Praktische Anleitung: AdGuard Home und Nginx Proxy Manager zusammen betreiben

~~Below~~Hier isist aeine ~~clear,~~klare, ~~actionable,~~umsetzbare ~~scalable~~und ~~way~~skalierbare Methode, ~~to combine~~um AdGuard Home ~~with~~mit Nginx Proxy Manager ~~that~~zu ~~mirrors~~kombinieren ~~the~~– ~~reasoning~~analog ~~and~~zur ~~quality~~Qualität ofund ~~the~~Logik des Pi-hole + ~~NPM~~NPM-Setups, ~~setup~~das ~~you~~du ~~already~~bereits ~~reviewed~~kennst, —aber ~~but~~angepasst ~~adapted~~an ~~for~~die ~~the~~architektonischen ~~architectural~~und ~~and~~protokollbedingten ~~protocol~~Unterschiede ~~differences that~~von AdGuard ~~Home~~Home. ~~introduces.~~(adguard.com)

InKurz ~~short:~~gesagt:

AdGuard Home ~~becomes~~wird ~~your~~deine maßgebliche DNS-Quelle (optional auch mit verschlüsseltem DNS ~~source of truth (and optionally encrypted DNS —~~– DoH/DoT)
Nginx Proxy Manager (NPM) ~~handles~~übernimmt HTTP/HTTPS ~~for~~für ~~web~~alle ~~interfaces~~Web-Oberflächen ~~and~~und ~~services~~Dienste
~~You separate~~ DNS ~~from~~und ~~web~~Web-Traffic ~~traffic~~werden ~~and~~sauber ~~avoid~~getrennt ~~port~~→ ~~conflicts~~keine Port-Konflikte

✅ Core PrinciplesGrundprinzipien

1) LetAdGuard Home nur für DNS nutzen, nicht für HTTP

Die Stärke von AdGuard Home ~~handle~~liegt ~~DNS,~~in ~~not HTTP~~

~~AdGuard Home’s strength is network-wide~~netzwerkweitem DNS + ~~filter/parental~~Filter-/Kindersicherungs-Funktionen. ~~control~~Es ~~features.~~unterstützt Itnativ ~~natively~~die ~~supports~~verschlüsselten ~~encrypted DNS protocols~~DNS-Protokolle DNS-over-HTTPS (DoH) ~~and~~und DNS-over-TLS (DoT), ifwenn ~~you~~du ~~enable~~sie ~~them.~~aktivierst. (Virtualization Howto)

~~DNS~~DNS-Dienste: ~~services: port~~Port 53 (UDP/TCP), DoH, DoT
DoDie ~~not~~Admin-Web-Oberfläche ~~expose~~von AdGuard ~~Home’s~~Home ~~admin~~niemals ~~web~~direkt auf Port 80/443 exponieren
→ NPM soll die Ports 80/443 exklusiv besitzen, damit der gesamte Web-Traffic zentralisiert wird

2) AdGuard Home Admin-UI directlyauf oneinen anderen Port legen

Standardmäßig bindet AdGuard Home seine Web-Oberfläche auf Ports wie 80/3000 oder benutzerdefiniert – das kollidiert mit NPM.
→ AdGuard Home Web-Interface auf einen Port außerhalb von 80/443 ~~→ NPM should own ports 80/443 so web traffic is centralized~~

2) Run AdGuard Home Admin UI on a different port

~~By default AdGuard Home binds its web UI on ports like 80/3000/any custom — this can conflict with NPM. Run AdGuard Home’s web interface on a port~~ ~~other than 80/443~~betreiben (~~e.g.,~~z. B. 8080, 3000, 8443). (Reddit)

~~Later~~Später leitet NPM ~~will~~diesen ~~proxy~~internen ~~that~~Port ~~internal~~weiter, ~~port~~sodass sodu ~~external~~extern ~~access~~sauber ~~can~~über beeine ~~via~~schöne aDomain ~~friendly~~mit ~~domain,~~HTTPS ~~with~~zugreifen ~~clean HTTPS.~~kannst.

3) UseLokale Hostnamen über DNS-Rewrites in AdGuard Home’s DNS rewrites for local hostnamesHome

~~Instead~~Statt ~~of wildcard~~ Wildcard-DNS (~~which~~das ~~can cause~~bei SSL ~~and~~und ~~service~~Routing ~~routing~~zu ~~ambiguity),~~Unklarheiten ~~explicitly~~führen ~~configure~~kann) ~~local~~explizit ~~DNS~~lokale ~~entries~~DNS-Einträge ~~inside~~in AdGuard ~~Home:~~Home konfigurieren:

myservice.lab.zn80.net → 192.168.10.105
pihole.adguard.lab.zn80.net   → 192.168.10.105

~~These~~Diese ~~rewrites~~Rewrites ~~are~~entsprechen ~~equivalent~~den toA-Records bei Pi-~~hole’s~~hole Aund ~~records~~sagen ~~and~~den ~~tell~~Clients ~~clients~~genau, ~~exactly~~wohin ~~where~~die toAnfragen ~~send~~gehen ~~requests~~sollen ~~without~~– ~~relying~~ohne ~~on wildcard responses.~~Wildcard-Unschärfe. (AdGuard Home ~~supports~~nutzt ~~rewrites but not exactly the same UI as Pi-hole — you use~~dafür DNS Rewrite Rules. – die Oberfläche ist etwas anders als bei Pi-hole.) (Chris Kirby)

4) Let NPM handlefür HTTP/HTTPS andund certificatesZertifikate verantwortlich machen

~~All~~Der ~~external~~gesamte ~~web~~externe ~~access,~~Web-Zugriff ~~including~~(Admin-Panels ~~admin~~+ ~~panels~~Dienste) ~~and~~läuft ~~service frontends, should go through~~über NPM:

~~For~~Für ~~each~~jeden ~~service:~~Dienst:

~~Public~~Öffentliche URL	NPM Proxy Host ~~config~~Konfiguration	~~Internal~~Interne ~~Address~~Adresse
`https://adguard.lab.zn80.net`	Proxy tozum ~~internal~~internen AdGuard Home ~~admin port~~Admin-Port (~~e.g.,~~z. B. 8080)	~~e.g.,~~z. B. `192.168.10.105:8080`
`https://grafana.lab.zn80.net`	Proxy tozu Grafana	~~e.g.,~~z. B. `192.168.10.110:3000`
~~etc.~~usw.	…	…

~~This~~Das ~~achieves:~~bringt:

~~Single~~Einen ~~entry~~einzigen ~~point~~Einstiegspunkt ~~for~~für ~~all~~alle ~~web UIs~~Web-Oberflächen
~~Centralized~~Zentrale ~~SSL certificate generation~~SSL-Zertifikatsverwaltung & ~~renewal~~-Erneuerung (Let’s Encrypt)
~~Clean~~Saubere ~~internal~~interne ~~service structure~~Dienststruktur

🔧 Step-by-Step SetupSchritt-für-Schritt-Einrichtung

A) Configure AdGuard Home DNS konfigurieren

~~Install and run~~ AdGuard Home onauf ~~your~~deinem ~~homelab~~Homelab-Host ~~host.~~installieren und starten. (adguard.com)
In
Inden AdGuard Home ~~settings:~~
Einstellungen:
- ~~Enable normal~~Normales DNS onauf Port 53 aktivieren
- ~~Optionally enable~~Optional DoH/DoT ifaktivieren, ~~you~~wenn ~~want~~du ~~encrypted~~verschlüsselte ~~resolution~~Auflösung möchtest
- ~~Set~~Trusted ~~trusted~~Proxies ~~proxies~~setzen, iffalls ~~using a reverse proxy for~~du DoH über Reverse Proxy nutzt (~~advanced)~~fortgeschritten) (GitHub)
~~Create~~ DNS ~~rewrites~~Rewrites ~~for~~für ~~your~~deine ~~internal~~internen ~~services~~Dienste anlegen → ~~local~~lokale ~~hostnames~~Hostnamen ~~map~~zeigen toauf ~~NPM~~die NPM-IP.

Clients onim ~~your~~Netzwerk ~~network should use~~sollten AdGuard Home asals ~~their~~DNS-Server ~~DNS server~~nutzen (~~via~~per DHCP oroder ~~router config)~~Router-Einstellung). ~~This~~So ~~ensures~~lösen ~~they~~sie ~~resolve~~interne ~~internal~~Domains ~~domains~~auf, ~~before~~bevor ~~going~~sie ~~upstream.~~upstream gehen.

B) Change AdGuard Home AdminAdmin-UI-Port UI Portändern

AdGuard Home ~~lets~~erlaubt ~~you~~die ~~configure~~Konfiguration ~~its~~des ~~HTTP~~HTTP-Admin-Ports ~~admin port — do~~– ~~not~~nicht ~~leave it on~~auf 80/443 ifbelassen, wenn NPM isdiese ~~going~~Ports toübernimmt. ~~manage~~Häufig ~~those. It’s common to use something like:~~genutzt:

192.168.10.105:8080

(NPM ~~will~~leitet ~~proxy~~das ~~this~~später ~~later.~~weiter.)

C) Configure Nginx Proxy Manager (NPM) konfigurieren

C.1 – Proxy Host RulesRegeln

~~For~~Für ~~each~~jeden ~~service/web~~Dienst UI/ ~~you~~jede ~~want~~Web-Oberfläche, ~~externally~~die ~~reachable:~~extern erreichbar sein soll:

~~Create a~~Neuen Proxy Host in NPM anlegen
Domain: ~~e.g.,~~z. B. adguard.lab.zn80.net
Forward ~~hostname:~~Hostname / IP: 192.168.10.105
Forward ~~port:~~Port: ~~your~~dein AdGuard Home ~~admin UI port~~Admin-Port (~~e.g.,~~z. B. 8080)
~~Enable~~SSL ~~SSL~~aktivieren → ~~request/renew certificate~~Zertifikat via Let’s Encrypt anfordern/erneuern

~~Repeat~~Das ~~for~~für ~~all~~alle ~~other~~weiteren ~~services~~Dienste wiederholen (Home Assistant, ~~Jellyfin,~~Jellyfin ~~etc.~~usw.).

NPM ~~will~~lauscht ~~listen~~exklusiv ~~on ports~~auf 80/443 ~~exclusively~~und ~~and terminate~~terminiert HTTPS.

D) AvoidDNS-Port Proxyingniemals proxyn

Port 53 niemals über NPM leiten – DNS ~~Port~~ist

Dokein ~~not~~HTTP-Dienst ~~proxy~~und ~~port~~muss 53direkt ~~through~~erreichbar ~~NPM — DNS is not an HTTP service and must stay direct.~~bleiben.

E) SSL CertificatesSSL-Zertifikate

Für
~~Use~~alle öffentlich erreichbaren Subdomains Let’s Encrypt ~~through~~über NPM ~~for all publicly reachable subdomains.~~
nutzen.
Bei
Ifrein ~~you~~internen ~~want internal-only names~~Namen (~~e.g.,~~z. B. .lab.zn80.net), ~~with~~bei ~~valid TLS and~~denen Let’s Encrypt ~~fails:~~
scheitert:
- ~~Either~~Entweder ~~use~~DNS-Challenge ~~a DNS challenge~~verwenden
- OrOder ~~use a local/internal~~lokale/interne CA ~~trusted~~nutzen, bydie ~~your~~auf ~~clients~~den Clients vertraut wird
Zertifikate
~~Certificates~~müssen ~~must~~exakt ~~match~~zum ~~the~~im ~~hostname~~Browser ~~used~~verwendeten inHostnamen ~~the~~passen ~~browser~~(sonst ~~to avoid security warnings.~~
Sicherheitswarnungen).

🧠 WhyWarum Thisdas Isdie thebeste BestLösung Setupist

✅ DNSDNS-Funktionen featuresbleiben remainmächtig powerfulund and flexibleflexibel

AdGuard Home ~~can serve DNS, including local rewrites, redirection, and encrypted~~kann DNS ~~protocols~~inkl. —lokaler ~~all~~Rewrites, ~~without~~Umleitungen ~~conflicting~~und ~~with~~verschlüsselter ~~your~~Protokolle ~~web~~(DoH/DoT) ~~reverse~~bereitstellen ~~proxy.~~– ohne Konflikt mit dem Web-Reverse-Proxy. (Virtualization Howto)

✅ NPM becomeswird thedie singleeinzige sourcesichere for secure web accessWeb-Zugangsstelle

~~All~~Alle ~~internal~~internen ~~UIs~~Oberflächen ~~and~~und ~~apps~~Apps ~~are~~sind ~~accessible~~über ~~through friendly~~schöne URLs ~~with~~mit ~~proper~~korrekten ~~certificates.~~Zertifikaten erreichbar.

✅ SeparationKlare of concernsAufgabentrennung

~~DNS:~~DNS → AdGuard Home
HTTP/~~HTTPS:~~HTTPS → NPM ~~This simplifies maintenance and improves security and debugging.~~

Das vereinfacht Wartung, erhöht Sicherheit und erleichtert die Fehlersuche.

🧩 AdditionalZusätzliche NotesHinweise

DNS over HTTPS (DoH) / DNS over TLS (DoT)

IfWenn ~~you~~du ~~enable these~~diese in AdGuard Home ~~and~~aktivierst ~~want~~und ~~clients~~Clients tosie ~~use~~nutzen ~~them,~~sollen, ~~they~~laufen ~~are~~sie ~~handled~~unabhängig ~~independently of~~von NPM. NPM ~~can proxy~~kann HTTP-~~related~~basierte ~~admin~~Admin-Oberflächen ~~UIs,~~proxyen, ~~but~~aber ~~encrypted~~verschlüsselte ~~DNS~~DNS-Pfade ~~paths~~sind ~~are~~kein ~~not~~klassisches HTTP in– ~~the~~du ~~same~~solltest ~~sense~~DoH-Endpunkte —nur ~~you~~bewusst ~~won’t~~exponieren, ~~reverse-proxy~~wenn ~~them~~du ~~unless~~das ~~you~~wirklich ~~deliberately expose DoH endpoints.~~willst.

Trusted reverse proxy headersReverse-Proxy-Header

IfWenn ~~you proxy~~du AdGuard Home ~~through~~über NPM ~~and~~proxy ~~use~~und ~~features~~Funktionen ~~tied~~nutzt, todie ~~client~~echte Client-IPs brauchen (~~e.g.~~z. B. Logging), ~~logging~~dann ~~real client IPs), consider enabling forwarding headers (~~X-Real-IP, ~~etc.)~~& ~~and~~Co. ~~configuring~~weiterleiten ~~trusted~~und ~~proxies.~~Trusted Proxies in AdGuard Home konfigurieren. (GitHub)

Local

Lokale DNS resolutionDNS-Auflösung in NPM

~~Some~~Manche ~~setups~~Setups ~~report~~(besonders ~~issues~~Container) ~~when~~haben Probleme, wenn NPM ~~resolves~~selbst ~~local~~lokale DNS ~~from~~von AdGuard Home inauflösen ~~certain~~soll ~~container~~– ~~environments~~stelle —sicher, ~~make~~dass ~~sure~~Container ~~containers~~deinen ~~can~~DNS-Server ~~reach~~erreichen ~~your~~oder ~~DNS~~konfiguriere ~~server~~Fallback-Resolver. ~~or configure fallback resolvers.~~(forums.truenas.com)

📌 FinalFinale Architectureempfohlene (Recommended)Architektur

[Router DHCP] → gives clients DNS ofvergibt AdGuard Home als DNS an Clients
[Client]
   |
   +-- DNSDNS-Anfrage query toan AdGuard Home -->→ resolveslöst locallokale servicesDienste auf
   |
   +-- HTTP(S)-Anfrage request toan NPM (80/443) -->→
        |
        +-- Reverse proxyProxy tozu internalinternen servicesDiensten (AdGuard UI, apps)Apps)

~~This~~Dieses ~~pattern~~Muster ~~keeps~~hält ~~DNS~~die ~~resolution~~DNS-Auflösung ~~stable~~stabil ~~and~~und ~~web/HTTPS~~die ~~handling~~Web-/HTTPS-Verwaltung ~~secure,~~sicher, ~~centralized,~~zentralisiert ~~and~~und ~~scalable~~skalierbar, aswährend ~~your~~deine ~~services~~Dienste ~~grow.~~wachsen.

~~If you want, I can provide a~~ ~~concrete example NPM proxy configuration~~ ~~for AdGuard Home (with headers and SSL settings) along with how to handle DoH/DoT clients on Android or browsers — just let me know your priorities.~~