From 6673e6324160e64eae76e81deae5ce5a8a345e38 Mon Sep 17 00:00:00 2001
From: adlee-was-taken <aaron.daniel.lee@gmail.com>
Date: Sat, 21 Feb 2026 21:12:48 -0500
Subject: [PATCH] Enable HTTPS-only with HTTP->HTTPS redirect

SSL cert issued via Let's Encrypt. Remove HTTP fallback router,
enable redirect, reduce Traefik log level to WARN.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 docker-compose.prod.yml | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 6061d22..ae0be76 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -56,15 +56,10 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.docker.network=golfgame_web"
-      # HTTPS route (primary, once DNS + cert are working)
       - "traefik.http.routers.golf.rule=Host(`${DOMAIN:-golf.example.com}`)"
       - "traefik.http.routers.golf.entrypoints=websecure"
       - "traefik.http.routers.golf.tls=true"
       - "traefik.http.routers.golf.tls.certresolver=letsencrypt"
-      # HTTP route (fallback for testing before DNS/cert)
-      - "traefik.http.routers.golf-http.rule=Host(`${DOMAIN:-golf.example.com}`)"
-      - "traefik.http.routers.golf-http.entrypoints=web"
-      - "traefik.http.routers.golf-http.service=golf"
       - "traefik.http.services.golf.loadbalancer.server.port=8000"
       # WebSocket sticky sessions
       - "traefik.http.services.golf.loadbalancer.sticky.cookie=true"
@@ -119,13 +114,12 @@ services:
       - "--api.dashboard=true"
       - "--api.insecure=true"
       - "--accesslog=true"
-      - "--log.level=DEBUG"
+      - "--log.level=WARN"
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:80"
-      # HTTP->HTTPS redirect disabled until DNS propagates and cert is issued
-      # - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
-      # - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
       - "--entrypoints.websecure.address=:443"
       - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
       - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"