Allow handling ACME challenges with custom routers

pkg/provider/traefik/internal.go

@@ -87,15 +87,27 @@ func (i *Provider) createConfiguration(ctx context.Context) *dynamic.Configurati
 }
 
 func (i *Provider) acme(cfg *dynamic.Configuration) {
-	var eps []string
+	allowACMEByPass := map[string]bool{}
+	for name, ep := range i.staticCfg.EntryPoints {
+		allowACMEByPass[name] = ep.AllowACMEByPass
+	}
 
+	var eps []string
+	var epsByPass []string
 	uniq := map[string]struct{}{}
 	for _, resolver := range i.staticCfg.CertificatesResolvers {
 		if resolver.ACME != nil && resolver.ACME.HTTPChallenge != nil && resolver.ACME.HTTPChallenge.EntryPoint != "" {
-			if _, ok := uniq[resolver.ACME.HTTPChallenge.EntryPoint]; !ok {
-				eps = append(eps, resolver.ACME.HTTPChallenge.EntryPoint)
-				uniq[resolver.ACME.HTTPChallenge.EntryPoint] = struct{}{}
+			if _, ok := uniq[resolver.ACME.HTTPChallenge.EntryPoint]; ok {
+				continue
 			}
+			uniq[resolver.ACME.HTTPChallenge.EntryPoint] = struct{}{}
+
+			if allowByPass, ok := allowACMEByPass[resolver.ACME.HTTPChallenge.EntryPoint]; ok && allowByPass {
+				epsByPass = append(epsByPass, resolver.ACME.HTTPChallenge.EntryPoint)
+				continue
+			}
+
+			eps = append(eps, resolver.ACME.HTTPChallenge.EntryPoint)
 		}
 	}
 
@@ -110,6 +122,17 @@ func (i *Provider) acme(cfg *dynamic.Configuration) {
 		cfg.HTTP.Routers["acme-http"] = rt
 		cfg.HTTP.Services["acme-http"] = &dynamic.Service{}
 	}
+
+	if len(epsByPass) > 0 {
+		rt := &dynamic.Router{
+			Rule:        "PathPrefix(`/.well-known/acme-challenge/`)",
+			EntryPoints: epsByPass,
+			Service:     "acme-http@internal",
+		}
+
+		cfg.HTTP.Routers["acme-http-bypass"] = rt
+		cfg.HTTP.Services["acme-http"] = &dynamic.Service{}
+	}
 }
 
 func (i *Provider) redirection(ctx context.Context, cfg *dynamic.Configuration) {