Update module github.com/traefik/traefik/v2 to v2.11.28 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/traefik/traefik/v2	v2.11.10 -> v2.11.28

GitHub Vulnerability Alerts

CVE-2024-52003

Impact

There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.14
• https://github.com/traefik/traefik/releases/tag/v3.2.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

The previously reported open redirect (GHSA-6qq8-5wq3-86rp) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.

Details

The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:

http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)

func safePrefix(req *http.Request) string {
	prefix := req.Header.Get("X-Forwarded-Prefix")
	if prefix == "" {
		return ""
	}

	parse, err := url.Parse(prefix)
	if err != nil {
		return ""
	}

	return parse.Path
}

PoC

An attacker can bypass this by sending the following payload:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

or similar:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

Impact

Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.

GHSA-hxr6-2p24-hf98

There is a potential vulnerability in Traefik managing HTTP/3 connections.

More details in the CVE-2024-53259.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.15
• https://github.com/traefik/traefik/releases/tag/v3.2.2

Workarounds

No workaround

For more information

If you have any questions or comments about this advisory, please open an issue.

GHSA-3wqc-mwfx-672p

Summary

We have encountered a security vulnerability being reported by our scanners for Traefik 2.11.22.

• https://security.snyk.io/vuln/SNYK-CHAINGUARDLATEST-TRAEFIK33-9403297

Details

It seems to target oauth2/jws library.

PoC

No steps to replicate this vulnerability

Impact

We have a strict control on security and we always try to stay up-to-date with the fixes received for third-party solutions.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.24
• https://github.com/traefik/traefik/releases/tag/v3.3.6
• https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

GHSA-5423-jcjm-2gpv

Summary

net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871] Vendor Affected Components: Go: 1.23.x < 1.23.8

More Details: CVE-2025-22871

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.24
• https://github.com/traefik/traefik/releases/tag/v3.3.6
• https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

CVE-2025-32431

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(‘/service’)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(‘/service/sub-path’)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/service/sub-path/../other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.24
• https://github.com/traefik/traefik/releases/tag/v3.3.6
• https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

Workaround

Add a PathRegexp rule to the matcher to prevent matching a route with a /../ in the path.

Example:

match: PathPrefix(`/service`) && !PathRegexp(`(?:(/\.\./)+.*)`)

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2025-47952

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(‘/service’)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(‘/service/sub-path’)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.25
• https://github.com/traefik/traefik/releases/tag/v3.4.1

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

Path traversal with "/../" using URL encodings ("/%2e%2e") allows for circumventing routing rules.

Details

When having defined a route, you can path traverse using the URL encoded variant of /../ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /../ and has been fixed in this CVE. This URL encoding trick works around that
https://nvd.nist.gov/vuln/detail/CVE-2025-32431

Simply implementing a check on the URL encoding won't be sufficient as path traversal can take numerous formats. See examples here:
https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html

PoC

Setup a service with two endpoints: "/public" and "/private", which returns a 200 OK for both
Setup a Traefik proxy with a single route which points to the service using path /public

Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik)
When making a request to /public/%2e%2e/private you should receive a 200 OK.

Impact

Impacts all traefik implementations with path prefix routes that expose only part of the downstream api

Suggestion

Provide configuration property which disables all path traversals. Steps:

1. Decode URL
2. Evaluate and construct relative path (do traversal before route evaluation)
3. Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp)

CVE-2025-54386

Summary

A path traversal vulnerability was discovered in WASM Traefik’s plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.
✅ After investigation, it is confirmed that no plugins on the Catalog were affected. There is no known impact.

Details

The vulnerability resides in the WASM plugin extraction logic, specifically in the unzipFile function (/plugins/client.go). The application constructs file paths during ZIP extraction using filepath.Join(destDir, f.Name) without validating or sanitizing f.Name. If the ZIP archive contains entries with ../, the resulting path can escape the intended directory, allowing writes to arbitrary locations on the host filesystem.

Attack Requirements

There are several requirements needed to make this attack possible:

• The Traefik server should be deployed with plugins enabled with a WASM plugin (yaegi plugins are not impacted).
• The attacker should have write access to a remote plugin asset loaded by the Traefik server
• The attacker should craft a malicious version of this plugin

Warning

As clearly stated in the documentation, plugins are experimental in Traefik, and unsafe plugins could damage your infrastructure:

Experimental Features
Plugins can change the behavior of Traefik in unforeseen ways. Exercise caution when adding new plugins to production Traefik instances.

Impact

This vulnerability did not affect any plugin from the catalog. There is no known impact.
Additionally, the catalog will also prevent any compromised plugin to be available across all Traefik versions.
This vulnerability could allow an attacker to perform arbitrary file write outside the intended plugin extraction directory by crafting a malicious ZIP archive that includes ../ (directory traversal) in file paths.

---

Release Notes

traefik/traefik (github.com/traefik/traefik/v2)

v2.11.28

Compare Source

All Commits

Bug fixes:

• [logs] Redact logged install configuration (#​11907 by jspdown)
• [plugins] Fix client arbitrary file access during archive extraction zipslip (#​11911 by odaysec)
• [server] Disable MPTCP by default (#​11918 by rtribotte)

Documentation:

• [k8s/crd,k8s] Remove all mentions of ordering for TLSOption CurvePreferences field (#​11924 by jnoordsij)

v2.11.27

Compare Source

All Commits

Bug fixes:

• Bump github.com/go-viper/mapstructure/v2 to v2.3.0 (#​11880 by kevinpollet)

v2.11.26

Compare Source

All Commits

Bug fixes:

• [middleware] Do not log redis sentinel username and password (#​11819 by kevinpollet)

Documentation:

• [kv] Fix KV reference rendering (#​11815 by rtribotte)
• [middleware,k8s/crd] Fix typo in redirect middleware documentation (#​11830 by rtribotte)
• Update supported versions (#​11811 by jnoordsij)

v2.11.25

Compare Source

All Commits

Bug fixes:

• [k8s/ingress] Fix panic for ingress with backend resource (#​11777 by rtribotte)
• [server] Normalize request path (#​11768 by kevinpollet)

Documentation:

• [middleware,k8s] Add multi-tenant TLS guidance to the docs (#​11724 by sheddy-traefik)
• [service] Add a note about how to disable connection reuse with backends (#​11716 by rtribotte)
• Fix broken link in documentation (#​11761 by sheddy-traefik)
• Change version for path sanitization migration guide (#​11702 by rtribotte)

v2.11.24

Compare Source

All Commits

Bug fixes:

• [acme] Bump github.com/go-acme/lego/v4 to v4.23.1 (#​11690 by ldez)
• [metrics] Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.72.2 (#​11693 by kevinpollet)
• [middleware] Add Content-Length header to preflight response (#​11682 by lbenguigui)
• [server] Sanitize request path (#​11684 by rtribotte)
• Bump github.com/redis/go-redis/v9 to v9.7.3 (#​11695 by kevinpollet)
• Bump golang.org/x/net to v0.38.0 (#​11691 by kevinpollet)
• Bump golang.org/x/oauth2 to v0.28.0 (#​11689 by rtribotte)

Documentation:

• [middleware] Add content-length best practice documentation (#​11697 by sheddy-traefik)
• Typo fix on the Explanation Section for User Guide HTTP Challenge. (#​11676 by YapWC)

v2.11.23

Compare Source

All Commits

Release canceled.

v2.11.22

Compare Source

All Commits

Bug fixes:

• [ecs,logs] Bump AWS SDK to v2 (#​11359 by Juneezee)
• [logs,tls] Error level log for configuration-related TLS errors with backends (#​11611 by rtribotte)
• [rules] Allow underscore character in HostSNI matcher (#​11557 by rohitlohar45)
• [server] Bump github.com/vulcand/oxy/v2 to v2.0.3 (#​11649 by adamvduke)
• [server] Bump golang.org/x/net to v0.37.0 (#​11632 by kevinpollet)
• [webui] Change boolean module properties default value to undefined (#​11639 by rtribotte)
• Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2 (#​11634 by kevinpollet)
• Bump github.com/redis/go-redis/v9 to v9.6.3 (#​11633 by kevinpollet)
• Bump golang.org/x/net to v0.36.0 (#​11608 by kevinpollet)
• Bump github.com/go-jose/go-jose/v4 to v4.0.5 (#​11571 by kevinpollet)

Documentation:

• [accesslogs] Remove documentation for OriginStatusLine and DownstreamStatusLine accessLogs fields (#​11599 by rtribotte)
• [middleware] Clarifies that retry middleware uses TCP, not HTTP status codes (#​11603 by geraldcroes)
• [redis] Add tip for dynamic configuration updates of Redis (#​11577 by Alanxtl)
• Add Security Support (#​11610 by nmengin)

v2.11.21

Compare Source

All Commits

Bug fixes:

• [acme] Bump github.com/go-acme/lego/v4 to v4.22.2 (#​11537 by ldez)
• [cli] Bump github.com/traefik/paerser to v0.2.2 (#​11530 by kevinpollet)
• [middleware] Enable the retry middleware in the proxy (#​11536 by kevinpollet)
• [middleware] Retry should send headers on Write (#​11534 by kevinpollet)

v3.3.3 (2025-01-31)

All Commits

Bug fixes:

• [api] Do not create observability model by default (#​11476 by rtribotte)
• [fastproxy] Fix content-length header assertion (#​11498 by kevinpollet)
• [fastproxy] Handle responses without content length header (#​11458 by rtribotte)
• [k8s/crd,k8s] Add missing headerField in Middleware CRD (#​11499 by jspdown)
• [tracing,accesslogs] Bring back TraceID and SpanID fields in access logs (#​11450 by rtribotte)

Misc:

• Merge branch v2.11 into v3.3 (#​11502 by rtribotte)
• Merge branch v2.11 into v3.3 (#​11491 by rtribotte)

v2.11.20 (2025-01-31)

All Commits

Bug fixes:

• [acme] Graceful shutdown for ACME JSON write operation (#​11497 by juliens)

Documentation:

• Change docker-compose to docker compose (#​11496 by khai-pi)

v2.11.19 (2025-01-29)

All Commits

Bug fixes:

• [middleware] Changing log message when client cert is not available to debug (#​11453 by Nelwhix)
• [service] Do not create a logger instance for each proxy (#​11487 by kevinpollet)
• [webui] Fix auto refresh not clearing on component unmount (#​11477 by DoubleREW)

Documentation:

• Remove awesome.traefik.io reference in documentation section (#​11435 by kevinpollet)

v3.3.2 (2025-01-14)

All Commits

Bug fixes:

• [fastproxy] Do not read response body for HEAD requests (#​11442 by kevinpollet)
• [metrics,tracing,accesslogs] Fix observability configuration on EntryPoints (#​11446 by rtribotte)
• [webui] Set content-type when serving webui index (#​11428 by kevinpollet)

Documentation:

• [acme] Fix deprecated dnsChallenge propagation logging and documentation (#​11433 by thomscode)
• [acme] Add missing trailing s to propagation.delayBeforeCheck option (#​11417 by jspiers)

Misc:

• Merge branch v2.11 into v3.3 (#​11419 by kevinpollet)

v3.3.1 (2025-01-07)

All Commits

Bug fixes:

• [websocket,server] Disable http2 connect setting for websocket by default (#​11408 by rtribotte)

v3.2.5 (2025-01-07)

All Commits

Bug fixes:

• [websocket,server] Disable http2 connect setting for websocket by default (#​11408 by rtribotte)

v2.11.18 (2025-01-07)

All Commits

Bug fixes:

• [websocket,server] Disable http2 connect setting for websocket by default (#​11412 by rtribotte)

v3.3.0 (2025-01-06)

All Commits

Enhancements:

• [acme] Add options to control ACME propagation checks (#​11241 by ldez)
• [api] Add support dump API endpoint (#​11328 by mmatur)
• [http] Set Host header in HTTP provider request (#​11237 by nikonhub)
• [k8s/crd,k8s] Make the IngressRoute kind optional (#​11177 by skirtan1)
• [k8s/ingress,sticky-session,k8s/crd,k8s] Support serving endpoints (#​11121 by BZValoche)
• [logs,accesslogs] OpenTelemetry Logs and Access Logs (#​11319 by rtribotte)
• [logs,accesslogs] Add experimental flag for OTLP logs integration (#​11335 by kevinpollet)
• [metrics,tracing,accesslogs] Manage observability at entrypoint and router level (#​11308 by rtribotte)
• [middleware,authentication] Add an option to preserve the ForwardAuth Server Location header (#​11318 by Nelwhix)
• [middleware,authentication] Only calculate basic auth hashes once for concurrent requests (#​11143 by michelheusschen)
• [middleware,authentication] Send request body to authorization server for forward auth (#​11097 by kyo-ke)
• [plugins] Add AbortOnPluginFailure option to abort startup on plugin load failure (#​11228 by bmagic)
• [sticky-session] Configurable path for sticky cookies (#​11166 by IIpragmaII)
• [webui,api] Configurable API & Dashboard base path (#​11250 by rtribotte)

Bug fixes:

• [k8s/ingress,k8s/crd] Fix fenced server status computation (#​11361 by kevinpollet)

Documentation:

• Prepare release v3.3.0-rc2 (#​11362 by rtribotte)
• Prepare Release v3.3.0-rc1 (#​11349 by rtribotte)

Misc:

• Merge branch v3.2 into v3.3 (#​11402 by kevinpollet)
• Merge branch v3.2 into v3.3 (#​11393 by mmatur)
• Merge branch v3.2 into v3.3 (#​11389 by mmatur)
• Merge branch v3.2 into v3.3 (#​11367 by kevinpollet)
• Merge branch v3.2 into master (#​11340 by kevinpollet)
• Merge branch v3.2 into master (#​11293 by kevinpollet)
• Merge branch v3.2 into master (#​11239 by kevinpollet)
• Merge branch v3.2 into master (#​11187 by kevinpollet)

v3.2.4 (2025-01-06)

All Commits

Bug fixes:

• [k8s/gatewayapi] Support empty value for core Kubernetes API group (#​11386 by rtribotte)
• [tcp,k8s/crd] Pass TLS bool from IngressRouteTCP to TCPService (#​11343 by lipmem)
• [tls] Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 (#​11385 by mmatur)
• Remove duplicate github.com/coreos/go-systemd dependency (#​11354 by Juneezee)

Documentation:

• [k8s/gatewayapi] Update Gateway API version support to v1.2.1 (#​11357 by kevinpollet)
• Add @​jnoordsij to maintainers (#​11352 by emilevauge)

Misc:

• Merge branch v2.11 into v3.2 (#​11400 by kevinpollet)
• Merge branch v2.11 into v3.2 (#​11392 by rtribotte)
• Merge branch v2.11 into v3.2 (#​11388 by mmatur)
• Merge branch v2.11 into v3.2 (#​11366 by kevinpollet)

v2.11.17 (2025-01-06)

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.21.0 (#​11368 by ldez)
• [middleware] Fix typo in basicauth note (#​11397 by tieje)
• [service] Configure ErrorLog in httputil.ReverseProxy (#​11344 by peacewalker122)
• Bump golang.org/x/net to v0.33.0 (#​11365 by kevinpollet)

Documentation:

• [acme] Fix allowACMEByPass TOML example (#​11370 by hannesbraun)
• [k8s/crd] Update copyright for 2025 (#​11383 by kevinpollet)

v3.3.0-rc2 (2024-12-20)

All Commits

Bug fixes:

• [k8s/ingress,k8s/crd] Fix fenced server status computation (#​11361 by kevinpollet)

v3.3.0-rc1 (2024-12-16)

All Commits

Enhancements:

• [acme] Add options to control ACME propagation checks (#​11241 by ldez)
• [api] Add support dump API endpoint (#​11328 by mmatur)
• [http] Set Host header in HTTP provider request (#​11237 by nikonhub)
• [k8s/crd,k8s] Make the IngressRoute kind optional (#​11177 by skirtan1)
• [logs,accesslogs] OpenTelemetry Logs and Access Logs (#​11319 by rtribotte)
• [logs,accesslogs] Add experimental flag for OTLP logs integration (#​11335 by kevinpollet)
• [metrics,tracing,accesslogs] Manage observability at entrypoint and router level (#​11308 by rtribotte)
• [middleware,authentication] Add an option to preserve the ForwardAuth Server Location header (#​11318 by Nelwhix)
• [middleware,authentication] Only calculate basic auth hashes once for concurrent requests (#​11143 by michelheusschen)
• [middleware,authentication] Send request body to authorization server for forward auth (#​11097 by kyo-ke)
• [plugins] Add AbortOnPluginFailure option to abort startup on plugin load failure (#​11228 by bmagic)
• [sticky-session] Configurable path for sticky cookies (#​11166 by IIpragmaII)
• [sticky-session,k8s/ingress,k8s/crd,k8s] Support serving endpoints (#​11121 by BZValoche)
• [webui,api] Configurable API & Dashboard base path (#​11250 by rtribotte)

Misc:

• Merge branch v3.2 into master (#​11340 by kevinpollet)
• Merge branch v3.2 into master (#​11293 by kevinpollet)
• Merge branch v3.2 into master (#​11239 by kevinpollet)
• Merge branch v3.2 into master (#​11187 by kevinpollet)

v3.2.3 (2024-12-16)

All Commits

Documentation:

• Update reference install documentation with current chart default (#​11332 by mloiseleur)

Misc:

• Merge branch v2.11 into v3.2 (#​11346 by kevinpollet)
• Merge branch v2.11 into v3.2 (#​11337 by kevinpollet)

v2.11.16 (2024-12-16)

All Commits

Bug fixes:

• [server] Update golang.org/x dependencies (#​11336 by rtribotte)

v3.2.2 (2024-12-10)

All Commits

Bug fixes:

• [docker,docker/swarm] Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* (#​11247 by anchal00)
• [k8s/gatewayapi] Update sigs.k8s.io/gateway-api to v1.2.1 (#​11314 by kevinpollet)
• [plugins] Fix WASM settings (#​11321 by juliens)
• [rules] Fix models mechanism for default rule syntax (#​11300 by rtribotte)

Documentation:

• Move callout to the entrypoint page footer (#​11305 by kevinpollet)
• Fix incorrect links in v3 migration sections (#​11297 by kevinpollet)
• New Install Reference Documentation (#​11213 by sheddy-traefik)

v2.11.15 (2024-12-06)

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.20.4 (#​11295 by ldez)
• [http3] Update github.com/quic-go/quic-go to v0.48.2 (#​11320 by kevinpollet)

v3.2.1 (2024-11-20)

All Commits

Bug fixes:

• [k8s/ingress,k8s] Fix HostRegexp config for rule syntax v2 (#​11288 by kevinpollet)
• [logs] Change level of peeking first byte error log to DEBUG for Postgres (#​11270 by rtribotte)
• [service,fastproxy] Fix case problem for websocket upgrade (#​11246 by juliens)

Documentation:

• [acme,tls] Document how to use Certificates of cert-manager (#​11053 by mloiseleur)
• [docker/swarm] Add tips about the use of docker in dynamic configuration for swarm provider (#​11207 by webash)
• [middleware] Add Compress middleware to migration guide (#​11229 by logica0419)

Misc:

• Merge branch v2.11 into v3.2 (#​11290 by kevinpollet)
• Merge branch v2.11 into v3.2 (#​11287 by rtribotte)
• Merge branch v2.11 into v3.2 (#​11285 by juliens)
• Merge branch v2.11 into v3.2 (#​11268 by kevinpollet)

v2.11.14 (2024-11-20)

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.20.2 (#​11263 by ldez)
• [logs,server] Change level of peeking first byte error log to DEBUG (#​11254 by rtribotte)
• [middleware,server] Drop untrusted X-Forwarded-Prefix header (#​11253 by rtribotte)
• [server] Apply keepalive config to h2c entrypoints (#​11276 by davefu113)
• [service] Fix internal handlers ServiceBuilder composition (#​11281 by juliens)

Documentation:

• [accesslogs] Update access-logs.md, add examples for accesslog.format (#​11275 by bluepuma77)
• Fix the defaultRule CLI examples (#​11282 by kevinpollet)
• Fix spelling, grammar, and rephrase sections for clarity in some documentation pages (#​11280 by AntoineDeveloper)
• Fix absolute link in the migration guide (#​11269 by kevinpollet)
• Add X-Forwarded-Prefix to the migration guide (#​11267 by kevinpollet)
• Fix a small typo in entrypoints documentation (#​11261 by quiode)
• Add a warning about environment variables casing for static configuration (#​11226 by anchal00)
• Improve documentation on dashboard (#​11220 by mloiseleur)

v3.2.0 (2024-10-28)

All Commits

Enhancements:

• [acme] Remove same email requirement for certresolvers (#​11019 by Emrio)
• [acme] Add support for custom CA certificates by certificate resolver (#​10816 by ldez)
• [acme] Add 30 day certificatesDuration step (#​10970 by luker983)
• [docker] Support HTTP BasicAuth for docker and swarm endpoint (#​10776 by 985492783)
• [k8s,k8s/gatewayapi] Add supported features to the Gateway API GatewayClass status (#​11056 by rtribotte)
• [k8s,k8s/gatewayapi] Update sigs.k8s.io/gateway-api to v1.2.0-rc1 (#​11124 by rtribotte)
• [k8s,k8s/gatewayapi] Add support for backend protocol selection in HTTP and GRPC routes (#​11051 by rtribotte)
• [k8s,k8s/gatewayapi] Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support (#​11042 by rtribotte)
• [k8s,k8s/gatewayapi] Support HTTPRoute destination port matching (#​11134 by kevinpollet)
• [k8s,k8s/gatewayapi] Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 (#​11131 by kevinpollet)
• [k8s,k8s/gatewayapi] Add support for Gateway API BackendTLSPolicies (#​11009 by rtribotte)
• [k8s,k8s/gatewayapi] Support NativeLB option in GatewayAPI provider (#​11147 by rtribotte)
• [k8s,k8s/gatewayapi] Support ResponseHeaderModifier filter (#​10987 by kevinpollet)
• [k8s,k8s/gatewayapi] Support GRPC routes (#​10975 by kevinpollet)
• [k8s,k8s/gatewayapi] Bump sigs.k8s.io/gateway-api to v1.2.0 (#​11167 by rtribotte)
• [metrics,otel] Allow setting service.name for OTLP metrics (#​10917 by cmartell-at-ocp)
• [middleware,accesslogs] Record trace id and EntryPoint span id into access log (#​10921 by weijiany)
• [middleware,authentication] Support LogUserHeader with forwardAuth middleware (#​10833 by GaleHuang)
• [middleware] Add encodings option to the compression middleware (#​10943 by wollomatic)
• [middleware] Add support for ipv6 subnet in ipStrategy (#​9747 by michal-kralik)
• [nomad] Support for watching instead of polling Nomad (#​10997 by deverton-godaddy)
• [server,performance] Introduce a fast proxy mode to improve HTTP/1.1 performances with backends (#​11122 by kevinpollet)
• [server] Configurable max request header size (#​10995 by lucasrod16)
• [service] Add mirrorBody option to HTTP mirroring (#​11032 by MatteoPaier)
• [service] Add an option to preserve server path (#​11193 by mmatur)

Bug fixes:

• [k8s,k8s/gatewayapi] Ensuring Gateway API reflected Traefik resource name unicity (#​11222 by rtribotte)
• [k8s,k8s/gatewayapi] Preserve GRPCRoute filters order (#​11199 by kevinpollet)
• [k8s,k8s/gatewayapi] Support http and https appProtocol for Kubernetes Service (#​11176 by WillDaSilva)
• [k8s,k8s/gatewayapi] Avoid updating Accepted status for routes matching no Gateways (#​11170 by rtribotte)
• [k8s,k8s/gatewayapi] Do not update gateway status when not selected by a gateway class (#​11169 by kevinpollet)
• [service] Detect and drop broken conns in the fastproxy pool (#​11212 by kevinpollet)

Documentation:

• [k8s,k8s/gatewayapi] Document nativeLBByDefault annotation on Kubernetes Gateway provider (#​11209 by mloiseleur)
• [k8s/crd,k8s] Detail CRD update with v3.2 in the migration guide (#​11164 by mloiseleur)
• [k8s/gatewayapi] Add missing RBAC in the migration guide (#​11189 by mloiseleur)
• [k8s] Fix instructions for downloading CRDs of Gateway API v1.2 (#​11191 by mloiseleur)
• Prepare release v3.2.0-rc2 (#​11182 by kevinpollet)
• Prepare Release v3.2.0-rc1 (#​11154 by rtribotte)

Misc:

• Merge branch v3.1 into v3.2 (#​11219 by kevinpollet)
• Merge branch v3.1 into v3.2 (#​11181 by kevinpollet)
• Merge branch v3.1 into master (#​11153 by kevinpollet)
• Merge branch v3.1 into master (#​11110 by kevinpollet)
• Merge branch v3.1 into master (#​11066 by mmatur)
• Merge branch v3.1 into master (#​11047 by mmatur)
• Merge branch v3.1 into master (#​10980 by kevinpollet)
• Merge branch v3.1 into master (#​10952 by mmatur)
• Merge branch v3.1 into master (#​10906 by rtribotte)

v3.1.7 (2024-10-28)

All Commits

Bug fixes:

• [k8s,k8s/gatewayapi] Preserve HTTPRoute filters order ([#​11

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 17 additional dependencies were updated

Details:

Package	Change
github.com/cloudflare/cloudflare-go	v0.104.0 -> v0.115.0
github.com/goccy/go-json	v0.10.3 -> v0.10.5
github.com/google/go-cmp	v0.6.0 -> v0.7.0
github.com/gorilla/websocket	v1.5.0 -> v1.5.3
github.com/miekg/dns	v1.1.59 -> v1.1.64
github.com/traefik/paerser	v0.2.1 -> v0.2.2
golang.org/x/crypto	v0.27.0 -> v0.36.0
golang.org/x/mod	v0.21.0 -> v0.23.0
golang.org/x/net	v0.29.0 -> v0.38.0
golang.org/x/oauth2	v0.21.0 -> v0.28.0
golang.org/x/sync	v0.8.0 -> v0.12.0
golang.org/x/sys	v0.25.0 -> v0.31.0
golang.org/x/term	v0.24.0 -> v0.30.0
golang.org/x/text	v0.18.0 -> v0.23.0
golang.org/x/time	v0.6.0 -> v0.11.0
golang.org/x/tools	v0.25.0 -> v0.30.0
google.golang.org/protobuf	v1.34.2 -> v1.36.5

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -t ./...
go: module github.com/traefik/traefik/v2@v2.11.28 requires go >= 1.24.0; switching to go1.24.8
go: downloading go1.24.8 (linux/amd64)
go: download go1.24.8: golang.org/toolchain@v0.0.1-go1.24.8.linux-amd64: verifying module: checksum database disabled by GOSUMDB=off