# Situation

I have a datacenter (DC) server hosted on Hetzner that forwards incoming web traffic via a WireGuard tunnel to a local office server. On the local server, Traefik runs as a reverse proxy inside a rootless Podman container.

My known, valid services are hosted on two specific subdomains `affine.creature-go.com` and `openwebui.creature-go.com`.

# Problem

Bots and script kiddies are scanning my Hetzner IP directly or guessing random subdomains. Traefik is currently returning standard `404 Not Found` errors for these unmatched requests (which show up in my logs as `"-" "-"`). This is wasting my WireGuard tunnel bandwidth and consuming local server resources.

# Strategy: A Traefik "Black Hole"

To discourage bots and save resources, I want to implement a "Black Hole" catch-all router in Traefik. The goal is to intercept any request that does *not* explicitly match my valid subdomains and immediately reject it with a `403 Forbidden`, preventing Traefik from wasting time looking for a backend.

The planned architecture for this is:

1. **Rule:** A catch-all matching all hosts: `HostRegexp('{any:.*}')`
2. **Priority:** The lowest possible priority (e.g., `priority: 1`) so my valid domains are always evaluated first.
3. **Middleware:** An `ipAllowList` middleware restricted to an impossible source like `127.0.0.1/32`. This forces a 403 for all external traffic hitting the rule.
4. **Service:** Routed to Traefik's built-in `noop@internal` dummy service.

# Your Task

Please act as a Traefik and Podman expert and provide the following:

1. **The dynamic YAML configuration** needed to create this Black Hole router and middleware.
2. **Verification steps:** How can I ensure my existing valid routers Affine and OpenWebUI have the correct priority to avoid getting swallowed by this new Black Hole?

# Current Traefik configuration files

My current Traefik configuration files are attached.
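
The four-part plan in the Strategy section, written out as a Traefik file-provider dynamic configuration. This is an added example, not one of the attached configuration files. The router and middleware names (`blackhole-http`, `blackhole-https`, `blackhole-deny`) are hypothetical, and it assumes Traefik never sees tunnel traffic arriving from `127.0.0.1`.

```yaml
# Added example (hypothetical names); load through the file provider.
http:
  middlewares:
    blackhole-deny:
      ipAllowList:
        sourceRange:
          # Assumption: no request reaching Traefik has this source address,
          # so every request on the catch-all routers is answered with 403.
          - "127.0.0.1/32"

  routers:
    # Catch-all for plain-HTTP requests that matched no other router.
    blackhole-http:
      # The rule from the Strategy list, written with the backticks that
      # Traefik's rule syntax requires. Under Traefik v3 rule syntax,
      # HostRegexp takes a plain regular expression: HostRegexp(`.*`)
      rule: "HostRegexp(`{any:.*}`)"
      # Routers without an explicit priority default to the length of their
      # rule string, so Host(`affine.creature-go.com`) and
      # Host(`openwebui.creature-go.com`) both rank far above 1.
      priority: 1
      middlewares:
        - blackhole-deny
      service: noop@internal

    # A router without a tls section only handles non-TLS requests,
    # so HTTPS traffic needs its own catch-all.
    blackhole-https:
      rule: "HostRegexp(`{any:.*}`)"
      priority: 1
      middlewares:
        - blackhole-deny
      service: noop@internal
      tls: {}
```

Because these routers run in Traefik on the office server, a rejected request has already crossed the WireGuard tunnel by the time the 403 is produced. Dropping unknown hosts before the tunnel would have to happen on the Hetzner side.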