V

  • 3 Posts
  • 8 Comments
Joined 1Y ago
Cake day: Jun 21, 2023


Will definitely let you know if I figure it out, for sure.


Thanks. Yeah it’s really frustrating. There are guides out there that show that it’s possible, but I think I’m missing something somewhere. I’m combining guides together so more than likely I’ve missed a step somewhere.


Pi-hole via Traefik in Docker?
I'm trying to access my Pi-hole container from pihole.mydomain.com without any ports or /admin, and I swear the multitude of posts on the internet make this seem really straightforward. Perhaps it is and I'm being dumb, but I cannot get it to work. Below is my current docker-compose for both Traefik and Pi-hole:

```yaml
version: "3.7"
services:
  traefik:
    container_name: traefik
    image: traefik:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - medianet
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - TZ=${TZ}
      - PUID=${PUID}
      - PGID=${PGID}
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /path/to/traefik:/etc/traefik
      - /path/to/shared:/shared
      - /path/to/traefik/logs/traefik.log:/etc/traefik/logs/traefik.log
      - /path/to/traefik/logs/access.log:/etc/traefik/logs/access.log
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.entrypoints=http
      - traefik.http.routers.traefik.rule=Host(`${TRAEFIK_DASHBOARD_HOST}`)
      - traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_USER_PASS}
      - traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https
      - traefik.http.routers.traefik.middlewares=traefik-https-redirect
      - traefik.http.routers.traefik-secure.entrypoints=https
      - traefik.http.routers.traefik-secure.rule=Host(`${TRAEFIK_DASHBOARD_HOST}`)
      - traefik.http.routers.traefik-secure.middlewares=traefik-auth
      - traefik.http.routers.traefik-secure.tls=true
      - traefik.http.routers.traefik-secure.tls.certresolver=cloudflare
      - traefik.http.routers.traefik-secure.tls.domains[0].main=${TRAEFIK_BASE_DNS}
      - traefik.http.routers.traefik-secure.tls.domains[0].sans=*.${TRAEFIK_BASE_DNS}
      - traefik.http.routers.traefik-secure.service=api@internal

  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    networks:
      - medianet
      - npm_network
    domainname: mydomain.com
    hostname: pihole
    ports:
      - 53:53/tcp
      - 53:53/udp
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${WEBPASSWORD}
      - FTLCONF_LOCAL_IPV4=192.168.1.116
      - WEBTHEME=default-auto
      - DNSMASQ_LISTENING=ALL
      - VIRTUAL_HOST=pihole.mydomain.com
    volumes:
      - /path/to/pihole:/etc/pihole
      - /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    labels:
      - traefik.enable=true
      - traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
      - traefik.http.routers.pihole.entrypoints=https
      - traefik.http.routers.pihole.tls=true
      - traefik.http.routers.pihole.service=pihole
      - traefik.http.services.pihole.loadbalancer.server.port=80
```

The Pi-hole one will load the login page and, upon entering the password and logging in, it will simply bring me back to the login page. So it just keeps looping around. The Traefik config is working with lots of other containers, all of which are using SSL certificates, so I'm pretty sure my Traefik config is okay. I've tried middlewares to addprefix=/admin, which just ends up looping round with multiple /admin prefixes and also doesn't work. Anybody got any ideas? I'm aware I don't ***have*** to put Pi-hole behind SSL as I'm not exposing any of this stuff to the open internet (ports 80 and 443 are not forwarded on my router, and I'm using local DNS records in Pi-hole to access via subdomains). Happy to post my traefik.yml and config.yml files if needed.

***UPDATE:*** I seem to have figured it out! Below is my final Pi-hole docker-compose - the Traefik one remains unchanged from the original post:

```yaml
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    restart: unless-stopped
    networks:
      - medianet
      - npm_network
    domainname: mydomain.com
    hostname: pihole
    ports:
      - 53:53/tcp
      - 53:53/udp
    environment:
      - TZ=${TZ}
      - WEBPASSWORD=${WEBPASSWORD}
      - FTLCONF_LOCAL_IPV4=192.168.1.116
      - WEBTHEME=default-auto
      - DNSMASQ_LISTENING=ALL
      - VIRTUAL_HOST=pihole.mydomain.com
    volumes:
      - /path/to/pihole:/etc/pihole
      - /path/to/pihole/dnsmasq.d:/etc/dnsmasq.d
    cap_add:
      - NET_ADMIN
    labels:
      - traefik.enable=true
      - traefik.http.routers.pihole.entrypoints=http
      - traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)
      - traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.pihole.middlewares=pihole-https-redirect
      - traefik.http.routers.pihole.service=pihole
      - traefik.http.routers.pihole-secure.entrypoints=https
      - traefik.http.routers.pihole-secure.rule=Host(`pihole.mydomain.com`)
      - traefik.http.routers.pihole-secure.tls=true
      - traefik.http.routers.pihole-secure.service=pihole
      - traefik.http.services.pihole.loadbalancer.server.port=80
```
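The working Pi-hole labels above follow a fixed shape: a plain-http router that only carries a `redirectscheme` middleware, an https router with `tls=true`, and both pointing at one service that declares its backend port. The script below is an added example (not code from the post or from Traefik) that parses `traefik.http.*` container labels into routers, middlewares and services and flags the inconsistencies that most often leave a route half-working: an https router with TLS never enabled, an http router with no redirect to https (so the app stays reachable in the clear), a router naming a middleware or service that no label defines, and a service with no `loadbalancer.server.port`. It checks label consistency only; it cannot diagnose the login loop the post describes. The label list is copied from the final compose file above; the broken variants in the test are constructed.

```python
"""Consistency check for Traefik router/middleware/service labels (added example)."""
import re
from collections import defaultdict

# Labels taken from the working Pi-hole compose file in the post.
PIHOLE_LABELS = [
    "traefik.enable=true",
    "traefik.http.routers.pihole.entrypoints=http",
    "traefik.http.routers.pihole.rule=Host(`pihole.mydomain.com`)",
    "traefik.http.middlewares.pihole-https-redirect.redirectscheme.scheme=https",
    "traefik.http.routers.pihole.middlewares=pihole-https-redirect",
    "traefik.http.routers.pihole.service=pihole",
    "traefik.http.routers.pihole-secure.entrypoints=https",
    "traefik.http.routers.pihole-secure.rule=Host(`pihole.mydomain.com`)",
    "traefik.http.routers.pihole-secure.tls=true",
    "traefik.http.routers.pihole-secure.service=pihole",
    "traefik.http.services.pihole.loadbalancer.server.port=80",
]

# traefik.http.<kind>.<name>.<dotted key>=<value>
LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares|services)\.([^.]+)\.(.+?)=(.*)$")


def parse_labels(labels):
    """Group labels as {"routers": {name: {key: value}}, "middlewares": ..., "services": ...}."""
    tree = {kind: defaultdict(dict) for kind in ("routers", "middlewares", "services")}
    for label in labels:
        m = LABEL_RE.match(label)
        if m:
            kind, name, key, value = m.groups()
            tree[kind][name][key] = value
    return tree


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def check_labels(labels, http_entrypoint="http", https_entrypoint="https"):
    """Return human-readable findings; an empty list means the labels are self-consistent.

    The entrypoint names default to the "http"/"https" names used in the post.
    """
    tree = parse_labels(labels)
    findings = []
    for name, cfg in tree["routers"].items():
        entrypoints = set(_split_list(cfg.get("entrypoints", "")))
        middlewares = _split_list(cfg.get("middlewares", ""))

        # 1. every middleware the router names must be defined by a label
        #    (names containing "@" refer to another provider, e.g. file@internal)
        for mw in middlewares:
            if "@" not in mw and mw not in tree["middlewares"]:
                findings.append(f"router {name}: middleware {mw} is referenced but never defined")

        # 2. an https router must terminate TLS (tls=true or any tls.* option)
        tls_enabled = cfg.get("tls") == "true" or any(k.startswith("tls.") for k in cfg)
        if https_entrypoint in entrypoints and not tls_enabled:
            findings.append(f"router {name}: listens on {https_entrypoint} but tls is not enabled")

        # 3. a plain-http router should redirect, otherwise the app is served unencrypted
        if http_entrypoint in entrypoints and https_entrypoint not in entrypoints:
            redirects = any(
                tree["middlewares"].get(mw, {}).get("redirectscheme.scheme") == "https"
                for mw in middlewares
            )
            if not redirects:
                findings.append(f"router {name}: serves plain {http_entrypoint} without an https redirect")

        # 4. the service the router targets must exist and carry a backend port
        svc = cfg.get("service")
        if svc and "@" not in svc and "loadbalancer.server.port" not in tree["services"].get(svc, {}):
            findings.append(f"router {name}: service {svc} has no loadbalancer.server.port")
    return findings


if __name__ == "__main__":
    for line in check_labels(PIHOLE_LABELS) or ["labels look consistent"]:
        print(line)
```

Run it against the labels of any container and treat a non-empty result as something to fix before looking elsewhere; a clean result only means the router, middleware and service pieces reference each other correctly.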

I don’t plan on exposing any of this stuff to anybody other than me. I do plan on spinning up SearX but it’ll only be me using it. I’ve given up trying to convince my family to move away from Google to even DuckDuckGo or Startpage, so there’s no way I’ll convince them to use SearX!

I think, therefore, for accessing away from home I’ll perhaps set up a subdomain that points to the IP of my Tailscale container — that means it’ll be accessible externally but only when I turn on the VPN.

When I’m on my home network I have a VPN on my Mac anyway.


Before I was using Traefik I used to use plain NGINX and was pretty happy with it. I made the switch to Traefik after reading some good things about it on Reddit.

More than happy to switch to NPM and give it a try. At this point I have no reverse proxy running at all, so it’s not even like I have to swap out Traefik — there’s nothing there to begin with.


Thanks, I’d like to know more about how to go about this approach.

I guess in my head, I want to achieve the following (however I go about it):

  • Access https://mydomain.com from outside my network and hit some kind of blank page that wouldn’t necessarily suggest to the public that anything exists here
  • Access https://mydomain.com from inside my network and hit a login page of some kind (Authelia or otherwise), to then gain access to the Homepage container running in Docker (essentially a dashboard to all my services)
  • Access https://secure.mydomain.com from outside my network and route through to the same as above, only this would be via the Tailscale IP address/container running on my stack to allow for remote access
  • Route all HTTP requests to HTTPS
  • Use the added protection that Cloudflare brings (orange clouds where possible)
  • SSL certificates for all services
  • Ability to turn up extra Docker containers and auto-obtain SSL certs for them
  • Ensure that everything else on my NAS and network is secure/inaccessible other than the services I expose through Traefik.

I have no idea where Cloudflare factors in (if at all), nor how Pi-hole factors in (if at all).

Internal stuff I’ve been absolutely fine with. Stick a domain name, a reverse proxy and DNS in front of me and it’s like I’m learning how to code a Hello World app all over again.


Interesting, I’ve never considered Cloudflare Tunnels. Thanks.

However I do remember seeing this video the other day, that suggests perhaps it’s not always the best solution? Not sure this applies here, though: https://www.youtube.com/watch?v=oqy3krzmSMA.


Route domain name to Docker containers on Synology NAS?
I'm sure I'm massively overthinking this, but any help would be greatly appreciated. I have a domain name that I bought through NameCheap and I've pointed it to Cloudflare (i.e. updated the name servers). I have a Synology NAS on which I run Docker and a few containers. Up until now I've done this using IP addresses and ports to access everything (I have a Homepage container running and just link to everything from there). But I want to set up SSL and start running Vaultwarden, hence purchasing a domain name to make it all easier.

I tried creating an A record in Cloudflare to point to the internal IP of my NAS (and obviously, this couldn't be orange-clouded through CF because it's internal to my LAN). I'm very reluctant to point the A record to the external IP of my NAS (which, for added headache, is dynamic, so I'd need to get some kind of DDNS) because I don't want to expose everything on my NAS to the Internet. In actual fact, I'm not precious about accessing ***any*** of this stuff over the internet - if I need remote access I have a Tailscale container running that I can connect to (more on that later in the post). The domain name was purely for ease of setting up SSL and Vaultwarden.

So I guess my questions are:

* What is the best way to go about this - do I create a DDNS on the NAS and point that external IP address to my domain in Cloudflare, then use Traefik to just expose the containers I want to have access to using subdomains?
* If so, then how do I know that all other ports aren't accessible (I assume because I'm only going to expose ports 80 and 443 in Traefik?)
* What do other people see (i.e. outside my network) if they go to my domain? How do I ensure they can't access my NAS and see some kind of page?
* Is there a benefit to using Cloudflare?
* How would Pi-hole and local DNS fit into this? I guess I could point my router at Pi-hole for DNS and create my A records on Pi-hole for all my subdomains - but what do I need to set up initially in Cloudflare?
* I also have a RPi that has a (very basic) website on it - how do I set up an A record to have Cloudflare point a sub-domain to the Pi's IP address?
* Going back to the Tailscale thing - is it possible to point the domain to the IP address of the Tailscale container, so that the domain is only accessible when I switch on the Tailscale VPN? Is this a good idea/bad idea? Is there a better way to do it?

I'm sure these are all noob-type questions, but for the past 6-7 years I've purely used this internally using IP:port combinations, so never had to worry about domain names and external exposure, etc. Many thanks in advance!

Would love an up-to-date tutorial on how to do this without a domain name. I don’t own one but would still much prefer to use https://jellyfin.myserver.home than http://192.168.1.200:8096.


Thanks. Yeah I originally had plain ol’ NGINX (granted, without the additional networking I have now) and using

```nginx
location /xyz {
    # forward requests under /xyz to the upstream container
    proxy_pass http://a.b.c:123;
}
```

(I forget the exact syntax now) was pretty easy to route stuff around.

But that was all done under an initial

```nginx
server {
    listen 80;
    ...
}
```

section, which might be the part I’m initially struggling with. It just doesn’t seem as intuitive in NPM despite me seeing lots of people preferring it over plain NGINX and Traefik.

NPM is why I have the macvlan and bridge networks in there in the first place, because ports 80 and 443 are in use on the Synology NAS. Otherwise, I could revert back to running a script that frees up those ports on boot-up and use NPM within the same network as all my other containers.


Nginx Proxy Manager, Gluetun and multiple Docker networks
Hey all, I'm sure I'm massively overlooking something, but wondered if someone could help me out, please? I'm trying to switch from Traefik to Nginx Proxy Manager on my Synology NAS, and I've opted to run NPM via a bridge network and a macvlan, so as to not have to mess around with ports 80 and 443 on the NAS (usually reserved for Synology services). I've got the following:

**Bridge network (npm_bridge):**
* Subnet = 192.168.10.0/24
* IP range = 192.168.10.2/32
* Gateway of 192.168.10.1.

**Macvlan network (npm_network):**
* Subnet = 192.168.1.0/24 (same as my LAN)
* IP range = 192.168.1.216/32
* Gateway = 192.168.1.1 (same as my LAN).

NPM is connected to these two networks, and I have a MariaDB container connected to the host - everything works great with NPM and MariaDB - no issues. However, I have a *third* network, **medianet**:
* Subnet = 192.168.96.0/24
* Gateway = 192.168.96.1.

Connected to that network I have a Gluetun container (via docker-compose). I then have multiple other containers that run through the Gluetun container (several "arrs" and Portainer) using **network_mode: service:gluetun**. What I used to have via Traefik was a local hostname I created (let's say, nas.local for posting's sake) and I could simply create labels in my docker-compose for each service to assign ports. I could then access all of these containers via nas.local/portainer, nas.local/sonarr, etc. and they would be accessible via the VPN container. However, I'm completely stuck on how to do this via NPM. I've tried all kinds of combinations via the Proxy Host configuration, but I don't know how to set it up.

* Do I need an overarching nas.local entry as the top level? If so, what hostname/IP and port combination do I use?
* Do I then set up Custom Locations behind it, one for each service, i.e. Portainer? If so, what is the hostname/IP and port for this?
* Or do I create a new Proxy Host per entry, i.e. portainer.nas.local?
* Do I even need to have Portainer behind the VPN as well, or do I add that direct to the medianet network, and then somehow link NPM to the medianet network as well?

I'm really at a loss, and as it stands all my containers are offline at the moment because I can't figure out how to connect them (except Homebridge and MariaDB - they're both up as they're connected to the host network). Any help would be very, very much appreciated.
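The question of which hostname/IP and port to give NPM comes down to two Docker rules: on a user-defined network a container is reachable by its service name, and a container started with `network_mode: service:gluetun` has no network of its own, it shares Gluetun's namespace and is therefore reachable at Gluetun's address (on Gluetun's networks) on the application's own port. The script below is an added example, not code from the post or from NPM/Gluetun, that models the stack described in the post as a small dict and resolves, for each service, the host and network a proxy would need to dial, reporting when the proxy shares no network with that host. It also flags two services behind one namespace that claim the same port, since they cannot coexist there. Service and network names come from the post; the application ports (8989 for Sonarr, 9000 for Portainer) and the extra `medianet` attachment tried in the `__main__` block are assumptions for illustration.

```python
"""Resolve how a reverse proxy reaches containers, including network_mode: service:<x> (added example)."""

# Constructed model of the stack in the post. Ports are assumed defaults, not from the post.
SERVICES = {
    "npm": {"networks": ["npm_bridge", "npm_network"]},
    "gluetun": {"networks": ["medianet"]},
    "sonarr": {"network_mode": "service:gluetun", "port": 8989},
    "portainer": {"network_mode": "service:gluetun", "port": 9000},
}


def resolve_endpoint(services, name):
    """Return (host, networks): the name to dial and the networks on which it answers."""
    svc = services[name]
    mode = svc.get("network_mode", "")
    if mode.startswith("service:"):
        owner = mode.split(":", 1)[1]
        if owner not in services:
            raise ValueError(f"{name}: network_mode points at unknown service {owner}")
        # Shared namespace: the container answers at the owner's address, on the owner's networks.
        return resolve_endpoint(services, owner)
    return name, set(svc.get("networks", []))


def proxy_targets(services, proxy):
    """For every service with a port, describe how `proxy` reaches it, or why it cannot."""
    _, proxy_nets = resolve_endpoint(services, proxy)
    result = {}
    for name, svc in services.items():
        if name == proxy or "port" not in svc:
            continue
        host, nets = resolve_endpoint(services, name)
        common = proxy_nets & nets
        if common:
            result[name] = {"host": host, "port": svc["port"], "network": sorted(common)[0]}
        else:
            result[name] = {"error": f"{proxy} shares no network with {host} (needs one of {sorted(nets)})"}
    return result


def port_conflicts(services):
    """Services that share one network namespace cannot both listen on the same port."""
    seen = {}
    conflicts = []
    for name, svc in services.items():
        if "port" not in svc:
            continue
        host, _ = resolve_endpoint(services, name)
        key = (host, svc["port"])
        if key in seen:
            conflicts.append((host, svc["port"], seen[key], name))
        else:
            seen[key] = name
    return conflicts


if __name__ == "__main__":
    print("proxy on npm_bridge + npm_network only:")
    for target, how in proxy_targets(SERVICES, "npm").items():
        print(" ", target, how)
    # Assumption for illustration: also attach the proxy to medianet.
    patched = {**SERVICES, "npm": {"networks": ["npm_bridge", "npm_network", "medianet"]}}
    print("proxy also attached to medianet:")
    for target, how in proxy_targets(patched, "npm").items():
        print(" ", target, how)
    print("port conflicts:", port_conflicts(SERVICES))
```

The output makes the two facts visible at once: with NPM on its bridge and macvlan networks only, every Gluetun-backed service resolves to the host `gluetun` on `medianet`, which NPM cannot reach; once the proxy is on a network that Gluetun is on, the Proxy Host entry for each service is `gluetun` plus that service's port, never the service's own name.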