New: Licenses.md, Traefik.md; Updated Steuererklärungen.md

Traefik.md

@@ -0,0 +1,25 @@
+# Situation
+I have a datacenter (DC) server hosted on Hetzner that forwards incoming web traffic via a WireGuard tunnel to a local office server. On the local server, Traefik runs as a reverse proxy inside a rootless Podman container. 
+
+My known, valid services are hosted on two specific subdomains `affine.creature-go.com` and `openwebui.creature-go.com`.
+
+# Problem
+Bots and script kiddies are scanning my Hetzner IP directly or guessing random subdomains. Traefik is currently returning standard `404 Not Found` errors for these unmatched requests (which show up in my logs as `"-" "-"`). This is wasting my WireGuard tunnel bandwidth and consuming local server resources.
+
+# Strategy: A Traefik "Black Hole"
+To discourage bots and save resources, I want to implement a "Black Hole" catch-all router in Traefik. The goal is to intercept any request that does *not* explicitly match my valid subdomains and immediately reject it with a `403 Forbidden`, preventing Traefik from wasting time looking for a backend.
+
+The planned architecture for this is:
+1. **Rule:** A catch-all matching all hosts: `HostRegexp('{any:.*}')`
+2. **Priority:** The lowest possible priority (e.g., `priority: 1`) so my valid domains are always evaluated first.
+3. **Middleware:** An `ipAllowList` middleware restricted to an impossible source like `127.0.0.1/32`. This forces a 403 for all external traffic hitting the rule.
+4. **Service:** Routed to Traefik's built-in `noop@internal` dummy service.
+
+# Your Task
+Please act as a Traefik and Podman expert and provide the following:
+1. **The dynamic YAML configuration** needed to create this Black Hole router and middleware.
+2. **Verification steps:** How can I ensure my existing valid routers Affine and OpenWebUI have the correct priority to avoid getting swallowed by this new Black Hole?
+
+# Current Traefik configuration files
+
+My current Traefik configuration files are attached.