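# ./traefik/forward-to-legacy-nginx.yaml
#
# Traefik dynamic configuration (file provider): route plain HTTP and raw TLS
# to a legacy Nginx, while letting Traefik answer ACME HTTP-01 challenges only
# for the domains it manages itself.
#
# NOTE(review): `entryPoints` and `certificatesResolvers` are Traefik *static*
# configuration and belong in traefik.yml (or CLI/env flags). The file provider
# accepts only dynamic keys (http/tcp/udp/tls) and rejects unknown top-level
# fields, so a file holding both will fail to load. The static part is kept
# below, as the author wrote it, for reference.
---
# static configuration (traefik.yml)
entryPoints:
  web:
    address: ":80"  # or :898 in your case
    # Allows user-defined routers (the legacy catch-all below) to take over
    # /.well-known/acme-challenge/ requests for domains Traefik does not manage.
    # Without it Traefik's built-in ACME handler intercepts every challenge
    # request on this entrypoint, so legacy domains could never renew.
    allowACMEByPass: true  # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS

certificatesResolvers:
  letsencrypt:
    acme:
      email: "kovagoadi@gmail.com"
      # Stores the account key, private keys and certificates; Traefik expects
      # this file to be mode 0600 and must not be committed to VCS.
      storage: "acme.json"
      # NOTE(review): with httpChallenge left commented out the resolver has no
      # challenge type, so the `acme-http@internal` service used below is
      # presumably never active — confirm before relying on the handler router.
      # httpChallenge:
      #   entryPoint: web

tcp:
  routers:
    # Router for HTTPS (Passthrough)
    # HostSNI(`*`) matches every TLS connection on the entrypoint. With
    # passthrough Traefik forwards the raw TLS stream: it does not terminate
    # TLS here, so no HTTP middlewares, access logs or inspection apply.
    nginx-legacy-router-secure:
      rule: "HostSNI(`*`)"
      service: nginx-legacy-service-secure
      # Passthrough must be true for SSL to reach Nginx encrypted
      tls:
        passthrough: true
      priority: 1
      entryPoints:
        # NOTE(review): `https` is not among the static entryPoints shown
        # above — it must be defined in traefik.yml for this router to load.
        - "https"

  services:
    # Service defining the legacy HTTPS backend
    nginx-legacy-service-secure:
      loadBalancer:
        servers:
          # Backend host:port of the legacy Nginx. `webserver` is a service /
          # container name resolved on the shared network, not a literal IP.
          - address: "webserver:443"

http:
  routers:
    # 1. ROUTE FOR TRAEFIK-MANAGED DOMAINS
    # For domains Traefik should handle, send challenges to the internal ACME service.
    traefik-acme-handler:
      rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
      entryPoints:
        - "web"
      service: "acme-http@internal"  # This is the internal service name
      priority: 1000  # High priority to ensure it wins

    # 2. THE CATCH-ALL ROUTER (LEGACY)
    # This remains your broad catch-all. Since it has lower priority,
    # the one above handles the Traefik domains, and everything else hits this.
    nginx-legacy-router:
      rule: "HostRegexp(`^.+$`)"
      service: nginx-legacy-service
      entryPoints:
        - "web"
      priority: 1  # Will catch ACME for any domain NOT listed in the handler above

  services:
    nginx-legacy-service:
      loadBalancer:
        servers:
          - url: "http://webserver:80"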