Traefik Labs has released Traefik Proxy 3.7, the latest version of its open-source cloud-native application proxy.
The most important release update is the Ingress NGINX provider, which is now production-ready. Traefik Proxy 3.7 supports over 85 commonly used Ingress NGINX annotations, enabling many existing Kubernetes Ingress resources to operate with Traefik without modifying manifests or annotations.
According to Traefik Labs, the supported annotation set covers more than 90% of real-world usage patterns observed across hundreds of production clusters. The list includes authentication, session affinity, routing and redirects, proxy tuning, load balancing, rate limiting, canary deployments, custom headers, custom error pages, default backends, access control, and observability.
This release also introduces partial support for commonly used Ingress NGINX snippet annotations, such as configuration-snippet, server-snippet, and auth-snippet. Rather than inserting raw user-provided NGINX configuration, Traefik parses snippet content, maps it to an approved list of supported directives, and rejects unsupported input.
Apart from the NGINX’s improvements, Traefik Proxy 3.7 introduces a new TLS certificates view in the dashboard. The Certificates menu displays active TLS certificates, their associated domains, expiration dates, and their attachment points across HTTP and TCP routers.
Another update allows middleware to be attached directly to services. Previously, Traefik middlewares were only attached to routers or entry points. In version 3.7, middlewares can be applied at the service level, enabling consistent authentication, rate limiting, or other behaviors across all routers targeting the same backend service without duplicating configuration.
For Kubernetes Gateway API users, Traefik Proxy 3.7 adds support for Gateway API v1.5.1. This update allows Gateway listeners to reference multiple certificateRefs and select the appropriate certificate using SNI.
Resilience features have been expanded as well. The Retry middleware can now retry requests based on HTTP response status codes, with configurable per-attempt timeouts and optional support for non-idempotent methods. This enables Traefik to retry requests when backends return responses such as 502, 503, or 504.
On top of that, the Failover service can now trigger failover based on response status codes. This, combined with new service failover support in the TraefikService custom resource definition, allows blue-green and active-passive setups to be defined directly in Kubernetes using Traefik’s CRD model.
Additional updates include wildcard host support in Host and HostSNI matchers, provider routing precedence configuration, per-Ingress entry point selection for NGINX Ingresses, a new encodedCharacters middleware, support for fragmented TLS Client Hello, an ACME CertificateTimeout option, Kubernetes Ingress log fields, dashboard name configuration, and Knative 1.20 support.
Check out the release announcement or look at the project’s GitHub changelog for the full list of all changes.
Traefik Proxy 3.7 is now available on the project’s GitHub release page and Docker Hub. Documentation, the Ingress NGINX migration guide, and migration tools are accessible through Traefik’s official resources.
Image credits: Traefik Labs
