Cleanup Connection headers before passing the middleware chain

Co-authored-by: Romain <rtribotte@users.noreply.github.com>

docs/content/reference/static-configuration/cli-ref.md

@@ -111,6 +111,9 @@ Entry point address.
 `--entrypoints.<name>.allowacmebypass`:  
 Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
 
+`--entrypoints.<name>.forwardedheaders.connection`:  
+List of Connection headers that are allowed to pass through the middleware chain before being removed.
+
 `--entrypoints.<name>.forwardedheaders.insecure`:  
 Trust all forwarded headers. (Default: ```false```)
 

docs/content/reference/static-configuration/env-ref.md

@@ -111,6 +111,9 @@ Entry point address.
 `TRAEFIK_ENTRYPOINTS_<NAME>_ALLOWACMEBYPASS`:  
 Enables handling of ACME TLS and HTTP challenges with custom routers. (Default: ```false```)
 
+`TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_CONNECTION`:  
+List of Connection headers that are allowed to pass through the middleware chain before being removed.
+
 `TRAEFIK_ENTRYPOINTS_<NAME>_FORWARDEDHEADERS_INSECURE`:  
 Trust all forwarded headers. (Default: ```false```)
 

docs/content/reference/static-configuration/file.toml

@@ -33,6 +33,7 @@
     [entryPoints.EntryPoint0.forwardedHeaders]
       insecure = true
       trustedIPs = ["foobar", "foobar"]
+      connection = ["foobar", "foobar"]
     [entryPoints.EntryPoint0.http]
       middlewares = ["foobar", "foobar"]
       encodeQuerySemicolons = true

docs/content/reference/static-configuration/file.yaml

@@ -37,6 +37,9 @@ entryPoints:
       trustedIPs:
         - foobar
         - foobar
+      connection:
+        - foobar
+        - foobar
     http:
       redirections:
         entryPoint:

docs/content/routing/entrypoints.md

@@ -422,6 +422,40 @@ You can configure Traefik to trust the forwarded headers information (`X-Forward
     --entryPoints.web.forwardedHeaders.insecure
     ```
 
+??? info "`forwardedHeaders.connection`"
+    
+    As per RFC7230, Traefik respects the Connection options from the client request.
+    By doing so, it removes any header field(s) listed in the request Connection header and the Connection header field itself when empty.
+    The removal happens as soon as the request is handled by Traefik,
+    thus the removed headers are not available when the request passes through the middleware chain.
+    The `connection` option lists the Connection headers allowed to passthrough the middleware chain before their removal.
+
+    ```yaml tab="File (YAML)"
+    ## Static configuration
+    entryPoints:
+      web:
+        address: ":80"
+        forwardedHeaders:
+          connection:
+            - foobar
+    ```
+
+    ```toml tab="File (TOML)"
+    ## Static configuration
+    [entryPoints]
+      [entryPoints.web]
+        address = ":80"
+
+        [entryPoints.web.forwardedHeaders]
+          connection = ["foobar"]
+    ```
+
+    ```bash tab="CLI"
+    ## Static configuration
+    --entryPoints.web.address=:80
+    --entryPoints.web.forwardedHeaders.connection=foobar
+    ```
+
 ### Transport
 
 #### `respondingTimeouts`