Https sni passthrough for just one docker service?

I have a fairly typical (I think) traefik deployment on docker swarm.

    command:
     - "--providers.docker=true"
     - "--providers.docker.exposedbydefault=false"
     - "--entrypoints.web.address=:80"
     - "--entrypoints.websecure.address=:443"
     - "--entrypoints.websecure.http.tls=true"

which means that normal services only need 3 labels to be exposed via https

  labels:
    - traefik.enable=true
    - traefik.http.routers.${STACK_NAME-traefik}.rule=Host("traefik.${DOMAIN}")
    - traefik.http.services.${STACK_NAME-traefik}.loadbalancer.server.port=8080

But now, I want to add step-ca as a service to my stack, and give it a vanity domain. Is it possible to have one SniHost(ca.${DOMAIN}) rule on websecure that just passes through the https traffic to the step-ca service to do its own termination?
(step-ca is an acme service that provides certificates, ultimately would be a source of on-prem certificates to both traefik and other consumers via the vanity url).

Hello @chrisbecke,

By configuring TLS on the entrypoint, you are configuring TLS termination for all requests associated with that entrypoint. You cannot specifically disable this for one router.

If you remove the TLS configuration on the entrypoint, you will require TLS configuration on all routers associated with that entrypoint.

You have more flexibility by not using entrypoint configurations, but require more per-service labels and configuration.

Thanks for confirming.
I'll just have to expose this service on a unique port then :confused: