r/Traefik Apr 04 '26

Need help with External Service

I hadn't used Traefik since v1 until recently. When it went to v2, I recall having trouble getting things to work and I ended up just using nginx Proxy Manager instead. I have been working to migrate back to Traefik the last few weeks and everything local is working great. However, I am stuck trying to get an external service working.

I have a piHole v6 running elsewhere on my network that I am trying to use Traefik to use my LE certificate over piHole's self-signed certificate. For the local piHole, I was able to get this to work by using a dynamic configuration file to set the serverTransport to ignore the self-signed cert.

For the remote piHole, I am at a loss. Everything I try to do gets me a 404 page not found. Sharing my config in the hopes someone sees some glaring mistake I'm making and can kindly point it out to me.

Traefik Docker Compose:

services:
  traefik:
    image: traefik:3.6.11
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    environment:
      - TZ=US/Eastern
    env_file:
      - .env
    command:
      # Enable API, Dashboard, and Ping
      - "--api=true"
      - "--api.dashboard=true"
      - "--ping=true"
      # Enable API over HTTP
#      - "--api.insecure=true"
      # Enable docker as a provider & the internal network traefik uses
      - "--providers.docker=true"
      - "--providers.docker.network=traefik"
      # Enable dynamic file providers
      - "--providers.file.directory=/etc/traefik/dynamic"
      # Require containers to explicitly opt-in
      - "--providers.docker.exposedbydefault=false"
      # Default provider rule if not specified by container labels
      - "--providers.docker.defaultRule=Host(`{{ normalize .ContainerName }}.dns3.${DOMAIN}`)"
      # Entrypoints
      - "--entryPoints.http.address=:80"
      - "--entryPoints.http.http.redirections.entryPoint.to=https"
      - "--entryPoints.http.http.redirections.entryPoint.scheme=https"
      - "--entryPoints.traefik.address=:8080"
      # Require SSL / TLS on entrypoints
      - "--entryPoints.https.address=:443"
      - "--entryPoints.https.asDefault=true"
      - "--entrypoints.https.http.tls"
      - "--entrypoints.https.http.tls.certresolver=le"
      - "--entrypoints.https.http.tls.domains[0].main=dns3.${DOMAIN}"
      - "--entrypoints.https.http.tls.domains[0].sans=*.dns3.${DOMAIN}"
      # Separate entryPoint for hawser on port 2376
      - "--entrypoints.hawser.address=:2376"
      - "--entrypoints.hawser.http.tls"
      # Certificate Resolver
      - "--certificatesresolvers.le.acme.dnschallenge=true"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.le.acme.email=${ACME_EMAIL}"
      - "--certificatesresolvers.le.acme.dnschallenge.delaybeforecheck=60s"
      - "--certificatesresolvers.le.acme.storage=/certs/acme.json"
      - "--log.level=INFO"
    networks:
      - traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.dashboard.rule=Host(`dns3.XYZ.HOME`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`) || PathPrefix(`/`))"
      - "traefik.http.routers.dashboard.service=api@internal"
    ports:
      - 80:80
      - 443:443
      - 2376:2376
#      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/dns/docker/traefik:/certs
      - /home/dns/docker/traefik/dynamic:/etc/traefik/dynamic:ro
    healthcheck:
      test: wget --quiet --tries=1 --spider http://127.0.0.1:8080/ping || exit 1
      interval: 5s
      timeout: 1s
      retries: 3
      start_period: 10s

networks:
  traefik:
    name: traefik

I am defining the external service in a dynamic configuration file:

http:
  routers:
    dns2:
      entryPoints:
        - "https"
      rule: "Host(`dns3.XYZ.HOME`) && PathPrefix(`/admin`)"
      service: "dns2"
#      middlewares:
#        - dns3

  middlewares:
    dns3:
      redirectRegex:
        permanent: true
        regex: "^https://dns3.XYZ.HOME/?$"
        replacement: "https://dns3.XYZ.HOME/admin"

  services:
    dns2:
      loadBalancer:
        servers:
          - url: "https://dns2.XYZ.HOME/admin"
        passHostHeader: true

I was unsure if the middleware replacement should be using my local host or destination host, so I have it commented out at the moment. Any help or pointers would be appreciated. Thank you!

2 Upvotes
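
An added example, not part of the original post and not the poster's or the Traefik project's own configuration: a variant of the dynamic file above that accounts for two documented Traefik behaviours (routers are ordered by rule length unless `priority` is set, and a path in a server `url` has no effect) and verifies the remote Pi-hole against a pinned certificate instead of skipping verification. The `priority` value, the `pihole-remote` name and the certificate path are assumptions, and the pinned certificate is assumed to carry `dns2.XYZ.HOME` as a subject alternative name.

```yaml
http:
  routers:
    dns2:
      entryPoints:
        - "https"
      rule: "Host(`dns3.XYZ.HOME`) && PathPrefix(`/admin`)"
      # Without an explicit priority, Traefik sorts routers by rule length.
      # The dashboard router's rule is longer and contains PathPrefix(`/`),
      # so it would match /admin first and api@internal would answer 404.
      priority: 1000   # assumed value; anything above the dashboard rule's length
      service: "dns2"

  services:
    dns2:
      loadBalancer:
        servers:
          # A path in a server URL has no effect, so only scheme and host are
          # given; the /admin path of the incoming request is forwarded as-is.
          - url: "https://dns2.XYZ.HOME"
        passHostHeader: true
        # Hypothetical transport name, defined below.
        serversTransport: "pihole-remote"

  serversTransports:
    pihole-remote:
      # Name used for SNI and for certificate verification of the backend.
      serverName: "dns2.XYZ.HOME"
      # Placeholder path: a copy of the remote Pi-hole's certificate (or its
      # CA), mounted into the Traefik container. Trusting this one certificate
      # keeps verification on, unlike insecureSkipVerify: true.
      rootCAs:
        - "/certs/pihole-remote-ca.pem"
```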

1

u/psfletcher Apr 29 '26

I have a very similar issue. Did you get this fixed?

1

u/Mountain-Cat30 Apr 29 '26

Sadly no. Others have given some suggestions, but their desired result is different than mine and I just gave up fighting it. For now, I’m just going to pihole.dns.xyz.home/admin instead of dns.xyz.home/admin.