Authorised parties have prior knowledge of the subdomains where the apps reside.

Everyone else hitting the IPs directly (presumably coming from mass IP scans) will be met with a honeypot vhost returning nothing.

An example can be found in the nginx manual with the catch-all approach: https://nginx.org/en/docs/http/server_names.html#miscellaneo...