a short summary #11

Open
rowie opened this issue Mar 2, 2023 · 10 comments
Comments

@rowie

rowie commented Mar 2, 2023

After some small hints like:

  • errors in documentation (wrong path, for example)
  • problems with using sudo (run sudo visudo and append a line as follows:
    ansibleUserName ALL=(ALL) NOPASSWD:ALL)
  • adding my IP to the whitelist (middlewares.yml) for portainer
  • changing the hostname from adfree to adguard (AdGuardHome.yaml)
  • making the formatting in the docker-compose.yml uniform
  • and some other small things ...

it is now finally running ... halfway

... unfortunately some things still do not work and slowly, I begin to despair.

What is not working:

  • traefik dashboard - 404 page not found
  • DoT (enabled on my Android mobile phone - Private DNS) seems to be working, but it is shown as a simple DNS request in Adguard.
  • The thing with the proxy IP is critical for me, because all the deny lists are useless when the container only sees the docker IP

I can't understand why (traefik) in this project is not working like a normal reverse proxy with x-forwarded-for enabled.
Adguard needs the real IP for blocking unwanted clients.

br,
rowie

@rowie
Author

rowie commented Mar 2, 2023

got it!!!!!

add this to traefik.yml for x-forwarding the real client IP:

  websecure:
    address: :443
    proxyProtocol:
      insecure: true
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32" # localhost
        - "10.0.0.0/8" # swarm mode ip range
        - "192.168.0.0/16" # stand-alone after 172.16.0.0/12 is exhausted
        - "172.16.0.0/12" # stand-alone
      insecure: true
  dnsovertls:

source: https://community.traefik.io/t/use-x-forwarded-in-traefik-v2/5206/4
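As an added illustration (not code from the issue or the project), this shows how a service behind Traefik should resolve the client address from X-Forwarded-For given the trustedIPs above: the header is honoured only when the connecting peer is a trusted proxy, and the chain is walked from the right so a spoofed leftmost value is ignored. The trust model is a common one for forwarded headers and is assumed here, not copied from Traefik's or AdGuard's source.

```python
import ipaddress

# Trusted proxy ranges, taken from the traefik.yml snippet in the thread.
TRUSTED_IPS = [
    "127.0.0.1/32",    # localhost
    "10.0.0.0/8",      # swarm mode ip range
    "192.168.0.0/16",  # stand-alone after 172.16.0.0/12 is exhausted
    "172.16.0.0/12",   # stand-alone (default docker bridge networks live here)
]


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(addr, nets):
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def resolve_client_ip(peer_ip, xff_header, trusted_cidrs=TRUSTED_IPS):
    """Return the client IP a service such as AdGuard should log or block on.

    Assumed model of forwardedHeaders.trustedIPs: if the TCP peer is not a
    trusted proxy, X-Forwarded-For is untrusted and the peer itself is the
    client. If the peer is trusted, walk the header from the right, skipping
    trusted hops; the first untrusted hop is the real client. Anything an
    attacker prepends on the left is never reached.
    """
    nets = _networks(trusted_cidrs)
    if not is_trusted(peer_ip, nets) or not xff_header:
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    candidate = peer_ip
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return candidate  # malformed entry: stop at the last valid hop
        if not is_trusted(hop, nets):
            return hop
        candidate = hop
    return candidate  # every hop was a trusted proxy; report the leftmost


if __name__ == "__main__":
    # Constructed sample: Traefik (172.18.0.2) forwards a request for a
    # client at 203.0.113.7 that tried to spoof 1.2.3.4 in the header.
    print(resolve_client_ip("172.18.0.2", "1.2.3.4, 203.0.113.7"))
```

If the docker network Traefik runs on is not covered by trustedIPs, the header is dropped and AdGuard keeps seeing only the proxy address, which is exactly the symptom described in the first comment.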

@rowie
Author

rowie commented Mar 2, 2023

but only for DoH ... because DoT is shown as simple DNS in Adguard ...

@rowie
Author

rowie commented Mar 3, 2023

Next little win!

  • I am able to connect to the Traefik Dashboard after removing the
    "&& (PathPrefix(/api) || PathPrefix(/dashboard))"
    from the
    "traefik.http.routers.traefikdashboard.rule=Host(traefik.{{hostname}})"
    label

  • I expose 53/tcp and 53/udp directly to adguard to see the client's real IP when doing a normal DNS query

The only problem left on my list is that I see the proxy IP when using DoT. When this is working I need a wildcard cert to see the client with a "name" like myandroid.adguard.tld

@bruvv
Collaborator

bruvv commented Mar 4, 2023

The traefik dashboard can only be accessed with:
https://url/dashboard/
It is very picky and you need the last /!

And regarding the stuff you changed, can you either do a PR, or show me where to edit the stuff needed?

@rowie
Author

rowie commented Mar 4, 2023

ok, let me explain:

all my changes are done in the /srv/docker dir!

  • I use an .env file
  • I have made some changes in the docker-compose.yml
    (attached: docker-compose.zip)
  • one in the traefik/rule/middlewares.yml file
    I added my IP @ home to be able to connect to portainer and traefik
  • one in the traefik.yml
    for the trustedIPs for the real IP forwarding

... and all the other things are in these two tickets.

I don't know what's the best and easiest way to help because I am not a dev!
First of all I will attach my compose file ...

@rowie
Author

rowie commented Mar 4, 2023

I was playing around with docker-socket-proxy, but it's not a real security booster ... because you would need more than one proxy with different permissions per container ...

What I will change is the traefik wildcard cert thing in combination with nsone.net

@rowie
Author

rowie commented Mar 4, 2023

> traefik dashboard can only be accessed with: https://url/dashboard/ it is very picky and you need the last /!

Doesn't work for me. Don't know why .. I have tested it with the / at the end but nothing happens

> And regarding the stuff you changed, can you either do a PR? or show me where to edit the stuff needed?

I have to figure out how I can do this because I am not a dev, only a security guy/admin with much time to play around! ;-)

@rowie
Author

rowie commented Mar 4, 2023

maybe I will only apply this to the public-facing traefik container ...
https://chriswiegman.com/2019/11/protecting-your-docker-socket-with-traefik-2/

adguard has no connection to the docker socket

@rowie
Author

rowie commented Mar 8, 2023

Since my server is supposed to be publicly accessible I want to make it as secure as possible. I looked at some tutorials regarding traefik and crowdsec. How did you come up with this traefik config?

@bruvv
Collaborator

bruvv commented Sep 20, 2023

Hi, sorry Ronald for the slow reply, did you manage to get it working? The Traefik config is made by myself using the traefik docs.
