- Add TLS_MODE env to control TCP TLS behavior:
  - terminating (default): Traefik terminates TLS (tls=true + tls.certresolver)
  - passthrough: end-to-end TLS passthrough (tls.passthrough=true)
  - plaintext: plain TCP for internal/Tailscale (HostSNI(`*`) + priority=1)
- Introduce TRAEFIK_CERT_RESOLVER with default "alidns" for ACME issuance. (HTTP branch keeps optional tls.certresolver line commented for easy enablement.)
- Fix tag concatenation: use a real newline for NL so that to_json_array() parses tags line-by-line into a proper JSON array (prevents single-line tag blob).
- Improve TCP router/service tags and comments to make behavior explicit per mode, and keep HTTP branch consistent (middlewares + priority).

BREAKING CHANGE:
- TCP default changes from implicit plaintext to TLS-terminating via Traefik. If you relied on plaintext TCP previously, set `TLS_MODE=plaintext` (or use `TLS_MODE=passthrough` if your backend terminates TLS itself). Ensure Traefik has a working ACME resolver named in $TRAEFIK_CERT_RESOLVER (default "alidns") or override accordingly.
4.9 KiB
Executable File
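The three TLS_MODE branches and the newline-separated tag list described in the commit message, as an added example that is not the project's script. `tcp_tags`, the router name, the `.example.test` host, the HostSNI rule in the two TLS modes and the rejection of unknown TLS_MODE values are assumptions; the tag keys use Traefik's `traefik.tcp.routers.<name>.*` syntax.

```shell
#!/bin/sh
# Added illustration, not the project's script. Only TLS_MODE,
# TRAEFIK_CERT_RESOLVER, NL and to_json_array are names from the commit message.

# A real newline. The two characters backslash-n would leave every tag on one
# line, and to_json_array would emit a single-element array.
NL='
'

# Convert newline-separated tags into a JSON array of strings.
to_json_array() {
  printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | {
    out='' sep=''
    while IFS= read -r line; do
      [ -n "$line" ] || continue          # skip empty lines
      out="$out$sep\"$line\""; sep=','
    done
    printf '[%s]' "$out"
  }
}

# Emit TCP router tags for one service.
# $1 = router name (hypothetical), $2 = SNI host name (hypothetical)
tcp_tags() {
  r="traefik.tcp.routers.$1"
  case "${TLS_MODE:-terminating}" in
    terminating)   # Traefik terminates TLS with a certificate from the resolver
      printf '%s' "$r.rule=HostSNI(\`$2\`)${NL}$r.tls=true${NL}$r.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-alidns}" ;;
    passthrough)   # TLS stays end to end; the backend holds the certificate
      printf '%s' "$r.rule=HostSNI(\`$2\`)${NL}$r.tls.passthrough=true" ;;
    plaintext)     # no TLS, so no SNI to match on: catch-all rule, low priority
      printf '%s' "$r.rule=HostSNI(\`*\`)${NL}$r.priority=1" ;;
    *)             # assumption: a typo must not silently select plaintext
      echo "unknown TLS_MODE '$TLS_MODE'" >&2; return 1 ;;
  esac
}

# Demo with constructed values; uses TLS_MODE from the environment if set.
to_json_array "$(tcp_tags demo demo.example.test)"; echo
```
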