
Make ClientId identifying work when the built-in Encryption is disabled #6988

Open
trmdi opened this issue May 12, 2024 · 1 comment

Comments

@trmdi

trmdi commented May 12, 2024

Prerequisites

  • I have checked the Wiki and Discussions and found no answer

  • I have searched other issues and found no duplicates

  • I want to request a feature or enhancement and not ask a question

The problem

When AGH works behind a reverse proxy and TLS is provided by the proxy, queries to tls://client.dns.example.com work, but AGH does not use client as the client id.
How can I make it work?

Proposed solution

Maybe enable the clientIds feature when the Encryption is disabled?

@trmdi trmdi changed the title Make ClientId work when Encryption is disabled Make ClientId identifying work when the built-in Encryption is disabled May 12, 2024
@cyagon

cyagon commented May 13, 2024

I currently have the same problem. I am using Traefik as a proxy.

For reference, these are the configs I am using:

docker-compose.yml

```yaml
services:
  traefik:
    image: traefik:3.0
    container_name: traefik
    command:
      - "--global.sendanonymoususage=false"
      - "--log=true"
      - "--log.level=INFO"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.dot.address=:853"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.cf.acme.dnschallenge=true"
      - "--certificatesresolvers.cf.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cf.acme.keyType=EC256"
      - "--certificatesresolvers.cf.acme.email=[email protected]"
      - "--certificatesresolvers.cf.acme.storage=/traefik/acme.json"
    ports:
      - 80:80/tcp
      - 443:443/tcp
      - 853:853 #DNS-over-TLS
    volumes:
      - "./traefik:/traefik"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: always
    environment:
      - CF_DNS_API_TOKEN=##########

  adguardhome:
    image: adguard/adguardhome:latest
    volumes:
      - ./adguardhome/work:/opt/adguardhome/work
      - ./adguardhome/conf:/opt/adguardhome/conf
    depends_on:
      - traefik
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.routers.adguardhome.rule=Host(`dns.example.domain`)
      - traefik.http.routers.adguardhome.entrypoints=websecure
      - traefik.http.routers.adguardhome.tls=true
      - traefik.http.routers.adguardhome.tls.certresolver=cf
      - traefik.http.services.adguardhome.loadBalancer.server.port=3000

      - traefik.tcp.routers.adguardhome-tls.rule=HostSNI(`dns.example.domain`) || HostSNIRegexp(`^.+\.dns\.example\.domain`)
      - traefik.tcp.routers.adguardhome-tls.tls=true
      - traefik.tcp.routers.adguardhome-tls.tls.domains[0].main=dns.example.domain
      - traefik.tcp.routers.adguardhome-tls.tls.domains[0].sans=*.dns.example.domain
      - traefik.tcp.routers.adguardhome-tls.entrypoints=dot
      - traefik.tcp.routers.adguardhome-tls.tls.certresolver=cf
      - traefik.tcp.routers.adguardhome-tls.service=adguardhome-tls
      - traefik.tcp.services.adguardhome-tls.loadbalancer.server.port=53
```

AdguardHome.yaml

```yaml
...
tls:
  enabled: true
  server_name: dns.example.domain
  force_https: false
  port_https: 443
  port_dns_over_tls: 853
  port_dns_over_quic: 853
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true
  certificate_chain: ""
  private_key: ""
  certificate_path: ""
  private_key_path: ""
  strict_sni_check: false
...
```

Connection to Adguard Home via Android's "Private DNS" option fully works well, but the ClientIDs (like "smartphone.dns.example.domain") do not get recognized.
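To make concrete what both reports describe, here is an added illustration (not AdGuard Home's own code) of how a ClientID is derived from the TLS server name a DoT client connects with: the client uses `<clientid>.dns.example.domain`, the server strips its configured `server_name` and keeps the leading label. The function names and the single-label validation rules are assumptions for this example. When a proxy such as Traefik terminates TLS and forwards plain DNS on port 53, the SNI never reaches the DNS server, which is the empty-SNI case handled below and the reason no ClientID is recognized.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// clientIDFromSNI derives a ClientID from the TLS server name (SNI) a DoT client
// connected with, given the configured base server name, e.g.
//   "smartphone.dns.example.domain" + "dns.example.domain" -> "smartphone"
//   "dns.example.domain"            + "dns.example.domain" -> "" (no ClientID)
// With TLS terminated by a reverse proxy the DNS server sees only plaintext DNS,
// so sni is empty and there is nothing to derive a ClientID from.
func clientIDFromSNI(sni, serverName string) (string, error) {
	sni = strings.ToLower(strings.TrimSuffix(sni, "."))
	serverName = strings.ToLower(strings.TrimSuffix(serverName, "."))
	if sni == "" {
		return "", errors.New("no server name on this connection (TLS terminated upstream?)")
	}
	if sni == serverName {
		return "", nil // plain query to the base name: no ClientID
	}
	suffix := "." + serverName
	if !strings.HasSuffix(sni, suffix) {
		return "", fmt.Errorf("server name %q is not under %q", sni, serverName)
	}
	id := strings.TrimSuffix(sni, suffix)
	if !validClientID(id) {
		return "", fmt.Errorf("%q is not a valid client id label", id)
	}
	return id, nil
}

// validClientID accepts exactly one DNS label (assumed rule): 1-63 characters
// from [a-z0-9-], no leading or trailing hyphen. A dot fails the check, so
// "a.b.dns.example.domain" is rejected rather than yielding "a.b".
func validClientID(id string) bool {
	if len(id) == 0 || len(id) > 63 || id[0] == '-' || id[len(id)-1] == '-' {
		return false
	}
	for _, c := range id {
		ok := (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-'
		if !ok {
			return false
		}
	}
	return true
}

func main() {
	for _, sni := range []string{"smartphone.dns.example.domain", "dns.example.domain", "a.b.dns.example.domain", ""} {
		id, err := clientIDFromSNI(sni, "dns.example.domain")
		fmt.Printf("%-32q -> id=%q err=%v\n", sni, id, err)
	}
}
```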
