Traefik + Let's Encrypt

Migration guide available; bug fix: deprecate the experimental flag for the Kubernetes Ingress NGINX provider.

Bug fixes: auto-negotiate Docker API, multi-layer routing with models, UDP allocation fix, Safari navigation fix, and Hub button component restoration; Documentation: fix Kubernetes Nginx provider docs and Gateway API version/features.

Bug fix: Docker and Docker Swarm now auto-negotiate the Docker API version.

Announces v3.6 RC1 with new certificatesresolvers options, enhanced health checks (TCP, passive), HighestRandomWeight LB, multi-layer routing, K8s GatewayAPI v1.4.0, Knative provider, ECS IPv6, Docker non-running containers, UI tweaks, plus fixes/docs.

Bug fixes: upgrade lego to v4.28.0 and refine deprecation loader to filter unknown nodes via file/env; Documentation: add ACME options, fix default encodings in compress middleware, and refresh Configuration Overview.

Release includes bug fixes for ACME (lego), HTTP/3, KV, OTEL, TLS stapling; stdout logging with OTLP; metric naming; and numerous docs/UI improvements, plus dependency bumps.

Bug fixes: update quic-go to v0.55.0, fix KV alive-check key name, bump golang.org/x/net to v0.46.0, and update dd-trace-go.v1 to v1.74.6.

Bug fixes across k8s CRD, plugins, server proxy header, and web UI; plus extensive docs updates including broken links, a new governance section, k8s CRD and IngressRouteTCP pages, typo fixes, config examples, and menu reorganizations.

Bug fixes: add GenericCLF access logs, fix customerrors URL replacement, send proxy protocol before TLS, and restore empty webui/static; docs: fixes to accesslogs path, OCSP/Swarm CLI examples, KV links, ratelimit options, HTTP3 link, and migration path.

Bug fixes across access logs, ACME, k8s gateway, OTEL, server, and tracing; UI deps updated; docs corrections; refactor to use reflect.TypeFor; plus branch merges.

Bug fixes: update lego to v4.25.2 and docker to v28.3.3; Documentation: fix broken links and update v3.5 release docs.

This release adds ACME improvements (OCSP, httpChallenge delay, provider timeouts), healthcheck options, k8s updates (gateway-api, ingress behavior, NGINX provider), forwardAuth cancellation handling, unsafe yaegi in plugins, Post-Quantum TLS, a React dashboard, plus assorted fixes and docs.

Bug fix: http3 upgrades quic-go to v0.54.0; Documentation: typo fixed on entrypoints page; Misc: merged v2.11 into v3.4 (two PRs).

Bug fixes: redact install config in logs, fix zip-slip in plugin archive extraction, disable MPTCP by default; Docs: remove TLSOption CurvePreferences ordering mentions.

Bug fixes for k8s gatewayapi annotation respect and balancer status concurrency; documentation adds Expose/Setup guides, swarm label fix, OTLP logs docs, Traefik Platform context page, and branch merge v2.11 into v3.4.

Bug fix: update github.com/go-viper/mapstructure/v2 to v2.3.0 to address related issues (PR #11880).

Bug fix: HTTP/3 dependency updated to quic-go v0.49.0 (PR #11848).

This release updates documentation across acme, docker/k8s, logs/metrics/tracing, middleware, service, and websocket; adds new observe guides and Ingress Backend note, removes obsolete docker compose version field, clarifies mirroring default, and merges v2.11 into v3.4.

Bug fix: middleware stops logging Redis Sentinel credentials. Documentation: fix KV reference rendering and a typo in redirect middleware docs; update supported versions.

Addresses CVE-2025-47952 and fixes several bugs: docker network warning, Kubernetes CEL validation, scoped rate-limit keys, v3 path matchers, thread-safe P2C, UI RemoveHeader, plus documentation tweaks and merges from v2.11.

Fixes CVE-2025-47952; bug fixes for Kubernetes ingress panic with backend resources and normalized server request paths; documentation updates include multi-tenant TLS guidance, note on disabling connection reuse, broken link fix, and path sanitization migration version change.

Traefik 3.4 adds ACME profile/emailAddresses, label-configured server URLs, extensive Kubernetes CRD/gatewayapi tweaks, middleware improvements (forwardAuth, error page codes, Redis limiter), p2c LB, sticky cookies, TLS/UDP systemd support, plus UI theme and RC docs.

Bug fix: accessLogs now expose SpanID and TraceID fields only when tracing is enabled (logs, middleware, accesslogs) to avoid unnecessary data.

Fixes for CVE-2025-32431, -22868, -22871; v3.3.6 sanitizes incoming request paths (removing /../, /./ and duplicate slashes) before routing; plus docs updates and v2.11 → v3.3 merge activity.

Fixes: three CVEs resolved; incoming request paths are sanitized (collapse /../, /./, duplicates) since v2.11.24 with migration guide; bug fixes include ACME, metrics, middleware Content-Length, server path sanitization; several dependency bumps and docs updates.

Release fixes: enforce HTTPS scheme for k8s gateway API, restore v2 compression priority, avoid abort on malformed response, ensure compression on flush; plus updated docs (forwarded headers FAQ, routing reference) and merges from v2.11 into v3.3.

Bug fixes and docs: update AWS SDK v2, TLS error logging, HostSNI underscore support, component bumps (

This release fixes fastproxy issues (HTTP headers, WS support, chunked responses), updates metrics unit to seconds, fixes tracing and sticky-cookie hash, updates ACME/docs, and merges v2.11 into v3.3.

Bug fixes: upgrade lego to v4.22.2, bump paerser to v0.2.2, enable retry middleware in proxy, and ensure retry sends headers on Write.

Bug fixes: disable default observability model; fix content-length header checks and handling of responses without length; add missing headerField in Middleware CRD; restore TraceID/SpanID in access logs. Misc: merge v2.11 into v3.3.

Fix: graceful shutdown for ACME JSON write; Docs: update docker-compose to docker compose.

Bug fixes: reduce log noise for missing client certs to debug, avoid per-proxy logger creation, and fix web UI auto-refresh not clearing on unmount; docs: remove awesome.traefik.io reference.

Bug fixes: avoid reading the body on HEAD, fix observability config on EntryPoints, and set WebUI content-type; Documentation: fix ACME dnsChallenge logging and add trailing s to propagation.delayBeforeCheck; Misc: merge v2.11 into v3.3.

Bug fix: disable the HTTP/2 connect setting by default for WebSocket (server/websocket) to prevent related issues.

Bug fix: disable HTTP2 connect setting for WebSocket by default (websocket,server).

Bug fix: WebSocket and server components now disable the HTTP/2 connect setting by default to simplify websocket connections.

This release brings extensive enhancements across ACME, API, HTTP, Kubernetes CRD/Ingress, observability (logs/tracing), middleware auth, plugins, sticky sessions and UI base path, plus a bug fix for fenced k8s ingress status.

Fixes the websocket upgrade issue via GODEBUG hint; bug fixes include empty core API group in k8s/gatewayapi, pass TLS bool to TCPService, SPIFFE v2 upgrade, and dedup of systemd, plus docs updates and v2.11→v3.2 merge housekeeping.

This release addresses websocket upgrade with GODEBUG, updates lego to v4.21.0 and x/net to v0.33.0, fixes basicauth note and ReverseProxy ErrorLog, and updates docs for allowACMEByPass and 2025 copyright.

Documentation updated to reflect the current chart default; two merges from v2.11 into v3.2 were completed.

Bug fix: server component updates golang.org/x dependencies (PR #11336) to resolve related issues.

Addressed CVE-2024-53259 with bug fixes including renaming Docker Swarm labels to traefik.swarm.*, updating gateway-api to v1.2.1, correcting WASM settings, and fixing default rule syntax, plus docs updates for entrypoint footer, v3 migration links, and install reference.

Addressed CVE-2024-53259; bug fixes include updating go-acme/lego to v4.20.4 and quic-go to v0.48.2.

Fixes k8s HostRegexp rule syntax v2, lowers first-byte log level to DEBUG for Postgres, fixes websocket upgrade case, and adds docs updates (cert-manager TLS, swarm, Compress in migration) plus merges v2.11 into v3.2.

Security: addressed CVE-2024-45410; fixes include upgrading go-acme/lego to v4.20.2, DEBUG logging for first-byte errors, dropping untrusted X-Forwarded-Prefix, applying keepalive to h2c, and ServiceBuilder fixes; plus documentation improvements.

Traefik v3.2 release: ACME enhancements (no same-email, custom CA certs, 30d certs), Docker BasicAuth for endpoints, expanded GatewayAPI/K8s features, metrics/middleware improvements, Nomad watching, performance/server tweaks, plus bug fixes and docs.

Bug fix: preserve HTTPRoute filters order; Documentation: fix broken links in Kubernetes Gateway provider page; Misc: merge v2.11 into v3.1 (two merges).

Fix panic on aborted requests to ensure connections close; also update business callouts in the documentation.

Bug fixes: reuse compression writers; fix Accept-Encoding default weight; close wasm middleware to prevent memory leak. Misc: merge v2.11 into v3.1 branches.

Bug fixes: update compression (middleware), Node.js 22.9 and yarn lock for WebUI vulnerabilities, and improved WebUI layout for many entrypoint ports. Docs: clarify redacted access-logs header fields and update business callout.

Bug fixes: disable IngressClass lookup when disableClusterScopeResources is on; adjust server timeout logging to avoid logs. Misc: merge v2.11 into v3.1 (two merges).

Bug fixes include setting Subject CN for defaultGeneratedCert, cleaning forward-auth connection headers, updating the compress library, changing timeout logging, and removing unused WebUI boot files; docs add default access log format and API pagination.

Bug fix: guess Datadog socket type when unix prefix; Documentation: readme now mentions v3; Misc: merged v2.11 into v3.1.

Bug fixes: update http3/quic-go to v0.47.0 and fix server ACME resolver nil check.

Bug fixes: Kubernetes Ingress rule syntax and empty config, middleware/metrics capture wrap; plugins remove goexport and add _initialize. Docs: APIVersion removal, Kubernetes permissions, tracing/metrics notes. Misc: merge v2.11 into v3.1.

Bug fixes: include gateway status addresses, disable cluster-scope k8s resource discovery, stdout logs, grafana dashboards for >15s scrape; Docs: add access logs migration, fix HTTP docs and Gateway API channel default; Misc: Merge v2.11 into v3.1.

Bug fixes: docker updated to v27.1.1 and webui dependencies upgraded; Documentation: fixed embedded YouTube video and updated index.md to include the video.

Bug fixes: upgrade grpc to v1.64.1, avoid route status updates when unchanged, fix Grafana dashboards for longer scrape intervals, update open connections metric and ServiceName gauge, and remove duplicated kubectl apply in Kubernetes Gateway docs.

Bug fixes improve version log accuracy and enforce default cipher suites; documentation updates cover ACME duration, API exposition, sensitive data in labels, router-service linkage, Docker port selection, v3.1 versions table, and PR approval workflow.

Adds major Kubernetes Gateway API enhancements (status handling, v1.1, route attachments, matching, rewrite, backends, priorities, regex paths), HealthCheck for ExternalName, NodePort/internal IP support, middleware/plugin improvements, systemd activation, OpenTelemetry bumps, plus fixes and docs.

Addresses CVE-2024-39321; docs fixes and updated maintainers; and merges of v2.11 into v3.0 across three PRs.

CVE-2024-39321 patch: fix ECS OIDC/IRSA config, disable HTTP/3 QUIC 0-RTT, remove IPv6 interface names; plus docs updates for ACME/docker typo, capabilities, maintainers, Semaphore badge, and readme typos.

Fixes vulnerability CVE-2024-35255 (GHSA-rvj4-q8q5-8grf) and merges v2.11 into v3.0 via two PRs to consolidate the release.

Security advisory GHSA-rvj4-q8q5-8grf for CVE-2024-35255; bug fix updates go-acme/lego to v4.17.4; documentation updates to the supported versions table.

Addresses CVE-2024-24790; fixes logs OTel deps, appends to existing log files, corrects metrics label_replace, fixes Brotli/Accept-Encoding handling, updates v2→v3 migration docs, and merges v2.11 into v3.0.

Security: address CVE-2024-24790 via GHSA-7jmw-8259-q9jx; bug fix: acme updates lego to v4.17.3; docs: correct domain examples, clarify Ratelimit header behavior, add getting-started guide, remove deprecated Helm warning.

Addresses CVE-2024-24788; bug fixes across k8s ingress rule syntax, OpenTelemetry empty config, TLS/TCP rule handling, PostgreSQL deadlines, Web UI IP allowlist, plus numerous documentation updates.

Addresses CVE-2024-24788; fixes UI CSP overflow and provider icon sizing, removes deadlines for non-TLS connections, and includes multiple Kubernetes docs and gatewayapi/CLI migration polish.

Traefik v3 release introduces extensive enhancements across Consul, Docker providers, k8s gatewayapi, ECS, HTTP/3, metrics tracing OpenTelemetry, and UI improvements, plus migration and deprecations, with numerous bug fixes.

Release includes migration notes, patches for CVE-2023-45288 and CVE-2024-28869, and server fixes reverting LingeringTimeout and setting ReadTimeout default to 60s.

This release fixes ACME/TLS challenges, updates dependencies (lego, quic-go, Yaegi), adds TLSStore/middleware improvements, fixes logs and ECS detection, enhances UI/docs, and includes minor misc tweaks.

Adds Redis Sentinel support, KeepAlive options on entrypoints, and hashed WRR sticky cookies; deprecates IPWhiteList in favor of IPAllowList; plus numerous bug fixes and documentation updates.

Bug fix: Datadog logs now emit correct JSON format, resolving the JSON formatting issue in logs (PR #10233 by sssash18).

Push includes CVEs 2023-45283/45284; fixes: remove http-challenge backoff, update Consul API and quic-go, fix stripPrefix on retries, refuse recursive requests, deny URL fragments, remove deprecated Datadog tracing, plus governance/docs improvements.

This release fixes access log origin field placement and preflight status, updates core deps (lego, quic-go, x/net/grpc-go), and includes fixes for KV not found, forward auth leaks, CNAME/logs, X-Forwarded-For delete, plus docs.

Bug fixes: lego upgrades (v4.13.2/v4.13.0); fix backend resource panic; improve middleware plugin traceability. Docs: update maintainer guidelines and release docs. Misc: web UI hub tooltip uses a web component with a disable option.

Bug fix: update go-acme/lego to v4.12.2 in the acme module to address ACME-related issues.

Bug fixes: lego updates to v4.11–v4.12.x, wildcard DNS check fix, k8s CRD/ingress fixes, Hub cleanup, Prometheus cleanup, middleware improvements (semicolons, trailers, headers),

Bug fix: update vulcand/oxy to be5cf38; Documentation: fix the v2.10 migration guide.

Traefik 2.10 adds Kubernetes CRD/RBAC migration, plus new features across Docker, Kubernetes (service load balancer, CRDs, metrics), Nomad namespaces, tracing, WebUI tweaks, plus fixes and docs updates.

This release patches CVE-2023-29013 and CVE-2023-24534, mitigating security vulnerabilities and hardening input validation and related security controls.

Bug fixes: updated go-acme/lego and quic-go, improved metrics by exposing default cert, refreshed vulcand/oxy and Nomad TLS defaults, and removed the User-Agent header from ReverseProxy; docs clarify ratelimiting and TCP router variable naming.

Bug fix: server updated golang.org/x/net to v0.7.0 to address CVE-2022-41724.

Bug fixes include updating go-acme/lego, preventing panics with no network interfaces, more resilient file config, clearer UDP/TCP logs, safer rate limiting and header handling in middleware, IPv6 TCP HostSNI matching, plus various docs updates.

Addresses three CVEs; fixes include updating lego to v4.9.1, improving k8s CRD allowEmptyServices, reducing log noise, increasing plugin download timeout, TLS handling, updated tracing, and UI/documentation enhancements.

Fix: create a new capture instance per request; Docs: update Helm repo, improve building-testing page wording, add link descriptions, and remove experimental tag from Traefik Hub header.

Release 2.9.0 adds broad enhancements (ACME default cert, Docker/Podman host networking, IPv6, ECS Anywhere, health check option, ALPN for TCP/TLS, random load balancer order, improved metrics, TLS defaults, Datadog tracing), plus bug fix and docs.

Bug fix: update golang.org/x/net; docs: fix Docker watch option, document ECS autoDiscoverClusters, and clarify Kubernetes publishedService/IP options.

Bug fixes include Yaegi v0.14.2, IPv6 address/bracket handling, and dashboard showing default TLS options; docs add docker healthcheck timeout, Pilot deprecation notes, and business resources.

Bug fixes: resolve Docker retry memory leak, panic-safe retry middleware, allow startup with unavailable plugin service, and update paerser to v0.1.9; Documentation fixes for ACME, serversTransport CRD/docs, Kubernetes RBAC networking, and Pilot deprecation notes.

Bug fixes: update parser to v0.1.8 and add missing context in Marathon backoff.

Bug fixes across Kubernetes ingress key handling, KV store update, logging/tracing cleanup, metrics improvements, and plugins; plus YAML inline tag fix and various docs updates (K8s guides, Plugins Catalog, branding, and contribution pages).

Bug fixes include upgrading valkeyrie to v0.4.1, faster Prometheus metrics handling, and RedirectScheme supporting forwarded websocket protocol; docs updated for advocating page, commercial-app callout, and deprecation notices.

Adds multi-namespace support for Consul providers, upgrades quic-go, enhances logs, deprecates caOptional, adds URL-replace in errors, extends CircuitBreaker options, adds Nomad provider, HTTP/2 max streams, TLSStore CRD certs, Hub button, catalog access, token fix, and release/merge prep.

Bug fix: ensure Datadog client is cleanly stopped; Documentation: add middleware, k8s/crd CRD field docs (main, SANs, plugin).

Bug fixes: update go-acme/lego to v4.7.0 and fix log placeholder; Documentation: refresh Hub and k8s Gateway API links/versions, fix middleware/docs typos and rule rendering, update contributor swag link, bump Traefik version string, and clarify contributing docs.

Release adds config rebuild on Consul events, healthcheck failover

Bug fixes: corrected ExternalName log, fixed initial TCP lookup, TLS store panic, updated Yaegi to v0.12.0 and jaeger-client-go to v2.30.0; Docs: camelCase browserXssFilter, fix entrypoint redirection priority, correct maintainers guideline typo.

Fixes: ACME RenewInterval, ECS log duplicates and IDs, middleware header/large page handling and redirect regex; Yaegi updated to v0.11.3; plus docs tweaks for k8s gateway, logs fields, buffering defaults, preflight, and metadata.