---
# ./traefik/forward-to-legacy-nginx.yaml
#
# Hands traffic for the legacy sites to the Nginx container ("webserver"):
#   - HTTPS is forwarded as a raw TCP stream, selected by SNI (passthrough).
#   - Plain HTTP is forwarded by a catch-all HTTP router.

tcp:
  routers:
    # Legacy HTTPS, TLS passthrough.
    nginx-legacy-router-secure:
      # List only the domains whose TLS Nginx handles itself.
      # Do NOT use "*": a wildcard SNI match would also take the domains
      # Traefik serves over HTTPS, and those would stop working.
      rule: 'HostSNI(`excali.kovagoadi.hu`) || HostSNI(`another-legacy.hu`)'
      service: nginx-legacy-service-secure
      tls:
        # Traefik does not terminate TLS for these hosts. It never sees the
        # HTTP request, so no HTTP middleware (security headers, auth, rate
        # limiting) applies here; certificates and the TLS protocol/cipher
        # policy are whatever Nginx is configured with.
        # Nginx also sees Traefik as the peer address unless PROXY protocol
        # is enabled on both sides, which matters for access logs and
        # IP-based controls.
        passthrough: true
      priority: 10
      entryPoints:
        - 'https'

  services:
    nginx-legacy-service-secure:
      loadBalancer:
        servers:
          - address: 'webserver:443'

http:
  routers:
    # 1. ACME HTTP-01 challenge for the Traefik-managed domain.
    # NOTE(review): the original heading said the manual router was
    # removed, yet this router is still defined - confirm which is meant.
    traefik-acme-handler:
      rule: 'Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)'
      entryPoints:
        - 'web'
      # Internal service name.
      service: 'acme-http@internal'
      # Must stay above the catch-all below (90) so this challenge path is
      # not forwarded to Nginx.
      priority: 1000

    # 2. HTTP catch-all: every other request on "web", including ACME
    # challenges for the Nginx-managed domains, goes to Nginx.
    nginx-legacy-router:
      # Matches any non-empty Host, so requests with arbitrary Host values
      # reach Nginx; Nginx should have a default server that refuses hosts
      # it does not serve.
      # NOTE(review): routers without an explicit priority default to the
      # length of their rule, so other routers on "web" with rules shorter
      # than 90 characters lose to this catch-all - confirm that is intended.
      rule: 'HostRegexp(`^.+$`)'
      service: nginx-legacy-service
      entryPoints:
        - 'web'
      priority: 90

  services:
    nginx-legacy-service:
      loadBalancer:
        servers:
          # Unencrypted hop to Nginx.
          - url: 'http://webserver:80'