I've recently updated my logging (I'm now parsing Traefik's logs via Fluentd and running through Kibana & Elasticsearch), and I've noticed that when I get a request direct to the server's IP it gets grabbed by my "match all http and redirect to https" rule, and then a 404 via https with an "invalid" certificate (Traefik's inbuilt default one) since it doesn't match any additional rules. Since these requests are mostly (entirely?) vulnerability scans, ideally I don't want them getting any response, and definitely don't want that default Traefik cert sent, to avoid being on a list of potentially vulnerable servers if an exploit is found in the future.
First thought was to shift my rule that matches all http requests to match all http requests EXCEPT ones that match my IP, but it looks like Go's regex parser doesn't support negative lookups, so that won't work.
Next thought was to have a rule with higher priority that matches requests to the IP and drops them into the void, but having hunted through the docs and googled I can't seem to spot such functionality.
Any suggestions as to the best way to drop such requests with as little response to the sender as possible?
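The regex limitation described in the post, as an added example that is not part of the original post: Go's `regexp` package rejects a negated pattern, while a positive match on the address compiles, and a Host header can be classified as an IP literal without any regex. The address `203.0.113.10` is a documentation placeholder, the helper names are hypothetical, and nothing here uses Traefik's own API.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// compiles reports whether Go's regexp package (RE2 syntax) accepts pattern.
func compiles(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

// hostIsIPLiteral reports whether a Host header value is a bare IPv4/IPv6
// address, with or without a port, rather than a hostname.
func hostIsIPLiteral(host string) bool {
	h := host
	if hp, _, err := net.SplitHostPort(host); err == nil {
		h = hp // port stripped; IPv6 brackets already removed
	}
	h = strings.TrimSuffix(strings.TrimPrefix(h, "["), "]")
	return net.ParseIP(h) != nil
}

func main() {
	// Negation via lookahead is rejected by RE2; a positive match on the
	// address compiles, so "match the IP" has to be its own rule.
	fmt.Println("negative lookahead compiles:", compiles(`^(?!203\.0\.113\.10$).+$`))
	fmt.Println("positive IP match compiles: ", compiles(`^203\.0\.113\.10(:\d+)?$`))

	// Constructed Host header values.
	for _, h := range []string{
		"203.0.113.10", "203.0.113.10:443", "[2001:db8::1]:443",
		"[2001:db8::1]", "example.com", "example.com:8443",
	} {
		fmt.Printf("%-20s ip-literal=%v\n", h, hostIsIPLiteral(h))
	}
}
```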