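# ./traefik/forward-to-legacy-nginx.yaml
#
# Dynamic (file provider) configuration that lets Traefik sit in front of a
# legacy Nginx which still terminates its own TLS and answers its own ACME
# HTTP-01 challenges.
#
# It depends on the following static configuration (traefik.yml), shown here
# for reference only:
#
# entryPoints:
#   web:
#     address: ":80"  # or :898 in your case
#     allowACMEByPass: true  # <--- WITHOUT THIS, TRAEFIK ALWAYS WINS
#   https:
#     address: ":443"
# certificatesResolvers:
#   letsencrypt:
#     acme:
#       email: "kovagoadi@gmail.com"
#       storage: "acme.json"
#       httpChallenge:
#         entryPoint: web

tcp:
  routers:
    # Router for LEGACY HTTPS (Passthrough)
    #
    # With passthrough Traefik forwards the encrypted stream untouched, so it
    # never sees the HTTP request: no Traefik middleware (auth, headers, rate
    # limiting) applies to these hosts. TLS versions, ciphers, certificates
    # and access control for them are enforced by Nginx alone.
    nginx-legacy-router-secure:
      # DO NOT use "*". List the domains that Nginx manages itself.
      # If you use "*", Traefik's own HTTPS domains will not work.
      rule: "HostSNI(`excali.kovagoadi.hu`) || HostSNI(`another-legacy.hu`)"
      service: nginx-legacy-service-secure
      tls:
        passthrough: true
      priority: 10
      entryPoints:
        - "https"

  services:
    nginx-legacy-service-secure:
      loadBalancer:
        servers:
          - address: "webserver:443"

http:
  routers:
    # 1. ACME HANDLER FOR TRAEFIK-MANAGED HOSTS
    #
    # Explicit router that hands HTTP-01 challenges for the host below to
    # Traefik's internal ACME service. Challenges for any other host fall
    # through to the catch-all and are answered by Nginx. Each additional
    # Traefik-managed domain has to be added to this rule, otherwise its
    # challenge goes to Nginx and certificate issuance fails.
    traefik-acme-handler:
      rule: "Host(`test-whoami.dev.kovagoadi.hu`) && PathPrefix(`/.well-known/acme-challenge/`)"
      entryPoints:
        - "web"
      service: "acme-http@internal"  # This is the internal service name
      priority: 1000  # High priority to ensure it wins

    # 2. THE HTTP CATCH-ALL (Sends other ACME and HTTP to Nginx)
    #
    # Matches every Host header on the "web" entry point and forwards the
    # request to Nginx over plain HTTP. Two things to keep in mind:
    #   - Nginx receives requests for arbitrary, client-chosen host names; give
    #     it a default server that rejects or redirects unknown hosts.
    #   - Traefik's default router priority is the rule length, so any other
    #     HTTP router on "web" needs an explicit priority above 100 or this
    #     catch-all will shadow it.
    nginx-legacy-router:
      rule: "HostRegexp(`^.+$`)"
      service: nginx-legacy-service
      entryPoints:
        - "web"
      priority: 100

  services:
    nginx-legacy-service:
      loadBalancer:
        servers:
          - url: "http://webserver:80"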