AdGuard Home behind Traefik has a lot of slowdowns/locks with DOT server #1397

Closed
opened 2026-03-04 01:16:31 -05:00 by deekerman · 3 comments

Originally created by @Akruidenberg on GitHub (Mar 20, 2020).

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • I am running the latest version
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed

Problem Description

There is no clear documentation to run adguard behind nginx or traefik to get it working with a DOT server. See my docker compose for an example. With this config, loading a few pages is working fine. But after that, there are a lot of slowdowns. Some elements of a web page take more than a minute to load. DOH is working fine with the "AllowUnencryptedDOH" setting in the config file.
There is nothing to see in the logs of Traefik or Adguard.
Rate limit off doesn't work.

I'm using a OnePlus 6 smartphone with Android 10, using the integrated DOT option. My tablet with Android 10 has the same problem.

However, using adguard with self-signed certs without traefik, there are no problems. Maybe my config is wrong.

Proposed Solution

Write docs and get the DOT server working behind Traefik. The slowdowns are really frustrating.

Additional Information

```
services:
  traefik2:
    container_name: traefik2
    image: traefik:cantal
    restart: always
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      - --entryPoints.http.address=:80
      # https://www.reddit.com/r/docker/comments/c1wrep/traefik_reverse_proxy_question_docker_overlay/
#      - --entrypoints.http.forwardedHeaders.trustedIPs=127.0.0.1/31, 192.168.90.1/24
#      - --entrypoints.http.proxyProtocol=true
#      - --entrypoints.http.proxyProtocol.trustedIPs=127.0.0.1/31, 192.168.90.1/24
      - --entryPoints.https.address=:443
      - --entryPoints.tls.address=:853
      - --entryPoints.urbackup.address=:55415
      - --api=true
#      - --api.insecure=true
#      - --serversTransport.insecureSkipVerify=false
      - --log=true
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/var/log/docker/traefik.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINBASE`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=reverseproxy
      - --providers.docker.endpoint=tcp://dockersock-proxy:2375
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules
      - --providers.file.watch=true
      - --certificatesresolvers.ovh.acme.dnschallenge=true
#      - --certificatesResolvers.ovh.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # uncomment when testing
      - --certificatesResolvers.ovh.acme.email=${SMTP_DEST_EMAIL}
      - --certificatesResolvers.ovh.acme.storage=/acme.json
      - --certificatesResolvers.ovh.acme.dnsChallenge.provider=ovh
    networks:
      - reverseproxy
      - dockersock-proxy
    user: ${PUID}
    ports:
      - "80:80"
      - "443:443"
      - "853:853"
      - "55415:55415"
    volumes:
      - $USERDIR/traefik2/rules:/rules
      - $USERDIR/traefik2/acme.json:/acme.json
      - $USERDIR/traefik2/traefik.log:/var/log/docker/traefik.log
    environment:
      OVH_ENDPOINT: ovh-eu
      OVH_APPLICATION_KEY: ${OVH_APPLICATION_KEY}
      OVH_APPLICATION_SECRET: ${OVH_APPLICATION_SECRET}
      OVH_CONSUMER_KEY: ${OVH_CONSUMER_KEY}
    sysctls:
      net.ipv4.ip_unprivileged_port_start: "0"
    labels:
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http_catchall.rule=HostRegexp(`{any:.+}`)"
      - "traefik.http.routers.http_catchall.entrypoints=http"
      - "traefik.http.routers.http_catchall.middlewares=https_redirect@docker"
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINBASE`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certresolver=ovh"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINBASE"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINBASE"
      ## Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=traefik-headers@docker,rate-limit@file,oauth@file"
      - "traefik.http.middlewares.traefik-headers.headers.featurepolicy=camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ## labels
      - "com.centurylinklabs.watchtower.enable=false"

  adguard:
    container_name: adguardhome
    restart: unless-stopped
    image: adguard/adguardhome
    hostname: adguard
    ports:
      - "53:53"
      - "53:53/udp"
    expose:
      - "80"
      - "3000"
      - "443"
      - "853"
    volumes:
      - ${USERDIR}/adguard/conf:/opt/adguardhome/conf
      - ${USERDIR}/adguard/work:/opt/adguardhome/work
    user: ${PUID}
    networks:
      - reverseproxy
    labels:
      traefik.enable: "true"
      ## HTTP Routers
      traefik.http.routers.adguard-rtr.entrypoints: https
      traefik.http.routers.adguard-rtr.rule: Host(`dns.$DOMAINBASE`)
      traefik.http.routers.adguard-rtr.tls: "true"
      traefik.http.routers.adguard-rtr.tls.certresolver: ovh
      ## Middlewares
      traefik.http.routers.adguard-rtr.middlewares: noauth-chain@file
      ## HTTP Services
      traefik.http.routers.adguard-rtr.service: adguard-svc
      traefik.http.services.adguard-svc.loadbalancer.server.port: 80
      ###TCP
      traefik.tcp.routers.adguard-tls.entrypoints: tls
      traefik.tcp.routers.adguard-tls.rule: HostSNI(`dns.$DOMAINBASE`)
      traefik.tcp.routers.adguard-tls.tls: "true"
      traefik.tcp.routers.adguard-tls.tls.certresolver: ovh
      ## Middlewares
      ## tcp Services
      traefik.tcp.routers.adguard-tls.service: adguard-svc-tls
      traefik.tcp.services.adguard-svc-tls.loadbalancer.server.port: 53
      traefik.tcp.services.adguard-svc-tls.loadbalancer.terminationdelay: 0
      ## labels
      com.centurylinklabs.watchtower.enable: "false"
```
deekerman closed this issue and added the wontfix label 2026-03-04 01:16:31 -05:00

@ameshkov commented on GitHub (Mar 20, 2020):

Well, first of all, you don't really need to use AdGuard's DOT if your Traefik instance does TLS encryption by itself.

You can simply do `traefik:853` --> `adguardhome:53` instead
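Why a TLS-terminating proxy on port 853 can hand traffic to a plain TCP listener on port 53: DNS-over-TLS carries the same 2-byte length-prefixed DNS messages as DNS over TCP, and a client may send several queries on one connection. The sketch below is an added example, not part of the original thread and not code from AdGuard Home or Traefik; the function and class names are hypothetical and the query names and byte stream are constructed.

```python
import struct


def encode_name(name):
    """Encode a host name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, msg_id=0x1234):
    """Minimal DNS query: 12-byte header (RD set) plus one IN-class question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(msg):
    """Add the 2-byte length prefix used on TCP/53 and inside a DoT session."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for stream framing")
    return struct.pack("!H", len(msg)) + msg


class StreamDeframer:
    """Reassemble DNS messages from a byte stream delivered in arbitrary chunks."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, data):
        self._buf += data
        msgs = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack_from("!H", self._buf)
            if len(self._buf) < 2 + length:
                break  # message still incomplete, wait for more bytes
            msgs.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return msgs

    @property
    def pending(self):
        return len(self._buf)


def demo():
    """Two constructed queries on one connection, delivered in 7-byte chunks."""
    q1 = build_query("dns.example.test", msg_id=1)
    q2 = build_query("example.test", qtype=28, msg_id=2)  # AAAA
    stream = frame(q1) + frame(q2)
    deframer = StreamDeframer()
    got = []
    for i in range(0, len(stream), 7):
        got += deframer.feed(stream[i:i + 7])
    return [q1, q2], got, deframer.pending


if __name__ == "__main__":
    sent, got, pending = demo()
    print("messages recovered:", len(got), "bytes pending:", pending)
```
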


@Akruidenberg commented on GitHub (Mar 20, 2020):

> Well, first of all, you don't really need to use AdGuard's DOT if your Traefik instance does TLS encryption by itself.
>
> You can simply do `traefik:853` --> `adguardhome:53` instead

I'm doing that right now. Here is my config file for adguard:

```
bind_host: 0.0.0.0
bind_port: 80
users:
- name: *****-*****
  password: *************
language: nl
rlimit_nofile: 0
web_session_ttl: 12
dns:
  bind_host: 0.0.0.0
  port: 53
  statistics_interval: 1
  querylog_enabled: true
  querylog_interval: 1
  querylog_memsize: 0
  protection_enabled: true
  blocking_mode: nxdomain
  blocking_ipv4: ""
  blocking_ipv6: ""
  blocked_response_ttl: 10
  ratelimit: 20
  ratelimit_whitelist: []
  refuse_any: true
  bootstrap_dns:
  - 1.1.1.1:53
  all_servers: true
  edns_client_subnet: false
  aaaa_disabled: false
  allowed_clients: []
  disallowed_clients: []
  blocked_hosts: []
  parental_block_host: family-block.dns.adguard.com
  safebrowsing_block_host: standard-block.dns.adguard.com
  cache_size: 4194304
  upstream_dns:
  - tls://1dot1dot1dot1.cloudflare-dns.com
  - https://cloudflare-dns.com/dns-query
  filtering_enabled: true
  filters_update_interval: 1
  parental_enabled: false
  safesearch_enabled: false
  safebrowsing_enabled: true
  safebrowsing_cache_size: 1048576
  safesearch_cache_size: 1048576
  parental_cache_size: 1048576
  cache_time: 30
  rewrites: []
  blocked_services: []
tls:
  enabled: true
  server_name: ""
  force_https: false
  port_https: 0
  port_dns_over_tls: 0
  allow_unencrypted_doh: true
  strict_sni_check: true
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
filters:
- enabled: false
  url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
  name: AdGuard Simplified Domain Names filter
  id: 1
- enabled: false
  url: https://adaway.org/hosts.txt
  name: AdAway
  id: 2
- enabled: false
  url: https://hosts-file.net/ad_servers.txt
  name: hpHosts - Ad and Tracking servers only
  id: 3
- enabled: false
  url: https://www.malwaredomainlist.com/hostslist/hosts.txt
  name: MalwareDomainList.com Hosts List
  id: 4
- enabled: false
  url: https://filters.adtidy.org/extension/chromium/filters/8.txt
  name: AdGuard Dutch filter
  id: 1563103081
- enabled: true
  url: https://dbl.oisd.nl/
  name: oisd algemeen filter
  id: 1569162405
whitelist_filters: []
user_rules:
- '@@||www.googletagmanager.com^$important'
- '@@||stats.nextcloud.com^$important'
- '@@||www.smarthomebeginner.com^$important'
- '@@||g.ezoic.net^$important'
- ""
dhcp:
  enabled: false
  interface_name: ""
  gateway_ip: ""
  subnet_mask: ""
  range_start: ""
  range_end: ""
  lease_duration: 86400
  icmp_timeout_msec: 1000
clients: []
log_file: ""
verbose: false
schema_version: 6
```

It's working fine for the first +-3 pages. But after that I get a lot of locks/slowdowns.


@stale[bot] commented on GitHub (May 19, 2020):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
