I'm trying to access my Pi-hole container from pihole.mydomain.com without any ports or /admin, and I swear the multitude of posts on the internet make this seem really straightforward. Perhaps it is and I'm being dumb, but I cannot get it to work.
Below is my current docker-compose for both Traefik and Pi-hole:
```yaml
version: "3.7"
services:
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - medianet
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /path/to/traefik:/etc/traefik
      - /path/to/shared:/shared
      - /path/to/traefik/logs/traefik.log:/etc/traefik/logs/traefik.log
      - /path/to/traefik/logs/access.log:/etc/traefik/logs/access.log
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_HOST}`)
      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_USER_PASS}
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DASHBOARD_HOST}`)
      - traefik.http.routers.traefik-secure.middlewares=traefik-auth
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=cloudflare
      - traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_BASE_DNS}
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${TRAEFIK_BASE_DNS}
      - traefik.http.routers.traefik-secure.service=api@internal
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    networks:
      - medianet
      - npm_network
    domainname: mydomain.com
    hostname: pihole
    ports:
      - 53:53/tcp
      - 53:53/udp
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${WEBPASSWORD}
      - FTLCONF_LOCAL_IPV4=192.168.1.116
      - WEBTHEME=default-auto
      - DNSMASQ_LISTENING=ALL
      - VIRTUAL_HOST=pihole.mydomain.com
    volumes:
      - /path/to/pihole:/etc/pihole
      - /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    labels:
      - traefik.enable=true
      - traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
      - traefik.http.routers.pihole.entrypoints=https
      - traefik.http.routers.pihole.tls=true
      - traefik.http.routers.pihole.service=pihole
      - traefik.http.services.pihole.loadbalancer.server.port=80
```
The Pi-hole one will load the login page and, upon entering the password and logging in, it will simply bring me back to the login page. So it just keeps looping around.
The Traefik config is working with lots of other containers, all of which are using SSL certificates, so I'm pretty sure my Traefik config is okay.
I've tried middlewares to addprefix=/admin, which just ends up looping round with multiple /admin prefixes and also doesn't work.
Anybody got any ideas?
I'm aware I don't have to put Pi-hole behind SSL as I'm not exposing any of this stuff to the open internet (ports 80 and 443 are not forwarded on my router, and I'm using local DNS records in Pi-hole to access via subdomains).
Happy to post my traefik.yml and config.yml files if needed.
UPDATE: I seem to have figured it out! Below is my final Pi-hole docker-compose - the Traefik one remains unchanged from the original post:
```yaml
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    networks:
      - medianet
      - npm_network
    domainname: mydomain.com
    hostname: pihole
    ports:
      - 53:53/tcp
      - 53:53/udp
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${WEBPASSWORD}
      - FTLCONF_LOCAL_IPV4=192.168.1.116
      - WEBTHEME=default-auto
      - DNSMASQ_LISTENING=ALL
      - VIRTUAL_HOST=pihole.mydomain.com
    volumes:
      - /path/to/pihole:/etc/pihole
      - /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    labels:
      - traefik.enable=true
      - traefik.http.routers.pihole.entrypoints=http
      - traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
      - traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.pihole.middlewares=pihole-https-redirect
      - traefik.http.routers.pihole.service=pihole
      - traefik.http.routers.pihole-secure.entrypoints=https
      - traefik.http.routers.pihole-secure.rule=Host(`pihole.mydomain.com`)
      - traefik.http.routers.pihole-secure.tls=true
      - traefik.http.routers.pihole-secure.service=pihole
      - traefik.http.services.pihole.loadbalancer.server.port=80
```
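The visible difference between the two Pi-hole label sets is that the updated one adds a plain-HTTP router that redirects to HTTPS alongside the TLS router. The following is an added example, not part of the original post: a small Python check that groups Traefik docker labels by router and reports hosts served on the TLS entrypoint with no redirecting HTTP router. The function names are hypothetical, the entrypoint names `http` and `https` are taken from the post's labels, and middleware references are assumed to be written without a provider suffix.

```python
import re
from collections import defaultdict
# Labels copied from the two pihole services in the post (original, then UPDATE).
ORIGINAL = [
    "traefik.enable=true",
    "traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)",
    "traefik.http.routers.pihole.entrypoints=https",
    "traefik.http.routers.pihole.tls=true",
    "traefik.http.routers.pihole.service=pihole",
    "traefik.http.services.pihole.loadbalancer.server.port=80",
]
UPDATED = [
    "traefik.enable=true",
    "traefik.http.routers.pihole.entrypoints=http",
    "traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)",
    "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.pihole.middlewares=pihole-https-redirect",
    "traefik.http.routers.pihole.service=pihole",
    "traefik.http.routers.pihole-secure.entrypoints=https",
    "traefik.http.routers.pihole-secure.rule=Host(`pihole.mydomain.com`)",
    "traefik.http.routers.pihole-secure.tls=true",
    "traefik.http.routers.pihole-secure.service=pihole",
    "traefik.http.services.pihole.loadbalancer.server.port=80",
]

def parse(labels):
    """Group Traefik docker labels into {kind: {name: {option: value}}}."""
    cfg = defaultdict(lambda: defaultdict(dict))
    for label in labels:
        key, _, value = label.partition("=")
        m = re.match(r"traefik\.http\.(routers|middlewares|services)\.([^.]+)\.(.+)", key)
        if m:
            cfg[m[1]][m[2]][m[3].lower()] = value
    return cfg

def hosts_without_redirect(labels, http_ep="http", https_ep="https"):
    """Hosts with a TLS router but no plain-HTTP router that redirects to https."""
    cfg = parse(labels)
    redirecting = {n for n, o in cfg["middlewares"].items() if o.get("redirectscheme.scheme") == "https"}
    tls_hosts, redirected = set(), set()
    for opts in cfg["routers"].values():
        hosts = set(re.findall(r"Host\(`([^`]+)`\)", opts.get("rule", "")))
        eps = opts.get("entrypoints", "").split(",")
        mws = set(opts.get("middlewares", "").split(","))
        if https_ep in eps and opts.get("tls") == "true":
            tls_hosts |= hosts  # host is reachable over TLS
        if http_ep in eps and mws & redirecting:
            redirected |= hosts  # host also has an HTTP router that upgrades to https
    return sorted(tls_hosts - redirected)
```

The check only reports the structural difference between the two configurations; it does not establish why the login loop stopped.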
Yeah I had SearXNG running via a Docker container and it was pretty good. I didn’t like having to use a domain name and expose it over the internet though, because Docker is running on my NAS. I guess I could give it another try using Cloudflare tunnels so I don’t have to open anything up.
Or else go back to Startpage.