The issue I am facing: I managed to set up my Pihole Docker instance behind a Traefik instance and access it through a given CNAME record. However, Pihole is still using its self-generated certificate (which the browser says its insecure) instead of the one generated through Traefik (which is safe and is used by other services).
Details about my system:
Traefik Compose file
---
services:
traefik:
image: traefik:v3.4.0
container_name: traefik
command:
- "--api.insecure=true"
restart: unless-stopped
security_opt:
- no-new-privileges:true
networks:
proxy:
ports:
- 80:80
- 443:443
- 8080:8080
environment:
CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
volumes:
- /media/SERVER/Docker/Security/traefik/data/traefik.yaml:/etc/traefik/traefik.yaml:ro
- /media/SERVER/Docker/Security/traefik/data/conf:/etc/traefik/conf
- /media/SERVER/Docker/Security/traefik/ssl:/ssl-certs
- /media/SERVER/Docker/Security/traefik/logs:/var/log/traefik
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/localtime:/etc/localtime:ro
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik.domain.localname`)"
- "traefik.http.middlewares.traefik-auth.basicauth.users=[REDACTED]"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.name`)"
- "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
- "traefik.http.routers.traefik-secure.tls.domains[0].main=domain.localname"
- "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.domain.localname"
- "traefik.http.routers.traefik-secure.tls.domains[1].main=domain.name"
- "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.domain.name"
- "traefik.http.routers.traefik-secure.service=api@internal"
networks:
proxy:
external: true
Pi-hole Compose file
---
services:
pihole:
hostname: lnxhole
domainname: local
container_name: lnxhole
image: pihole/pihole:latest
mac_address: [REDACTED]
cap_add:
- NET_ADMIN
- SYS_TIME
networks:
macvlan0:
ipv4_address: 192.168.0.9
proxy:
ports:
- 53/tcp
- 53/udp
dns:
- 1.1.1.1
volumes:
- /media/SERVER/Docker/Pihole/etc-pihole:/etc/pihole
- /media/SERVER/Docker/Pihole/backups:/backups
environment:
FTLCONF_dns_reply_host_ipv4: 192.168.0.9
FTLCONF_webserver_api_password: ${ADMIN_PASS}
FTLCONF_webserver_domain: 'pihole.domain.localname'
FTLCONF_webserver_port: '80r,443s'
labels:
- "traefik.enable=true"
- "traefik.http.routers.pihole.entrypoints=http"
- "traefik.http.routers.pihole.rule=Host(`pihole.domain.localname`)"
- "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.pihole.middlewares=pihole-https-redirect"
- "traefik.http.routers.pihole-secure.entrypoints=https"
- "traefik.http.routers.pihole-secure.rule=Host(`pihole.domain.localname`)"
- "traefik.http.routers.pihole-secure.tls=true"
- "traefik.http.routers.pihole-secure.service=pihole"
- "traefik.http.services.pihole.loadbalancer.server.port=443"
- "traefik.docker.network=proxy"
restart: unless-stopped
networks:
macvlan0:
external: true
proxy:
external: true
What I have changed since installing Pi-hole: Only that Pi-hole is set on a Macvlan just for a dedicated IP with conditional forwarding to my Unifi, but you can ignore that.