From 06bad201232dea7f474155eb383c97cc30107a11 Mon Sep 17 00:00:00 2001
From: Michael Schiemer
Date: Sat, 8 Nov 2025 18:46:27 +0100
Subject: [PATCH] fix: Explicitly exclude ACME challenge path from HTTPS redirect

- Add explicit exclusion of /.well-known/acme-challenge from catch-all redirect
- Ensures ACME challenges are never redirected to HTTPS
- Traefik handles ACME challenges automatically, but explicit exclusion is safer
---
 deployment/stacks/traefik/docker-compose.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/deployment/stacks/traefik/docker-compose.yml b/deployment/stacks/traefik/docker-compose.yml
index c7b96d0b..464acd5f 100644
--- a/deployment/stacks/traefik/docker-compose.yml
+++ b/deployment/stacks/traefik/docker-compose.yml
@@ -54,7 +54,8 @@ services:
 # Global redirect to HTTPS (lower priority, matches everything else)
 # ACME challenges are excluded from redirect automatically by Traefik
- - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
+ # Explicitly exclude ACME challenge path to be safe
+ - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`) && !PathPrefix(`/.well-known/acme-challenge`)"
 - "traefik.http.routers.http-catchall.entrypoints=web"
 - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
 - "traefik.http.routers.http-catchall.priority=1"
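Review bot: The new exclusion on the `http-catchall` rule is wider than the ACME directory, because `PathPrefix` is a plain string-prefix match and so also exempts sibling paths such as `/.well-known/acme-challenge-anything` from the HTTPS redirect. Ending the prefix with a slash keeps the cleartext exception to the token directory only: ``!PathPrefix(`/.well-known/acme-challenge/`)``. The two adjacent comments now read as contradictory ("excluded automatically" next to "explicitly exclude"); a single comment such as `# Traefik answers HTTP-01 challenges itself when httpChallenge is enabled; the explicit exclusion is defence in depth` would say why both hold. The label list continues outside the hunk, so whether another router on `web` can serve this path over plain HTTP cannot be confirmed from here and is worth checking.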