@diyfr
Created September 29, 2023 14:39
AdGuard Home + Traefik

Edit traefik.yml

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  dot: # <- ADD THIS
    address: ":853"  # <- ADD THIS

The dot entrypoint is only for AdGuard Home. Check the Traefik dashboard.

Add the port to the Traefik container (compose file)

    ports:
      - "80:80"
      - "443:443"
      - "853:853"

AdGuard Home compose file

services:
  # see @url:https://ae3.ch/adguard-home-docker-with-dns-over-https-and-traefik/
  adguard:
    image: adguard/adguardhome:latest
    container_name: adguard
    restart: unless-stopped
    environment:
      - TZ=Europe/Paris
    expose:
      - "80"
      - "53"
      - "853"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    networks:
      - traefik
    volumes:
      - /home/docker/vol/adguard/work:/opt/adguardhome/work
      - /home/docker/config/adguard/conf:/opt/adguardhome/conf
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.adguard.entrypoints=web"
      - "traefik.http.routers.adguard.rule=Host(`dns.domain.tld`)" # change with your own domain/sub domain
      - "traefik.http.routers.adguard.middlewares=https-redirect@file"
      - "traefik.http.routers.adguard-secure.entrypoints=websecure"
      - "traefik.http.routers.adguard-secure.rule=Host(`dns.domain.tld`)" # change with your own domain/sub domain
      - "traefik.http.routers.adguard-secure.tls=true"
      - "traefik.http.routers.adguard-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.adguard-secure.service=adguard-secure"
      - "traefik.http.services.adguard-secure.loadbalancer.server.port=80" # use 3000 for the first-run setup; change to 80 after the first reboot and admin account setup
      - "traefik.docker.network=traefik"

      - "traefik.tcp.routers.adguard-tls.rule=HostSNI(`dns.domain.tld`)" # change with your own domain/sub domain
      - "traefik.tcp.routers.adguard-tls.tls=true"
      - "traefik.tcp.routers.adguard-tls.entrypoints=dot"
      - "traefik.tcp.routers.adguard-tls.tls.certresolver=letsencrypt"
      - "traefik.tcp.routers.adguard-tls.service=adguard-tls"
      - "traefik.tcp.services.adguard-tls.loadbalancer.server.port=53"

After the first boot, edit /home/docker/config/adguard/conf/AdGuardHome.yml
In the tls section:

tls:
  enabled: true # <- Enable this
  server_name: dns.domain.tld # <- Update this
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true #<- Set true 
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false

Restart the adguard container.

DNS works on: standard port 53, TLS 853, DNS over HTTPS 443.

@ruby232

ruby232 commented Dec 24, 2024

Thanks, worked very well for me.

@ruby232

ruby232 commented Dec 24, 2024

The same domain for tls and web does not work; I had to assign another domain for web.
dns.domain.com for tls
adguard.domain.com for web

@georgejung

Thanks so much for this! I did not have to use 2 different domains; I tried both ways, and both seemed to work well. However, since I am using host network_mode for traefik, it was easier to use host for adguard as well. This created a conflict on port 80, so I changed the port in traefik labels from 80 to an unused port. I also had to update the adguard config file itself to the same port. Port 53 had a conflict on Ubuntu, so I followed this link and it solved the conflict - AdguardTeam/AdGuardHome#4283

After that port 53 and 853 were fine. All is well but before I was not able to access internet as the dns wasn't working properly.

@cmuck

cmuck commented Dec 22, 2025

Is this line correct?
- "traefik.tcp.services.adguard-tls.loadbalancer.server.port=53"
Asking since 53 is the unencrypted DNS port, should be 853 for DNS-over-TLS right?

@diyfr
Author

diyfr commented Jan 2, 2026

Is this line correct? - "traefik.tcp.services.adguard-tls.loadbalancer.server.port=53" Asking since 53 is the unencrypted DNS port, should be 853 for DNS-over-TLS right?

"traefik.tcp.routers.adguard-tls.entrypoints=dot"

Traefik provides the TLS certificate: 53 -> 853?

@cmuck

cmuck commented Mar 4, 2026

By default, Traefik uses the first exposed port of a container.
Setting the label traefik.xxx.services.yyy.loadbalancer.server.port overrides that behavior and tells Traefik to use the port to connect to the container. Port 853 is the dedicated standard port for DNS over TLS (DoT).

"traefik.tcp.services.adguard-tls.loadbalancer.server.port=53"

This would tell Traefik for adguard-tls to connect to the container on port 53, which is not DoT; the container is using 853 for DoT and 53 for standard DNS, meaning you would route adguard-tls to the standard DNS of the container.
