
Traefik Labs has announced the release of Traefik Proxy 3.7, the latest version of its open-source cloud-native application proxy, introducing major Kubernetes and resilience improvements.
The headline feature in this release is the Ingress NGINX provider, which has now reached production-ready status. Traefik Proxy 3.7 supports more than 85 widely used Ingress NGINX annotations, allowing many existing Kubernetes Ingress configurations to work with Traefik without requiring changes to manifests or annotations.
According to Traefik Labs, the supported annotations cover over 90% of real-world usage scenarios observed across hundreds of production Kubernetes clusters. Supported functionality includes authentication, session persistence, routing and redirects, proxy tuning, load balancing, rate limiting, canary deployments, custom headers, error pages, default backends, access control, and observability features.
The release also adds partial support for popular Ingress NGINX snippet annotations such as configuration-snippet, server-snippet, and auth-snippet. Instead of directly injecting arbitrary NGINX configuration, Traefik analyzes snippet contents, translates supported directives into approved equivalents, and blocks unsupported configurations.
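The translate-or-block handling of snippet annotations described above can be sketched as a fail-closed translator. This is an added example, not Traefik's code and not from the announcement. The two-directive allowlist, the function names and the sample snippet are assumptions for illustration; the output uses the customRequestHeaders and customResponseHeaders fields of Traefik's Headers middleware.

```python
import re
import shlex

# Assumed allowlist, for illustration only: NGINX directive -> field of Traefik's
# Headers middleware. The page does not say which directives Traefik translates.
ALLOWED = {
    "proxy_set_header": "customRequestHeaders",
    "add_header": "customResponseHeaders",
}
HEADER_NAME = re.compile(r"[A-Za-z0-9-]+")

class UnsupportedSnippet(ValueError):
    """Snippet contains something outside the allowlist; nothing is applied."""

def _emit(stmt, out):
    # Translatable form is exactly: <allowed directive> <header name> <static value>
    if len(stmt) != 3 or stmt[0] not in ALLOWED:
        raise UnsupportedSnippet(f"unsupported directive: {' '.join(stmt)!r}")
    directive, name, value = stmt
    if not HEADER_NAME.fullmatch(name):
        raise UnsupportedSnippet(f"invalid header name: {name!r}")
    # NGINX variables cannot be resolved statically; control characters are refused.
    if "$" in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise UnsupportedSnippet(f"non-static or unsafe value for {name!r}")
    out.setdefault(ALLOWED[directive], {})[name] = value

def translate_snippet(snippet):
    """Return a Headers-style dict for the whole snippet, or raise (fail closed)."""
    lex = shlex.shlex(snippet, posix=True, punctuation_chars=";{}")
    lex.whitespace_split = True  # keep ':', ',' and similar inside one token
    try:
        tokens = list(lex)  # '#' comments are dropped by shlex
    except ValueError as exc:  # e.g. unterminated quote
        raise UnsupportedSnippet(f"unparsable snippet: {exc}") from exc
    out, stmt = {}, []
    for tok in tokens:
        if tok == ";":
            _emit(stmt, out)
            stmt = []
        elif tok and not tok.strip(";{}"):
            # '{' or '}' means a block (if, location, ...): never translated.
            raise UnsupportedSnippet(f"block or stray punctuation: {tok!r}")
        else:
            stmt.append(tok)
    if stmt:
        raise UnsupportedSnippet("directive not terminated by ';'")
    return out

# Constructed sample: yields {"customResponseHeaders": {"X-Frame-Options": "DENY"}}
SAMPLE = 'add_header X-Frame-Options "DENY";'
```

The translator rejects the whole snippet on the first unsupported token, so a partially understood snippet is never applied in part.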

Another notable addition is a new TLS certificates view in the Traefik dashboard. The new Certificates section displays active TLS certificates along with their associated domains, expiration dates, and the HTTP or TCP routers using them.
Traefik Proxy 3.7 also expands middleware flexibility by allowing middleware to be attached directly to services. Previously, middleware could only be assigned to routers or entry points. With the new approach, administrators can apply authentication, rate limiting, and similar behaviors consistently across all routers connected to the same backend service without repeating configuration.
For users of the Kubernetes Gateway API, version 3.7 introduces support for Gateway API v1.5.1. This update enables Gateway listeners to reference multiple certificateRefs and automatically choose the correct certificate using Server Name Indication (SNI).
The release further strengthens resilience and failover capabilities. The Retry middleware can now retry requests based on HTTP response status codes, including errors such as 502, 503, and 504. Administrators can configure per-attempt timeouts and optionally enable retries for non-idempotent HTTP methods.
Similarly, the Failover service can now trigger failovers based on response status codes. Combined with new failover support in the TraefikService custom resource definition, this allows blue-green and active-passive deployment models to be implemented directly through Traefik’s Kubernetes CRD system.
Additional improvements in Traefik Proxy 3.7 include wildcard host support for Host and HostSNI matchers, provider routing precedence configuration, per-Ingress entry point selection for NGINX Ingresses, a new encodedCharacters middleware, fragmented TLS Client Hello support, an ACME CertificateTimeout option, enhanced Kubernetes Ingress logging fields, configurable dashboard naming, and compatibility with Knative 1.20.
See the release announcement or the project’s GitHub changelog for the full list of changes.
Traefik Proxy 3.7 is now available on the project’s GitHub release page and Docker Hub. Documentation, the Ingress NGINX migration guide, and migration tools are accessible through Traefik’s official resources.