How should a series of Traefik proxies be chained together?

I have a series of Traefik proxies across a couple of hosts/networks that I am trying to consolidate. What is the appropriate method for linking these proxies together such that proxy1 will be the entry point? Proxy1 will handle any routes configured. If a request doesn't match any configured routes, the (encrypted) request will be forwarded to the next proxy in the chain. The process would repeat on proxy2, etc.

I have a configuration now where I have a catchall TCP router that forwards any request (using the proxy protocol, I think) that matches it to the next proxy in the chain. That seems to work for the most part. However, intermittently, this chain of proxies will return 404 instead of routing to the service. If I perform a hard refresh (ctrl+shift+r in FF), the proxies sort themselves out and my request is routed to the correct service.

The main challenge is that the first Traefik cannot decode the requests without knowing the TLS cert. You can only use HostSNI(`*`) without the cert, otherwise Traefik will create a custom one. But this TCP router will be matched before any HTTP router, so it just does not work, as it will "catch all".

You could set up your first Traefik with a Let's Encrypt wildcard cert (dnsChallenge), then you can match the domains. The question is how you forward your requests. You could send them unencrypted, use another LE cert (note the issuing limits), or let Traefik build an internal custom TLS cert and just set insecureSkipVerify on the originating Traefik.
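The layout suggested in the reply above, sketched as a Traefik file-provider dynamic configuration for the edge proxy (an added example, not posted by anyone in the thread). The entry point name `websecure`, the resolver name `le`, and all hostnames and addresses are assumptions.

```yaml
# Dynamic configuration for the edge proxy (proxy1).
# All names, hosts and addresses are constructed placeholders.
http:
  routers:
    # A service that proxy1 handles itself.
    app1:
      entryPoints: ["websecure"]
      rule: "Host(`app1.example.com`)"
      service: app1
      tls:
        certResolver: le            # assumed resolver using dnsChallenge
        domains:
          - main: "example.com"
            sans: ["*.example.com"]

    # Fallback: whatever no other HTTP router claimed goes to proxy2.
    # An explicit priority of 1 keeps it below every other router.
    to-proxy2:
      entryPoints: ["websecure"]
      rule: "PathPrefix(`/`)"
      priority: 1
      service: proxy2
      tls:
        certResolver: le

  services:
    app1:
      loadBalancer:
        servers:
          - url: "http://10.0.0.10:8080"
    proxy2:
      loadBalancer:
        passHostHeader: true        # proxy2 routes on the original Host
        serversTransport: to-proxy2
        servers:
          - url: "https://10.0.1.2:443"

  serversTransports:
    to-proxy2:
      # Option A (from the reply): proxy2 presents Traefik's internal
      # cert, so verification is off and this hop is unauthenticated.
      insecureSkipVerify: true
      # Option B: proxy2 holds its own valid cert; keep verification
      # on and name the host the cert is checked against.
      # insecureSkipVerify: false
      # serverName: "proxy2.example.com"
```

Because TLS is terminated on proxy1, no `HostSNI(`*`)` TCP router is needed on the shared entry point, so nothing pre-empts the HTTP routers.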

As it stands, I'm using Let's Encrypt on all the Traefik proxies in the chain. They're all getting wildcard certs for the same domain.

Is it not possible to set the priority on the fallback TCP router such that it gets matched after any other configured routers? Or is the issue that (because TLS passthrough is in use) the traffic is never decrypted, so HTTP routers cannot match?

TCP routers are always matched before HTTP routers (doc):

If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.

I see. That is likely my issue then.

I guess I will have to bite the bullet and register all the services with the TCP router on the edge proxy.

Thank you for your help!