From d3f7e39d6dfea4298157ed1cab9efc08364cf2b5 Mon Sep 17 00:00:00 2001
From: kisfenyo
Date: Mon, 23 Feb 2026 14:15:49 +0100
Subject: [PATCH] fix: catch-all middleware allow localhost for healthcheck, drop certresolver

CatchAllMiddleware was intercepting Docker healthcheck requests (Host: localhost) and internal API calls, returning 404 instead of passing through. Also removed certresolver from catch-all Traefik router to avoid cert provisioning issues with HostRegexp(.+).
Co-Authored-By: Claude Opus 4.6
---
 controller/docker-compose.yml | 3 ++-
 controller/internal/web/server.go | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/controller/docker-compose.yml b/controller/docker-compose.yml
index c363d05..7b0879e 100644
--- a/controller/docker-compose.yml
+++ b/controller/docker-compose.yml
@@ -54,11 +54,12 @@ services:
 - "traefik.http.services.controller.loadbalancer.server.port=8080"
 - "traefik.docker.network=traefik-public"
 # Catch-all: branded error page for stopped/undeployed app subdomains
+ # Priority 1 = lowest, so running app routers always win.
+ # No certresolver — uses Traefik's default cert store (previously issued certs).
 - "traefik.http.routers.catchall.rule=HostRegexp(`.+`)"
 - "traefik.http.routers.catchall.priority=1"
 - "traefik.http.routers.catchall.entrypoints=websecure"
 - "traefik.http.routers.catchall.tls=true"
- - "traefik.http.routers.catchall.tls.certresolver=letsencrypt"
 - "traefik.http.routers.catchall.service=controller"
 # Health check labels for monitoring
 - "felhom.managed=true"
diff --git a/controller/internal/web/server.go b/controller/internal/web/server.go
index a8380fe..688161f 100644
--- a/controller/internal/web/server.go
+++ b/controller/internal/web/server.go
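Review bot: In controller/docker-compose.yml, the added comment `# No certresolver — uses Traefik's default cert store (previously issued certs).` does not say what happens for a hostname that has no stored certificate. With `tls=true` and no resolver, Traefik falls back to its default certificate for such hosts, which is self-signed unless a default has been configured, so the branded page for an undeployed subdomain is likely to sit behind a certificate warning. I would reword the comment along the lines of `# No certresolver — hosts without an already-issued cert are served Traefik's default certificate.` and, if a wildcard certificate exists for the app domain, set it as the default certificate in the TLS store. The labels list starts and continues outside this hunk.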
@@ -295,7 +295,9 @@ func (s *Server) CatchAllMiddleware(next http.Handler) http.Handler {
 if idx := strings.LastIndex(host, ":"); idx != -1 {
 host = host[:idx]
 }
- if strings.EqualFold(host, controllerHost) || host == "" {
+ // Pass through: controller host, localhost (healthcheck/internal), or empty
+ if strings.EqualFold(host, controllerHost) || host == "" ||
+ host == "localhost" || host == "127.0.0.1" {
 next.ServeHTTP(w, r)
 return
 }
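Review bot: The new `host == "localhost" || host == "127.0.0.1"` condition trusts the Host header, which the client chooses, so it does not establish that a request is a healthcheck or an internal call. The catch-all router in this same commit matches any host and forwards to the controller, so a request arriving through Traefik with `Host: localhost` would take this pass-through as well and reach `next` instead of the catch-all page. Tying the bypass to the peer address is safer, for example `if ip, _, err := net.SplitHostPort(r.RemoteAddr); err == nil && net.ParseIP(ip).IsLoopback() {` around the localhost case; this assumes the healthcheck connects from inside the container and needs the `net` import. CatchAllMiddleware starts and ends outside this hunk, so how `host` is derived and what `next` exposes are not visible here.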