Traefik Knowledge Patch (v3.1 – v3.6)
Baseline: Traefik v3.0.x. Covers: v3.1 through v3.6.9 (July 2024 – November 2025).
Index
| Topic | Reference | Key features | |-------|-----------|-------------| | Routing & Middleware | [references/routing-and-middleware.md] | Multi-layer routing (parentRefs), ForwardAuth body/method forwarding, Zstandard compression, error page status rewrites, path sanitization, encoded character controls | | Load Balancing & Services | [references/load-balancing.md] | p2c / leasttime / highestRandomWeight strategies, TCP & passive health checks, sticky cookie domain/path, Redis rate limiter, fast proxy mode | | Providers & Observability | [references/providers-and-observability.md] | Knative provider, NGINX Ingress provider, OTLP logs, trace verbosity, API dashboard base path |
Breaking Changes & Deprecations
| Version | Change |
|---------|--------|
| v3.1 | disableIngressClassLookup renamed to disableClusterScopeResources |
| v3.1 | Gateway API provider no longer experimental |
| v3.2.2 | traefik.docker.network renamed to traefik.swarm.network (Swarm labels) |
| v3.3 | acme.dnsChallenge.delaybeforecheck renamed to acme.dnsChallenge.propagation.delayBeforeChecks |
| v3.3 | tracing.globalAttributes renamed to tracing.resourceAttributes |
| v3.4 | RoundRobin strategy deprecated — use wrr |
| v3.4 | rootCAsSecrets deprecated — use rootCAs (supports ConfigMaps + Secrets) |
| v3.4 | core.defaultRuleSyntax and ruleSyntax deprecated (v2 compat removed) |
| v3.5.2 | proxyProtocol on TCP LB deprecated — use TCPServersTransport |
| v3.6.2 | NGINX Ingress provider no longer experimental |
Quick Reference: New Load Balancer Strategies
| Strategy | Version | Description |
|----------|---------|-------------|
| wrr | (default) | Weighted round-robin (replaces deprecated RoundRobin) |
| p2c | v3.4 | Power of Two Choices — picks the less-loaded of two random backends |
| leasttime | v3.6 | Routes to the backend with lowest response time |
| highestRandomWeight | v3.6 | Probabilistic weighting |
http:
services:
my-service:
loadBalancer:
strategy: p2c # or leasttime, highestRandomWeight, wrr
servers:
- url: "http://backend1:8080"
- url: "http://backend2:8080"
Quick Reference: ForwardAuth Options
| Option | Version | Description |
|--------|---------|-------------|
| forwardBody | v3.3 | Send request body to auth server |
| maxBodySize | v3.3 | Limit forwarded body size (bytes) |
| preserveLocationHeader | v3.3 | Keep Location header from auth response |
| preserveRequestMethod | v3.4 | Keep original HTTP method (GET/POST/etc.) |
| maxResponseBodySize | v3.6.9 | Limit auth response body size (default -1 = unlimited) |
Quick Reference: Compression Encodings
Since v3.1/v3.2, the compress middleware supports Zstandard and explicit encoding order:
http:
middlewares:
compress:
compress:
encodings:
- gzip
- br
- zstd
Default order since v3.3.5: gzip, br, zstd.
Multi-Layer Routing (v3.6)
Routers can have parent-child relationships via parentRefs. Parent routers apply shared middleware (e.g., auth) and child routers make routing decisions based on enriched request context.
Three router types: Root (attached to entryPoints, no service), Intermediate (has children, inherits from root), Leaf (must define a service).
http:
routers:
api-parent:
rule: "Host(`api.example.com`)"
middlewares:
- auth-with-tier
entryPoints:
- websecure
tls: {}
# No service — this is a parent router
api-enterprise:
rule: "Header(`X-Customer-Tier`, `enterprise`)"
service: stable-backend
parentRefs:
- api-parent
api-free:
rule: "Header(`X-Customer-Tier`, `free`)"
service: canary-backend
parentRefs:
- api-parent
Child routers cannot be called directly — requests must flow through their parent.
Redis Rate Limiter (v3.4)
Distributed rate limiting backed by Redis, replacing in-memory-only for multi-instance deployments:
http:
middlewares:
rate-limit:
rateLimit:
average: 100
burst: 50
redis:
endpoints:
- "redis:6379"
Post-Quantum TLS (v3.5)
X25519MLKEM768 curve for post-quantum-secure TLS:
tls:
options:
default:
curvePreferences:
- X25519MLKEM768
- X25519
Security: Path Sanitization & Encoded Characters
Path sanitization (v3.3.6+): Incoming paths are auto-cleaned (/../, /./, //). Disable per-entrypoint if needed:
entryPoints:
web:
address: ":80"
http:
sanitizePath: false
Encoded characters (v3.6.4+): Control which encoded characters to allow in request paths:
entryPoints:
web:
address: ":80"
http:
encodedCharacters:
allowEncodedSlash: true # %2F - default true since v3.6.7
allowEncodedBackSlash: true # %5C
allowEncodedNullCharacter: true # %00
Reference Files
- [references/routing-and-middleware.md] — Multi-layer routing, ForwardAuth, compression, error pages, path/encoding security
- [references/load-balancing.md] — LB strategies, health checks, sticky cookies, Redis rate limiter, fast proxy
- [references/providers-and-observability.md] — Knative, NGINX Ingress, OTLP logs, trace verbosity, API dashboard