Closed trmdi closed 3 months ago
I currently have the same problem. I am using Traefik as a proxy.
For reference, these are the configs I am using:
docker-compose.yml

```yaml
services:
  traefik:
    image: traefik:3.0
    container_name: traefik
    command:
      - "--global.sendanonymoususage=false"
      - "--log=true"
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.dot.address=:853"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.cf.acme.dnschallenge=true"
      - "--certificatesresolvers.cf.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cf.acme.keyType=EC256"
      - "--certificatesresolvers.cf.acme.email=postmaster@example.domain"
      - "--certificatesresolvers.cf.acme.storage=/traefik/acme.json"
    ports:
      - 80:80/tcp
      - 443:443/tcp
      - 853:853 #DNS-over-TLS
    volumes:
      - "./traefik:/traefik"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: always
    environment:
      - CF_DNS_API_TOKEN=##########

  adguardhome:
    image: adguard/adguardhome:latest
    volumes:
      - ./adguardhome/work:/opt/adguardhome/work
      - ./adguardhome/conf:/opt/adguardhome/conf
    depends_on:
      - traefik
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.routers.adguardhome.rule=Host(`dns.example.domain`)
      - traefik.http.routers.adguardhome.entrypoints=websecure
      - traefik.http.routers.adguardhome.tls=true
      - traefik.http.routers.adguardhome.tls.certresolver=cf
      - traefik.http.services.adguardhome.loadBalancer.server.port=3000
      - traefik.tcp.routers.adguardhome-tls.rule=HostSNI(`dns.example.domain`) || HostSNIRegexp(`^.+\.dns\.example\.domain`)
      - traefik.tcp.routers.adguardhome-tls.tls=true
      - traefik.tcp.routers.adguardhome-tls.tls.domains[0].main=dns.example.domain
      - traefik.tcp.routers.adguardhome-tls.tls.domains[0].sans=*.dns.example.domain
      - traefik.tcp.routers.adguardhome-tls.entrypoints=dot
      - traefik.tcp.routers.adguardhome-tls.tls.certresolver=cf
      - traefik.tcp.routers.adguardhome-tls.service=adguardhome-tls
      - traefik.tcp.services.adguardhome-tls.loadbalancer.server.port=53
```
AdGuardHome.yaml

```yaml
...
tls:
  enabled: true
  server_name: dns.example.domain
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
...
```
Connecting to AdGuard Home via Android's "Private DNS" option works well, but the ClientIDs (like "smartphone.dns.example.domain") do not get recognized.
Prerequisites
[X] I have checked the Wiki and Discussions and found no answer
[X] I have searched other issues and found no duplicates
[X] I want to request a feature or enhancement and not ask a question
The problem
When AGH works behind a reverse proxy and TLS is provided by the proxy, queries to tls://client.dns.example.com work, but AGH does not use `client` as the client ID. How can I make it work?
Proposed solution
Maybe enable the clientIds feature when the Encryption is disabled?
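The ClientID is lost in the setup posted above because Traefik terminates TLS on the `dot` entrypoint and hands AGH plain DNS on port 53, so the SNI (`smartphone.dns.example.domain`) never reaches AGH. The following is an added example, not code from the issue author or from the AdGuard Home project, of the alternative layout: a Traefik TCP router with TLS passthrough, so the TLS handshake (and with it the SNI) terminates in AGH. Since Traefik no longer terminates TLS on that router, the certificate it obtained via ACME is not used for those connections; the example therefore assumes AGH has its own certificate and key covering `dns.example.domain` and `*.dns.example.domain` mounted at `/certs` (the paths and the way that certificate is provisioned are assumptions). The `traefik` service and the HTTP router for the UI stay exactly as in the original compose file and are not repeated here.

```yaml
# Added example (not from the issue or the project). Two documents:
# the changed adguardhome service for docker-compose.yml, then the tls
# section of AdGuardHome.yaml. Paths under /certs are assumptions.
services:
  adguardhome:
    image: adguard/adguardhome:latest
    volumes:
      - ./adguardhome/work:/opt/adguardhome/work
      - ./adguardhome/conf:/opt/adguardhome/conf
      # assumed: fullchain.pem/privkey.pem valid for dns.example.domain and *.dns.example.domain
      - ./adguardhome/certs:/certs:ro
    depends_on:
      - traefik
    restart: always
    labels:
      - traefik.enable=true
      # HTTP router for the web UI: unchanged from the original (Traefik terminates HTTPS,
      # forwards plain HTTP to port 3000), so it is omitted here.
      #
      # DoT: match on SNI but do NOT terminate TLS, so the ClientID label in the SNI
      # arrives at AGH intact.
      - traefik.tcp.routers.adguardhome-dot.entrypoints=dot
      - traefik.tcp.routers.adguardhome-dot.rule=HostSNI(`dns.example.domain`) || HostSNIRegexp(`^.+\.dns\.example\.domain$`)
      - traefik.tcp.routers.adguardhome-dot.tls.passthrough=true
      - traefik.tcp.routers.adguardhome-dot.service=adguardhome-dot
      # Forward the still-encrypted stream to AGH's own DoT listener, not to plain port 53.
      - traefik.tcp.services.adguardhome-dot.loadbalancer.server.port=853
---
# AdGuardHome.yaml, tls section: AGH terminates DoT itself now.
tls:
  enabled: true
  server_name: dns.example.domain
  force_https: false            # keep the plain-HTTP UI reachable through Traefik's router
  port_https: 443
  port_dns_over_tls: 853        # the passthrough target above
  port_dns_over_quic: 0         # DoQ is UDP and is not covered by this TCP passthrough
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true
  certificate_chain: ""
  private_key: ""
  certificate_path: /certs/fullchain.pem   # assumed path; must include the *.dns.example.domain SAN
  private_key_path: /certs/privkey.pem     # assumed path
  strict_sni_check: false
```

To check that the SNI really reaches AGH, open a handshake with an explicit server name, e.g. `openssl s_client -connect dns.example.domain:853 -servername smartphone.dns.example.domain`, and confirm the certificate presented is the one mounted into AGH rather than Traefik's; a DoT query sent over that connection should then be attributed to the client `smartphone`. DNS-over-QUIC is deliberately switched off in this example: Traefik's UDP routers have no SNI routing, so DoQ on UDP 853 would have to be published directly from the AGH container instead of through Traefik.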