Help getting HA running with Traefik

I’m running HA in a Docker container, and I’ve seen a few people recommend using Traefik to access it externally, easily create certificates with Let’s Encrypt etc.

I’ve cobbled together the traefik.toml and docker-compose.yml files but whatever I’ve tried nothing shows up in Traefik’s web frontend. Although I can see that acme.json has successfully added certificates for the domain I’ve included in the traefik.toml file.

Here are my cobbled together files:

traefik.toml

debug = false
checkNewVersion = true
logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[retry]

[web]
address = ":8080"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "MY-DOMAIN.duckdns.org"
watch = true
exposedbydefault = false

[acme]
email = "MY-EMAIL-ADDRESS"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"

[[acme.domains]]
  main = "MY-DOMAIN.duckdns.org"

docker-compose.yml

version: '3'

services:
  traefik:
    container_name: Traefik
    image: traefik
    restart: always
    command: --docker --web --docker.watch --docker.domain=MY-DOMAIN.duckdns.org --docker.exposedbydefault=false
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    networks:
      - web
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/traefik/traefik.toml:/traefik.toml
      - ~/traefik/acme.json:/acme.json

  homeassistant:
    image: homeassistant/home-assistant
    container_name: HomeAssistant
    networks:
      - web
    expose:
      - 8123
    volumes:
     - ~/docker/homeassistant:/config
     - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.backend=HomeAssistant" # Same name as my Home Assistant container?
      - "traefik.docker.network=web"
      - "traefik.frontend.rule=Host:MY-DOMAIN.duckdns.org"
      - "traefik.enable=true"
      - "traefik.port=8123"
      - "traefik.default.protocol=http"
    ports:
      - "8123:8123"
    restart: unless-stopped

networks:
  web:
    external: true

Is there anything I've missed here (or anything in the files that shouldn't be there) that's preventing it from running properly?
1 Like

…never mind, after a bit of messing about I managed to get this up and running.

Can you share what you ended up doing please Jono? I’m in a similar spot right now.

Sure. Presumably you’ve created the docker-compose.yml, traefik.toml, and acme.json files (and changed the permission on the acme.json file).

mkdir -p ~/docker/traefik

touch ~/docker/traefik/docker-compose.yml
touch ~/docker/traefik/acme.json && chmod 600 ~/docker/traefik/acme.json
touch ~/docker/traefik/traefik.toml

I created a network for traefik and the containers called 'proxy'

docker network create proxy


And here’s the code that works for me:

docker-compose.yml

version: '3'

networks:
  proxy:
    external: true

services:
  reverse-proxy:
    container_name: reverse-proxy
    image: traefik
    restart: always
    command: --web --docker
    networks:
      - proxy
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/docker/traefik/traefik.toml:/traefik.toml
      - ~/docker/traefik/acme.json:/acme.json

  homeassistant:
    image: homeassistant/home-assistant
    container_name: home-assistant
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 8123
    volumes:
     - ~/docker/homeassistant_config:/config
     - /etc/localtime:/etc/localtime:ro
    labels:
      - "traefik.backend=home-assistant"
      - "traefik.docker.network=proxy"
      - "traefik.frontend.rule=Host:MY-DOMAIN.COM"
      - "traefik.enable=true"
      - "traefik.port=8123"
      - "traefik.default.protocol=http"

traefik.toml

debug = false

logLevel = "ERROR"
defaultEntryPoints = ["https","http"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

[retry]

[web]
address = ":8080"

[docker]
endpoint = "unix:///var/run/docker.sock"
domain = "docker.localhost"
watch = true
exposedbydefault = false

[acme]
email = "MY-EMAIL-ADDRESS"
storage = "acme.json"
entryPoint = "https"
OnHostRule = true
[acme.httpChallenge]
entryPoint = "http"

[[acme.domains]]
  main = "MY-DOMAIN.COM"
4 Likes
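
A quick way to see what the docker-compose.yml above exposes, as an added example that is not part of the original post: a line-based check that lists host ports published without a bind address and Docker socket mounts. It assumes two-space indentation and list-style ports/volumes, as in the files in this thread; port 8080 is the Traefik dashboard, for which the traefik.toml above configures no authentication.

```python
# Constructed excerpt of the docker-compose.yml from the post above (added example).
COMPOSE = """\
services:
  reverse-proxy:
    image: traefik
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ~/docker/traefik/acme.json:/acme.json
  homeassistant:
    ports:
      - 8123
    volumes:
      - ~/docker/homeassistant_config:/config
"""

def audit(text):
    """Return (service, finding) pairs for published ports and Docker socket mounts."""
    findings, top, service, section = [], None, None, None
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()          # drop trailing comments
        if not line.strip():
            continue
        indent, item = len(line) - len(line.lstrip()), line.strip()
        if indent == 0:                              # top-level key (services, networks)
            top, service = item.rstrip(":"), None
        elif indent == 2 and top == "services":      # service name
            service, section = item.rstrip(":"), None
        elif indent == 4:                            # key inside a service
            section = item.split(":")[0]
        elif service and item.startswith("- "):      # list item under that key
            value = item[2:].strip("\"'")
            if section == "ports":
                parts = value.split("/")[0].split(":")
                if len(parts) == 1:      # "8123": Docker picks a random host port
                    findings.append((service, f"port {parts[0]} published on a random host port"))
                elif len(parts) == 2:    # "8080:8080": no bind address, so all interfaces
                    findings.append((service, f"host port {parts[0]} open on all interfaces"))
            elif section == "volumes" and value.split(":")[0] == "/var/run/docker.sock":
                mode = "read-only" if value.endswith(":ro") else "read-write"
                findings.append((service, f"Docker socket mounted {mode}"))
    return findings

if __name__ == "__main__":
    for service, finding in audit(COMPOSE):
        print(f"{service}: {finding}")
```

Entries written with an explicit bind address, such as 127.0.0.1:8080:8080, are not reported.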

Thank you @jono, that’s been super useful. I’ve managed to get mine working by comparing to your configs. Thanks!

No problem 👍

Hi Folks,

I tried this week to run a PiHole container in combination with Homeassistant and Traefik.
For this I had to make some changes to @jono’s configuration, which I would like to share with you.

My needs were…:

  1. …to run PiHole with an IPv4 and an IPv6 address.
    (Because I can’t disable IPv6 on my router and therefore need an IPv6 capable DNS server)
    –> For this I had to make the Traefik Docker network IPv6 capable first.
  2. …to make Homeassistant externally accessible via HTTPS and PiHole internally accessible via HTTP.
    (Because PiHole currently supports, at least not without detours, only HTTP as frontend for administration and advertising blocking)
    –> For this I had to disable the standard HTTP --> HTTPS forwarding used by @jono in Traefik and switch it on at container level in the docker-compose.yaml.
  3. …to make PiHole internally accessible via port 80
    (Because PiHole needs the standard HTTP port for the correct display of the placeholders for blocked advertisements.)
    –> For this I had to use a special frontend rule that I had found after some searching around.

Here are my steps to achieve these goals:

1. Goal) Run PiHole with an IPv4 and an IPv6 address

1.1 Deactivate all containers that already used the Traefik proxy network. In my case this was only Homeassistant and Traefik itself.

sudo docker rm -f YOUR_TRAEFIK_CONTAINER_ID
sudo docker rm -f YOUR_HOMEASSISTANT_CONTAINER_ID

1.2 Enable IPv6 support for Docker by editing /etc/docker/daemon.json and setting the ipv6 key to true.

{ "ipv6": true }

Then reload the Docker configuration file.

sudo systemctl reload docker

1.3 Remove the old Traefik proxy network and add a new one with IPv6 support.

sudo docker network rm YOUR_TRAEFIK_PROXY_NETWORK

sudo docker network create --ipv6 --driver=bridge --subnet=172.20.0.0/16 --subnet=2002:ac14:0000::/48 --gateway=172.20.0.1 proxy

2. Goal) Make Homeassistant externally accessible via HTTPS and PiHole internally accessible via HTTP.

2.1 For this you only have to make some modifications in the traefik.toml.
Change this:

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

to this:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"
  [entryPoints.https.tls]

For more info you can have a look here: https://docs.traefik.io/user-guide/examples/

2.2 After that only two additional entries have to be made in the labels for Homeassistant in docker-compose.yaml.

  - "traefik.frontend.headers.SSLRedirect=true"
  - "traefik.frontend.entryPoints=http,https"

Only containers with these labels are now automatically redirected from HTTP to HTTPS. For all other containers there is no automatic redirection anymore!

3. Goal) Make PiHole internally accessible via port 80

3.1 For this you also need some additional labels for the PiHole container in the docker-compose.yaml

  - "traefik.frontend.rule=HostRegexp:{catchall:.*}"
  - "traefik.frontend.priority=1"

For more info you can have a look here: https://www.techjunktrunk.com/docker/2017/11/03/traefik-default-server-catch-all/

3.2 Last but not least you have to change to the docker-compose.yaml directory and execute it with a force recreate. Otherwise the newly created network would not be assigned correctly.

sudo docker-compose up -d --force-recreate

ATTENTION: Of course, the default settings for the PiHole container must also have been made beforehand. This is not described here.
More information about these settings can be found in the official info for the Pihole Container: https://hub.docker.com/r/pihole/pihole/

As an example I attach my current docker-compose.yaml here:

version: '3'

networks:
  proxy:
    external: true

services:
  portainer:
    container_name: portainer
    restart: always
    image: portainer/portainer
    volumes:
      - /home/docker_data/portainer:/data
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - "9000:9000"

  reverse-proxy:
    container_name: reverse-proxy
    image: traefik
    restart: always
    command: --web --docker --docker.domain=YOUR_LAN_DOMAIN
    networks:
      - proxy
    ports:
      - 8080:8080
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/docker_data/traefik/traefik.toml:/traefik.toml
      - /home/docker_data/traefik/acme.json:/acme.json

  pihole:
    container_name: pihole
    image: pihole/pihole
    restart: unless-stopped
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 8053:80/tcp
    environment:
      - ServerIP=YOUR_IPv4_SERVER_IP
      - ServerIPv6=YOUR_IPv6_SERVER_IP
      - IPv6=true
      - PROXY_LOCATION=pihole
      - VIRTUAL_HOST=pihole.YOUR_LAN_DOMAIN
      - VIRTUAL_PORT=80
      - TZ=Europe/Berlin  # unquoted: in list form the quotes would become part of the value
      - WEBPASSWORD=******
    networks:
      - proxy
    volumes:
      - /home/docker_data/pihole/pihole.log:/var/log/pihole.log
      - /home/docker_data/pihole/etc-pihole/:/etc/pihole/
      - /home/docker_data/pihole/etc-dnsmasqd/:/etc/dnsmasq.d/
    labels:
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.backend=pihole
      - traefik.frontend.rule=HostRegexp:pihole.YOUR_LAN_DOMAIN,{catchall:.*}
      - traefik.frontend.priority=1
      - traefik.port=80
      - traefik.frontend.entryPoints=http

  postgres:
    container_name: postgres
    restart: unless-stopped
    image: postgres
    volumes:
      - /home/docker_data/postgres:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - POSTGRES_USER=******
      - POSTGRES_PASSWORD=******
    ports:
      - "5432:5432"

  influxdb:
    container_name: influxdb
    restart: unless-stopped
    image: influxdb
    volumes:
      - /home/docker_data/influxdb/influxdb.conf:/etc/influxdb/influxdb.conf:ro
      - /home/docker_data/influxdb/db:/var/lib/influxdb
    environment:
      - INFLUX_GRAPHITE_ENABLED=true  # unquoted: in list form the quotes would become part of the value
    ports:
      - "8086:8086"

  grafana:
    container_name: grafana
    restart: unless-stopped
    image: grafana/grafana
    volumes:
      - /home/docker_data/grafana:/var/lib/grafana
    ports:
      - "3000:3000"

  homeassistant:
    container_name: home-assistant
    restart: always
    image: homeassistant/home-assistant
    depends_on:
      - "reverse-proxy"
    networks:
      - proxy
    ports:
      - 8123:8123
    volumes:
      - /home/docker_data/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
    privileged: true
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"
      - "traefik.backend=home-assistant"
      - "traefik.frontend.rule=Host:YOUR_WWW_DOMAIN"
      - "traefik.port=8123"
      - "traefik.default.protocol=http"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.entryPoints=http,https"

I hope that this information can help one or the other.
Greeting.

1 Like
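
How the label changes in the post above interact, as an added example that is not part of the original post and not Traefik's own code: a simplified model which assumes that Traefik 1.x picks the matching frontend with the highest priority and ranks a frontend without an explicit priority by its rule length. The names ha.example.org and pihole.lan are constructed stand-ins for YOUR_WWW_DOMAIN and pihole.YOUR_LAN_DOMAIN.

```python
import re

# Simplified model of Traefik 1.x frontend selection (an assumption, not Traefik code):
# the highest priority wins, and a frontend without one is ranked by its rule length.
# ha.example.org and pihole.lan are constructed stand-ins for the placeholders above.
HA_RULE = "Host:ha.example.org"
FRONTENDS = [
    {"backend": "home-assistant", "entrypoints": {"http", "https"},
     "host": r"ha\.example\.org", "priority": len(HA_RULE), "ssl_redirect": True},
    # HostRegexp:pihole.lan,{catchall:.*} with traefik.frontend.priority=1
    {"backend": "pihole", "entrypoints": {"http"},
     "host": r"pihole\.lan|.*", "priority": 1, "ssl_redirect": False},
]

def route(entrypoint, host):
    """Return what a request arriving on `entrypoint` with this Host header gets."""
    matches = [f for f in FRONTENDS
               if entrypoint in f["entrypoints"]
               and re.fullmatch(f["host"], host, re.IGNORECASE)]
    if not matches:
        return "404"                       # no frontend on this entry point
    best = max(matches, key=lambda f: f["priority"])
    if best["ssl_redirect"] and entrypoint == "http":
        return "redirect https://" + host  # per-container SSLRedirect label
    return "backend " + best["backend"]

if __name__ == "__main__":
    # Constructed requests: (entry point, Host header)
    for ep, host in [("http", "ha.example.org"), ("https", "ha.example.org"),
                     ("http", "pihole.lan"), ("http", "203.0.113.7"),
                     ("https", "203.0.113.7")]:
        print(f"{ep:5} {host:15} -> {route(ep, host)}")
```

The catch-all matches on the entry point, not on where the request comes from, so Pi-hole stays internal only while port 80 is unreachable from outside the LAN.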

I’m glad someone figured this out.

I never managed to get Pi-hole running with it myself, I’ll give a try at some point. Thanks!

Looks good, thanks for sharing. One question though: Without network mode “host” for HA you lose the auto-discovery feature, right?

Thanks!

What exactly do you mean by network mode “Host”?
Autodiscovery works fine for me.

As stated in the install instructions here: https://www.home-assistant.io/docs/installation/docker/ and discussed in this forum (Avoid network_mode: host for Docker), net=host is needed in the docker-compose (or whatever you use) to have autodiscovery working.

Curious why it works on your end :slight_smile:

I’m trying to set this up with Pi-hole as well as Traefik and Home Assistant, but haven’t managed to get it all running successfully yet. So have a few questions :slightly_smiling_face:


I don’t (think) I need IPv6 support, so should I remove that part when setting up the new Traefik proxy network?

sudo docker network create --driver=bridge --subnet=172.20.0.0/16 --subnet=2002:ac14:0000::/48 --gateway=172.20.0.1 proxy

Or could I just leave it in there, and it won’t make any difference for my use?


In docker-compose.yaml > pihole > environment what should I enter for ServerIP?

Should it be the IP address of my Intel NUC that’s running the Docker containers (192.168.0.5), or the Docker IP address (127.0.0.1), or the IP address from the newly created Traefik proxy network (172.20.0.1), or something else?


Then whatever I use in docker-compose.yaml for the ServerIP I presumably enter that in my router’s settings for the Primary DNS?


When I use port 53 in docker-compose.yaml (53:53/tcp) and run docker-compose it says port 53 is already in use, but I can't find what's using it. Is there a way to find out what's using that port?

Or is changing it to 54:53/tcp OK?

Hi,

if you don’t need IPv6 support, setting up an IPv6 Docker network doesn’t make sense for you. If you want you can set it up the way I do, with no advantages or disadvantages, or just use your existing docker traefik network.

The Server IP is the real IP address of the Docker Host. So in your case the 192.168.0.5. This will be used later in the router as the new DNS address.

If your system runs on Linux, you can use the command lsof -i TCP| fgrep LISTEN to find out which program is currently listening on which port.
As you can see here https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers Port 53 is the standard port for DNS Services. So I think it is a port that has to be at least opened for the functionality of Pihole.

Unfortunately I have to remove PiHole, because my girlfriend and my mother-in-law, who lives with us, would like to see advertising in their shopping mood.
And the function of manually switching off PiHole via Homeassistant was unfortunately already too complicated for them. :grin:

1 Like

Thanks a lot. I’m away this weekend so I’ll try again on Monday.

Oh dear :sweat_smile: