---
# ./traefik/forward-to-legacy-nginx.yaml
#
# Traefik dynamic configuration that forwards traffic to a legacy Nginx
# reachable as "webserver": TLS is passed through on the "https" entry point
# and plain HTTP is proxied on the "web" entry point.
# Both entry point names must exist in the static configuration, which is
# not part of this file.

tcp:
  routers:
    # Router for HTTPS (passthrough).
    nginx-legacy-router-secure:
      entryPoints:
        - 'https'
      # Catch-all: HostSNI(`*`) matches every server name.
      rule: 'HostSNI(`*`)'
      priority: 10
      service: nginx-legacy-service-secure
      tls:
        # Passthrough must be true for SSL to reach Nginx encrypted.
        # Traefik does not terminate TLS for this router, so certificates,
        # protocol versions and ciphers are whatever Nginx is configured
        # with, and Traefik HTTP middlewares (auth, security headers, rate
        # limits) cannot be applied to this traffic.
        passthrough: true

  services:
    # Backend for the passthrough router.
    nginx-legacy-service-secure:
      loadBalancer:
        servers:
          # Address and TLS port of the Nginx server.
          - address: 'webserver:443'

http:
  routers:
    # 1. TRAEFIK-MANAGED ACME HANDLER
    # Answers HTTP-01 challenges for the one host Traefik manages itself.
    traefik-acme-handler:
      entryPoints:
        - 'web'
      rule: 'Host(`test-whoami.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)'
      # Internal service name provided by Traefik for ACME HTTP challenges.
      service: 'acme-http@internal'
      # Higher than the catch-all below (90), so this router is tried first.
      priority: 1000

    # 2. THE HTTP CATCH-ALL
    # Every other host, including its ACME challenge requests, goes to Nginx.
    nginx-legacy-router:
      entryPoints:
        - 'web'
      # Regex syntax as used by Traefik v3 rules; confirm against the
      # deployed Traefik version.
      rule: 'HostRegexp(`^.+$`)'
      # NOTE(review): Traefik's default router priority is the length of the
      # rule string, so a container router without an explicit priority and
      # with a rule shorter than 90 characters would rank below this
      # catch-all. Verify that the specific routers set a priority above 90,
      # otherwise their traffic is sent to Nginx instead.
      priority: 90
      service: nginx-legacy-service

  services:
    nginx-legacy-service:
      loadBalancer:
        servers:
          # Unencrypted hop from Traefik to Nginx; presumably an internal
          # container network. Confirm it is not reachable from outside.
          - url: 'http://webserver:80'