fix: catch-all middleware allow localhost for healthcheck, drop certresolver

CatchAllMiddleware was intercepting Docker healthcheck requests (Host:
localhost) and internal API calls, returning 404 instead of passing
through. Also removed certresolver from catch-all Traefik router to
avoid cert provisioning issues with HostRegexp(.+).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

controller/docker-compose.yml

@@ -54,11 +54,12 @@ services:
       - "traefik.http.services.controller.loadbalancer.server.port=8080"
       - "traefik.docker.network=traefik-public"
       # Catch-all: branded error page for stopped/undeployed app subdomains
+      # Priority 1 = lowest, so running app routers always win.
+      # No certresolver — uses Traefik's default cert store (previously issued certs).
       - "traefik.http.routers.catchall.rule=HostRegexp(`.+`)"
       - "traefik.http.routers.catchall.priority=1"
       - "traefik.http.routers.catchall.entrypoints=websecure"
       - "traefik.http.routers.catchall.tls=true"
-      - "traefik.http.routers.catchall.tls.certresolver=letsencrypt"
       - "traefik.http.routers.catchall.service=controller"
       # Health check labels for monitoring
       - "felhom.managed=true"

controller/internal/web/server.go

@@ -295,7 +295,9 @@ func (s *Server) CatchAllMiddleware(next http.Handler) http.Handler {
 		if idx := strings.LastIndex(host, ":"); idx != -1 {
 			host = host[:idx]
 		}
-		if strings.EqualFold(host, controllerHost) || host == "" {
+		// Pass through: controller host, localhost (healthcheck/internal), or empty
+		if strings.EqualFold(host, controllerHost) || host == "" ||
+			host == "localhost" || host == "127.0.0.1" {
 			next.ServeHTTP(w, r)
 			return
 		}