Tym*_*iev 5 docker docker-compose traefik
I'm running into problems with my traefik + pihole setup. I want to configure DNS over TLS. Maybe someone can point me in the right direction?
While debugging I discovered the tool kdig. I have tried:
kdig -d @myiphere +tls-ca +tls-host=mydnshere example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(myiphere), port(853), protocol(TCP)
;; DEBUG: TLS, imported 127 system certificates
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
Well, maybe the certificate is wrong? It doesn't look like it:
openssl s_client -connect mydnshere:853
CONNECTED(00000003)
/***bunch of text here***/
SSL handshake has read 5070 bytes and written 382 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
/***bunch of text here***/
Can someone point me in the right direction or tell me what I'm missing?
I should mention that dig domain.com @myiphere and dig +tcp domain.com @myiphere work just fine.
Here is my config:
Traefik:
version: "3.8"
services:
  reverse-proxy:
    image: traefik
    restart: unless-stopped
    command:
      - "--api=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.dns.address=:53"
      - "--entrypoints.dot.address=:853"
      - "--entrypoints.dns-udp.address=:53/udp"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.vpn-udp.address=:51820/udp"
      # entrypoints aligned with the 22000 ports published below (the original said :20000, which nothing published)
      - "--entrypoints.syncthing-tcp.address=:22000"
      - "--entrypoints.syncthing-udp.address=:22000/udp"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--certificatesresolvers.le.acme.email=wkill95@gmail.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.httpchallenge=true"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      - "--pilot.token=${TRAEFIK_PILOT_TOKEN:-}"
      # caveat: this disables certificate verification for every backend Traefik talks to
      - "--serversTransport.insecureSkipVerify=true"
      - "--log.level=${TRAEFIK_LOG_LEVEL:-ERROR}"
    ports:
      # TODO: find out how to show the remote ip in pihole
      #- "53:53"
      #- "53:53/udp"
      - "853:853"
      # The HTTP port
      - "80:80"
      - "443:443"
      # VPN
      - "51820:51820/udp"
      # The Web UI (enabled by --api.insecure=true)
      #- "8080:8080"
      # Syncthing
      - "22000:22000"
      - "22000:22000/udp"
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik_certs:/letsencrypt
    networks:
      - reverse-proxy
    dns:
      - 1.1.1.1
      - 1.0.0.1
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api-data.rule=Host(`${TRAEFIK_API_DOMAIN?No traefik api domain set}`) && ( Path(`/api/version`) || PathPrefix(`/api/http/`) || PathPrefix(`/api/tcp/`))"
      - "traefik.http.routers.api-data.entrypoints=websecure"
      - "traefik.http.routers.api-data.service=api@internal"
      - "traefik.http.routers.api-data.tls=true"
      - "traefik.http.routers.api-data.tls.certresolver=${TRAEFIK_API_CERTRESOLVER?No traefik api certificate resolver}"
      - "traefik.http.routers.api.rule=Host(`${TRAEFIK_API_DOMAIN?No traefik api domain set}`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=${TRAEFIK_API_CERTRESOLVER?No traefik api certificate resolver}"
      - "traefik.http.routers.api.middlewares=authelia@docker"
      - "flame.type=application"
      - "flame.name=Traefik"
      - "flame.url=https://${TRAEFIK_API_DOMAIN}"
      - "flame.icon=router-network"
volumes:
  traefik_certs:
networks:
  reverse-proxy:
    name: reverse-proxy
Pihole:
version: '3.8'
services:
  pihole:
    image: pihole/pihole
    restart: unless-stopped
    env_file: pihole.environment
    cap_add:
      - CAP_NET_ADMIN
    networks:
      - reverse-proxy
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - 53:53/tcp
      - 53:53/udp
    volumes:
      - 'pihole_configs:/etc/pihole/'
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=reverse-proxy"
      - "traefik.http.routers.pihole-api.rule=Host(`${PIHOLE_DOMAIN:?No pihole domain set}`) && Path(`/admin/api.php`)"
      - "traefik.http.routers.pihole-api.tls=true"
      - "traefik.http.routers.pihole-api.tls.certresolver=${PIHOLE_CERTRESOLVER?No pihole certificate resolver}"
      - "traefik.http.routers.pihole-api.entrypoints=websecure"
      - "traefik.http.routers.pihole-api.service=pihole"
      - "traefik.http.services.pihole-api.loadBalancer.server.port=80"
      - "traefik.http.routers.pihole.rule=Host(`${PIHOLE_DOMAIN:?No pihole domain set}`)"
      - "traefik.http.routers.pihole.tls=true"
      - "traefik.http.routers.pihole.tls.certresolver=${PIHOLE_CERTRESOLVER?No pihole certificate resolver}"
      - "traefik.http.routers.pihole.entrypoints=websecure"
      - "traefik.http.routers.pihole.service=pihole"
      - "traefik.http.routers.pihole.middlewares=authelia@docker"
      - "traefik.http.services.pihole.loadBalancer.server.port=80"
      - "flame.type=application"
      - "flame.name=DNS"
      - "flame.url=https://${PIHOLE_DOMAIN}/admin"
      - "flame.icon=pi-hole"
      # DNS over TLS: Traefik terminates TLS on the dot entrypoint and forwards plain DNS to pihole
      - "traefik.tcp.routers.dnsovertls.rule=HostSNI(`mydnshere`)"
      - "traefik.tcp.routers.dnsovertls.entrypoints=dot"
      - "traefik.tcp.routers.dnsovertls.tls.certresolver=le"
      - "traefik.tcp.routers.dnsovertls.service=pihole"
      # Normal DNS coming in on 53 TCP, no TLS
      - "traefik.tcp.routers.dns.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.dns.entrypoints=dns"
      - "traefik.tcp.routers.dns.service=pihole"
      # receives traffic from both the TLS and non-TLS traefik routers
      - "traefik.tcp.services.pihole.loadbalancer.server.port=53"
      # Normal DNS coming in on 53 UDP
      - "traefik.udp.routers.udpdns.entrypoints=dns-udp"
      - "traefik.udp.routers.udpdns.service=pihole"
      - "traefik.udp.services.pihole.loadbalancer.server.port=53"
volumes:
  pihole_configs:
networks:
  reverse-proxy:
    external: true
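The question compares two clients that behave differently against the same port 853: kdig (which fails during the handshake) and openssl s_client (which completes it, reporting "No ALPN negotiated"). The probe below is an added example, not code from the original post nor from the Traefik or Pi-hole projects. It does by hand what those commands do: it opens a TLS session to a DoT resolver, optionally offering SNI and the ALPN token "dot" from RFC 7858, sends one DNS query framed with the two-byte length prefix that RFC 7858 requires, and decodes the reply. Running it with three handshake variants (SNI plus ALPN as kdig sends, SNI only as openssl s_client sends, and neither) shows which combination the server rejects and with which TLS alert, which narrows the fault down before touching the Traefik labels. The resolver address myiphere, the certificate name mydnshere and the domain example.com are the placeholders from the question and must be replaced; the query encoder and reply parser run offline on constructed messages.

```python
"""Differential DNS-over-TLS probe (added example, not code from the original post).

Opens TLS to port 853, optionally offering SNI and the ALPN token "dot" (RFC 7858),
sends one length-prefixed DNS query and decodes the reply. Server and names are
placeholders taken from the question and must be replaced.
"""
import random
import socket
import ssl
import struct
from typing import Optional

DOT_PORT = 853


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a one-question DNS query (RFC 1035 section 4.1) with RD set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab
                      for lab in qname.rstrip(".").encode("ascii").split(b"."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_dot(msg: bytes) -> bytes:
    """RFC 7858 section 3.3: each message on the TLS stream is length-prefixed."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Return the RCODE and the answer RRs; reject a mismatched transaction id."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntop(socket.AF_INET, rdata), ttl))
        elif rtype == 28 and rdlen == 16:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
        else:
            answers.append((name, str(rtype), rdata.hex(), ttl))
    return {"rcode": flags & 0x0F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS stream early")
        buf += chunk
    return buf


def probe(server: str, sni: Optional[str], alpn: Optional[list], qname: str) -> dict:
    """One handshake plus one query; a TLS or socket failure is reported, not raised."""
    ctx = ssl.create_default_context()       # system CA store, like kdig +tls-ca
    if sni is None:
        ctx.check_hostname = False           # no SNI also means no hostname check
    if alpn:
        ctx.set_alpn_protocols(alpn)
    txid = random.randrange(0, 0x10000)
    try:
        with socket.create_connection((server, DOT_PORT), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame_dot(build_query(qname, txid=txid)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            reply = parse_response(_recv_exact(tls, length), txid)
            return {"ok": True, "tls": tls.version(),
                    "alpn": tls.selected_alpn_protocol(), **reply}
    except OSError as exc:                   # ssl.SSLError is an OSError; .reason names the alert
        return {"ok": False, "error": getattr(exc, "reason", None) or str(exc)}


if __name__ == "__main__":
    SERVER, NAME = "myiphere", "mydnshere"   # placeholders from the question
    # kdig-like (SNI + ALPN "dot"), openssl s_client-like (SNI only), and bare
    for sni, alpn in ((NAME, ["dot"]), (NAME, None), (None, None)):
        print(f"sni={sni!s:<10} alpn={alpn!s:<8} ->", probe(SERVER, sni, alpn, "example.com"))
```

If only the first variant fails, the rejection is tied to what kdig offers on top of plain TLS, and the error string (the alert name that Python's ssl module reports) tells you which; if all three fail, the problem is in the TLS listener itself rather than in the client.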
小智 -1
I'm trying to understand what you are trying to do here. Do you want to use Traefik as a proxy for Pihole's DNS resolution attempts? I don't think that will work well, because you are using Traefik as a reverse proxy for services.
Traefik handles incoming connections from the outside and sends back the corresponding answers. As far as I know, if Pihole itself decides to do a lookup, it never goes through Traefik. You would have to configure a separate service for secure lookups, such as Stubby or Cloudflared. I recommend cloudflared (it does encrypted lookups via DoH) because there is an official guide for it in their documentation.
Apart from that, the DNS field in the docker compose file is for the docker container's environment. That is not where you configure the DNS addresses for Pihole's lookups; you have to do that in the Pihole application settings.
Views: 1706