How to have TLS options applied per IP?

Currently I have default TLS options that have strict SNI checking and client authentication enabled, which are applied to all routes.

I'd like to have certain IPs (namely local) bypass strict SNI checking and client authentication. From what I can tell, it's possible to set TLS options per route, and the route can have a rule to match a client IP and drop the SNI check & client auth. However, this would mean two routes per service which is quite ugly IMO.

I assume I can do this via custom middleware (assuming I disable the above options and re-implement them in a plugin), but I was wondering if there is a better solution or if this is a bad idea in general.

AFAIK the default way with Traefik would be to use two routers for every service, as you described.

Would it be possible to programmatically instantiate a route per service in this fashion then? Currently I set up routes via docker labels. There is a default rule applied, as follows: Traefik Docker Documentation - Traefik. It would be nice if it's possible to have an additional rule template that's applied for each container in a similar way.

Since I'm not seeing a way to configure that, I assume it's only possible via middleware then.

There is only one defaultRule.

Of course you can do it "programmatically": you can use a script to write a dynamic config file or provide dynamic config dynamically to providers.http.
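A sketch of the script approach from the last reply, added here as an example and not code posted by anyone in the thread: it builds one strict router and one `ClientIP`-matched router per service as a JSON dynamic configuration. It also lists host names that end up referenced with two different TLS options, because Traefik's documentation maps TLS options to host names rather than to routers. The service inventory, CIDR ranges, CA file path and the option names `strict` and `relaxed` are assumptions.

```python
import json
import re
import sys

# Constructed sample inventory; names, hosts and URLs are placeholders.
SERVICES = [
    {"name": "whoami", "host": "whoami.example.test", "url": "http://10.0.0.10:80"},
    {"name": "wiki", "host": "wiki.example.test", "url": "http://10.0.0.11:8080"},
]
LOCAL_CIDRS = ["192.168.0.0/16", "10.0.0.0/8"]  # assumed "local" ranges


def build_config(services, local_cidrs, ca_file="/certs/clients-ca.pem"):
    """Build a dynamic configuration with a strict and a local router per service."""
    ip_rule = " || ".join(f"ClientIP(`{cidr}`)" for cidr in local_cidrs)
    routers, backends = {}, {}
    for svc in services:
        host_rule = f"Host(`{svc['host']}`)"
        backends[svc["name"]] = {"loadBalancer": {"servers": [{"url": svc["url"]}]}}
        routers[svc["name"]] = {
            "rule": host_rule, "service": svc["name"], "tls": {"options": "strict"}}
        # The longer rule gets the higher default priority, so it is tried first.
        routers[svc["name"] + "-local"] = {
            "rule": f"{host_rule} && ({ip_rule})", "service": svc["name"],
            "tls": {"options": "relaxed"}}
    tls_options = {
        "strict": {"sniStrict": True, "clientAuth": {
            "caFiles": [ca_file], "clientAuthType": "RequireAndVerifyClientCert"}},
        "relaxed": {"sniStrict": False},
    }
    return {"http": {"routers": routers, "services": backends},
            "tls": {"options": tls_options}}


def tls_option_conflicts(config):
    """Return {host: [options]} for hosts referenced with more than one TLS options name."""
    seen = {}
    for router in config["http"]["routers"].values():
        option = router.get("tls", {}).get("options", "default")
        for host in re.findall(r"Host\(`([^`]+)`\)", router["rule"]):
            seen.setdefault(host, set()).add(option)
    return {host: sorted(opts) for host, opts in seen.items() if len(opts) > 1}


if __name__ == "__main__":
    cfg = build_config(SERVICES, LOCAL_CIDRS)
    print(json.dumps(cfg, indent=2))  # JSON body, e.g. for providers.http
    for host, opts in tls_option_conflicts(cfg).items():
        print(f"WARNING {host}: referenced with TLS options {opts}", file=sys.stderr)
```

Every host in this sample is reported, since both routers of a pair share one `Host` rule. Traefik's documentation states that a host name matched with two TLS options references is associated with the default TLS options instead, so confirm which options a handshake actually gets before relying on the relaxed router.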