How to route TCP after matching HTTP rules?

I am running Traefik on a VPS that has a site-to-site WireGuard tunnel to my homeserver. I am running a couple of bandwidth-intensive services directly on the VPS and some other, i.e. compute-intensive, stuff on my homeserver.

Ideally, Traefik would just scan the labels of all my Docker containers running on the VPS, match their rules, route applicable requests, do TLS termination for them and - if no match is found - pass off anything untouched to the homeserver.

I found out that this can be done - when using http requests - by giving the local rules a higher priority and making a catch-all with a lower priority to the homeserver.

Optimally, the fallback would just do a TCP passthrough, so the remote host can take care of redirecting http/https, do TLS termination and so on.

Unfortunately, it seems that this is not possible with Traefik?! If my research is correct, TCP and HTTP routers are handled independently, with priorities only applicable for TCP rules with other TCP rules and http rules with other http rules, but not mixed TCP/HTTP.

On top of that, TCP rules are handled before http rules, so it's technically not possible to have a TCP catch-all router AFTER http routers: nothing would ever reach the local http hosts even if there is a matching rule.

So what are my options here to route any host unknown to the VPS' Traefik, regardless of whether it is an http/https request, to the homeserver?

If both HTTP routers and TCP routers listen to the same EntryPoint, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.

Doc

If all your services use TLS, you can use HostSNI() to match them. But Traefik would need to have access to all TLS certs used, even the ones from the home server.

They are not necessarily services that need TCP, I just want the existing infrastructure to work with as few changes as possible.

My homeserver handled incoming requests directly on its own in the past, so ha-proxy was doing TLS offloading, route matching etc. I don't have time to change all that setup to Traefik right now, so my idea was to place Traefik on the VPS before ha-proxy, sieve out the http requests for the VPS and hand the rest off to ha-proxy as it was before.

Obviously the easiest would be to just pass through the TCP traffic.