Enable TLS passthrough for Matrix federation on ports 12244 and 443

2026-02-10 18:20:39 +01:00 · 2026-02-10 18:20:39 +01:00 · 5feeff9d3e
commit 5feeff9d3e
parent 8c543be367
1 changed files with 16 additions and 0 deletions
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -170,6 +170,22 @@
            rule = "HostSNI(`*`)";
            service = "matrix-federation";
            entryPoints = ["federation"];
+            # Pass TLS through to the backend (Conduit handles TLS on port 12244)
+            tls = {
+              passthrough = true;
+            };
+          };
+          # Also accept TLS passthrough on port 443 for the Matrix host so
+          # other servers that contact :443/_matrix/*
+          # will be forwarded to Conduit as well.
+          matrix-tls443 = {
+            # match by SNI to avoid interfering with other HTTPS sites
+            rule = "HostSNI(`lgbtq.prg-radio.org`)";
+            service = "matrix-federation";
+            entryPoints = ["websecure"];
+            tls = {
+              passthrough = true;
+            };
          };
        };