From e2c67a605fa80fa0397c4da17e13ee283010247b Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 11:13:23 +0100 Subject: [PATCH 01/26] Trying out this config --- docker-compose.yaml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index db7ae13..e0ede1d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -13,6 +13,15 @@ services: - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" + - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https + - --entryPoints=Name:https Address::443 TLS + - --defaultentrypoints=https,http + - --docker.watch=true + - --acme.email=kovagoadi@gmail.com + - --acme.storage=acme.json + - --acme.entryPoint=https + - --acme.onHostRule=true + - --acme.httpchallenge.entrypoint=http ports: - "${PORT}:80" - "8080" @@ -27,7 +36,7 @@ services: labels: - "env=${ENV}" - "traefik.enable=true" - - "traefik.http.routers.whoami.rule=Host(`whoami.docker.localhost`)" + - "traefik.http.routers.whoami.rule=Host(`test.staging.kovaogoadi.hu`)" - "traefik.http.routers.whoami.entrypoints=web" networks: proxy: -- 2.49.1 From 29ee2a8952ea8937be3a23d2beabebc8fe43748d Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 11:16:04 +0100 Subject: [PATCH 02/26] Removed storage --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index e0ede1d..ac149c4 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -18,7 +18,7 @@ services: - --defaultentrypoints=https,http - --docker.watch=true - --acme.email=kovagoadi@gmail.com - - --acme.storage=acme.json + # - --acme.storage=acme.json - --acme.entryPoint=https - --acme.onHostRule=true - --acme.httpchallenge.entrypoint=http -- 2.49.1 From 1fd5cf18d40a284c66bec3794a687b6f1c2f40c0 Mon Sep 17 00:00:00 2001 
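Review bot: The nine added `--entryPoints=Name:http Address::80 Redirect.EntryPoint:https` / `--acme.*` flags are Traefik v1 syntax, while the image is `traefik:v3.6` and the neighbouring `--entryPoints.web.address=:80` and `--providers.docker.*` flags are v3 syntax; v3 rejects flags it cannot map onto its static configuration, so as committed the proxy would most likely refuse to start rather than redirect to HTTPS. The v3 equivalents are `--entryPoints.websecure.address=:443`, `--entryPoints.web.http.redirections.entryPoint.to=websecure` and `--certificatesResolvers.<name>.acme.*`. Separately, `Host(`test.staging.kovaogoadi.hu`)` moves whoami to a public name but leaves it only on the plain `web` entrypoint, so the test service is reachable over cleartext, and `--acme.storage=acme.json` with no volume means keys would be lost on container replacement. The personal address in `--acme.email=` also belongs in the `.env` files rather than the committed compose file.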
From: kovagoadi Date: Tue, 25 Nov 2025 11:20:02 +0100 Subject: [PATCH 03/26] new config --- docker-compose.yaml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index ac149c4..d1b9dc7 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -16,12 +16,10 @@ services: - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https - --entryPoints=Name:https Address::443 TLS - --defaultentrypoints=https,http - - --docker.watch=true - - --acme.email=kovagoadi@gmail.com - # - --acme.storage=acme.json - - --acme.entryPoint=https - - --acme.onHostRule=true - - --acme.httpchallenge.entrypoint=http + - --certificatesresolvers.letsencrypt.acme.httpchallenge=true + - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http + - --certificatesresolvers.letsencrypt.acme.email=${EMAIL} + - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json ports: - "${PORT}:80" - "8080" -- 2.49.1 From 13677780c929791604bce91b79843097a5c8b6e7 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 11:22:42 +0100 Subject: [PATCH 04/26] removed bad flag --- docker-compose.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index d1b9dc7..2b5b735 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -15,7 +15,6 @@ services: - "--entryPoints.web.address=:80" - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https - --entryPoints=Name:https Address::443 TLS - - --defaultentrypoints=https,http - --certificatesresolvers.letsencrypt.acme.httpchallenge=true - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http - --certificatesresolvers.letsencrypt.acme.email=${EMAIL} -- 2.49.1 From 8c6b234336f34d77097acdaa2346969f1eb99233 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 11:25:46 +0100 Subject: [PATCH 05/26] add storage --- docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) 
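Review bot: `--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http` points the HTTP-01 challenge at an entrypoint that only exists in the v1-style `--entryPoints=Name:http ...` lines still present above it; the only v3 entrypoint defined is `web` (`--entryPoints.web.address=:80`), so once the v1 lines go the challenge has no valid entrypoint and no certificate is issued. I'd write `--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web`. Moving the address to `${EMAIL}` is the right direction, but Compose replaces an unset variable with an empty string (yielding `acme.email=`), so use `${EMAIL:?EMAIL must be set}` to fail fast.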
diff --git a/docker-compose.yaml b/docker-compose.yaml index 2b5b735..80b73d3 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -24,6 +24,7 @@ services: - "8080" volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" + - "./data/letsencrypt:/letsencrypt" whoami: image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab" -- 2.49.1 From 5935247afba1fced9668be1c17e4eb770a2f3332 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 11:27:29 +0100 Subject: [PATCH 06/26] Add entrypoint --- docker-compose.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 80b73d3..29c376b 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -13,8 +13,7 @@ services: - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" - - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https - - --entryPoints=Name:https Address::443 TLS + - "--entrypoints.https.address=:443" - --certificatesresolvers.letsencrypt.acme.httpchallenge=true - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http - --certificatesresolvers.letsencrypt.acme.email=${EMAIL} -- 2.49.1 From 0888e1e2247700869776f3a4ee0d239425acdb20 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 11:31:47 +0100 Subject: [PATCH 07/26] Changed entrypoint --- docker-compose.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 29c376b..18afaca 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
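Review bot: `./data/letsencrypt:/letsencrypt` bind-mounts the ACME store into the repository tree, and `acme.json` holds the ACME account private key plus the private key of every issued certificate; nothing in this series excludes `data/` from version control. Traefik also refuses to use an `acme.json` whose mode is wider than 0600 (it logs a "permissions ... are too open" error and will not issue), so the host directory and file need to be created with that mode before first start. I'd add a comment on the volume line: `# acme.json holds account + cert private keys: keep data/ out of git, chmod 600`.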
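Review bot: Replacing the v1 entrypoint lines with a bare `--entrypoints.https.address=:443` silently drops the HTTP-to-HTTPS redirect that the removed `Redirect.EntryPoint:https` expressed, so port 80 keeps serving routed applications in cleartext. In v3 the redirect is an entrypoint option: `--entryPoints.web.http.redirections.entryPoint.to=https` and `--entryPoints.web.http.redirections.entryPoint.scheme=https`. Traefik answers its own HTTP-01 challenges before routing, so the redirect does not break certificate issuance; if some backend behind this proxy still needs plain HTTP, scope the redirect with a per-router `redirectScheme` middleware instead of the global entrypoint option.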
@@ -13,9 +13,9 @@ services: - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" - - "--entrypoints.https.address=:443" + - "--entryPoints.https.address=:443" - --certificatesresolvers.letsencrypt.acme.httpchallenge=true - - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http + - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web - --certificatesresolvers.letsencrypt.acme.email=${EMAIL} - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json ports: -- 2.49.1 From 32db27f6fc16bff83256edf801f2105c03dfc49e Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 11:37:00 +0100 Subject: [PATCH 08/26] request CA --- docker-compose.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 18afaca..f164f32 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -16,7 +16,7 @@ services: - "--entryPoints.https.address=:443" - --certificatesresolvers.letsencrypt.acme.httpchallenge=true - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web - - --certificatesresolvers.letsencrypt.acme.email=${EMAIL} + - --certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json ports: - "${PORT}:80" @@ -33,7 +33,10 @@ services: labels: - "env=${ENV}" - "traefik.enable=true" - - "traefik.http.routers.whoami.rule=Host(`test.staging.kovaogoadi.hu`)" + - "traefik.http.routers.whoami.rule=Host(`test.staging.kovagoadi.hu`)" - "traefik.http.routers.whoami.entrypoints=web" + - traefik.http.routers.https.entrypoints=https + - traefik.http.routers.https.tls=true + - traefik.http.routers.https.tls.certresolver=letsencrypt networks: proxy: -- 2.49.1 From 6303a534e58150949d0823c24f6730f7017c7be9 Mon Sep 17 00:00:00 2001 
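Review bot: `--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com` writes a personal address back into the committed file one commit after it had been moved to `${EMAIL}`; the per-environment `.env` files this series adds are the natural place for it, and `${EMAIL:?}` keeps the compose file free of identity data while letting each environment register its own ACME account. In the labels hunk, the new TLS router is named `https` (`traefik.http.routers.https.*`), which is a provider-global name: any other container declaring a router called `https` yields conflicting definitions that Traefik drops with a warning, so a service-scoped name such as `whoami-secure` is safer. Note also that TLS is enabled only on the new router while the `whoami` router on `web` still serves the same backend in cleartext.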
From: kovagoadi Date: Tue, 25 Nov 2025 11:39:50 +0100 Subject: [PATCH 09/26] Add new host rule --- docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index f164f32..95d717d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -34,6 +34,7 @@ services: - "env=${ENV}" - "traefik.enable=true" - "traefik.http.routers.whoami.rule=Host(`test.staging.kovagoadi.hu`)" + - "traefik.http.routers.https.rule=Host(`test.staging.kovagoadi.hu`)" - "traefik.http.routers.whoami.entrypoints=web" - traefik.http.routers.https.entrypoints=https - traefik.http.routers.https.tls=true -- 2.49.1 From 8392dc278dd6fc63edf5c60a8c6221a6461e7a39 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 12:16:26 +0100 Subject: [PATCH 10/26] Added debugging messages --- docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index 95d717d..74fd71b 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -8,6 +8,7 @@ services: networks: - proxy command: + - --log.level=DEBUG - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=proxy" -- 2.49.1 From 53550de6b1ee3124414a132a71643161bfab1b94 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 14:24:24 +0100 Subject: [PATCH 11/26] Added https port --- docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index 74fd71b..26be6fa 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -21,6 +21,7 @@ services: - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json ports: - "${PORT}:80" + - "4443:80" - "8080" volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" -- 2.49.1 From 8d3566708097f95595bc86e282155d6e26c93ded Mon Sep 17 00:00:00 2001 
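Review bot: `--log.level=DEBUG` lands in the one command list shared by every environment, including the prod one this repo configures, and Traefik's debug level is considerably more verbose than INFO (per-request routing details, provider state) — not something to leave enabled on an internet-facing proxy. If it is needed to troubleshoot the ACME flow, gate it per environment, e.g. `- "--log.level=${TRAEFIK_LOG_LEVEL:-INFO}"` with the override set only in `dev.env`, or drop it before merge.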
From: kovagoadi Date: Tue, 25 Nov 2025 14:36:43 +0100 Subject: [PATCH 12/26] Fix port --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 26be6fa..d69a564 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -21,7 +21,7 @@ services: - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json ports: - "${PORT}:80" - - "4443:80" + - "4443:443" - "8080" volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" -- 2.49.1 From e894d4bd075f6f8ac46f0a6334e6f25dd1be9e28 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Tue, 25 Nov 2025 15:02:55 +0100 Subject: [PATCH 13/26] Commit changes --- docker-compose.yaml | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index d69a564..e1db4fb 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -41,5 +41,49 @@ services: - traefik.http.routers.https.entrypoints=https - traefik.http.routers.https.tls=true - traefik.http.routers.https.tls.certresolver=letsencrypt + catchall-shim: + image: traefik/whoami + labels: + - "traefik.enable=true" + + # ------------------------------------------------------- + # 1. HTTPS Handling (TCP Passthrough) -> Port 443 + # ------------------------------------------------------- + + # Use a TCP Router for Port 443 + - "traefik.tcp.routers.catchall-https.entrypoints=https" + + # Match Any Domain (Wildcard SNI) + - "traefik.tcp.routers.catchall-https.rule=HostSNI(`*`)" + + # CRITICAL: Passthrough = true + # Traefik will NOT decrypt. It passes the encrypted stream to Nginx. + - "traefik.tcp.routers.catchall-https.tls.passthrough=true" + + # Low priority so other specific routes in Traefik override this + # - "traefik.tcp.routers.catchall-https.priority=1" + + # Point to the Nginx service + - "traefik.tcp.routers.catchall-https.service=nginx-backend-secure" + + # Define the destination IP for HTTPS (Note: 'server.address', not 'url') + # Replace 192.168.1.100 with your Nginx IP + - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85:443" + - "env=${ENV}" + + + # ------------------------------------------------------- + # 2. HTTP Handling (Standard Proxy) -> Port 80 + # ------------------------------------------------------- + # Since HTTP is unencrypted, we can use a standard HTTP router. + # This forwards the request to Nginx port 80 (for Certbot challenges/redirects). + + - "traefik.http.routers.catchall-http.entrypoints=web" + - "traefik.http.routers.catchall-http.rule=PathPrefix(`/`)" + # - "traefik.http.routers.catchall-http.priority=1" + - "traefik.http.routers.catchall-http.service=nginx-backend-plain" + + # Define the destination IP for HTTP + - "traefik.http.services.nginx-backend-plain.loadbalancer.server.url=http://192.168.1.85:80" networks: proxy: -- 2.49.1 
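Review bot: `image: traefik/whoami` is unpinned while the whoami service a few lines above is pinned to a `@sha256:` digest; a mutable tag on a container that exists only to carry labels still pulls and runs whatever the registry serves, so pin it the same way (`image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab"`). On the TCP side, the Docker provider derives a service's backend address from the labelled container's own IP and, as far as I know, only recognises `loadbalancer.server.port`, so `traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85:443` is probably ignored and the passthrough would land on the whoami container rather than nginx — verify in the Traefik log. The service also declares no `networks: - proxy`, so with `--providers.docker.network=proxy` Traefik has no route to it, and the hard-coded LAN address belongs in the per-environment config rather than the shared compose file.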
From 2f5050bc676fe1cf072b4f0875fafb5d7629c460 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Thu, 27 Nov 2025 12:48:20 +0100 Subject: [PATCH 14/26] Moved config --- asd.yaml | 21 +++++++++++++ docker-compose.yaml | 73 ++++++++++++++++++++++++--------------------- 2 files changed, 60 insertions(+), 34 deletions(-) create mode 100644 asd.yaml diff --git a/asd.yaml b/asd.yaml new file mode 100644 index 0000000..4bb72ea --- /dev/null +++ b/asd.yaml @@ -0,0 +1,21 @@ +# ./traefik/dynamic_conf.yml + +tcp: + routers: + # Router for HTTPS (Passthrough) + nginx-secure-router: + rule: "HostSNI(`*`)" + service: nginx-secure-service + # Passthrough must be true for SSL to reach Nginx encrypted + tls: + passthrough: true + entryPoints: + - "https" + + services: + # Service defining the external IP + nginx-secure-service: + loadBalancer: + servers: + # This is the actual external IP and Port of your Nginx + - address: "192.168.1.85:443" diff --git a/docker-compose.yaml b/docker-compose.yaml index e1db4fb..2d2cd1c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -19,6 +19,8 @@ services: - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web - --certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json + - "--providers.file.filename=/etc/traefik/dynamic_conf.yml" + - "--providers.file.watch=true" ports: - "${PORT}:80" - "4443:443" @@ -26,6 +28,7 @@ services: volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" - "./data/letsencrypt:/letsencrypt" + - ./asd.yaml:/etc/traefik/dynamic_conf.yml whoami: image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab" 
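Review bot: The new file routes every TLS connection Traefik cannot match itself (`HostSNI(`*`)` with `passthrough: true`) to a hard-coded LAN address, which means any hostname pointed at this proxy now reaches the legacy nginx unauthenticated by Traefik; that is the stated intent, but the file is named `asd.yaml` and its header comment still says `./traefik/dynamic_conf.yml`. I'd rename it to describe its purpose and replace the header with a comment such as `# Catch-all: TLS connections for hosts Traefik does not serve itself are passed through, still encrypted, to the legacy nginx at 192.168.1.85:443`. The address should come from the per-environment config rather than being committed.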
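Review bot: `./asd.yaml:/etc/traefik/dynamic_conf.yml` is mounted read-write although Traefik only reads it (`--providers.file.watch=true` watches for changes, it never writes), so a compromised proxy process could rewrite its own routing on the host; mount it read-only like the docker socket above it: `- "./asd.yaml:/etc/traefik/dynamic_conf.yml:ro"`. If the host file is missing at start, Docker creates an empty directory at that path and the file provider will not be able to load it as `filename`, so the mount should be documented as required.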
@@ -41,49 +44,51 @@ services: - traefik.http.routers.https.entrypoints=https - traefik.http.routers.https.tls=true - traefik.http.routers.https.tls.certresolver=letsencrypt - catchall-shim: - image: traefik/whoami - labels: - - "traefik.enable=true" + # catchall-shim: + # image: traefik/whoami + # networks: + # - proxy + # labels: + # - "traefik.enable=true" - # ------------------------------------------------------- - # 1. HTTPS Handling (TCP Passthrough) -> Port 443 - # ------------------------------------------------------- + # # ------------------------------------------------------- + # # 1. HTTPS Handling (TCP Passthrough) -> Port 443 + # # ------------------------------------------------------- - # Use a TCP Router for Port 443 - - "traefik.tcp.routers.catchall-https.entrypoints=https" + # # Use a TCP Router for Port 443 + # - "traefik.tcp.routers.https.entrypoints=https" - # Match Any Domain (Wildcard SNI) - - "traefik.tcp.routers.catchall-https.rule=HostSNI(`*`)" + # # Match Any Domain (Wildcard SNI) + # - "traefik.tcp.routers.https.rule=HostSNI(`*`)" - # CRITICAL: Passthrough = true - # Traefik will NOT decrypt. It passes the encrypted stream to Nginx. - - "traefik.tcp.routers.catchall-https.tls.passthrough=true" + # # CRITICAL: Passthrough = true + # # Traefik will NOT decrypt. It passes the encrypted stream to Nginx. 
+ # - "traefik.tcp.routers.https.tls.passthrough=true" - # Low priority so other specific routes in Traefik override this - # - "traefik.tcp.routers.catchall-https.priority=1" + # # Low priority so other specific routes in Traefik override this + # - "traefik.tcp.routers.catchall-https.priority=1" - # Point to the Nginx service - - "traefik.tcp.routers.catchall-https.service=nginx-backend-secure" + # # Point to the Nginx service + # - "traefik.tcp.routers.https.service=nginx-backend-secure" - # Define the destination IP for HTTPS (Note: 'server.address', not 'url') - # Replace 192.168.1.100 with your Nginx IP - - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85:443" - - "env=${ENV}" + # # Define the destination IP for HTTPS (Note: 'server.address', not 'url') + # # Replace 192.168.1.100 with your Nginx IP + # - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85" + # - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.port=443" + # - "env=${ENV}" + # # ------------------------------------------------------- + # # 2. HTTP Handling (Standard Proxy) -> Port 80 + # # ------------------------------------------------------- + # # Since HTTP is unencrypted, we can use a standard HTTP router. + # # This forwards the request to Nginx port 80 (for Certbot challenges/redirects). - # ------------------------------------------------------- - # 2. HTTP Handling (Standard Proxy) -> Port 80 - # ------------------------------------------------------- - # Since HTTP is unencrypted, we can use a standard HTTP router. - # This forwards the request to Nginx port 80 (for Certbot challenges/redirects). 
+ # # - "traefik.http.routers.catchall-http.entrypoints=web" + # # - "traefik.http.routers.catchall-http.rule=PathPrefix(`/`)" + # # # - "traefik.http.routers.catchall-http.priority=1" + # # - "traefik.http.routers.catchall-http.service=nginx-backend-plain" - - "traefik.http.routers.catchall-http.entrypoints=web" - - "traefik.http.routers.catchall-http.rule=PathPrefix(`/`)" - # - "traefik.http.routers.catchall-http.priority=1" - - "traefik.http.routers.catchall-http.service=nginx-backend-plain" - - # Define the destination IP for HTTP - - "traefik.http.services.nginx-backend-plain.loadbalancer.server.url=http://192.168.1.85:80" + # # # Define the destination IP for HTTP + # # - "traefik.http.services.nginx-backend-plain.loadbalancer.server.url=http://192.168.1.85:80" networks: proxy: -- 2.49.1 From fff6ac43e41e7d1bdd81b14565df7d36923ffa23 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Thu, 27 Nov 2025 13:02:20 +0100 Subject: [PATCH 15/26] Small cleanup --- dev/forward-to-legacy-nginx.yaml | 21 +++++++++++ docker-compose.yaml | 60 ++++---------------------------- 2 files changed, 27 insertions(+), 54 deletions(-) create mode 100644 dev/forward-to-legacy-nginx.yaml diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml new file mode 100644 index 0000000..4bb72ea --- /dev/null +++ b/dev/forward-to-legacy-nginx.yaml @@ -0,0 +1,21 @@ +# ./traefik/dynamic_conf.yml + +tcp: + routers: + # Router for HTTPS (Passthrough) + nginx-secure-router: + rule: "HostSNI(`*`)" + service: nginx-secure-service + # Passthrough must be true for SSL to reach Nginx encrypted + tls: + passthrough: true + entryPoints: + - "https" + + services: + # Service defining the external IP + nginx-secure-service: + loadBalancer: + servers: + # This is the actual external IP and Port of your Nginx + - address: "192.168.1.85:443" diff --git a/docker-compose.yaml b/docker-compose.yaml index 2d2cd1c..d6511bc 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -1,25 +1,23 @@ services: traefik: image: "traefik:v3.6@sha256:aaf0f6185419a50c74651448c1a5bf4606bd2d2ddb7b8749eed505d55bf8b8ea" - # container_name: "traefik" restart: unless-stopped security_opt: - no-new-privileges:true networks: - proxy command: - - --log.level=DEBUG - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" - - --certificatesresolvers.letsencrypt.acme.httpchallenge=true - - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web - - --certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com - - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json - - "--providers.file.filename=/etc/traefik/dynamic_conf.yml" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + - "--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml" - "--providers.file.watch=true" ports: - "${PORT}:80" @@ -28,7 +26,7 @@ services: volumes: - "/var/run/docker.sock:/var/run/docker.sock:ro" - "./data/letsencrypt:/letsencrypt" - - ./asd.yaml:/etc/traefik/dynamic_conf.yml + - "./${ENV}/forward-to-legacy-nginx.yaml:/etc/traefik/forward-to-legacy-nginx.yaml" whoami: image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab" 
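Review bot: `./${ENV}/forward-to-legacy-nginx.yaml:/etc/traefik/forward-to-legacy-nginx.yaml` makes the routing file path depend on `${ENV}`, yet at this commit only `dev/` contains the file; for any other value Docker bind-mounts the missing path by creating an empty host directory, and the file provider cannot read a directory given as `--providers.file.filename`, so the proxy would presumably start without the legacy catch-all or fail — either way silently per environment. Guard the variable with `${ENV:?}` and either ship the file for every environment or switch to `--providers.file.directory` pointed at a per-env directory. The mount should also be `:ro`, matching the docker socket above it.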
@@ -44,51 +42,5 @@ services: - traefik.http.routers.https.entrypoints=https - traefik.http.routers.https.tls=true - traefik.http.routers.https.tls.certresolver=letsencrypt - # catchall-shim: - # image: traefik/whoami - # networks: - # - proxy - # labels: - # - "traefik.enable=true" - - # # ------------------------------------------------------- - # # 1. HTTPS Handling (TCP Passthrough) -> Port 443 - # # ------------------------------------------------------- - - # # Use a TCP Router for Port 443 - # - "traefik.tcp.routers.https.entrypoints=https" - - # # Match Any Domain (Wildcard SNI) - # - "traefik.tcp.routers.https.rule=HostSNI(`*`)" - - # # CRITICAL: Passthrough = true - # # Traefik will NOT decrypt. It passes the encrypted stream to Nginx. - # - "traefik.tcp.routers.https.tls.passthrough=true" - - # # Low priority so other specific routes in Traefik override this - # - "traefik.tcp.routers.catchall-https.priority=1" - - # # Point to the Nginx service - # - "traefik.tcp.routers.https.service=nginx-backend-secure" - - # # Define the destination IP for HTTPS (Note: 'server.address', not 'url') - # # Replace 192.168.1.100 with your Nginx IP - # - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.address=192.168.1.85" - # - "traefik.tcp.services.nginx-backend-secure.loadbalancer.server.port=443" - # - "env=${ENV}" - - # # ------------------------------------------------------- - # # 2. HTTP Handling (Standard Proxy) -> Port 80 - # # ------------------------------------------------------- - # # Since HTTP is unencrypted, we can use a standard HTTP router. - # # This forwards the request to Nginx port 80 (for Certbot challenges/redirects). 
- - # # - "traefik.http.routers.catchall-http.entrypoints=web" - # # - "traefik.http.routers.catchall-http.rule=PathPrefix(`/`)" - # # # - "traefik.http.routers.catchall-http.priority=1" - # # - "traefik.http.routers.catchall-http.service=nginx-backend-plain" - - # # # Define the destination IP for HTTP - # # - "traefik.http.services.nginx-backend-plain.loadbalancer.server.url=http://192.168.1.85:80" networks: proxy: -- 2.49.1 From a88f824e69ff62307fc08caf5adbf7f2244fd872 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Thu, 27 Nov 2025 13:17:47 +0100 Subject: [PATCH 16/26] Added legacy-nginx network --- asd.yaml | 21 --------------------- dev/forward-to-legacy-nginx.yaml | 10 +++++----- docker-compose.yaml | 6 +++++- 3 files changed, 10 insertions(+), 27 deletions(-) delete mode 100644 asd.yaml diff --git a/asd.yaml b/asd.yaml deleted file mode 100644 index 4bb72ea..0000000 --- a/asd.yaml +++ /dev/null @@ -1,21 +0,0 @@ -# ./traefik/dynamic_conf.yml - -tcp: - routers: - # Router for HTTPS (Passthrough) - nginx-secure-router: - rule: "HostSNI(`*`)" - service: nginx-secure-service - # Passthrough must be true for SSL to reach Nginx encrypted - tls: - passthrough: true - entryPoints: - - "https" - - services: - # Service defining the external IP - nginx-secure-service: - loadBalancer: - servers: - # This is the actual external IP and Port of your Nginx - - address: "192.168.1.85:443" diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 4bb72ea..4852ec7 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -1,11 +1,11 @@ -# ./traefik/dynamic_conf.yml +# ./traefik/forward-to-legacy-nginx.yml tcp: routers: # Router for HTTPS (Passthrough) - nginx-secure-router: + nginx-legacy-router: rule: "HostSNI(`*`)" - service: nginx-secure-service + service: nginx-legacy-service # Passthrough must be true for SSL to reach Nginx encrypted tls: passthrough: true 
@@ -14,8 +14,8 @@ tcp: services: # Service defining the external IP - nginx-secure-service: + nginx-legacy-service: loadBalancer: servers: # This is the actual external IP and Port of your Nginx - - address: "192.168.1.85:443" + - address: "webserver:443" diff --git a/docker-compose.yaml b/docker-compose.yaml index d6511bc..3ecd04c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -6,6 +6,7 @@ services: - no-new-privileges:true networks: - proxy + - legacy-nginx command: - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" @@ -43,4 +44,7 @@ services: - traefik.http.routers.https.tls=true - traefik.http.routers.https.tls.certresolver=letsencrypt networks: - proxy: + proxy: + legacy-nginx: + name: proxy + external: true -- 2.49.1 From 0a87dad19eee1bbd03d9dd5774c6a4f4ccdfcab0 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Thu, 27 Nov 2025 13:24:03 +0100 Subject: [PATCH 17/26] Added http rule --- dev/forward-to-legacy-nginx.yaml | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 4852ec7..3721d14 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml 
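Review bot: The new `legacy-nginx` network is declared as `name: proxy`, `external: true`, the same word as the Compose-managed `proxy` network defined one line above it (which Compose creates as `<project>_proxy`) and as the `--providers.docker.network=proxy` value that tells Traefik which network to dial backends on; two different networks both called "proxy" make it unclear which one the provider setting refers to and will trip the next reader. Naming the external network after the legacy stack (`name: legacy-nginx`) and adding `# external network of the legacy nginx stack; 'webserver' is its DNS alias there` would make the dependency explicit. Attaching Traefik to that network also gives it layer-3 reach to every container on it, not just `webserver`, which is worth stating in the same comment.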
@@ -5,17 +5,35 @@ tcp:
 # Router for HTTPS (Passthrough)
 nginx-legacy-router:
 rule: "HostSNI(`*`)"
- service: nginx-legacy-service
+ service: nginx-legacy-service-secure
 # Passthrough must be true for SSL to reach Nginx encrypted
 tls:
 passthrough: true
+ priority: 1
 entryPoints:
 - "https"
 services:
 # Service defining the external IP
- nginx-legacy-service:
+ nginx-legacy-service-secure:
 loadBalancer:
 servers:
 # This is the actual external IP and Port of your Nginx
 - address: "webserver:443"
+
+http:
+ routers:
+ # Router for HTTP
+ nginx-legacy-router:
+ rule: "HostRegexp(`^.+$`)"
+ service: nginx-legacy-service
+ # Low priority ensures specific containers are handled first
+ priority: 1
+ entryPoints:
+ - "http"
+
+ services:
+ nginx-legacy-service:
+ loadBalancer:
+ servers:
+ - url: "http://webserver:80"
\ No newline at end of file
-- 
2.49.1
From 3df8175369e542688fa42c15f7e4722143df0bfd Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 13:31:24 +0100
Subject: [PATCH 18/26] Fix bug
---
 dev/forward-to-legacy-nginx.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index 3721d14..2338d1a 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -30,7 +30,7 @@ http:
 # Low priority ensures specific containers are handled first
 priority: 1
 entryPoints:
- - "http"
+ - "web"
 services:
 nginx-legacy-service:
-- 
2.49.1
From 3d08166b30bb7c21e75bb714df18edfa7988ae0a Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 13:36:57 +0100
Subject: [PATCH 19/26] Renamed router
---
 dev/forward-to-legacy-nginx.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index 2338d1a..a51e851 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
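Review bot: The TCP `HostSNI(`*`)` router now carries `passthrough: true` with `priority: 1` on the same `https` entrypoint where Traefik terminates TLS for `test-whoami`; Traefik is documented to prefer a matching HTTPS router over a TCP catch-all, but that ordering has changed between releases, so verify on v3.6 that the whoami hostname still terminates at Traefik — otherwise its SNI is handed to nginx, which has no certificate for it, and Traefik's ACME TLS-ALPN path would be bypassed too. The HTTP router added below routes on `entryPoints: - "http"`, but the compose file defines only `web` and `https`, so Traefik will log an unknown-entrypoint error and the plain-HTTP catch-all is never active; it should read `- "web"`. The file also ends without a trailing newline (`\ No newline at end of file`).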
@@ -3,7 +3,7 @@
 tcp:
 routers:
 # Router for HTTPS (Passthrough)
- nginx-legacy-router:
+ nginx-legacy-router-secure:
 rule: "HostSNI(`*`)"
 service: nginx-legacy-service-secure
 # Passthrough must be true for SSL to reach Nginx encrypted
-- 
2.49.1
From 7eb2ca3e5222fc58faf591c6dfa4e610ca21bfaa Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 14:10:24 +0100
Subject: [PATCH 20/26] Added custom CA_RESOLVER for ENV's
---
 dev.env | 3 ++-
 docker-compose.yaml | 1 +
 prod.env | 3 ++-
 staging.env | 3 ++-
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/dev.env b/dev.env
index 3ec5165..2c74377 100644
--- a/dev.env
+++ b/dev.env
@@ -1,3 +1,4 @@
 PORT=898
 ENV=dev
-NETWORK_NAME=proxy
\ No newline at end of file
+NETWORK_NAME=proxy
+CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 3ecd04c..0bd40c1 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -18,6 +18,7 @@ services:
 - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
 - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
 - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+ - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}"
 - "--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
 - "--providers.file.watch=true"
 ports:
diff --git a/prod.env b/prod.env
index 571feb7..731d5de 100644
--- a/prod.env
+++ b/prod.env
@@ -1,3 +1,4 @@
 PORT=81
 ENV=prod
-NETWORK_NAME=proxy
\ No newline at end of file
+NETWORK_NAME=proxy
+CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
\ No newline at end of file
diff --git a/staging.env b/staging.env
index dc09e47..da0fddc 100644
--- a/staging.env
+++ b/staging.env
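Review bot: `--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}` has no guard, so an `.env` without the variable makes Compose substitute an empty string and the flag becomes `caServer=`; I have not checked whether Traefik then errors out or falls back to the production Let's Encrypt endpoint and burns against its rate limits, and neither is acceptable silently — use `${CERTBOT_CA_RESOLVER:?}`. The name is also misleading (this is Traefik's ACME directory URL, not certbot and not a resolver); `ACME_CA_SERVER` matches the flag it feeds. Worth a comment that the `acme.json` in `./data/letsencrypt` is bound to the CA it was created against, so switching an environment between the staging and production URLs requires deleting that file.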
@@ -1,3 +1,4 @@
 PORT=8080
 ENV=staging
-NETWORK_NAME=proxy
\ No newline at end of file
+NETWORK_NAME=proxy
+CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
\ No newline at end of file
-- 
2.49.1
From 3e37209df177f0314e7056d0989591f6325f6e6a Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 23:27:34 +0100
Subject: [PATCH 21/26] Removed hardcoded value
---
 docker-compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 0bd40c1..acb57b6 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -38,8 +38,8 @@ services:
 labels:
 - "env=${ENV}"
 - "traefik.enable=true"
- - "traefik.http.routers.whoami.rule=Host(`test.staging.kovagoadi.hu`)"
- - "traefik.http.routers.https.rule=Host(`test.staging.kovagoadi.hu`)"
+ - "traefik.http.routers.whoami.rule=Host(`test-whoami.${DOMAIN}`)"
+ - "traefik.http.routers.https.rule=Host(`test-whoami.${DOMAIN}`)"
 - "traefik.http.routers.whoami.entrypoints=web"
 - traefik.http.routers.https.entrypoints=https
 - traefik.http.routers.https.tls=true
-- 
2.49.1
From 1180109ce4793e77f932bb0c28a73db24017947d Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 23:31:31 +0100
Subject: [PATCH 22/26] Added missing files
---
 dev.env | 3 ++-
 prod.env | 3 ++-
 staging.env | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/dev.env b/dev.env
index 2c74377..6aaa8b3 100644
--- a/dev.env
+++ b/dev.env
@@ -1,4 +1,5 @@
 PORT=898
 ENV=dev
 NETWORK_NAME=proxy
-CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
\ No newline at end of file
+CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
+DOMAIN=dev.kovagoadi.hu
\ No newline at end of file
diff --git a/prod.env b/prod.env
index 731d5de..015a656 100644
--- a/prod.env
+++ b/prod.env
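Review bot: `Host(`test-whoami.${DOMAIN}`)` is interpolated by Compose with no default or required-marker, so a missing `DOMAIN` yields `Host(`test-whoami.`)` — a rule that is either rejected or never matches, while the cleartext `whoami` router on `web` is still published. Use `${DOMAIN:?DOMAIN must be set}` in both rule lines so the stack refuses to start instead. With the rule now shared by both routers, note that the `web` and `https` routers still expose the same backend in cleartext and TLS respectively; if the intent is HTTPS-only, drop the `web` router or redirect it.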
@@ -1,4 +1,5 @@
 PORT=81
 ENV=prod
 NETWORK_NAME=proxy
-CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
\ No newline at end of file
+CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
+DOMAIN=kovagoadi.hu
\ No newline at end of file
diff --git a/staging.env b/staging.env
index da0fddc..5c5857c 100644
--- a/staging.env
+++ b/staging.env
@@ -1,4 +1,5 @@
 PORT=8080
 ENV=staging
 NETWORK_NAME=proxy
-CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
\ No newline at end of file
+CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
+DOMAIN=staging.kovagoadi.hu
\ No newline at end of file
-- 2.49.1
From cdb1d09ecb0b1008c17431b03d4959bf3357841d Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 23:37:30 +0100
Subject: [PATCH 23/26] Last things to do before merge
---
 docker-compose.yaml | 2 +-
 {dev => prod}/forward-to-legacy-nginx.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename {dev => prod}/forward-to-legacy-nginx.yaml (95%)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index acb57b6..4844bab 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -45,7 +45,7 @@ services:
 - traefik.http.routers.https.tls=true
 - traefik.http.routers.https.tls.certresolver=letsencrypt
 networks:
- proxy:
+ proxy:
 legacy-nginx:
 name: proxy
 external: true
diff --git a/dev/forward-to-legacy-nginx.yaml b/prod/forward-to-legacy-nginx.yaml
similarity index 95%
rename from dev/forward-to-legacy-nginx.yaml
rename to prod/forward-to-legacy-nginx.yaml
index a51e851..e184fe0 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/prod/forward-to-legacy-nginx.yaml
@@ -1,4 +1,4 @@
-# ./traefik/forward-to-legacy-nginx.yml
+# ./traefik/forward-to-legacy-nginx.yaml
 tcp:
 routers:
-- 2.49.1
From 5c942651f59d6cce0a300f46ef5bc0ffb32a267c Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 23:40:49 +0100
Subject: [PATCH 24/26] Added dummy file
---
 dev/forward-to-legacy-nginx.yaml | 1 +
 staging/forward-to-legacy-nginx.yaml | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 dev/forward-to-legacy-nginx.yaml
 create mode 100644 staging/forward-to-legacy-nginx.yaml
diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
new file mode 100644
index 0000000..918e308
--- /dev/null
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -0,0 +1 @@
+# ./traefik/forward-to-legacy-nginx.yaml
diff --git a/staging/forward-to-legacy-nginx.yaml b/staging/forward-to-legacy-nginx.yaml
new file mode 100644
index 0000000..918e308
--- /dev/null
+++ b/staging/forward-to-legacy-nginx.yaml
@@ -0,0 +1 @@
+# ./traefik/forward-to-legacy-nginx.yaml
-- 2.49.1
From 9a3833f84384b68361e84751a4fda987bb54e803 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 23:46:36 +0100
Subject: [PATCH 25/26] Moved to seperate variable
---
 dev.env | 3 ++-
 dev/forward-to-legacy-nginx.yaml | 1 -
 docker-compose.yaml | 2 +-
 prod.env | 3 ++-
 staging.env | 3 ++-
 staging/forward-to-legacy-nginx.yaml | 1 -
 6 files changed, 7 insertions(+), 6 deletions(-)
 delete mode 100644 dev/forward-to-legacy-nginx.yaml
 delete mode 100644 staging/forward-to-legacy-nginx.yaml
diff --git a/dev.env b/dev.env
index 6aaa8b3..61e4c46 100644
--- a/dev.env
+++ b/dev.env
@@ -2,4 +2,5 @@ PORT=898
 ENV=dev
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
-DOMAIN=dev.kovagoadi.hu
\ No newline at end of file
+DOMAIN=dev.kovagoadi.hu
+TRAEFIK_LEGACY_OPT=
\ No newline at end of file
diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
deleted file mode 100644
index 918e308..0000000
--- a/dev/forward-to-legacy-nginx.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# ./traefik/forward-to-legacy-nginx.yaml
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 4844bab..fd5fc9b 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -19,7 +19,7 @@ services:
 - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
 - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
 - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}"
- - "--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
+ - "${TRAEFIK_LEGACY_OPT:-}"
 - "--providers.file.watch=true"
 ports:
 - "${PORT}:80"
diff --git a/prod.env b/prod.env
index 015a656..ad905e1 100644
--- a/prod.env
+++ b/prod.env
@@ -2,4 +2,5 @@ PORT=81
 ENV=prod
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
-DOMAIN=kovagoadi.hu
\ No newline at end of file
+DOMAIN=kovagoadi.hu
+TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
diff --git a/staging.env b/staging.env
index 5c5857c..aa3bb60 100644
--- a/staging.env
+++ b/staging.env
@@ -2,4 +2,5 @@ PORT=8080
 ENV=staging
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
-DOMAIN=staging.kovagoadi.hu
\ No newline at end of file
+DOMAIN=staging.kovagoadi.hu
+TRAEFIK_LEGACY_OPT=
\ No newline at end of file
diff --git a/staging/forward-to-legacy-nginx.yaml b/staging/forward-to-legacy-nginx.yaml
deleted file mode 100644
index 918e308..0000000
--- a/staging/forward-to-legacy-nginx.yaml
+++ /dev/null
@@ -1 +0,0 @@
-# ./traefik/forward-to-legacy-nginx.yaml
-- 2.49.1
From 2cf1ca0165531cc95be40a4979c320b9031e5f19 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Thu, 27 Nov 2025 23:51:34 +0100
Subject: [PATCH 26/26] Added seperate HTTPS_PORT variable
---
 dev.env | 1 +
 docker-compose.yaml | 2 +-
 prod.env | 1 +
 staging.env | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/dev.env b/dev.env
index 61e4c46..e42f23f 100644
--- a/dev.env
+++ b/dev.env
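Review bot: `- "${TRAEFIK_LEGACY_OPT:-}"` in the docker-compose.yaml hunk expands to an empty string whenever the variable is empty, which is exactly what dev.env and staging.env now set, and Compose keeps that empty item in `command`, so Traefik is started with a bare `""` argument that its flag parser is unlikely to accept. A less fragile shape is to keep `--providers.file.filename=...` together with `--providers.file.watch=true` in a prod-only override file (for example a `docker-compose.prod.yaml` passed with `-f`) and leave the base `command` free of placeholders; as written, `--providers.file.watch=true` also remains in dev/staging with no file to watch. The prod.env value is wrapped in double quotes, and whether Compose strips them depends on the .env parsing behaviour of the Compose version in use, so the rendered arguments should be confirmed with `docker compose config` before merging. The `command` list continues outside the hunk.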
@@ -1,4 +1,5 @@
 PORT=898
+HTTPS_PORT=446
 ENV=dev
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
diff --git a/docker-compose.yaml b/docker-compose.yaml
index fd5fc9b..b2848ae 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -23,7 +23,7 @@ services:
 - "--providers.file.watch=true"
 ports:
 - "${PORT}:80"
- - "4443:443"
+ - "${HTTPS_PORT}:443"
 - "8080"
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
diff --git a/prod.env b/prod.env
index ad905e1..186c79a 100644
--- a/prod.env
+++ b/prod.env
@@ -1,4 +1,5 @@
 PORT=81
+HTTPS_PORT=444
 ENV=prod
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
diff --git a/staging.env b/staging.env
index aa3bb60..38ab2dc 100644
--- a/staging.env
+++ b/staging.env
@@ -1,4 +1,5 @@
 PORT=8080
+HTTPS_PORT=445
 ENV=staging
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
-- 2.49.1
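Review bot: The HTTP side that `"${HTTPS_PORT}:443"` pairs with is what certificate issuance depends on: `--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web` in the earlier docker-compose.yaml hunks requires the CA to reach `${DOMAIN}` on TCP port 80, yet `web` is published as `"${PORT}:80"` with `PORT` set to 898, 81 and 8080 in the three .env files. Unless something outside this repository forwards port 80 to `${PORT}`, the HTTP-01 challenge will fail and the `https` entrypoint exposed by this change will have no issued certificate; a comment next to the `ports` list naming that external forwarding assumption would make the dependency visible. `${HTTPS_PORT:?HTTPS_PORT is not set}` would also surface a missing variable at `docker compose up` instead of as an ambiguous `:443` mapping. The enclosing service definition continues outside the hunk.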