Pihole v6 webgui behind Traefik

papalozarou · March 1, 2025, 4:00pm

Have just spent the last three and a half hours tearing my hair out trying to make this work. Am migrating from v5.

If I leave the default ports alone, trying to hit the url times out. If I change the port of Pihole via a FTLCONF_webserver_port Traefik cannot see Pihole and exposing the changed port does nothing – as in it doesn't appear as exposed when running docker ps -a.

I'm at a loss as to where to go here, other than to revert back to v5.

Docker compose snippet:

pihole:
    image: pihole/pihole:latest
    container_name: pihole
    hostname: pihole
    networks:
      network_name:
        ipv4_address: 10.5.0.3
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - 53:53/tcp
      - 53:53/udp
    environment:
      TZ: Cont/City
      FTLCONF_dns_listeningMode: all
      FTLCONF_dns_upstreams: 10.5.0.4#5053
      FTLCONF_webserver_domain: "pihole.domain.com"
      FTLCONF_webserver_interface_theme: default-auto
      FTLCONF_webserver_interface_boxed: false
    volumes:
      - "./pihole/etc-pihole:/etc/pihole"
      - "./pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
    cap_add:
      - NET_ADMIN
    depends_on:
     - cloudflared
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.domain.com`)"
      - "traefik.http.middlewares.pihole-redirect.redirectregex.regex=^https://pihole.domain.com/?$$"
      - "traefik.http.middlewares.pihole-redirect.redirectregex.replacement=https://pihole.domain.com/admin"
    restart: unless-stopped

Bucking_Horn · March 1, 2025, 4:03pm

Please share the output of:

docker ps

docker image ls pihole/pihole

papalozarou · March 1, 2025, 4:08pm

Thanks for the quick reply.

Output of docker compose ps -a:

NAME                COMMAND                  SERVICE             STATUS               PORTS
cloudflared         "/usr/local/bin/clou…"   cloudflared         running (healthy)   49312/tcp
dhcp-helper         "dhcp-helper -n -s 1…"   dhcp-helper         running              
pihole              "start.sh"               pihole              running (healthy)   0.0.0.0:53->53/tcp, 0.0.0.0:53->53/udp, :::53->53/tcp, :::53->53/udp
traefik             "/entrypoint.sh trae…"   traefik             running              0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8080->8080/tcp, :::80->80/tcp, :::443->443/tcp, :::8080->8080/tcp

Image is latest:

pihole              pihole/pihole             latest              cf5e7ddfcd9a        106MB

Bucking_Horn · March 1, 2025, 4:22pm

latest is just the tag as present at the time the image was downloaded, so you could still have been running from a v5 image.
But size as well as the COMMAND from the container list suggest it's indeed a v6 image and container.

Contrary to your description, your docker compose is void of any FTLCONF_webserver_port or ports declarations for port 80.

What's your container's network mode?

When that mode is allowing your container to declare ports, as your compose suggests, there would be not need to adjust FTLCONF_webserver_port.

Did you try having Docker map port 80 yet?

    ports:
      - 53:53/tcp
      - 53:53/udp
      - 8081:80/tcp

papalozarou · March 1, 2025, 4:32pm

Thanks again for the reply – can't @ you as I'm new here

Sorry, the config I posted was the last config I'd tried, i.e. not specifying a port, running with the defaults of 80,443. Specifying the defaults under port would error as traefik already occupies those ports on the host, so my hope was that I'd be able to get away with only exposing the ports on the docker network vs mapping to host ports.

I've just tried FTLCONF_webserver_port: 8089 now and… appear to have gotten it working. It didn't seem to work on port 8081, however this works. I have no idea why if I'm honest, but I'll take it

Thanks for your help, it's appreciated.

Updated compose snippet in case it helps anyone else:

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    hostname: pihole
    networks:
      network_name:
        ipv4_address: 10.5.0.3
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - 53:53/tcp
      - 53:53/udp
    expose:
      - 8089
    environment:
      TZ: Europe/London
      FTLCONF_dns_listeningMode: all
      FTLCONF_dns_upstreams: 10.5.0.4#5053
      FTLCONF_webserver_domain: "pihole.domain.com"
      FTLCONF_webserver_interface_theme: default-auto
      FTLCONF_webserver_interface_boxed: false
      FTLCONF_webserver_port: 8089
    volumes:
      - "./pihole/etc-pihole:/etc/pihole"
      - "./pihole/etc-dnsmasq.d:/etc/dnsmasq.d"
    cap_add:
      - NET_ADMIN
    depends_on:
     - cloudflared
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.domain.com`)"
      - "traefik.http.middlewares.pihole-redirect.redirectregex.regex=^https://pihole.domain.com/?$$"
      - "traefik.http.middlewares.pihole-redirect.redirectregex.replacement=https://pihole.domain.com/admin"
      - "traefik.http.services.pihole.loadbalancer.server.port=8089"
      - "traefik.http.services.pihole.loadbalancer.passhostheader=true"
    restart: unless-stopped

Bucking_Horn · March 1, 2025, 5:00pm

I see no reason why mapping - 8089:80/tcp should not have worked, without the need to also set FTLCONF_webserver_port.

rdwebdesign · March 1, 2025, 9:38pm

~~The correct variable is FTLCONF_webserver_api_port.~~

I made a confusion... The variable you used is correct.

lordcheeto · June 18, 2025, 11:39pm

Slightly different issue, but in case anyone else stumbles on this, my Traefik configuration for v5 had middleware to strip out the /admin from URLsm - stripping out the /admin from calls to the reverse proxy using redirectRegex and adding it back in for the backend call between the reverse proxy and service using addPrefix. This worked for v5, but v6 changed the API endpoint from /admin/api to /api. So /admin isn't superfluous anymore.

You can probably do something with webserver.paths.webhome in the config, but I just removed these from my Traefik config.

IrishTR · November 23, 2025, 7:07pm

I’m havin a heck of a time trying to get this new Pihole 6 to work with Traefik, would you mind sharing your config?

orb71 · December 6, 2025, 3:25pm

Hi @IrishTR

If you need a working configuration, here’s the one I use. Just replace the pihole.example.com & myresolver value with your own. This setup sends you straight to the Pi-hole login page. Tested and working with Pi-hole v6 and Traefik v3.

- traefik.enable=true
- traefik.http.services.pihole.loadbalancer.server.port=80
- traefik.http.services.pihole.loadbalancer.passHostHeader=true
# Main router for all paths except "/"
- traefik.http.routers.pihole.rule=Host(`pihole.example.com`)
- traefik.http.routers.pihole.entryPoints=websecure
- traefik.http.routers.pihole.tls=true
- traefik.http.routers.pihole.tls.certresolver=myresolver
- traefik.http.routers.pihole.service=pihole
# Root router to rewrite "/" to "/admin/"
- traefik.http.routers.pihole-root.rule=Host(`pihole.example.com`) && Path(`/`)
- traefik.http.routers.pihole-root.entryPoints=websecure
- traefik.http.routers.pihole-root.tls=true
- traefik.http.routers.pihole-root.tls.certresolver=myresolver
- traefik.http.routers.pihole-root.service=pihole
- traefik.http.routers.pihole-root.middlewares=pihole-root-rewrite
# Middleware rewriting root to /admin/
- traefik.http.middlewares.pihole-root-rewrite.replacePath.path=/admin/

Note: Pi-hole always redirects to /admin/login, so there’s no simple way to keep the root URL in the address bar.