fix(traefik): Add TLS store for wildcard subdomain routing

- Add default TLS store with wildcard certificate for unknown SNIs - Add priority=1 to subdomain-router for catch-all behavior - Use proper Traefik v3 HostRegexp syntax with anchors 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-03 17:14:36 -05:00
parent 13441d88fc
commit a723d784cd
1 changed files with 13 additions and 1 deletions
--- a/smoothschedule/compose/production/traefik/traefik.yml
+++ b/smoothschedule/compose/production/traefik/traefik.yml
@@ -43,6 +43,16 @@ certificatesResolvers:
          - "1.1.1.1:53"
          - "8.8.8.8:53"

+tls:
+  stores:
+    default:
+      defaultGeneratedCert:
+        resolver: letsencrypt-dns
+        domain:
+          main: "smoothschedule.com"
+          sans:
+            - "*.smoothschedule.com"
+
 http:
  routers:
    # Main domain and www
@@ -103,8 +113,10 @@ http:
    # Wildcard subdomain router for tenant subdomains
    # Uses DNS challenge for wildcard certificate (*.smoothschedule.com)
    # Routes to nginx which serves the frontend SPA and proxies /api/ to Django
+    # Low priority (1) ensures specific domain routers match first
    subdomain-router:
-      rule: 'HostRegexp(`[a-z0-9-]+\\.smoothschedule\\.com`)'
+      rule: 'HostRegexp(`^[a-z0-9-]+\\.smoothschedule\\.com$`)'
+      priority: 1
      entryPoints:
        - web-secure
      middlewares: