Replace internal dead links

2025-10-14 16:26:05 +02:00 · 2025-10-14 16:26:05 +02:00 · 835899f4bc
commit 835899f4bc
parent 0ea8cbdfbf
41 changed files with 310 additions and 2043 deletions
--- a/docs/content/contributing/documentation.md
+++ b/docs/content/contributing/documentation.md
@ -15,7 +15,7 @@ Let's see how.
 ### General
-This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
+This [documentation](../index.md "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
 ### Method 1: `Docker` and `make`
--- a/docs/content/getting-started/faq.md
+++ b/docs/content/getting-started/faq.md
@ -12,10 +12,10 @@ and while the documentation often demonstrates configuration options through fil
 the core feature of Traefik is its dynamic configurability,
 directly reacting to changes from providers over time.
-Notably, a part of the configuration is [static](../configuration-overview/#the-static-configuration),
+Notably, a part of the configuration is [static](./configuration-overview.md#the-static-configuration),
 and can be provided by a file on startup, whereas various providers,
 such as the file provider,
-contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](../configuration-overview/#the-dynamic-configuration) changes.
+contribute dynamically all along the traefik instance lifetime to its [dynamic configuration](./configuration-overview.md#the-dynamic-configuration) changes.
 In addition, the configuration englobes concepts such as the EntryPoint which can be seen as a listener on the Transport Layer (TCP),
 as apposed to the Router which is more about the Presentation (TLS) and Application layers (HTTP).
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@ -314,7 +314,7 @@ Use the `DNS-01` challenge to generate and renew ACME certificates by provisioni
 !!! warning "`CNAME` support"
    `CNAME` are supported (and sometimes even [encouraged](https://letsencrypt.org/2019/10/09/onboarding-your-customers-with-lets-encrypt-and-acme.html#the-advantages-of-a-cname)),
-    but there are a few cases where they can be [problematic](../../getting-started/faq/#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
+    but there are a few cases where they can be [problematic](../getting-started/faq.md#why-does-lets-encrypt-wildcard-certificate-renewalgeneration-with-dns-challenge-fail).
    If needed, `CNAME` support can be disabled with the following environment variable:
--- a/docs/content/https/tls.md
+++ b/docs/content/https/tls.md
@ -234,7 +234,7 @@ The TLS options allow one to configure some parameters of the TLS connection.
 !!! important "TLSOption in Kubernetes"
-    When using the [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
+    When using the [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) in Kubernetes, one might setup a default set of options that,
    if not explicitly overwritten, should apply to all ingresses.  
    To achieve that, you'll have to create a TLSOption resource with the name `default`.
    There may exist only one TLSOption with the name `default` (across all namespaces) - otherwise they will be dropped.  
@ -503,7 +503,7 @@ Traefik supports mutual authentication, through the `clientAuth` section.
 For authentication policies that require verification of the client certificate, the certificate authority for the certificates should be set in `clientAuth.caFiles`.
-In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../../routing/providers/kubernetes-crd/#kind-tlsoption) for more details.
+In Kubernetes environment, CA certificate can be set in `clientAuth.secretNames`. See [TLSOption resource](../routing/providers/kubernetes-crd.md#kind-tlsoption) for more details.
 The `clientAuth.clientAuthType` option governs the behaviour as follows:
--- a/docs/content/migrate/v1-to-v2.md
+++ b/docs/content/migrate/v1-to-v2.md
--- a/docs/content/migrate/v2-to-v3-details.md
+++ b/docs/content/migrate/v2-to-v3-details.md
@ -135,7 +135,7 @@ It is now unsupported and would prevent Traefik to start.
 ##### Remediation
 The `http3` option should be removed from the static configuration experimental section.
-To configure `http3`, please checkout the [entrypoint configuration documentation](../routing/entrypoints.md#http3_1).
+To configure `http3`, please checkout the [entrypoint configuration documentation](../reference/install-configuration/entrypoints.md#http3).
 ### Consul provider
--- a/docs/content/migrate/v2-to-v3.md
+++ b/docs/content/migrate/v2-to-v3.md
@ -11,7 +11,7 @@ How to Migrate from Traefik v2 to Traefik v3.
 !!! success "Streamlined Migration Process"
    Traefik v3 introduces minimal breaking changes and maintains backward compatibility with v2 syntax in dynamic configuration, offering a gradual migration path.
-With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
+With Traefik v3, we are introducing a streamlined transition process from v2. Minimal breaking changes have been made to specific options in the [static configuration](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes"), and we are ensuring backward compatibility with v2 syntax in the [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). This will offer a gradual path for adopting the v3 syntax, allowing users to progressively migrate their Kubernetes ingress resources, Docker labels, etc., to the new format.
 ## Migration Overview
@ -33,7 +33,7 @@ The migration process consists of three progressive steps designed to minimize r
 **Review and Update Static Configuration**
-Check the changes in [static configurations](./v2-to-v3-details.md#static-configuration-changes "Link to static configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.
+Check the changes in [static configurations](./v2-to-v3-details.md#install-configuration-changes "Link to install configuration changes") and [operations](./v2-to-v3-details.md#operations-changes "Link to operations changes") brought by Traefik v3. Modify your configurations accordingly.
 **Enable v2 Compatibility Mode**
@ -110,13 +110,13 @@ We strongly advise you to follow a progressive migration strategy ([Kubernetes r
 ## Step 3: Progressively Migrate Dynamic Configuration
 !!! info "Optional Immediate Step"
-    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.
+    This step can be done later in the process, as Traefik v3 is compatible with the v2 format for [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes"). Enable Traefik logs to get some help if any deprecated option is in use.
 ### Migration Process
 **Review Dynamic Configuration Changes**
-Check the changes in [dynamic configuration](./v2-to-v3-details.md#dynamic-configuration-changes "Link to dynamic configuration changes") to understand what updates are needed.
+Check the changes in [dynamic configuration](./v2-to-v3-details.md#routing-configuration-changes "Link to routing configuration changes") to understand what updates are needed.
 **Progressive Router Migration**
--- a/docs/content/migrate/v2.md
+++ b/docs/content/migrate/v2.md
@ -1,719 +0,0 @@
 ---
 title: "Traefik Migration Documentation"
 description: "Learn the steps needed to migrate to new Traefik Proxy v2 versions, i.e. v2.0 to v2.1 or v2.1 to v2.2. Read the technical documentation."
 ---
 # Migration: Steps needed between the versions
 ## v2.0 to v2.1
 ### Kubernetes CRD
 In v2.1, a new Kubernetes CRD called `TraefikService` was added.
 While updating an installation to v2.1,
 one should apply that CRD, and update the existing `ClusterRole` definition to allow Traefik to use that CRD.
 To add that CRD and enhance the permissions, the following definitions need to be applied to the cluster.
 ```yaml tab="TraefikService"
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: traefikservices.traefik.containo.us
 spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
 ```
 ```yaml tab="ClusterRole"
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: traefik-ingress-controller
 rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.io
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
      - serverstransporttcps
    verbs:
      - get
      - list
      - watch
 ```
 After having both resources applied, Traefik will work properly.
 ## v2.1 to v2.2
 ### Headers middleware: accessControlAllowOrigin
 `accessControlAllowOrigin` is deprecated.
 This field will be removed in future 2.x releases.
 Please configure your allowed origins in `accessControlAllowOriginList` instead.
 ### Kubernetes CRD
 In v2.2, new Kubernetes CRDs called `TLSStore` and `IngressRouteUDP` were added.
 While updating an installation to v2.2,
 one should apply that CRDs, and update the existing `ClusterRole` definition to allow Traefik to use that CRDs.
 To add that CRDs and enhance the permissions, the following definitions need to be applied to the cluster.
 ```yaml tab="TLSStore"
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: tlsstores.traefik.containo.us
 spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSStore
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
 ```
 ```yaml tab="IngressRouteUDP"
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
  name: ingressrouteudps.traefik.containo.us
 spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteUDP
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
 ```
 ```yaml tab="ClusterRole"
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
  name: traefik-ingress-controller
 rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.io
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
      - serverstransporttcps
    verbs:
      - get
      - list
      - watch
 ```
 After having both resources applied, Traefik will work properly.
 ### Kubernetes Ingress
 To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in the Ingress.
 #### Expose an Ingress on 80 and 443
 Define the default TLS configuration on the HTTPS entry point.
 ```yaml tab="Ingress"
 kind: Ingress
 apiVersion: networking.k8s.io/v1beta1
 metadata:
  name: example
 spec:
  tls:
  - secretName: my-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: "/foo"
        backend:
          serviceName: example-com
          servicePort: 80
 ```
 Entry points definition and enable Ingress provider:
 ```yaml tab="File (YAML)"
 # Static configuration
 entryPoints:
  web:
    address: :80
  websecure:
    address: :443
    http:
      tls: {}
 providers:
  kubernetesIngress: {}
 ```
 ```toml tab="File (TOML)"
 # Static configuration
 [entryPoints.web]
  address = ":80"
 [entryPoints.websecure]
  address = ":443"
  [entryPoints.websecure.http]
    [entryPoints.websecure.http.tls]
 [providers.kubernetesIngress]
 ```
 ```bash tab="CLI"
 # Static configuration
 --entryPoints.web.address=:80
 --entryPoints.websecure.address=:443
 --entryPoints.websecure.http.tls=true
 --providers.kubernetesIngress=true
 ```
 #### Use TLS only on one Ingress
 Define the TLS restriction with annotations.
 ```yaml tab="Ingress"
 kind: Ingress
 apiVersion: networking.k8s.io/v1beta1
 metadata:
  name: example-tls
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
 spec:
  tls:
  - secretName: my-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: ""
        backend:
          serviceName: example-com
          servicePort: 80
 ```
 Entry points definition and enable Ingress provider:
 ```yaml tab="File (YAML)"
 # Static configuration
 entryPoints:
  web:
    address: :80
  websecure:
    address: :443
 providers:
  kubernetesIngress: {}
 ```
 ```toml tab="File (TOML)"
 # Static configuration
 [entryPoints.web]
  address = ":80"
 [entryPoints.websecure]
  address = ":443"
 [providers.kubernetesIngress]
 ```
 ```bash tab="CLI"
 # Static configuration
 --entryPoints.web.address=:80
 --entryPoints.websecure.address=:443
 --providers.kubernetesIngress=true
 ```
 ## v2.2.2 to v2.2.5
 ### InsecureSNI removal
 In `v2.2.2` we introduced a new flag (`insecureSNI`) which was available as a global option to disable domain fronting.
 Since `v2.2.5` this global option has been removed, and you should not use it anymore.
 ### HostSNI rule matcher removal
 In `v2.2.2` we introduced a new rule matcher (`HostSNI`) for HTTP routers which was allowing to match the Server Name Indication at the router level.
 Since `v2.2.5` this rule has been removed for HTTP routers, and you should not use it anymore.
 ## v2.2 to v2.3
 ### X.509 CommonName Deprecation
 The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present, is now disabled by default.
 It means that if one is using https with your backend servers, and a certificate with only a CommonName,
 Traefik will not try to match the server name indication with the CommonName anymore.
 It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.
 More information: https://golang.org/doc/go1.15#commonname
 ### File Provider
 The file parser has been changed, since v2.3 the unknown options/fields in a dynamic configuration file are treated as errors.
 ### IngressClass
 In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
 In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.
 ## v2.3 to v2.4
 ### ServersTransport
 In `v2.4.0`, the support of `ServersTransport` has been introduced.
 It is therefore necessary to update [RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-crd.md) definitions.
 ## v2.4.7 to v2.4.8
 ### Non-ASCII Domain Names
 In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
 and in TCP router rule `HostSNI` expression.
 This check ensures that provided domain names don't contain non-ASCII characters.
 If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
 This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
 It doesn't change the support for non-ASCII domain names in routers rules, which is not part of the Traefik feature set so far.
 In order to use non-ASCII domain names in a router's rule, one should use the Punycode form of the domain name.
 For more information, please read the [HTTP routers rule](../routing/routers/index.md#rule) part or [TCP router rules](../routing/routers/index.md#rule_1) part of the documentation.
 ## v2.4.8 to v2.4.9
 ### Tracing Span
 In `v2.4.9`, we changed span error to log only server errors (>= 500).
 ## v2.4.9 to v2.4.10
 ### K8S CrossNamespace
 In `v2.4.10`, the default value for `allowCrossNamespace` has been changed to `false`.
 ### K8S ExternalName Service
 In `v2.4.10`, by default, it is no longer authorized to reference Kubernetes ExternalName services.
 To allow it, the `allowExternalNameServices` option should be set to `true`.
 ## v2.4 to v2.5
 ### Kubernetes CRD
 In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
 As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.
 After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update.
 Please note that the unknown fields will not be pruned when migrating from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1` CRDs.
 For more details check out the official [documentation](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema).
 ### Kubernetes Ingress
 Traefik v2.5 moves forward for the Ingress provider to support Kubernetes v1.22.
 Traefik now supports only v1.14+ Kubernetes clusters, which means the support of `extensions/v1beta1` API Version ingresses has been dropped.
 The `extensions/v1beta1` API Version should now be replaced either by `networking.k8s.io/v1beta1` or by `networking.k8s.io/v1` (as of Kubernetes v1.19+).
 The support of the `networking.k8s.io/v1beta1` API Version will stop in Kubernetes v1.22.
 ### Headers middleware: ssl redirect options
 `sslRedirect`, `sslTemporaryRedirect`, `sslHost` and `sslForceHost` are deprecated in Traefik v2.5.
 For simple HTTP to HTTPS redirection, you may use [EntryPoints redirections](../routing/entrypoints.md#redirection).
 For more advanced use cases, you can use either the [RedirectScheme middleware](../middlewares/http/redirectscheme.md) or the [RedirectRegex middleware](../middlewares/http/redirectregex.md).
 ### Headers middleware: accessControlAllowOrigin
 `accessControlAllowOrigin` is no longer supported in Traefik v2.5.
 ### X.509 CommonName Deprecation Bis
 Following up on the deprecation started [previously](#x509-commonname-deprecation),
 as the `x509ignoreCN=0` value for the `GODEBUG` is [deprecated in Go 1.17](https://tip.golang.org/doc/go1.17#crypto/x509),
 the legacy behavior related to the CommonName field cannot be enabled at all anymore.
 ## v2.5.3 to v2.5.4
 ### Errors middleware
 In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
 the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`.
 Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details.
 ## v2.5 to v2.6
 ### HTTP/3
 Traefik v2.6 introduces the `AdvertisedPort` option,
 which allows advertising, in the `Alt-Svc` header, a UDP port different from the one on which Traefik is actually listening (the EntryPoint's port).
 By doing so, it introduces a new configuration structure `http3`, which replaces the `enableHTTP3` option (which therefore doesn't exist anymore).
 To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](../routing/entrypoints.md#http3) documentation.
 ### Kubernetes Gateway API Provider
 In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
 [route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
 Therefore, the RBAC and CRD definitions must be updated.
 ## v2.6.0 to v2.6.1
 ### Metrics
 In `v2.6.1`, the metrics system does not support any more custom HTTP method verbs to prevent potential metrics cardinality overhead.
 In consequence, for metrics having the method label,
 if the HTTP method verb of a request is not one defined in the set of common methods for [`HTTP/1.1`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods)
 or the [`PRI`](https://datatracker.ietf.org/doc/html/rfc7540#section-11.6) verb (for `HTTP/2`),
 the value for the method label becomes `EXTENSION_METHOD`, instead of the request's one.
 ### Tracing
 In `v2.6.1`, the Datadog tags added to a span changed from `service.name` to `traefik.service.name` and from `router.name` to `traefik.router.name`.
 ## v2.8
 ### TLS client authentication
 In `v2.8`, the `caOptional` option is deprecated as TLS client authentication is a server side option.
 This option available in the ForwardAuth middleware, as well as in the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers has no effect and must not be used anymore.
 ### Consul Enterprise Namespaces
 In `v2.8`, the `namespace` option of Consul and Consul Catalog providers is deprecated, please use the `namespaces` options instead.
 ### Traefik Pilot
 In `v2.8`, the `pilot.token` and `pilot.dashboard` options are deprecated.
 Please check our Blog for migration instructions later this year.
 ## v2.8.2
 Since `v2.5.0`, the `PreferServerCipherSuites` is [deprecated and ignored](https://tip.golang.org/doc/go1.17#crypto/tls) by Go,
 in `v2.8.2` the `preferServerCipherSuites` option is also deprecated and ignored in Traefik.
 In `v2.8.2`, Traefik now reject certificates signed with the SHA-1 hash function. ([details](https://tip.golang.org/doc/go1.18#sha1))
 ## v2.9
 ### Traefik Pilot
 In `v2.9`, Traefik Pilot support has been removed.
 ## v2.10
 ### Nomad Namespace
 In `v2.10`, the `namespace` option of the Nomad provider is deprecated, please use the `namespaces` options instead.
 ### Kubernetes CRDs
 In `v2.10`, the Kubernetes CRDs API Group `traefik.containo.us` is deprecated, and its support will end starting with Traefik v3. Please use the API Group `traefik.io` instead.
 As the Kubernetes CRD provider still works with both API Versions (`traefik.io/v1alpha1` and `traefik.containo.us/v1alpha1`),
 it means that for the same kind, namespace and name, the provider will only keep the `traefik.io/v1alpha1` resource.
 In addition, the Kubernetes CRDs API Version `traefik.containo.us/v1alpha1` will not be supported in Traefik v3 itself.
 Please note that it is a requirement to update the CRDs and the RBAC in the cluster before upgrading Traefik.
 To do so, please apply the required [CRDs](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml) and [RBAC](https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml) manifests for v2.10:
 ```bash
 kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
 ```
 ### Traefik Hub
 In `v2.10`, Traefik Hub configuration has been removed because Traefik Hub v2 doesn't require this configuration.
 ## v2.11
 ### IPWhiteList (HTTP)
 In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/http/ipallowlist.md) middleware instead.
 ### IPWhiteList (TCP)
 In `v2.11`, the `IPWhiteList` middleware is deprecated, please use the [IPAllowList](../middlewares/tcp/ipallowlist.md) middleware instead.
 ### TLS CipherSuites
 > By default, cipher suites without ECDHE support are no longer offered by either clients or servers during pre-TLS 1.3 handshakes.
 > This change can be reverted with the `tlsrsakex=1 GODEBUG` setting.
 > (https://go.dev/doc/go1.22#crypto/tls)
 The _RSA key exchange_ cipher suites are way less secure than the modern ECDHE cipher suites and exposes to potential vulnerabilities like [the Marvin Attack](https://people.redhat.com/~hkario/marvin).
 Decision has been made to support ECDHE cipher suites only by default.
 The following ciphers have been removed from the default list:
 - `TLS_RSA_WITH_AES_128_CBC_SHA`
 - `TLS_RSA_WITH_AES_256_CBC_SHA`
 - `TLS_RSA_WITH_AES_128_GCM_SHA256`
 - `TLS_RSA_WITH_AES_256_GCM_SHA384`
 To enable these ciphers, please set the option `CipherSuites` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tlsrsakex=1`.
 ### Minimum TLS Version
 > By default, the minimum version offered by `crypto/tls` servers is now TLS 1.2 if not specified with config.MinimumVersion,
 > matching the behavior of crypto/tls clients.
 > This change can be reverted with the `tls10server=1 GODEBUG` setting.
 > (https://go.dev/doc/go1.22#crypto/tls)
 To enable TLS 1.0, please set the option `MinVersion` to `VersionTLS10` in your [TLS configuration](../https/tls.md#cipher-suites) or set the environment variable `GODEBUG=tls10server=1`.
 ## v2.11.1
 ### Maximum Router Priority Value
 Before v2.11.1, the maximum user-defined router priority value is:
 - `MaxInt32` for 32-bit platforms,
 - `MaxInt64` for 64-bit platforms.
 Please check out the [go documentation](https://pkg.go.dev/math#pkg-constants) for more information.
 In v2.11.1, Traefik reserves a range of priorities for its internal routers and now, 
 the maximum user-defined router priority value is:
 - `(MaxInt32 - 1000)` for 32-bit platforms,
 - `(MaxInt64 - 1000)` for 64-bit platforms.
 ### EntryPoint.Transport.RespondingTimeouts.<Timeout>
 Starting with `v2.11.1` the following timeout options are deprecated:
 - `<entryPoint>.transport.respondingTimeouts.readTimeout`
 - `<entryPoint>.transport.respondingTimeouts.writeTimeout`
 - `<entryPoint>.transport.respondingTimeouts.idleTimeout`
 They have been replaced by:
 - `<entryPoint>.transport.respondingTimeouts.http.readTimeout`
 - `<entryPoint>.transport.respondingTimeouts.http.writeTimeout`
 - `<entryPoint>.transport.respondingTimeouts.http.idleTimeout`
 ### EntryPoint.Transport.RespondingTimeouts.TCP.LingeringTimeout
 Starting with `v2.11.1` a new `lingeringTimeout` entryPoints option has been introduced, with a default value of 2s.
 The lingering timeout defines the maximum duration between each TCP read operation on the connection.
 As a layer 4 timeout, it applies during HTTP handling but respects the configured HTTP server `readTimeout`.
 This change avoids Traefik instances with the default configuration hanging while waiting for bytes to be read on the connection.
 We suggest to adapt this value accordingly to your situation.
 The new default value is purposely narrowed and can close the connection too early.
 Increasing the `lingeringTimeout` value could be the solution notably if you are dealing with the following errors:
 - TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
 - HTTP: `'499 Client Closed Request' caused by: context canceled`
 - HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
 ## v2.11.2
 ### LingeringTimeout
 Starting with `v2.11.2` the `<entrypoint>.transport.respondingTimeouts.tcp.lingeringTimeout` introduced in `v2.11.1` has been removed.
 ### RespondingTimeouts.TCP and RespondingTimeouts.HTTP
 Starting with `v2.11.2` the `respondingTimeouts.tcp` and `respondingTimeouts.http` sections introduced in `v2.11.1` have been removed.
 To configure the responding timeouts, please use the [`respondingTimeouts`](../routing/entrypoints.md#respondingtimeouts) section.  
 ### EntryPoint.Transport.RespondingTimeouts.ReadTimeout
 Starting with `v2.11.2` the entryPoints [`readTimeout`](../routing/entrypoints.md#respondingtimeouts) option default value changed to 60 seconds.
 For HTTP, this option defines the maximum duration for reading the entire request, including the body.
 For TCP, this option defines the maximum duration for the first bytes to be read on the connection.
 The default value was previously set to zero, which means no timeout.
 This change has been done to avoid Traefik instances with the default configuration to be hanging forever while waiting for bytes to be read on the connection.
 Increasing the `readTimeout` value could be the solution notably if you are dealing with the following errors:
 - TCP: `Error while handling TCP connection: readfrom tcp X.X.X.X:X->X.X.X.X:X: read tcp X.X.X.X:X->X.X.X.X:X: i/o timeout`
 - HTTP: `'499 Client Closed Request' caused by: context canceled`
 - HTTP: `ReverseProxy read error during body copy: read tcp X.X.X.X:X->X.X.X.X:X: use of closed network connection`
 ## v2.11.3
 ### Connection headers
 In `v2.11.3`, the handling of the request Connection headers directives has changed to prevent any abuse.
 Before, Traefik removed any header listed in the Connection header just before forwarding the request to the backends.
 Now, Traefik removes the headers listed in the Connection header as soon as the request is handled.
 As a consequence, middlewares do not have access to those Connection headers,
 and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
 Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.
 ## v2.11.14
 ### `X-Forwarded-Prefix`
 In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
 Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.
 ## v2.11.24
 ### Request Path Sanitization
 Since `v2.11.24`, the incoming request path is now cleaned before being used to match the router rules and sent to the backends.
 Any `/../`, `/./` or duplicate slash segments in the request path is interpreted and/or collapsed.
 If you want to disable this behavior, you can set the [`sanitizePath` option](../routing/entrypoints.md#sanitizepath) to `false` in the entryPoint HTTP configuration.
 This can be useful when dealing with legacy clients that are not url-encoding data in the request path.
 For example, as base64 uses the “/” character internally,
 if it's not url encoded,
 it can lead to unsafe routing when the `sanitizePath` option is set to `false`.
 !!! warning "Security"
    Setting the `sanitizePath` option to `false` is not safe.
    Ensure every request is properly url encoded instead.
 ## v2.11.25
 ### Request Path Normalization
 Since `v2.11.25`, the request path is now normalized by decoding unreserved characters in the request path,
 and also uppercasing the percent-encoded characters.
 This follows [RFC 3986 percent-encoding normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.2),
 and [RFC 3986 case normalization](https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1).
 The normalization happens before the request path is sanitized,
 and cannot be disabled.
 This notably helps with encoded dots characters (which are unreserved characters) to be sanitized properly.
 ### Routing Path
 Since `v2.11.25`, the reserved characters [(as per RFC 3986)](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2) are kept encoded in the request path when matching the router rules.
 Those characters, when decoded, change the meaning of the request path for routing purposes,
 and Traefik now keeps them encoded to avoid any ambiguity.
 ### Request Path Matching Examples
 | Request Path      | Router Rule            | Traefik v2.11.24 | Traefik v2.11.25 |
 |-------------------|------------------------|------------------|------------------|
 | `/foo%2Fbar`      | PathPrefix(`/foo/bar`) | Match            | No match         |
 | `/foo/../bar`     | PathPrefix(`/foo`)     | No match         | No match         |
 | `/foo/../bar`     | PathPrefix(`/bar`)     | Match            | Match            |
 | `/foo/%2E%2E/bar` | PathPrefix(`/foo`)     | Match            | No match         |
 | `/foo/%2E%2E/bar` | PathPrefix(`/bar`)     | No match         | Match            |
 ## v2.11.28
 ### MultiPath TCP
 Since `v2.11.28`, the MultiPath TCP support introduced with `v2.11.26` has been removed.
 It appears that enabling MPTCP on some platforms can cause Traefik to stop with the following error logs message:
 - `set tcp X.X.X.X:X->X.X.X.X:X: setsockopt: operation not supported`
 However, it can be re-enabled by setting the `multipathtcp` variable in the GODEBUG environment variable, see the related [go documentation](https://go.dev/doc/godebug#go-124).
--- a/docs/content/migrate/v3.md
+++ b/docs/content/migrate/v3.md
@ -113,9 +113,9 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.3/docs/con
 **Updated Resources:**
- [TraefikService](../../routing/services/#mirroring-service) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
+- [TraefikService](../routing/services/index.md#mirroring-service) ([PR #11032](https://github.com/traefik/traefik/pull/11032))
- [RateLimit](../../middlewares/http/ratelimit/) & [InFlightReq](../../middlewares/http/inflightreq/) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
+- [RateLimit](../middlewares/http/ratelimit.md) & [InFlightReq](../middlewares/http/inflightreq.md) middlewares ([PR #9747](https://github.com/traefik/traefik/pull/9747))
- [Compress](../../middlewares/http/compress/) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))
+- [Compress](../middlewares/http/compress.md) middleware ([PR #10943](https://github.com/traefik/traefik/pull/10943))
 ### Kubernetes Gateway Provider Standard Channel
@ -326,7 +326,7 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/con
 !!! warning "Deprecation"
    The `RoundRobin` strategy is deprecated but still supported (equivalent to `wrr`). It will be removed in the next major release.
-Refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for detailed information.
+Refer to the [HTTP Services Load Balancing documentation](../routing/services/index.md#load-balancing-strategy) for detailed information.
 #### ServersTransport CA Certificate Configuration
--- a/docs/content/observe/logs-and-access-logs.md
+++ b/docs/content/observe/logs-and-access-logs.md
@ -173,7 +173,7 @@ The available filters are:
 When using the `json` format, you can customize which fields are included in your access logs.
- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#available-fields).
+- **Request Fields:** You can choose to `keep`, `drop`, or `redact` any of the standard request fields. A complete list of available fields like `ClientHost`, `RequestMethod`, and `Duration` can be found in the [reference documentation](../reference/install-configuration/observability/logs-and-accesslogs.md#json-format-fields).
 - **Request Headers:** You can also specify which request headers should be included in the logs, and whether their values should be `kept`, `dropped`, or `redacted`.
 !!! info
--- a/docs/content/operations/api.md
+++ b/docs/content/operations/api.md
@ -46,7 +46,7 @@ And then define a routing configuration on Traefik itself with the
 --8<-- "content/operations/include-api-examples.md"
-??? warning "The router's [rule](../../routing/routers/#rule) must catch requests for the URI path `/api`"
+??? warning "The router's [rule](../routing/routers/index.md#rule) must catch requests for the URI path `/api`"
    Using an "Host" rule is recommended, by catching all the incoming traffic on this host domain to the API.
    However, you can also use "path prefix" rule or any combination or rules.
@ -109,7 +109,7 @@ api:
 --api.dashboard=true
 ```
-!!! warning "With Dashboard enabled, the router [rule](../../routing/routers/#rule) must catch requests for both `/api` and `/dashboard`"
+!!! warning "With Dashboard enabled, the router [rule](../routing/routers/index.md#rule) must catch requests for both `/api` and `/dashboard`"
    Please check the [Dashboard documentation](./dashboard.md#dashboard-router-rule) to learn more about this and to get examples.
 ### `debug`
--- a/docs/content/operations/dashboard.md
+++ b/docs/content/operations/dashboard.md
@ -11,7 +11,7 @@ See What's Going On
 The dashboard is the central place that shows you the current active routes handled by Traefik.
 <figure>
-    <img src="../../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
+    <img src="../assets/img/webui-dashboard.png" alt="Dashboard - Providers" />
    <figcaption>The dashboard in action</figcaption>
 </figure>
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@ -477,7 +477,7 @@ _Optional, Default=true_
 Expose Consul Catalog services by default in Traefik.
 If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
@ -672,7 +672,7 @@ providers:
 # ...
 ```
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ### `namespaces`
--- a/docs/content/providers/docker.md
+++ b/docs/content/providers/docker.md
@ -380,7 +380,7 @@ _Optional, Default=true_
 Expose containers by default through Traefik.
 If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
@ -554,7 +554,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/providers/ecs.md
+++ b/docs/content/providers/ecs.md
@ -214,7 +214,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@ -384,7 +384,7 @@ _Optional, Default=true_
 Expose Nomad services by default in Traefik.
 If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
@ -504,7 +504,7 @@ providers:
 # ...
 ```
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ### `namespaces`
--- a/docs/content/providers/swarm.md
+++ b/docs/content/providers/swarm.md
@ -424,7 +424,7 @@ _Optional, Default=true_
 Expose containers by default through Traefik.
 If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
@ -621,7 +621,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/reference/install-configuration/providers/docker.md
+++ b/docs/content/reference/install-configuration/providers/docker.md
@ -45,7 +45,7 @@ services:
 | <a id="opt-providers-docker-username" href="#opt-providers-docker-username" title="#opt-providers-docker-username">`providers.docker.username`</a> | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.|  ""    | No   |
 | <a id="opt-providers-docker-password" href="#opt-providers-docker-password" title="#opt-providers-docker-password">`providers.docker.password`</a> | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.|  ""    | No   |
 | <a id="opt-providers-docker-useBindPortIP" href="#opt-providers-docker-useBindPortIP" title="#opt-providers-docker-useBindPortIP">`providers.docker.useBindPortIP`</a> | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information |  false   | No   |
-| <a id="opt-providers-docker-exposedByDefault" href="#opt-providers-docker-exposedByDefault" title="#opt-providers-docker-exposedByDefault">`providers.docker.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information |  true    | No   |
+| <a id="opt-providers-docker-exposedByDefault" href="#opt-providers-docker-exposedByDefault" title="#opt-providers-docker-exposedByDefault">`providers.docker.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#exposedbydefault-and-traefikenable) for additional information |  true    | No   |
 | <a id="opt-providers-docker-network" href="#opt-providers-docker-network" title="#opt-providers-docker-network">`providers.docker.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.docker.network` label.|  ""    | No   |
 | <a id="opt-providers-docker-defaultRule" href="#opt-providers-docker-defaultRule" title="#opt-providers-docker-defaultRule">`providers.docker.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information. |  ```"Host(`{{ normalize .Name }}`)"```  | No   |
 | <a id="opt-providers-docker-httpClientTimeout" href="#opt-providers-docker-httpClientTimeout" title="#opt-providers-docker-httpClientTimeout">`providers.docker.httpClientTimeout`</a> | Defines the client timeout (in seconds) for HTTP connections. If its value is 0, no timeout is set. |  0   | No   |
@ -306,7 +306,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md
+++ b/docs/content/reference/install-configuration/providers/hashicorp/consul-catalog.md
@ -36,7 +36,7 @@ Attaching tags to services:
 | <a id="opt-providers-consulCatalog-refreshInterval" href="#opt-providers-consulCatalog-refreshInterval" title="#opt-providers-consulCatalog-refreshInterval">`providers.consulCatalog.refreshInterval`</a> | Defines the polling interval.|  15s    | No   |
 | <a id="opt-providers-consulCatalog-prefix" href="#opt-providers-consulCatalog-prefix" title="#opt-providers-consulCatalog-prefix">`providers.consulCatalog.prefix`</a> | Defines the prefix for Consul Catalog tags defining Traefik labels.|  traefik    | yes   |
 | <a id="opt-providers-consulCatalog-requireConsistent" href="#opt-providers-consulCatalog-requireConsistent" title="#opt-providers-consulCatalog-requireConsistent">`providers.consulCatalog.requireConsistent`</a> | Forces the read to be fully consistent. See [here](#requireconsistent) for more information.|  false    | yes   |
-| <a id="opt-providers-consulCatalog-exposedByDefault" href="#opt-providers-consulCatalog-exposedByDefault" title="#opt-providers-consulCatalog-exposedByDefault">`providers.consulCatalog.exposedByDefault`</a> | Expose Consul Catalog services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery). | true | no |
+| <a id="opt-providers-consulCatalog-exposedByDefault" href="#opt-providers-consulCatalog-exposedByDefault" title="#opt-providers-consulCatalog-exposedByDefault">`providers.consulCatalog.exposedByDefault`</a> | Expose Consul Catalog services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#exposedbydefault-and-traefikenable). | true | no |
 | <a id="opt-providers-consulCatalog-defaultRule" href="#opt-providers-consulCatalog-defaultRule" title="#opt-providers-consulCatalog-defaultRule">`providers.consulCatalog.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information. |   ```"Host(`{{ normalize .Name }}`)"```   | No   |
 | <a id="opt-providers-consulCatalog-connectAware" href="#opt-providers-consulCatalog-connectAware" title="#opt-providers-consulCatalog-connectAware">`providers.consulCatalog.connectAware`</a> | Enable Consul Connect support. If set to `true`, Traefik will be enabled to communicate with Connect services.   | false   | No |
 | <a id="opt-providers-consulCatalog-connectByDefault" href="#opt-providers-consulCatalog-connectByDefault" title="#opt-providers-consulCatalog-connectByDefault">`providers.consulCatalog.connectByDefault`</a> | Consider every service as Connect capable by default. If set to true, Traefik will consider every Consul Catalog service to be Connect capable by default. The option can be overridden on an instance basis with the traefik.consulcatalog.connect tag. | false   | No |
@ -166,7 +166,7 @@ providers:
 # ...
 ```
-For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#exposedbydefault-and-traefikenable).
 ### `namespaces`
--- a/docs/content/reference/install-configuration/providers/hashicorp/nomad.md
+++ b/docs/content/reference/install-configuration/providers/hashicorp/nomad.md
@ -46,7 +46,7 @@ service {
 | <a id="opt-providers-nomad-throttleDuration" href="#opt-providers-nomad-throttleDuration" title="#opt-providers-nomad-throttleDuration">`providers.nomad.throttleDuration`</a> | Defines how often the provider is allowed to handle service events from Nomad. This option is only compatible when the `watch` option is enabled |  0s     | No   |
 | <a id="opt-providers-nomad-defaultRule" href="#opt-providers-nomad-defaultRule" title="#opt-providers-nomad-defaultRule">`providers.nomad.defaultRule`</a> | The Default Host rule for all services. See [here](#defaultrule) for more information |   ```"Host(`{{ normalize .Name }}`)"```   | No   |
 | <a id="opt-providers-nomad-constraints" href="#opt-providers-nomad-constraints" title="#opt-providers-nomad-constraints">`providers.nomad.constraints`</a> | Defines an expression that Traefik matches against the container labels to determine whether to create any route for that container. See [here](#constraints) for more information.  |  ""   | No   |
-| <a id="opt-providers-nomad-exposedByDefault" href="#opt-providers-nomad-exposedByDefault" title="#opt-providers-nomad-exposedByDefault">`providers.nomad.exposedByDefault`</a> | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#restrict-the-scope-of-service-discovery) for additional information |  true    | No   |
+| <a id="opt-providers-nomad-exposedByDefault" href="#opt-providers-nomad-exposedByDefault" title="#opt-providers-nomad-exposedByDefault">`providers.nomad.exposedByDefault`</a> | Expose Nomad services by default in Traefik. If set to `false`, services that do not have a `traefik.enable=true` tag will be ignored from the resulting routing configuration. See [here](../overview.md#exposedbydefault-and-traefikenable) for additional information |  true    | No   |
 | <a id="opt-providers-nomad-allowEmptyServices" href="#opt-providers-nomad-allowEmptyServices" title="#opt-providers-nomad-allowEmptyServices">`providers.nomad.allowEmptyServices`</a> |  Instructs the provider to create any [servers load balancer](../../../../routing/services/index.md#servers-load-balancer) defined for Docker containers regardless of the [healthiness](https://docs.docker.com/engine/reference/builder/#healthcheck) of the corresponding containers. |  false   | No   |
 | <a id="opt-providers-nomad-prefix" href="#opt-providers-nomad-prefix" title="#opt-providers-nomad-prefix">`providers.nomad.prefix`</a> | Defines the prefix for Nomad service tags defining Traefik labels. | `traefik`     | yes   |
 | <a id="opt-providers-nomad-stale" href="#opt-providers-nomad-stale" title="#opt-providers-nomad-stale">`providers.nomad.stale`</a> | Instructs Traefik to use stale consistency for Nomad service API reads. See [here](#stale) for more information | false   | No   |
@ -245,7 +245,7 @@ providers:
 # ...
 ```
-For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#exposedbydefault-and-traefikenable).
 ## Routing Configuration
--- a/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
+++ b/docs/content/reference/install-configuration/providers/kubernetes/kubernetes-crd.md
@ -108,18 +108,18 @@ See the dedicated section in [routing](../../../../routing/providers/kubernetes-
 <!-- markdownlint-disable MD013 -->
-| Resource  | Purpose    |
+| Resource                                                                                                                                                                                            | Purpose                                                           |
-|--------------------------------------------------|--------------------------------------------------------------------|
+|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|
-| <a id="opt-IngressRoute" href="#opt-IngressRoute" title="#opt-IngressRoute">[IngressRoute](../../../../routing/providers/kubernetes-crd.md#kind-ingressroute)</a> | HTTP Routing     |
+| <a id="opt-IngressRoute" href="#opt-IngressRoute" title="#opt-IngressRoute">[IngressRoute](../../../routing-configuration/kubernetes/crd/http/ingressroute.md)</a> | HTTP Routing                                                      |
-| <a id="opt-Middleware" href="#opt-Middleware" title="#opt-Middleware">[Middleware](../../../../middlewares/http/overview.md)</a> | Tweaks the HTTP requests before they are sent to your service  |
+| <a id="opt-Middleware" href="#opt-Middleware" title="#opt-Middleware">[Middleware](../../../routing-configuration/kubernetes/crd/http/middleware.md)</a> | Tweaks the HTTP requests before they are sent to your service     |
-| <a id="opt-TraefikService" href="#opt-TraefikService" title="#opt-TraefikService">[TraefikService](../../../../routing/providers/kubernetes-crd.md#kind-traefikservice)</a> | Abstraction for HTTP loadbalancing/mirroring  | 
+| <a id="opt-TraefikService" href="#opt-TraefikService" title="#opt-TraefikService">[TraefikService](../../../routing-configuration/kubernetes/crd/http/traefikservice.md)</a> | Abstraction for HTTP loadbalancing/mirroring                      | 
-| <a id="opt-TLSOptions" href="#opt-TLSOptions" title="#opt-TLSOptions">[TLSOptions](../../../../routing/providers/kubernetes-crd.md#kind-tlsoption)</a> | Allows configuring some parameters of the TLS connection  |
+| <a id="opt-TLSOptions" href="#opt-TLSOptions" title="#opt-TLSOptions">[TLSOptions](../../../routing-configuration/kubernetes/crd/http/tlsoption.md)</a> | Allows configuring some parameters of the TLS connection          |
-| <a id="opt-TLSStores" href="#opt-TLSStores" title="#opt-TLSStores">[TLSStores](../../../../routing/providers/kubernetes-crd.md#kind-tlsstore)</a> | Allows configuring the default TLS store    |  
+| <a id="opt-TLSStores" href="#opt-TLSStores" title="#opt-TLSStores">[TLSStores](../../../routing-configuration/kubernetes/crd/http/tlsstore.md)</a> | Allows configuring the default TLS store                          |  
-| <a id="opt-ServersTransport" href="#opt-ServersTransport" title="#opt-ServersTransport">[ServersTransport](../../../../routing/providers/kubernetes-crd.md#kind-serverstransport)</a> | Allows configuring the transport between Traefik and the backends | 
+| <a id="opt-ServersTransport" href="#opt-ServersTransport" title="#opt-ServersTransport">[ServersTransport](../../../routing-configuration/kubernetes/crd/http/serverstransport.md)</a> | Allows configuring the transport between Traefik and the backends | 
-| <a id="opt-IngressRouteTCP" href="#opt-IngressRouteTCP" title="#opt-IngressRouteTCP">[IngressRouteTCP](../../../../routing/providers/kubernetes-crd.md#kind-ingressroutetcp)</a> | TCP Routing  | 
+| <a id="opt-IngressRouteTCP" href="#opt-IngressRouteTCP" title="#opt-IngressRouteTCP">[IngressRouteTCP](../../../routing-configuration/kubernetes/crd/tcp/ingressroutetcp.md)</a> | TCP Routing                                                       | 
-| <a id="opt-MiddlewareTCP" href="#opt-MiddlewareTCP" title="#opt-MiddlewareTCP">[MiddlewareTCP](../../../../routing/providers/kubernetes-crd.md#kind-middlewaretcp)</a> | Tweaks the TCP requests before they are sent to your service       |
+| <a id="opt-MiddlewareTCP" href="#opt-MiddlewareTCP" title="#opt-MiddlewareTCP">[MiddlewareTCP](../../../routing-configuration/kubernetes/crd/tcp/middlewaretcp.md)</a> | Tweaks the TCP requests before they are sent to your service      |
-| <a id="opt-ServersTransportTCP" href="#opt-ServersTransportTCP" title="#opt-ServersTransportTCP">[ServersTransportTCP](../../../../routing/providers/kubernetes-crd.md#kind-serverstransporttc)</a> | Allows configuring the transport between Traefik and the backends |
+| <a id="opt-ServersTransportTCP" href="#opt-ServersTransportTCP" title="#opt-ServersTransportTCP">[ServersTransportTCP](../../../routing-configuration/kubernetes/crd/tcp/serverstransporttcp.md)</a> | Allows configuring the transport between Traefik and the backends |
-| <a id="opt-IngressRouteUDP" href="#opt-IngressRouteUDP" title="#opt-IngressRouteUDP">[IngressRouteUDP](../../../../routing/providers/kubernetes-crd.md#kind-ingressrouteudp)</a> | UDP Routing       |
+| <a id="opt-IngressRouteUDP" href="#opt-IngressRouteUDP" title="#opt-IngressRouteUDP">[IngressRouteUDP](../../../routing-configuration/kubernetes/crd/udp/ingressrouteudp.md)</a> | UDP Routing                                                       |
 ## Particularities
--- a/docs/content/reference/install-configuration/providers/others/ecs.md
+++ b/docs/content/reference/install-configuration/providers/others/ecs.md
@ -103,7 +103,7 @@ providers:
 # ...
 ```
-For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](../overview.md#exposedbydefault-and-traefikenable).
 ### `defaultRule`
--- a/docs/content/reference/install-configuration/providers/swarm.md
+++ b/docs/content/reference/install-configuration/providers/swarm.md
@ -50,7 +50,7 @@ services:
 | <a id="opt-providers-swarm-username" href="#opt-providers-swarm-username" title="#opt-providers-swarm-username">`providers.swarm.username`</a> | Defines the username for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.                                                                                                                                                                                                      | ""                                    | No       |
 | <a id="opt-providers-swarm-password" href="#opt-providers-swarm-password" title="#opt-providers-swarm-password">`providers.swarm.password`</a> | Defines the password for Basic HTTP authentication. This should be used when the Docker daemon socket is exposed through an HTTP proxy that requires Basic HTTP authentication.                                                                                                                                                                                                      | ""                                    | No       |
 | <a id="opt-providers-swarm-useBindPortIP" href="#opt-providers-swarm-useBindPortIP" title="#opt-providers-swarm-useBindPortIP">`providers.swarm.useBindPortIP`</a> | Instructs Traefik to use the IP/Port attached to the container's binding instead of its inner network IP/Port. See [here](#usebindportip) for more information                                                                                                                                                                                                                       | false                                 | No       |
-| <a id="opt-providers-swarm-exposedByDefault" href="#opt-providers-swarm-exposedByDefault" title="#opt-providers-swarm-exposedByDefault">`providers.swarm.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#restrict-the-scope-of-service-discovery) for additional information                                                                                                                                                                                                                                           | true                                  | No       |
+| <a id="opt-providers-swarm-exposedByDefault" href="#opt-providers-swarm-exposedByDefault" title="#opt-providers-swarm-exposedByDefault">`providers.swarm.exposedByDefault`</a> | Expose containers by default through Traefik. See [here](./overview.md#exposedbydefault-and-traefikenable) for additional information                                                                                                                                                                                                                                           | true                                  | No       |
 | <a id="opt-providers-swarm-network" href="#opt-providers-swarm-network" title="#opt-providers-swarm-network">`providers.swarm.network`</a> | Defines a default docker network to use for connections to all containers. This option can be overridden on a per-container basis with the `traefik.swarm.network` label.                                                                                                                                                                                                            | ""                                    | No       |
 | <a id="opt-providers-swarm-defaultRule" href="#opt-providers-swarm-defaultRule" title="#opt-providers-swarm-defaultRule">`providers.swarm.defaultRule`</a> | Defines what routing rule to apply to a container if no rule is defined by a label. See [here](#defaultrule) for more information                                                                                                                                                                                                                                                    | ```"Host(`{{ normalize .Name }}`)"``` | No       |
 | <a id="opt-providers-swarm-refreshSeconds" href="#opt-providers-swarm-refreshSeconds" title="#opt-providers-swarm-refreshSeconds">`providers.swarm.refreshSeconds`</a> | Defines the polling interval for Swarm Mode.                                                                                                                                                                                                                                                                                                                                         | "15s"                                 | No       |
@ -312,7 +312,7 @@ as well as the usual boolean logic, as shown in examples below.
    constraints = "LabelRegex(`a.label.name`, `a.+`)"
    ```
-For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
+For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#exposedbydefault-and-traefikenable).
 ```yaml tab="File (YAML)"
 providers:
--- a/docs/content/reference/install-configuration/tls/spiffe.md
+++ b/docs/content/reference/install-configuration/tls/spiffe.md
@ -44,7 +44,7 @@ spiffe:
 ## ServersTransport
 Enabling SPIFFE does not imply that backend connections are going to use it automatically.
-Each [ServersTransport](../../../routing/services/index.md#serverstransport_1) or [TCPServersTransport](../../../routing/services/index.md#serverstransport_2), that is meant to be secured with SPIFFE, must explicitly enable it (see [SPIFFE with ServersTransport](../../../routing/services/index.md#spiffe) or [SPIFFE with TCPServersTransport](../../../routing/services/index.md#spiffe_1)).
+Each [ServersTransport](../../routing-configuration/http/load-balancing/serverstransport.md) or [TCPServersTransport](../../routing-configuration/tcp/serverstransport.md), that is meant to be secured with SPIFFE, must explicitly enable it (see [SPIFFE with ServersTransport](../../routing-configuration/http/load-balancing/serverstransport.md#opt-spiffe) or [SPIFFE with TCPServersTransport](../../routing-configuration/tcp/serverstransport.md#opt-serverstransport-spiffe)).
 ### Configuration Example
--- a/docs/content/reference/routing-configuration/http/load-balancing/serverstransport.md
+++ b/docs/content/reference/routing-configuration/http/load-balancing/serverstransport.md
@ -94,19 +94,20 @@ labels:
 ## Configuration Options
-| Field | Description                                               | Default              | Required |
+| Field                                                                                                                                                                                                          | Description                                                                                                                              | Default | Required |
-|:------|:----------------------------------------------------------|:---------------------|:---------|
+|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-serverName" href="#opt-serverName" title="#opt-serverName">`serverName`</a> | Configures the server name that will be used as the SNI. | "" | No |
+| <a id="opt-serverName" href="#opt-serverName" title="#opt-serverName">`serverName`</a> | Configures the server name that will be used as the SNI.                                                                                 | ""      | No       |
-| <a id="opt-certificates" href="#opt-certificates" title="#opt-certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS. | [] | No |
+| <a id="opt-certificates" href="#opt-certificates" title="#opt-certificates">`certificates`</a> | Defines the list of certificates (as file paths, or data bytes) that will be set as client certificates for mTLS.                        | []      | No       |
-| <a id="opt-insecureSkipVerify" href="#opt-insecureSkipVerify" title="#opt-insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified. | false  | No |
+| <a id="opt-insecureSkipVerify" href="#opt-insecureSkipVerify" title="#opt-insecureSkipVerify">`insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified.                                                               | false   | No       |
-| <a id="opt-rootcas" href="#opt-rootcas" title="#opt-rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections). | [] | No |
+| <a id="opt-rootcas" href="#opt-rootcas" title="#opt-rootcas">`rootcas`</a> | Set of root certificate authorities to use when verifying server certificates. (for mTLS connections).                                   | []      | No       |
-| <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host. | 200 | No |
+| <a id="opt-maxIdleConnsPerHost" href="#opt-maxIdleConnsPerHost" title="#opt-maxIdleConnsPerHost">`maxIdleConnsPerHost`</a> | Maximum idle (keep-alive) connections to keep per-host.                                                                                  | 200     | No       |
-| <a id="opt-disableHTTP2" href="#opt-disableHTTP2" title="#opt-disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers. | false | No |
+| <a id="opt-disableHTTP2" href="#opt-disableHTTP2" title="#opt-disableHTTP2">`disableHTTP2`</a> | Disables HTTP/2 for connections with servers.                                                                                            | false   | No       |
-| <a id="opt-peerCertURI" href="#opt-peerCertURI" title="#opt-peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification. | "" | No |
+| <a id="opt-peerCertURI" href="#opt-peerCertURI" title="#opt-peerCertURI">`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                             | ""      | No       |
-| <a id="opt-forwardingTimeouts-dialTimeout" href="#opt-forwardingTimeouts-dialTimeout" title="#opt-forwardingTimeouts-dialTimeout">`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout | 30s  | No |
+| <a id="opt-forwardingTimeouts-dialTimeout" href="#opt-forwardingTimeouts-dialTimeout" title="#opt-forwardingTimeouts-dialTimeout">`forwardingTimeouts.dialTimeout`</a> | Amount of time to wait until a connection to a server can be established.<br />0 = no timeout                                            | 30s     | No       |
-| <a id="opt-forwardingTimeouts-responseHeaderTimeout" href="#opt-forwardingTimeouts-responseHeaderTimeout" title="#opt-forwardingTimeouts-responseHeaderTimeout">`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />0 = no timeout | 0s  | No |
+| <a id="opt-forwardingTimeouts-responseHeaderTimeout" href="#opt-forwardingTimeouts-responseHeaderTimeout" title="#opt-forwardingTimeouts-responseHeaderTimeout">`forwardingTimeouts.responseHeaderTimeout`</a> | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).<br />0 = no timeout | 0s      | No       |
-| <a id="opt-forwardingTimeouts-idleConnTimeout" href="#opt-forwardingTimeouts-idleConnTimeout" title="#opt-forwardingTimeouts-idleConnTimeout">`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />0 = no timeout | 90s  | No |
+| <a id="opt-forwardingTimeouts-idleConnTimeout" href="#opt-forwardingTimeouts-idleConnTimeout" title="#opt-forwardingTimeouts-idleConnTimeout">`forwardingTimeouts.idleConnTimeout`</a> | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.<br />0 = no timeout                       | 90s     | No       |
-| <a id="opt-forwardingTimeouts-readIdleTimeout" href="#opt-forwardingTimeouts-readIdleTimeout" title="#opt-forwardingTimeouts-readIdleTimeout">`forwardingTimeouts.readIdleTimeout`</a> | Defines the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection.  | 0s  | No |
+| <a id="opt-forwardingTimeouts-readIdleTimeout" href="#opt-forwardingTimeouts-readIdleTimeout" title="#opt-forwardingTimeouts-readIdleTimeout">`forwardingTimeouts.readIdleTimeout`</a> | Defines the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection.    | 0s      | No       |
-| <a id="opt-forwardingTimeouts-pingTimeout" href="#opt-forwardingTimeouts-pingTimeout" title="#opt-forwardingTimeouts-pingTimeout">`forwardingTimeouts.pingTimeout`</a> | Defines the timeout after which the HTTP/2 connection will be closed if a response to ping is not received. | 15s  | No |
+| <a id="opt-forwardingTimeouts-pingTimeout" href="#opt-forwardingTimeouts-pingTimeout" title="#opt-forwardingTimeouts-pingTimeout">`forwardingTimeouts.pingTimeout`</a> | Defines the timeout after which the HTTP/2 connection will be closed if a response to ping is not received.                              | 15s     | No       |
-| <a id="opt-spiffe-ids" href="#opt-spiffe-ids" title="#opt-spiffe-ids">`spiffe.ids`</a> | Defines the allowed SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain. | []  | No |
+| <a id="opt-spiffe" href="#opt-spiffe" title="#opt-spiffe">`spiffe`</a> | Defines the SPIFFE configuration. An empty `spiffe` section enables SPIFFE (that allows any SPIFFE ID).                                  |         | No       |
-| <a id="opt-spiffe-trustDomain" href="#opt-spiffe-trustDomain" title="#opt-spiffe-trustDomain">`spiffe.trustDomain`</a> | Defines the SPIFFE trust domain. | ""  | No |
+| <a id="opt-spiffe-ids" href="#opt-spiffe-ids" title="#opt-spiffe-ids">`spiffe.ids`</a> | Defines the allowed SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain.                                                  | []      | No       |
 | <a id="opt-spiffe-trustDomain" href="#opt-spiffe-trustDomain" title="#opt-spiffe-trustDomain">`spiffe.trustDomain`</a> | Defines the SPIFFE trust domain.                                                                                                         | ""      | No       |
--- a/docs/content/reference/routing-configuration/http/routing/router.md
+++ b/docs/content/reference/routing-configuration/http/routing/router.md
@ -23,6 +23,11 @@ http:
        - "ratelimit"
      tls:
        certResolver: "letsencrypt"
        options: "modern"
        domains:
          - main: "example.com"
            sans:
              - "www.example.com"
      observability:
        metrics: true
        accessLogs: true
@ -41,6 +46,11 @@ http:
    [http.routers.my-router.tls]
      certResolver = "letsencrypt"
      options = "modern"
      [[http.routers.my-router.tls.domains]]
        main = "example.com"
        sans = ["www.example.com"]
    [http.routers.my-router.observability]
      metrics = true
@ -56,6 +66,9 @@ labels:
  - "traefik.http.routers.my-router.middlewares=auth,ratelimit"
  - "traefik.http.routers.my-router.service=my-service"
  - "traefik.http.routers.my-router.tls.certresolver=letsencrypt"
  - "traefik.http.routers.my-router.tls.options=modern"
  - "traefik.http.routers.my-router.tls.domains[0].main=example.com"
  - "traefik.http.routers.my-router.tls.domains[0].sans=www.example.com"
  - "traefik.http.routers.my-router.observability.metrics=true"
  - "traefik.http.routers.my-router.observability.accessLogs=true"
  - "traefik.http.routers.my-router.observability.tracing=true"
@ -70,6 +83,9 @@ labels:
    "traefik.http.routers.my-router.middlewares=auth,ratelimit",
    "traefik.http.routers.my-router.service=my-service",
    "traefik.http.routers.my-router.tls.certresolver=letsencrypt",
    "traefik.http.routers.my-router.tls.options=modern",
    "traefik.http.routers.my-router.tls.domains[0].main=example.com",
    "traefik.http.routers.my-router.tls.domains[0].sans=www.example.com",
    "traefik.http.routers.my-router.observability.metrics=true",
    "traefik.http.routers.my-router.observability.accessLogs=true",
    "traefik.http.routers.my-router.observability.tracing=true"
@ -79,18 +95,22 @@ labels:
 ## Configuration Options
-| Field                              | Description                                                                                                                                                                                                                                                                                                                                                                                | Default | Required |
+| Field                                                                                              | Description                                                                                                                                                                                                                                                                                                          | Default                     | Required |
-|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
+|----------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------|----------|
-| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, HTTP routers are attached to all entry points. | All entry points | No |
+| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, HTTP routers are attached to all entry points.                                                                                                                                                                                           | All entry points            | No       |
-| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
+| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular request matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the request to the service. See [Rules & Priority](./rules-and-priority.md) for details.              |                             | Yes      |
-| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
+| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid path overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length                 | No       |
-| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [Middlewares overview](../middlewares/overview.md) for available middlewares. | | No |
+| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [Middlewares overview](../middlewares/overview.md) for available middlewares.                                                                                                                    |                             | No       |
-| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle HTTPS requests. See [TLS overview](../tls/overview.md) for detailed TLS configuration. | | No |
+| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle HTTPS requests.                                                                                                                                                                                                                        |                             | No       |
-| <a id="opt-observability" href="#opt-observability" title="#opt-observability">`observability`</a> | Observability configuration for the router. Allows fine-grained control over access logs, metrics, and tracing per router. See [Observability](./observability.md) for details. | Inherited from entry points | No |
+| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation. See [Certificate Resolver](../tls/overview.md#certificate-resolver) for details.                                                                                                                                                   |                             | No       |
-| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched requests. Services can be load balancer services, weighted round robin, mirroring, or failover services. See [Service](../load-balancing/service.md) for details.| | Yes |
+| <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | The name of the TLS options to use for configuring TLS parameters (cipher suites, min/max TLS version, client authentication, etc.). See [TLS Options](../tls/tls-options.md) for detailed configuration.                                                                                                            | `default`                   | No       |
-
+| <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. When using ACME certificate resolvers, domains are automatically extracted from router rules, making this option optional.                                                                                       |                             | No       |
 | <a id="opt-observability" href="#opt-observability" title="#opt-observability">`observability`</a> | Observability configuration for the router. Allows fine-grained control over access logs, metrics, and tracing per router. See [Observability](./observability.md) for details.                                                                                                                                      | Inherited from entry points | No       |
 | <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched requests. Services can be load balancer services, weighted round robin, mirroring, or failover services. See [Service](../load-balancing/service.md) for details.                                                                                               |                             | Yes      |
 ## Router Naming
 - The character `@` is not authorized in the router name
 - In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules
 {!traefik-for-business-applications.md!}
--- a/docs/content/reference/routing-configuration/http/tls/overview.md
+++ b/docs/content/reference/routing-configuration/http/tls/overview.md
@ -1,10 +1,103 @@
 ---
-title: "Traefik TLS Documentation"
+title: "Traefik HTTP TLS Documentation"
-description: "Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation."
+description: "Learn how to configure the transport layer security (TLS) connection for HTTP services in Traefik Proxy. Read the technical documentation."
 ---
-Traefik's TLS configuration defines how TLS negotiation is handled for incoming connections.
+## General
-The next section of this documentation explains how to configure TLS connections through a definition in the dynamic configuration and how to configure TLS options, and certificates stores.
+When an HTTP router is configured to handle HTTPS traffic, include a `tls` field in its definition.
 This field tells Traefik that the router should process only TLS requests and ignore non-TLS traffic.
 By default, an HTTP router with a TLS field will terminate the TLS connections,
 meaning that it will send decrypted data to the services.
 The TLS configuration provides several options for fine-tuning the TLS behavior,
 including automatic certificate generation, custom TLS options, and explicit domain specification.
 ## Configuration Example
 ```yaml tab="Structured (YAML)"
 http:
  routers:
    my-https-router:
      rule: "Host(`example.com`) && Path(`/api`)"
      service: "my-http-service"
      tls:
        certResolver: "letsencrypt"
        options: "modern-tls"
        domains:
          - main: "example.com"
            sans:
              - "www.example.com"
              - "api.example.com"
 ```
 ```toml tab="Structured (TOML)"
 [http.routers.my-https-router]
  rule = "Host(`example.com`) && Path(`/api`)"
  service = "my-http-service"
  [http.routers.my-https-router.tls]
    certResolver = "letsencrypt"
    options = "modern-tls"
    [[http.routers.my-https-router.tls.domains]]
      main = "example.com"
      sans = ["www.example.com", "api.example.com"]
 ```
 ```yaml tab="Labels"
 labels:
  - "traefik.http.routers.my-https-router.rule=Host(`example.com`) && Path(`/api`)"
  - "traefik.http.routers.my-https-router.service=my-http-service"
  - "traefik.http.routers.my-https-router.tls=true"
  - "traefik.http.routers.my-https-router.tls.certresolver=letsencrypt"
  - "traefik.http.routers.my-https-router.tls.options=modern-tls"
  - "traefik.http.routers.my-https-router.tls.domains[0].main=example.com"
  - "traefik.http.routers.my-https-router.tls.domains[0].sans=www.example.com,api.example.com"
 ```
 ```json tab="Tags"
 {
  "Tags": [
    "traefik.http.routers.my-https-router.rule=Host(`example.com`) && Path(`/api`)",
    "traefik.http.routers.my-https-router.service=my-http-service",
    "traefik.http.routers.my-https-router.tls=true",
    "traefik.http.routers.my-https-router.tls.certresolver=letsencrypt",
    "traefik.http.routers.my-https-router.tls.options=modern-tls",
    "traefik.http.routers.my-https-router.tls.domains[0].main=example.com",
    "traefik.http.routers.my-https-router.tls.domains[0].sans=www.example.com,api.example.com"
  ]
 }
 ```
 ## Configuration Options
 | Field                                                                              | Description                                                                                                                                                                                                    | Default   | Required |
 |:-----------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------|:---------|
 | <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | The name of the TLS options to use for configuring TLS parameters (cipher suites, min/max TLS version, client authentication, etc.). See [TLS Options](./tls-options.md) for detailed configuration.           | `default` | No       |
 | <a id="opt-certResolver" href="#opt-certResolver" title="#opt-certResolver">`certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation via ACME providers (such as Let's Encrypt). See the [Certificate Resolver](./#certificate-resolver) section for more details. | ""        | No       |
 | <a id="opt-domains" href="#opt-domains" title="#opt-domains">`domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. See the [Custom Domains](./#custom-domains) section for more details.                                      | []        | No       |
 ## Certificate Resolver
 The `tls.certResolver` option allows you to specify a certificate resolver for automatic certificate generation via ACME providers (such as Let's Encrypt).
 When a certificate resolver is configured for a router,
 Traefik will automatically obtain and manage TLS certificates for the domains specified in the router's rule (in the `Host` matcher) or in the `tls.domains` configuration (with `tls.domains` taking precedence).
 !!! important "Prerequisites"
    - Certificate resolvers must be defined in the [static configuration](../../../install-configuration/tls/certificate-resolvers/acme.md)
    - The router must have `tls` enabled
    - An ACME challenge type must be configured for the certificate resolver
 ## Custom Domains
 When using ACME certificate resolvers, domains are automatically extracted from router rules,
 but the `tls.domains` option allows you to explicitly specify the domains and Subject Alternative Names (SANs) for which certificates should be generated.
 This provides fine-grained control over certificate generation and takes precedence over domains automatically extracted from router rules.
 Every domain must have A/AAAA records pointing to Traefik.
 {!traefik-for-business-applications.md!}
--- a/docs/content/reference/routing-configuration/kubernetes/crd/tcp/ingressroutetcp.md
+++ b/docs/content/reference/routing-configuration/kubernetes/crd/tcp/ingressroutetcp.md
@ -3,7 +3,7 @@ title: "Kubernetes IngressRouteTCP"
 description: "An IngressRouteTCP is a Traefik CRD is in charge of connecting incoming TCP connections to the Services that can handle them."
 ---
-`IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../../../tcp/router/rules-and-priority.md).
+`IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../../../tcp/routing/rules-and-priority.md).
 Before creating `IngressRouteTCP` objects, you need to apply the [Traefik Kubernetes CRDs](https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions) to your Kubernetes cluster.
@ -39,7 +39,6 @@ spec:
      serversTransport: transport
      nativeLB: true
      nodePortLB: true
      tls: false
  tls:
    secretName: supersecret
@ -57,33 +56,33 @@ spec:
 ## Configuration Options
-| Field                                |  Description                    | Default                                   | Required |
+| Field                                | Description                                                                                                                                                                                                                                                                                  | Default                                   | Required |
-|-------------------------------------|-----------------------------|-------------------------------------------|-----------------------|
+|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------|-----------------------|
-| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names. | | No |
+| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | List of entrypoints names.                                                                                                                                                                                                                                                                   | | No |
-| <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes. | | Yes |
+| <a id="opt-routes" href="#opt-routes" title="#opt-routes">`routes`</a> | List of routes.                                                                                                                                                                                                                                                                              | | Yes |
-| <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/router/rules-and-priority.md#rules) of the underlying router. | | Yes |
+| <a id="opt-routesn-match" href="#opt-routesn-match" title="#opt-routesn-match">`routes[n].match`</a> | Defines the [rule](../../../tcp/routing/rules-and-priority.md#rules) of the underlying router.                                                                                                                                                                                               | | Yes |
-| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../tcp/router/rules-and-priority.md#priority) to disambiguate rules of the same length, for route matching. | | No |
+| <a id="opt-routesn-priority" href="#opt-routesn-priority" title="#opt-routesn-priority">`routes[n].priority`</a> | Defines the [priority](../../../tcp/routing/rules-and-priority.md#priority-calculation) to disambiguate rules of the same length, for route matching.                                                                                                                                        | | No |
-| <a id="opt-routesn-middlewaresn-name" href="#opt-routesn-middlewaresn-name" title="#opt-routesn-middlewaresn-name">`routes[n].middlewares[n].name`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) name. | | Yes |
+| <a id="opt-routesn-middlewaresn-name" href="#opt-routesn-middlewaresn-name" title="#opt-routesn-middlewaresn-name">`routes[n].middlewares[n].name`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) name.                                                                                                                                                                                                                                        | | Yes |
-| <a id="opt-routesn-middlewaresn-namespace" href="#opt-routesn-middlewaresn-namespace" title="#opt-routesn-middlewaresn-namespace">`routes[n].middlewares[n].namespace`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace. | ""| No|
+| <a id="opt-routesn-middlewaresn-namespace" href="#opt-routesn-middlewaresn-namespace" title="#opt-routesn-middlewaresn-namespace">`routes[n].middlewares[n].namespace`</a> | Defines the [MiddlewareTCP](./middlewaretcp.md) namespace.                                                                                                                                                                                                                                   | ""| No|
-| <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions. | | No |
+| <a id="opt-routesn-services" href="#opt-routesn-services" title="#opt-routesn-services">`routes[n].services`</a> | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions.                                                                                                                                                                                  | | No |
-| <a id="opt-routesn-servicesn-name" href="#opt-routesn-servicesn-name" title="#opt-routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). | | Yes |
+| <a id="opt-routesn-servicesn-name" href="#opt-routesn-servicesn-name" title="#opt-routesn-servicesn-name">`routes[n].services[n].name`</a> | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/).                                                                                                                                                                                | | Yes |
-| <a id="opt-routesn-servicesn-port" href="#opt-routesn-servicesn-port" title="#opt-routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.| | Yes |
+| <a id="opt-routesn-servicesn-port" href="#opt-routesn-servicesn-port" title="#opt-routesn-servicesn-port">`routes[n].services[n].port`</a> | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port.                                                                                                                                       | | Yes |
-| <a id="opt-routesn-servicesn-weight" href="#opt-routesn-servicesn-weight" title="#opt-routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing. | 1 | No |
+| <a id="opt-routesn-servicesn-weight" href="#opt-routesn-servicesn-weight" title="#opt-routesn-servicesn-weight">`routes[n].services[n].weight`</a> | Defines the weight to apply to the server load balancing.                                                                                                                                                                                                                                    | 1 | No |
-| <a id="opt-routesn-servicesn-proxyProtocol" href="#opt-routesn-servicesn-proxyProtocol" title="#opt-routesn-servicesn-proxyProtocol">`routes[n].services[n].proxyProtocol`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration. |  | No |
+| <a id="opt-routesn-servicesn-proxyProtocol" href="#opt-routesn-servicesn-proxyProtocol" title="#opt-routesn-servicesn-proxyProtocol">`routes[n].services[n].proxyProtocol`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) configuration.                                                                                                                                                               |  | No |
-| <a id="opt-routesn-servicesn-proxyProtocol-version" href="#opt-routesn-servicesn-proxyProtocol-version" title="#opt-routesn-servicesn-proxyProtocol-version">`routes[n].services[n].proxyProtocol.version`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version. |  | No |
+| <a id="opt-routesn-servicesn-proxyProtocol-version" href="#opt-routesn-servicesn-proxyProtocol-version" title="#opt-routesn-servicesn-proxyProtocol-version">`routes[n].services[n].proxyProtocol.version`</a> | Defines the [PROXY protocol](../../../../install-configuration/entrypoints.md#proxyprotocol-and-load-balancers) version.                                                                                                                                                                     |  | No |
-| <a id="opt-routesn-servicesn-serversTransport" href="#opt-routesn-servicesn-serversTransport" title="#opt-routesn-servicesn-serversTransport">`routes[n].services[n].serversTransport`</a> | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace. |  | No |
+| <a id="opt-routesn-servicesn-serversTransport" href="#opt-routesn-servicesn-serversTransport" title="#opt-routesn-servicesn-serversTransport">`routes[n].services[n].serversTransport`</a> | Defines the [ServersTransportTCP](./serverstransporttcp.md).<br />The `ServersTransport` namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace.                                                                    |  | No |
-| <a id="opt-routesn-servicesn-nativeLB" href="#opt-routesn-servicesn-nativeLB" title="#opt-routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information. | false | No |
+| <a id="opt-routesn-servicesn-nativeLB" href="#opt-routesn-servicesn-nativeLB" title="#opt-routesn-servicesn-nativeLB">`routes[n].services[n].nativeLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See [here](#nativelb) for more information.                                                                                         | false | No |
 | <a id="opt-routesn-servicesn-nodePortLB" href="#opt-routesn-servicesn-nodePortLB" title="#opt-routesn-servicesn-nodePortLB">`routes[n].services[n].nodePortLB`</a> | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is `NodePort`. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
-| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration. |  | No |
+| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | Defines [TLS](../../../../install-configuration/tls/certificate-resolvers/overview.md) certificate configuration.                                                                                                                                                                            |  | No |
-| <a id="opt-tls-secretName" href="#opt-tls-secretName" title="#opt-tls-secretName">`tls.secretName`</a> | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace). | "" | No |
+| <a id="opt-tls-secretName" href="#opt-tls-secretName" title="#opt-tls-secretName">`tls.secretName`</a> | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace).                                                                                                                                        | "" | No |
-| <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | Defines the reference to a [TLSOption](../http/tlsoption.md). | "" | No |
+| <a id="opt-tls-options" href="#opt-tls-options" title="#opt-tls-options">`tls.options`</a> | Defines the reference to a [TLSOption](tlsoption.md).                                                                                                                                                                                                                                        | "" | No |
-| <a id="opt-tls-options-name" href="#opt-tls-options-name" title="#opt-tls-options-name">`tls.options.name`</a> | Defines the [TLSOption](../http/tlsoption.md) name. | "" | No |
+| <a id="opt-tls-options-name" href="#opt-tls-options-name" title="#opt-tls-options-name">`tls.options.name`</a> | Defines the [TLSOption](tlsoption.md) name.                                                                                                                                                                                                                                                  | "" | No |
-| <a id="opt-tls-options-namespace" href="#opt-tls-options-namespace" title="#opt-tls-options-namespace">`tls.options.namespace`</a> | Defines the [TLSOption](../http/tlsoption.md) namespace. | "" | No |
+| <a id="opt-tls-options-namespace" href="#opt-tls-options-namespace" title="#opt-tls-options-namespace">`tls.options.namespace`</a> | Defines the [TLSOption](tlsoption.md) namespace.                                                                                                                                                                                                                                             | "" | No |
-| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md). | "" | No |
+| <a id="opt-tls-certResolver" href="#opt-tls-certResolver" title="#opt-tls-certResolver">`tls.certResolver`</a> | Defines the reference to a [CertResolver](../../../../install-configuration/tls/certificate-resolvers/overview.md).                                                                                                                                                                          | "" | No |
-| <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains. | "" | No |
+| <a id="opt-tls-domains" href="#opt-tls-domains" title="#opt-tls-domains">`tls.domains`</a> | List of domains.                                                                                                                                                                                                                                                                             | "" | No |
-| <a id="opt-tls-domainsn-main" href="#opt-tls-domainsn-main" title="#opt-tls-domainsn-main">`tls.domains[n].main`</a> | Defines the main domain name. | "" | No |
+| <a id="opt-tls-domainsn-main" href="#opt-tls-domainsn-main" title="#opt-tls-domainsn-main">`tls.domains[n].main`</a> | Defines the main domain name.                                                                                                                                                                                                                                                                | "" | No |
-| <a id="opt-tls-domainsn-sans" href="#opt-tls-domainsn-sans" title="#opt-tls-domainsn-sans">`tls.domains[n].sans`</a> | List of SANs (alternative domains).  | "" | No |
+| <a id="opt-tls-domainsn-sans" href="#opt-tls-domainsn-sans" title="#opt-tls-domainsn-sans">`tls.domains[n].sans`</a> | List of SANs (alternative domains).                                                                                                                                                                                                                                                          | "" | No |
-| <a id="opt-tls-passthrough" href="#opt-tls-passthrough" title="#opt-tls-passthrough">`tls.passthrough`</a> | If `true`, delegates the TLS termination to the backend. | false | No |
+| <a id="opt-tls-passthrough" href="#opt-tls-passthrough" title="#opt-tls-passthrough">`tls.passthrough`</a> | If `true`, delegates the TLS termination to the backend.                                                                                                                                                                                                                                     | false | No |
 ### ExternalName Service
--- a/docs/content/reference/routing-configuration/kubernetes/crd/udp/ingressrouteudp.md
+++ b/docs/content/reference/routing-configuration/kubernetes/crd/udp/ingressrouteudp.md
@ -3,7 +3,7 @@ title: "IngressRouteUDP"
 description: "Understand the routing configuration for the Kubernetes IngressRouteUDP & Traefik CRD"
 ---
-`IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../../../udp/router/rules-priority.md).
+`IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../../../udp/routing/rules-priority.md).
 Before creating `IngressRouteUDP` objects, you need to apply the [Traefik Kubernetes CRDs](https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/#definitions) to your Kubernetes cluster.
--- a/docs/content/reference/routing-configuration/kubernetes/gateway-api.md
+++ b/docs/content/reference/routing-configuration/kubernetes/gateway-api.md
@ -748,7 +748,6 @@ By default, NativeLB is `false`.
    Note that it is possible to override the default value by using the option [`nativeLBByDefault`](../../install-configuration/providers/kubernetes/kubernetes-gateway.md) at the provider level. 
 ```yaml
 ---
 apiVersion: v1
 kind: Service
 metadata:
@ -757,7 +756,10 @@ metadata:
  annotations:
    traefik.io/service.nativelb: "true"
 spec:
-[...]
+  ports:
    - name: web
      port: 80
 ```
 {!traefik-for-business-applications.md!}
--- a/docs/content/reference/routing-configuration/other-providers/consul-catalog.md
+++ b/docs/content/reference/routing-configuration/other-providers/consul-catalog.md
@ -385,7 +385,7 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
 ??? info "`traefik.tcp.routers.<router_name>.rule`"
-    See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
+    See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
    ```yaml
    traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
@ -405,7 +405,7 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
    ```
 ??? info "`traefik.tcp.routers.<router_name>.priority`"
-    See [priority](../tcp/router/rules-and-priority.md#priority) for more information.
+    See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information.
    ```yaml
    - "traefik.tcp.routers.mytcprouter.priority=42"
    ```
@ -460,7 +460,7 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
 ??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
-    See [Passthrough](../tcp/tls.md#passthrough) for more information.
+    See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
    ```yaml
    traefik.tcp.routers.mytcprouter.tls.passthrough=true
@ -485,14 +485,6 @@ You can declare TCP Routers, Middlewares and/or Services using tags.
    traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
    See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
    ```yaml
    traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
    Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
--- a/docs/content/reference/routing-configuration/other-providers/docker.md
+++ b/docs/content/reference/routing-configuration/other-providers/docker.md
@ -498,7 +498,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.rule`"
-    See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
+    See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
    ```yaml
     "traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
@ -565,7 +565,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
-    See [TLS](../tcp/tls.md#passthrough) for more information.
+    See [TLS](../tcp/tls.md#opt-passthrough) for more information.
    ```yaml
     "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
@ -573,7 +573,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.priority`"
-    See [priority](../tcp/router/rules-and-priority.md) for more information.
+    See [priority](../tcp/routing/rules-and-priority.md) for more information.
    ```yaml
     "traefik.tcp.routers.mytcprouter.priority=42"
@ -597,14 +597,6 @@ You can declare TCP Routers and/or Services using labels.
     "traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true"
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
    See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
    ```yaml
     "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
    Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
--- a/docs/content/reference/routing-configuration/other-providers/ecs.md
+++ b/docs/content/reference/routing-configuration/other-providers/ecs.md
@ -454,7 +454,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
-    See [Passthrough](../tcp/tls.md#passthrough) for more information.
+    See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
    ```yaml
    traefik.tcp.routers.mytcprouter.tls.passthrough=true
@ -462,7 +462,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.priority`"
-    See [priority](../tcp/router/rules-and-priority.md#priority) for more information.
+    See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information.
    ```yaml
    traefik.tcp.routers.mytcprouter.priority=42
@ -494,14 +494,6 @@ You can declare TCP Routers and/or Services using labels.
    traefik.http.services.myservice.loadbalancer.server.weight=42
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
    See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
    ```yaml
    traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
    Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
--- a/docs/content/reference/routing-configuration/other-providers/kv.md
+++ b/docs/content/reference/routing-configuration/other-providers/kv.md
@ -140,7 +140,7 @@ You can declare TCP Routers and/or Services using KV.
 | <a id="opt-traefiktcproutersmytcproutertlsdomains0sans1" href="#opt-traefiktcproutersmytcproutertlsdomains0sans1" title="#opt-traefiktcproutersmytcproutertlsdomains0sans1">`traefik/tcp/routers/mytcprouter/tls/domains/0/sans/1`</a> | See [TLS](../tcp/tls.md) for more information. | `dev.example.org`  |
 | <a id="opt-traefiktcproutersmytcproutertlsoptions" href="#opt-traefiktcproutersmytcproutertlsoptions" title="#opt-traefiktcproutersmytcproutertlsoptions">`traefik/tcp/routers/mytcprouter/tls/options`</a> | See [TLS](../tcp/tls.md) for more information. | `foobar` |
 | <a id="opt-traefiktcproutersmytcproutertlspassthrough" href="#opt-traefiktcproutersmytcproutertlspassthrough" title="#opt-traefiktcproutersmytcproutertlspassthrough">`traefik/tcp/routers/mytcprouter/tls/passthrough`</a> | See [TLS](../tcp/tls.md) for more information. | `true` |
-| <a id="opt-traefiktcproutersmytcprouterpriority" href="#opt-traefiktcproutersmytcprouterpriority" title="#opt-traefiktcproutersmytcprouterpriority">`traefik/tcp/routers/mytcprouter/priority`</a> | See [priority](../tcp/router/rules-and-priority.md#priority) for more information. | `42`  |
+| <a id="opt-traefiktcproutersmytcprouterpriority" href="#opt-traefiktcproutersmytcprouterpriority" title="#opt-traefiktcproutersmytcprouterpriority">`traefik/tcp/routers/mytcprouter/priority`</a> | See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information. | `42`  |
 #### Services
@ -148,10 +148,9 @@ You can declare TCP Routers and/or Services using KV.
 |--------------------------------------------------------------------|--------------------------------------------------------------------|------------------|
 | <a id="opt-traefiktcpservicesmytcpserviceloadbalancerservers0address" href="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0address" title="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0address">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/address`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `xx.xx.xx.xx:xx` |
 | <a id="opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls" href="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls" title="#opt-traefiktcpservicesmytcpserviceloadbalancerservers0tls">`traefik/tcp/services/mytcpservice/loadbalancer/servers/0/tls`</a> | See [servers](../tcp/service.md#servers-load-balancer) for more information. | `true` |
 | <a id="opt-traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion" href="#opt-traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion" title="#opt-traefiktcpservicesmytcpserviceloadbalancerproxyprotocolversion">`traefik/tcp/services/mytcpservice/loadbalancer/proxyprotocol/version`</a> | See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information. | `1`   |
 | <a id="opt-traefiktcpservicesmyserviceloadbalancerserverstransport" href="#opt-traefiktcpservicesmyserviceloadbalancerserverstransport" title="#opt-traefiktcpservicesmyserviceloadbalancerserverstransport">`traefik/tcp/services/myservice/loadbalancer/serverstransport`</a> | Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.<br/>See [serverstransport](../tcp/serverstransport.md) for more information. | `foobar@file` |
 | <a id="opt-traefiktcpservicesservice-nameweightedservices0name" href="#opt-traefiktcpservicesservice-nameweightedservices0name" title="#opt-traefiktcpservicesservice-nameweightedservices0name">`traefik/tcp/services/<service_name>/weighted/services/0/name`</a> | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `foobar` |
-| <a id="opt-traefiktcpservicesservice-nameweightedservices0weight" href="#opt-traefiktcpservicesservice-nameweightedservices0weight" title="#opt-traefiktcpservicesservice-nameweightedservices0weight">`traefik/tcp/services/<service_name>/weighted/services/0/weight`</a> | See [Service](../tcp/service.md#weighted-round-robin-wrr) for more information. | `42`  |
+| <a id="opt-traefiktcpservicesservice-nameweightedservices0weight" href="#opt-traefiktcpservicesservice-nameweightedservices0weight" title="#opt-traefiktcpservicesservice-nameweightedservices0weight">`traefik/tcp/services/<service_name>/weighted/services/0/weight`</a> | See [Service](../tcp/service.md#weighted-round-robin) for more information. | `42`  |
 #### Middleware
@ -205,8 +204,8 @@ You can declare UDP Routers and/or Services using KV.
 | Key (Path)                                                       | Description                                                       | Value |
 |------------------------------------------------------------------|------------------------------------------------------------------|-------|
-| <a id="opt-traefikudproutersmyudprouterentrypoints0" href="#opt-traefikudproutersmyudprouterentrypoints0" title="#opt-traefikudproutersmyudprouterentrypoints0">`traefik/udp/routers/myudprouter/entrypoints/0`</a> | See [UDP Router](../udp/router/rules-priority.md#entrypoints) for more information. | `foobar`  |
+| <a id="opt-traefikudproutersmyudprouterentrypoints0" href="#opt-traefikudproutersmyudprouterentrypoints0" title="#opt-traefikudproutersmyudprouterentrypoints0">`traefik/udp/routers/myudprouter/entrypoints/0`</a> | See [UDP Router](../udp/routing/rules-priority.md#entrypoints) for more information. | `foobar`  |
-| <a id="opt-traefikudproutersmyudprouterservice" href="#opt-traefikudproutersmyudprouterservice" title="#opt-traefikudproutersmyudprouterservice">`traefik/udp/routers/myudprouter/service`</a> | See [UDP Router](../udp/router/rules-priority.md#configuration-example) for more information. | `foobar`  |
+| <a id="opt-traefikudproutersmyudprouterservice" href="#opt-traefikudproutersmyudprouterservice" title="#opt-traefikudproutersmyudprouterservice">`traefik/udp/routers/myudprouter/service`</a> | See [UDP Router](../udp/routing/rules-priority.md#configuration-example) for more information. | `foobar`  |
 #### Services
--- a/docs/content/reference/routing-configuration/other-providers/nomad.md
+++ b/docs/content/reference/routing-configuration/other-providers/nomad.md
@ -377,7 +377,7 @@ You can declare TCP Routers and/or Services using tags.
 ??? info "`traefik.tcp.routers.<router_name>.rule`"
-    See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
+    See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
    ```yaml
    traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
@ -398,7 +398,7 @@ You can declare TCP Routers and/or Services using tags.
 ??? info "`traefik.tcp.routers.<router_name>.priority`"
-    See [priority](../tcp/router/rules-and-priority.md#priority) for more information.
+    See [priority](../tcp/routing/rules-and-priority.md#priority-calculation) for more information.
    ```yaml
    traefik.tcp.routers.myrouter.priority=42
@ -454,7 +454,7 @@ You can declare TCP Routers and/or Services using tags.
 ??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
-    See [Passthrough](../tcp/tls.md#passthrough) for more information.
+    See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
    ```yaml
    traefik.tcp.routers.mytcprouter.tls.passthrough=true
@ -478,14 +478,6 @@ You can declare TCP Routers and/or Services using tags.
    traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
    See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
    ```yaml
    traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
    Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
--- a/docs/content/reference/routing-configuration/other-providers/swarm.md
+++ b/docs/content/reference/routing-configuration/other-providers/swarm.md
@ -520,7 +520,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.rule`"
-    See [rule](../tcp/router/rules-and-priority.md#rules) for more information.
+    See [rule](../tcp/routing/rules-and-priority.md#rules) for more information.
    ```yaml
    - "traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)"
@ -589,7 +589,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.tls.passthrough`"
-    See [Passthrough](../tcp/tls.md#passthrough) for more information.
+    See [Passthrough](../tcp/tls.md#opt-passthrough) for more information.
    ```yaml
    - "traefik.tcp.routers.mytcprouter.tls.passthrough=true"
@ -597,7 +597,7 @@ You can declare TCP Routers and/or Services using labels.
 ??? info "`traefik.tcp.routers.<router_name>.priority`"
-    See [priority](../tcp/router/rules-and-priority.md) for more information.
+    See [priority](../tcp/routing/rules-and-priority.md) for more information.
    ```yaml
    - "traefik.tcp.routers.myrouter.priority=42"
@ -621,14 +621,6 @@ You can declare TCP Routers and/or Services using labels.
    - "traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true"
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version`"
    See [PROXY protocol](../tcp/service.md#proxy-protocol) for more information.
    ```yaml
    - "traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1"
    ```
 ??? info "`traefik.tcp.services.<service_name>.loadbalancer.serverstransport`"
    Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
--- a/docs/content/reference/routing-configuration/tcp/routing/router.md
+++ b/docs/content/reference/routing-configuration/tcp/routing/router.md
@ -26,6 +26,11 @@ tcp:
      tls:
        passthrough: false
        certResolver: "letsencrypt"
        options: "modern-tls"
        domains:
          - main: "example.com"
            sans:
              - "www.example.com"
      service: my-tcp-service
 ```
@ -41,6 +46,11 @@ tcp:
    [tcp.routers.my-tcp-router.tls]
      passthrough = false
      certResolver = "letsencrypt"
      options = "modern-tls"
      [[tcp.routers.my-tcp-router.tls.domains]]
        main = "example.com"
        sans = ["www.example.com"]
 ```
 ```yaml tab="Labels"
@ -51,6 +61,9 @@ labels:
  - "traefik.tcp.routers.my-tcp-router.middlewares=tcp-ipallowlist"
  - "traefik.tcp.routers.my-tcp-router.tls.certresolver=letsencrypt"
  - "traefik.tcp.routers.my-tcp-router.tls.passthrough=false"
  - "traefik.tcp.routers.my-tcp-router.tls.options=modern-tls"
  - "traefik.tcp.routers.my-tcp-router.tls.domains[0].main=example.com"
  - "traefik.tcp.routers.my-tcp-router.tls.domains[0].sans=www.example.com"
  - "traefik.tcp.routers.my-tcp-router.service=my-tcp-service"
 ```
@ -63,6 +76,9 @@ labels:
    "traefik.tcp.routers.my-tcp-router.middlewares=tcp-ipallowlist",
    "traefik.tcp.routers.my-tcp-router.tls.certresolver=letsencrypt",
    "traefik.tcp.routers.my-tcp-router.tls.passthrough=false",
    "traefik.tcp.routers.my-tcp-router.tls.options=modern-tls",
    "traefik.tcp.routers.my-tcp-router.tls.domains[0].main=example.com",
    "traefik.tcp.routers.my-tcp-router.tls.domains[0].sans=www.example.com",
    "traefik.tcp.routers.my-tcp-router.service=my-tcp-service"
  ]
 }
@ -70,17 +86,19 @@ labels:
 ## Configuration Options
-| Field                              | Description                                                                                                                                                                                                                                                                                                                                                                                | Default | Required |
+| Field                                                                          | Description                                                                                                                                                                                                                                                                                                          | Default              | Required |
-|------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------|
+|--------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|----------|
-| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, TCP routers are attached to all TCP entry points. | All TCP entry points | No |
+| <a id="opt-entryPoints" href="#opt-entryPoints" title="#opt-entryPoints">`entryPoints`</a> | The list of entry points to which the router is attached. If not specified, TCP routers are attached to all TCP entry points.                                                                                                                                                                                        | All TCP entry points | No       |
-| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the connection to the service. See [Rules & Priority](./rules-and-priority.md) for details. | | Yes |
+| <a id="opt-rule" href="#opt-rule" title="#opt-rule">`rule`</a> | Rules are a set of matchers configured with values, that determine if a particular connection matches specific criteria. If the rule is verified, the router becomes active, calls middlewares, and then forwards the connection to the service. See [Rules & Priority](./rules-and-priority.md) for details.        |                      | Yes      |
-| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid rule overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length | No |
+| <a id="opt-priority" href="#opt-priority" title="#opt-priority">`priority`</a> | To avoid rule overlap, routes are sorted, by default, in descending order using rules length. The priority is directly equal to the length of the rule, and so the longest length has the highest priority. A value of `0` for the priority is ignored. See [Rules & Priority](./rules-and-priority.md) for details. | Rule length          | No       |
-| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [TCP Middlewares overview](../middlewares/overview.md) for available TCP middlewares. | | No |
+| <a id="opt-middlewares" href="#opt-middlewares" title="#opt-middlewares">`middlewares`</a> | The list of middlewares that are applied to the router. Middlewares are applied in the order they are declared. See [TCP Middlewares overview](../middlewares/overview.md) for available TCP middlewares.                                                                                                            |                      | No       |
-| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle TLS connections. See [TLS configuration](../tls.md) for detailed TLS options. | | No |
+| <a id="opt-tls" href="#opt-tls" title="#opt-tls">`tls`</a> | TLS configuration for the router. When specified, the router will only handle TLS connections. See [TLS configuration](../tls.md) for detailed TLS options.                                                                                                                                                          |                      | No       |
-| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched connections. Services can be load balancer services or weighted round robin services. See [TCP Service](../service.md) for details. | | Yes |
+| <a id="opt-service" href="#opt-service" title="#opt-service">`service`</a> | The name of the service that will handle the matched connections. Services can be load balancer services or weighted round robin services. See [TCP Service](../service.md) for details.                                                                                                                             |                      | Yes      |
 ## Router Naming
 - The character `@` is not authorized in the router name
 - Router names should be descriptive and follow your naming conventions
 - In provider-specific configurations (Docker, Kubernetes), router names are often auto-generated based on service names and rules
 {!traefik-for-business-applications.md!}
--- a/docs/content/reference/routing-configuration/tcp/serverstransport.md
+++ b/docs/content/reference/routing-configuration/tcp/serverstransport.md
@ -84,8 +84,8 @@ labels:
 ## Configuration Options
-| Field                                                     | Description                                                                                                                                                                                                        | Default | Required |
+| Field                                                                                                                                                                                                                      | Description                                                                                                                                                                                                        | Default | Required |
-|:----------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
+|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
 | <a id="opt-serverstransport-dialTimeout" href="#opt-serverstransport-dialTimeout" title="#opt-serverstransport-dialTimeout">`serverstransport.`<br />`dialTimeout`</a> | Defines the timeout when dialing the backend TCP service. If zero, no timeout exists.                                                                                                                              | 30s     | No       |
 | <a id="opt-serverstransport-dialKeepAlive" href="#opt-serverstransport-dialKeepAlive" title="#opt-serverstransport-dialKeepAlive">`serverstransport.`<br />`dialKeepAlive`</a> | Defines the interval between keep-alive probes for an active network connection.                                                                                                                                   | 15s     | No       |
 | <a id="opt-serverstransport-terminationDelay" href="#opt-serverstransport-terminationDelay" title="#opt-serverstransport-terminationDelay">`serverstransport.`<br />`terminationDelay`</a> | Sets the time limit for the proxy to fully terminate connections on both sides after initiating the termination sequence, with a negative value indicating no deadline. More Information [here](#terminationdelay) | 100ms   | No       |
@ -97,6 +97,7 @@ labels:
 | <a id="opt-serverstransport-tls-insecureSkipVerify" href="#opt-serverstransport-tls-insecureSkipVerify" title="#opt-serverstransport-tls-insecureSkipVerify">`serverstransport.`<br />`tls`<br />`.insecureSkipVerify`</a> | Controls whether the server's certificate chain and host name is verified.                                                                                                                                         | false   | No       |
 | <a id="opt-serverstransport-tls-rootcas" href="#opt-serverstransport-tls-rootcas" title="#opt-serverstransport-tls-rootcas">`serverstransport.`<br />`tls`<br />`.rootcas`</a> | Defines the root certificate authorities to use when verifying server certificates. (for mTLS connections).                                                                                                        |         | No       |
 | <a id="opt-serverstransport-tls-peerCertURI" href="#opt-serverstransport-tls-peerCertURI" title="#opt-serverstransport-tls-peerCertURI">`serverstransport.`<br />`tls.`<br />`peerCertURI`</a> | Defines the URI used to match against SAN URIs during the server's certificate verification.                                                                                                                       | false   | No       |
 | <a id="opt-serverstransport-spiffe" href="#opt-serverstransport-spiffe" title="#opt-serverstransport-spiffe">`serverstransport.`<br />`spiffe`</a> | Defines the SPIFFE configuration. An empty `spiffe` section enables SPIFFE (that allows any SPIFFE ID).                                                                                                            |         | No       |
 | <a id="opt-serverstransport-spiffe-ids" href="#opt-serverstransport-spiffe-ids" title="#opt-serverstransport-spiffe-ids">`serverstransport.`<br />`spiffe`<br />`.ids`</a> | Allow SPIFFE IDs.<br />This takes precedence over the SPIFFE TrustDomain.                                                                                                                                          |         | No       |
 | <a id="opt-serverstransport-spiffe-trustDomain" href="#opt-serverstransport-spiffe-trustDomain" title="#opt-serverstransport-spiffe-trustDomain">`serverstransport.`<br />`spiffe`<br />`.trustDomain`</a> | Allow SPIFFE trust domain.                                                                                                                                                                                         | ""      | No       |
--- a/docs/content/reference/routing-configuration/tcp/tls.md
+++ b/docs/content/reference/routing-configuration/tcp/tls.md
@ -5,7 +5,7 @@ description: "Learn how to configure the transport layer security (TLS) connecti
 ## General
-When a router is configured to handle HTTPS traffic, include a `tls` field in its definition. This field tells Traefik that the router should process only TLS requests and ignore non-TLS traffic.
+When a TCP router is configured to handle TLS traffic, include a `tls` field in its definition. This field tells Traefik that the router should process only TLS connections and ignore non-TLS traffic.
 By default, a router with a TLS field will terminate the TLS connections, meaning that it will send decrypted data to the services.
@ -94,11 +94,33 @@ labels:
 ## Configuration Options
-| Field   | Description  | Default    | Required |
+| Field                                                                              | Description                                                                                                                                                                                                    | Default | Required |
-|:------------------|:--------------------|:-----------------------------------------------|:---------|
+|:-----------------------------------------------------------------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------|:---------|
-| <a id="opt-passthrough" href="#opt-passthrough" title="#opt-passthrough">`passthrough`</a> | Defines whether the requests should be forwarded "as is", keeping all data encrypted. | false | No |
+| <a id="opt-passthrough" href="#opt-passthrough" title="#opt-passthrough">`passthrough`</a> | Defines whether the requests should be forwarded "as is", keeping all data encrypted.                                                                                                                          | false   | No       |
-| <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | enables fine-grained control of the TLS parameters. It refers to a [TLS Options](../http/tls/tls-certificates.md#tls-options) and will be applied only if a `HostSNI` rule is defined. | "" | No |
+| <a id="opt-options" href="#opt-options" title="#opt-options">`options`</a> | enables fine-grained control of the TLS parameters. It refers to a [TLS Options](../http/tls/tls-options.md) and will be applied only if a `HostSNI` rule is defined.                                          | ""      | No       |
-| <a id="opt-domains" href="#opt-domains" title="#opt-domains">`domains`</a> | Defines a set of SANs (alternative domains) for each main domain. Every domain must have A/AAAA records pointing to Traefik. Each domain & SAN will lead to a certificate request.| [] | No |
+| <a id="opt-certResolver" href="#opt-certResolver" title="#opt-certResolver">`certResolver`</a> | The name of the certificate resolver to use for automatic certificate generation via ACME providers (such as Let's Encrypt). See the [Certificate Resolver](./#certificate-resolver) section for more details. | ""      | No       |
-| <a id="opt-certResolver" href="#opt-certResolver" title="#opt-certResolver">`certResolver`</a> | If defined, Traefik will try to generate certificates based on routers `Host` & `HostSNI` rules. | "" | No |
+| <a id="opt-domains" href="#opt-domains" title="#opt-domains">`domains`</a> | List of domains and Subject Alternative Names (SANs) for explicit certificate domain specification. See the [Custom Domains](./#custom-domains) section for more details.                                      | []      | No       |
 ## Certificate Resolver
 The `tls.certResolver` option allows you to specify a certificate resolver for automatic certificate generation via ACME providers (such as Let's Encrypt).
 When a certificate resolver is configured for a router,
 Traefik will automatically obtain and manage TLS certificates for the domains specified in the router's rule (in the `HostSNI` matcher) or in the `tls.domains` configuration (with `tls.domains` taking precedence).
 !!! important "Prerequisites"
    - Certificate resolvers must be defined in the [static configuration](../../install-configuration/tls/certificate-resolvers/acme.md)
    - The router must have `tls` enabled
    - An ACME challenge type must be configured for the certificate resolver
 ## Custom Domains
 When using ACME certificate resolvers, domains are automatically extracted from router rules,
 but the `tls.domains` option allows you to explicitly specify the domains and Subject Alternative Names (SANs) for which certificates should be generated.
 This provides fine-grained control over certificate generation and takes precedence over domains automatically extracted from router rules.
 Every domain must have A/AAAA records pointing to Traefik.
 {!traefik-for-business-applications.md!}
--- a/docs/content/reference/routing-configuration/udp/routing/router.md
+++ b/docs/content/reference/routing-configuration/udp/routing/router.md
@ -60,7 +60,7 @@ Even though UDP is connectionless, Traefik's UDP router implementation relies on
 Each session has an associated timeout that cleans up inactive sessions after a specified duration of inactivity.
-Session timeout can be configured using the `entryPoints.name.udp.timeout` option in the static configuration. See [EntryPoints documentation](../../install-configuration/entrypoints.md) for details.
+Session timeout can be configured using the `entryPoints.name.udp.timeout` option in the static configuration. See [EntryPoints documentation](../../../install-configuration/entrypoints.md) for details.
 ## Router Naming
--- a/docs/content/user-guides/cert-manager.md
+++ b/docs/content/user-guides/cert-manager.md
@ -56,11 +56,11 @@ The certificates can then be used in an Ingress / IngressRoute / HTTPRoute.
    ```
 Let's see now how to use it with the various Kubernetes providers of Traefik Proxy.
-The enabled providers can be seen on the [dashboard](../../operations/dashboard/) of Traefik Proxy and also in the INFO logs when Traefik Proxy starts.
+The enabled providers can be seen on the [dashboard](../operations/dashboard.md) of Traefik Proxy and also in the INFO logs when Traefik Proxy starts.
 ### With an Ingress
-To use this certificate with an Ingress, the [Kubernetes Ingress](../../providers/kubernetes-ingress/) provider has to be enabled.
+To use this certificate with an Ingress, the [Kubernetes Ingress](../providers/kubernetes-ingress.md) provider has to be enabled.
 !!! info Traefik Helm Chart
@ -94,7 +94,7 @@ To use this certificate with an Ingress, the [Kubernetes Ingress](../../provider
 ### With an IngressRoute
-To use this certificate with an IngressRoute, the [Kubernetes CRD](../../providers/kubernetes-crd/) provider has to be enabled.
+To use this certificate with an IngressRoute, the [Kubernetes CRD](../providers/kubernetes-crd.md) provider has to be enabled.
 !!! info Traefik Helm Chart
@ -124,7 +124,7 @@ To use this certificate with an IngressRoute, the [Kubernetes CRD](../../provide
 ### With an HTTPRoute
-To use this certificate with an HTTPRoute, the [Kubernetes Gateway](../../routing/providers/kubernetes-gateway/) provider has to be enabled.
+To use this certificate with an HTTPRoute, the [Kubernetes Gateway](../routing/providers/kubernetes-gateway.md) provider has to be enabled.
 !!! info Traefik Helm Chart