a short summary about ansible-adguard (OPEN)

freekers commented on July 21, 2024
a short summary

from ansible-adguard.

Comments (10)

rowie commented on July 21, 2024

ok, let me explain:

all my changes are done in the /srv/docker dir!

  • i use an .env file
  • i have made some changes in the docker-compose.yml
    docker-compose.zip
  • one in the traefik/rule/middlewares.yml file
    i added my IP @ home to be able to connect to portainer and traefik
  • one in the traefik.yml
    for the trustedIPs for the real IP forwarding

... and all the other things are in these two tickets.

Don't know what's the best and easiest way to help cause i am not a dev!
First of all i will attach my compose file ...

rowie commented on July 21, 2024

got it!!!!!

add this to traefik.yml for x-forwarding the real client IP:

websecure:
  address: :443
  proxyProtocol:
    insecure: true
  forwardedHeaders:
    trustedIPs:
      - "127.0.0.1/32" # localhost
      - "10.0.0.0/8" # swarm mode ip range
      - "192.168.0.0/16" # stand-alone after 172.16.0.0/12 is exhausted
      - "172.16.0.0/12" # stand-alone

insecure: true
dnsovertls:

source: https://community.traefik.io/t/use-x-forwarded-in-traefik-v2/5206/4


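Added example, not part of the original thread and not Traefik's own code: a simplified Python model of how `forwardedHeaders.trustedIPs` decides whether a client-supplied X-Forwarded-For header survives, compared with `insecure: true`. The helper names and the sample peer addresses (documentation ranges) are constructed for illustration; the trusted list is the one quoted in the comment above.

```python
import ipaddress

# trustedIPs list quoted in the comment above
THREAD_TRUSTED = ["127.0.0.1/32", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]


def is_trusted(peer_ip, trusted_cidrs, insecure=False):
    """Are forwarded headers from this directly connected peer kept?"""
    if insecure:  # insecure: true -> every peer is trusted
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)


def outgoing_xff(peer_ip, incoming_xff, trusted_cidrs, insecure=False):
    """X-Forwarded-For passed to the backend (simplified model)."""
    hops = []
    if incoming_xff and is_trusted(peer_ip, trusted_cidrs, insecure):
        hops = [h.strip() for h in incoming_xff.split(",") if h.strip()]
    hops.append(peer_ip)  # the proxy always records the peer it saw
    return ", ".join(hops)


def leftmost(xff):
    """Address a backend shows if it reads the first X-Forwarded-For entry."""
    return xff.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed cases: (direct peer, header sent by peer, insecure flag)
    cases = [
        ("203.0.113.7", "198.51.100.99", False),  # untrusted peer, header dropped
        ("203.0.113.7", "198.51.100.99", True),   # trust-all, header kept
        ("10.0.0.5", "203.0.113.7", False),       # internal proxy, header kept
    ]
    for peer, xff, insecure in cases:
        out = outgoing_xff(peer, xff, THREAD_TRUSTED, insecure)
        print(f"peer={peer} insecure={insecure} -> backend sees {leftmost(out)}")
```

With the quoted list, any peer inside the private ranges can still set the header, so narrowing `trustedIPs` to the actual upstream proxy addresses keeps the client IP shown in AdGuard reliable.
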
rowie commented on July 21, 2024

but only for DoH ... cause DoT is shown as simple DNS in Adguard ...

rowie commented on July 21, 2024

Next little win!

  • i am able to connect to the Traefik Dashboard after removing the:

"&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
from the
"traefik.http.routers.traefikdashboard.rule=Host(`traefik.{{hostname}}`)"
Label

  • i expose 53/tcp and 53/udp directly to adguard to see the client real IP when doing a normal dns query

The only problem on my list is that i see the proxy IP when using DoT. When this is working i need a wildcard cert to see the client with a "name" like myandroid.adguard.tld

bruvv commented on July 21, 2024

traefik dashboard can only be accessed with:
https://url/dashboard/
it is very picky and you need the last /!

And regarding the stuff you changed, can you either do a PR? or show me where to edit the stuff needed?

rowie commented on July 21, 2024

i was playing around with docker-socket-proxy, but it's not a real security booster ... cause you would need more than one proxy with different permissions/container ...

What i will change is the traefik wildcard cert thing in combination with nsone.net

rowie commented on July 21, 2024

> traefik dashboard can only be accessed with: https://url/dashboard/ it is very picky and you need the last /!

Doesn't work for me. Don't know why .. i have tested it with the / at the end but nothing happens

> And regarding the stuff you changed, can you either do a PR? or show me where to edit the stuff needed?

i have to figure out how i can make this cause i am not a dev. only a security guy/admin with much time to play around! ;-)

rowie commented on July 21, 2024

maybe i will only apply this to the public facing traefik container ...
https://chriswiegman.com/2019/11/protecting-your-docker-socket-with-traefik-2/

adguard has no connection to the docker socket

rowie commented on July 21, 2024

since my server is supposed to be public accessible i want to make it as secure as possible. i looked at some tutorial regarding traefik and crowdsec. how did you come up with this traefik config?

bruvv commented on July 21, 2024

Hi, sorry Ronald for the slow reply, did you manage to get it working? The Traefik config is made by myself using the traefik docs.
