From 7cc013eaf232959a9ad648b57cb99b6fd1753ae3 Mon Sep 17 00:00:00 2001 From: poduck Date: Wed, 3 Dec 2025 17:19:21 -0500 Subject: [PATCH] fix(traefik): Add TCP router with HostSNIRegexp for wildcard subdomain TLS MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add a TCP-level router using HostSNIRegexp to match unknown subdomains at the TLS layer and terminate TLS with wildcard certificate. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .../compose/production/traefik/traefik.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/smoothschedule/compose/production/traefik/traefik.yml b/smoothschedule/compose/production/traefik/traefik.yml index 71f96c4..dbfb663 100644 --- a/smoothschedule/compose/production/traefik/traefik.yml +++ b/smoothschedule/compose/production/traefik/traefik.yml @@ -53,6 +53,29 @@ tls: sans: - "*.smoothschedule.com" +tcp: + routers: + # Catch-all for tenant subdomains at TLS layer + # This matches any subdomain that isn't handled by specific HTTP routers + subdomain-sni-router: + rule: 'HostSNIRegexp(`^[a-z0-9-]+\\.smoothschedule\\.com$`)' + entryPoints: + - web-secure + service: nginx-tcp + tls: + passthrough: false + certResolver: letsencrypt-dns + domains: + - main: "smoothschedule.com" + sans: + - "*.smoothschedule.com" + + services: + nginx-tcp: + loadBalancer: + servers: + - address: "nginx:80" + http: routers: # Main domain and www
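Review bot: The rule on `subdomain-sni-router` most likely never matches: inside a single-quoted YAML scalar and a backtick-delimited rule string nothing unescapes `\\.`, so the regexp engine reads it as a literal backslash followed by any character, which no SNI hostname contains. Assuming Traefik v3 regexp syntax, the pattern should be `^[a-z0-9-]+\.smoothschedule\.com$`. Once it does match, the comment "isn't handled by specific HTTP routers" no longer holds, because Traefik applies TCP routers before HTTP routers on a shared entry point. Every single-label subdomain on `web-secure` would then go to `nginx-tcp` and skip any middlewares (redirects, security headers, auth, rate limits) attached to the HTTP routers, which lie outside this hunk. `nginx:80` would also receive the decrypted stream without the `X-Forwarded-For`/`X-Forwarded-Proto` headers Traefik adds on HTTP routes, so an HTTP router using `HostRegexp` with the same `tls.domains` block looks like the safer way to get the wildcard certificate served.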