I'm trying to access my Pi-hole container from pihole.mydomain.com without any ports or /admin, and I swear the multitude of posts on the internet make this seem really straightforward. Perhaps it is and I'm being dumb, but I cannot get it to work.
Below is my current docker-compose for both Traefik and Pi-hole:
version: "3.7"
services:
traefik:
container_name: traefik
image: traefik:latest
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
- medianet
ports:
- 80:80
- 443:443
environment:
- CF_API_EMAIL=${CF_API_EMAIL}
- CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
- TZ=${TZ}
- PUID=${PUID}
- PGID=${PGID}
volumes:
- /etc/localtime:/etc/localtime:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /path/to/traefik:/etc/traefik
- /path/to/shared:/shared
- /path/to/traefik/logs/traefik.log:/etc/traefik/logs/traefik.log
- /path/to/traefik/logs/access.log:/etc/traefik/logs/access.log
labels:
- traefik.enable=true
- traefik.http.routers.traefik.entrypoints=http
- traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_HOST}`)
- traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_USER_PASS}
- traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
- traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.traefik.middlewares=traefik-https-redirect
- traefik.http.routers.traefik-secure.entrypoints=https
- traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DASHBOARD_HOST}`)
- traefik.http.routers.traefik-secure.middlewares=traefik-auth
- traefik.http.routers.traefik-secure.tls=true
- traefik.http.routers.traefik-secure.tls.certresolver=cloudflare
- traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_BASE_DNS}
- traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${TRAEFIK_BASE_DNS}
- traefik.http.routers.traefik-secure.service=api@internal
pihole:
container_name: pihole
image: pihole/pihole:latest
restart: unless-stopped
networks:
- medianet
- npm_network
domainname: mydomain.com
hostname: pihole
ports:
- 53:53/tcp
- 53:53/udp
environment:
- TZ=${TZ}
- WEBPASSWORD=${WEBPASSWORD}
- FTLCONF_LOCAL_IPV4=192.168.1.116
- WEBTHEME=default-auto
- DNSMASQ_LISTENING=ALL
- VIRTUAL_HOST=pihole.mydomain.com
volumes:
- /path/to/pihole:/etc/pihole
- /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
cap_add:
- NET_ADMIN
labels:
- traefik.enable=true
- traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
- traefik.http.routers.pihole.entrypoints=https
- traefik.http.routers.pihole.tls=true
- traefik.http.routers.pihole.service=pihole
- traefik.http.services.pihole.loadbalancer.server.port=80
The Pi-hole one will load the login page and, upon entering the password and logging in, it will simply bring me back to the login page. So just keeps looping around.
The Traefik config is working with lots of other containers, all of which are using SSL certificates, so I'm pretty sure my Traefik config is okay.
I've tried middlewares to addprefix=/admin, which just ends up looping round with multiple /admin prefixes and also doesn't work.
Anybody got any ideas?
I'm aware I don't have to put Pi-hole behind SSL as I'm not exposing any of this stuff to the open internet (ports 80 and 443 are not forwarded on my router, and I'm using local DNS records in Pi-hole to access via subdomains).
Happy to post my traefik.yml and config.yml files if needed.
UPDATE: I seem to have figured it out! Below is my final Pi-hole docker-compose - the Traefik one remains unchanged from the original post:
pihole:
container_name: pihole
image: pihole/pihole:latest
restart: unless-stopped
networks:
- medianet
- npm_network
domainname: mydomain.com
hostname: pihole
ports:
- 53:53/tcp
- 53:53/udp
environment:
- TZ=${TZ}
- WEBPASSWORD=${WEBPASSWORD}
- FTLCONF_LOCAL_IPV4=192.168.1.116
- WEBTHEME=default-auto
- DNSMASQ_LISTENING=ALL
- VIRTUAL_HOST=pihole.mydomain.com
volumes:
- /path/to/pihole:/etc/pihole
- /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
cap_add:
- NET_ADMIN
labels:
- traefik.enable=true
- traefik.http.routers.pihole.entrypoints=http
- traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
- traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https
- traefik.http.routers.pihole.middlewares=pihole-https-redirect
- traefik.http.routers.pihole.service=pihole
- traefik.http.routers.pihole-secure.entrypoints=https
- traefik.http.routers.pihole-secure.rule=Host(`pihole.mydomain.com`)
- traefik.http.routers.pihole-secure.tls=true
- traefik.http.routers.pihole-secure.service=pihole
- traefik.http.services.pihole.loadbalancer.server.port=80
If you expose port 80 on the PiHole service, can you login? Are you certain it's a problem with Traefik? The PiHole could just be having problems.
You might also look into the 302 redirect that PiHole does upon login. It might not play nicely with Traefik.
Before putting Pi-hole behind Traefik, it worked perfectly via :/admin. And the logs for Pi-hole now in Traefik show that it is up and working, and I get the login page. But just can't get beyond it.
The guides I've seen show how to structure the Traefik labels with and without the addprefix middleware, and both apparently work. So I'm wondering if by following several guides and taking bits from each, I've ended up overlooking something.
I'll try and expose 80 and see if it makes a difference, but like I say everything is up and running in the backend, I just can't get past the login screen on the frontend.