diff --git a/roles/traefik/defaults/main.yml b/roles/traefik/defaults/main.yml
index eea7391..ffc237e 100644
--- a/roles/traefik/defaults/main.yml
+++ b/roles/traefik/defaults/main.yml
@@ -11,6 +11,13 @@ service_name: traefik
 docker_compose_dir: "{{ docker_compose_base_dir }}/{{ service_name }}"
 docker_volume_dir: "{{ docker_volume_base_dir }}/{{ service_name }}"
 
+# Optional /etc/hosts entries injected into the traefik container. Useful
+# when downstream middlewares (e.g. ForwardAuth to an authentik instance
+# running on a sibling LAN) need a public FQDN to resolve to an internal
+# IP because the DMZ doesn't hairpin the public address back inside.
+# Example: ["auth.example.com:172.16.19.101"]
+traefik_extra_hosts: []
+
 # Deployment mode: 'dmz' or 'backend'
 # - dmz: Public-facing reverse proxy that routes to backend servers using file provider
 # - backend: Application server with docker provider for local container discovery
diff --git a/roles/traefik/templates/docker-compose.yml.j2 b/roles/traefik/templates/docker-compose.yml.j2
index 6dbb9ec..9463e58 100644
--- a/roles/traefik/templates/docker-compose.yml.j2
+++ b/roles/traefik/templates/docker-compose.yml.j2
@@ -33,6 +33,12 @@ services:
 {% endif %}
     networks:
       - {{ traefik_network }}
+{% if traefik_extra_hosts | default([]) | length > 0 %}
+    extra_hosts:
+{%   for h in traefik_extra_hosts %}
+      - "{{ h }}"
+{%   endfor %}
+{% endif %}
 
 networks:
   {{ traefik_network }}: