TLS Certification for Dashboard behind Traefik

The issue I am facing: I managed to set up my Pi-hole Docker instance behind a Traefik instance and access it through a given CNAME record. However, Pi-hole is still using its self-generated certificate (which the browser says is insecure) instead of the one generated through Traefik (which is safe and is used by other services).

Details about my system:

Traefik Compose file
---
services:
  traefik:
    image: traefik:v3.4.0
    container_name: traefik
    command:
      # Enables the dashboard/API on the 'traefik' entrypoint (:8080) without
      # authentication; with 8080 published below it is reachable unauthenticated
      # from the LAN, in addition to the basic-auth-protected traefik-secure route.
      - "--api.insecure=true"
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      proxy:
    ports:
      - 80:80
      - 443:443
      - 8080:8080
    environment:
      CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN}
    volumes:
      - /media/SERVER/Docker/Security/traefik/data/traefik.yaml:/etc/traefik/traefik.yaml:ro
      - /media/SERVER/Docker/Security/traefik/data/conf:/etc/traefik/conf
      - /media/SERVER/Docker/Security/traefik/ssl:/ssl-certs
      - /media/SERVER/Docker/Security/traefik/logs:/var/log/traefik
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      # Note: this Host differs from the one on traefik-secure below, so a request
      # redirected from here to https has no matching https router in this file.
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.localname`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=[REDACTED]"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      # Defined but not attached to any router in this file.
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.name`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=domain.localname"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.domain.localname"
      - "traefik.http.routers.traefik-secure.tls.domains[1].main=domain.name"
      - "traefik.http.routers.traefik-secure.tls.domains[1].sans=*.domain.name"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      
networks:
  proxy:
    external: true
Pi-hole Compose file
---
services:
  pihole:
    hostname: lnxhole
    domainname: local
    container_name: lnxhole
    image: pihole/pihole:latest
    mac_address: [REDACTED]
    cap_add:
      - NET_ADMIN
      - SYS_TIME
    networks:
      macvlan0:
        ipv4_address: 192.168.0.9
      proxy:
    ports:
      - 53/tcp
      - 53/udp
    dns:
      - 1.1.1.1
    volumes:
      - /media/SERVER/Docker/Pihole/etc-pihole:/etc/pihole
      - /media/SERVER/Docker/Pihole/backups:/backups
    environment:
      FTLCONF_dns_reply_host_ipv4: 192.168.0.9
      FTLCONF_webserver_api_password: ${ADMIN_PASS}
      FTLCONF_webserver_domain: 'pihole.domain.localname'
      # Pi-hole listens on 80 with a redirect to HTTPS ('r') and on 443 with TLS ('s'),
      # presenting its own self-generated certificate on 443.
      FTLCONF_webserver_port: '80r,443s'
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.entrypoints=http"
      - "traefik.http.routers.pihole.rule=Host(`pihole.domain.localname`)"
      - "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.pihole.middlewares=pihole-https-redirect"
      - "traefik.http.routers.pihole-secure.entrypoints=https"
      - "traefik.http.routers.pihole-secure.rule=Host(`pihole.domain.localname`)"
      - "traefik.http.routers.pihole-secure.tls=true"
      # No certresolver is named here, so Traefik picks a certificate for this router
      # from its TLS store by SNI (the cloudflare wildcard for *.domain.localname once
      # it has been obtained); with no match it serves its built-in self-signed
      # "TRAEFIK DEFAULT CERT".
      - "traefik.http.routers.pihole-secure.service=pihole"
      # Pi-hole's webserver speaks TLS on 443 ('443s' above), so Traefik must connect
      # with https; without scheme=https it sends plain HTTP to a TLS port. Pi-hole's
      # own certificate is self-signed, so backend verification is switched off for
      # this service only. That hop stays on the internal 'proxy' network and the
      # browser sees Traefik's certificate, not Pi-hole's. (The alternative is to run
      # Pi-hole's webserver on plain '80' and point Traefik at port 80.)
      - "traefik.http.services.pihole.loadbalancer.server.port=443"
      - "traefik.http.services.pihole.loadbalancer.server.scheme=https"
      - "traefik.http.services.pihole.loadbalancer.serverstransport=pihole-tls@docker"
      - "traefik.http.serversTransports.pihole-tls.insecureSkipVerify=true"
      - "traefik.docker.network=proxy"
    restart: unless-stopped
    
networks:
  macvlan0:
    external: true
  proxy:
    external: true

What I have changed since installing Pi-hole: Only that Pi-hole is set on a Macvlan just for a dedicated IP with conditional forwarding to my Unifi, but you can ignore that.
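A quick way to tell where the certificate the browser complains about actually comes from is to check, for the same SNI, what the resolved address presents versus what the Traefik host and the Pi-hole macvlan address present directly. The script below is an added example written for this page, not code from the post or from the Pi-hole or Traefik projects. It assumes the `openssl` CLI (1.1.1 or newer, for `x509 -ext`) is on PATH; the hostname `pihole.domain.localname`, the Pi-hole address `192.168.0.9` and any Traefik address you pass are taken from the post or supplied by you and are only examples. It classifies each presented certificate as Traefik's built-in placeholder (subject `TRAEFIK DEFAULT CERT`), a self-signed certificate (subject equals issuer, which is what a service's own generated certificate looks like), or CA-issued, and checks whether the SANs cover the hostname.

```python
#!/usr/bin/env python3
"""Show which TLS certificate a hostname really presents and whether the name
resolves to the reverse proxy or straight to the Pi-hole container.

Added example, not part of the original post. Assumes the `openssl` CLI is on
PATH. Host name and addresses are assumptions taken from the post.
"""
import socket
import subprocess
import sys

END_MARK = "-----END CERTIFICATE-----"


def fetch_cert_pem(ip, port=443, sni=None, timeout=5):
    """Connect to ip:port with the given SNI and return the leaf certificate as
    PEM. `openssl s_client` is used so an untrusted (self-signed) certificate
    can still be inspected, which Python's ssl module will not hand back."""
    cmd = ["openssl", "s_client", "-connect", f"{ip}:{port}"]
    if sni:
        cmd += ["-servername", sni]
    proc = subprocess.run(cmd, input="", text=True, capture_output=True, timeout=timeout)
    start = proc.stdout.find("-----BEGIN CERTIFICATE-----")
    end = proc.stdout.find(END_MARK)
    if start < 0 or end < 0:
        raise RuntimeError(f"no certificate from {ip}:{port}: {proc.stderr.strip()}")
    return proc.stdout[start:end + len(END_MARK)] + "\n"


def x509_text(pem):
    """Print subject, issuer and SAN extension of a PEM certificate."""
    cmd = ["openssl", "x509", "-noout", "-subject", "-issuer", "-ext", "subjectAltName"]
    return subprocess.run(cmd, input=pem, text=True, capture_output=True, check=True).stdout


def parse_x509_text(text):
    """Parse x509_text() output into {"subject", "issuer", "sans"}.
    Pure function, so it can be exercised on constructed input."""
    info = {"subject": "", "issuer": "", "sans": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            info["subject"] = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            info["issuer"] = line[len("issuer="):].strip()
        elif line.startswith("DNS:"):
            # SAN entries are comma separated; keep the DNS names, drop IP entries
            info["sans"] += [p.strip()[len("DNS:"):] for p in line.split(",")
                             if p.strip().startswith("DNS:")]
    return info


def classify(info):
    """'traefik-default': Traefik's placeholder when nothing in its TLS store
    matches the SNI; 'self-signed': subject equals issuer, e.g. a service's own
    generated certificate; otherwise 'ca-issued' (e.g. from the ACME resolver)."""
    if "TRAEFIK DEFAULT CERT" in info["subject"]:
        return "traefik-default"
    if info["subject"] == info["issuer"]:
        return "self-signed"
    return "ca-issued"


def san_matches(hostname, sans):
    """True if hostname matches a SAN exactly or via a single left-most
    wildcard label (*.example.com covers a.example.com, not a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def check(hostname, candidates):
    """Resolve hostname, then fetch and classify the certificate presented by
    the resolved address and by each (label, ip) candidate, all with the same
    SNI. If 'resolved' equals the Pi-hole address, the browser never reaches
    Traefik at all and Pi-hole's own certificate is the expected outcome."""
    resolved = socket.gethostbyname(hostname)
    results = []
    for label, ip in [("resolved", resolved)] + list(candidates):
        try:
            info = parse_x509_text(x509_text(fetch_cert_pem(ip, sni=hostname)))
            results.append({"target": label, "ip": ip, "kind": classify(info),
                            "subject": info["subject"], "issuer": info["issuer"],
                            "name_matches": san_matches(hostname, info["sans"])})
        except Exception as exc:  # unreachable host, no TLS on 443, openssl missing
            results.append({"target": label, "ip": ip, "error": str(exc)})
    return results


if __name__ == "__main__":
    # usage: certcheck.py <hostname> <traefik-ip> [<pihole-ip>]   (values are assumptions)
    host = sys.argv[1] if len(sys.argv) > 1 else "pihole.domain.localname"
    traefik_ip = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.1"
    pihole_ip = sys.argv[3] if len(sys.argv) > 3 else "192.168.0.9"
    for r in check(host, [("traefik", traefik_ip), ("pihole-direct", pihole_ip)]):
        print(r)
```

Run it from a machine that uses Pi-hole as its resolver, so `resolved` reflects the same answer the browser gets. If `resolved` is the Pi-hole address, the CNAME is the problem rather than Traefik; if it is the Traefik address and the certificate there is `traefik-default` or does not match the name, the issue is in Traefik's TLS store or router configuration; if Traefik presents a valid, matching certificate, the browser warning comes from a direct connection to Pi-hole.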
