Merge v2.8 into master

CHANGELOG.md

@@ -1,3 +1,32 @@
+## [v2.8.5](https://github.com/traefik/traefik/tree/v2.8.5) (2022-09-13)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.4...v2.8.5)
+
+**Bug fixes:**
+- **[plugins]** Update Yaegi to v0.14.2 ([#9327](https://github.com/traefik/traefik/pull/9327) by [kevinpollet](https://github.com/kevinpollet))
+- **[server]** Fix IPv6 addr with square brackets ([#9313](https://github.com/traefik/traefik/pull/9313) by [moonlightwatch](https://github.com/moonlightwatch))
+- **[webui,api]** Display default TLS options in the dashboard ([#9312](https://github.com/traefik/traefik/pull/9312) by [skwair](https://github.com/skwair))
+
+**Documentation:**
+- **[docker]** Add healthcheck timeout seconds to value ([#9306](https://github.com/traefik/traefik/pull/9306) by [fty4](https://github.com/fty4))
+- Update deprecation notes about Pilot ([#9314](https://github.com/traefik/traefik/pull/9314) by [nmengin](https://github.com/nmengin))
+- Added resources for businesses ([#9268](https://github.com/traefik/traefik/pull/9268) by [tomatokoolaid](https://github.com/tomatokoolaid))
+
+## [v2.8.4](https://github.com/traefik/traefik/tree/v2.8.4) (2022-09-02)
+[All Commits](https://github.com/traefik/traefik/compare/v2.8.3...v2.8.4)
+
+**Bug fixes:**
+- **[docker,docker/swarm]** Fix Docker provider mem leak on operation retries ([#9288](https://github.com/traefik/traefik/pull/9288) by [rtribotte](https://github.com/rtribotte))
+- **[middleware]** Fix retry middleware on panic ([#9284](https://github.com/traefik/traefik/pull/9284) by [ldez](https://github.com/ldez))
+- **[plugins]** Allow Traefik starting even if plugin service is unavailable ([#9287](https://github.com/traefik/traefik/pull/9287) by [ldez](https://github.com/ldez))
+- chore: update paerser to v0.1.9 ([#9270](https://github.com/traefik/traefik/pull/9270) by [tomMoulard](https://github.com/tomMoulard))
+
+**Documentation:**
+- **[acme]** Fix infoblox acme provider documentation ([#9277](https://github.com/traefik/traefik/pull/9277) by [ldez](https://github.com/ldez))
+- **[k8s/crd]** Fix serversTransport CRD documentation ([#9283](https://github.com/traefik/traefik/pull/9283) by [cuishuang](https://github.com/cuishuang))
+- **[k8s/crd]** Fix k8s for example for rootCAs serversTransport ([#9274](https://github.com/traefik/traefik/pull/9274) by [ben-krieger](https://github.com/ben-krieger))
+- **[k8s]** Add missing networking apiGroup in Kubernetes RBACs examples and references ([#9295](https://github.com/traefik/traefik/pull/9295) by [fibsifan](https://github.com/fibsifan))
+- Update deprecation notes about Pilot ([#9300](https://github.com/traefik/traefik/pull/9300) by [nmengin](https://github.com/nmengin))
+
 ## [v2.8.3](https://github.com/traefik/traefik/tree/v2.8.3) (2022-08-12)
 [All Commits](https://github.com/traefik/traefik/compare/v2.8.2...v2.8.3)
 

cmd/traefik/traefik.go

@@ -226,12 +226,16 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
 	if err != nil {
-		return nil, err
+		log.WithoutContext().WithError(err).Error("Plugins are disabled because an error has occurred.")
 	}
 
 	// Providers plugins
 
 	for name, conf := range staticConfiguration.Providers.Plugin {
+		if pluginBuilder == nil {
+			break
+		}
+
 		p, err := pluginBuilder.BuildProvider(name, conf)
 		if err != nil {
 			return nil, fmt.Errorf("plugin: failed to build provider: %w", err)

docs/content/deprecation/features.md

@@ -14,12 +14,12 @@ This page is maintained and updated periodically to reflect our roadmap and any
 ### Pilot Dashboard (Metrics)
 
 Metrics will continue to function normally up to 2.8, when they will be disabled.  
-In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
+In 3.0, the Pilot platform and all Traefik integration code will be permanently removed.
 
 ### Pilot Plugins 
 
 Starting on 2.7 the pilot token will not be a requirement anymore.  
-At 2.9, a new plugin catalog home should be available, decoupled from pilot.
+Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from pilot.
 
 ### Consul Enterprise Namespace
 

docs/content/getting-started/concepts.md

@@ -39,3 +39,5 @@ You no longer need to create and synchronize configuration files cluttered with
 !!! question "How does Traefik discover the services?"
 
     Traefik is able to use your cluster API to discover the services and read the attached information. In Traefik, these connectors are called [providers](../providers/overview.md) because they _provide_ the configuration to Traefik. To learn more about them, read the [provider overview](../providers/overview.md) section.
+
+{!traefik-for-business-applications.md!}

docs/content/getting-started/configuration-overview.md

@@ -94,17 +94,4 @@ All the configuration options are documented in their related section.
 
 You can browse the available features in the menu, the [providers](../providers/overview.md), or the [routing section](../routing/overview.md) to see them in action.
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/getting-started/install-traefik.md

@@ -179,17 +179,4 @@ And run it:
 
 All the details are available in the [Contributing Guide](../contributing/building-testing.md)
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/getting-started/quick-start-with-kubernetes.md

@@ -53,6 +53,7 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:

docs/content/getting-started/quick-start.md

@@ -116,17 +116,4 @@ IP: 172.27.0.4
 
     Now that you have a basic understanding of how Traefik can automatically create the routes to your services and load balance them, it is time to dive into [the documentation](/) and let Traefik work for you!
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/https/acme.md

@@ -661,23 +661,10 @@ certificatesResolvers:
 If Let's Encrypt is not reachable, the following certificates will apply:
 
   1. Previously generated ACME certificates (before downtime)
-  1. Expired ACME certificates
+  2. Expired ACME certificates
-  1. Provided certificates
+  3. Provided certificates
 
 !!! important
     For new (sub)domains which need Let's Encrypt authentication, the default Traefik certificate will be used until Traefik is restarted.
-    
-!!! question "Using Traefik for Business Applications?"
 
-    If you are using Traefik for commercial applications,
+{!traefik-for-business-applications.md!}
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/https/overview.md

@@ -19,3 +19,5 @@ The next sections of this documentation explain how to configure the TLS connect
 That is to say, how to obtain [TLS certificates](./tls.md#certificates-definition):
 either through a definition in the dynamic configuration, or through [Let's Encrypt](./acme.md) (ACME).
 And how to configure [TLS options](./tls.md#tls-options), and [certificates stores](./tls.md#certificates-stores).
+
+{!traefik-for-business-applications.md!}

docs/content/https/tls.md

@@ -490,3 +490,5 @@ spec:
       - secretCA
     clientAuthType: RequireAndVerifyClientCert
 ```
+
+{!traefik-for-business-applications.md!}

docs/content/includes/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+  "extends": "../../.markdownlint.json",
+  "MD041": false
+}

docs/content/includes/traefik-for-business-applications.md

@@ -0,0 +1,16 @@
+---
+
+!!! question "Using Traefik for Business Applications?"
+
+    If you are using Traefik for commercial applications,
+    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
+    You can use it as your:
+
+    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
+    - [Docker Swarm Ingress Controller](https://traefik.io/solutions/docker-swarm-ingress/)
+    - [API Gateway](https://traefik.io/solutions/api-gateway/)
+
+    Traefik Enterprise enables centralized access management,
+    distributed Let's Encrypt,
+    and other advanced capabilities.
+    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/middlewares/http/headers.md

@@ -469,3 +469,5 @@ The `permissionsPolicy` allows sites to control browser features.
 Set `isDevelopment` to `true` when developing to mitigate the unwanted effects of the `AllowedHosts`, SSL, and STS options.
 Usually testing takes place using HTTP, not HTTPS, and on `localhost`, not your production domain.
 If you would like your development environment to mimic production with complete Host blocking, SSL redirects, and STS headers, leave this as `false`.
+
+{!traefik-for-business-applications.md!}

docs/content/middlewares/http/overview.md

@@ -157,3 +157,5 @@ http:
 ## Community Middlewares
 
 Please take a look at the community-contributed plugins in the [plugin catalog](https://pilot.traefik.io/plugins).
+
+{!traefik-for-business-applications.md!}

docs/content/middlewares/overview.md

@@ -129,3 +129,5 @@ http:
 A list of HTTP middlewares can be found [here](http/overview.md).
 
 A list of TCP middlewares can be found [here](tcp/overview.md).
+
+{!traefik-for-business-applications.md!}

docs/content/migration/v2.md

@@ -50,6 +50,7 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -58,6 +59,7 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:
@@ -147,6 +149,7 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses
     verbs:
@@ -155,6 +158,7 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:

docs/content/operations/dashboard.md

@@ -128,3 +128,5 @@ api:
 
 You can now access the dashboard on the port `8080` of the Traefik instance,
 at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
+
+{!traefik-for-business-applications.md!}

docs/content/providers/docker.md

@@ -750,17 +750,4 @@ providers:
 --providers.docker.allowEmptyServices=true
 ```
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/providers/file.md

@@ -291,3 +291,5 @@ To illustrate, it is possible to easily define multiple routers, services, and T
       # ...
     {{ end }}
     ```
+
+{!traefik-for-business-applications.md!}

docs/content/providers/kubernetes-crd.md

@@ -344,3 +344,5 @@ providers:
 ## Full Example
 
 For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
+
+{!traefik-for-business-applications.md!}

docs/content/providers/kubernetes-ingress.md

@@ -502,17 +502,4 @@ providers:
 To learn more about the various aspects of the Ingress specification that Traefik supports,
 many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.8/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/providers/overview.md

@@ -230,3 +230,5 @@ List of providers that support constraints:
 - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
 - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
 - [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)
+
+{!traefik-for-business-applications.md!}

docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

@@ -26,6 +26,7 @@ rules:
       - watch
   - apiGroups:
       - extensions
+      - networking.k8s.io
     resources:
       - ingresses/status
     verbs:

docs/content/routing/entrypoints.md

@@ -968,17 +968,4 @@ entrypoints.foo.address=:8000/udp
 entrypoints.foo.udp.timeout=10s
 ```
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/routing/overview.md

@@ -406,3 +406,5 @@ serversTransport:
 ## Static configuration
 --serversTransport.forwardingTimeouts.idleConnTimeout=1s
 ```
+
+{!traefik-for-business-applications.md!}

docs/content/routing/providers/docker.md

@@ -368,7 +368,7 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
     See [health check](../services/index.md#health-check) for more information.
 
     ```yaml
-    - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10"
+    - "traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10s"
     ```
 
 ??? info "`traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects`"

docs/content/routing/providers/kubernetes-crd.md

@@ -1782,3 +1782,5 @@ If the ServersTransport CRD is defined in another provider the cross-provider fo
 ## Further
 
 Also see the [full example](../../user-guides/crd-acme/index.md) with Let's Encrypt.
+
+{!traefik-for-business-applications.md!}

docs/content/routing/providers/kubernetes-ingress.md

@@ -47,6 +47,7 @@ which in turn will create the resulting routers, services, handlers, etc.
           - watch
       - apiGroups:
           - extensions
+          - networking.k8s.io
         resources:
           - ingresses/status
         verbs:
@@ -438,6 +439,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
           - watch
       - apiGroups:
           - extensions
+          - networking.k8s.io
         resources:
           - ingresses/status
         verbs:
@@ -645,6 +647,7 @@ For more options, please refer to the available [annotations](#on-ingress).
           - watch
       - apiGroups:
           - extensions
+          - networking.k8s.io
         resources:
           - ingresses/status
         verbs:
@@ -944,3 +947,5 @@ This will allow users to create a "default router" that will match all unmatched
     to avoid this global ingress from satisfying requests that could match other ingresses.
 
     To do this, use the `traefik.ingress.kubernetes.io/router.priority` annotation (as seen in [Annotations on Ingress](#on-ingress)) on your ingresses accordingly.
+
+{!traefik-for-business-applications.md!}

docs/content/routing/routers/index.md

@@ -1330,17 +1330,4 @@ Services are the target for the router.
 
 !!! important "UDP routers can only target UDP services (and not HTTP or TCP services)."
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/routing/services/index.md

@@ -1647,17 +1647,4 @@ udp:
         address = "private-ip-server-2:8080/"
 ```
 
-!!! question "Using Traefik for Business Applications?"
+{!traefik-for-business-applications.md!}
-
-    If you are using Traefik for commercial applications,
-    consider the [Enterprise Edition](https://traefik.io/traefik-enterprise/).
-    You can use it as your:
-
-    - [Kubernetes Ingress Controller](https://traefik.io/solutions/kubernetes-ingress/)
-    - [Load Balancer](https://traefik.io/solutions/docker-swarm-ingress/)
-    - [API Gateway](https://traefik.io/solutions/api-gateway/)
-
-    Traefik Enterprise enables centralized access management,
-    distributed Let's Encrypt,
-    and other advanced capabilities.
-    Learn more in [this 15-minute technical walkthrough](https://info.traefik.io/watch-traefikee-demo).

docs/content/user-guides/docker-compose/basic-example/index.md

@@ -93,3 +93,5 @@ whoami:
     # Allow request only from the predefined entry point named "web"
     - "traefik.http.routers.whoami.entrypoints=web"
 ```
+
+{!traefik-for-business-applications.md!}

docs/mkdocs.yml

@@ -55,9 +55,9 @@ markdown_extensions:
   - pymdownx.tasklist
   - pymdownx.snippets:
       check_paths: true
-#  - markdown_include.include:
+  - markdown_include.include:
-#      base_path: content/includes/
+      base_path: content/includes/
-#      encoding: utf-8
+      encoding: utf-8
   - toc:
       permalink: true
 

go.mod

@@ -60,7 +60,7 @@ require (
 	github.com/stretchr/testify v1.8.0
 	github.com/stvp/go-udp-testing v0.0.0-20191102171040-06b61409b154
 	github.com/traefik/paerser v0.1.9
-	github.com/traefik/yaegi v0.14.1
+	github.com/traefik/yaegi v0.14.2
 	github.com/uber/jaeger-client-go v2.30.0+incompatible
 	github.com/uber/jaeger-lib v2.2.0+incompatible
 	github.com/unrolled/render v1.0.2

go.sum

@@ -1915,8 +1915,8 @@ github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305 h1:y/1cL5AL2oRcfz
 github.com/tonistiigi/vt100 v0.0.0-20190402012908-ad4c4a574305/go.mod h1:gXOLibKqQTRAVuVZ9gX7G9Ykky8ll8yb4slxsEMoY0c=
 github.com/traefik/paerser v0.1.9 h1:x5hZafOt/yogLvr6upoSOYIAn2nh2GsnLb236MOzd4I=
 github.com/traefik/paerser v0.1.9/go.mod h1:Dk3Bfz6Zyj13/S8pJyRdx/FNvXlsVRVbtp0UK4ZSiA0=
-github.com/traefik/yaegi v0.14.1 h1:t0ssyzeZCWTFGd/JnVuDxH/slMQfYg+2CDD4dLW/rU0=
+github.com/traefik/yaegi v0.14.2 h1:9t9xepIfar6BrYdwJHGc+XRKo6qFoJCl6Z46N3hUtUw=
-github.com/traefik/yaegi v0.14.1/go.mod h1:AVRxhaI2G+nUsaM1zyktzwXn69G3t/AuTDrCiTds9p0=
+github.com/traefik/yaegi v0.14.2/go.mod h1:AVRxhaI2G+nUsaM1zyktzwXn69G3t/AuTDrCiTds9p0=
 github.com/transip/gotransip/v6 v6.6.1 h1:nsCU1ErZS5G0FeOpgGXc4FsWvBff9GPswSMggsC4564=
 github.com/transip/gotransip/v6 v6.6.1/go.mod h1:pQZ36hWWRahCUXkFWlx9Hs711gLd8J4qdgLdRzmtY+g=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926 h1:G3dpKMzFDjgEh2q1Z7zUUtKa8ViPtH+ocF0bE0g00O8=

pkg/api/handler_http.go

@@ -11,6 +11,7 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/traefik/traefik/v2/pkg/config/runtime"
 	"github.com/traefik/traefik/v2/pkg/log"
+	"github.com/traefik/traefik/v2/pkg/tls"
 )
 
 type routerRepresentation struct {
@@ -20,6 +21,10 @@ type routerRepresentation struct {
 }
 
 func newRouterRepresentation(name string, rt *runtime.RouterInfo) routerRepresentation {
+	if rt.TLS != nil && rt.TLS.Options == "" {
+		rt.TLS.Options = tls.DefaultTLSConfigName
+	}
+
 	return routerRepresentation{
 		RouterInfo: rt,
 		Name:       name,

pkg/api/handler_http_test.go

@@ -223,6 +223,52 @@ func TestHandler_HTTP(t *testing.T) {
 				jsonFile:   "testdata/router-bar.json",
 			},
 		},
+		{
+			desc: "one router by id, implicitly using default TLS options",
+			path: "/api/http/routers/baz@myprovider",
+			conf: runtime.Configuration{
+				Routers: map[string]*runtime.RouterInfo{
+					"baz@myprovider": {
+						Router: &dynamic.Router{
+							EntryPoints: []string{"web"},
+							Service:     "foo-service@myprovider",
+							Rule:        "Host(`foo.baz`)",
+							Middlewares: []string{"auth", "addPrefixTest@anotherprovider"},
+							TLS:         &dynamic.RouterTLSConfig{},
+						},
+						Status: "enabled",
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/router-baz-default-tls-options.json",
+			},
+		},
+		{
+			desc: "one router by id, using specific TLS options",
+			path: "/api/http/routers/baz@myprovider",
+			conf: runtime.Configuration{
+				Routers: map[string]*runtime.RouterInfo{
+					"baz@myprovider": {
+						Router: &dynamic.Router{
+							EntryPoints: []string{"web"},
+							Service:     "foo-service@myprovider",
+							Rule:        "Host(`foo.baz`)",
+							Middlewares: []string{"auth", "addPrefixTest@anotherprovider"},
+							TLS: &dynamic.RouterTLSConfig{
+								Options: "myTLS",
+							},
+						},
+						Status: "enabled",
+					},
+				},
+			},
+			expected: expected{
+				statusCode: http.StatusOK,
+				jsonFile:   "testdata/router-baz-custom-tls-options.json",
+			},
+		},
 		{
 			desc: "one router by id, that does not exist",
 			path: "/api/http/routers/foo@myprovider",
@@ -811,6 +857,7 @@ func TestHandler_HTTP(t *testing.T) {
 			// To lazily initialize the Statuses.
 			rtConf.PopulateUsedBy()
 			rtConf.GetRoutersByEntryPoints(context.Background(), []string{"web"}, false)
+			rtConf.GetRoutersByEntryPoints(context.Background(), []string{"web"}, true)
 
 			handler := New(static.Configuration{API: &static.API{}, Global: &static.Global{}}, rtConf)
 			server := httptest.NewServer(handler.createRouter())

pkg/api/testdata/router-baz-custom-tls-options.json

@@ -0,0 +1,20 @@
+{
+	"entryPoints": [
+		"web"
+	],
+	"middlewares": [
+		"auth",
+		"addPrefixTest@anotherprovider"
+	],
+	"name": "baz@myprovider",
+	"provider": "myprovider",
+	"rule": "Host(`foo.baz`)",
+	"service": "foo-service@myprovider",
+	"tls": {
+		"options": "myTLS"
+	},
+	"status": "enabled",
+	"using": [
+		"web"
+	]
+}

pkg/api/testdata/router-baz-default-tls-options.json

@@ -0,0 +1,20 @@
+{
+	"entryPoints": [
+		"web"
+	],
+	"middlewares": [
+		"auth",
+		"addPrefixTest@anotherprovider"
+	],
+	"name": "baz@myprovider",
+	"provider": "myprovider",
+	"rule": "Host(`foo.baz`)",
+	"service": "foo-service@myprovider",
+	"tls": {
+		"options": "default"
+	},
+	"status": "enabled",
+	"using": [
+		"web"
+	]
+}

pkg/middlewares/requestdecorator/request_decorator.go

@@ -49,11 +49,16 @@ func (r *RequestDecorator) ServeHTTP(rw http.ResponseWriter, req *http.Request,
 
 func parseHost(addr string) string {
 	if !strings.Contains(addr, ":") {
+		// IPv4 without port or empty address
 		return addr
 	}
 
+	// IPv4 with port or IPv6
 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
+		if addr[0] == '[' && addr[len(addr)-1] == ']' {
+			return addr[1 : len(addr)-1]
+		}
 		return addr
 	}
 	return host

pkg/middlewares/requestdecorator/request_decorator_test.go

@@ -104,7 +104,7 @@ func TestRequestFlattening(t *testing.T) {
 	}
 }
 
-func TestRequestHostParseHost(t *testing.T) {
+func Test_parseHost(t *testing.T) {
 	testCases := []struct {
 		desc     string
 		host     string
@@ -130,6 +130,46 @@ func TestRequestHostParseHost(t *testing.T) {
 			host:     "127.0.0.1:",
 			expected: "127.0.0.1",
 		},
+		{
+			desc:     "host with : and without port",
+			host:     "fe80::215:5dff:fe20:cd6a",
+			expected: "fe80::215:5dff:fe20:cd6a",
+		},
+		{
+			desc:     "IPv6 host with : and with port",
+			host:     "[fe80::215:5dff:fe20:cd6a]:123",
+			expected: "fe80::215:5dff:fe20:cd6a",
+		},
+		{
+			desc:     "IPv6 host with : and without port",
+			host:     "[fe80::215:5dff:fe20:cd6a]:",
+			expected: "fe80::215:5dff:fe20:cd6a",
+		},
+		{
+			desc:     "IPv6 host without : and without port",
+			host:     "[fe80::215:5dff:fe20:cd6a]",
+			expected: "fe80::215:5dff:fe20:cd6a",
+		},
+		{
+			desc:     "invalid IPv6: missing [",
+			host:     "fe80::215:5dff:fe20:cd6a]",
+			expected: "fe80::215:5dff:fe20:cd6a]",
+		},
+		{
+			desc:     "invalid IPv6: missing ]",
+			host:     "[fe80::215:5dff:fe20:cd6a",
+			expected: "[fe80::215:5dff:fe20:cd6a",
+		},
+		{
+			desc:     "empty address",
+			host:     "",
+			expected: "",
+		},
+		{
+			desc:     "only :",
+			host:     ":",
+			expected: "",
+		},
 	}
 
 	for _, test := range testCases {

pkg/plugins/client.go

@@ -164,7 +164,12 @@ func (c *Client) Download(ctx context.Context, pName, pVersion string) (string,
 
 	defer func() { _ = resp.Body.Close() }()
 
-	if resp.StatusCode == http.StatusOK {
+	switch resp.StatusCode {
+	case http.StatusNotModified:
+		// noop
+		return hash, nil
+
+	case http.StatusOK:
 		err = os.MkdirAll(filepath.Dir(filename), 0o755)
 		if err != nil {
 			return "", fmt.Errorf("failed to create directory: %w", err)
@@ -189,15 +194,11 @@ func (c *Client) Download(ctx context.Context, pName, pVersion string) (string,
 		}
 
 		return hash, nil
-	}
 
-	if resp.StatusCode == http.StatusNotModified {
+	default:
-		// noop
+		data, _ := io.ReadAll(resp.Body)
-		return hash, nil
+		return "", fmt.Errorf("error: %d: %s", resp.StatusCode, string(data))
 	}
-
-	data, _ := io.ReadAll(resp.Body)
-	return "", fmt.Errorf("error: %d: %s", resp.StatusCode, string(data))
 }
 
 // Check checks the plugin archive integrity.

pkg/server/middleware/middlewares.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"reflect"
 	"strings"
 
 	"github.com/containous/alice"
@@ -340,7 +341,7 @@ func (b *Builder) buildConstructor(ctx context.Context, middlewareName string) (
 	}
 
 	// Plugin
-	if config.Plugin != nil {
+	if config.Plugin != nil && !reflect.ValueOf(b.pluginBuilder).IsNil() { // Using "reflect" because "b.pluginBuilder" is an interface.
 		if middleware != nil {
 			return nil, badConf
 		}

script/gcg/traefik-bugfix.toml

@@ -4,11 +4,11 @@ RepositoryName = "traefik"
 OutputType = "file"
 FileName = "traefik_changelog.md"
 
-# example new bugfix v2.8.3
+# example new bugfix v2.8.5
 CurrentRef = "v2.8"
-PreviousRef = "v2.8.2"
+PreviousRef = "v2.8.4"
 BaseBranch = "v2.8"
-FutureCurrentRefName = "v2.8.3"
+FutureCurrentRefName = "v2.8.5"
 
 ThresholdPreviousRef = 10
 ThresholdCurrentRef = 10