I use Traefik v2 with the DNS challenge and a wildcard domain, so all my exposed Docker routers share the same wildcard domain.
For these routers everything works well, but when I curl a non-existent router, I get the default Traefik cert with a 404 Not Found:
```
curl -ks https://<REPLACED>:443 -vvv
*   Trying <REPLACED>:443...
* TCP_NODELAY set
* Connected to <REPLACED> (<REPLACED>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Dec 14 14:43:25 2021 GMT
*  expire date: Dec 14 14:43:25 2022 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b70e814e30)
> GET / HTTP/2
> Host: <REPLACED>
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Tue, 14 Dec 2021 15:05:16 GMT
<
404 page not found
```
Is it a security problem, maybe a leak of information (Traefik version?)?
Could I block the connection for non-existent routers, so that I won't serve a cert for the TLS connection?
Or maybe it's the default behavior of Traefik and it's OK :).
Thanks for your time.
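As an added example (not part of the original post and not Traefik's own code): a small Go probe that connects to the Traefik endpoint with an arbitrary SNI name and reports whether the leaf certificate it gets back is Traefik's self-signed fallback, the `CN=TRAEFIK DEFAULT CERT` visible in the curl output above. It lets you list exactly which hostnames fall through to the default certificate, i.e. which names no router rule matches. Assumptions: the target `host:port` and the SNI names to try are given as command-line arguments; `selfSignedTestCert` only builds a constructed certificate so the classifier can be exercised offline, it is not a certificate from any real Traefik instance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// traefikDefaultCN is the subject and issuer CN Traefik puts on the
// self-signed certificate it generates when no configured certificate
// matches the SNI (as seen in the curl output above).
const traefikDefaultCN = "TRAEFIK DEFAULT CERT"

// IsTraefikDefault reports whether a leaf certificate is Traefik's built-in
// fallback: self-signed (issuer == subject) with the well-known CN.
func IsTraefikDefault(cert *x509.Certificate) bool {
	if cert == nil {
		return false
	}
	return cert.Subject.CommonName == traefikDefaultCN &&
		cert.Issuer.CommonName == traefikDefaultCN &&
		cert.Subject.String() == cert.Issuer.String()
}

// ProbeSNI opens a TLS connection to addr (host:port), presents sni in the
// ClientHello and returns the leaf certificate the server chose for that name.
// Verification is disabled on purpose: we want to see what is served, not
// to authenticate the server.
func ProbeSNI(addr, sni string) (*x509.Certificate, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // inspection only, never reuse this for real clients
	})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate presented for SNI %q", sni)
	}
	return certs[0], nil
}

// selfSignedTestCert builds a throwaway self-signed certificate with the
// given CN. Constructed sample for offline testing of IsTraefikDefault;
// not a certificate from any real Traefik instance.
func selfSignedTestCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	// template == parent makes the certificate self-signed, so Issuer == Subject.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if len(os.Args) < 3 {
		fmt.Fprintf(os.Stderr, "usage: %s host:port sni [sni ...]\n", os.Args[0])
		os.Exit(2)
	}
	addr := os.Args[1]
	for _, sni := range os.Args[2:] {
		cert, err := ProbeSNI(addr, sni)
		if err != nil {
			fmt.Printf("%-40s error: %v\n", sni, err)
			continue
		}
		verdict := "configured certificate"
		if IsTraefikDefault(cert) {
			verdict = "TRAEFIK DEFAULT CERT (no router matches this name)"
		}
		fmt.Printf("%-40s CN=%s  %s\n", sni, cert.Subject.CommonName, verdict)
	}
}
```

Usage, with hypothetical names: `go run probe.go traefik.example.com:443 app.example.com doesnotexist.example.com`. Every name reported as the default certificate is one that Traefik could not map to a router; a name under your wildcard that shows up there is a gap in your router rules, and a name outside your domains showing the same result is simply the fallback behaviour the curl output already demonstrates.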