@diyfr
Created September 29, 2023 14:39
AdGuard Home + Traefik

Edit traefik.yml:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
  dot: # <- ADD THIS
    address: ":853"  # <- ADD THIS

The dot entrypoint is only for AdGuard Home. Check the Traefik dashboard.

Add the port to the Traefik container (compose file):

    ports:
      - "80:80"
      - "443:443"
      - "853:853"

AdGuard Home compose file:

services:
  # see @url:https://ae3.ch/adguard-home-docker-with-dns-over-https-and-traefik/
  adguard:
    image: adguard/adguardhome:latest
    container_name: adguard
    restart: unless-stopped
    environment:
      - TZ=Europe/Paris
    expose:
      - "80"
      - "53"
      - "853"
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    networks:
      - traefik
    volumes:
      - /home/docker/vol/adguard/work:/opt/adguardhome/work
      - /home/docker/config/adguard/conf:/opt/adguardhome/conf
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.adguard.entrypoints=web"
      - "traefik.http.routers.adguard.rule=Host(`dns.domain.tld`)" # change with your own domain/sub domain
      - "traefik.http.routers.adguard.middlewares=https-redirect@file"
      - "traefik.http.routers.adguard-secure.entrypoints=websecure"
      - "traefik.http.routers.adguard-secure.rule=Host(`dns.domain.tld`)" # change with your own domain/sub domain
      - "traefik.http.routers.adguard-secure.tls=true"
      - "traefik.http.routers.adguard-secure.tls.certresolver=letsencrypt"
      - "traefik.http.routers.adguard-secure.service=adguard-secure"
      - "traefik.http.services.adguard-secure.loadbalancer.server.port=80" # 3000 at first; change to 80 after the first reboot and after setting up the admin account
      - "traefik.docker.network=traefik"

      - "traefik.tcp.routers.adguard-tls.rule=HostSNI(`dns.domain.tld`)" # change with your own domain/sub domain
      - "traefik.tcp.routers.adguard-tls.tls=true"
      - "traefik.tcp.routers.adguard-tls.entrypoints=dot"
      - "traefik.tcp.routers.adguard-tls.tls.certresolver=letsencrypt"
      - "traefik.tcp.routers.adguard-tls.service=adguard-tls"
      - "traefik.tcp.services.adguard-tls.loadbalancer.server.port=53"

After the first boot, edit /home/docker/config/adguard/conf/AdGuardHome.yml.
In the tls section:

tls:
  enabled: true # <- Enable this
  server_name: dns.domain.tld # <- Update this
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true #<- Set true 
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false

Restart the adguard container.

DNS now works on: standard DNS on port 53, DNS over TLS on port 853, DNS over HTTPS on port 443.

cmuck commented Mar 4, 2026

By default, Traefik uses the first exposed port of a container.
Setting the label traefik.xxx.services.yyy.loadbalancer.server.port overrides that behavior and tells Traefik to use the port to connect to the container. Port 853 is the dedicated standard port for DNS over TLS (DoT).

"traefik.tcp.services.adguard-tls.loadbalancer.server.port=53"

This would tell Traefik for adguard-tls to connect to the container on port 53, which is not DoT; the container is using 853 for DoT and 53 for standard DNS, meaning you would route adguard-tls to standard DNS of the container.
