From 2700def7b66d6d637b6e214f384e2732e9326229 Mon Sep 17 00:00:00 2001 From: josedario87 Date: Sat, 1 Nov 2025 01:24:17 -0600 Subject: [PATCH] Agregar labels TCP para passthrough de agentes MeshCentral MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Configurado router TCP con SNI para mesh-agents subdomain - Habilitado TLS passthrough para que MeshCentral maneje su propio certificado SSL - TCP service apunta al puerto 443 interno del contenedor - Mejorada organización de labels con secciones HTTP y TCP --- docker-compose.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 74ddb9e..afcc7ec 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -44,6 +44,10 @@ services: - "traefik.enable=true" - "traefik.docker.network=principal" + # ====================================================================== + # HTTP Services & Routers - Para Web UI de usuarios + # ====================================================================== + # Service - Conexión HTTP interna (Traefik maneja HTTPS hacia el exterior) - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=81" 
@@ -70,6 +74,21 @@ services: - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Host=${APP_DOMAIN}" - "traefik.http.middlewares.${APP_NAME}-headers.headers.sslredirect=true" + # ====================================================================== + # TCP Router & Service - Para agentes con TCP Passthrough + # ====================================================================== + # Los agentes se conectarán a mesh-agents.nucleoriofrio.com + # y verán el certificado SSL de MeshCentral (no el de Traefik) + + # TCP Router - SNI routing para subdominio de agentes + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.rule=HostSNI(`mesh-agents.${APP_DOMAIN#*.}`)" + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.entrypoints=websecure" + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.tls.passthrough=true" + - "traefik.tcp.routers.${APP_NAME}-agents-tcp.service=${APP_NAME}-tcp" + + # TCP Service - Conexión directa al puerto HTTPS de MeshCentral + - "traefik.tcp.services.${APP_NAME}-tcp.loadbalancer.server.port=443" + networks: principal: external: true
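Review bot: The `HostSNI` rule on the new TCP router uses `${APP_DOMAIN#*.}`, and Compose interpolation does not implement the shell's `#` prefix-stripping form, so the label will most likely be rejected or fail to render as the `mesh-agents.nucleoriofrio.com` name given in the comment. Pass the agent hostname in its own variable instead, for example ``- "traefik.tcp.routers.${APP_NAME}-agents-tcp.rule=HostSNI(`${AGENTS_DOMAIN}`)"``, where `AGENTS_DOMAIN` is a placeholder name to be defined alongside `APP_DOMAIN`. Separately, with `tls.passthrough=true` Traefik forwards the raw TLS stream to container port 443, so the `${APP_NAME}-headers` middleware and anything else attached to the HTTP router never sees this traffic. Whatever MeshCentral serves on 443 is therefore reachable under the agents hostname with only MeshCentral's own controls in front of it; a comment above the router should say so, and that port should be limited to agent traffic on the MeshCentral side if its configuration allows. The `labels:` list this hunk extends starts outside the hunk.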