Traefik and PiHole with Docker: forward client IP

I recently started using Traefik as a reverse proxy for my Docker services. So far everything works fine, except that the client IP addresses aren't forwarded; only Traefik's internal Docker IP is shown. How can I make the original client IP addresses available to my services?

As a minimal setup example I use Traefik and Pi-hole, with the following configurations:

docker-compose.traefik.yml

version: "3"

services:

  traefik:
    container_name: traefik
    image: traefik
    restart: always
    networks:
      - local
    ports:
      # DNS is published on the Traefik container and proxied to Pi-hole
      - 53:53/tcp
      - 53:53/udp
      - 80:80/tcp
      - 443:443/tcp
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "traefik:/etc/traefik/"
    command:
      - "--global.checknewversion=true"
      - "--global.sendanonymoususage=false"
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/etc/traefik/config"
      - "--providers.file.watch=true"
      - "--entrypoints.dnstcp.address=:53/tcp"
      - "--entrypoints.dnsudp.address=:53/udp"
      - "--entrypoints.http.address=:80/tcp"
      - "--entrypoints.http.http.redirections.entryPoint.to=https"
      - "--entrypoints.http.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.https.address=:443/tcp"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.rule=Host(`traefik.raspberrypi.local`)"
      - "traefik.http.routers.traefik.service=api@internal"
volumes:
  traefik:
    name: traefik
networks:
  local:
    name: local

dynamic_config.yml

tls:
  certificates:
    - certFile: /etc/traefik/certs/raspberrypi.local.crt
      keyFile: /etc/traefik/certs/raspberrypi.local.key

docker-compose.pihole.yml

version: "3"

services:

  pihole:
    container_name: pihole
    image: pihole/pihole
    restart: always
    networks:
      - local
    environment:
      TZ: "Europe/Berlin"
    volumes:
      - "/var/lib/docker/volumes/pihole/_data/etc-pihole/:/etc/pihole/"
      - "/var/lib/docker/volumes/pihole/_data/etc-dnsmasq.d/:/etc/dnsmasq.d/"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.pihole.entrypoints=https"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.routers.pihole.rule=Host(`pihole.raspberrypi.local`)"
      - "traefik.http.routers.pihole.middlewares=pihole-prefix"
      - "traefik.http.middlewares.pihole-prefix.addPrefix.prefix=/admin"
      - "traefik.http.services.pihole.loadbalancer.server.port=80"

      - "traefik.tcp.routers.dnstcp.entrypoints=dnstcp"
      - "traefik.tcp.routers.dnstcp.rule=HostSNI(`*`)"
      - "traefik.tcp.services.pihole.loadbalancer.server.port=53"

      - "traefik.udp.routers.dnsudp.entrypoints=dnsudp"
      - "traefik.udp.services.pihole.loadbalancer.server.port=53"

volumes:
  pihole:
    name: pihole
networks:
  local:
    name: local

When using Traefik, only one IP (domain) shows in the client list, which is actually Traefik's internal Docker IP. Without Traefik the list shows all the local network IP addresses.

I am wondering if this has to do with the PASS HOST HEADER setting of the UDP service, which seems to be set to false by default?

I did not manage to turn it to true. Adding this to the UDP service did not help and made Traefik crash:
- "traefik.udp.services.pihole.loadbalancer.passHostHeader=true"

But maybe the problem is somewhere else?

Thanks for any help in advance!

Hi chris25,

do you have any solution for that?

I have exactly the same problem.

matthias

Unfortunately not. Sadly, no single answer here either :frowning:
I also raised the question at traefik: https://community.traefik.io/t/traefik-and-pihole-with-docker-forward-client-ip/9933 maybe at some point we can get some input on this :slight_smile:

It's not related to Pi-hole; it's about networking in general and Docker's network isolation in particular.
I've switched your topic to the Community Help category accordingly.

Pi-hole is at the receiving end here; it will have to make do with the IP address or addresses it sees DNS traffic originating from.

If you isolate Pi-hole and Traefik in a Docker bridge network, Docker will NAT all requests into that network.
You may be able to overcome this by employing EDNS0 (if both Docker and Traefik would support that), or by choosing a different Docker network mode.

Even then, Traefik may also NAT or otherwise alter requests, which would have to be addressed separately in Traefik, if possible (note that I am not familiar with Traefik at all).

It's a good idea to consider other sources at Traefik and Docker for help with this. :wink:
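The two points made in the post above, that a proxy or NAT in the path replaces the client's source address with its own, and that EDNS0 can carry the client's network inside the query, can be shown without any Docker, Traefik or Pi-hole involved. The following is an added example and not code from the thread, from Pi-hole or from Traefik: it runs a client, a byte-copying UDP relay and a backend on loopback sockets, and it builds and parses the EDNS0 Client Subnet option (ECS, RFC 7871). The IP addresses, the query name and the port assignments are constructed test values; whether a resolver behind such a relay honours ECS is up to that resolver, and a relay that only copies bytes will not add the option by itself.

```python
"""Added example (not from the thread, Pi-hole or Traefik): a UDP relay hides
the client address from the backend; an EDNS0 Client Subnet option (RFC 7871)
can carry the client's network inside the DNS query. Constructed test values."""
import ipaddress
import socket
import struct
import threading

OPT_TYPE, ECS_CODE = 41, 8  # OPT pseudo-RR type and the ECS option code


def build_query(qname, client_ip=None, prefix_len=24, txid=0x1234):
    """A-record query for qname; with client_ip, append an OPT RR carrying ECS."""
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    question += struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    arcount = 0 if client_ip is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD flag set
    if client_ip is None:
        return header + question
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    family = 1 if net.version == 4 else 2
    # RFC 7871: only the prefix bytes are sent, host bits zeroed; scope is 0 in queries
    addr = net.network_address.packed[: (prefix_len + 7) // 8]
    ecs = struct.pack(">HBB", family, prefix_len, 0) + addr
    rdata = struct.pack(">HH", ECS_CODE, len(ecs)) + ecs
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = extended RCODE/flags
    opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata
    return header + question + opt


def _skip_name(buf, off):
    """Advance past a wire-format name (label sequence or compression pointer)."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def parse_ecs(buf):
    """Return (client_network, scope) from the ECS option of a DNS message, or None."""
    qd, an, ns, ar = struct.unpack(">HHHH", buf[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype != OPT_TYPE:
            continue
        p = 0
        while p + 4 <= len(rdata):  # walk the option list inside the OPT RR
            code, olen = struct.unpack(">HH", rdata[p:p + 4])
            body, p = rdata[p + 4:p + 4 + olen], p + 4 + olen
            if code != ECS_CODE:
                continue
            family, src, scope = struct.unpack(">HBB", body[:4])
            cls, size = (ipaddress.IPv4Network, 4) if family == 1 else (ipaddress.IPv6Network, 16)
            packed = body[4:].ljust(size, b"\x00")  # restore the zeroed host bits
            return cls((packed, src), strict=False), scope
    return None


def relay_demo(client_ip="192.168.178.20", prefix_len=24):
    """Client -> relay -> backend on loopback; the relay copies bytes like a UDP proxy."""
    def udp():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))
        s.settimeout(3)
        return s
    client, relay_in, relay_out, backend = udp(), udp(), udp(), udp()
    seen = {}

    def backend_side():
        data, peer = backend.recvfrom(512)
        seen["peer"], seen["ecs"] = peer, parse_ecs(data)

    def relay_side():
        data, _client = relay_in.recvfrom(512)
        # Sent from the relay's own socket: the backend can only see that address
        relay_out.sendto(data, backend.getsockname())

    threads = [threading.Thread(target=backend_side), threading.Thread(target=relay_side)]
    for t in threads:
        t.start()
    client.sendto(build_query("pi.hole", client_ip, prefix_len), relay_in.getsockname())
    for t in threads:
        t.join()
    result = {"client": client.getsockname(), "relay_egress": relay_out.getsockname(),
              "backend_saw": seen.get("peer"), "ecs": seen.get("ecs")}
    for s in (client, relay_in, relay_out, backend):
        s.close()
    return result


if __name__ == "__main__":
    r = relay_demo()
    print("backend saw", r["backend_saw"], "but the client was", r["client"])
    print("client network recovered from ECS:", r["ecs"])
```

The backend's `recvfrom()` reports the relay's egress socket, never the client's, which is the same thing Pi-hole observes behind Traefik or Docker's bridge NAT. Only the ECS option inside the payload survives the hop, and it carries a network prefix rather than a host address, which is the privacy trade-off RFC 7871 makes on purpose.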

Thanks for the reply.

I know this topic might not be directly related to Pi-hole but rather to the interaction between Docker, Traefik and Pi-hole, as you described.

I thought this is not an unusual use case, so someone in the community has already faced the same "problem" and thus has a solution.

That's why I was posting here as well.

Hi chris25,

I guess we have to run the Pi-hole compose in network_mode: host.

But then we get many "bind address in use" failures/collisions with the entrypoints from Traefik. I guess we have to refactor a lot... (if we use network_mode: host we don't need any DNS entrypoints).

That way, yesterday I was able to see the clients in the Pi-hole frontend, but the web interface was not routed through Traefik anymore... but that is a little thing, I guess.

Do we want to figure it out together?

Or is it the wrong way?

matthias

We can try, if you have any ideas how.
I posted mine in the first post (which did not work).

I will try Traefik in host mode, but then how do I connect other containers like Pi-hole in bridge mode?
