I have changed my setup lately and I no longer run AdGuard Home on the same machine that Traefik runs on. I run one instance of Traefik locally, purely to act as a reverse proxy which encrypts lots of services I host.
What has me stumped is I am able to reverse proxy AdGuard Home DNS over TLS when using Docker labels, just not when trying to do the same thing using the file provider.
Working Docker labels example
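# Compose stack from the "working" case: Traefik and AdGuard Home run on the
# same Docker host and Traefik discovers AdGuard Home through container labels.
# The nesting was lost in the paste; it is restored here. 👀 marks values the
# author redacted.
version: "3"
services:
  traefik:
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --experimental.http3=true
      - --entryPoints.web.address=:80
      - --entryPoints.web.http.redirections.entryPoint.to=webSecure
      - --entryPoints.webSecure.address=:443
      - --entryPoints.webSecure.http3
      - --entrypoints.webSecure.http.tls.certResolver=myResolver
      - --entrypoints.webSecure.http.tls.domains[0].main=👀.duckdns.org
      - --entrypoints.webSecure.http.tls.domains[0].sans=*.👀.duckdns.org
      - --entryPoints.dnsOverTLS.address=:853
      - --certificatesResolvers.myResolver.acme.email=webmaster@👀.duckdns.org
      - --certificatesResolvers.myResolver.acme.storage=/letsencrypt/acme.json
      - --certificatesResolvers.myResolver.acme.dnsChallenge=true
      - --certificatesResolvers.myResolver.acme.dnsChallenge.provider=duckdns
    container_name: traefik
    environment:
      # DNS-challenge credential: whoever holds it can change the domain's
      # records and so obtain certificates for it. Keep the real value out of
      # version control (env file or secret store).
      - DUCKDNS_TOKEN=👀
    image: traefik:v2.10
    networks:
      - traefik
      - adguardhome
    ports:
      # Quoted so no YAML parser can re-type a host:container pair.
      - "80:80"
      - "443:443"
      - "443:443/udp"
      # Publishes the DoT listener on every host interface. If the host is
      # reachable from the internet this is a public resolver unless AdGuard
      # Home or a firewall restricts which clients may query it.
      - "853:853"
    restart: unless-stopped
    volumes:
      # ":ro" only makes the socket file's mount read-only; it does not limit
      # what can be requested over the Docker API. A compromised Traefik
      # therefore has full control of the Docker daemon. A filtering socket
      # proxy narrows this.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json, which contains the ACME account key and certificate
      # private keys. Traefik expects the file to be mode 600.
      - ./traefik/letsencrypt:/letsencrypt
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome
    labels:
      - traefik.enable=true
      # NOTE(review): the entry point is declared as "webSecure" in the
      # command flags but referenced as "websecure" here. This apparently
      # works in this setup; a file-based configuration may treat names as
      # case-sensitive, so verify when porting.
      - traefik.http.routers.adguardHome.entryPoints=websecure
      - traefik.http.routers.adguardHome.rule=Host(`dns.👀.duckdns.org`)
      - traefik.http.routers.adguardHome.service=adguardHome
      - traefik.http.services.adguardHome.loadBalancer.server.port=3000
      - traefik.tcp.routers.adguardHome.entryPoints=dnsOverTLS
      - traefik.tcp.routers.adguardHome.rule=HostSNI(`dns.👀.duckdns.org`)
      # NOTE(review): "porkbun" is not a resolver defined anywhere in this
      # listing (only "myResolver" is). Presumably a leftover; the router is
      # likely being served the wildcard certificate requested on webSecure.
      # Confirm in the Traefik log.
      - traefik.tcp.routers.adguardHome.tls.certResolver=porkbun
      - traefik.tcp.routers.adguardHome.tls.domains[0].main=👀.duckdns.org
      # NOTE(review): there is no traefik.tcp.services.<name>.loadbalancer.server.port
      # label, so Traefik has to infer which container port receives the
      # decrypted DoT traffic. Pinning it explicitly documents which AdGuard
      # listener is the backend, which matters when reproducing this route
      # with the file provider.
    networks:
      - adguardhome
    restart: unless-stopped
    volumes:
      - ./adguardhome/work:/opt/adguardhome/work
      - ./adguardhome/conf:/opt/adguardhome/conf
networks:
  traefik:
    name: traefik
  adguardhome:
    name: adguardhome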
Broken file provider example
docker-compose.yaml
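# Compose file for the file-provider case: Traefik only, AdGuard Home now runs
# on another machine. The nesting was lost in the paste; it is restored here.
# 👀 marks values the author redacted.
version: "3"
services:
  traefik:
    container_name: traefik
    environment:
      # DNS-challenge credential: whoever holds it can change the domain's
      # records and so obtain certificates for it. Keep the real value out of
      # version control (env file or secret store).
      - DUCKDNS_TOKEN=👀
    image: traefik:v2.10
    networks:
      - traefik
    ports:
      # Quoted so no YAML parser can re-type a host:container pair.
      - "80:80"
      - "443:443"
      - "443:443/udp"
      # Publishes the DoT listener on every host interface. Restrict who can
      # reach it (firewall or AdGuard Home client allow-list) if the host is
      # internet-facing.
      - "853:853"
    restart: unless-stopped
    volumes:
      # ":ro" does not limit what can be requested over the Docker API; the
      # mount still gives Traefik full control of the Docker daemon. If no
      # container on this host is routed through labels any more, drop this
      # mount together with the docker provider in traefik.yaml.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json (ACME account key and certificate private keys);
      # Traefik expects mode 600 on that file.
      - ./traefik/letsencrypt:/letsencrypt
      - ./traefik.yaml:/etc/traefik/traefik.yaml:ro
networks:
  traefik:
    name: traefik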
traefik.yaml
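# Traefik configuration for the file-provider case. The nesting was lost in
# the paste; it is restored here. 👀 marks values the author redacted.
#
# NOTE(review): this one file holds both static configuration (providers,
# entryPoints, certificatesResolvers) and dynamic configuration (http, tcp),
# and the file provider is pointed at the directory that contains it. The
# reported dial error shows the TCP router was loaded, so this works here, but
# keeping the routers and services in a separate file inside the watched
# directory is easier to reason about.
providers:
  # Still requires the Docker socket mount. Remove this provider (and the
  # mount) if nothing on this host is routed through container labels.
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true
experimental:
  http3: true
entryPoints:
  web:
    # Quoted: a value starting with ":" is easy for tools to mis-parse.
    address: ':80'
    http:
      redirections:
        entryPoint:
          to: webSecure
  webSecure:
    address: ':443'
    http3: {}
    http:
      tls:
        certResolver: myResolver
        domains:
          - main: 👀.duckdns.org
            sans:
              # The pasted "\*" was a markdown escape. A bare "*" at the start
              # of a YAML value is an alias sigil, so the wildcard is quoted.
              - '*.👀.duckdns.org'
  dnsOverTLS:
    address: ':853'
http:
  routers:
    adguardHome:
      entryPoints:
        - webSecure
      rule: 'Host(`👀.duckdns.org`)'
      service: adguardHome
  services:
    adguardHome:
      loadBalancer:
        servers:
          # Plain HTTP to the AdGuard Home web UI on another machine: the
          # admin login crosses the network unencrypted on this hop. Limit
          # access to that port to the Traefik host.
          - url: 'http://10.0.0.1:3000'
tcp:
  routers:
    adguardHome:
      entryPoints:
        - dnsOverTLS
      # Must equal the server name the DoT client sends. The Docker-labels
      # example matched a "dns." subdomain; confirm the redacted value.
      rule: 'HostSNI(`👀.duckdns.org`)'
      service: adguardHome
      # This block makes Traefik terminate TLS, so the backend below receives
      # decrypted DNS, not TLS.
      tls:
        certResolver: myResolver
        domains:
          - main: 👀.duckdns.org
  services:
    adguardHome:
      loadBalancer:
        servers:
          # The reported "connection refused" means nothing accepted a TCP
          # connection on 10.0.0.1:853 from inside the Traefik container.
          # AdGuard Home only listens on its DoT port when its own encryption
          # is enabled, and that listener expects TLS, which would call for
          # tls.passthrough on the router instead of termination. With
          # termination as configured, the backend should presumably be
          # AdGuard's plain DNS-over-TCP port. Verify which ports AdGuard
          # Home is listening on and that a host firewall is not rejecting
          # the connection.
          - address: '10.0.0.1:853'
certificatesResolvers:
  myResolver:
    acme:
      email: webmaster@👀.duckdns.org
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: duckdns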
Error while dialing backend: dial tcp 10.0.0.1:853: connect: connection refused