diff --git a/dev.env b/dev.env
index 6b520c4..7c085dd 100644
--- a/dev.env
+++ b/dev.env
@@ -5,5 +5,5 @@ NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-staging-v02.api.letsencrypt.org/directory
 DOMAIN=dev.kovagoadi.hu
 ACME_BYPASS=false
-TRAEFIK_LEGACY_OPT=
-# TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
+# TRAEFIK_LEGACY_OPT=
+TRAEFIK_LEGACY_OPT="--providers.file.directory=/etc/traefik"
\ No newline at end of file
diff --git a/dev/forward-to-legacy-nginx.yaml b/dev/forward-to-legacy-nginx.yaml
new file mode 100644
index 0000000..4da1e72
--- /dev/null
+++ b/dev/forward-to-legacy-nginx.yaml
@@ -0,0 +1,47 @@
+# ./traefik/forward-to-legacy-nginx.yaml
+
+tcp:
+ routers:
+ # Router for HTTPS (Passthrough)
+ nginx-legacy-router-secure:
+ rule: "HostSNI(`*`)"
+ service: nginx-legacy-service-secure
+ # Passthrough must be true for SSL to reach Nginx encrypted
+ tls:
+ passthrough: true
+ priority: 10
+ entryPoints:
+ - "https"
+
+ services:
+ # Service defining the external IP
+ nginx-legacy-service-secure:
+ loadBalancer:
+ servers:
+ # This is the actual external IP and Port of your Nginx
+ - address: "webserver:443"
+
+http:
+ routers:
+ # 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)
+ traefik-acme-handler:
+ rule: "Host(`test-whoami.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
+ entryPoints:
+ - "web"
+ service: "acme-http@internal" # This is the internal service name
+ priority: 1000 # High priority to ensure it wins
+
+ # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
+ nginx-legacy-router:
+ rule: "HostRegexp(`^.+$`)"
+ service: nginx-legacy-service
+ # Low priority ensures specific containers are handled first, but before the default acme-handler
+ priority: 90
+ entryPoints:
+ - "web"
+
+ services:
+ nginx-legacy-service:
+ loadBalancer:
+ servers:
+ - url: "http://webserver:80"
\ No newline at end of file
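Review bot: `--providers.file.directory=/etc/traefik` makes Traefik load every file in that directory as dynamic configuration, and because the compose volume in this commit now mounts `./${ENV}:/etc/traefik`, that is the whole `dev/` or `prod/` folder rather than the single file the old `--providers.file.filename=...` option named. Anything placed in that folder later — a scratch copy, an editor backup, a second routing file — becomes live routing configuration with no further opt-in, so the scope is worth stating where the option is set: `# every YAML file in ./${ENV} (mounted at /etc/traefik) is loaded as live Traefik routing config`. prod.env makes the same switch and should carry the same comment.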
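Review bot: The `traefik-acme-handler` router in this `dev/` file hard-codes `Host(`test-whoami.kovagoadi.hu`)`, but dev.env sets `DOMAIN=dev.kovagoadi.hu`, so the dev whoami host `test-whoami.dev.kovagoadi.hu` never matches it and its `/.well-known/acme-challenge/` requests on `web` fall through to `nginx-legacy-router` (priority 90) and reach nginx instead of `acme-http@internal`. If this router is meant for the dev host, the rule should read `rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"`. The heading comment `# 1. TRAEFIK-MANAGED ACME HANDLER (Removed manual router)` also contradicts the manual router that follows it; Traefik registers an internal challenge router of its own when an HTTP challenge resolver is configured, so this one may be redundant — worth confirming before keeping both the router and the comment.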
diff --git a/dev/route-to-staging-dev.yaml b/dev/route-to-staging-dev.yaml
new file mode 100644
index 0000000..51fef4f
--- /dev/null
+++ b/dev/route-to-staging-dev.yaml
@@ -0,0 +1,30 @@
+http:
+ routers:
+ # Router for HTTP (Port 80)
+ staging:
+ rule: "Host(`staging.kovagoadi.hu`) || Host(`test-whoami.staging.kovagoadi.hu`)"
+ entryPoints:
+ - "web"
+ service: "dev-staging"
+ priority: 1000000
+
+ # Router for HTTPS (Port 443)
+ staging-secure:
+ rule: "Host(`staging.kovagoadi.hu`) || Host(`dev.kovagoadi.hu`)"
+ entryPoints:
+ - "https"
+ service: "dev-staging-secure"
+ priority: 100
+ tls: {} # <--- This enables TLS for this router
+
+ services:
+ dev-staging:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.1.85:8080"
+
+ dev-staging-secure:
+ loadBalancer:
+ servers:
+ # Note: Ensure Traefik trusts the cert at .85 or set insecureSkipVerify
+ - url: "https://192.168.1.85:445"
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index d0ab6a3..c47b299 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -6,7 +6,9 @@ services:
 - no-new-privileges:true
 networks:
 - proxy
+ - legacy-nginx
 command:
+ - "--log.level=DEBUG"
 - "--providers.docker=true"
 - "--providers.docker.exposedbydefault=false"
 - "--providers.docker.network=proxy"
@@ -28,7 +30,7 @@ services:
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock:ro"
 - "letsencrypt:/letsencrypt"
- - "./${ENV}/forward-to-legacy-nginx.yaml:/etc/traefik/forward-to-legacy-nginx.yaml"
+ - "./${ENV}:/etc/traefik"
 
 whoami:
 image: "traefik/whoami@sha256:200689790a0a0ea48ca45992e0450bc26ccab5307375b41c84dfc4f2475937ab"
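Review bot: `staging-secure` enables TLS with `tls: {}` but names no certificate resolver, so Traefik terminates `staging.kovagoadi.hu` and `dev.kovagoadi.hu` with whatever certificate it already holds for those names and otherwise with its default self-signed one; the only `certresolver` on this page is the whoami label in docker-compose.yaml, which covers `test-whoami.${DOMAIN}` only. If these hosts should get a Let's Encrypt certificate, replace the empty map with the two lines `tls:` / `certResolver: letsencrypt`. The comment on the `dev-staging-secure` server offers `insecureSkipVerify` as an alternative to trusting the `.85` certificate; unless scoped to a dedicated `serversTransport`, that switch applies to the default transport shared by every HTTPS backend, so a transport carrying the backend's CA in `rootCAs` is the better option and the comment could say so. The `prod/` copy of this file has the same two points.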
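Review bot: `--log.level=DEBUG` is added to the one docker-compose.yaml that both dev.env and prod.env drive, so production Traefik will run at DEBUG as well; that level is very verbose and its output includes per-request routing detail that should not sit in production logs by default. Making it an environment-driven value keeps the dev setting without committing it for prod: `- "--log.level=${TRAEFIK_LOG_LEVEL:-INFO}"`, with `TRAEFIK_LOG_LEVEL=DEBUG` set in dev.env only. The `command:` list continues outside the hunk.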
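Review bot: The new `./${ENV}:/etc/traefik` mount is read-write while the socket mount two lines above is `:ro`; Traefik only reads its dynamic configuration, so mounting it the same way, `- "./${ENV}:/etc/traefik:ro"`, stops a misbehaving or compromised container from rewriting the routing files on the host. The line also replaces a single-file mount with the whole `${ENV}` directory, which is what the `--providers.file.directory` switch in dev.env and prod.env relies on, so a comment naming that coupling would help the next reader: `# whole env dir: every YAML file here is picked up by --providers.file.directory`.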
@@ -38,9 +40,9 @@ services:
 labels:
 - "env=${ENV}"
 - "traefik.enable=true"
- - "traefik.http.routers.whoami.priority=100"
+ - "traefik.http.routers.whoami.priority=1000000"
 - "traefik.http.routers.whoami.rule=Host(`test-whoami.${DOMAIN}`)"
- - "traefik.http.routers.https.priority=100"
+ - "traefik.http.routers.https.priority=1000000"
 - "traefik.http.routers.https.rule=Host(`test-whoami.${DOMAIN}`)"
 - "traefik.http.routers.whoami.entrypoints=web"
 - traefik.http.routers.https.entrypoints=https
@@ -48,5 +50,8 @@ services:
 - traefik.http.routers.https.tls.certresolver=letsencrypt
 networks:
 proxy:
+ legacy-nginx:
+ name: proxy
+ external: true
 volumes:
 letsencrypt:
\ No newline at end of file
diff --git a/prod.env b/prod.env
index 9a3f01a..dc8856b 100644
--- a/prod.env
+++ b/prod.env
@@ -5,4 +5,4 @@ NETWORK_NAME=proxy
 CERTBOT_CA_RESOLVER=https://acme-v02.api.letsencrypt.org/directory
 DOMAIN=kovagoadi.hu
 ACME_BYPASS=true
-TRAEFIK_LEGACY_OPT="--providers.file.filename=/etc/traefik/forward-to-legacy-nginx.yaml"
\ No newline at end of file
+TRAEFIK_LEGACY_OPT="--providers.file.directory=/etc/traefik"
\ No newline at end of file
diff --git a/prod/route-to-staging-dev.yaml b/prod/route-to-staging-dev.yaml
new file mode 100644
index 0000000..1fa3382
--- /dev/null
+++ b/prod/route-to-staging-dev.yaml
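Review bot: `1000000` now appears as a bare magic number in the whoami and https router labels, and the same value is used for the `staging` router in `dev/route-to-staging-dev.yaml` (and as `1_000_000` in the `prod/` copy), with nothing recording how it relates to the `1000` and `90` priorities in `forward-to-legacy-nginx.yaml`. A comment above the first priority label would make the ordering scheme explicit: `# 1000000: container routers must outrank the file-provider ACME handler (1000) and the HTTP catch-all (90)`. The `labels:` list continues outside the hunk.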
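Review bot: `legacy-nginx` is declared as the pre-existing Docker network literally named `proxy`, while the `proxy:` entry beside it has no `name:` and is therefore a compose-managed network whose Docker name gets the project-name prefix; the Traefik container now joins both, and `--providers.docker.network=proxy` earlier in the file is matched against Docker network names, so it likely now selects the external network rather than the compose-managed one the whoami container is presumably attached to — worth confirming which network each container actually ends up on. The compose key also hides what the network is; `name: ${NETWORK_NAME}` would reuse the `NETWORK_NAME=proxy` value both env files already define, and a comment above it, `# pre-existing network shared with the legacy nginx stack`, would say why it exists.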
@@ -0,0 +1,30 @@
+http:
+ routers:
+ # Router for HTTP (Port 80)
+ staging:
+ rule: "HostRegexp({subdomain:.+}.staging.kovagoadi.hu`) || Host(`staging.kovagoadi.hu`) || Host(`dev.kovagoadi.hu`)"
+ entryPoints:
+ - "web"
+ service: "dev-staging"
+ priority: 1_000_000
+
+ # Router for HTTPS (Port 443)
+ staging-secure:
+ rule: "Host(`staging.kovagoadi.hu`) || Host(`dev.kovagoadi.hu`)"
+ entryPoints:
+ - "https"
+ service: "dev-staging-secure"
+ priority: 100
+ tls: {} # <--- This enables TLS for this router
+
+ services:
+ dev-staging:
+ loadBalancer:
+ servers:
+ - url: "http://192.168.1.85:8080"
+
+ dev-staging-secure:
+ loadBalancer:
+ servers:
+ # Note: Ensure Traefik trusts the cert at .85 or set insecureSkipVerify
+ - url: "https://192.168.1.85:445"
\ No newline at end of file
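Review bot: The `staging` rule is malformed: `HostRegexp({subdomain:.+}.staging.kovagoadi.hu`)` closes a backtick it never opens, so the rule string should fail to parse and Traefik would drop this router with an error rather than route anything for it. It also mixes the `{subdomain:.+}` named-group form with the plain-regex style the `dev/` file uses in `HostRegexp(`^.+$`)`; written the same way, and single-quoted so the `\.` escapes survive YAML parsing, the line becomes `rule: 'HostRegexp(`^.+\.staging\.kovagoadi\.hu$`) || Host(`staging.kovagoadi.hu`) || Host(`dev.kovagoadi.hu`)'`. `priority: 1_000_000` is also worth normalising to `priority: 1000000` as in the dev copy, since underscore-separated integers are a YAML 1.1 extension that a 1.2 parser reads as a string.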