Pihole in Docker behind Traefik 2 (and Cloudflare and Let's Encrypt)

Hey everyone. I think like a lot of people, I have gone down the Traefik tunnel because of this blog post. I followed it a few months ago and have since spread out on my own. It's been my first time using Docker (or even Linux, for that matter), but it's been my COVID-19 hobby and I'm obsessed.

I have my own domain, and serve media to family. My server is an Intel NUC running Ubuntu 20.04 and Docker.

My Docker and Traefik have been stable for a long while, but I started trying to add Pi-hole a few days ago (never used Pi-hole before) and now I've really made a mess of things. I'm out of my league and just guessing and now I'm nearing giving up. The past few days have been long.

OK, here's what I've got:

Networks:

networks:
  t2_proxy:
    external:
      name: t2_proxy
  default:
    driver: bridge
  socket_proxy:
    external:
      name: socket_proxy

Traefik:

  traefik:
    container_name: traefik
    image: traefik:chevrotin
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      ## Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:$TRAEFIK_PORT
      - --api=true
      # - --api.insecure=true
      # - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=INFO
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      # - --providers.docker.endpoint=unix:///var/run/docker.sock # Use Docker Socket Proxy instead for improved security
      - --providers.docker.endpoint=tcp://socket-proxy:2375
      # - --providers.docker.defaultrule=HostHeader(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      # - --entrypoints.https.http.middlewares=chain-oauth@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
      - --providers.docker.network=t2_proxy
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      # - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$MY_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    networks:
      t2_proxy:
        ipv4_address: $TRAEFIK_IP
      socket_proxy:
    depends_on:
      - socket-proxy
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - $DIR_DOCKER/traefik2/rules:/rules
      # - /var/run/docker.sock:/var/run/docker.sock:ro # Use Docker Socket Proxy instead for improved security
      - $DIR_DOCKER/traefik2/acme/acme.json:/acme.json
      - $DIR_DOCKER/traefik2/traefik.log:/traefik.log
      - $DIR_DOCKER/shared:/shared
    environment:
      - CF_API_EMAIL=$MY_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      ## HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      ## HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=HostHeader(`traefik.$DOMAINNAME`)"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"

And finally, we have Pihole:

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    hostname: pihole
    networks:
      t2_proxy:
        ipv4_address: $PIHOLE_IP
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - "$PIHOLE_PORT1:80"
      - "$PIHOLE_PORT2:443"
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
    volumes:
      - $DIR_DOCKER/pihole/pihole:/etc/pihole
      - $DIR_DOCKER/pihole/dnsmasq.d:/etc/dnsmasq.d
      - $DIR_DOCKER/pihole/pihole.log:/var/log/pihole.log
    environment:
      ServerIP: $SERVER_IP
      PROXY_LOCATION: pihole
      VIRTUAL_HOST: pihole.$DOMAINNAME
      VIRTUAL_PORT: 80
      TZ: $TZ
      WEBPASSWORD: $PIHOLE_PASSWORD
    labels:
      - "traefik.enable=true"
      ## HTTP-to-HTTPS Redirect
      - "traefik.http.routers.pihole-catchall.entrypoints=http"
      - "traefik.http.routers.pihole-catchall.rule=HostRegexp(`pihole.$DOMAINNAME,{catchall:.*}`)"
      - "traefik.http.routers.pihole-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      ## HTTP Routers
      - "traefik.http.routers.pihole-rtr.entrypoints=https"
      - "traefik.http.routers.pihole-rtr.rule=HostHeader(`pihole.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.pihole-rtr.middlewares=chain-oauth@file"
      ## HTTP Services
      - "traefik.http.routers.pihole-rtr.service=pihole-svc"
      - "traefik.http.services.pihole-svc.loadbalancer.server.port=80"

So Plex is only spinning up as "unhealthy" and keeps saying:

Starting Plex Media Server.
/bin/sh: 1: /usr/lib/plexmediaserver/Plex Media Server: not found

Meanwhile, Statping is being really weird. It's unable to ping over HTTP. It keeps saying:

WARN[8104] Service Statping Failing: Could not get IP address for domain https://statping.EXAMPLE.COM, lookup statping.EXAMPLE.COM on 127.0.0.11:53: read udp 127.0.0.1:58173->127.0.0.11:53: i/o timeout | Lookup in: 0 μs device="map[arch:amd64 num_cpu:8]" os="map[name:linux]" runtime="map[go_maxprocs:8 go_numcgocalls:1 go_numroutines:21 name:go version:go1.14.6]" type=service

Oh, and my OAuth won't work. So, there's that.

Oddly, I have about a dozen other containers that seem to be working fine.

Any help? Happy to buy someone a beer or a coffee if they can help solve this headache for me!

Looking through the forums, I think my problems might be similar to Pihole TCP/UDP Services for port 53 behind Traefik - Traefik v2 (latest) - Traefik Labs Community Forum which @cakiwi seemed to sort out, but I couldn't figure it out.

I have just stumbled over this topic.

@CoreyVidal, do you still have the problem?
Are you aware of:

• Pi-hole + traefik = DNS-over-TLS : pihole (reddit.com)
• Traefik (not in Docker) - Pi-hole documentation (pi-hole.net)