Secure IP middleware is blocking unmatched routes

I have a Wordpress site where I want to use middleware to restrict wp-admin, wp-login and xmlrpc to only certain secure IP ranges. I got that working using a combination of the following:

A middlewares.toml file for dynamic Traefik config:

		sourceRange =  ["", "", ""]

		sourceRange = [""]
		average = 10
		burst = 50
		middlewares = ["bur-whitelist", "wp-ratelimit"]

		middlewares = ["csf-whitelist", "wp-ratelimit"]

docker-compose.yaml (particularly note the ${SERVICE}_admin rule and middleware lines:

      - "traefik.enable=true"
      - "traefik.http.routers.${SERVICE}.rule=Host(`${DOMAIN}`)"
      - "traefik.http.routers.${SERVICE}.service=nginx-${SERVICE}"
      - "traefik.http.routers.${SERVICE}.entrypoints=websecure"
      - "traefik.http.routers.${SERVICE}.middlewares=wp-ratelimit@file"
      - "traefik.http.routers.${SERVICE}.tls=true"
      - "traefik.http.routers.${SERVICE}_admin.entrypoints=websecure"
      - "traefik.http.routers.${SERVICE}_admin.rule=(Host(`${DOMAIN}`) && Path(`/{(wp-login|wp-admin|xmlrpc)}`, `/{(.*)}/{(wp-login|wp-admin|xmlrpc)}`))"
      - "traefik.http.routers.${SERVICE}_admin.middlewares=bur-secured@file"
      - "traefik.http.routers.${SERVICE}_admin.tls=true"
      - "traefik.${SERVICE}.network=traefik"

This setup does correctly block the wp-admin, wp-login and xmlrpc routes.

Note:Because this is a multisite, I quickly discovered that hackers could enter https://domain/random_entry/wp-admin and it would reroute back to the main wp-admin. This is why I have a second entry in the admin rule with the /{(.*)}/{(wp-login|wp-admin|xmlrpc)}) to prevent that. Perhaps there is a better way for that to be done?

More importantly, this admin route Path rule is matching more than just wp-admin, wp-login and xmlrpc, and in so doing is breaking other parts of the site. We have some static files mounted at /csf_directives_administratives_final, and for some reason Traefik is matching that path as being part of the admin route, so is applying the IP filter and blocking it. I can't figure out for the life of me why that route rule would match this extra path so I'm hoping someone can point me in the right direction.

It gets stranger - based on another blog I tried tweaking the admin route rule to:

- "traefik.http.routers.${SERVICE}_admin.rule=(Host(${DOMAIN}) && PathPrefix(/wp-admin,/admin,/wp-login.php) || Method(POST))"

At first this seemed to work well as it actually allowed the /csf_directives_administratives_final to work, but then I got a report of something even stranger...

People logging onto the wp-admin of other Traefik/Docker sites were now getting caught by this 'rule' and redirected to the wp-admin for this site.

Since the rule specifies the host && path, why the heck would it catch anything going to a completely different host/domain?