From 5d5d7e783ac7cb034e916b0af0d3a9a5c7028771 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 19:36:05 +0100 Subject: [PATCH 01/40] Setup env --- dev.env | 2 +- dev/forward-to-legacy-nginx.yaml | 39 ++++++++++++++++++++++++++++++++ docker-compose.yaml | 4 ++++ 3 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 dev/forward-to-legacy-nginx.yaml diff --git a/dev.env b/dev.env index e42f23f..d64700d 100644 --- a/dev.env +++ b/dev.env @@ -4,4 +4,4 @@ ENV=dev NETWORK_NAME=proxy CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory DOMAIN=dev.kovagoadi.hu -TRAEFIK_LEGACY_OPT= \ No newline at end of file +TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml" \ No newline at end of file diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml new file mode 100644 index 0000000..e184fe0 --- /dev/null +++ b/dev/forward-to-legacy-nginx.yaml @@ -0,0 +1,39 @@ +# ./traefik/forward-to-legacy-nginx.yaml + +tcp: + routers: + # Router for HTTPS (Passthrough) + nginx-legacy-router-secure: + rule: "HostSNI(`*`)" + service: nginx-legacy-service-secure + # Passthrough must be true for SSL to reach Nginx encrypted + tls: + passthrough: true + priority: 1 + entryPoints: + - "https" + + services: + # Service defining the external IP + nginx-legacy-service-secure: + loadBalancer: + servers: + # This is the actual external IP and Port of your Nginx + - address: "webserver:443" + +http: + routers: + # Router for HTTP + nginx-legacy-router: + rule: "HostRegexp(`^.+$`)" + service: nginx-legacy-service + # Low priority ensures specific containers are handled first + priority: 1 + entryPoints: + - "web" + + services: + nginx-legacy-service: + loadBalancer: + servers: + - url: "http://webserver:80" \ No newline at end of file diff --git a/docker-compose.yaml b/docker-compose.yaml index ec912a7..52c1850 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
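Review bot: The comments in the new dev/forward-to-legacy-nginx.yaml contradict the values beside them: the header names `./traefik/forward-to-legacy-nginx.yaml` while the file is committed at `dev/forward-to-legacy-nginx.yaml` and referenced as `/etc/traefik/forward-to-legacy-nginx.yaml` by the new `TRAEFIK_LEGACY_OPT` in dev.env, and `# This is the actual external IP and Port of your Nginx` sits above `address: "webserver:443"`, which is a Docker service name resolved on the shared network, not an external IP. I would replace the header with `# dev/forward-to-legacy-nginx.yaml - Traefik dynamic configuration (file provider), loaded from /etc/traefik/forward-to-legacy-nginx.yaml` and the service comment with `# legacy nginx container, reached by service name on the shared proxy network`. Both routers rely on `priority: 1` being the lowest value so that any explicitly routed container wins; since Traefik's default router priority is the rule length, that deserves a comment such as `# priority 1 = lowest: every explicitly routed container takes precedence`. Both new files also end without a trailing newline.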
@@ -6,6 +6,7 @@ services: - no-new-privileges:true networks: - proxy + - legacy-nginx command: - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" @@ -45,5 +46,8 @@ services: - traefik.http.routers.https.tls.certresolver=letsencrypt networks: proxy: + legacy-nginx: + name: proxy + external: true volumes: letsencrypt: \ No newline at end of file -- 2.49.1 From 860f4333e12f8c6902f094a69d1ab7b8ae7f730c Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 19:53:51 +0100 Subject: [PATCH 02/40] Testing new config --- dev/forward-to-legacy-nginx.yaml | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index e184fe0..78134c1 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -1,5 +1,10 @@ # ./traefik/forward-to-legacy-nginx.yaml +entryPoints: + web: + # Essential: Allows your routers to intercept /.well-known/acme-challenge/ + allowACMEByPass: true + tcp: routers: # Router for HTTPS (Passthrough) 
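Review bot: The new top-level `legacy-nginx` network with `name: proxy` and `external: true` refers to the Docker network literally named `proxy`, while the service stays attached to the Compose-managed `proxy:` as well (its key has no body in the second hunk, so it is a project-prefixed network, not the same external one) and `--providers.docker.network=proxy` selects container addresses by that name. The Traefik container therefore joins two different networks with near-identical names, and which one the Docker provider and the whoami container end up on depends on the project name, which is not visible here. If one shared network is intended, a single entry is enough: `proxy:` with `name: ${NETWORK_NAME:-proxy}` and `external: true` (dev.env already defines `NETWORK_NAME`), and the extra `- legacy-nginx` attachment can go.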
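Review bot: `entryPoints.web.allowACMEByPass: true` at the top of dev/forward-to-legacy-nginx.yaml is static configuration, but this file is loaded through `--providers.file.filename` (dev.env), and the file provider only processes dynamic configuration (`http`, `tcp`, `tls`), so the key is not honoured there and, as far as I know, Traefik rejects a dynamic file containing unknown top-level fields, which would also take the two legacy routers down; the `# Essential:` comment over-promises as a result. The option belongs next to the other entrypoint flags in the Traefik `command:` list as `- "--entryPoints.web.allowACMEByPass=true"`. The same applies to the `address:`/`https:` entrypoint keys and the `certificatesResolvers:` block that PATCH 03, 04, 07, 15, 16 and 19 add to or re-enable in this file; PATCH 03's own `# static configuration (traefik.yml)` comment names the problem.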
@@ -23,14 +28,24 @@ tcp: http: routers: - # Router for HTTP + # 1. ROUTE FOR TRAEFIK-MANAGED DOMAINS + # For domains Traefik should handle, send challenges to the internal ACME service. + traefik-acme-handler: + rule: "Host(`test-whoami.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)" + entryPoints: + - "web" + service: "acme-http@internal" # This is the internal service name + priority: 1000 # High priority to ensure it wins + + # 2. THE CATCH-ALL ROUTER (LEGACY) + # This remains your broad catch-all. Since it has lower priority, + # the one above handles the Traefik domains, and everything else hits this. nginx-legacy-router: rule: "HostRegexp(`^.+$`)" service: nginx-legacy-service - # Low priority ensures specific containers are handled first - priority: 1 entryPoints: - "web" + priority: 1 # Will catch ACME for any domain NOT listed in the handler above services: nginx-legacy-service: -- 2.49.1 From e039bfed6dd5e5b0b45574c27ba75cac4788f947 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 20:17:12 +0100 Subject: [PATCH 03/40] Trying this config --- dev/forward-to-legacy-nginx.yaml | 8 ++++++-- docker-compose.yaml | 1 - 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 78134c1..2b0b88c 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -1,9 +1,13 @@ # ./traefik/forward-to-legacy-nginx.yaml + +# static configuration (traefik.yml) entryPoints: web: - # Essential: Allows your routers to intercept /.well-known/acme-challenge/ - allowACMEByPass: true + address: ":80" # or :898 in your case + allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS + + tcp: routers: diff --git a/docker-compose.yaml b/docker-compose.yaml index af11734..596ae0f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -12,7 +12,6 @@ services: - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" -- 2.49.1 From 3ac0b176992c74f3fdf51e5abe4bf441e9905e5a Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 20:23:06 +0100 Subject: [PATCH 04/40] Moved certificateResolver --- dev/forward-to-legacy-nginx.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 2b0b88c..9f45428 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -7,7 +7,13 @@ entryPoints: address: ":80" # or :898 in your case allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS - +certificatesResolvers: + myresolver: + acme: + email: "kovagoadi@gmail.com" + storage: "acme.json" + httpChallenge: + entryPoint: web tcp: routers: -- 2.49.1 From 2795ca9465ef3f3de49e5399ca8a7a0cf68e029e Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 20:25:51 +0100 Subject: [PATCH 05/40] Removed certificateresolver --- docker-compose.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 596ae0f..11e9d9c 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
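Review bot: Dropping `--entryPoints.web.address=:80` from the `command:` list leaves `--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web` and every router bound to `web` (the file's `entryPoints: - "web"` and the whoami `entrypoints=web` label) pointing at an entrypoint that no longer exists; the `address: ":80"` added to dev/forward-to-legacy-nginx.yaml in the same commit cannot stand in for it because that file is read by the file provider, not as static configuration. Keep the flag: `- "--entryPoints.web.address=:80"`. PATCH 06 restores it, so the series has a window in which port 80 is published under `ports:` but nothing named `web` listens on it.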
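Review bot: The `certificatesResolvers` block moved into dev/forward-to-legacy-nginx.yaml loses two settings the command-line version had: there is no `caServer`, so the resolver would talk to the production Let's Encrypt endpoint instead of the staging directory that dev.env supplies via `CERTBOT_CA_RESOLVER`, and every test run would count against production rate limits; and `storage: "acme.json"` is a path relative to the container's working directory rather than the `/letsencrypt/acme.json` volume, so the account key and issued certificates would not survive a recreate. Wherever the block ends up, it needs the staging `caServer` value carried along and `storage: "/letsencrypt/acme.json"`. Independently, `certificatesResolvers` is static configuration and is not processed by the file provider that loads this file.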
@@ -13,11 +13,11 @@ services: - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.https.address=:443" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From 095267f415776e9b2e64b57a3220e811510382bb Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 20:33:39 +0100 Subject: [PATCH 06/40] Fix entrypoints --- docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index 11e9d9c..8b1bd5b 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -13,6 +13,7 @@ services: - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.https.address=:443" + - "--entryPoints.web.address=:80" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" -- 2.49.1 From a370df9f82b9cf50c0e9d509682898b477705959 Mon Sep 17 00:00:00 2001 
From: kovagoadi Date: Fri, 19 Dec 2025 20:37:08 +0100 Subject: [PATCH 07/40] Unified config --- dev/forward-to-legacy-nginx.yaml | 2 +- docker-compose.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 9f45428..7235573 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -8,7 +8,7 @@ entryPoints: allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS certificatesResolvers: - myresolver: + letsencrypt: acme: email: "kovagoadi@gmail.com" storage: "acme.json" diff --git a/docker-compose.yaml b/docker-compose.yaml index 8b1bd5b..c594027 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -13,7 +13,7 @@ services: - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.https.address=:443" - - "--entryPoints.web.address=:80" + # - "--entryPoints.web.address=:80" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" -- 2.49.1 From 51cb58e1857704280f90f063bb883631e8ffd076 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 20:40:48 +0100 Subject: [PATCH 08/40] Fix entrypoint --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index c594027..8b1bd5b 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -13,7 +13,7 @@ services: - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.https.address=:443" - # - "--entryPoints.web.address=:80" + - "--entryPoints.web.address=:80" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" -- 2.49.1 From 65f7a680f48d6468968cef01cfac372d74807961 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 20:43:55 +0100 Subject: [PATCH 09/40] Uncommented certificateresolver --- docker-compose.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 8b1bd5b..ad20848 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -14,11 +14,11 @@ services: - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.https.address=:443" - "--entryPoints.web.address=:80" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From 324177e3573528838c1a90b62ca8993069168352 Mon Sep 17 00:00:00 2001 
From: kovagoadi Date: Fri, 19 Dec 2025 20:50:38 +0100 Subject: [PATCH 10/40] Small changes --- dev/forward-to-legacy-nginx.yaml | 2 +- docker-compose.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 7235573..d904ddb 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -41,7 +41,7 @@ http: # 1. ROUTE FOR TRAEFIK-MANAGED DOMAINS # For domains Traefik should handle, send challenges to the internal ACME service. traefik-acme-handler: - rule: "Host(`test-whoami.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)" + rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)" entryPoints: - "web" service: "acme-http@internal" # This is the internal service name diff --git a/docker-compose.yaml b/docker-compose.yaml index ad20848..af11734 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -12,8 +12,8 @@ services: - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - - "--entryPoints.https.address=:443" - "--entryPoints.web.address=:80" + - "--entryPoints.https.address=:443" - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" -- 2.49.1 From a63d3c93c7cb5b227543e2f195441c80b0827de5 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:00:18 +0100 Subject: [PATCH 11/40] Redo stuff --- docker-compose.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index af11734..74b2214 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -14,11 +14,11 @@ services: - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From 2a5e27896d5060c67599da7d67484e3bd551872f Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:04:58 +0100 Subject: [PATCH 12/40] Trying new config --- dev/forward-to-legacy-nginx.yaml | 14 +++++++------- docker-compose.yaml | 10 +++++----- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index d904ddb..830a781 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -7,13 +7,13 @@ entryPoints: address: ":80" # or :898 in your case allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS -certificatesResolvers: - letsencrypt: - acme: - email: "kovagoadi@gmail.com" - storage: "acme.json" - httpChallenge: - entryPoint: web +# certificatesResolvers: +# letsencrypt: +# acme: +# email: "kovagoadi@gmail.com" +# storage: "acme.json" +# httpChallenge: +# entryPoint: web tcp: routers: diff --git a/docker-compose.yaml b/docker-compose.yaml index 74b2214..af11734 100644 
--- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -14,11 +14,11 @@ services: - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From ae514479d11a08bfd80dee1dd54647ec43b1090e Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:08:15 +0100 Subject: [PATCH 13/40] Trying this --- docker-compose.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index af11734..2ce5b73 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -14,6 +14,7 @@ services: - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" + - "--entryPoints.web.allowACMEByPass=true" - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" -- 2.49.1 From 4b2cfc142f9ec2ede73e9372e0cc308829ca30c6 Mon Sep 17 00:00:00 2001 
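Review bot: `- "--entryPoints.web.allowACMEByPass=true"` is the right place for the option PATCH 02 tried to set in the dynamic file, but it is undocumented and it widens what may answer ACME challenges: the flag lets ordinary routers handle `/.well-known/acme-challenge/` traffic instead of Traefik's internal ACME router, and on this setup the `HostRegexp(`^.+$`)` catch-all in dev/forward-to-legacy-nginx.yaml is such a router. A comment above the flag should record that trade-off, e.g. `# let the legacy-nginx catch-all answer HTTP-01 challenges for nginx-managed domains; Traefik-managed hosts need a router with higher priority than the catch-all`. PATCH 18 later respells it `allowacmebypass` and PATCH 20 reverts to `allowACMEByPass`; Traefik flag names are case-insensitive, so both work, but the file should settle on one spelling.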
From: kovagoadi Date: Fri, 19 Dec 2025 21:16:49 +0100 Subject: [PATCH 14/40] Trying this out --- docker-compose.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 2ce5b73..791fb5d 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -15,11 +15,11 @@ services: - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" - "--entryPoints.web.allowACMEByPass=true" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + #- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From 9cefaffaba2d2a0b2567c43a63eb5bee2c44b417 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:27:29 +0100 Subject: [PATCH 15/40] Trying this --- dev/forward-to-legacy-nginx.yaml | 14 +++++++------- docker-compose.yaml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 830a781..d904ddb 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -7,13 +7,13 @@ entryPoints: address: ":80" # or :898 in your case allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS -# certificatesResolvers: -# letsencrypt: -# acme: -# email: "kovagoadi@gmail.com" -# storage: "acme.json" -# httpChallenge: -# entryPoint: web +certificatesResolvers: + letsencrypt: + acme: + email: "kovagoadi@gmail.com" + storage: "acme.json" + httpChallenge: + entryPoint: web tcp: routers: 
diff --git a/docker-compose.yaml b/docker-compose.yaml index 791fb5d..6869b03 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -15,7 +15,7 @@ services: - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" - "--entryPoints.web.allowACMEByPass=true" - #- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" -- 2.49.1 From 45f0008eda4b24cac2ab69422add459123c4eb3c Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:30:30 +0100 Subject: [PATCH 16/40] Try this --- dev/forward-to-legacy-nginx.yaml | 4 ++-- docker-compose.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index d904ddb..e5afe5c 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -12,8 +12,8 @@ certificatesResolvers: acme: email: "kovagoadi@gmail.com" storage: "acme.json" - httpChallenge: - entryPoint: web + # httpChallenge: + # entryPoint: web tcp: routers: diff --git a/docker-compose.yaml b/docker-compose.yaml index 6869b03..c29d2b0 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -16,7 +16,7 @@ services: - "--entryPoints.https.address=:443" - "--entryPoints.web.allowACMEByPass=true" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" -- 2.49.1 
From a4fab170fa626a6e27fc26d5f5e30f10001bc2c7 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:44:05 +0100 Subject: [PATCH 17/40] =?UTF-8?q?Elvileg=20m=C3=A9g=20nem=20j=C3=B3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- docker-compose.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index c29d2b0..1eaa54f 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -17,8 +17,8 @@ services: - "--entryPoints.web.allowACMEByPass=true" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" -- 2.49.1 From 076550be7b15198ddce6db1bb8573e340b132863 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:47:02 +0100 Subject: [PATCH 18/40] Checking this out --- docker-compose.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 1eaa54f..6487779 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -14,12 +14,12 @@ services: - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - "--entryPoints.web.address=:80" - "--entryPoints.https.address=:443" - - "--entryPoints.web.allowACMEByPass=true" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + - "--entryPoints.web.allowacmebypass=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From 959669dc66de3a724cc9152a186100ed7cb50281 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 21:57:31 +0100 Subject: [PATCH 19/40] Trying this out --- dev/forward-to-legacy-nginx.yaml | 7 +++++-- docker-compose.yaml | 16 ++++++++-------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index e5afe5c..32f342c 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -6,14 +6,16 @@ entryPoints: web: address: ":80" # or :898 in your case allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS + https: + address: ":443" certificatesResolvers: letsencrypt: acme: email: "kovagoadi@gmail.com" storage: "acme.json" - # httpChallenge: - # entryPoint: web + httpChallenge: + entryPoint: web tcp: routers: 
@@ -57,6 +59,7 @@ http: - "web" priority: 1 # Will catch ACME for any domain NOT listed in the handler above + services: nginx-legacy-service: loadBalancer: diff --git a/docker-compose.yaml b/docker-compose.yaml index 6487779..19aa8c3 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -12,14 +12,14 @@ services: - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - - "--entryPoints.web.address=:80" - - "--entryPoints.https.address=:443" - - "--entryPoints.web.allowacmebypass=true" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + # - "--entryPoints.web.address=:80" + # - "--entryPoints.https.address=:443" + # - "--entryPoints.web.allowacmebypass=true" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From 25218446a6ae78519842f411cd5cfa836822b2b1 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 22:10:53 +0100 Subject: [PATCH 20/40] Testing this --- dev/forward-to-legacy-nginx.yaml | 26 +++++++++++++------------- docker-compose.yaml | 15 +++++++-------- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 32f342c..399dcf9 100644 
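Review bot: With every `--entryPoints.*` and `--certificatesresolvers.*` flag commented out, Traefik's static configuration no longer defines `web`, `https` or `letsencrypt` at all; the `entryPoints:` and `certificatesResolvers:` sections re-enabled in dev/forward-to-legacy-nginx.yaml in the same commit do not fill that gap, because the file provider loads dynamic configuration only. Every router in that file and every `entrypoints=`/`certresolver=` label on the whoami container then references names that do not exist. The flags have to stay in `command:`; PATCH 20 puts them back, which confirms the file route does not work.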
--- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml @@ -2,20 +2,20 @@ # static configuration (traefik.yml) -entryPoints: - web: - address: ":80" # or :898 in your case - allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS - https: - address: ":443" +# entryPoints: +# web: +# address: ":80" # or :898 in your case +# allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS +# https: +# address: ":443" -certificatesResolvers: - letsencrypt: - acme: - email: "kovagoadi@gmail.com" - storage: "acme.json" - httpChallenge: - entryPoint: web +# certificatesResolvers: +# letsencrypt: +# acme: +# email: "kovagoadi@gmail.com" +# storage: "acme.json" +# httpChallenge: +# entryPoint: web tcp: routers: diff --git a/docker-compose.yaml b/docker-compose.yaml index 19aa8c3..99b81dd 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -12,14 +12,13 @@ services: - "--providers.docker.exposedbydefault=false" - "--providers.docker.network=proxy" - "--providers.docker.constraints=Label(`env`, `${ENV}`)" - # - "--entryPoints.web.address=:80" - # - "--entryPoints.https.address=:443" - # - "--entryPoints.web.allowacmebypass=true" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" - # - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - # - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - # - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - # - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}" + - "--entryPoints.web.address=:80" + - "--entryPoints.https.address=:443" + - "--entryPoints.web.allowACMEByPass=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true" + - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" + - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" + - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From e333ed38a074ebc27e3f895754928ebd50bdd9d6 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 22:18:45 +0100 Subject: [PATCH 21/40] Testing thsi out --- dev/forward-to-legacy-nginx.yaml | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 399dcf9..1c456bf 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml 
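Review bot: The re-enabled resolver flags omit `--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}`, which the commented block being replaced still carried (the hunk shrinks from 14 to 13 lines), so from this commit on the dev stack requests certificates from the production Let's Encrypt CA even though dev.env points `CERTBOT_CA_RESOLVER` at the staging directory. Given how many recreates this series performs, that risks production rate limits for `test-whoami.dev.kovagoadi.hu`, and anything issued lands in the persistent `/letsencrypt/acme.json`. Add the line back: `- "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}"`.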
@@ -19,11 +19,12 @@ tcp: routers: - # Router for HTTPS (Passthrough) + # Router for LEGACY HTTPS (Passthrough) nginx-legacy-router-secure: - rule: "HostSNI(`*`)" + # DO NOT use "*". List the domains that Nginx manages itself. + # If you use "*", Traefik's own HTTPS domains will not work. + rule: "HostSNI(`excali.kovagoadi.hu`, `another-legacy.hu`)" service: nginx-legacy-service-secure - # Passthrough must be true for SSL to reach Nginx encrypted tls: passthrough: true priority: 1 @@ -31,34 +32,28 @@ tcp: - "https" services: - # Service defining the external IP nginx-legacy-service-secure: loadBalancer: servers: - # This is the actual external IP and Port of your Nginx - address: "webserver:443" http: routers: - # 1. ROUTE FOR TRAEFIK-MANAGED DOMAINS - # For domains Traefik should handle, send challenges to the internal ACME service. + # 1. TRAEFIK-MANAGED ACME HANDLER traefik-acme-handler: rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)" entryPoints: - "web" - service: "acme-http@internal" # This is the internal service name - priority: 1000 # High priority to ensure it wins + service: "acme-http@internal" + priority: 1000 - # 2. THE CATCH-ALL ROUTER (LEGACY) - # This remains your broad catch-all. Since it has lower priority, - # the one above handles the Traefik domains, and everything else hits this. + # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx) nginx-legacy-router: rule: "HostRegexp(`^.+$`)" service: nginx-legacy-service entryPoints: - "web" - priority: 1 # Will catch ACME for any domain NOT listed in the handler above - + priority: 1 services: nginx-legacy-service: -- 2.49.1 From 2069278f3564102982430ef95b5ef821da7a756f Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 22:20:14 +0100 Subject: [PATCH 22/40] Force recreate --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 99b81dd..7435379 100644 
--- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,5 +1,5 @@ services: - traefik: + traefik3: image: "traefik:v3.6@sha256:4ec25d36f3203240bc1631bb43954c61e872331ab693e741398f1dde6974c145" restart: unless-stopped security_opt: -- 2.49.1 From bf04f5645cb86f302386ed358d31e6b86251a048 Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 22:27:59 +0100 Subject: [PATCH 23/40] Added router --- docker-compose.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docker-compose.yaml b/docker-compose.yaml index 7435379..68aa627 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -19,6 +19,10 @@ services: - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web" - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com" - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + - "traefik.http.routers.traefik-acme-handler.rule=Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)" + - "traefik.http.routers.traefik-acme-handler.entrypoints=web" + - "traefik.http.routers.traefik-acme-handler.service=acme-http@internal" + - "traefik.http.routers.traefik-acme-handler.priority=1000" - "${TRAEFIK_LEGACY_OPT:-}" - "--providers.file.watch=true" ports: -- 2.49.1 From bae8f8ffa40d948184ea505d6b0b551b9acceaec Mon Sep 17 00:00:00 2001 From: kovagoadi Date: Fri, 19 Dec 2025 22:40:44 +0100 Subject: [PATCH 24/40] Trying this out --- dev/forward-to-legacy-nginx.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml index 1c456bf..a98b97e 100644 --- a/dev/forward-to-legacy-nginx.yaml +++ b/dev/forward-to-legacy-nginx.yaml 
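Review bot: The four `traefik.http.routers.traefik-acme-handler.*` entries are added to the Traefik `command:` list, but they are Docker label keys, not CLI flags: they lack the `--` prefix, so Traefik will most likely reject them at startup as an unknown command or argument, and in no case does a router get created from them. If a container-level router is wanted they belong under `labels:` of the container that should serve it; if the aim is for Traefik to answer its own HTTP-01 challenges, no extra router is needed because `acme-http@internal` already exists for that. PATCH 26 removes these lines again, so the intermediate state should not be merged as is.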
@@ -40,12 +40,7 @@ tcp:
 http:
 routers:
 # 1. TRAEFIK-MANAGED ACME HANDLER
- traefik-acme-handler:
- rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
- entryPoints:
- - "web"
- service: "acme-http@internal"
- priority: 1000
+
 # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
 nginx-legacy-router:
--
2.49.1

From 4e3aa30c613598c653e724930c853aeb9ef9a288 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Fri, 19 Dec 2025 22:42:10 +0100
Subject: [PATCH 25/40] Force recreation again

---
 docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 68aa627..b0c32f3 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik3:
+ traefik4:
 image: "traefik:v3.6@sha256:4ec25d36f3203240bc1631bb43954c61e872331ab693e741398f1dde6974c145"
 restart: unless-stopped
 security_opt:
--
2.49.1

From 92b98879f84c551046bd2ca8a45ff7e1a8efb31d Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Fri, 19 Dec 2025 22:59:49 +0100
Subject: [PATCH 26/40] fix(traefik): allow acme bypass and set high priority for whoami

---
 dev/forward-to-legacy-nginx.yaml | 5 ++---
 docker-compose.yaml | 8 ++------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index a98b97e..87be2a6 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -23,7 +23,7 @@ tcp:
 nginx-legacy-router-secure:
 # DO NOT use "*". List the domains that Nginx manages itself.
 # If you use "*", Traefik's own HTTPS domains will not work.
- rule: "HostSNI(`excali.kovagoadi.hu`, `another-legacy.hu`)"
+ rule: "HostSNI(`excali.kovagoadi.hu`) || HostSNI(`another-legacy.hu`)"
 service: nginx-legacy-service-secure
 tls:
 passthrough: true
@@ -39,8 +39,7 @@ tcp:
 http:
 routers:
- # 1. TRAEFIK-MANAGED ACME HANDLER
-
+ # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
 # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
 nginx-legacy-router:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index b0c32f3..a6ea120 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik4:
+ traefik3:
 image: "traefik:v3.6@sha256:4ec25d36f3203240bc1631bb43954c61e872331ab693e741398f1dde6974c145"
 restart: unless-stopped
 security_opt:
@@ -19,10 +19,6 @@ services:
 - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
 - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
 - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- - "traefik.http.routers.traefik-acme-handler.rule=Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
- - "traefik.http.routers.traefik-acme-handler.entrypoints=web"
- - "traefik.http.routers.traefik-acme-handler.service=acme-http@internal"
- - "traefik.http.routers.traefik-acme-handler.priority=1000"
 - "${TRAEFIK_LEGACY_OPT:-}"
 - "--providers.file.watch=true"
 ports:
@@ -42,12 +38,12 @@ services:
 labels:
 - "env=${ENV}"
 - "traefik.enable=true"
+ - "traefik.http.routers.whoami.priority=10000"
 - "traefik.http.routers.whoami.rule=Host(`test-whoami.${DOMAIN}`)"
 - "traefik.http.routers.https.rule=Host(`test-whoami.${DOMAIN}`)"
 - "traefik.http.routers.whoami.entrypoints=web"
 - traefik.http.routers.https.entrypoints=https
 - traefik.http.routers.https.tls=true
- - traefik.http.routers.https.tls.certresolver=letsencrypt
 networks:
 proxy:
 legacy-nginx:
--
2.49.1

From a88191b3399d9a683e410167c795e83c149cc91f Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:23:45 +0100
Subject: [PATCH 27/40] Testing this out

---
 dev/forward-to-legacy-nginx.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

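Review bot: `- traefik.http.routers.https.tls.certresolver=letsencrypt` is removed in the last hunk while the subject only mentions the ACME bypass and the whoami priority; with `tls=true` and no resolver the `https` router has no certificate source for `test-whoami.${DOMAIN}`, so Traefik falls back to its default self-signed certificate. If that is deliberate for the experiment the commit message should say so; otherwise the label should stay (patch 34 restores it). The new `whoami.priority=10000` is also above the `1000` used for `traefik-acme-handler` elsewhere in this series, which lets the `whoami` router capture `/.well-known/acme-challenge/` for its own host; whichever values are final, a comment next to them should state the intended order.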
diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index 87be2a6..ae66a7b 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -47,7 +47,7 @@ http:
 service: nginx-legacy-service
 entryPoints:
 - "web"
- priority: 1
+ priority: 100
 services:
 nginx-legacy-service:
--
2.49.1

From 715840dbb1e22a9d6163f90235b799bc3701526f Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:25:47 +0100
Subject: [PATCH 28/40] Force recreate

---
 docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index cb45fbc..9058e0d 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik3:
+ traefik4:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
--
2.49.1

From e1894c89fd01cff7505a8140838ccae86ebbc9e0 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:29:17 +0100
Subject: [PATCH 29/40] Added acme handler

---
 dev/forward-to-legacy-nginx.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index ae66a7b..14ab53c 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -40,6 +40,12 @@ tcp:
 http:
 routers:
 # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
+ traefik-acme-handler:
+ rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
+ entryPoints:
+ - "web"
+ service: "acme-http@internal" # This is the internal service name
+ priority: 10001 # High priority to ensure it wins
 # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
 nginx-legacy-router:
--
2.49.1

From ebeebd89505b7c0ffd31d35bb11b79bb421232de Mon Sep 17 00:00:00 2001
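Review bot: The re-added `traefik-acme-handler` sits directly under a heading that still reads `# 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)`, which now states the opposite of the code; the parenthetical should go. The rule is also pinned to one host, `test-whoami.dev.kovagoadi.hu`, so an HTTP-01 challenge for any other Traefik-managed host on `web` falls through to the `HostRegexp(`^.+$`)` catch-all and is forwarded to Nginx, where issuance fails without any signal on the Traefik side. The same single-host rule is copied into `prod/forward-to-legacy-nginx.yaml` by patches 37 and 40. Either list every Traefik-managed host in the rule or add a comment making clear that this is a per-host allow-list that must be extended for each new Traefik-managed domain.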
From: kovagoadi
Date: Sat, 20 Dec 2025 14:31:45 +0100
Subject: [PATCH 30/40] Force recreate

---
 docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 9058e0d..6547274 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik4:
+ traefik5:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
--
2.49.1

From c7ba97cd55f4483ba1c9bd49add331a74f4f554c Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:36:12 +0100
Subject: [PATCH 31/40] Changed priority values

---
 dev/forward-to-legacy-nginx.yaml | 6 +++---
 docker-compose.yaml | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index 14ab53c..b8a1d9b 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -27,7 +27,7 @@ tcp:
 service: nginx-legacy-service-secure
 tls:
 passthrough: true
- priority: 1
+ priority: 10
 entryPoints:
 - "https"
@@ -45,7 +45,7 @@ http:
 entryPoints:
 - "web"
 service: "acme-http@internal" # This is the internal service name
- priority: 10001 # High priority to ensure it wins
+ priority: 1000 # High priority to ensure it wins
 # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
 nginx-legacy-router:
@@ -53,7 +53,7 @@ http:
 service: nginx-legacy-service
 entryPoints:
 - "web"
- priority: 100
+ priority: 10
 services:
 nginx-legacy-service:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 6547274..30fc662 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik5:
+ traefik6:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
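Review bot: The three priorities changed here (`10` on the TCP passthrough, `1000` on `traefik-acme-handler`, `10` on `nginx-legacy-router`) only work together with the `whoami.priority=100` and `https.priority=100` labels set in docker-compose by the same commit, yet neither file records the intended order, and the catch-all value is changed again in the next two patches. A short comment at the top of the `http.routers` block, e.g. `# Order on "web": traefik-acme-handler (1000) > container routers (100, see docker-compose.yaml labels) > nginx-legacy-router catch-all`, would make the next change deliberate instead of trial-and-error; the docker-compose hunk carrying the `100` values continues on the next line.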
@@ -38,8 +38,9 @@ services:
 labels:
 - "env=${ENV}"
 - "traefik.enable=true"
- - "traefik.http.routers.whoami.priority=10000"
+ - "traefik.http.routers.whoami.priority=100"
 - "traefik.http.routers.whoami.rule=Host(`test-whoami.${DOMAIN}`)"
+ - "traefik.http.routers.https.priority=100"
 - "traefik.http.routers.https.rule=Host(`test-whoami.${DOMAIN}`)"
 - "traefik.http.routers.whoami.entrypoints=web"
 - traefik.http.routers.https.entrypoints=https
--
2.49.1

From f0697a336d0c8b3d5a3962a4b72e52f32dee146f Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:40:11 +0100
Subject: [PATCH 32/40] Changed priority

---
 dev/forward-to-legacy-nginx.yaml | 2 +-
 docker-compose.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index b8a1d9b..37a7b31 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -53,7 +53,7 @@ http:
 service: nginx-legacy-service
 entryPoints:
 - "web"
- priority: 10
+ priority: 100
 services:
 nginx-legacy-service:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 30fc662..64fe6bb 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik6:
+ traefik7:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
--
2.49.1

From cee7c526413a0678623509fd0a6f4e7b35cc3819 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:42:42 +0100
Subject: [PATCH 33/40] Trying with 90 value

---
 dev/forward-to-legacy-nginx.yaml | 2 +-
 docker-compose.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index 37a7b31..2c27fc3 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -53,7 +53,7 @@ http:
 service: nginx-legacy-service
 entryPoints:
 - "web"
- priority: 100
+ priority: 90
 services:
 nginx-legacy-service:
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 64fe6bb..e9b5234 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik7:
+ traefik8:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
--
2.49.1

From 291d4a77ee5dd0f88511cc4fdd2c3a01bca499f9 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:49:11 +0100
Subject: [PATCH 34/40] Did some changes

---
 dev/forward-to-legacy-nginx.yaml | 17 -----------------
 docker-compose.yaml | 4 +++-
 2 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index 2c27fc3..7ec78ce 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -1,22 +1,5 @@
 # ./traefik/forward-to-legacy-nginx.yaml
-
-# static configuration (traefik.yml)
-# entryPoints:
-# web:
-# address: ":80" # or :898 in your case
-# allowACMEByPass: true # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS
-# https:
-# address: ":443"
-
-# certificatesResolvers:
-# letsencrypt:
-# acme:
-# email: "kovagoadi@gmail.com"
-# storage: "acme.json"
-# httpChallenge:
-# entryPoint: web
-
 tcp:
 routers:
 # Router for LEGACY HTTPS (Passthrough)
diff --git a/docker-compose.yaml b/docker-compose.yaml
index e9b5234..9dc1bae 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik8:
+ traefik9:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
@@ -19,6 +19,7 @@ services:
 - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
 - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
 - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
+ - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}"
 - "${TRAEFIK_LEGACY_OPT:-}"
 - "--providers.file.watch=true"
 ports:
@@ -45,6 +46,7 @@ services:
 - "traefik.http.routers.whoami.entrypoints=web"
 - traefik.http.routers.https.entrypoints=https
 - traefik.http.routers.https.tls=true
+ - traefik.http.routers.https.tls.certresolver=letsencrypt
 networks:
 proxy:
 legacy-nginx:
--
2.49.1

From bc665e4649d36690563d991e8c81b9cbf823b75b Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:56:01 +0100
Subject: [PATCH 35/40] Configured some changes

---
 dev/forward-to-legacy-nginx.yaml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
index 7ec78ce..49e50d2 100644
--- a/dev/forward-to-legacy-nginx.yaml
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -2,12 +2,11 @@
 tcp:
 routers:
- # Router for LEGACY HTTPS (Passthrough)
+ # Router for HTTPS (Passthrough)
 nginx-legacy-router-secure:
- # DO NOT use "*". List the domains that Nginx manages itself.
- # If you use "*", Traefik's own HTTPS domains will not work.
- rule: "HostSNI(`excali.kovagoadi.hu`) || HostSNI(`another-legacy.hu`)"
+ rule: "HostSNI(`*`)"
 service: nginx-legacy-service-secure
+ # Passthrough must be true for SSL to reach Nginx encrypted
 tls:
 passthrough: true
 priority: 10
@@ -15,9 +14,11 @@ tcp:
 - "https"
 services:
+ # Service defining the external IP
 nginx-legacy-service-secure:
 loadBalancer:
 servers:
+ # This is the actual external IP and Port of your Nginx
 - address: "webserver:443"
 http:
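Review bot: `${CERTBOT_CA_RESOLVER}` has no default and no required-marker, unlike `${TRAEFIK_LEGACY_OPT:-}` two lines below, so a missing or incomplete env file makes Compose substitute an empty string and Traefik receives `--certificatesResolvers.letsencrypt.acme.caServer=`, an empty CA URL, instead of a clear failure. `${CERTBOT_CA_RESOLVER:?CERTBOT_CA_RESOLVER must be the ACME directory URL}` makes `docker compose up` stop before Traefik starts. The new flag is also spelled `certificatesResolvers`/`caServer` while its neighbours use `certificatesresolvers`; Traefik matches flag names case-insensitively, but a grep for the resolver will miss one of the two spellings, so pick one.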
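Review bot: Restoring `rule: "HostSNI(`*`)"` deletes the two-line comment that explained why `*` had been avoided, without recording why it is now acceptable; from the rest of the series the reason appears to be that the Traefik-managed HTTPS router now carries an explicit `priority=100` label above this router's `priority: 10`, but that dependency on a label in another file is invisible here. I would replace the deleted comment with one that names it, e.g. `# "*" is safe only while every Traefik-managed HTTPS router has a priority above 10 (see traefik.http.routers.*.priority labels in docker-compose.yaml)`. Note also that any SNI no other router claims now reaches Nginx encrypted, so Nginx's default vhost is what an unknown hostname on 443 gets.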
@@ -34,9 +35,10 @@ http:
 nginx-legacy-router:
 rule: "HostRegexp(`^.+$`)"
 service: nginx-legacy-service
+ # Low priority ensures specific containers are handled first, but before the default acme-handler
+ priority: 90
 entryPoints:
 - "web"
- priority: 90
 services:
 nginx-legacy-service:
--
2.49.1

From 8ce3bd28db8643d25ec7328d4419d4a3ab41ac26 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:56:17 +0100
Subject: [PATCH 36/40] Added missing docker compose

---
 docker-compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yaml b/docker-compose.yaml
index 9dc1bae..9eb8b33 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,5 +1,5 @@
 services:
- traefik9:
+ traefik10:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
--
2.49.1

From d535301b8b0b368afa1bdab468ba57fd2990f165 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 14:58:45 +0100
Subject: [PATCH 37/40] Modified prod file

---
 prod/forward-to-legacy-nginx.yaml | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/prod/forward-to-legacy-nginx.yaml b/prod/forward-to-legacy-nginx.yaml
index e184fe0..49e50d2 100644
--- a/prod/forward-to-legacy-nginx.yaml
+++ b/prod/forward-to-legacy-nginx.yaml
@@ -9,7 +9,7 @@ tcp:
 # Passthrough must be true for SSL to reach Nginx encrypted
 tls:
 passthrough: true
- priority: 1
+ priority: 10
 entryPoints:
 - "https"
@@ -23,12 +23,20 @@ tcp:
 http:
 routers:
- # Router for HTTP
+ # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
+ traefik-acme-handler:
+ rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
+ entryPoints:
+ - "web"
+ service: "acme-http@internal" # This is the internal service name
+ priority: 1000 # High priority to ensure it wins
+
+ # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
 nginx-legacy-router:
 rule: "HostRegexp(`^.+$`)"
 service: nginx-legacy-service
- # Low priority ensures specific containers are handled first
- priority: 1
+ # Low priority ensures specific containers are handled first, but before the default acme-handler
+ priority: 90
 entryPoints:
 - "web"
--
2.49.1

From 332299bf0d45210d874c3c33a9cf39be70220c55 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 15:02:51 +0100
Subject: [PATCH 38/40] testing for staging and dev

---
 dev.env | 3 ++-
 docker-compose.yaml | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/dev.env b/dev.env
index d64700d..6c37125 100644
--- a/dev.env
+++ b/dev.env
@@ -4,4 +4,5 @@ ENV=dev
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
 DOMAIN=dev.kovagoadi.hu
-TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
+TRAEFIK_LEGACY_OPT=
+# TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 9eb8b33..a4faf9b 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
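Review bot: The handler added to the prod file keeps the dev hostname, `Host(`test-whoami.dev.kovagoadi.hu`)`, so in prod it matches nothing and the challenge for the prod host falls through to the catch-all and on to Nginx; patch 40 corrects it to `test-whoami.kovagoadi.hu`, which suggests the file was copied from `dev/` by hand. Compose does not substitute `${DOMAIN}` inside this file, so the host must be maintained separately in each environment's copy, and a comment at the rule saying so would make the next copy safer. The new comment `# Low priority ensures specific containers are handled first, but before the default acme-handler` compares `90` with two things it does not name; state the numbers, e.g. `# 90: below the container routers (100) so they win; above Traefik's internal ACME router so challenges for legacy hosts reach Nginx`, if that is the intended reading.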
@@ -1,12 +1,12 @@
 services:
- traefik10:
+ traefik11:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
 networks:
 - proxy
- - legacy-nginx
+ # - legacy-nginx
 command:
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
@@ -19,7 +19,7 @@ services:
 - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
 - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
 - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}"
+ - "--certificatesResolvers.letsencrypt.acme.caServer=${CERTBOT_CA_RESOLVER}"
 - "${TRAEFIK_LEGACY_OPT:-}"
 - "--providers.file.watch=true"
 ports:
@@ -49,8 +49,8 @@ services:
 - traefik.http.routers.https.tls.certresolver=letsencrypt
 networks:
 proxy:
- legacy-nginx:
- name: proxy
- external: true
+ # legacy-nginx:
+ # name: proxy
+ # external: true
 volumes:
 letsencrypt:
\ No newline at end of file
--
2.49.1

From 40088ce6a9e1d61d7c7c17319ff49c4837e24eb4 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 15:06:18 +0100
Subject: [PATCH 39/40] Added ACME_BYPASS variable

---
 dev.env | 1 +
 docker-compose.yaml | 2 +-
 prod.env | 1 +
 staging.env | 1 +
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/dev.env b/dev.env
index 6c37125..6b520c4 100644
--- a/dev.env
+++ b/dev.env
@@ -4,5 +4,6 @@ ENV=dev
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
 DOMAIN=dev.kovagoadi.hu
+ACME_BYPASS=false
 TRAEFIK_LEGACY_OPT=
 # TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index a4faf9b..ec9dd02 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -14,7 +14,7 @@ services:
 - "--providers.docker.constraints=Label(`env`, `${ENV}`)"
 - "--entryPoints.web.address=:80"
 - "--entryPoints.https.address=:443"
- - "--entryPoints.web.allowACMEByPass=true"
+ - "--entryPoints.web.allowACMEByPass=${ACME_BYPASS}"
 - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
 - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
 - "--certificatesresolvers.letsencrypt.acme.email=kovagoadi@gmail.com"
diff --git a/prod.env b/prod.env
index 302deeb..9a3f01a 100644
--- a/prod.env
+++ b/prod.env
@@ -4,4 +4,5 @@ ENV=prod
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
 DOMAIN=kovagoadi.hu
+ACME_BYPASS=true
 TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
diff --git a/staging.env b/staging.env
index 38ab2dc..587707c 100644
--- a/staging.env
+++ b/staging.env
@@ -4,4 +4,5 @@ ENV=staging
 NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
 DOMAIN=staging.kovagoadi.hu
+ACME_BYPASS=false
 TRAEFIK_LEGACY_OPT=
\ No newline at end of file
--
2.49.1

From 2487a53ebf4c2942c74f0de3e9b26ccbfd2cf616 Mon Sep 17 00:00:00 2001
From: kovagoadi
Date: Sat, 20 Dec 2025 15:10:50 +0100
Subject: [PATCH 40/40] Pre-merge changes

---
 dev/forward-to-legacy-nginx.yaml | 47 -------------------------------
 docker-compose.yaml | 6 +---
 prod/forward-to-legacy-nginx.yaml | 2 +-
 3 files changed, 2 insertions(+), 53 deletions(-)
 delete mode 100644 dev/forward-to-legacy-nginx.yaml

diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
deleted file mode 100644
index 49e50d2..0000000
--- a/dev/forward-to-legacy-nginx.yaml
+++ /dev/null
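Review bot: `${ACME_BYPASS}` has no default, so with the variable absent Traefik is handed `--entryPoints.web.allowACMEByPass=` and the startup outcome depends on how an empty boolean is parsed rather than on a choice made here. `${ACME_BYPASS:-false}` keeps the restrictive behaviour when an env file is incomplete: with bypass off, Traefik's own ACME challenge router cannot be shadowed by a mis-prioritised user router, which is why `false` rather than `true` is the right fallback. The `.env` hunks below set `true` only for prod, the one environment where `TRAEFIK_LEGACY_OPT` also enables the file provider; those two variables only make sense together, and a one-line comment in each env file saying so would stop one being flipped without the other.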
@@ -1,47 +0,0 @@
-# ./traefik/forward-to-legacy-nginx.yaml
-
-tcp:
- routers:
- # Router for HTTPS (Passthrough)
- nginx-legacy-router-secure:
- rule: "HostSNI(`*`)"
- service: nginx-legacy-service-secure
- # Passthrough must be true for SSL to reach Nginx encrypted
- tls:
- passthrough: true
- priority: 10
- entryPoints:
- - "https"
-
- services:
- # Service defining the external IP
- nginx-legacy-service-secure:
- loadBalancer:
- servers:
- # This is the actual external IP and Port of your Nginx
- - address: "webserver:443"
-
-http:
- routers:
- # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
- traefik-acme-handler:
- rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
- entryPoints:
- - "web"
- service: "acme-http@internal" # This is the internal service name
- priority: 1000 # High priority to ensure it wins
-
- # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
- nginx-legacy-router:
- rule: "HostRegexp(`^.+$`)"
- service: nginx-legacy-service
- # Low priority ensures specific containers are handled first, but before the default acme-handler
- priority: 90
- entryPoints:
- - "web"
-
- services:
- nginx-legacy-service:
- loadBalancer:
- servers:
- - url: "http://webserver:80"
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index ec9dd02..d0ab6a3 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,12 +1,11 @@
 services:
- traefik11:
+ traefik:
 image: "traefik:v3.6@sha256:67622638cd88dbfcfba40159bc652ecf0aea0e032f8a3c7e3134ae7c037b9910"
 restart: unless-stopped
 security_opt:
 - no-new-privileges:true
 networks:
 - proxy
- # - legacy-nginx
 command:
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
@@ -49,8 +48,5 @@ services:
 - traefik.http.routers.https.tls.certresolver=letsencrypt
 networks:
 proxy:
- # legacy-nginx:
- # name: proxy
- # external: true
 volumes:
 letsencrypt:
\ No newline at end of file
diff --git a/prod/forward-to-legacy-nginx.yaml b/prod/forward-to-legacy-nginx.yaml
index 49e50d2..4da1e72 100644
--- a/prod/forward-to-legacy-nginx.yaml
+++ b/prod/forward-to-legacy-nginx.yaml
@@ -25,7 +25,7 @@ http:
 routers:
 # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
 traefik-acme-handler:
- rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
+ rule: "Host(`test-whoami.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
 entryPoints:
 - "web"
 service: "acme-http@internal" # This is the internal service name
--
2.49.1