Update module github.com/traefik/traefik/v2 to v2.11.25 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/traefik/traefik/v2	v2.11.10 -> v2.11.25

GitHub Vulnerability Alerts

CVE-2024-52003

Impact

There is a vulnerability in Traefik that allows the client to provide the X-Forwarded-Prefix header from an untrusted source.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.14
• https://github.com/traefik/traefik/releases/tag/v3.2.1

Workarounds

No workaround.

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

The previously reported open redirect (GHSA-6qq8-5wq3-86rp) is not fixed correctly. The safePrefix function can be tricked to return an absolute URL.

Details

The Traefik API dashboard component tries to validate that the value of the header X-Forwarded-Prefix is a site relative path:

http.Redirect(resp, req, safePrefix(req)+"/dashboard/", http.StatusFound)

func safePrefix(req *http.Request) string {
	prefix := req.Header.Get("X-Forwarded-Prefix")
	if prefix == "" {
		return ""
	}

	parse, err := url.Parse(prefix)
	if err != nil {
		return ""
	}

	return parse.Path
}

PoC

An attacker can bypass this by sending the following payload:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %0d//a.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

or similar:

curl -v 'http://traefik.localhost' -H 'X-Forwarded-Prefix: %2f%2fa.com'
[...]
> HTTP/1.1 302 Found
> Location: //a.com/dashboard/

Impact

Similar to the previously reported bug. In cache poisoning scenarios this may be exploitable.

GHSA-hxr6-2p24-hf98

There is a potential vulnerability in Traefik managing HTTP/3 connections.

More details in the CVE-2024-53259.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.15
• https://github.com/traefik/traefik/releases/tag/v3.2.2

Workarounds

No workaround

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2025-22868

Summary

We have encountered a security vulnerability being reported by our scanners for Traefik 2.11.22.

• https://security.snyk.io/vuln/SNYK-CHAINGUARDLATEST-TRAEFIK33-9403297

Details

It seems to target oauth2/jws library.

PoC

No steps to replicate this vulnerability

Impact

We have a strict control on security and we always try to stay up-to-date with the fixes received for third-party solutions.

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.24
• https://github.com/traefik/traefik/releases/tag/v3.3.6
• https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

GHSA-5423-jcjm-2gpv

Summary

net/http: request smuggling through invalid chunked data: The net/http package accepts data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permit request smuggling. [CVE-2025-22871] Vendor Affected Components: Go: 1.23.x < 1.23.8

More Details: CVE-2025-22871

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.24
• https://github.com/traefik/traefik/releases/tag/v3.3.6
• https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

CVE-2025-32431

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(‘/service’)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(‘/service/sub-path’)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/service/sub-path/../other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.24
• https://github.com/traefik/traefik/releases/tag/v3.3.6
• https://github.com/traefik/traefik/releases/tag/v3.4.0-rc2

Workaround

Add a PathRegexp rule to the matcher to prevent matching a route with a /../ in the path.

Example:

match: PathPrefix(`/service`) && !PathRegexp(`(?:(/\.\./)+.*)`)

For more information

If you have any questions or comments about this advisory, please open an issue.

CVE-2025-47952

Impact

There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher.

When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a URL encoded string in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain.

Example

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
spec:
  routes:
    - match: PathPrefix(‘/service’)
      kind: Rule
      services:
        - name: service-a
          port: 8080
      middlewares:
        - name: my-middleware-a
    - match: PathPrefix(‘/service/sub-path’)
      kind: Rule
      services:
        - name: service-a
          port: 8080

In such a case, the request http://mydomain.example.com/service/sub-path/%2e%2e/other-path will reach the backend my-service-a without operating the middleware my-middleware-a unless the computed path is http://mydomain.example.com/service/other-path and should be computes by the first router (operating my-middleware-a).

Patches

• https://github.com/traefik/traefik/releases/tag/v2.11.25
• https://github.com/traefik/traefik/releases/tag/v3.4.1

For more information

If you have any questions or comments about this advisory, please open an issue.

Original Description

Summary

Path traversal with "/../" using URL encodings ("/%2e%2e") allows for circumventing routing rules.

Details

When having defined a route, you can path traverse using the URL encoded variant of /../ and reach endpoints that are not made publicly available. This issue has been found and fixed earlier with regular /../ and has been fixed in this CVE. This URL encoding trick works around that
https://nvd.nist.gov/vuln/detail/CVE-2025-32431

Simply implementing a check on the URL encoding won't be sufficient as path traversal can take numerous formats. See examples here:
https://book.hacktricks.wiki/en/pentesting-web/file-inclusion/index.html

PoC

Setup a service with two endpoints: "/public" and "/private", which returns a 200 OK for both
Setup a Traefik proxy with a single route which points to the service using path /public

Regular requests to traefik /public will return 200 OK and to /private should return 404 (response by Traefik)
When making a request to /public/%2e%2e/private you should receive a 200 OK.

Impact

Impacts all traefik implementations with path prefix routes that expose only part of the downstream api

Suggestion

Provide configuration property which disables all path traversals. Steps:

1. Decode URL
2. Evaluate and construct relative path (do traversal before route evaluation)
3. Compare relative/evaluated path to configured routes (PathPrefix/pathRegexp)

---

Release Notes

traefik/traefik (github.com/traefik/traefik/v2)

v2.11.25

Compare Source

Important: Please read the migration guide.

CVE's fixed:

• CVE-2025-47952 (Advisory GHSA-vrch-868g-9jx5)

Bug fixes:

• [k8s/ingress] Fix panic for ingress with backend resource (#​11777 by rtribotte)
• [server] Normalize request path (#​11768 by kevinpollet)

Documentation:

• [middleware,k8s] Add multi-tenant TLS guidance to the docs (#​11724 by sheddy-traefik)
• [service] Add a note about how to disable connection reuse with backends (#​11716 by rtribotte)
• Fix broken link in documentation (#​11761 by sheddy-traefik)
• Change version for path sanitization migration guide (#​11702 by rtribotte)

v2.11.24

Compare Source

All Commits

Bug fixes:

• [acme] Bump github.com/go-acme/lego/v4 to v4.23.1 (#​11690 by ldez)
• [metrics] Bump gopkg.in/DataDog/dd-trace-go.v1 to v1.72.2 (#​11693 by kevinpollet)
• [middleware] Add Content-Length header to preflight response (#​11682 by lbenguigui)
• [server] Sanitize request path (#​11684 by rtribotte)
• Bump github.com/redis/go-redis/v9 to v9.7.3 (#​11695 by kevinpollet)
• Bump golang.org/x/net to v0.38.0 (#​11691 by kevinpollet)
• Bump golang.org/x/oauth2 to v0.28.0 (#​11689 by rtribotte)

Documentation:

• [middleware] Add content-length best practice documentation (#​11697 by sheddy-traefik)
• Typo fix on the Explanation Section for User Guide HTTP Challenge. (#​11676 by YapWC)

v2.11.23

Compare Source

All Commits

Release canceled.

v2.11.22

Compare Source

All Commits

Bug fixes:

• [ecs,logs] Bump AWS SDK to v2 (#​11359 by Juneezee)
• [logs,tls] Error level log for configuration-related TLS errors with backends (#​11611 by rtribotte)
• [rules] Allow underscore character in HostSNI matcher (#​11557 by rohitlohar45)
• [server] Bump github.com/vulcand/oxy/v2 to v2.0.3 (#​11649 by adamvduke)
• [server] Bump golang.org/x/net to v0.37.0 (#​11632 by kevinpollet)
• [webui] Change boolean module properties default value to undefined (#​11639 by rtribotte)
• Bump github.com/golang-jwt/jwt to v4.5.2 and v5.2.2 (#​11634 by kevinpollet)
• Bump github.com/redis/go-redis/v9 to v9.6.3 (#​11633 by kevinpollet)
• Bump golang.org/x/net to v0.36.0 (#​11608 by kevinpollet)
• Bump github.com/go-jose/go-jose/v4 to v4.0.5 (#​11571 by kevinpollet)

Documentation:

• [accesslogs] Remove documentation for OriginStatusLine and DownstreamStatusLine accessLogs fields (#​11599 by rtribotte)
• [middleware] Clarifies that retry middleware uses TCP, not HTTP status codes (#​11603 by geraldcroes)
• [redis] Add tip for dynamic configuration updates of Redis (#​11577 by Alanxtl)
• Add Security Support (#​11610 by nmengin)

v2.11.21

Compare Source

All Commits

Bug fixes:

• [acme] Bump github.com/go-acme/lego/v4 to v4.22.2 (#​11537 by ldez)
• [cli] Bump github.com/traefik/paerser to v0.2.2 (#​11530 by kevinpollet)
• [middleware] Enable the retry middleware in the proxy (#​11536 by kevinpollet)
• [middleware] Retry should send headers on Write (#​11534 by kevinpollet)

v3.3.3 (2025-01-31)

All Commits

Bug fixes:

• [api] Do not create observability model by default (#​11476 by rtribotte)
• [fastproxy] Fix content-length header assertion (#​11498 by kevinpollet)
• [fastproxy] Handle responses without content length header (#​11458 by rtribotte)
• [k8s/crd,k8s] Add missing headerField in Middleware CRD (#​11499 by jspdown)
• [tracing,accesslogs] Bring back TraceID and SpanID fields in access logs (#​11450 by rtribotte)

Misc:

• Merge branch v2.11 into v3.3 (#​11502 by rtribotte)
• Merge branch v2.11 into v3.3 (#​11491 by rtribotte)

v2.11.20 (2025-01-31)

All Commits

Bug fixes:

• [acme] Graceful shutdown for ACME JSON write operation (#​11497 by juliens)

Documentation:

• Change docker-compose to docker compose (#​11496 by khai-pi)

v2.11.19 (2025-01-29)

All Commits

Bug fixes:

• [middleware] Changing log message when client cert is not available to debug (#​11453 by Nelwhix)
• [service] Do not create a logger instance for each proxy (#​11487 by kevinpollet)
• [webui] Fix auto refresh not clearing on component unmount (#​11477 by DoubleREW)

Documentation:

• Remove awesome.traefik.io reference in documentation section (#​11435 by kevinpollet)

v3.3.2 (2025-01-14)

All Commits

Bug fixes:

• [fastproxy] Do not read response body for HEAD requests (#​11442 by kevinpollet)
• [metrics,tracing,accesslogs] Fix observability configuration on EntryPoints (#​11446 by rtribotte)
• [webui] Set content-type when serving webui index (#​11428 by kevinpollet)

Documentation:

• [acme] Fix deprecated dnsChallenge propagation logging and documentation (#​11433 by thomscode)
• [acme] Add missing trailing s to propagation.delayBeforeCheck option (#​11417 by jspiers)

Misc:

• Merge branch v2.11 into v3.3 (#​11419 by kevinpollet)

v3.3.1 (2025-01-07)

All Commits

Bug fixes:

• [websocket,server] Disable http2 connect setting for websocket by default (#​11408 by rtribotte)

v3.2.5 (2025-01-07)

All Commits

Bug fixes:

• [websocket,server] Disable http2 connect setting for websocket by default (#​11408 by rtribotte)

v2.11.18 (2025-01-07)

All Commits

Bug fixes:

• [websocket,server] Disable http2 connect setting for websocket by default (#​11412 by rtribotte)

v3.3.0 (2025-01-06)

All Commits

Enhancements:

• [acme] Add options to control ACME propagation checks (#​11241 by ldez)
• [api] Add support dump API endpoint (#​11328 by mmatur)
• [http] Set Host header in HTTP provider request (#​11237 by nikonhub)
• [k8s/crd,k8s] Make the IngressRoute kind optional (#​11177 by skirtan1)
• [k8s/ingress,sticky-session,k8s/crd,k8s] Support serving endpoints (#​11121 by BZValoche)
• [logs,accesslogs] OpenTelemetry Logs and Access Logs (#​11319 by rtribotte)
• [logs,accesslogs] Add experimental flag for OTLP logs integration (#​11335 by kevinpollet)
• [metrics,tracing,accesslogs] Manage observability at entrypoint and router level (#​11308 by rtribotte)
• [middleware,authentication] Add an option to preserve the ForwardAuth Server Location header (#​11318 by Nelwhix)
• [middleware,authentication] Only calculate basic auth hashes once for concurrent requests (#​11143 by michelheusschen)
• [middleware,authentication] Send request body to authorization server for forward auth (#​11097 by kyo-ke)
• [plugins] Add AbortOnPluginFailure option to abort startup on plugin load failure (#​11228 by bmagic)
• [sticky-session] Configurable path for sticky cookies (#​11166 by IIpragmaII)
• [webui,api] Configurable API & Dashboard base path (#​11250 by rtribotte)

Bug fixes:

• [k8s/ingress,k8s/crd] Fix fenced server status computation (#​11361 by kevinpollet)

Documentation:

• Prepare release v3.3.0-rc2 (#​11362 by rtribotte)
• Prepare Release v3.3.0-rc1 (#​11349 by rtribotte)

Misc:

• Merge branch v3.2 into v3.3 (#​11402 by kevinpollet)
• Merge branch v3.2 into v3.3 (#​11393 by mmatur)
• Merge branch v3.2 into v3.3 (#​11389 by mmatur)
• Merge branch v3.2 into v3.3 (#​11367 by kevinpollet)
• Merge branch v3.2 into master (#​11340 by kevinpollet)
• Merge branch v3.2 into master (#​11293 by kevinpollet)
• Merge branch v3.2 into master (#​11239 by kevinpollet)
• Merge branch v3.2 into master (#​11187 by kevinpollet)

v3.2.4 (2025-01-06)

All Commits

Bug fixes:

• [k8s/gatewayapi] Support empty value for core Kubernetes API group (#​11386 by rtribotte)
• [tcp,k8s/crd] Pass TLS bool from IngressRouteTCP to TCPService (#​11343 by lipmem)
• [tls] Upgrade github.com/spiffe/go-spiffe/v2 to v2.4.0 (#​11385 by mmatur)
• Remove duplicate github.com/coreos/go-systemd dependency (#​11354 by Juneezee)

Documentation:

• [k8s/gatewayapi] Update Gateway API version support to v1.2.1 (#​11357 by kevinpollet)
• Add @​jnoordsij to maintainers (#​11352 by emilevauge)

Misc:

• Merge branch v2.11 into v3.2 (#​11400 by kevinpollet)
• Merge branch v2.11 into v3.2 (#​11392 by rtribotte)
• Merge branch v2.11 into v3.2 (#​11388 by mmatur)
• Merge branch v2.11 into v3.2 (#​11366 by kevinpollet)

v2.11.17 (2025-01-06)

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.21.0 (#​11368 by ldez)
• [middleware] Fix typo in basicauth note (#​11397 by tieje)
• [service] Configure ErrorLog in httputil.ReverseProxy (#​11344 by peacewalker122)
• Bump golang.org/x/net to v0.33.0 (#​11365 by kevinpollet)

Documentation:

• [acme] Fix allowACMEByPass TOML example (#​11370 by hannesbraun)
• [k8s/crd] Update copyright for 2025 (#​11383 by kevinpollet)

v3.3.0-rc2 (2024-12-20)

All Commits

Bug fixes:

• [k8s/ingress,k8s/crd] Fix fenced server status computation (#​11361 by kevinpollet)

v3.3.0-rc1 (2024-12-16)

All Commits

Enhancements:

• [acme] Add options to control ACME propagation checks (#​11241 by ldez)
• [api] Add support dump API endpoint (#​11328 by mmatur)
• [http] Set Host header in HTTP provider request (#​11237 by nikonhub)
• [k8s/crd,k8s] Make the IngressRoute kind optional (#​11177 by skirtan1)
• [logs,accesslogs] OpenTelemetry Logs and Access Logs (#​11319 by rtribotte)
• [logs,accesslogs] Add experimental flag for OTLP logs integration (#​11335 by kevinpollet)
• [metrics,tracing,accesslogs] Manage observability at entrypoint and router level (#​11308 by rtribotte)
• [middleware,authentication] Add an option to preserve the ForwardAuth Server Location header (#​11318 by Nelwhix)
• [middleware,authentication] Only calculate basic auth hashes once for concurrent requests (#​11143 by michelheusschen)
• [middleware,authentication] Send request body to authorization server for forward auth (#​11097 by kyo-ke)
• [plugins] Add AbortOnPluginFailure option to abort startup on plugin load failure (#​11228 by bmagic)
• [sticky-session] Configurable path for sticky cookies (#​11166 by IIpragmaII)
• [sticky-session,k8s/ingress,k8s/crd,k8s] Support serving endpoints (#​11121 by BZValoche)
• [webui,api] Configurable API & Dashboard base path (#​11250 by rtribotte)

Misc:

• Merge branch v3.2 into master (#​11340 by kevinpollet)
• Merge branch v3.2 into master (#​11293 by kevinpollet)
• Merge branch v3.2 into master (#​11239 by kevinpollet)
• Merge branch v3.2 into master (#​11187 by kevinpollet)

v3.2.3 (2024-12-16)

All Commits

Documentation:

• Update reference install documentation with current chart default (#​11332 by mloiseleur)

Misc:

• Merge branch v2.11 into v3.2 (#​11346 by kevinpollet)
• Merge branch v2.11 into v3.2 (#​11337 by kevinpollet)

v2.11.16 (2024-12-16)

All Commits

Bug fixes:

• [server] Update golang.org/x dependencies (#​11336 by rtribotte)

v3.2.2 (2024-12-10)

All Commits

Bug fixes:

• [docker,docker/swarm] Rename traefik.docker.* labels for Docker Swarm to traefik.swarm.* (#​11247 by anchal00)
• [k8s/gatewayapi] Update sigs.k8s.io/gateway-api to v1.2.1 (#​11314 by kevinpollet)
• [plugins] Fix WASM settings (#​11321 by juliens)
• [rules] Fix models mechanism for default rule syntax (#​11300 by rtribotte)

Documentation:

• Move callout to the entrypoint page footer (#​11305 by kevinpollet)
• Fix incorrect links in v3 migration sections (#​11297 by kevinpollet)
• New Install Reference Documentation (#​11213 by sheddy-traefik)

v2.11.15 (2024-12-06)

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.20.4 (#​11295 by ldez)
• [http3] Update github.com/quic-go/quic-go to v0.48.2 (#​11320 by kevinpollet)

v3.2.1 (2024-11-20)

All Commits

Bug fixes:

• [k8s/ingress,k8s] Fix HostRegexp config for rule syntax v2 (#​11288 by kevinpollet)
• [logs] Change level of peeking first byte error log to DEBUG for Postgres (#​11270 by rtribotte)
• [service,fastproxy] Fix case problem for websocket upgrade (#​11246 by juliens)

Documentation:

• [acme,tls] Document how to use Certificates of cert-manager (#​11053 by mloiseleur)
• [docker/swarm] Add tips about the use of docker in dynamic configuration for swarm provider (#​11207 by webash)
• [middleware] Add Compress middleware to migration guide (#​11229 by logica0419)

Misc:

• Merge branch v2.11 into v3.2 (#​11290 by kevinpollet)
• Merge branch v2.11 into v3.2 (#​11287 by rtribotte)
• Merge branch v2.11 into v3.2 (#​11285 by juliens)
• Merge branch v2.11 into v3.2 (#​11268 by kevinpollet)

v2.11.14 (2024-11-20)

All Commits

Bug fixes:

• [acme] Update go-acme/lego to v4.20.2 (#​11263 by ldez)
• [logs,server] Change level of peeking first byte error log to DEBUG (#​11254 by rtribotte)
• [middleware,server] Drop untrusted X-Forwarded-Prefix header (#​11253 by rtribotte)
• [server] Apply keepalive config to h2c entrypoints (#​11276 by davefu113)
• [service] Fix internal handlers ServiceBuilder composition (#​11281 by juliens)

Documentation:

• [accesslogs] Update access-logs.md, add examples for accesslog.format (#​11275 by bluepuma77)
• Fix the defaultRule CLI examples (#​11282 by kevinpollet)
• Fix spelling, grammar, and rephrase sections for clarity in some documentation pages (#​11280 by AntoineDeveloper)
• Fix absolute link in the migration guide (#​11269 by kevinpollet)
• Add X-Forwarded-Prefix to the migration guide (#​11267 by kevinpollet)
• Fix a small typo in entrypoints documentation (#​11261 by quiode)
• Add a warning about environment variables casing for static configuration (#​11226 by anchal00)
• Improve documentation on dashboard (#​11220 by mloiseleur)

v3.2.0 (2024-10-28)

All Commits

Enhancements:

• [acme] Remove same email requirement for certresolvers (#​11019 by Emrio)
• [acme] Add support for custom CA certificates by certificate resolver (#​10816 by ldez)
• [acme] Add 30 day certificatesDuration step (#​10970 by luker983)
• [docker] Support HTTP BasicAuth for docker and swarm endpoint (#​10776 by 985492783)
• [k8s,k8s/gatewayapi] Add supported features to the Gateway API GatewayClass status (#​11056 by rtribotte)
• [k8s,k8s/gatewayapi] Update sigs.k8s.io/gateway-api to v1.2.0-rc1 (#​11124 by rtribotte)
• [k8s,k8s/gatewayapi] Add support for backend protocol selection in HTTP and GRPC routes (#​11051 by rtribotte)
• [k8s,k8s/gatewayapi] Improve Kubernetes GatewayAPI TCPRoute and TLSRoute support (#​11042 by rtribotte)
• [k8s,k8s/gatewayapi] Support HTTPRoute destination port matching (#​11134 by kevinpollet)
• [k8s,k8s/gatewayapi] Bump sigs.k8s.io/gateway-api to v1.2.0-rc2 (#​11131 by kevinpollet)
• [k8s,k8s/gatewayapi] Add support for Gateway API BackendTLSPolicies (#​11009 by rtribotte)
• [k8s,k8s/gatewayapi] Support NativeLB option in GatewayAPI provider (#​11147 by rtribotte)
• [k8s,k8s/gatewayapi] Support ResponseHeaderModifier filter (#​10987 by kevinpollet)
• [k8s,k8s/gatewayapi] Support GRPC routes (#​10975 by kevinpollet)
• [k8s,k8s/gatewayapi] Bump sigs.k8s.io/gateway-api to v1.2.0 (#​11167 by rtribotte)
• [metrics,otel] Allow setting service.name for OTLP metrics (#​10917 by cmartell-at-ocp)
• [middleware,accesslogs] Record trace id and EntryPoint span id into access log (#​10921 by weijiany)
• [middleware,authentication] Support LogUserHeader with forwardAuth middleware (#​10833 by GaleHuang)
• [middleware] Add encodings option to the compression middleware (#​10943 by wollomatic)
• [middleware] Add support for ipv6 subnet in ipStrategy (#​9747 by michal-kralik)
• [nomad] Support for watching instead of polling Nomad (#​10997 by deverton-godaddy)
• [server,performance] Introduce a fast proxy mode to improve HTTP/1.1 performances with backends (#​11122 by kevinpollet)
• [server] Configurable max request header size (#​10995 by lucasrod16)
• [service] Add mirrorBody option to HTTP mirroring (#​11032 by MatteoPaier)
• [service] Add an option to preserve server path (#​11193 by mmatur)

Bug fixes:

• [k8s,k8s/gatewayapi] Ensuring Gateway API reflected Traefik resource name unicity (#​11222 by rtribotte)
• [k8s,k8s/gatewayapi] Preserve GRPCRoute filters order (#​11199 by kevinpollet)
• [k8s,k8s/gatewayapi] Support http and https appProtocol for Kubernetes Service (#​11176 by WillDaSilva)
• [k8s,k8s/gatewayapi] Avoid updating Accepted status for routes matching no Gateways (#​11170 by rtribotte)
• [k8s,k8s/gatewayapi] Do not update gateway status when not selected by a gateway class (#​11169 by kevinpollet)
• [service] Detect and drop broken conns in the fastproxy pool (#​11212 by kevinpollet)

Documentation:

• [k8s,k8s/gatewayapi] Document nativeLBByDefault annotation on Kubernetes Gateway provider (#​11209 by mloiseleur)
• [k8s/crd,k8s] Detail CRD update with v3.2 in the migration guide (#​11164 by mloiseleur)
• [k8s/gatewayapi] Add missing RBAC in the migration guide (#​11189 by mloiseleur)
• [k8s] Fix instructions for downloading CRDs of Gateway API v1.2 (#​11191 by mloiseleur)
• Prepare release v3.2.0-rc2 (#​11182 by kevinpollet)
• Prepare Release v3.2.0-rc1 (#​11154 by rtribotte)

Misc:

• Merge branch v3.1 into v3.2 (#​11219 by kevinpollet)
• Merge branch v3.1 into v3.2 (#​11181 by kevinpollet)
• Merge branch v3.1 into master (#​11153 by kevinpollet)
• Merge branch v3.1 into master (#​11110 by kevinpollet)
• Merge branch v3.1 into master (#​11066 by mmatur)
• Merge branch v3.1 into master (#​11047 by mmatur)
• Merge branch v3.1 into master (#​10980 by kevinpollet)
• Merge branch v3.1 into master (#​10952 by mmatur)
• Merge branch v3.1 into master (#​10906 by rtribotte)

v3.1.7 (2024-10-28)

All Commits

Bug fixes:

• [k8s,k8s/gatewayapi] Preserve HTTPRoute filters order (#​11198 by kevinpollet)

Documentation:

• [k8s,k8s/gatewayapi] Fix broken links in Kubernetes Gateway provider page (#​11188 by mloiseleur)

Misc:

• Merge branch v2.11 into v3.1 (#​11232 by kevinpollet)
• Merge branch v2.11 into v3.1 (#​11218 by kevinpollet)

v2.11.13 (2024-10-28)

All Commits

Bug fixes:

• [middleware,service] Panic on aborted requests to properly close the connection (#​11129 by tonybart1337)

Documentation:

• Update business callouts (#​11217 by tomatokoolaid)

v3.2.0-rc2 (2024-10-09)

All Commits

Enhancements:

• [k8s,k8s/gatewayapi] Bump sigs.k8s.io/gateway-api to v1.2.0 (#​11167 by rtribotte)

Bug fixes:

• [k8s,k8s/gatewayapi] Support http and https appProtocol for Kubernetes Service (#​11176 by WillDaSilva)
• [k8s,k8s/gatewayapi] Avoid updating Accepted status for routes matching no Gateways (#​11170 by rtribotte)
• [k8s,k8s/gatewayapi] Do not update gateway status when not selected by a gateway class (#​11169 by kevinpollet)

Documentation:

• Detail CRD update with v3.2 in the migration guide (#​11164 by mloiseleur)

Misc:

• Merge branch v3.1 into v3.2 (#​11181 by kevinpollet)

v3.1.6 (2024-10-09)

All Commits

Bug fixes:

• [middleware] Reuse compression writers (#​11168 by michelheusschen)
• [middleware] Use correct default weight in Accept-Encoding (#​11084 by michelheusschen)
• [plugins] Close wasm middleware to prevent memory leak (#​11151 by ttys3)

Misc:

• Merge branch v2.11 into v3.1 (#​11179 by kevinpollet)
• Merge branch v2.11 into v3.1 (#​11174 by mmatur)

v2.11.12 (2024-10-09)

All Commits

Bug fixes:

• [middleware] Bump github.com/klauspost/compress to dbd6c38 (#​11162 by kevinpollet)
• [webui] Upgrade to node 22.9 and yarn lock to fix vulnerabilities (#​11173 by kevinpollet)
• [webui] Adopt a layout for the large amount of entrypoint port numbers (#​11157 by framebassman)

Documentation:

• [accesslogs] Clarify that only header fields may be redacted in access-logs (#​11139 by mattbnz)
• Update business callout (#​11172 by tomatokoolaid)

v3.2.0-rc1 (2024-10-02)

All Commits

Enhancements:

• [acme] Remove same email requirement for certresolvers (#​11019 by Emrio)
• [acme] Add support for custom CA certificates by certificate resolver (#​10816 by ldez)
• [acme] Add 30 day certificatesDuration step (#​10970 by luker983)
• [docker] Support HT

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 17 additional dependencies were updated

Details:

Package	Change
github.com/cloudflare/cloudflare-go	v0.104.0 -> v0.115.0
github.com/goccy/go-json	v0.10.3 -> v0.10.5
github.com/google/go-cmp	v0.6.0 -> v0.7.0
github.com/gorilla/websocket	v1.5.0 -> v1.5.3
github.com/miekg/dns	v1.1.59 -> v1.1.64
github.com/traefik/paerser	v0.2.1 -> v0.2.2
golang.org/x/crypto	v0.27.0 -> v0.36.0
golang.org/x/mod	v0.21.0 -> v0.23.0
golang.org/x/net	v0.29.0 -> v0.38.0
golang.org/x/oauth2	v0.21.0 -> v0.28.0
golang.org/x/sync	v0.8.0 -> v0.12.0
golang.org/x/sys	v0.25.0 -> v0.31.0
golang.org/x/term	v0.24.0 -> v0.30.0
golang.org/x/text	v0.18.0 -> v0.23.0
golang.org/x/time	v0.6.0 -> v0.11.0
golang.org/x/tools	v0.25.0 -> v0.30.0
google.golang.org/protobuf	v1.34.2 -> v1.36.5