Best way to either match all hosts but exclude one (in this case, direct to the server's IP), or to drop a connection to a specific host with no response?

I've recently updated my logging (I'm now parsing Traefik's logs via Fluentd and running through Kibana & Elasticsearch), and I've noticed that when I get a request direct to the server's IP it gets grabbed by my "match all http and redirect to https" rule, and then a 404 via https with an "invalid" certificate (traefik's inbuilt default one) since it doesn't match any additional rules. Since these requests are mostly (entirely?) vulnerability scans, ideally I don't want them getting any response, and definitely don't want that default Traefik cert sent to avoid being on a list of potentially vulnerable servers if an exploit is found in the future.

First thought was to shift my rule that matches all http requests to match all http requests EXCEPT ones that match my ip, but it looks like Go's regex parser doesn't support negative lookups, so that won't work.

Next thought was to have a rule with higher priority that matches requests to the IP and drops them into the void, but having hunted through the docs and googled I can't seem to spot such functionality.

Any suggestions as to the best way to drop such requests with as little response to the sender as possible?

Hi @Lastof

For TLS connections you can look at strict-sni-checking

If you are redirecting http to https that should be enough.

For http you can add a low priority PathPrefix(`/`) rule with a noop@internal service (this returns 418).
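The two measures from the reply above, written out as a Traefik v2 dynamic configuration for the file provider. This is an added example, not configuration from the thread or from the Traefik project; the entry point names `web` and `websecure`, the hostname `example.com` and the backend URL are assumptions. Note that the redirect router is scoped to a named host rather than matching everything: Traefik ranks routers by rule length unless a `priority` is set, so a match-all redirect router would outrank a `PathPrefix(`/`)` catch-all at priority 1 and the catch-all would never fire.

```yaml
# Traefik v2 dynamic configuration (file provider). Added example, not from the
# original thread. "web"/"websecure", "example.com" and the backend URL are
# assumptions.
http:
  routers:
    # Real site on plain HTTP: matches only the hostname we serve and redirects
    # to HTTPS. The service is never reached because the middleware answers first.
    app-http:
      entryPoints:
        - web
      rule: "Host(`example.com`)"
      middlewares:
        - to-https
      service: noop@internal

    # Real site on HTTPS, using the "default" TLS options defined below.
    app-https:
      entryPoints:
        - websecure
      rule: "Host(`example.com`)"
      tls: {}
      service: app

    # Catch-all for anything else on plain HTTP, e.g. requests sent to the bare
    # IP. priority 1 is the lowest explicit priority, so every named-host router
    # wins over it. noop@internal replies 418 with no body and no redirect.
    sink-http:
      entryPoints:
        - web
      rule: "PathPrefix(`/`)"
      priority: 1
      service: noop@internal

  middlewares:
    to-https:
      redirectScheme:
        scheme: https
        permanent: true

  services:
    app:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"   # assumed backend

tls:
  # The "default" option set applies to every TLS router that does not select
  # another one. sniStrict rejects handshakes that carry no server_name or a
  # server_name matching no configured certificate, so the built-in default
  # certificate is never presented to a client that connected by IP address.
  options:
    default:
      sniStrict: true
      minVersion: VersionTLS12
```

With this in place a scanner hitting the IP on port 443 gets a failed TLS handshake and no certificate, and one hitting port 80 gets a bare 418 status line from the catch-all instead of a redirect to the default-certificate endpoint. The 418 is still a response, which is the closest Traefik offers to "drop" within what the thread describes; check the access log for `RouterName` equal to the catch-all router to confirm IP-based requests are landing there rather than on the redirect router.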