Merge branch 'main' into fix-acme

dev.env

@@ -4,6 +4,4 @@ ENV=dev
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
 DOMAIN=dev.kovagoadi.hu
-ACME_BYPASS=false
-# TRAEFIK_LEGACY_OPT=
-TRAEFIK_LEGACY_OPT="--providers.file.directory=/etc/traefik"
+TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"

dev/forward-to-legacy-nginx.yaml

@@ -1,44 +1,53 @@
 # ./traefik/forward-to-legacy-nginx.yaml
 
+    
+# static configuration (traefik.yml)
+# entryPoints:
+#   web:
+#     address: ":80" # or :898 in your case
+#     allowACMEByPass: true  # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS
+#   https:
+#     address: ":443"
+
+# certificatesResolvers:
+#   letsencrypt:
+#     acme:
+#       email: "kovagoadi@gmail.com"
+#       storage: "acme.json"
+#       httpChallenge:
+#        entryPoint: web
+
 tcp:
   routers:
-    # Router for HTTPS (Passthrough)
+    # Router for LEGACY HTTPS (Passthrough)
     nginx-legacy-router-secure:
-      rule: "HostSNI(`*`)"
+      # DO NOT use "*". List the domains that Nginx manages itself.
+      # If you use "*", Traefik's own HTTPS domains will not work.
+      rule: "HostSNI(`excali.kovagoadi.hu`) || HostSNI(`another-legacy.hu`)"
       service: nginx-legacy-service-secure
-      # Passthrough must be true for SSL to reach Nginx encrypted
       tls:
         passthrough: true
-      priority: 10
+      priority: 1
       entryPoints:
         - "https"
 
   services:
-    # Service defining the external IP
     nginx-legacy-service-secure:
       loadBalancer:
         servers:
-          # This is the actual external IP and Port of your Nginx
           - address: "webserver:443"
 
 http:
   routers:
     # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
-    traefik-acme-handler:
-      rule: "Host(`test-whoami.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
-      entryPoints:
-        - "web"
-      service: "acme-http@internal" # This is the internal service name
-      priority: 1000                # High priority to ensure it wins
 
     # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
     nginx-legacy-router:
       rule: "HostRegexp(`^.+$`)"
       service: nginx-legacy-service
-      # Low priority ensures specific containers are handled first, but before the default acme-handler
-      priority: 90
       entryPoints:
         - "web"
+      priority: 1 
 
   services:
     nginx-legacy-service:

dev/route-to-staging-dev.yaml

@@ -1,30 +0,0 @@
-http:
-  routers:
-    # Router for HTTP (Port 80)
-    staging:
-      rule: "Host(`staging.kovagoadi.hu`) || Host(`test-whoami.staging.kovagoadi.hu`)"
-      entryPoints:
-        - "web"
-      service: "dev-staging"
-      priority: 1000000
-
-    # Router for HTTPS (Port 443)
-    staging-secure:
-      rule: "Host(`staging.kovagoadi.hu`) || Host(`dev.kovagoadi.hu`)"
-      entryPoints:
-        - "https"
-      service: "dev-staging-secure"
-      priority: 100
-      tls: {} # <--- This enables TLS for this router
-
-  services:
-    dev-staging:
-      loadBalancer:
-        servers:
-          - url: "http://192.168.1.85:8080"
-          
-    dev-staging-secure:
-      loadBalancer:
-        servers:
-          # Note: Ensure Traefik trusts the cert at .85 or set insecureSkipVerify
-          - url: "https://192.168.1.85:445"

docker-compose.yaml

@@ -1,5 +1,5 @@
 services:
-  traefik:
+  traefik3:
     image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
     restart: unless-stopped
     security_opt:
@@ -8,19 +8,17 @@ services:
       - proxy
       - legacy-nginx
     command:
-      - "--log.level=DEBUG"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--providers.docker.network=proxy"
       - "--providers.docker.constraints=Label(`env`, `${ENV}`)"
       - "--entryPoints.web.address=:80"
       - "--entryPoints.https.address=:443"
-      - "--entryPoints.web.allowACMEByPass=${ACME_BYPASS}"
+      - "--entryPoints.web.allowACMEByPass=true"
       - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
       - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
       - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
       - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
-      - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}"
       - "${TRAEFIK_LEGACY_OPT:-}"
       - "--providers.file.watch=true"
     ports:
@@ -30,7 +28,7 @@ services:
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "letsencrypt:/letsencrypt"
-      - "./${ENV}:/etc/traefik"
+      - "./${ENV}/forward-to-legacy-nginx.yaml:/etc/traefik/forward-to-legacy-nginx.yaml"
 
   whoami:
     image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab"
@@ -40,14 +38,12 @@ services:
     labels:
       - "env=${ENV}"
       - "traefik.enable=true"
-      - "traefik.http.routers.whoami.priority=1000000"
+      - "traefik.http.routers.whoami.priority=10000"
       - "traefik.http.routers.whoami.rule=Host(`test-whoami.${DOMAIN}`)"
-      - "traefik.http.routers.https.priority=1000000"
       - "traefik.http.routers.https.rule=Host(`test-whoami.${DOMAIN}`)"
       - "traefik.http.routers.whoami.entrypoints=web"
       - traefik.http.routers.https.entrypoints=https
       - traefik.http.routers.https.tls=true
-      - traefik.http.routers.https.tls.certresolver=letsencrypt
 networks:
   proxy:
   legacy-nginx:

prod.env

@@ -4,5 +4,4 @@ ENV=prod
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
 DOMAIN=kovagoadi.hu
-ACME_BYPASS=true
-TRAEFIK_LEGACY_OPT="--providers.file.directory=/etc/traefik"
+TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"

prod/forward-to-legacy-nginx.yaml

@@ -9,7 +9,7 @@ tcp:
       # Passthrough must be true for SSL to reach Nginx encrypted
       tls:
         passthrough: true
-      priority: 10
+      priority: 1
       entryPoints:
         - "https"
 
@@ -23,20 +23,12 @@ tcp:
 
 http:
   routers:
-    # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
-    traefik-acme-handler:
-      rule: "Host(`test-whoami.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
-      entryPoints:
-        - "web"
-      service: "acme-http@internal" # This is the internal service name
-      priority: 1000                # High priority to ensure it wins
-
-    # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
+    # Router for HTTP
     nginx-legacy-router:
       rule: "HostRegexp(`^.+$`)"
       service: nginx-legacy-service
-      # Low priority ensures specific containers are handled first, but before the default acme-handler
-      priority: 90
+      # Low priority ensures specific containers are handled first
+      priority: 1
       entryPoints:
         - "web"
 

prod/route-to-staging-dev.yaml

@@ -1,30 +0,0 @@
-http:
-  routers:
-    # Router for HTTP (Port 80)
-    staging:
-      rule: "HostRegexp({subdomain:.+}.staging.kovagoadi.hu`) || Host(`staging.kovagoadi.hu`) || Host(`dev.kovagoadi.hu`)"
-      entryPoints:
-        - "web"
-      service: "dev-staging"
-      priority: 1_000_000
-
-    # Router for HTTPS (Port 443)
-    staging-secure:
-      rule: "Host(`staging.kovagoadi.hu`) || Host(`dev.kovagoadi.hu`)"
-      entryPoints:
-        - "https"
-      service: "dev-staging-secure"
-      priority: 100
-      tls: {} # <--- This enables TLS for this router
-
-  services:
-    dev-staging:
-      loadBalancer:
-        servers:
-          - url: "http://192.168.1.85:8080"
-          
-    dev-staging-secure:
-      loadBalancer:
-        servers:
-          # Note: Ensure Traefik trusts the cert at .85 or set insecureSkipVerify
-          - url: "https://192.168.1.85:445"

staging.env

@@ -4,5 +4,4 @@ ENV=staging
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
 DOMAIN=staging.kovagoadi.hu
-ACME_BYPASS=false
 TRAEFIK_LEGACY_OPT=