Situation
I have a datacenter (DC) server hosted on Hetzner that forwards incoming web traffic via a WireGuard tunnel to a local office server. On the local server, Traefik runs as a reverse proxy inside a rootless Podman container.
My known, valid services are hosted on two specific subdomains: affine.creature-go.com and openwebui.creature-go.com.
Problem
Bots and script kiddies are scanning my Hetzner IP directly or guessing random subdomains. Traefik is currently returning standard 404 Not Found errors for these unmatched requests (which show up in my logs as "-" "-"). This is wasting my WireGuard tunnel bandwidth and consuming local server resources.
Strategy: A Traefik "Black Hole"
To discourage bots and save resources, I want to implement a "Black Hole" catch-all router in Traefik. The goal is to intercept any request that does not explicitly match my valid subdomains and immediately reject it with a 403 Forbidden, preventing Traefik from wasting time looking for a backend.
The planned architecture for this is:
- Rule: A catch-all matching all hosts: HostRegexp('{any:.*}')
- Priority: The lowest possible priority (e.g., priority: 1) so my valid domains are always evaluated first.
- Middleware: An ipAllowList middleware restricted to an impossible source like 127.0.0.1/32. This forces a 403 for all external traffic hitting the rule.
- Service: Routed to Traefik's built-in noop@internal dummy service.
Your Task
Please act as a Traefik and Podman expert and provide the following:
- The dynamic YAML configuration needed to create this Black Hole router and middleware.
- Verification steps: How can I ensure my existing valid routers (Affine and OpenWebUI) have the correct priority to avoid getting swallowed by this new Black Hole?
Current Traefik configuration files
My current Traefik configuration files are attached.
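The following dynamic configuration is an added example of the Black Hole router and middleware described above; it is not part of the original post and the poster's attached configuration files are not reproduced here. It assumes Traefik v3 rule syntax (in v3 the catch-all is written HostRegexp(`.+`); the v2 form is HostRegexp(`{any:.*}`)), a file provider, and entry points named web and websecure. The file name blackhole.yml and the router and middleware names are arbitrary.

```yaml
# blackhole.yml - dynamic configuration loaded by Traefik's file provider.
# Example added for illustration; adapt entry point names to your static config.
http:
  routers:
    blackhole:
      # Traefik v3 syntax: match every Host header. (Traefik v2: "HostRegexp(`{any:.*}`)")
      rule: "HostRegexp(`.+`)"
      # Explicit lowest priority. Routers without an explicit priority get
      # priority = length of their rule string, so a rule such as
      # Host(`affine.creature-go.com`) (about 30 characters) always wins over 1.
      priority: 1
      entryPoints:
        - web
        - websecure
      middlewares:
        - blackhole-deny
      # Built-in no-op service: the request never reaches a real backend.
      service: noop@internal
      # Optional: let Traefik answer TLS for unknown SNI with its default cert.
      # Without this block the router only handles plain HTTP on websecure-less setups.
      tls: {}

  middlewares:
    blackhole-deny:
      ipAllowList:
        # No client can arrive from loopback, so every request is rejected with 403.
        # ipAllowList checks the TCP RemoteAddr by default; it only trusts
        # X-Forwarded-For if you add an ipStrategy, so clients cannot spoof their way in.
        sourceRange:
          - "127.0.0.1/32"
```

Verification (assumed hostnames and ports): from a machine that can reach the local Traefik, curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: random.creature-go.com' https://LOCAL-IP/ should return 403, while the same request with -H 'Host: affine.creature-go.com' should still return the service's response. If the Traefik API is enabled, GET /api/http/routers lists each router with its effective priority, which lets you confirm the Affine and OpenWebUI routers rank above 1. One caveat: the 403 is only sent after the TCP handshake and, on websecure, after the TLS handshake, so this saves backend work and log noise but the connection itself still crosses the WireGuard tunnel; rejecting unwanted traffic earlier would have to happen on the Hetzner host.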