Remove deprecated options

2022-11-25 10:50:06 +01:00 · 2022-11-25 10:50:06 +01:00 · a3e4c85ec0
commit a3e4c85ec0
parent bee86b5ac7
62 changed files with 43 additions and 985 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@ -134,14 +134,6 @@ issues:
  exclude:
    - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked'
    - "should have a package comment, unless it's in another file for this package"
    - 'SA1019: cfg.SSLRedirect is deprecated'
    - 'SA1019: cfg.SSLTemporaryRedirect is deprecated'
    - 'SA1019: cfg.SSLHost is deprecated'
    - 'SA1019: cfg.SSLForceHost is deprecated'
    - 'SA1019: cfg.FeaturePolicy is deprecated'
    - 'SA1019: c.Providers.ConsulCatalog.Namespace is deprecated'
    - 'SA1019: c.Providers.Consul.Namespace is deprecated'
    - 'SA1019: c.Providers.Nomad.Namespace is deprecated'
  exclude-rules:
    - path: '(.+)_test.go'
      linters:
--- a/cmd/traefik/traefik.go
+++ b/cmd/traefik/traefik.go
@ -204,10 +204,6 @@ func setupServer(staticConfiguration *static.Configuration) (*server.Server, err
 		return nil, err
 	}
 	if staticConfiguration.Pilot != nil {
 		log.Warn().Msg("Traefik Pilot has been removed.")
 	}
 	// Plugins
 	pluginBuilder, err := createPluginBuilder(staticConfiguration)
--- a/docs/content/deprecation/features.md
+++ b/docs/content/deprecation/features.md
@ -2,33 +2,4 @@
 This page is maintained and updated periodically to reflect our roadmap and any decisions around feature deprecation.
-| Feature                                                     | Deprecated | End of Support | Removal |
+There is no feature deprecation in Traefik v3 for now.
 |-------------------------------------------------------------|------------|----------------|---------|
 | [Pilot](#pilot)                                             | 2.7        | 2.8            | 2.9     |
 | [Consul Enterprise Namespace](#consul-enterprise-namespace) | 2.8        | N/A            | 3.0     |
 | [TLS 1.0 and 1.1 Support](#tls-10-and-11)                   | N/A        | 2.8            | N/A     |
 | [Nomad Namespace](#nomad-namespace)                         | 2.10       | N/A            | 3.0     |
 ## Impact
 ### Pilot
 Metrics will continue to function normally up to 2.8, when they will be disabled.  
 In 2.9, the Pilot platform and all Traefik integration code will be permanently removed.
 Starting on 2.7 the pilot token will not be a requirement anymore for plugins.  
 Since 2.8, a [new plugin catalog](https://plugins.traefik.io) is available, decoupled from Pilot.
 ### Consul Enterprise Namespace
 Starting on 2.8 the `namespace` option of Consul and Consul Catalog providers is deprecated, 
 please use the `namespaces` options instead.  
 ### TLS 1.0 and 1.1
 Starting on 2.8 the default TLS options will use the minimum version of TLS 1.2. Of course, it can still be overridden with custom configuration.  
 ### Nomad Namespace
 Starting on 2.10 the `namespace` option of the Nomad provider is deprecated,
 please use the `namespaces` options instead.  
--- a/docs/content/middlewares/http/headers.md
+++ b/docs/content/middlewares/http/headers.md
@ -364,43 +364,11 @@ The `allowedHosts` option lists fully qualified domain names that are allowed.
 The `hostsProxyHeaders` option is a set of header keys that may hold a proxied hostname value for the request.
 ### `sslRedirect`
 !!! warning
    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
 The `sslRedirect` only allow HTTPS requests when set to `true`.
 ### `sslTemporaryRedirect`
 !!! warning
    Deprecated in favor of [EntryPoint redirection](../../routing/entrypoints.md#redirection) or the [RedirectScheme middleware](./redirectscheme.md).
 Set `sslTemporaryRedirect` to `true` to force an SSL redirection using a 302 (instead of a 301).
 ### `sslHost`
 !!! warning
    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
 The `sslHost` option is the host name that is used to redirect HTTP requests to HTTPS.
 ### `sslProxyHeaders`
 The `sslProxyHeaders` option is set of header keys with associated values that would indicate a valid HTTPS request.
 It can be useful when using other proxies (example: `"X-Forwarded-Proto": "https"`).
 ### `sslForceHost`
 !!! warning
    Deprecated in favor of the [RedirectRegex middleware](./redirectregex.md).
 Set `sslForceHost` to `true` and set `sslHost` to force requests to use `SSLHost` regardless of whether they already use SSL.
 ### `stsSeconds`
 The `stsSeconds` is the max-age of the `Strict-Transport-Security` header.
@ -452,14 +420,6 @@ The `publicKey` implements HPKP to prevent MITM attacks with forged certificates
 The `referrerPolicy` allows sites to control whether browsers forward the `Referer` header to other sites.
 ### `featurePolicy`
 !!! warning
    Deprecated in favor of `permissionsPolicy`
 The `featurePolicy` allows sites to control browser features.
 ### `permissionsPolicy`
 The `permissionsPolicy` allows sites to control browser features.
--- a/docs/content/middlewares/http/stripprefix.md
+++ b/docs/content/middlewares/http/stripprefix.md
@ -88,85 +88,3 @@ For instance, `/products` also matches `/products/shoes` and `/products/shirts`.
 If your backend is serving assets (e.g., images or JavaScript files), it can use the `X-Forwarded-Prefix` header to properly construct relative URLs.
 Using the previous example, the backend should return `/products/shoes/image.png` (and not `/image.png`, which Traefik would likely not be able to associate with the same backend).
 ### `forceSlash`
 _Optional, Default=true_
 The `forceSlash` option ensures the resulting stripped path is not the empty string, by replacing it with `/` when necessary.
 This option was added to keep the initial (non-intuitive) behavior of this middleware, in order to avoid introducing a breaking change.
 It is recommended to explicitly set `forceSlash` to `false`.
 ??? info "Behavior examples"
    - `forceSlash=true`
    | Path       | Prefix to strip | Result |
    |------------|-----------------|--------|
    | `/`        | `/`             | `/`    |
    | `/foo`     | `/foo`          | `/`    |
    | `/foo/`    | `/foo`          | `/`    |
    | `/foo/`    | `/foo/`         | `/`    |
    | `/bar`     | `/foo`          | `/bar` |
    | `/foo/bar` | `/foo`          | `/bar` |
    - `forceSlash=false`
    | Path       | Prefix to strip | Result |
    |------------|-----------------|--------|
    | `/`        | `/`             | empty  |
    | `/foo`     | `/foo`          | empty  |
    | `/foo/`    | `/foo`          | `/`    |
    | `/foo/`    | `/foo/`         | empty  |
    | `/bar`     | `/foo`          | `/bar` |
    | `/foo/bar` | `/foo`          | `/bar` |
 ```yaml tab="Docker"
 labels:
  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
 ```
 ```yaml tab="Kubernetes"
 apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
  name: example
 spec:
  stripPrefix:
    prefixes:
      - "/foobar"
    forceSlash: false
 ```
 ```json tab="Marathon"
 "labels": {
  "traefik.http.middlewares.example.stripprefix.prefixes": "/foobar",
  "traefik.http.middlewares.example.stripprefix.forceSlash": "false"
 }
 ```
 ```yaml tab="Rancher"
 labels:
  - "traefik.http.middlewares.example.stripprefix.prefixes=/foobar"
  - "traefik.http.middlewares.example.stripprefix.forceSlash=false"
 ```
 ```yaml tab="File (YAML)"
 http:
  middlewares:
    example:
      stripPrefix:
        prefixes:
          - "/foobar"
        forceSlash: false
 ```
 ```toml tab="File (TOML)"
 [http.middlewares]
  [http.middlewares.example.stripPrefix]
    prefixes = ["/foobar"]
    forceSlash = false
 ```
--- a/docs/content/migration/v2-to-v3.md
+++ b/docs/content/migration/v2-to-v3.md
@ -20,3 +20,13 @@ In v3, we renamed the `IPWhiteList` middleware to `IPAllowList` without changing
 ## gRPC Metrics
 In v3, the reported status code for gRPC requests is now the value of the `Grpc-Status` header.  
 ## Deprecated Options Removal
 - The `pilot` option has been removed from the static configuration.
 - The `tracing.datadog.globaltag` option has been removed.
 - The `namespace` option of Consul, Consul Catalog and Nomad providers has been removed.
 - The `tls.caOptional` option has been removed from the ForwardAuth middleware, as well as from the HTTP, Consul, Etcd, Redis, ZooKeeper, Marathon, Consul Catalog, and Docker providers.
 - `sslRedirect`, `sslTemporaryRedirect`, `sslHost`, `sslForceHost` and `featurePolicy` options of the Headers middleware have been removed.
 - The `forceSlash` option of the StripPrefix middleware has been removed.
 - the `preferServerCipherSuites` option has been removed.
--- a/docs/content/observability/tracing/datadog.md
+++ b/docs/content/observability/tracing/datadog.md
@ -65,30 +65,6 @@ tracing:
 --tracing.datadog.debug=true
 ```
 #### `globalTag`
 ??? warning "Deprecated in favor of the [`globalTags`](#globaltags) option."
    _Optional, Default=empty_
    Applies a shared key:value tag on all spans.
    ```yaml tab="File (YAML)"
    tracing:
      datadog:
        globalTag: sample
    ```
    ```toml tab="File (TOML)"
    [tracing]
      [tracing.datadog]
        globalTag = "sample"
    ```
    ```bash tab="CLI"
    --tracing.datadog.globalTag=sample
    ```
 #### `globalTags`
 _Optional, Default=empty_
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@ -667,41 +667,6 @@ providers:
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 ### `namespace`
 ??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
    _Optional, Default=""_
    The `namespace` option defines the namespace in which the consul catalog services will be discovered.
    !!! warning
        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
    !!! warning
        One should only define either the `namespaces` option or the `namespace` option.
    ```yaml tab="File (YAML)"
    providers:
      consulCatalog:
        namespace: "production" 
        # ...
    ```
    ```toml tab="File (TOML)"
    [providers.consulCatalog]
      namespace = "production"
      # ...
    ```
    ```bash tab="CLI"
    --providers.consulcatalog.namespace=production
    # ...
    ```
 ### `namespaces`
 _Optional, Default=""_
--- a/docs/content/providers/consul.md
+++ b/docs/content/providers/consul.md
@ -59,40 +59,6 @@ providers:
 --providers.consul.rootkey=traefik
 ```
 ### `namespace`
 ??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
    _Optional, Default=""_
    The `namespace` option defines the namespace to query.
    !!! warning
        The namespace option only works with [Consul Enterprise](https://www.consul.io/docs/enterprise),
        which provides the [Namespaces](https://www.consul.io/docs/enterprise/namespaces) feature.
    !!! warning
        One should only define either the `namespaces` option or the `namespace` option.
    ```yaml tab="File (YAML)"
    providers:
      consul:
        # ...
        namespace: "production"
    ```
    ```toml tab="File (TOML)"
    [providers.consul]
      # ...
      namespace = "production"
    ```
    ```bash tab="CLI"
    --providers.consul.namespace=production
    ```
 ### `namespaces`
 _Optional, Default=""_
--- a/docs/content/providers/nomad.md
+++ b/docs/content/providers/nomad.md
@ -440,36 +440,6 @@ providers:
 For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
 ### `namespace`
 ??? warning "Deprecated in favor of the [`namespaces`](#namespaces) option."
    _Optional, Default=""_
    The `namespace` option defines the namespace in which the Nomad services will be discovered.
    !!! warning
        One should only define either the `namespaces` option or the `namespace` option.
    ```yaml tab="File (YAML)"
    providers:
      nomad:
        namespace: "production"
        # ...
    ```
    ```toml tab="File (TOML)"
    [providers.nomad]
      namespace = "production"
      # ...
    ```
    ```bash tab="CLI"
    --providers.nomad.namespace=production
    # ...
    ```
 ### `namespaces`
 _Optional, Default=""_
--- a/docs/content/reference/dynamic-configuration/docker-labels.yml
+++ b/docs/content/reference/dynamic-configuration/docker-labels.yml
@ -31,7 +31,6 @@
 - "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.authrequestheaders=foobar, foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.ca=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.cert=foobar"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify=true"
 - "traefik.http.middlewares.middleware09.forwardauth.tls.key=foobar"
@ -54,7 +53,6 @@
 - "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1=foobar"
 - "traefik.http.middlewares.middleware10.headers.featurepolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.forcestsheader=true"
 - "traefik.http.middlewares.middleware10.headers.framedeny=true"
 - "traefik.http.middlewares.middleware10.headers.hostsproxyheaders=foobar, foobar"
@ -62,12 +60,8 @@
 - "traefik.http.middlewares.middleware10.headers.permissionspolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.publickey=foobar"
 - "traefik.http.middlewares.middleware10.headers.referrerpolicy=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslforcehost=true"
 - "traefik.http.middlewares.middleware10.headers.sslhost=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1=foobar"
 - "traefik.http.middlewares.middleware10.headers.sslredirect=true"
 - "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect=true"
 - "traefik.http.middlewares.middleware10.headers.stsincludesubdomains=true"
 - "traefik.http.middlewares.middleware10.headers.stspreload=true"
 - "traefik.http.middlewares.middleware10.headers.stsseconds=42"
@ -118,7 +112,6 @@
 - "traefik.http.middlewares.middleware19.replacepathregex.replacement=foobar"
 - "traefik.http.middlewares.middleware20.retry.attempts=42"
 - "traefik.http.middlewares.middleware20.retry.initialinterval=42"
 - "traefik.http.middlewares.middleware21.stripprefix.forceslash=true"
 - "traefik.http.middlewares.middleware21.stripprefix.prefixes=foobar, foobar"
 - "traefik.http.middlewares.middleware22.stripprefixregex.regex=foobar, foobar"
 - "traefik.http.middlewares.middleware23.grpcweb.alloworigins=foobar, foobar"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@ -159,7 +159,6 @@
        authRequestHeaders = ["foobar", "foobar"]
        [http.middlewares.Middleware09.forwardAuth.tls]
          ca = "foobar"
          caOptional = true
          cert = "foobar"
          key = "foobar"
          insecureSkipVerify = true
@ -175,10 +174,6 @@
        addVaryHeader = true
        allowedHosts = ["foobar", "foobar"]
        hostsProxyHeaders = ["foobar", "foobar"]
        sslRedirect = true
        sslTemporaryRedirect = true
        sslHost = "foobar"
        sslForceHost = true
        stsSeconds = 42
        stsIncludeSubdomains = true
        stsPreload = true
@ -191,7 +186,6 @@
        contentSecurityPolicy = "foobar"
        publicKey = "foobar"
        referrerPolicy = "foobar"
        featurePolicy = "foobar"
        permissionsPolicy = "foobar"
        isDevelopment = true
        [http.middlewares.Middleware10.headers.customRequestHeaders]
@ -282,7 +276,6 @@
    [http.middlewares.Middleware21]
      [http.middlewares.Middleware21.stripPrefix]
        prefixes = ["foobar", "foobar"]
        forceSlash = true
    [http.middlewares.Middleware22]
      [http.middlewares.Middleware22.stripPrefixRegex]
        regex = ["foobar", "foobar"]
@ -458,7 +451,6 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
      preferServerCipherSuites = true
      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options0.clientAuth]
        caFiles = ["foobar", "foobar"]
@ -469,7 +461,6 @@
      cipherSuites = ["foobar", "foobar"]
      curvePreferences = ["foobar", "foobar"]
      sniStrict = true
      preferServerCipherSuites = true
      alpnProtocols = ["foobar", "foobar"]
      [tls.options.Options1.clientAuth]
        caFiles = ["foobar", "foobar"]
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@ -164,7 +164,6 @@ http:
        address: foobar
        tls:
          ca: foobar
          caOptional: true
          cert: foobar
          key: foobar
          insecureSkipVerify: true
@ -208,13 +207,9 @@ http:
        hostsProxyHeaders:
          - foobar
          - foobar
        sslRedirect: true
        sslTemporaryRedirect: true
        sslHost: foobar
        sslProxyHeaders:
          name0: foobar
          name1: foobar
        sslForceHost: true
        stsSeconds: 42
        stsIncludeSubdomains: true
        stsPreload: true
@ -227,7 +222,6 @@ http:
        contentSecurityPolicy: foobar
        publicKey: foobar
        referrerPolicy: foobar
        featurePolicy: foobar
        permissionsPolicy: foobar
        isDevelopment: true
    Middleware11:
@ -319,7 +313,6 @@ http:
        prefixes:
          - foobar
          - foobar
        forceSlash: true
    Middleware22:
      stripPrefixRegex:
        regex:
@ -509,7 +502,6 @@ tls:
          - foobar
        clientAuthType: foobar
      sniStrict: true
      preferServerCipherSuites: true
      alpnProtocols:
        - foobar
        - foobar
@ -528,7 +520,6 @@ tls:
          - foobar
        clientAuthType: foobar
      sniStrict: true
      preferServerCipherSuites: true
      alpnProtocols:
        - foobar
        - foobar
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
@ -946,8 +946,6 @@ spec:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
@ -1066,9 +1064,6 @@ spec:
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
@ -1104,12 +1099,6 @@ spec:
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
@ -1118,14 +1107,6 @@ spec:
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
@ -1467,11 +1448,6 @@ spec:
                  This middleware removes the specified prefixes from the URL path.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                properties:
                  forceSlash:
                    description: 'ForceSlash ensures that the resulting stripped path
                      is not the empty string, by replacing it with / when necessary.
                      Default: true.'
                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
@ -1807,12 +1783,6 @@ spec:
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
              preferServerCipherSuites:
                description: 'PreferServerCipherSuites defines whether the server
                  chooses a cipher suite among his own instead of among the client''s.
                  It is enabled automatically when minVersion or maxVersion is set.
                  Deprecated: https://github.com/golang/go/issues/45430'
                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
--- a/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
+++ b/docs/content/reference/dynamic-configuration/kubernetes-crd-resource.yml
@ -193,7 +193,6 @@ spec:
      - foobar
    clientAuthType: RequireAndVerifyClientCert
  sniStrict: true
  preferServerCipherSuites: true
  alpnProtocols:
    - foobar
    - foobar
--- a/docs/content/reference/dynamic-configuration/kv-ref.md
+++ b/docs/content/reference/dynamic-configuration/kv-ref.md
@ -37,7 +37,6 @@
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeaders/1` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/authResponseHeadersRegex` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/ca` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/caOptional` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/cert` | `foobar` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/insecureSkipVerify` | `true` |
 | `traefik/http/middlewares/Middleware09/forwardAuth/tls/key` | `foobar` |
@ -66,7 +65,6 @@
 | `traefik/http/middlewares/Middleware10/headers/customRequestHeaders/name1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/customResponseHeaders/name1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/featurePolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/forceSTSHeader` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/frameDeny` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/hostsProxyHeaders/0` | `foobar` |
@ -75,12 +73,8 @@
 | `traefik/http/middlewares/Middleware10/headers/permissionsPolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/publicKey` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/referrerPolicy` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslForceHost` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/sslHost` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name0` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslProxyHeaders/name1` | `foobar` |
 | `traefik/http/middlewares/Middleware10/headers/sslRedirect` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/sslTemporaryRedirect` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsIncludeSubdomains` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsPreload` | `true` |
 | `traefik/http/middlewares/Middleware10/headers/stsSeconds` | `42` |
@ -135,7 +129,6 @@
 | `traefik/http/middlewares/Middleware19/replacePathRegex/replacement` | `foobar` |
 | `traefik/http/middlewares/Middleware20/retry/attempts` | `42` |
 | `traefik/http/middlewares/Middleware20/retry/initialInterval` | `42s` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/forceSlash` | `true` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/0` | `foobar` |
 | `traefik/http/middlewares/Middleware21/stripPrefix/prefixes/1` | `foobar` |
 | `traefik/http/middlewares/Middleware22/stripPrefixRegex/regex/0` | `foobar` |
@ -312,7 +305,6 @@
 | `traefik/tls/options/Options0/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options0/maxVersion` | `foobar` |
 | `traefik/tls/options/Options0/minVersion` | `foobar` |
 | `traefik/tls/options/Options0/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options0/sniStrict` | `true` |
 | `traefik/tls/options/Options1/alpnProtocols/0` | `foobar` |
 | `traefik/tls/options/Options1/alpnProtocols/1` | `foobar` |
@ -325,7 +317,6 @@
 | `traefik/tls/options/Options1/curvePreferences/1` | `foobar` |
 | `traefik/tls/options/Options1/maxVersion` | `foobar` |
 | `traefik/tls/options/Options1/minVersion` | `foobar` |
 | `traefik/tls/options/Options1/preferServerCipherSuites` | `true` |
 | `traefik/tls/options/Options1/sniStrict` | `true` |
 | `traefik/tls/stores/Store0/defaultCertificate/certFile` | `foobar` |
 | `traefik/tls/stores/Store0/defaultCertificate/keyFile` | `foobar` |
--- a/docs/content/reference/dynamic-configuration/marathon-labels.json
+++ b/docs/content/reference/dynamic-configuration/marathon-labels.json
@ -31,7 +31,6 @@
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheaders": "foobar, foobar",
 "traefik.http.middlewares.middleware09.forwardauth.authresponseheadersregex": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.ca": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.caoptional": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.cert": "foobar",
 "traefik.http.middlewares.middleware09.forwardauth.tls.insecureskipverify": "true",
 "traefik.http.middlewares.middleware09.forwardauth.tls.key": "foobar",
@ -54,7 +53,6 @@
 "traefik.http.middlewares.middleware10.headers.customrequestheaders.name1": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.customresponseheaders.name1": "foobar",
 "traefik.http.middlewares.middleware10.headers.featurepolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.forcestsheader": "true",
 "traefik.http.middlewares.middleware10.headers.framedeny": "true",
 "traefik.http.middlewares.middleware10.headers.hostsproxyheaders": "foobar, foobar",
@ -62,12 +60,8 @@
 "traefik.http.middlewares.middleware10.headers.permissionspolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.publickey": "foobar",
 "traefik.http.middlewares.middleware10.headers.referrerpolicy": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslforcehost": "true",
 "traefik.http.middlewares.middleware10.headers.sslhost": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name0": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslproxyheaders.name1": "foobar",
 "traefik.http.middlewares.middleware10.headers.sslredirect": "true",
 "traefik.http.middlewares.middleware10.headers.ssltemporaryredirect": "true",
 "traefik.http.middlewares.middleware10.headers.stsincludesubdomains": "true",
 "traefik.http.middlewares.middleware10.headers.stspreload": "true",
 "traefik.http.middlewares.middleware10.headers.stsseconds": "42",
@ -118,7 +112,6 @@
 "traefik.http.middlewares.middleware19.replacepathregex.replacement": "foobar",
 "traefik.http.middlewares.middleware20.retry.attempts": "42",
 "traefik.http.middlewares.middleware20.retry.initialinterval": "42",
 "traefik.http.middlewares.middleware21.stripprefix.forceslash": "true",
 "traefik.http.middlewares.middleware21.stripprefix.prefixes": "foobar, foobar",
 "traefik.http.middlewares.middleware22.stripprefixregex.regex": "foobar, foobar",
 "traefik.http.middlewares.middleware23.grpcweb.alloworigins": "foobar, foobar",
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
@ -369,8 +369,6 @@ spec:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
@ -489,9 +487,6 @@ spec:
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
@ -527,12 +522,6 @@ spec:
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
@ -541,14 +530,6 @@ spec:
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
@ -890,11 +871,6 @@ spec:
                  This middleware removes the specified prefixes from the URL path.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                properties:
                  forceSlash:
                    description: 'ForceSlash ensures that the resulting stripped path
                      is not the empty string, by replacing it with / when necessary.
                      Default: true.'
                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_tlsoptions.yaml
@ -88,12 +88,6 @@ spec:
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
              preferServerCipherSuites:
                description: 'PreferServerCipherSuites defines whether the server
                  chooses a cipher suite among his own instead of among the client''s.
                  It is enabled automatically when minVersion or maxVersion is set.
                  Deprecated: https://github.com/golang/go/issues/45430'
                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -417,9 +417,6 @@ Enable Consul backend with default settings. (Default: ```false```)
 `--providers.consul.endpoints`:  
 KV store endpoints. (Default: ```127.0.0.1:8500```)
 `--providers.consul.namespace`:  
 Sets the namespace used to discover the configuration (Consul Enterprise only).
 `--providers.consul.namespaces`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).
@ -429,9 +426,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.consul.tls.ca`:  
 TLS CA
 `--providers.consul.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.consul.tls.cert`:  
 TLS cert
@ -483,9 +477,6 @@ The URI scheme for the Consul server
 `--providers.consulcatalog.endpoint.tls.ca`:  
 TLS CA
 `--providers.consulcatalog.endpoint.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.consulcatalog.endpoint.tls.cert`:  
 TLS cert
@ -501,9 +492,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `--providers.consulcatalog.exposedbydefault`:  
 Expose containers by default. (Default: ```true```)
 `--providers.consulcatalog.namespace`:  
 Sets the namespace used to discover services (Consul Enterprise only).
 `--providers.consulcatalog.namespaces`:  
 Sets the namespaces used to discover services (Consul Enterprise only).
@ -558,9 +546,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `--providers.docker.tls.ca`:  
 TLS CA
 `--providers.docker.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.docker.tls.cert`:  
 TLS cert
@ -627,9 +612,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.etcd.tls.ca`:  
 TLS CA
 `--providers.etcd.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.etcd.tls.cert`:  
 TLS cert
@ -672,9 +654,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `--providers.http.tls.ca`:  
 TLS CA
 `--providers.http.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.http.tls.cert`:  
 TLS cert
@ -819,9 +798,6 @@ Set a response header timeout for Marathon. (Default: ```60```)
 `--providers.marathon.tls.ca`:  
 TLS CA
 `--providers.marathon.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.marathon.tls.cert`:  
 TLS cert
@ -861,9 +837,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `--providers.nomad.endpoint.tls.ca`:  
 TLS CA
 `--providers.nomad.endpoint.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.nomad.endpoint.tls.cert`:  
 TLS cert
@ -879,9 +852,6 @@ Token is used to provide a per-request ACL token.
 `--providers.nomad.exposedbydefault`:  
 Expose Nomad services by default. (Default: ```true```)
 `--providers.nomad.namespace`:  
 Sets the Nomad namespace used to discover services.
 `--providers.nomad.namespaces`:  
 Sets the Nomad namespaces used to discover services.
@ -945,9 +915,6 @@ Root key used for KV store. (Default: ```traefik```)
 `--providers.redis.tls.ca`:  
 TLS CA
 `--providers.redis.tls.caoptional`:  
 TLS CA.Optional (Default: ```false```)
 `--providers.redis.tls.cert`:  
 TLS cert
@ -1023,9 +990,6 @@ Sets the header name prefix used to store baggage items in a map.
 `--tracing.datadog.debug`:  
 Enables Datadog debug. (Default: ```false```)
 `--tracing.datadog.globaltag`:  
 Sets a key:value tag on all spans.
 `--tracing.datadog.globaltags.<name>`:  
 Sets a list of key:value tags on all spans.
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -453,9 +453,6 @@ The URI scheme for the Consul server
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_TLS_CERT`:  
 TLS cert
@ -471,9 +468,6 @@ Token is used to provide a per-request ACL token which overrides the agent's def
 `TRAEFIK_PROVIDERS_CONSULCATALOG_EXPOSEDBYDEFAULT`:  
 Expose containers by default. (Default: ```true```)
 `TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACE`:  
 Sets the namespace used to discover services (Consul Enterprise only).
 `TRAEFIK_PROVIDERS_CONSULCATALOG_NAMESPACES`:  
 Sets the namespaces used to discover services (Consul Enterprise only).
@ -498,9 +492,6 @@ Watch Consul API events. (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSUL_ENDPOINTS`:  
 KV store endpoints. (Default: ```127.0.0.1:8500```)
 `TRAEFIK_PROVIDERS_CONSUL_NAMESPACE`:  
 Sets the namespace used to discover the configuration (Consul Enterprise only).
 `TRAEFIK_PROVIDERS_CONSUL_NAMESPACES`:  
 Sets the namespaces used to discover the configuration (Consul Enterprise only).
@ -510,9 +501,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSUL_TLS_CERT`:  
 TLS cert
@ -558,9 +546,6 @@ Polling interval for swarm mode. (Default: ```15```)
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_DOCKER_TLS_CERT`:  
 TLS cert
@ -627,9 +612,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_ETCD_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_ETCD_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_ETCD_TLS_CERT`:  
 TLS cert
@ -672,9 +654,6 @@ Polling timeout for endpoint. (Default: ```5```)
 `TRAEFIK_PROVIDERS_HTTP_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_HTTP_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_HTTP_TLS_CERT`:  
 TLS cert
@ -822,9 +801,6 @@ Set a TLS handshake timeout for Marathon. (Default: ```5```)
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_MARATHON_TLS_CERT`:  
 TLS cert
@ -861,9 +837,6 @@ Nomad region to use. If not provided, the local agent region is used.
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_NOMAD_ENDPOINT_TLS_CERT`:  
 TLS cert
@ -879,9 +852,6 @@ Token is used to provide a per-request ACL token.
 `TRAEFIK_PROVIDERS_NOMAD_EXPOSEDBYDEFAULT`:  
 Expose Nomad services by default. (Default: ```true```)
 `TRAEFIK_PROVIDERS_NOMAD_NAMESPACE`:  
 Sets the Nomad namespace used to discover services.
 `TRAEFIK_PROVIDERS_NOMAD_NAMESPACES`:  
 Sets the Nomad namespaces used to discover services.
@ -945,9 +915,6 @@ Root key used for KV store. (Default: ```traefik```)
 `TRAEFIK_PROVIDERS_REDIS_TLS_CA`:  
 TLS CA
 `TRAEFIK_PROVIDERS_REDIS_TLS_CAOPTIONAL`:  
 TLS CA.Optional (Default: ```false```)
 `TRAEFIK_PROVIDERS_REDIS_TLS_CERT`:  
 TLS cert
@ -1023,9 +990,6 @@ Sets the header name prefix used to store baggage items in a map.
 `TRAEFIK_TRACING_DATADOG_DEBUG`:  
 Enables Datadog debug. (Default: ```false```)
 `TRAEFIK_TRACING_DATADOG_GLOBALTAG`:  
 Sets a key:value tag on all spans.
 `TRAEFIK_TRACING_DATADOG_GLOBALTAGS_<NAME>`:  
 Sets a list of key:value tags on all spans.
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@ -71,7 +71,6 @@
    allowEmptyServices = true
    [providers.docker.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -96,7 +95,6 @@
    respectReadinessChecks = true
    [providers.marathon.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -159,7 +157,6 @@
    connectByDefault = true
    serviceName = "foobar"
    watch = true
    namespace = "foobar"
    namespaces = ["foobar", "foobar"]
    [providers.consulCatalog.endpoint]
      address = "foobar"
@ -169,7 +166,6 @@
      endpointWaitTime = "42s"
      [providers.consulCatalog.endpoint.tls]
        ca = "foobar"
        caOptional = true
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
@ -181,7 +177,6 @@
    constraints = "foobar"
    prefix = "foobar"
    stale = true
    namespace = "foobar"
    namespaces = ["foobar", "foobar"]
    exposedByDefault = true
    refreshInterval = "42s"
@ -192,7 +187,6 @@
      endpointWaitTime = "42s"
      [providers.nomad.endpoint.tls]
        ca = "foobar"
        caOptional = true
        cert = "foobar"
        key = "foobar"
        insecureSkipVerify = true
@ -212,11 +206,9 @@
    rootKey = "foobar"
    endpoints = ["foobar", "foobar"]
    token = "foobar"
    namespace = "foobar"
    namespaces = ["foobar", "foobar"]
    [providers.consul.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -227,7 +219,6 @@
    password = "foobar"
    [providers.etcd.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -244,7 +235,6 @@
    db = 42
    [providers.redis.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -257,7 +247,6 @@
      name1 = "foobar"
    [providers.http.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -376,7 +365,6 @@
    sampleRate = 42.0
  [tracing.datadog]
    localAgentHostPort = "foobar"
    globalTag = "foobar"
    [tracing.datadog.globalTags]
      tag1 = "foobar"
      tag2 = "foobar"
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@ -70,7 +70,6 @@ providers:
    defaultRule: foobar
    tls:
      ca: foobar
      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@ -96,7 +95,6 @@ providers:
    dcosToken: foobar
    tls:
      ca: foobar
      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@ -171,7 +169,6 @@ providers:
    connectByDefault: true
    serviceName: foobar
    watch: true
    namespace: foobar
    namespaces:
      - foobar
      - foobar
@ -183,7 +180,6 @@ providers:
      endpointWaitTime: 42s
      tls:
        ca: foobar
        caOptional: true
        cert: foobar
        key: foobar
        insecureSkipVerify: true
@ -195,7 +191,6 @@ providers:
    constraints: foobar
    prefix: foobar
    stale: true
    namespace: foobar
    namespaces:
      - foobar
      - foobar
@ -208,7 +203,6 @@ providers:
      endpointWaitTime: 42s
      tls:
        ca: foobar
        caOptional: true
        cert: foobar
        key: foobar
        insecureSkipVerify: true
@ -232,13 +226,11 @@ providers:
      - foobar
      - foobar
    token: foobar
    namespace: foobar
    namespaces:
      - foobar
      - foobar
    tls:
      ca: foobar
      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@ -251,7 +243,6 @@ providers:
    password: foobar
    tls:
      ca: foobar
      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@ -272,7 +263,6 @@ providers:
    db: 42
    tls:
      ca: foobar
      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@ -285,7 +275,6 @@ providers:
      name1: foobar
    tls:
      ca: foobar
      caOptional: true
      cert: foobar
      key: foobar
      insecureSkipVerify: true
@ -402,7 +391,6 @@ tracing:
    sampleRate: 42
  datadog:
    localAgentHostPort: foobar
    globalTag: foobar
    globalTags:
      tag1: foobar
      tag2: foobar
--- a/integration/consul_test.go
+++ b/integration/consul_test.go
@ -102,7 +102,6 @@ func (s *ConsulSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
 		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 	for k, v := range data {
--- a/integration/etcd_test.go
+++ b/integration/etcd_test.go
@ -97,7 +97,6 @@ func (s *EtcdSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
 		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 	for k, v := range data {
--- a/integration/fixtures/k8s/01-traefik-crd.yml
+++ b/integration/fixtures/k8s/01-traefik-crd.yml
@ -946,8 +946,6 @@ spec:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
@ -1066,9 +1064,6 @@ spec:
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
@ -1104,12 +1099,6 @@ spec:
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
@ -1118,14 +1107,6 @@ spec:
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
@ -1467,11 +1448,6 @@ spec:
                  This middleware removes the specified prefixes from the URL path.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                properties:
                  forceSlash:
                    description: 'ForceSlash ensures that the resulting stripped path
                      is not the empty string, by replacing it with / when necessary.
                      Default: true.'
                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
@ -1807,12 +1783,6 @@ spec:
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
              preferServerCipherSuites:
                description: 'PreferServerCipherSuites defines whether the server
                  chooses a cipher suite among his own instead of among the client''s.
                  It is enabled automatically when minVersion or maxVersion is set.
                  Deprecated: https://github.com/golang/go/issues/45430'
                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
--- a/integration/redis_test.go
+++ b/integration/redis_test.go
@ -98,7 +98,6 @@ func (s *RedisSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "true",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
 		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 	for k, v := range data {
--- a/integration/testdata/rawdata-consul.json
+++ b/integration/testdata/rawdata-consul.json
@ -112,8 +112,7 @@
        "prefixes": [
          "foo",
          "bar"
-        ],
+        ]
        "forceSlash": true
      },
      "status": "enabled",
      "usedBy": [
--- a/integration/testdata/rawdata-etcd.json
+++ b/integration/testdata/rawdata-etcd.json
@ -112,8 +112,7 @@
        "prefixes": [
          "foo",
          "bar"
-        ],
+        ]
        "forceSlash": true
      },
      "status": "enabled",
      "usedBy": [
--- a/integration/testdata/rawdata-redis.json
+++ b/integration/testdata/rawdata-redis.json
@ -112,8 +112,7 @@
        "prefixes": [
          "foo",
          "bar"
-        ],
+        ]
        "forceSlash": true
      },
      "status": "enabled",
      "usedBy": [
--- a/integration/testdata/rawdata-zk.json
+++ b/integration/testdata/rawdata-zk.json
@ -112,8 +112,7 @@
        "prefixes": [
          "foo",
          "bar"
-        ],
+        ]
        "forceSlash": true
      },
      "status": "enabled",
      "usedBy": [
--- a/integration/zk_test.go
+++ b/integration/zk_test.go
@ -100,7 +100,6 @@ func (s *ZookeeperSuite) TestSimpleConfiguration(c *check.C) {
 		"traefik/http/middlewares/compressor/compress":            "",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/0": "foo",
 		"traefik/http/middlewares/striper/stripPrefix/prefixes/1": "bar",
 		"traefik/http/middlewares/striper/stripPrefix/forceSlash": "true",
 	}
 	for k, v := range data {
--- a/pkg/config/dynamic/fixtures/sample.toml
+++ b/pkg/config/dynamic/fixtures/sample.toml
@ -46,7 +46,6 @@
    httpClientTimeout = 42
    [providers.docker.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -71,7 +70,6 @@
    respectReadinessChecks = true
    [providers.marathon.tls]
      ca = "foobar"
      caOptional = true
      cert = "foobar"
      key = "foobar"
      insecureSkipVerify = true
@ -182,7 +180,6 @@
    sampleRate = 42.0
  [tracing.datadog]
    localAgentHostPort = "foobar"
    globalTag = "foobar"
    debug = true
    prioritySampling = true
    traceIDHeaderName = "foobar"
@ -292,7 +289,6 @@
        authRequestHeaders = ["foobar", "foobar"]
        [http.middlewares.Middleware15.forwardAuth.tls]
          ca = "foobar"
          caOptional = true
          cert = "foobar"
          key = "foobar"
          insecureSkipVerify = true
@ -376,10 +372,6 @@
        addVaryHeader = true
        allowedHosts = ["foobar", "foobar"]
        hostsProxyHeaders = ["foobar", "foobar"]
        sslRedirect = true
        sslTemporaryRedirect = true
        sslHost = "foobar"
        sslForceHost = true
        stsSeconds = 42
        stsIncludeSubdomains = true
        stsPreload = true
@ -392,7 +384,6 @@
        contentSecurityPolicy = "foobar"
        publicKey = "foobar"
        referrerPolicy = "foobar"
        featurePolicy = "foobar"
        isDevelopment = true
        [http.middlewares.Middleware8.headers.customRequestHeaders]
          name0 = "foobar"
--- a/pkg/config/dynamic/middlewares.go
+++ b/pkg/config/dynamic/middlewares.go
@ -260,17 +260,9 @@ type Headers struct {
 	AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"`
 	// HostsProxyHeaders defines the header keys that may hold a proxied hostname value for the request.
 	HostsProxyHeaders []string `json:"hostsProxyHeaders,omitempty" toml:"hostsProxyHeaders,omitempty" yaml:"hostsProxyHeaders,omitempty" export:"true"`
 	// Deprecated: use EntryPoint redirection or RedirectScheme instead.
 	SSLRedirect bool `json:"sslRedirect,omitempty" toml:"sslRedirect,omitempty" yaml:"sslRedirect,omitempty" export:"true"`
 	// Deprecated: use EntryPoint redirection or RedirectScheme instead.
 	SSLTemporaryRedirect bool `json:"sslTemporaryRedirect,omitempty" toml:"sslTemporaryRedirect,omitempty" yaml:"sslTemporaryRedirect,omitempty" export:"true"`
 	// Deprecated: use RedirectRegex instead.
 	SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"`
 	// SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.
 	// It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").
 	SSLProxyHeaders map[string]string `json:"sslProxyHeaders,omitempty" toml:"sslProxyHeaders,omitempty" yaml:"sslProxyHeaders,omitempty"`
 	// Deprecated: use RedirectRegex instead.
 	SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"`
 	// STSSeconds defines the max-age of the Strict-Transport-Security header.
 	// If set to 0, the header is not set.
 	STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"`
@ -299,8 +291,6 @@ type Headers struct {
 	// ReferrerPolicy defines the Referrer-Policy header value.
 	// This allows sites to control whether browsers forward the Referer header to other sites.
 	ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"`
 	// Deprecated: use PermissionsPolicy instead.
 	FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
 	// PermissionsPolicy defines the Permissions-Policy header value.
 	// This allows sites to control browser features.
 	PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"`
@ -333,10 +323,6 @@ func (h *Headers) HasCorsHeadersDefined() bool {
 func (h *Headers) HasSecureHeadersDefined() bool {
 	return h != nil && (len(h.AllowedHosts) != 0 ||
 		len(h.HostsProxyHeaders) != 0 ||
 		h.SSLRedirect ||
 		h.SSLTemporaryRedirect ||
 		h.SSLForceHost ||
 		h.SSLHost != "" ||
 		len(h.SSLProxyHeaders) != 0 ||
 		h.STSSeconds != 0 ||
 		h.STSIncludeSubdomains ||
@ -350,7 +336,6 @@ func (h *Headers) HasSecureHeadersDefined() bool {
 		h.ContentSecurityPolicy != "" ||
 		h.PublicKey != "" ||
 		h.ReferrerPolicy != "" ||
 		h.FeaturePolicy != "" ||
 		h.PermissionsPolicy != "" ||
 		h.IsDevelopment)
 }
@ -553,14 +538,6 @@ type Retry struct {
 type StripPrefix struct {
 	// Prefixes defines the prefixes to strip from the request URL.
 	Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"`
 	// ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.
 	// Default: true.
 	ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated
 }
 // SetDefaults Default values for a StripPrefix.
 func (s *StripPrefix) SetDefaults() {
 	s.ForceSlash = true
 }
 // +k8s:deepcopy-gen=true
--- a/pkg/config/label/label_test.go
+++ b/pkg/config/label/label_test.go
@ -42,7 +42,6 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware7.forwardauth.authresponseheaders":                     "foobar, fiibar",
 		"traefik.http.middlewares.Middleware7.forwardauth.authrequestheaders":                      "foobar, fiibar",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.ca":                                  "foobar",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.caoptional":                          "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.cert":                                "foobar",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.insecureskipverify":                  "true",
 		"traefik.http.middlewares.Middleware7.forwardauth.tls.key":                                 "foobar",
@ -71,14 +70,9 @@ func TestDecodeConfiguration(t *testing.T) {
 		"traefik.http.middlewares.Middleware8.headers.isdevelopment":                               "true",
 		"traefik.http.middlewares.Middleware8.headers.publickey":                                   "foobar",
 		"traefik.http.middlewares.Middleware8.headers.referrerpolicy":                              "foobar",
 		"traefik.http.middlewares.Middleware8.headers.featurepolicy":                               "foobar",
 		"traefik.http.middlewares.Middleware8.headers.permissionspolicy":                           "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslforcehost":                                "true",
 		"traefik.http.middlewares.Middleware8.headers.sslhost":                                     "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name0":                       "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslproxyheaders.name1":                       "foobar",
 		"traefik.http.middlewares.Middleware8.headers.sslredirect":                                 "true",
 		"traefik.http.middlewares.Middleware8.headers.ssltemporaryredirect":                        "true",
 		"traefik.http.middlewares.Middleware8.headers.stsincludesubdomains":                        "true",
 		"traefik.http.middlewares.Middleware8.headers.stspreload":                                  "true",
 		"traefik.http.middlewares.Middleware8.headers.stsseconds":                                  "42",
@ -462,7 +456,6 @@ func TestDecodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
 						ForceSlash: true,
 					},
 				},
 				"Middleware18": {
@ -530,7 +523,6 @@ func TestDecodeConfiguration(t *testing.T) {
 						Address: "foobar",
 						TLS: &types.ClientTLS{
 							CA:                 "foobar",
 							CAOptional:         true,
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
@ -587,14 +579,10 @@ func TestDecodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
 						SSLRedirect:          true,
 						SSLTemporaryRedirect: true,
 						SSLHost:              "foobar",
 						SSLProxyHeaders: map[string]string{
 							"name0": "foobar",
 							"name1": "foobar",
 						},
 						SSLForceHost:            true,
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@ -607,7 +595,6 @@ func TestDecodeConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
 						FeaturePolicy:           "foobar",
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
@ -958,7 +945,6 @@ func TestEncodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
 						ForceSlash: true,
 					},
 				},
 				"Middleware18": {
@ -1034,7 +1020,6 @@ func TestEncodeConfiguration(t *testing.T) {
 						Address: "foobar",
 						TLS: &types.ClientTLS{
 							CA:                 "foobar",
 							CAOptional:         true,
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
@ -1091,14 +1076,10 @@ func TestEncodeConfiguration(t *testing.T) {
 							"foobar",
 							"fiibar",
 						},
 						SSLRedirect:          true,
 						SSLTemporaryRedirect: true,
 						SSLHost:              "foobar",
 						SSLProxyHeaders: map[string]string{
 							"name0": "foobar",
 							"name1": "foobar",
 						},
 						SSLForceHost:            true,
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@ -1111,7 +1092,6 @@ func TestEncodeConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
 						FeaturePolicy:           "foobar",
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
@ -1231,7 +1211,6 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthResponseHeaders":                     "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.AuthRequestHeaders":                      "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CA":                                  "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.CAOptional":                          "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Cert":                                "foobar",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.InsecureSkipVerify":                  "true",
 		"traefik.HTTP.Middlewares.Middleware7.ForwardAuth.TLS.Key":                                 "foobar",
@ -1260,14 +1239,9 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware8.Headers.IsDevelopment":                               "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.PublicKey":                                   "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.ReferrerPolicy":                              "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.FeaturePolicy":                               "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.PermissionsPolicy":                           "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLForceHost":                                "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLHost":                                     "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name0":                       "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLProxyHeaders.name1":                       "foobar",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLRedirect":                                 "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.SSLTemporaryRedirect":                        "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSIncludeSubdomains":                        "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSPreload":                                  "true",
 		"traefik.HTTP.Middlewares.Middleware8.Headers.STSSeconds":                                  "42",
@ -1318,7 +1292,6 @@ func TestEncodeConfiguration(t *testing.T) {
 		"traefik.HTTP.Middlewares.Middleware16.Retry.Attempts":                                     "42",
 		"traefik.HTTP.Middlewares.Middleware16.Retry.InitialInterval":                              "1000000000",
 		"traefik.HTTP.Middlewares.Middleware17.StripPrefix.Prefixes":                               "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware17.StripPrefix.ForceSlash":                             "true",
 		"traefik.HTTP.Middlewares.Middleware18.StripPrefixRegex.Regex":                             "foobar, fiibar",
 		"traefik.HTTP.Middlewares.Middleware19.Compress.MinResponseBodyBytes":                      "42",
 		"traefik.HTTP.Middlewares.Middleware20.Plugin.tomato.aaa":                                  "foo1",
--- a/pkg/config/static/pilot.go
+++ b/pkg/config/static/pilot.go
@ -1,8 +0,0 @@
 package static
 // Pilot Configuration related to Traefik Pilot.
 // Deprecated.
 type Pilot struct {
 	Token     string `description:"Traefik Pilot token. (Deprecated)" json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty" loggable:"false"`
 	Dashboard bool   `description:"Enable Traefik Pilot in the dashboard. (Deprecated)" json:"dashboard,omitempty" toml:"dashboard,omitempty" yaml:"dashboard,omitempty"`
 }
--- a/pkg/config/static/static_config.go
+++ b/pkg/config/static/static_config.go
@ -78,9 +78,6 @@ type Configuration struct {
 	CertificatesResolvers map[string]CertificateResolver `description:"Certificates resolvers configuration." json:"certificatesResolvers,omitempty" toml:"certificatesResolvers,omitempty" yaml:"certificatesResolvers,omitempty" export:"true"`
 	// Deprecated.
 	Pilot *Pilot `description:"Traefik Pilot configuration (Deprecated)." json:"pilot,omitempty" toml:"pilot,omitempty" yaml:"pilot,omitempty" export:"true"`
 	Hub *hub.Provider `description:"Traefik Hub configuration." json:"hub,omitempty" toml:"hub,omitempty" yaml:"hub,omitempty" label:"allowEmpty" file:"allowEmpty" export:"true"`
 	Experimental *Experimental `description:"experimental features." json:"experimental,omitempty" toml:"experimental,omitempty" yaml:"experimental,omitempty" export:"true"`
@ -264,11 +261,6 @@ func (c *Configuration) SetEffectiveConfiguration() {
 		}
 	}
 	// Enable anonymous usage when pilot is enabled.
 	if c.Pilot != nil {
 		c.Global.SendAnonymousUsage = true
 	}
 	// Disable Gateway API provider if not enabled in experimental.
 	if c.Experimental == nil || !c.Experimental.KubernetesGateway {
 		c.Providers.KubernetesGateway = nil
@ -346,18 +338,6 @@ func (c *Configuration) ValidateConfiguration() error {
 		acmeEmail = resolver.ACME.Email
 	}
 	if c.Providers.ConsulCatalog != nil && c.Providers.ConsulCatalog.Namespace != "" && len(c.Providers.ConsulCatalog.Namespaces) > 0 {
 		return fmt.Errorf("Consul Catalog provider cannot have both namespace and namespaces options configured")
 	}
 	if c.Providers.Consul != nil && c.Providers.Consul.Namespace != "" && len(c.Providers.Consul.Namespaces) > 0 {
 		return fmt.Errorf("Consul provider cannot have both namespace and namespaces options configured")
 	}
 	if c.Providers.Nomad != nil && c.Providers.Nomad.Namespace != "" && len(c.Providers.Nomad.Namespaces) > 0 {
 		return fmt.Errorf("Nomad provider cannot have both namespace and namespaces options configured")
 	}
 	return nil
 }
--- a/pkg/middlewares/headers/header.go
+++ b/pkg/middlewares/headers/header.go
@ -1,16 +1,13 @@
 package headers
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"regexp"
 	"strconv"
 	"strings"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/logs"
 )
 // Header is a middleware that helps setup a few basic security features.
@ -29,10 +26,6 @@ func NewHeader(next http.Handler, cfg dynamic.Headers) (*Header, error) {
 	hasCustomHeaders := cfg.HasCustomHeadersDefined()
 	hasCorsHeaders := cfg.HasCorsHeadersDefined()
 	ctx := log.With().Str(logs.MiddlewareType, typeName).Logger().WithContext(context.Background())
 	handleDeprecation(ctx, &cfg)
 	regexes := make([]*regexp.Regexp, len(cfg.AccessControlAllowOriginListRegex))
 	for i, str := range cfg.AccessControlAllowOriginListRegex {
 		reg, err := regexp.Compile(str)
--- a/pkg/middlewares/headers/headers.go
+++ b/pkg/middlewares/headers/headers.go
@ -7,7 +7,6 @@ import (
 	"net/http"
 	"github.com/opentracing/opentracing-go/ext"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/middlewares"
 	"github.com/traefik/traefik/v2/pkg/middlewares/connectionheader"
@ -18,26 +17,6 @@ const (
 	typeName = "Headers"
 )
 func handleDeprecation(ctx context.Context, cfg *dynamic.Headers) {
 	logger := log.Ctx(ctx).Warn()
 	if cfg.SSLRedirect {
 		logger.Msg("SSLRedirect is deprecated, please use entrypoint redirection instead.")
 	}
 	if cfg.SSLTemporaryRedirect {
 		logger.Msg("SSLTemporaryRedirect is deprecated, please use entrypoint redirection instead.")
 	}
 	if cfg.SSLHost != "" {
 		logger.Msg("SSLHost is deprecated, please use RedirectRegex middleware instead.")
 	}
 	if cfg.SSLForceHost {
 		logger.Msg("SSLForceHost is deprecated, please use RedirectScheme middleware instead.")
 	}
 	if cfg.FeaturePolicy != "" {
 		logger.Msg("FeaturePolicy is deprecated, please use PermissionsPolicy header instead.")
 	}
 }
 type headers struct {
 	name    string
 	handler http.Handler
@ -49,10 +28,6 @@ func New(ctx context.Context, next http.Handler, cfg dynamic.Headers, name strin
 	logger := middlewares.GetLogger(ctx, name, typeName)
 	logger.Debug().Msg("Creating middleware")
 	mCtx := logger.WithContext(ctx)
 	handleDeprecation(mCtx, &cfg)
 	hasSecureHeaders := cfg.HasSecureHeadersDefined()
 	hasCustomHeaders := cfg.HasCustomHeadersDefined()
 	hasCorsHeaders := cfg.HasCorsHeadersDefined()
--- a/pkg/middlewares/headers/secure.go
+++ b/pkg/middlewares/headers/secure.go
@ -21,9 +21,6 @@ func newSecure(next http.Handler, cfg dynamic.Headers, contextKey string) *secur
 		ForceSTSHeader:          cfg.ForceSTSHeader,
 		FrameDeny:               cfg.FrameDeny,
 		IsDevelopment:           cfg.IsDevelopment,
 		SSLRedirect:             cfg.SSLRedirect,
 		SSLForceHost:            cfg.SSLForceHost,
 		SSLTemporaryRedirect:    cfg.SSLTemporaryRedirect,
 		STSIncludeSubdomains:    cfg.STSIncludeSubdomains,
 		STSPreload:              cfg.STSPreload,
 		ContentSecurityPolicy:   cfg.ContentSecurityPolicy,
@ -31,12 +28,10 @@ func newSecure(next http.Handler, cfg dynamic.Headers, contextKey string) *secur
 		CustomFrameOptionsValue: cfg.CustomFrameOptionsValue,
 		PublicKey:               cfg.PublicKey,
 		ReferrerPolicy:          cfg.ReferrerPolicy,
 		SSLHost:                 cfg.SSLHost,
 		AllowedHosts:            cfg.AllowedHosts,
 		HostsProxyHeaders:       cfg.HostsProxyHeaders,
 		SSLProxyHeaders:         cfg.SSLProxyHeaders,
 		STSSeconds:              cfg.STSSeconds,
 		FeaturePolicy:           cfg.FeaturePolicy,
 		PermissionsPolicy:       cfg.PermissionsPolicy,
 		SecureContextKey:        contextKey,
 	}
--- a/pkg/middlewares/headers/secure_test.go
+++ b/pkg/middlewares/headers/secure_test.go
@ -11,125 +11,12 @@ import (
 // Middleware tests based on https://github.com/unrolled/secure
 func Test_newSecure_sslForceHost(t *testing.T) {
 	type expected struct {
 		statusCode int
 		location   string
 	}
 	testCases := []struct {
 		desc string
 		host string
 		cfg  dynamic.Headers
 		expected
 	}{
 		{
 			desc: "http should return a 301",
 			host: "http://powpow.example.com",
 			cfg: dynamic.Headers{
 				SSLRedirect:  true,
 				SSLForceHost: true,
 				SSLHost:      "powpow.example.com",
 			},
 			expected: expected{
 				statusCode: http.StatusMovedPermanently,
 				location:   "https://powpow.example.com",
 			},
 		},
 		{
 			desc: "http sub domain should return a 301",
 			host: "http://www.powpow.example.com",
 			cfg: dynamic.Headers{
 				SSLRedirect:  true,
 				SSLForceHost: true,
 				SSLHost:      "powpow.example.com",
 			},
 			expected: expected{
 				statusCode: http.StatusMovedPermanently,
 				location:   "https://powpow.example.com",
 			},
 		},
 		{
 			desc: "https should return a 200",
 			host: "https://powpow.example.com",
 			cfg: dynamic.Headers{
 				SSLRedirect:  true,
 				SSLForceHost: true,
 				SSLHost:      "powpow.example.com",
 			},
 			expected: expected{statusCode: http.StatusOK},
 		},
 		{
 			desc: "https sub domain should return a 301",
 			host: "https://www.powpow.example.com",
 			cfg: dynamic.Headers{
 				SSLRedirect:  true,
 				SSLForceHost: true,
 				SSLHost:      "powpow.example.com",
 			},
 			expected: expected{
 				statusCode: http.StatusMovedPermanently,
 				location:   "https://powpow.example.com",
 			},
 		},
 		{
 			desc: "http without force host and sub domain should return a 301",
 			host: "http://www.powpow.example.com",
 			cfg: dynamic.Headers{
 				SSLRedirect:  true,
 				SSLForceHost: false,
 				SSLHost:      "powpow.example.com",
 			},
 			expected: expected{
 				statusCode: http.StatusMovedPermanently,
 				location:   "https://powpow.example.com",
 			},
 		},
 		{
 			desc: "https without force host and sub domain should return a 301",
 			host: "https://www.powpow.example.com",
 			cfg: dynamic.Headers{
 				SSLRedirect:  true,
 				SSLForceHost: false,
 				SSLHost:      "powpow.example.com",
 			},
 			expected: expected{statusCode: http.StatusOK},
 		},
 	}
 	next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		_, _ = rw.Write([]byte("OK"))
 	})
 	for _, test := range testCases {
 		t.Run(test.desc, func(t *testing.T) {
 			mid := newSecure(next, test.cfg, "mymiddleware")
 			req := httptest.NewRequest(http.MethodGet, test.host, nil)
 			rw := httptest.NewRecorder()
 			mid.ServeHTTP(rw, req)
 			assert.Equal(t, test.expected.statusCode, rw.Result().StatusCode)
 			assert.Equal(t, test.expected.location, rw.Header().Get("Location"))
 		})
 	}
 }
 func Test_newSecure_modifyResponse(t *testing.T) {
 	testCases := []struct {
 		desc     string
 		cfg      dynamic.Headers
 		expected http.Header
 	}{
 		{
 			desc: "FeaturePolicy",
 			cfg: dynamic.Headers{
 				FeaturePolicy: "vibrate 'none';",
 			},
 			expected: http.Header{"Feature-Policy": []string{"vibrate 'none';"}},
 		},
 		{
 			desc: "PermissionsPolicy",
 			cfg: dynamic.Headers{
--- a/pkg/middlewares/stripprefix/strip_prefix.go
+++ b/pkg/middlewares/stripprefix/strip_prefix.go
@ -21,7 +21,6 @@ const (
 type stripPrefix struct {
 	next     http.Handler
 	prefixes []string
 	forceSlash bool // TODO Must be removed (breaking), the default behavior must be forceSlash=false
 	name     string
 }
@ -30,7 +29,6 @@ func New(ctx context.Context, next http.Handler, config dynamic.StripPrefix, nam
 	middlewares.GetLogger(ctx, name, typeName).Debug().Msg("Creating middleware")
 	return &stripPrefix{
 		prefixes: config.Prefixes,
 		forceSlash: config.ForceSlash,
 		next:     next,
 		name:     name,
 	}, nil
@ -61,13 +59,6 @@ func (s *stripPrefix) serveRequest(rw http.ResponseWriter, req *http.Request, pr
 }
 func (s *stripPrefix) getPrefixStripped(urlPath, prefix string) string {
 	if s.forceSlash {
 		// Only for compatibility reason with the previous behavior,
 		// but the previous behavior is wrong.
 		// This needs to be removed in the next breaking version.
 		return "/" + strings.TrimPrefix(strings.TrimPrefix(urlPath, prefix), "/")
 	}
 	return ensureLeadingSlash(strings.TrimPrefix(urlPath, prefix))
 }
--- a/pkg/middlewares/stripprefix/strip_prefix_test.go
+++ b/pkg/middlewares/stripprefix/strip_prefix_test.go
@ -31,17 +31,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedStatusCode: http.StatusOK,
 			expectedPath:       "/noprefixes",
 		},
 		{
 			desc: "wildcard (.*) requests (ForceSlash)",
 			config: dynamic.StripPrefix{
 				Prefixes:   []string{"/"},
 				ForceSlash: true,
 			},
 			path:               "/",
 			expectedStatusCode: http.StatusOK,
 			expectedPath:       "/",
 			expectedHeader:     "/",
 		},
 		{
 			desc: "wildcard (.*) requests",
 			config: dynamic.StripPrefix{
@ -52,17 +41,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "",
 			expectedHeader:     "/",
 		},
 		{
 			desc: "prefix and path matching (ForceSlash)",
 			config: dynamic.StripPrefix{
 				Prefixes:   []string{"/stat"},
 				ForceSlash: true,
 			},
 			path:               "/stat",
 			expectedStatusCode: http.StatusOK,
 			expectedPath:       "/",
 			expectedHeader:     "/stat",
 		},
 		{
 			desc: "prefix and path matching",
 			config: dynamic.StripPrefix{
@ -73,17 +51,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "",
 			expectedHeader:     "/stat",
 		},
 		{
 			desc: "path prefix on exactly matching path (ForceSlash)",
 			config: dynamic.StripPrefix{
 				Prefixes:   []string{"/stat/"},
 				ForceSlash: true,
 			},
 			path:               "/stat/",
 			expectedStatusCode: http.StatusOK,
 			expectedPath:       "/",
 			expectedHeader:     "/stat/",
 		},
 		{
 			desc: "path prefix on exactly matching path",
 			config: dynamic.StripPrefix{
@ -133,17 +100,6 @@ func TestStripPrefix(t *testing.T) {
 			expectedPath:       "/us",
 			expectedHeader:     "/stat",
 		},
 		{
 			desc: "later prefix matching (ForceSlash)",
 			config: dynamic.StripPrefix{
 				Prefixes:   []string{"/mismatch", "/stat"},
 				ForceSlash: true,
 			},
 			path:               "/stat",
 			expectedStatusCode: http.StatusOK,
 			expectedPath:       "/",
 			expectedHeader:     "/stat",
 		},
 		{
 			desc: "later prefix matching",
 			config: dynamic.StripPrefix{
--- a/pkg/plugins/client.go
+++ b/pkg/plugins/client.go
@ -36,7 +36,6 @@ const pluginsURL = "https://plugins.traefik.io/public/"
 const (
 	hashHeader = "X-Plugin-Hash"
 	tokenHeader = "X-Token"
 )
 // ClientOptions the options of a Traefik plugins client.
@ -49,7 +48,6 @@ type Client struct {
 	HTTPClient *http.Client
 	baseURL    *url.URL
 	token     string
 	archives  string
 	stateFile string
 	goPath    string
@ -158,10 +156,6 @@ func (c *Client) Download(ctx context.Context, pName, pVersion string) (string,
 		req.Header.Set(hashHeader, hash)
 	}
 	if c.token != "" {
 		req.Header.Set(tokenHeader, c.token)
 	}
 	resp, err := c.HTTPClient.Do(req)
 	if err != nil {
 		return "", fmt.Errorf("failed to call service: %w", err)
@ -222,10 +216,6 @@ func (c *Client) Check(ctx context.Context, pName, pVersion, hash string) error
 		req.Header.Set(hashHeader, hash)
 	}
 	if c.token != "" {
 		req.Header.Set(tokenHeader, c.token)
 	}
 	resp, err := c.HTTPClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("failed to call service: %w", err)
--- a/pkg/provider/consulcatalog/config_test.go
+++ b/pkg/provider/consulcatalog/config_test.go
@ -3070,7 +3070,6 @@ func Test_buildConfiguration(t *testing.T) {
 func TestNamespaces(t *testing.T) {
 	testCases := []struct {
 		desc               string
 		namespace          string
 		namespaces         []string
 		expectedNamespaces []string
 	}{
@ -3078,11 +3077,6 @@ func TestNamespaces(t *testing.T) {
 			desc:               "no defined namespaces",
 			expectedNamespaces: []string{""},
 		},
 		{
 			desc:               "deprecated: use of defined namespace",
 			namespace:          "test-ns",
 			expectedNamespaces: []string{"test-ns"},
 		},
 		{
 			desc:               "use of 1 defined namespaces",
 			namespaces:         []string{"test-ns"},
@ -3102,7 +3096,6 @@ func TestNamespaces(t *testing.T) {
 			t.Parallel()
 			pb := &ProviderBuilder{
 				Namespace:  test.namespace,
 				Namespaces: test.namespaces,
 			}
--- a/pkg/provider/consulcatalog/consul_catalog.go
+++ b/pkg/provider/consulcatalog/consul_catalog.go
@ -49,25 +49,15 @@ type itemData struct {
 type ProviderBuilder struct {
 	Configuration `yaml:",inline" export:"true"`
 	// Deprecated: use Namespaces option instead.
 	Namespace  string   `description:"Sets the namespace used to discover services (Consul Enterprise only)." json:"namespace,omitempty" toml:"namespace,omitempty" yaml:"namespace,omitempty"`
 	Namespaces []string `description:"Sets the namespaces used to discover services (Consul Enterprise only)." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 }
 // BuildProviders builds Consul Catalog provider instances for the given namespaces configuration.
 func (p *ProviderBuilder) BuildProviders() []*Provider {
 	// We can warn about that, because we've already made sure before that
 	// Namespace and Namespaces are mutually exclusive.
 	if p.Namespace != "" {
 		log.Warn().Msg("Namespace option is deprecated, please use the Namespaces option instead.")
 	}
 	if len(p.Namespaces) == 0 {
 		return []*Provider{{
 			Configuration: p.Configuration,
 			name:          providerName,
 			// p.Namespace could very well be empty.
 			namespace: p.Namespace,
 		}}
 	}
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -623,7 +623,6 @@ func createForwardAuthMiddleware(k8sClient Client, namespace string, auth *v1alp
 	}
 	forwardAuth.TLS = &types.ClientTLS{
 		CAOptional:         auth.TLS.CAOptional,
 		InsecureSkipVerify: auth.TLS.InsecureSkipVerify,
 	}
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
@ -5145,7 +5145,6 @@ func TestCrossNamespace(t *testing.T) {
 						"cross-ns-stripprefix": {
 							StripPrefix: &dynamic.StripPrefix{
 								Prefixes: []string{"/stripit"},
 								ForceSlash: false,
 							},
 						},
 					},
@ -5216,7 +5215,6 @@ func TestCrossNamespace(t *testing.T) {
 						"cross-ns-stripprefix": {
 							StripPrefix: &dynamic.StripPrefix{
 								Prefixes: []string{"/stripit"},
 								ForceSlash: false,
 							},
 						},
 						"default-test-errorpage": {
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/middleware.go
@ -167,7 +167,6 @@ type ClientTLS struct {
 	CertSecret string `json:"certSecret,omitempty"`
 	// InsecureSkipVerify defines whether the server certificates should be validated.
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
 	CAOptional         bool `json:"caOptional,omitempty"`
 }
 // +k8s:deepcopy-gen=true
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/tlsoption.go
@ -41,10 +41,6 @@ type TLSOptionSpec struct {
 	ClientAuth ClientAuth `json:"clientAuth,omitempty"`
 	// SniStrict defines whether Traefik allows connections from clients connections that do not specify a server_name extension.
 	SniStrict bool `json:"sniStrict,omitempty"`
 	// PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
 	// It is enabled automatically when minVersion or maxVersion is set.
 	// Deprecated: https://github.com/golang/go/issues/45430
 	PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
 	// ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
 	// More info: https://doc.traefik.io/traefik/v2.9/https/tls/#alpn-protocols
 	ALPNProtocols []string `json:"alpnProtocols,omitempty"`
--- a/pkg/provider/kv/consul/consul.go
+++ b/pkg/provider/kv/consul/consul.go
@ -7,7 +7,6 @@ import (
 	"time"
 	"github.com/kvtools/consul"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/traefik/v2/pkg/provider"
 	"github.com/traefik/traefik/v2/pkg/provider/kv"
 	"github.com/traefik/traefik/v2/pkg/types"
@ -25,8 +24,6 @@ type ProviderBuilder struct {
 	Token string           `description:"Per-request ACL token." json:"token,omitempty" toml:"token,omitempty" yaml:"token,omitempty" loggable:"false"`
 	TLS   *types.ClientTLS `description:"Enable TLS support." json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
 	// Deprecated: use Namespaces instead.
 	Namespace  string   `description:"Sets the namespace used to discover the configuration (Consul Enterprise only)." json:"namespace,omitempty" toml:"namespace,omitempty" yaml:"namespace,omitempty"`
 	Namespaces []string `description:"Sets the namespaces used to discover the configuration (Consul Enterprise only)." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 }
@ -38,18 +35,10 @@ func (p *ProviderBuilder) SetDefaults() {
 // BuildProviders builds Consul provider instances for the given namespaces configuration.
 func (p *ProviderBuilder) BuildProviders() []*Provider {
 	// We can warn about that, because we've already made sure before that
 	// Namespace and Namespaces are mutually exclusive.
 	if p.Namespace != "" {
 		log.Warn().Msg("Namespace option is deprecated, please use the Namespaces option instead.")
 	}
 	if len(p.Namespaces) == 0 {
 		return []*Provider{{
 			Provider: p.Provider,
 			name:     providerName,
 			// p.Namespace could very well be empty.
 			namespace: p.Namespace,
 			token:    p.Token,
 			tls:      p.TLS,
 		}}
--- a/pkg/provider/kv/consul/consul_test.go
+++ b/pkg/provider/kv/consul/consul_test.go
@ -9,7 +9,6 @@ import (
 func TestNamespaces(t *testing.T) {
 	testCases := []struct {
 		desc               string
 		namespace          string
 		namespaces         []string
 		expectedNamespaces []string
 	}{
@ -17,11 +16,6 @@ func TestNamespaces(t *testing.T) {
 			desc:               "no defined namespaces",
 			expectedNamespaces: []string{""},
 		},
 		{
 			desc:               "deprecated: use of defined namespace",
 			namespace:          "test-ns",
 			expectedNamespaces: []string{"test-ns"},
 		},
 		{
 			desc:               "use of 1 defined namespaces",
 			namespaces:         []string{"test-ns"},
@ -41,7 +35,6 @@ func TestNamespaces(t *testing.T) {
 			t.Parallel()
 			pb := &ProviderBuilder{
 				Namespace:  test.namespace,
 				Namespaces: test.namespaces,
 			}
--- a/pkg/provider/kv/kv_test.go
+++ b/pkg/provider/kv/kv_test.go
@ -79,7 +79,6 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/key":                                  "foobar",
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/insecureSkipVerify":                   "true",
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/ca":                                   "foobar",
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/caOptional":                           "true",
 		"traefik/http/middlewares/Middleware08/forwardAuth/tls/cert":                                 "foobar",
 		"traefik/http/middlewares/Middleware08/forwardAuth/address":                                  "foobar",
 		"traefik/http/middlewares/Middleware08/forwardAuth/trustForwardHeader":                       "true",
@ -106,12 +105,8 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware09/headers/accessControlAllowOriginListRegex/1":          "foobar",
 		"traefik/http/middlewares/Middleware09/headers/contentTypeNosniff":                           "true",
 		"traefik/http/middlewares/Middleware09/headers/accessControlAllowCredentials":                "true",
 		"traefik/http/middlewares/Middleware09/headers/featurePolicy":                                "foobar",
 		"traefik/http/middlewares/Middleware09/headers/permissionsPolicy":                            "foobar",
 		"traefik/http/middlewares/Middleware09/headers/forceSTSHeader":                               "true",
 		"traefik/http/middlewares/Middleware09/headers/sslRedirect":                                  "true",
 		"traefik/http/middlewares/Middleware09/headers/sslHost":                                      "foobar",
 		"traefik/http/middlewares/Middleware09/headers/sslForceHost":                                 "true",
 		"traefik/http/middlewares/Middleware09/headers/sslProxyHeaders/name1":                        "foobar",
 		"traefik/http/middlewares/Middleware09/headers/sslProxyHeaders/name0":                        "foobar",
 		"traefik/http/middlewares/Middleware09/headers/allowedHosts/0":                               "foobar",
@ -130,7 +125,6 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware09/headers/addVaryHeader":                                "true",
 		"traefik/http/middlewares/Middleware09/headers/hostsProxyHeaders/0":                          "foobar",
 		"traefik/http/middlewares/Middleware09/headers/hostsProxyHeaders/1":                          "foobar",
 		"traefik/http/middlewares/Middleware09/headers/sslTemporaryRedirect":                         "true",
 		"traefik/http/middlewares/Middleware09/headers/customBrowserXSSValue":                        "foobar",
 		"traefik/http/middlewares/Middleware09/headers/referrerPolicy":                               "foobar",
 		"traefik/http/middlewares/Middleware09/headers/accessControlExposeHeaders/0":                 "foobar",
@ -206,7 +200,6 @@ func Test_buildConfiguration(t *testing.T) {
 		"traefik/http/middlewares/Middleware18/retry/attempts":                                       "42",
 		"traefik/http/middlewares/Middleware19/stripPrefix/prefixes/0":                               "foobar",
 		"traefik/http/middlewares/Middleware19/stripPrefix/prefixes/1":                               "foobar",
 		"traefik/http/middlewares/Middleware19/stripPrefix/forceSlash":                               "true",
 		"traefik/tcp/routers/TCPRouter0/entryPoints/0":                                               "foobar",
 		"traefik/tcp/routers/TCPRouter0/entryPoints/1":                                               "foobar",
 		"traefik/tcp/routers/TCPRouter0/service":                                                     "foobar",
@ -378,7 +371,6 @@ func Test_buildConfiguration(t *testing.T) {
 							"foobar",
 							"foobar",
 						},
 						ForceSlash: true,
 					},
 				},
 				"Middleware00": {
@ -413,7 +405,6 @@ func Test_buildConfiguration(t *testing.T) {
 						Address: "foobar",
 						TLS: &types.ClientTLS{
 							CA:                 "foobar",
 							CAOptional:         true,
 							Cert:               "foobar",
 							Key:                "foobar",
 							InsecureSkipVerify: true,
@ -589,14 +580,10 @@ func Test_buildConfiguration(t *testing.T) {
 							"foobar",
 							"foobar",
 						},
 						SSLRedirect:          true,
 						SSLTemporaryRedirect: true,
 						SSLHost:              "foobar",
 						SSLProxyHeaders: map[string]string{
 							"name1": "foobar",
 							"name0": "foobar",
 						},
 						SSLForceHost:            true,
 						STSSeconds:              42,
 						STSIncludeSubdomains:    true,
 						STSPreload:              true,
@ -609,7 +596,6 @@ func Test_buildConfiguration(t *testing.T) {
 						ContentSecurityPolicy:   "foobar",
 						PublicKey:               "foobar",
 						ReferrerPolicy:          "foobar",
 						FeaturePolicy:           "foobar",
 						PermissionsPolicy:       "foobar",
 						IsDevelopment:           true,
 					},
--- a/pkg/provider/nomad/config_test.go
+++ b/pkg/provider/nomad/config_test.go
@ -2611,7 +2611,6 @@ func Test_keepItem(t *testing.T) {
 func TestNamespaces(t *testing.T) {
 	testCases := []struct {
 		desc               string
 		namespace          string
 		namespaces         []string
 		expectedNamespaces []string
 	}{
@ -2619,11 +2618,6 @@ func TestNamespaces(t *testing.T) {
 			desc:               "no defined namespaces",
 			expectedNamespaces: []string{""},
 		},
 		{
 			desc:               "deprecated: use of defined namespace",
 			namespace:          "test-ns",
 			expectedNamespaces: []string{"test-ns"},
 		},
 		{
 			desc:               "use of 1 defined namespaces",
 			namespaces:         []string{"test-ns"},
@ -2643,7 +2637,6 @@ func TestNamespaces(t *testing.T) {
 			t.Parallel()
 			pb := &ProviderBuilder{
 				Namespace:  test.namespace,
 				Namespaces: test.namespaces,
 			}
--- a/pkg/provider/nomad/nomad.go
+++ b/pkg/provider/nomad/nomad.go
@ -52,23 +52,15 @@ type item struct {
 type ProviderBuilder struct {
 	Configuration `yaml:",inline" export:"true"`
 	// Deprecated: Use Namespaces option instead
 	Namespace  string   `description:"Sets the Nomad namespace used to discover services." json:"namespace,omitempty" toml:"namespace,omitempty" yaml:"namespace,omitempty"`
 	Namespaces []string `description:"Sets the Nomad namespaces used to discover services." json:"namespaces,omitempty" toml:"namespaces,omitempty" yaml:"namespaces,omitempty"`
 }
 // BuildProviders builds Nomad provider instances for the given namespaces configuration.
 func (p *ProviderBuilder) BuildProviders() []*Provider {
 	if p.Namespace != "" {
 		log.Warn().Msg("Namespace option is deprecated, please use the Namespaces option instead.")
 	}
 	if len(p.Namespaces) == 0 {
 		return []*Provider{{
 			Configuration: p.Configuration,
 			name:          providerName,
 			// p.Namespace could be empty
 			namespace: p.Namespace,
 		}}
 	}
--- a/pkg/redactor/redactor_config_test.go
+++ b/pkg/redactor/redactor_config_test.go
@ -176,7 +176,6 @@ func init() {
 				},
 				StripPrefix: &dynamic.StripPrefix{
 					Prefixes: []string{"foo"},
 					ForceSlash: true,
 				},
 				StripPrefixRegex: &dynamic.StripPrefixRegex{
 					Regex: []string{"foo"},
@ -211,11 +210,7 @@ func init() {
 					AddVaryHeader:                     true,
 					AllowedHosts:                      []string{"foo"},
 					HostsProxyHeaders:                 []string{"foo"},
 					SSLRedirect:                       true,
 					SSLTemporaryRedirect:              true,
 					SSLHost:                           "foo",
 					SSLProxyHeaders:                   map[string]string{"foo": "bar"},
 					SSLForceHost:                      true,
 					STSSeconds:                        42,
 					STSIncludeSubdomains:              true,
 					STSPreload:                        true,
@ -228,7 +223,6 @@ func init() {
 					ContentSecurityPolicy:             "foo",
 					PublicKey:                         "foo",
 					ReferrerPolicy:                    "foo",
 					FeaturePolicy:                     "foo",
 					PermissionsPolicy:                 "foo",
 					IsDevelopment:                     true,
 				},
@ -278,7 +272,6 @@ func init() {
 					Address: "127.0.0.1",
 					TLS: &types.ClientTLS{
 						CA:                 "ca.pem",
 						CAOptional:         true,
 						Cert:               "cert.pem",
 						Key:                "cert.pem",
 						InsecureSkipVerify: true,
@ -592,7 +585,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		DefaultRule: "PathPrefix(`/`)",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
 			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@ -615,7 +607,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		DCOSToken:        "foobar",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
 			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@ -691,7 +682,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 				Token:      "MyToken",
 				TLS: &types.ClientTLS{
 					CA:                 "myCa",
 					CAOptional:         true,
 					Cert:               "mycert.pem",
 					Key:                "mycert.key",
 					InsecureSkipVerify: true,
@ -710,7 +700,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 			ExposedByDefault:  true,
 			DefaultRule:       "PathPrefix(`/`)",
 		},
 		Namespace:  "ns",
 		Namespaces: []string{"ns1", "ns2"},
 	}
@ -735,12 +724,10 @@ func TestDo_staticConfiguration(t *testing.T) {
 		Token: "secret",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
 			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
 		},
 		Namespace:  "ns",
 		Namespaces: []string{"ns1", "ns2"},
 	}
@ -753,7 +740,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		Password: "password",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
 			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@ -778,7 +764,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		Password: "password",
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
 			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@ -791,7 +776,6 @@ func TestDo_staticConfiguration(t *testing.T) {
 		PollTimeout:  42,
 		TLS: &types.ClientTLS{
 			CA:                 "myCa",
 			CAOptional:         true,
 			Cert:               "mycert.pem",
 			Key:                "mycert.key",
 			InsecureSkipVerify: true,
@ -903,7 +887,7 @@ func TestDo_staticConfiguration(t *testing.T) {
 		},
 		Datadog: &datadog.Config{
 			LocalAgentHostPort:         "foobar",
-			GlobalTag:                  "foobar",
+			GlobalTags:                 map[string]string{"foobar": "foobar"},
 			Debug:                      true,
 			PrioritySampling:           true,
 			TraceIDHeaderName:          "foobar",
--- a/pkg/redactor/testdata/anonymized-dynamic-config.json
+++ b/pkg/redactor/testdata/anonymized-dynamic-config.json
@ -99,8 +99,7 @@
        "stripPrefix": {
          "prefixes": [
            "foo"
-          ],
+          ]
          "forceSlash": true
        },
        "stripPrefixRegex": {
          "regex": [
@ -161,10 +160,6 @@
          "hostsProxyHeaders": [
            "foo"
          ],
          "sslRedirect": true,
          "sslTemporaryRedirect": true,
          "sslHost": "xxxx",
          "sslForceHost": true,
          "stsSeconds": 42,
          "stsIncludeSubdomains": true,
          "stsPreload": true,
@ -177,7 +172,6 @@
          "contentSecurityPolicy": "xxxx",
          "publicKey": "xxxx",
          "referrerPolicy": "foo",
          "featurePolicy": "foo",
          "permissionsPolicy": "foo",
          "isDevelopment": true
        },
@ -235,7 +229,6 @@
          "address": "xxxx",
          "tls": {
            "ca": "xxxx",
            "caOptional": true,
            "cert": "xxxx",
            "key": "xxxx",
            "insecureSkipVerify": true
--- a/pkg/redactor/testdata/anonymized-static-config.json
+++ b/pkg/redactor/testdata/anonymized-static-config.json
@ -83,7 +83,6 @@
      "defaultRule": "xxxx",
      "tls": {
        "ca": "xxxx",
        "caOptional": true,
        "cert": "xxxx",
        "key": "xxxx",
        "insecureSkipVerify": true
@ -111,7 +110,6 @@
      "dcosToken": "xxxx",
      "tls": {
        "ca": "xxxx",
        "caOptional": true,
        "cert": "xxxx",
        "key": "xxxx",
        "insecureSkipVerify": true
@ -189,7 +187,6 @@
        "token": "xxxx",
        "tls": {
          "ca": "xxxx",
          "caOptional": true,
          "cert": "xxxx",
          "key": "xxxx",
          "insecureSkipVerify": true
@ -207,7 +204,6 @@
      "cache": true,
      "exposedByDefault": true,
      "defaultRule": "xxxx",
      "namespace": "xxxx",
      "namespaces": [
        "xxxx",
        "xxxx"
@ -233,12 +229,10 @@
      "token": "xxxx",
      "tls": {
        "ca": "xxxx",
        "caOptional": true,
        "cert": "xxxx",
        "key": "xxxx",
        "insecureSkipVerify": true
      },
      "namespace": "xxxx",
      "namespaces": [
        "xxxx",
        "xxxx"
@ -248,7 +242,6 @@
      "rootKey": "xxxx",
      "tls": {
        "ca": "xxxx",
        "caOptional": true,
        "cert": "xxxx",
        "key": "xxxx",
        "insecureSkipVerify": true
@ -265,7 +258,6 @@
      "rootKey": "xxxx",
      "tls": {
        "ca": "xxxx",
        "caOptional": true,
        "cert": "xxxx",
        "key": "xxxx",
        "insecureSkipVerify": true
@ -279,7 +271,6 @@
      "pollTimeout": "42ns",
      "tls": {
        "ca": "xxxx",
        "caOptional": true,
        "cert": "xxxx",
        "key": "xxxx",
        "insecureSkipVerify": true
@ -394,7 +385,9 @@
    },
    "datadog": {
      "localAgentHostPort": "xxxx",
-      "globalTag": "foobar",
+      "globalTags": {
        "foobar": "foobar"
      },
      "debug": true,
      "prioritySampling": true,
      "traceIDHeaderName": "foobar",
--- a/pkg/redactor/testdata/secured-dynamic-config.json
+++ b/pkg/redactor/testdata/secured-dynamic-config.json
@ -99,8 +99,7 @@
        "stripPrefix": {
          "prefixes": [
            "foo"
-          ],
+          ]
          "forceSlash": true
        },
        "stripPrefixRegex": {
          "regex": [
@ -161,13 +160,9 @@
          "hostsProxyHeaders": [
            "foo"
          ],
          "sslRedirect": true,
          "sslTemporaryRedirect": true,
          "sslHost": "foo",
          "sslProxyHeaders": {
            "foo": "bar"
          },
          "sslForceHost": true,
          "stsSeconds": 42,
          "stsIncludeSubdomains": true,
          "stsPreload": true,
@ -180,7 +175,6 @@
          "contentSecurityPolicy": "foo",
          "publicKey": "foo",
          "referrerPolicy": "foo",
          "featurePolicy": "foo",
          "permissionsPolicy": "foo",
          "isDevelopment": true
        },
@ -238,7 +232,6 @@
          "address": "127.0.0.1",
          "tls": {
            "ca": "ca.pem",
            "caOptional": true,
            "cert": "cert.pem",
            "key": "xxxx",
            "insecureSkipVerify": true
--- a/pkg/tls/tls.go
+++ b/pkg/tls/tls.go
@ -24,7 +24,6 @@ type Options struct {
 	CurvePreferences []string   `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
 	ClientAuth       ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
 	SniStrict        bool       `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
 	PreferServerCipherSuites bool       `json:"preferServerCipherSuites,omitempty" toml:"preferServerCipherSuites,omitempty" yaml:"preferServerCipherSuites,omitempty" export:"true"` // Deprecated: https://github.com/golang/go/issues/45430
 	ALPNProtocols    []string   `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
 }
--- a/pkg/tracing/datadog/datadog.go
+++ b/pkg/tracing/datadog/datadog.go
@ -4,7 +4,6 @@ import (
 	"io"
 	"net"
 	"os"
 	"strings"
 	"github.com/opentracing/opentracing-go"
 	"github.com/rs/zerolog/log"
@ -19,8 +18,6 @@ const Name = "datadog"
 // Config provides configuration settings for a datadog tracer.
 type Config struct {
 	LocalAgentHostPort         string            `description:"Sets the Datadog Agent host:port." json:"localAgentHostPort,omitempty" toml:"localAgentHostPort,omitempty" yaml:"localAgentHostPort,omitempty"`
 	// Deprecated: use GlobalTags instead.
 	GlobalTag                  string            `description:"Sets a key:value tag on all spans." json:"globalTag,omitempty" toml:"globalTag,omitempty" yaml:"globalTag,omitempty" export:"true"`
 	GlobalTags                 map[string]string `description:"Sets a list of key:value tags on all spans." json:"globalTags,omitempty" toml:"globalTags,omitempty" yaml:"globalTags,omitempty" export:"true"`
 	Debug                      bool              `description:"Enables Datadog debug." json:"debug,omitempty" toml:"debug,omitempty" yaml:"debug,omitempty" export:"true"`
 	PrioritySampling           bool              `description:"Enables priority sampling. When using distributed tracing, this option must be enabled in order to get all the parts of a distributed trace sampled." json:"prioritySampling,omitempty" toml:"prioritySampling,omitempty" yaml:"prioritySampling,omitempty" export:"true"`
@ -66,17 +63,6 @@ func (c *Config) Setup(serviceName string) (opentracing.Tracer, io.Closer, error
 		opts = append(opts, datadog.WithGlobalTag(k, v))
 	}
 	if c.GlobalTag != "" {
 		logger.Warn().Msg(`Datadog: option "globalTag" is deprecated, please use "globalTags" instead.`)
 		key, value, _ := strings.Cut(c.GlobalTag, ":")
 		// Don't override a tag already defined with the new option.
 		if _, ok := c.GlobalTags[key]; !ok {
 			opts = append(opts, datadog.WithGlobalTag(key, value))
 		}
 	}
 	if c.PrioritySampling {
 		opts = append(opts, datadog.WithPrioritySampling())
 	}
--- a/pkg/types/tls.go
+++ b/pkg/types/tls.go
@ -17,8 +17,6 @@ import (
 // CA, Cert and Key can be either path or file contents.
 type ClientTLS struct {
 	CA                 string `description:"TLS CA" json:"ca,omitempty" toml:"ca,omitempty" yaml:"ca,omitempty"`
 	// Deprecated: TLS client authentication is a server side option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).
 	CAOptional         bool   `description:"TLS CA.Optional" json:"caOptional,omitempty" toml:"caOptional,omitempty" yaml:"caOptional,omitempty" export:"true"`
 	Cert               string `description:"TLS cert" json:"cert,omitempty" toml:"cert,omitempty" yaml:"cert,omitempty"`
 	Key                string `description:"TLS key" json:"key,omitempty" toml:"key,omitempty" yaml:"key,omitempty" loggable:"false"`
 	InsecureSkipVerify bool   `description:"TLS insecure skip verify" json:"insecureSkipVerify,omitempty" toml:"insecureSkipVerify,omitempty" yaml:"insecureSkipVerify,omitempty" export:"true"`
@ -31,10 +29,6 @@ func (c *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, error) {
 		return nil, nil
 	}
 	if c.CAOptional {
 		log.Ctx(ctx).Warn().Msg("CAOptional is deprecated, TLS client authentication is a server side option.")
 	}
 	// Not initialized, to rely on system bundle.
 	var caPool *x509.CertPool