Serving DoH with AdGuard Home backend running on dual Raspberry Pi

Hey, I'm running Traefik v3 beta 3 and got it working more or less; however, I'm facing one issue with the config for a router that should connect to HTTPS servers running on Raspberry Pi(s) on a different network.

Connectivity is OK and tested. However, the "shield" icon does not come up in the Traefik dashboard.

global:
  checkNewVersion: true
  sendAnonymousUsage: false

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

entryPoints:
  web:
    address: :80 # HTTP entry point
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443 # HTTPS entry point
    http2:
      maxConcurrentStreams: 42
    http3:
      advertisedPort: 443
    transport:
      lifeCycle:
        requestAcceptGraceTimeout: 42
        graceTimeOut: 42
      respondingTimeouts:
        readTimeout: 42
        writeTimeout: 42
        idleTimeout: 42

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /etc/traefik
    watch: true

middlewares:
  hsts:
    headers:
      customResponseHeaders:
        Strict-Transport-Security: "max-age=31536000; includeSubDomains"

http:
  routers:
    doh:
      rule: "Host(`xy.domain.pw`)"
      service: "doh"
      entryPoints: ["websecure"]
  services:
    doh:
      loadBalancer:
        servers:
          - url: "https://dns.domain.pw/dns-query"
          - url: "https://dns2.domain.pw/dns-query"
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/fullchain.cer
        keyFile: /etc/traefik/domain.pw.key

When curling, I see a strange behavior: the site is not running HTTPS on port 443 but rather HTTP, as seen here. Bad request is expected as no valid DoH request was sent.

Any idea how to fix this?

TLS is not enabled globally on entrypoint and not on the router.


Thank you for your response! How would I enable it?

Enable TLS for loaded certs:

http:
  routers:
    doh:
      rule: "Host(`xy.domain.pw`)"
      service: "doh"
      entryPoints: ["websecure"]
      tls: {}

(Doc)

Be aware that you mix Traefik static and dynamic config in your file.

That worked! Thank you!

When I go to xy.domain.pw, I notice that I am not sent to the backend on /dns-query but rather to the root of dns.domain.pw, so I have to add /dns-query again. Is there a way to have it just be on xy.domain.pw?

loadBalancer.servers.url will just use the domain and port as the target. The path stays the same; you need a middleware like addPrefix to change that.

Be aware that standard web apps do not like messing with paths, they usually like to be run on root, so rather only use a sub-domain.

PathPrefix mostly only works with web apps that can be configured with a "base URL" or plain APIs, that don’t return HTML with absolute paths for scripts, images and redirects.

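The two fixes from this thread (TLS on the router, and rewriting the path instead of putting it in the server URL) combined into one Traefik v3 dynamic config file, as an added example that is not from the thread or the Traefik docs. The middleware names `doh-path` and `hsts` are assumed, as is the assumption that the AdGuard Home backends only answer on `/dns-query`; `replacePath` is used rather than `addPrefix` because `addPrefix` would turn a request for `/` into `/dns-query/`.

```yaml
# Added example: /etc/traefik/doh.yml, loaded by the file provider.
# Dynamic config only; global/log/api/entryPoints/providers stay in the static file.
http:
  routers:
    doh:
      rule: "Host(`xy.domain.pw`)"
      entryPoints: ["websecure"]
      service: "doh"
      middlewares: ["doh-path", "hsts"]
      tls: {}   # terminate TLS on this router (this is what lights the "shield")

  middlewares:
    # Rewrite every path on xy.domain.pw to the backend's DoH endpoint.
    # Assumption: the backends serve only /dns-query. The query string
    # (?dns=...) is preserved, which DoH GET requests rely on.
    doh-path:
      replacePath:
        path: "/dns-query"
    # HSTS belongs under http.middlewares, not at the top level of the file.
    hsts:
      headers:
        customResponseHeaders:
          Strict-Transport-Security: "max-age=31536000; includeSubDomains"

  services:
    doh:
      loadBalancer:
        # Only scheme, host and port are taken from the URL; a path here is ignored.
        servers:
          - url: "https://dns.domain.pw"
          - url: "https://dns2.domain.pw"

tls:
  stores:
    default:
      defaultCertificate:
        certFile: /etc/traefik/fullchain.cer
        keyFile: /etc/traefik/domain.pw.key
```

Because the backends are themselves HTTPS, Traefik verifies their certificates with the system trust store by default; if they present certificates for `dns.domain.pw` / `dns2.domain.pw` from a public CA, nothing more is needed.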

Yeah, I was used to that with nginx, where I needed to change backend stuff.
Thank you for your help!

Switched from nginx after running that for years; Traefik is a different mindset.
