates); plus bug fixes across acme, metrics, middleware, server, Redis, net/x/oauth2, and updated docs.

Bug fixes: k8s gateway now uses https scheme; revert middleware compression priority; don’t abort on malformed response content-type; compress data on flush when not started. Documentation: add forwarded headers FAQ and new Routing Reference. Misc: merge v2.11 into v3.3.

Release fixes include multiple dependency bumps (AWS SDK v2, oxy, x/net, jwt, redis, jose), TLS config error logging improvement, HostSNI underscore support, web UI default change, plus docs clarifications on retry middleware, Redis dynamic config tips, and added security support.

Release includes fastproxy fixes (WebSocket headers, chunked responses, fasthttp upgrade), metrics in seconds, sticky-cookie fix, tracing ResourceAttributes, docs updates, and a v2–v3 branch merge.

Bug fixes: update lego to v4.22.2 and paerser to v0.2.2; enable retry middleware in proxy and ensure headers are sent on Write during retries.

Bug fixes: avoid default observability model, fix content-length header handling, support responses without content length, add missing headerField in Middleware CRD, restore TraceID/SpanID in access logs. Misc: merge v2.11 into v3.3.

Bug fix: added graceful shutdown for ACME JSON write; Documentation: switch from docker-compose to docker compose.

Bug fixes: reduce log noise when client cert is missing, avoid per-proxy logger creation, fix web UI auto-refresh on unmount; docs: remove awesome.traefik.io reference.

Bug fixes: avoid reading HEAD responses, fix observability config on EntryPoints, serve webui with proper content-type; Documentation: ACME dnsChallenge logging and propagation.delayBeforeCheck updates; Misc: merge v2.11 into v3.3.

Bug fix: Disable the HTTP/2 connect setting for WebSocket on the server by default.

Bug fix: WebSocket/Server now disables the HTTP/2 connect setting by default.

Bug fix: WebSocket handling now disables the HTTP/2 connect setting by default.

Bug fixes: k8s gatewayapi supports empty core API group; TLS bool from IngressRouteTCP to TCPService; SPIFFE upgraded to v2.4.0; removed duplicate systemd dep. Docs: gatewayapi v1.2.1; new maintainer. Misc: merge v2.11 into v3.2.

Fixes websocket upgrade issue via GODEBUG flag; updates acme lego to v4.21.0, fixes basicauth note typo, configures ErrorLog in ReverseProxy, bumps Go x/net to v0.33.0, and updates docs.

Documentation: update reference install docs with the current chart default; Misc: merge v2.11 into v3.2 across two PRs.

Bug fix: server updates to golang.org/x dependencies (PR #11336).

Addressed CVE-2024-53259; fixes include Docker Swarm label rename to traefik.swarm.*, K8s gateway-api v1.2.1, WASM settings in plugins, default rule syntax models, plus documentation and install/reference improvements.

Security advisory CVE-2024-53259: fixes include updating go-acme/lego to v4.20.4 and quic-go to v0.48.2.

CVE-2024-45410 patched; fixes include HostRegexp rule syntax v2, Postgres first-byte log to DEBUG, websocket upgrade case, plus docs for cert-manager, docker/swarm tips, and Compress middleware in migration; and merges v2.11 into v3.2.

Patches CVE-2024-45410; updates acme to lego v4.20.2; lowers peeking-first-byte log to DEBUG; drops untrusted X-Forwarded-Prefix; applies keepalive to h2c entrypoints; fixes internal ServiceBuilder, plus related docs and access-logs improvements.

Traefik v3.2 introduces ACME improvements (no same-email requirement, custom CA certs, 30-day certs), Docker BasicAuth, extensive Gateway API/k8s updates, metrics/middleware enhancements, Nomad watch, server performance gains, and assorted fixes.

Bug fix: preserve HTTPRoute filters order; Documentation: fix broken Kubernetes Gateway provider links; Misc: merge v2.11 into v3.1 (two merges).

Fix: panic on aborted requests in middleware/service now closes the connection; Documentation: update business callouts.

Bug fixes: reuse compression writers, fix default Accept-Encoding weight, and close wasm middleware to prevent memory leak; Misc: merge v2.11 into v3.1.

Bug fixes: update compression library, Web UI dependencies, and port-number layout; Documentation: clarify redaction of header fields in access logs and update business callout.

Bug fixes: disable IngressClass lookup when disableClusterScopeResources is enabled; rework server timeout logging condition. Misc: merged v2.11 into v3.1 (two merges).

Bug fixes: correct Subject CN in default cert, forward-auth header cleanup, compression dependency bump, avoid logging on timeout, and removal of unused webui boot files. Documentation: clarify access log default format and add API pagination.

Bug fix: Datadog socket type guessed when unix prefix; Documentation: readme now mentions v3; Misc: merged v2.11 into v3.1.

Bug fixes: update quic-go to v0.47.0 for http3 and fix server to ensure ACME certificate resolver is not nil.

Bug fixes include Kubernetes Ingress rule syntax and allowing empty config, middleware service-capture wrapping, and plugin initialisation changes; documentation updates cover Kubernetes API references, required permissions, tracing notes, and migration mentions; plus merges from v2.11 into v3.1.

Fixes for CVE-2024-45410 across ACME, logs, middleware, server and plugins, including lego v4.18.0, custom ACME router handling, case-insensitive log field names, proper aborted streaming logs, cleaned Connection headers, parser/web UI upgrades, and several docs tweaks.

Bug fixes: align Gateway statuses with addresses, allow disabling cluster-scoped resource discovery, output logs to stdout, and fix Grafana scrape interval; docs updates for access logs, HTTP discovery, HTTP headers, and default Gateway API channel, plus branch merges.

Bug fixes: update docker to v27.1.1 and upgrade webui dependencies; Documentation: fix embedded YouTube video and update index.md to include video.

Bug fixes: update gRPC to v1.64.1; don't update route status when nothing changed; metrics improvements for Grafana scrape interval, open connections gauge, and ServiceName metric; Kubernetes Gateway docs remove duplicated kubectl apply.

Bug fixes: more accurate version log; enforce default cipher suites. Documentation: updated ACME cert duration, API exposition, storing sensitive data in labels, router-service link, Docker port selection on multi-ports, v3.1 versions table, and PR approval process.

Traefik 3.1 delivers major Kubernetes Gateway API improvements (v1.1, non-experimental provider, route status handling, HTTPRoute matching/redirects/priorities, ReferenceGrant, HealthCheck, EndpointSlices migration) plus notable fixes, plugins enhancements, and docs updates.

Fix CVE-2024-39321; update docs and maintainers; and merge current v2.11 into v3.0 across three PRs.

Address CVE-2024-39321 with bug fixes: ECS config for OIDC/IRSA; disable QUIC 0-RTT; remove IPv6 interface names; plus several docs improvements.

Fixes for CVE-2024-35255 (GHSA-rvj4-q8q5-8grf) and merging v2.11 into v3.0 to align releases.

Addresses CVE-2024-35255 (GHSA-rvj4-q8q5-8grf); fixes bug by updating acme/lego to v4.17.4; updates supported versions table in docs.

Addresses CVE-2024-24790; fixes logs (OTel bump, append to log), metrics label fix, middleware Brotli status when disabled and Accept-Encoding weights, docs migration update, and merges v2.11 into v3.0.

Addresses CVE-2024-24790 (GHSA advisory); fixes bug by updating acme to go-acme/lego v4.17.3, plus docs updates for domain examples, Ratelimit header behavior, getting-started guide, and removal of the deprecated Helm repo warning.

Addresses CVE-2024-24788; fixes rule syntax for k8s ingresses and TCP, allows empty OTEL config, bumps TLS tscert, removes PostgreSQL deadlines, adds WebUI IP allowlist, plus several docs updates.

Addresses CVE-2024-24788; fixes include removing deadlines for non-TLS, UI CSP overflow, provider icon sizing; and docs/k8s migrations and GatewayAPI path/type improvements, plus entryPoints capitalization.

Traefik v3.0 brings extensive enhancements across providers (Consul StrictChecks, Docker split, ECS healthy tasks, file reload on SIGHUP, HTTP3), k8s gatewayapi upgrades, improved observability and middleware, plus numerous bug fixes.

Migration: follow the guide; patch CVEs GHSA-7f4j-64p6-5h5v and CVE-2024-28869; bug fixes revert LingeringTimeout and set ReadTimeout default to 60s.

Several bugfixes across ACME/TLS, DNS/logging, ECS, TCP; dependency upgrades (lego v4.16.1, quic-go v0.42.0, Yaegi v0.16.1); better TLSStore labeling and UI/docs improvements.

Adds Redis Sentinel support, IPAllowList replaces IPWhiteList, new KeepAlive options on entrypoints, and WRR sticky cookies; fixes auth, file watcher, PROXY ReadHeaderTimeout, HTTP3, Nomad API, UI issues, and updates docs.

Bug fix: Corrected the Datadog logs JSON format issue.

Addresses CVEs 2023-45283/45284; bug fixes include removing http challenge backoff, updating Consul API, updating quic-go, fixing stripPrefix retries, refusing recursive requests, denying URL fragments, and removing deprecated Datadog tracing usage, plus governance/docs updates.

Release includes multiple bug fixes (access logs, preflight, KV, forward auth, CNAME flattening, X-Forwarded-For delete, healthcheck), dependency updates (lego, quic-go, x/net/grpc-go), and documentation improvements.

Fixes include updating lego to v4.13.2/v4.13.0, preventing resource backend panics, and improving middleware plugin traceability, plus maintainer/release doc updates and a WebUI hub tooltip enhancement with a disable option.

Bug fix: upgrade go-acme/lego to v4.12.2 (ACME).

Release includes multiple go-acme/lego updates, fixes for wildcard checks and Kubernetes subsets, code cleanup for Hub, metric/provider tweaks, middleware enhancements, plugin error messages, tracing upgrade, and various docs improvements.

Bug fix: update vulcand/oxy to be5cf38 (middleware/oxy); Documentation: fix the v2.10 migration guide.

Traefik v2.10 adds Kubernetes CRD/RBAC migration, plus broad enhancements (Docker, Kubernetes CRDs, native service load-balancing, metrics, Nomad, tracing, Web UI) and bug fixes (docker network warnings, k8s client-go, plugins, server) and docs.

I don’t have the release notes text—please share the notes or key changes so I can condense them into a single concise sentence.

Bug fixes span updates to go-acme/lego v4.10.2, quic-go v0.33.0, metrics default cert, oxy, Nomad TLS/defaults, and removal of the User-Agent header; plus docs clarifications for ratelimit middleware and TCP router variable naming.

Bug fix: server updated golang.org/x/net to v0.7.0 to address CVE-2022-41724.

This release fixes several bugs (lego update, ECS nil nets, file config resilience, log differentiation, rate limiting, error header, X-Forwarded-Proto, IPv6 in TCP HostSNI) and updates plugins, TLS quic-go, and documentation.

Fixes include three CVEs (CVE-2022-23469, CVE-2022-46153, CVE-2022-41717); bug fixes across acme, k8s/crd, logs, plugins, server, tls, tracing, and webui; plus documentation updates for docker, hub, k8s/helm, and middleware.

Bug fix: create a new capture instance per request; Documentation: update Helm repo, improve build/testing wording, add link descriptions, and remove the experimental tag on the Traefik Hub header.

Bug fixes include updating go-acme/lego to v4.9.0, Redis type fix, handling redefined http.responseWriters, removing raw cert escape, Yaegi upgrade, and tests side-effect removal; docs adjust gateway API links, dashboard rule, and add v2.9 to release page.

Release adds ACME default cert, ECS Anywhere, health-API-driven enhancements, Docker/Podman improvements (IPv6, host networking, empty services), TLS defaults and ALPN, metrics, plugin-secrets in K8s, and Pilot removal, plus a bugfix for ACME panic.

Bug fix: update golang.org/x/net to latest; Documentation updates correcting Docker watch option, ECS autoDiscoverClusters option, and Kubernetes publishedService/IP options.

Bug fixes: fix Consul Catalog UDP tags, simplify AddServer, allow empty plugin config, correct query-param equals matching, and optimize websocket headers. Documentation: add ECS constraints doc, fix RouteNamespaces link, add FAQ on json schema validation, and regex case-insensitivity note.

Bug fixes: Yaegi v0.14.2, IPv6 bracket address fix, and default TLS options shown in dashboard; Documentation updates: docker healthcheck timeout, Pilot deprecation notes, and added business resources.

Bug fixes: Docker mem leak on retries, retry middleware panic, and start when plugin service is unavailable; update paerser to v0.1.9. Docs: fix Infoblox ACME, k8s

Bug fixes: update the parser to v0.1.8 and add missing context in Marathon backoff.

Bug fixes across Kubernetes ingress key ordering, KV store, logging, metrics and service gauges, plus plugin and YAML serialization updates; and documentation improvements for Kubernetes, plugins catalog, branding and contribution guidelines.

Bug fixes, upgrade valkeyrie to v0.4.1, performance improvements for Prometheus metrics, and forwarded WebSocket support in RedirectScheme; docs update on advocating page language, commercial apps callout, and deprecation notices.

Adds multi-namespace support for Consul providers, upgrades quic-go, logs destination address, deprecates caOptional TLS option, enhances errors and circuit breaker config, adds Nomad provider, HTTP/2 max streams, TLSStore CRD, Traefik Hub, catalog access, plus release/docs/merge housekeeping.

Bug fix: cleanly stop the Datadog client; Documentation: add CRD field docs for main, SANs, and plugin in middleware/k8s.

Bug fixes for healthcheck, Gateway API listeners, RedirectScheme, rules muxers, plugins (Yaegi 0.13.0), and tracing; plus docs updates for CRD properties, PassTLSClientCert, TCP server-first notes, info relevance, and commercial links.

Bug fixes: update lego to v4.7.0 and fix log placeholder; Documentation: hub, Gateway API v1alpha1→v1alpha2 links, docs typos, rule rendering, contributor swag link, Traefik version s/2.6/2.7/, and contributing guide updates.

Adds Consul-driven dynamic config rebuild, health-check failover, HTTP/3 tweaks (advertised port, quic-go v0.25), experimental Traefik Hub, empty Kubernetes services, InfluxDB v2 metrics, relaxed plugin token constraint, reload throttling refactor, TCP HostSNIRegexp/muxer, and Hub/UI access changes.

Bug fixes across logs, TCP lookups, TLS store panics, and tracing; Yaegi updated to v0.12.0, Jaeger-client-go to v2.30.0; plus docs tweaks for browserXssFilter camelCase, entrypoint redirect priority, and maintainer guidelines typo.

Bug fixes include ACME RenewInterval, ECS duplicate logs and ID filtering, middleware header/redirect/page-size issues, and Yaegi updated to v0.11.3; plus docs tweaks for k8s/gatewayapi, logs fields, buffering defaults, preflight, and metadata.