Default container / Wildcard Host rule

Hello everyone,

I am trying to deploy a sort of "catch-all" container for requests with an unknown Host header (or rather, a Host header for a domain for which I don't yet have a matching container).
E.g.:
I have a container for foo.example.com and bar.example.com.
But if a request comes for bas.example.com, I'd like it to be routed to a sort-of default container.

The goal is to stop enumeration attacks by replying with a (seemingly) identical HTTP page, even for subdomains I did not configure yet.

I tried achieving that by the following router rules:

Host(`*`)
Host(`*.example.com`)
HostRegexp(`^.+\.example\.com`)

None of them result in the request being routed into the correct container.

Furthermore, having enabled Traefik's access log, I can see that requests for domains I have previously explicitly defined contain both the Frontend name and the Backend IP the request was routed to.

But neither of those is defined for requests that should be handled by the catch-all container (both are "-"), and as there's no container to handle the requests, a 404 is returned.

Other domains (for containers with router rules like Host(`foo.example.com`)) work fine.

Using Traefik v2.10 as an ingress with the Docker provider.

Any tips on how to further debug the issue would be very appreciated!

For starters, Host() does not accept wildcards.

Be aware that most traffic nowadays uses https, so a catch-all is only possible with a wildcard cert for one level of the domain. Otherwise requests will get Traefik's custom default cert, the client will not trust it, and you will see errors in the log.

Yep, I'm well aware. I have a valid wildcard cert served by nginx, which stands in front of Traefik as the TLS terminator and then forwards the traffic over plain-text HTTP to a locally bound Traefik port.

And it did occur to me that the wildcard might be the issue, which is why I tried regular expression matching next.

Yet it doesn't seem to match, which is why I started this thread to ask for help.

If I do a docker container inspect on the container, it does show the rule being parsed correctly:

"Labels": {
    ...
    "traefik.docker.network": "traefik",
    "traefik.enable": "True",
    "traefik.http.routers.zzz_catchall.rule": "HostRegexp(`^.+.example.com`)"
}

Yet foobar.example.com is not routed to the container. In fact, it's not routed to any container, resulting in this access log entry:
172.21.0.1 - - [13/Aug/2024:13:11:25 +0000] "GET / HTTP/1.0" 404 19 "-" "-" 18 "-" "-" 0ms

No frontend, no backend IP, nothing.

For catch-all, you can probably just use PathPrefix(`/`) without Host().
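As an added illustration of the catch-all approach suggested above (this is example configuration written for this page, not config from the thread or from the Traefik project): a docker-compose fragment with one explicitly named router (foo) next to a catch-all router that matches every request regardless of Host header. The service names, the "web" entrypoint, the "traefik" network and the decoy image are assumptions for illustration. The catch-all uses PathPrefix(`/`) as the reply proposes; the Traefik v2 named-group form HostRegexp(`{any:.+}`) is shown as an alternative in a comment.

```yaml
# Added example, not from the original thread. Assumed names: services
# "foo" and "catchall", entrypoint "web", docker network "traefik".
services:
  foo:
    image: nginx:alpine              # stand-in for the real foo.example.com app
    networks: [traefik]
    labels:
      traefik.enable: "true"
      traefik.docker.network: "traefik"
      traefik.http.routers.foo.rule: "Host(`foo.example.com`)"
      traefik.http.routers.foo.entrypoints: "web"
      traefik.http.services.foo.loadbalancer.server.port: "80"

  catchall:
    image: nginx:alpine              # serves the decoy page for unknown hosts
    networks: [traefik]
    labels:
      traefik.enable: "true"
      traefik.docker.network: "traefik"
      # Match every request, whatever the Host header says.
      traefik.http.routers.catchall.rule: "PathPrefix(`/`)"
      # Traefik v2 alternative using its {name:regexp} syntax:
      # traefik.http.routers.catchall.rule: "HostRegexp(`{any:.+}`)"
      traefik.http.routers.catchall.entrypoints: "web"
      # Lowest priority so every Host(...) router is evaluated first.
      # (Traefik's default priority is the rule length, which would already
      # rank Host(`foo.example.com`) above PathPrefix(`/`), but making it
      # explicit avoids surprises when rules change.)
      traefik.http.routers.catchall.priority: "1"
      traefik.http.services.catchall.loadbalancer.server.port: "80"

networks:
  traefik:
    external: true
```

For the enumeration-resistance goal to hold, the decoy served by the catch-all has to look the same as what a configured host returns for an unknown request: same status code, same headers and body. If the real hosts answer with their application and the catch-all answers with a stock 404 or a differently sized page, the difference itself tells an attacker which subdomains exist, so it is worth comparing the two responses with something like curl -i before relying on it.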