Apologies in advance if I'm missing something. I've found similar questions from the past, but none with a solution that works for me.
I have a single entryPoint on port 443, with a handful of associated Routers that do TLS and use Host rules, with a wildcard certificate that I've generated and manage outside Traefik (hence no certResolver). Ideally I want all connections to complete TLS using an SNI that matches a rule for one of my Routers (possible separate topic), and be dropped otherwise.
The problem that I'm running into is that HTTP requests on port 443 without any attempt at TLS are getting a response. It's always a 404 response, because (presumably) there's no Router that matches, so it's not actually exposing any content, but it is exposing the fact that there's an HTTP service of some sort and, in my mind at least, would seem to encourage an attacker to keep trying. I would prefer to shut the door with minimal response (perhaps a TCP reset) if anything other than a TLS handshake is attempted.
These non-TLS HTTP requests are logged like:
<client_ip> - - [11/Dec/2024:12:21:13 +0000] "GET /p0wn_attempt HTTP/1.1" 404 19 "-" "-" 12 "-" "-" 0ms
My main config contains:
providers:
  docker:
    exposedByDefault: false
  file:
    directory: /dynamic

entryPoints:
  webTls:
    address: ":443"
    http:
      tls: {}
and dynamic/tls.yml contains:
tls:
  certificates:
    - certFile: /certs/chain.pem
      keyFile: /certs/privkey.pem
  options:
    default:
      sniStrict: true
Past discussions in Google results suggest that simply specifying tls for the entryPoint should make it required, but that does not appear to be the case for me.
What am I missing?
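A way to check the behaviour described in the question from the outside, as an added example that is not part of the original post and not Traefik code: it sends a plaintext HTTP request to the TLS port and classifies whatever comes back (an HTTP response, a TLS alert, a silent close, or a reset), then attempts TLS handshakes with whichever SNI names are given, so the sniStrict rejection can be observed too. The host, port and SNI names are assumed to be supplied on the command line; the probe request itself is constructed here.

```python
"""Probe a TLS port: does it answer plaintext HTTP, and does it reject unknown SNI?

Added example for verifying the behaviour discussed above; not part of the
original post and not Traefik-specific. Host, port and SNI names are assumed
to come from the command line.
"""
import socket
import ssl
import sys

# Constructed plaintext request, modelled on the kind of probe seen in the access log.
PLAINTEXT_REQUEST = (
    b"GET /probe HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: close\r\n\r\n"
)


def classify_first_bytes(data: bytes) -> str:
    """Classify what a server sent back to a plaintext HTTP request on a TLS port.

    'http'    - a plaintext HTTP response: the port answers non-TLS clients
                (the behaviour the question wants to stop)
    'tls'     - a TLS record (alert 0x15 or handshake 0x16): the server only speaks TLS
    'closed'  - the server closed the connection without sending anything
    'unknown' - anything else (some other plaintext protocol, garbage)
    """
    if not data:
        return "closed"
    if data.startswith(b"HTTP/"):
        return "http"
    # TLS record header: content type byte, then legacy version major 0x03.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "unknown"


def probe_plaintext(host: str, port: int = 443, timeout: float = 5.0):
    """Send plaintext HTTP to the port; return (verdict, raw bytes received)."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PLAINTEXT_REQUEST)
            while True:
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    break  # server kept the connection open but stayed silent
                if not chunk:
                    break
                chunks.append(chunk)
    except ConnectionResetError:
        return "reset", b"".join(chunks)  # the TCP reset the question asks for
    data = b"".join(chunks)
    return classify_first_bytes(data), data


def probe_tls(host: str, port: int = 443, server_name=None, timeout: float = 5.0):
    """Attempt a TLS handshake with the given SNI (None = no SNI sent).

    Returns ('ok', protocol version) on success, ('tls_error', detail) when the
    server refuses the handshake (what sniStrict should produce for an unknown
    name), or ('closed', detail) if the connection is dropped or reset.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we only care whether the handshake completes
    ctx.verify_mode = ssl.CERT_NONE  # not whether the cert chains to a trusted root
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return "ok", tls.version()
    except ssl.SSLError as exc:          # must precede OSError: SSLError subclasses it
        return "tls_error", str(exc)
    except OSError as exc:
        return "closed", str(exc)


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} host [port] [sni ...]")
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 443
    names = argv[3:] or [None]
    verdict, raw = probe_plaintext(host, port)
    print(f"plaintext HTTP on {host}:{port}: {verdict} {raw[:40]!r}")
    for name in names:
        status, detail = probe_tls(host, port, name)
        print(f"TLS handshake with SNI={name!r}: {status} ({detail})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the entry point with one SNI that matches a Router rule and one that does not; the plaintext line is the one that matters for this question, and a verdict of "http" reproduces what the access log shows, while "reset", "closed" or "tls" are the outcomes the question is after.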