DNS over TLS reverse proxy working with Docker labels but not with file provider

Traefik Traefik v2 (latest)
, ,
1

I have changed my setup lately and I no longer run AdGuard Home on the same machine that Traefik runs on. I run one instant of Traefik locally purely to act as a reverse proxy which encrypts lots of services I host.

What has me stumped is I am able to reverse proxy AdGuard Home DNS over TLS when using Docker labels, just not when trying to do the same thing using the file provider.

Working Docker labels example 
version: "3"

services:
  traefik:
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false

      - --experimental.http3=true

      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=webSecure

      - --entryPoints.webSecure.address=:443
      - --entryPoints.webSecure.http3
      - --entrypoints.webSecure.http.tls.certResolver=myResolver
      - --entrypoints.webSecure.http.tls.domains[0].main=👀.duckdns.org
      - --entrypoints.webSecure.http.tls.domains[0].sans=*.👀.duckdns.org

      - --entryPoints.dnsOverTLS.address=:853

      - --certificatesResolvers.myResolver.acme.email=webmaster@👀.duckdns.org
      - --certificatesResolvers.myResolver.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.myResolver.acme.dnsChallenge=true
      - --certificatesResolvers.myResolver.acme.dnsChallenge.provider=duckdns
    container_name: traefik
    environment:
      - DUCKDNS_TOKEN=👀
    image: traefik:v2.10
    networks:
      - traefik
      - adguardhome
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
      - 853:853
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

      - ./traefik/letsencrypt:/letsencrypt

  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome
    labels:
      - traefik.enable=true

      - traefik.http.routers.adguardHome.entryPoints=websecure
      - traefik.http.routers.adguardHome.rule=Host(`dns.👀.duckdns.org`)
      - traefik.http.routers.adguardHome.service=adguardHome

      - traefik.http.services.adguardHome.loadBalancer.server.port=3000

      - traefik.tcp.routers.adguardHome.entryPoints=dnsOverTLS
      - traefik.tcp.routers.adguardHome.rule=HostSNI(`dns.👀.duckdns.org`)
      - traefik.tcp.routers.adguardHome.tls.certResolver=porkbun
      - traefik.tcp.routers.adguardHome.tls.domains[0].main=👀.duckdns.org
    networks:
      - adguardhome
    restart: unless-stopped
    volumes:
      - ./adguardhome/work:/opt/adguardhome/work
      - ./adguardhome/conf:/opt/adguardhome/conf

networks:
  traefik:
    name: traefik

  adguardhome:
    name: adguardhome
Broken file provider example

docker-compose.yaml

version: "3"

services:
  traefik:
    container_name: traefik
    environment:
      - DUCKDNS_TOKEN=👀
    image: traefik:v2.10
    networks:
      - traefik
    ports:
      - 80:80
      - 443:443
      - 443:443/udp
      - 853:853
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik.yaml:/etc/traefik/traefik.yaml:ro

networks:
  traefik:
    name: traefik

traefik.yaml

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true

experimental:
  http3: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: webSecure

  webSecure:
    address: :443
    http3: {}
    http:
      tls:
        certResolver: myResolver
        domains:
          - main: 👀.duckdns.org
            sans:
              - \*.👀.duckdns.org

  dnsOverTLS:
    address: :853

http:
  routers:
    adguardHome:
      entryPoints:
        - webSecure
      rule: Host(`👀.duckdns.org`)
      service: adguardHome

  services:
    adguardHome:
      loadBalancer:
        servers:
          - url: http://10.0.0.1:3000

tcp:
  routers:
    adguardHome:
      entryPoints:
        - dnsOverTLS
      rule: HostSNI(`👀.duckdns.org`)
      service: adguardHome
      tls:
        certResolver: myResolver
        domains:
          - main: 👀.duckdns.org

  services:
    adguardHome:
      loadBalancer:
        servers:
          - address: 10.0.0.1:853

certificatesResolvers:
  myResolver:
    acme:
      email: webmaster@👀.duckdns.org
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: duckdns

Error while dialing backend: dial tcp 10.0.0.1:853: connect: connection refused

2

You manually set Traefik to forward DoT requests to 10.0.0.1:853. Is your AdGuard server running on that IP and is the service/container port open?