From 2702b7379886b49313d30951c077a488141a40ec Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 23:58:43 +0100
Subject: [PATCH] Initial migration from legacy nginx (#11)
Reviewed-on: https://gitea.kovagoadi.hu/kovagoadi.hu/traefik/pulls/11
Co-authored-by: kovagoadi
Co-committed-by: kovagoadi
---
 dev.env | 6 ++++-
 docker-compose.yaml | 22 +++++++++++++++--
 prod.env | 6 ++++-
 prod/forward-to-legacy-nginx.yaml | 39 +++++++++++++++++++++++++++++++
 staging.env | 6 ++++-
 5 files changed, 74 insertions(+), 5 deletions(-)
 create mode 100644 prod/forward-to-legacy-nginx.yaml
diff --git a/dev.env b/dev.env
index 3ec5165..e42f23f 100644
--- a/dev.env
+++ b/dev.env
@@ -1,3 +1,7 @@
 PORT=898
+HTTPS_PORT=446
 ENV=dev
-NETWORK_NAME=proxy
\ No newline at end of file
+NETWORK_NAME=proxy
+CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
+DOMAIN=dev.kovagoadi.hu
+TRAEFIK_LEGACY_OPT=
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index db7ae13..b2848ae 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,23 +1,34 @@ services: traefik: image: "traefik:v3.6@sha256:aaf0f6185419a50c74651448c1a5bf4606bd2d2ddb7b8749eed505d55bf8b8ea" - # container_name: "traefik" restart: unless-stopped security_opt: - no-new-privileges:true networks: - proxy + - legacy-nginx command: - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" + - "--entryPoints.https.address=:443" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + - "${TRAEFIK_LEGACY_OPT:-}" + - "--providers.file.watch=true" ports: - "${PORT}:80" + - "${HTTPS_PORT}:443" - "8080" volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "./data/letsencrypt:/letsencrypt" + - "./${ENV}/forward-to-legacy-nginx.yaml:/etc/traefik/forward-to-legacy-nginx.yaml" whoami: image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab" @@ -27,7 +38,14 @@ services: labels: - "env=${ENV}" - "traefik.enable=true" - - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)" + - "traefik.http.routers.whoami.rule=Host(`test-whoami.${DOMAIN}`)" + - "traefik.http.routers.https.rule=Host(`test-whoami.${DOMAIN}`)" - "traefik.http.routers.whoami.entrypoints=web" + - traefik.http.routers.https.entrypoints=https + - traefik.http.routers.https.tls=true + - traefik.http.routers.https.tls.certresolver=letsencrypt networks: proxy: + legacy-nginx: + name: proxy + external: true diff --git a/prod.env b/prod.env index 571feb7..186c79a 100644 --- a/prod.env +++ b/prod.env 
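Review bot: The new `./data/letsencrypt:/letsencrypt` bind mount in the first docker-compose.yaml hunk stores `acme.json` inside the repository checkout, and that file holds the ACME account key together with the private keys of every issued certificate. Nothing in this patch shows the path being ignored by git or restricted in mode, so I would add `# acme.json holds private keys: keep data/ out of VCS, file mode 0600` above the mount and confirm a matching `.gitignore` entry exists. Separately, the `./${ENV}/forward-to-legacy-nginx.yaml` mount and `--providers.file.watch=true` are unconditional while the commit only creates `prod/forward-to-legacy-nginx.yaml`; with dev.env and staging.env Docker will most likely create an empty directory at the missing host path, and `"${TRAEFIK_LEGACY_OPT:-}"` expands to an empty command argument. Committing a stub file for dev and staging and setting the filename option in every env file would remove both special cases.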
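Review bot: The router name `https` in the new whoami labels (second docker-compose.yaml hunk) is shared across the whole Traefik instance, so any other container that later sets `traefik.http.routers.https.*` labels would collide with this definition. Naming it after the service, e.g. `traefik.http.routers.whoami-secure.rule=...` with the matching `entrypoints`, `tls` and `tls.certresolver` labels, keeps the TLS routing of each service independent. The three unquoted labels should also be quoted like the ones above them for consistency. The `legacy-nginx` network is declared with `name: proxy` next to the project-scoped `proxy` key, which is easy to misread; a comment such as `# external network shared with the legacy nginx stack (Docker name: proxy)` would help. The whoami service definition starts outside this hunk.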
@@ -1,3 +1,7 @@
 PORT=81
+HTTPS_PORT=444
 ENV=prod
-NETWORK_NAME=proxy
\ No newline at end of file
+NETWORK_NAME=proxy
+CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
+DOMAIN=kovagoadi.hu
+TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
diff --git a/prod/forward-to-legacy-nginx.yaml b/prod/forward-to-legacy-nginx.yaml
new file mode 100644
index 0000000..e184fe0
--- /dev/null
+++ b/prod/forward-to-legacy-nginx.yaml
@@ -0,0 +1,39 @@
+# ./traefik/forward-to-legacy-nginx.yaml
+
+tcp:
+ routers:
+ # Router for HTTPS (Passthrough)
+ nginx-legacy-router-secure:
+ rule: "HostSNI(`*`)"
+ service: nginx-legacy-service-secure
+ # Passthrough must be true for SSL to reach Nginx encrypted
+ tls:
+ passthrough: true
+ priority: 1
+ entryPoints:
+ - "https"
+
+ services:
+ # Service defining the external IP
+ nginx-legacy-service-secure:
+ loadBalancer:
+ servers:
+ # This is the actual external IP and Port of your Nginx
+ - address: "webserver:443"
+
+http:
+ routers:
+ # Router for HTTP
+ nginx-legacy-router:
+ rule: "HostRegexp(`^.+$`)"
+ service: nginx-legacy-service
+ # Low priority ensures specific containers are handled first
+ priority: 1
+ entryPoints:
+ - "web"
+
+ services:
+ nginx-legacy-service:
+ loadBalancer:
+ servers:
+ - url: "http://webserver:80"
\ No newline at end of file
diff --git a/staging.env b/staging.env
index dc09e47..38ab2dc 100644
--- a/staging.env
+++ b/staging.env
@@ -1,3 +1,7 @@
 PORT=8080
+HTTPS_PORT=445
 ENV=staging
-NETWORK_NAME=proxy
\ No newline at end of file
+NETWORK_NAME=proxy
+CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
+DOMAIN=staging.kovagoadi.hu
+TRAEFIK_LEGACY_OPT=
\ No newline at end of file
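Review bot: In prod/forward-to-legacy-nginx.yaml the `nginx-legacy-router-secure` TCP router is a catch-all with TLS passthrough on the `https` entry point, and the file does not document how it interacts with Traefik's own TLS-terminating routers. Please confirm in prod that the `https` router for `test-whoami.${DOMAIN}` still wins over it, and record the intent with a comment such as `# Catch-all: any TLS connection without a more specific router is passed to legacy nginx undecrypted`. With passthrough, Traefik cannot apply middlewares, and nginx will presumably see Traefik's address as the client unless PROXY protocol is enabled on both sides, which affects IP-based access rules and logs on the legacy host. The header comment `# ./traefik/forward-to-legacy-nginx.yaml` does not match the file's path, and the comments describing an "external IP" sit above the hostname `webserver:443`; both should be corrected.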