From fff6ac43e41e7d1bdd81b14565df7d36923ffa23 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 13:02:20 +0100
Subject: [PATCH] Small cleanup

---
 dev/forward-to-legacy-nginx.yaml | 21 +++++++++++
 docker-compose.yaml | 60 ++++----------------------
 2 files changed, 27 insertions(+), 54 deletions(-)
 create mode 100644 dev/forward-to-legacy-nginx.yaml

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
new file mode 100644
index 0000000..4bb72ea
--- /dev/null
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -0,0 +1,21 @@
+# ./traefik/dynamic_conf.yml
+
+tcp:
+ routers:
+ # Router for HTTPS (Passthrough)
+ nginx-secure-router:
+ rule: "HostSNI(`*`)"
+ service: nginx-secure-service
+ # Passthrough must be true for SSL to reach Nginx encrypted
+ tls:
+ passthrough: true
+ entryPoints:
+ - "https"
+
+ services:
+ # Service defining the external IP
+ nginx-secure-service:
+ loadBalancer:
+ servers:
+ # This is the actual external IP and Port of your Nginx
+ - address: "192.168.1.85:443"
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 2d2cd1c..d6511bc 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
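Review bot: The catch-all HostSNI(`*`) passthrough router in this new file is bound to the same `https` entrypoint as the whoami HTTPS router in docker-compose.yaml, and unlike the commented-out compose labels it replaces (which carried a `priority=1`, albeit under a router name that never matched) it sets no `priority`, so every TLS connection for a name Traefik does not otherwise claim is now handed raw to the LAN host `192.168.1.85:443`, with precedence resting entirely on Traefik's built-in catch-all handling rather than on anything stated here. Restricting the rule to the legacy hostnames, e.g. HostSNI(`legacy.example.org`) in place of `*`, or at least adding `priority: 1` under `nginx-secure-router`, makes the intended ordering explicit and stops unknown SNIs from reaching the legacy box. With `passthrough: true` Traefik cannot inspect the stream or add headers, so the legacy nginx will presumably see every connection as originating from the Traefik container unless PROXY protocol is enabled on both sides — worth a comment next to `passthrough`. The header comment `# ./traefik/dynamic_conf.yml` is stale given the mount path this commit introduces; replace it with `# Traefik dynamic config, mounted at /etc/traefik/forward-to-legacy-nginx.yaml (see docker-compose.yaml)`.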
@@ -1,25 +1,23 @@
 services:
 traefik:
 image: "traefik:v3.6@sha256:aaf0f6185419a50c74651448c1a5bf4606bd2d2ddb7b8749eed505d55bf8b8ea"
- # container_name: "traefik"
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
 networks:
 - proxy
 command:
- - --log.level=DEBUG
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
 - "--providers.docker.network=proxy"
 - "--providers.docker.constraints=Label(`env`, `${ENV}`)"
 - "--entryPoints.web.address=:80"
 - "--entryPoints.https.address=:443"
- - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
- - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
- - --certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com
- - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
- - "--providers.file.filename=/etc/traefik/dynamic_conf.yml"
+ - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+ - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
+ - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+ - "--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
 - "--providers.file.watch=true"
 ports:
 - "${PORT}:80"
@@ -28,7 +26,7 @@ services:
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
 - "./data/letsencrypt:/letsencrypt"
- - ./asd.yaml:/etc/traefik/dynamic_conf.yml
+ - "./${ENV}/forward-to-legacy-nginx.yaml:/etc/traefik/forward-to-legacy-nginx.yaml"
 
 whoami:
 image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab"
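Review bot: The re-quoted `--certificatesresolvers.letsencrypt.acme.email=` line keeps a literal mailbox in a compose file that is otherwise parameterised through `${ENV}` and `${PORT}`, so the same file cannot serve another environment or operator without an edit. For consistency with the surrounding lines, read it from the environment and fail loudly when missing: `- "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL:?ACME_EMAIL must be set}"`. The remaining changes in this hunk only add quotes and drop `--log.level=DEBUG`, which is fine as written.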
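Review bot: The new bind mount `./${ENV}/forward-to-legacy-nginx.yaml` fails open when `ENV` is unset: Compose substitutes an empty string, the host path becomes `./forward-to-legacy-nginx.yaml`, and if that file does not exist the short mount syntax creates an empty directory there and mounts it, so Traefik starts with its file provider pointed at a directory and no passthrough router, with no obvious error at the compose level. Writing `${ENV:?ENV must be set}` here (and in the `--providers.docker.constraints` line of the first hunk) turns that into a hard failure at `docker compose up`, and the mount should be `:ro` since Traefik never writes its dynamic config. Separately, because a single file is bind-mounted while `--providers.file.watch=true` is set, editors that save by rename typically give the file a new inode the container never sees; mounting the per-environment directory instead (`./${ENV}:/etc/traefik/dynamic:ro` with `--providers.file.directory=/etc/traefik/dynamic`) is the usual way to keep the watch reliable. The whoami service definition continues past the end of this hunk.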
@@ -44,51 +42,5 @@ services:
 - traefik.http.routers.https.entrypoints=https
 - traefik.http.routers.https.tls=true
 - traefik.http.routers.https.tls.certresolver=letsencrypt
- # catchall-shim:
- # image: traefik/whoami
- # networks:
- # - proxy
- # labels:
- # - "traefik.enable=true"
-
- # # -------------------------------------------------------
- # # 1. HTTPS Handling (TCP Passthrough) -> Port 443
- # # -------------------------------------------------------
-
- # # Use a TCP Router for Port 443
- # - "traefik.tcp.routers.https.entrypoints=https"
-
- # # Match Any Domain (Wildcard SNI)
- # - "traefik.tcp.routers.https.rule=HostSNI(`*`)"
-
- # # CRITICAL: Passthrough = true
- # # Traefik will NOT decrypt. It passes the encrypted stream to Nginx.
- # - "traefik.tcp.routers.https.tls.passthrough=true"
-
- # # Low priority so other specific routes in Traefik override this
- # - "traefik.tcp.routers.catchall-https.priority=1"
-
- # # Point to the Nginx service
- # - "traefik.tcp.routers.https.service=nginx-backend-secure"
-
- # # Define the destination IP for HTTPS (Note: 'server.address', not 'url')
- # # Replace 192.168.1.100 with your Nginx IP
- # - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85"
- # - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.port=443"
- # - "env=${ENV}"
-
- # # -------------------------------------------------------
- # # 2. HTTP Handling (Standard Proxy) -> Port 80
- # # -------------------------------------------------------
- # # Since HTTP is unencrypted, we can use a standard HTTP router.
- # # This forwards the request to Nginx port 80 (for Certbot challenges/redirects).
-
- # # - "traefik.http.routers.catchall-http.entrypoints=web"
- # # - "traefik.http.routers.catchall-http.rule=PathPrefix(`/`)"
- # # # - "traefik.http.routers.catchall-http.priority=1"
- # # - "traefik.http.routers.catchall-http.service=nginx-backend-plain"
-
- # # # Define the destination IP for HTTP
- # # - "traefik.http.services.nginx-backend-plain.loadbalancer.server.url=http://192.168.1.85:80"
 networks:
 proxy: