Practical architecture for combining AdGuard Home and Nginx Proxy Manager

Below

is a clear, actionable, scalable way to combine AdGuard Home ~~mit~~with Nginx Proxy Manager zuthat ~~kombinieren~~mirrors –the ~~analog~~reasoning ~~zur~~and ~~Qualität~~quality ~~und~~of ~~Logik~~the ~~des~~ Pi-hole + ~~NPM-Setups~~,NPM ~~das~~setup duyou ~~bereits~~already ~~kennst,~~reviewed ~~aber~~— ~~angepasst~~but anadapted ~~die~~for ~~architektonischen~~the ~~und~~architectural ~~protokollbedingten~~and ~~Unterschiede~~protocol ~~von~~differences that AdGuard ~~Home.~~Home introduces.(adguard.com)

~~Kurz~~In ~~gesagt:~~short:

AdGuard Home ~~wird~~becomes ~~deine maßgebliche DNS-Quelle (optional auch mit verschlüsseltem~~your DNS –source of truth (and optionally encrypted DNS — DoH/DoT)
Nginx Proxy Manager (NPM) ~~übernimmt~~handles HTTP/HTTPS ~~für~~for ~~alle~~web ~~Web-Oberflächen~~interfaces ~~und~~and ~~Dienste~~services
You separate DNS ~~und~~from ~~Web-Traffic~~web ~~werden~~traffic ~~sauber~~and ~~getrennt~~avoid →port ~~keine Port-Konflikte~~conflicts

✅ GrundprinzipienCore Principles

1) Let AdGuard Home nurhandle fürDNS, DNS nutzen, nicht fürnot HTTP

~~Die Stärke von~~ AdGuard ~~Home~~Home’s ~~liegt~~strength inis ~~netzwerkweitem~~network-wide DNS + ~~Filter-/Kindersicherungs-Funktionen.~~filter/parental Escontrol ~~unterstützt~~features. ~~nativ~~It ~~die~~natively ~~verschlüsselten~~supports ~~DNS-Protokolle~~encrypted DNS protocols DNS-over-HTTPS (DoH) ~~und~~and DNS-over-TLS (DoT), ~~wenn~~if duyou ~~sie~~enable ~~aktivierst.~~ them.(Virtualization Howto)

~~DNS-Dienste:~~DNS ~~Port~~services: port 53 (UDP/TCP), DoH, DoT
~~Die~~Do ~~Admin-Web-Oberfläche~~not ~~von~~expose AdGuard Home’s admin web UI directly on 80/443 → NPM should own ports 80/443 so web traffic is centralized

2) Run AdGuard Home niemalsAdmin direktUI aufon Porta 80/443different exponieren
port

→

By ~~NPM soll die Ports 80/443 exklusiv besitzen, damit der gesamte Web-Traffic zentralisiert wird~~

2)default AdGuard Home Admin-binds its web UI aufon einenports anderenlike Port80/3000/any legen

custom

~~Standardmäßig~~— ~~bindet~~this can conflict with NPM. Run AdGuard ~~Home~~Home’s ~~seine~~web ~~Web-Oberfläche~~interface ~~auf~~on ~~Ports~~a ~~wie 80/3000 oder benutzerdefiniert – das kollidiert mit NPM.~~
~~→ AdGuard Home Web-Interface auf einen Port~~port ~~außerhalb~~other ~~von~~than 80/443 ~~betreiben~~ (~~z. B.~~e.g., 8080, 3000, 8443). (Reddit)

~~Später leitet~~Later NPM ~~diesen~~will ~~internen~~proxy ~~Port~~that ~~weiter,~~internal ~~sodass~~port duso ~~extern~~external ~~sauber~~access ~~über~~can ~~eine~~be ~~schöne~~via ~~Domain~~a ~~mit~~friendly ~~HTTPS~~domain, ~~zugreifen~~with ~~kannst.~~clean HTTPS.

3) Lokale Hostnamen über DNS-Rewrites inUse AdGuard HomeHome’s DNS rewrites for local hostnames

~~Statt~~Instead ~~Wildcard-~~of wildcard DNS (~~das~~which ~~bei~~can cause SSL ~~und~~and ~~Routing~~service zurouting ~~Unklarheiten~~ambiguity), ~~führen~~explicitly ~~kann)~~configure ~~explizit~~local ~~lokale~~DNS ~~DNS-Einträge~~entries ininside AdGuard ~~Home konfigurieren:~~Home:

myservice.lab.zn80.net   → 192.168.10.105
adguard.pihole.lab.zn80.net     → 192.168.10.105

~~Diese~~These ~~Rewrites~~rewrites ~~entsprechen~~are ~~den~~equivalent ~~A-Records bei~~to Pi-~~hole~~hole’s ~~und~~A ~~sagen~~records ~~den~~and ~~Clients~~tell ~~genau,~~clients ~~wohin~~exactly ~~die~~where ~~Anfragen~~to ~~gehen~~send ~~sollen~~requests –without ~~ohne~~relying ~~Wildcard-Unschärfe.~~on wildcard responses. (AdGuard Home ~~nutzt~~supports ~~dafür~~rewrites but not exactly the same UI as Pi-hole — you use DNS Rewrite Rules ~~– die Oberfläche ist etwas anders als bei Pi-hole.~~.) (Chris Kirby)

4) Let NPM fürhandle HTTP/HTTPS undand Zertifikate verantwortlich machencertificates

~~Der~~All ~~gesamte~~external ~~externe~~web ~~Web-Zugriff~~access, ~~(Admin-Panels~~including +admin ~~Dienste)~~panels ~~läuft~~and ~~über~~service frontends, should go through NPM:

~~Für~~For ~~jeden~~each ~~Dienst:~~service:

~~Öffentliche~~Public URL	NPM Proxy Host ~~Konfiguration~~config	~~Interne~~Internal ~~Adresse~~Address
`https://adguard.lab.zn80.net`	Proxy ~~zum~~to ~~internen~~internal AdGuard Home ~~Admin-Port~~admin port (~~z. B.~~e.g., 8080)	~~z. B.~~e.g., `192.168.10.105:8080`
`https://grafana.lab.zn80.net`	Proxy zuto Grafana	~~z. B.~~e.g., `192.168.10.110:3000`
~~usw.~~etc.	…	…

~~Das~~This ~~bringt:~~achieves:

~~Einen~~Single ~~einzigen~~entry ~~Einstiegspunkt~~point ~~für~~for ~~alle~~all ~~Web-Oberflächen~~web UIs
~~Zentrale~~Centralized ~~SSL-Zertifikatsverwaltung~~SSL certificate generation & ~~-Erneuerung~~renewal (Let’s Encrypt)
~~Saubere~~Clean ~~interne~~internal ~~Dienststruktur~~service structure

🔧 Schritt-für-Schritt-EinrichtungStep-by-Step Setup

A) Configure AdGuard Home DNS konfigurieren

Install and run AdGuard Home ~~auf~~on ~~deinem~~your ~~Homelab-Host~~homelab ~~installieren und starten.~~ host.(adguard.com)
In ~~den~~ AdGuard Home ~~Einstellungen:~~settings:
- ~~Normales~~Enable normal DNS ~~auf Port~~on 53 ~~aktivieren~~
- ~~Optional~~Optionally enable DoH/DoT ~~aktivieren,~~if ~~wenn~~you duwant ~~verschlüsselte~~encrypted ~~Auflösung möchtest~~resolution
- ~~Trusted~~Set ~~Proxies~~trusted ~~setzen,~~proxies ~~falls~~if duusing a reverse proxy for DoH ~~über Reverse Proxy nutzt~~ (~~fortgeschritten)~~ advanced)(GitHub)
Create DNS ~~Rewrites~~rewrites ~~für~~for ~~deine~~your ~~internen~~internal ~~Dienste anlegen~~services → ~~lokale~~local ~~Hostnamen~~hostnames ~~zeigen~~map ~~auf~~to ~~die~~NPM ~~NPM-~~IP.

Clients imon ~~Netzwerk~~your ~~sollten~~network should use AdGuard Home ~~als~~as ~~DNS-Server~~their ~~nutzen~~DNS server (~~per~~via DHCP ~~oder~~or ~~Router-Einstellung)~~router config). SoThis ~~lösen~~ensures ~~sie~~they ~~interne~~resolve ~~Domains~~internal ~~auf,~~domains ~~bevor~~before ~~sie~~going ~~upstream~~upstream.

~~gehen.~~

B) Change AdGuard Home Admin-UI-Admin UI Port ändern

AdGuard Home ~~erlaubt~~lets ~~die~~you ~~Konfiguration~~configure ~~des~~its ~~HTTP-Admin-Ports~~HTTP –admin port — do ~~nicht~~not ~~auf~~leave it on 80/443 ~~belassen, wenn~~if NPM ~~diese~~is ~~Ports~~going ~~übernimmt.~~to ~~Häufig~~manage ~~genutzt:~~those. It’s common to use something like:

192.168.10.105:8080

(NPM ~~leitet~~will ~~das~~proxy ~~später~~this ~~weiter.~~later.)

C) Configure Nginx Proxy Manager (NPM) konfigurieren

C.1 – Proxy Host RegelnRules

~~Für~~For ~~jeden~~each ~~Dienst~~service/web /UI ~~jede~~you ~~Web-Oberfläche,~~want ~~die~~externally ~~extern erreichbar sein soll:~~reachable:

~~Neuen~~Create a Proxy Host in NPM ~~anlegen~~
Domain: ~~z. B.~~e.g., adguard.lab.zn80.net
Forward ~~Hostname / IP:~~hostname: 192.168.10.105
Forward ~~Port:~~port: ~~dein~~your AdGuard Home ~~Admin-Port~~admin UI port (~~z. B.~~e.g., 8080)
Enable SSL ~~aktivieren~~ → ~~Zertifikat~~request/renew certificate via Let’s Encrypt ~~anfordern/erneuern~~

~~Das~~Repeat ~~für~~for ~~alle~~all ~~weiteren~~other ~~Dienste wiederholen~~services (Home Assistant, ~~Jellyfin~~Jellyfin, ~~usw.~~etc.).

NPM ~~lauscht~~will ~~exklusiv~~listen ~~auf~~on ports 80/443 ~~und~~exclusively ~~terminiert~~and terminate HTTPS.

D) DNS-Avoid Proxying DNS Port niemals proxyn

Do ~~Port~~not proxy port 53 ~~niemals~~ ~~über~~through NPM ~~leiten –~~— DNS ~~ist~~is ~~kein~~not ~~HTTP-Dienst~~an ~~und~~HTTP ~~muss~~service ~~direkt~~and ~~erreichbar~~must ~~bleiben.~~stay direct.

E) SSL-ZertifikateSSL Certificates

~~Für~~ ~~alle öffentlich erreichbaren Subdomains~~
Use Let’s Encrypt ~~über~~through NPM ~~nutzen.~~for all publicly reachable subdomains.
~~Bei~~ ~~rein~~
If ~~internen~~you ~~Namen~~want internal-only names (~~z. B.~~e.g., .lab.zn80.net), ~~bei~~with ~~denen~~valid TLS and Let’s Encrypt ~~scheitert:~~fails:
- ~~Entweder~~Either ~~DNS-Challenge~~use ~~verwenden~~a DNS challenge
- ~~Oder~~Or ~~lokale/interne~~use a local/internal CA ~~nutzen,~~trusted ~~die~~by ~~auf~~your ~~den Clients vertraut wird~~clients
~~Zertifikate~~ ~~müssen~~
Certificates ~~exakt~~must ~~zum~~match imthe ~~Browser~~hostname ~~verwendeten~~used ~~Hostnamen~~in ~~passen~~the ~~(sonst~~browser ~~Sicherheitswarnungen).~~to avoid security warnings.

🧠 WarumWhy dasThis dieIs bestethe LösungBest istSetup

✅ DNS-FunktionenDNS bleibenfeatures mächtigremain undpowerful flexibeland flexible

AdGuard Home ~~kann~~can serve DNS, including local rewrites, redirection, and encrypted DNS ~~inkl.~~protocols ~~lokaler~~— ~~Rewrites,~~all ~~Umleitungen~~without ~~und~~conflicting ~~verschlüsselter~~with ~~Protokolle~~your ~~(DoH/DoT)~~web ~~bereitstellen~~reverse ~~– ohne Konflikt mit dem Web-Reverse-Proxy.~~ proxy.(Virtualization Howto)

✅ NPM wirdbecomes diethe einzigesingle sicheresource Web-Zugangsstellefor secure web access

~~Alle~~All ~~internen~~internal ~~Oberflächen~~UIs ~~und~~and ~~Apps~~apps ~~sind~~are ~~über~~accessible ~~schöne~~through friendly URLs ~~mit~~with ~~korrekten~~proper ~~Zertifikaten erreichbar.~~certificates.

✅ KlareSeparation Aufgabentrennungof concerns

~~DNS →~~DNS: AdGuard Home
HTTP/~~HTTPS →~~HTTPS: NPM This simplifies maintenance and improves security and debugging.

~~Das vereinfacht Wartung, erhöht Sicherheit und erleichtert die Fehlersuche.~~

🧩 ZusätzlicheAdditional HinweiseNotes

DNS over HTTPS (DoH) / DNS over TLS (DoT)

~~Wenn~~If duyou ~~diese~~enable these in AdGuard Home ~~aktivierst~~and ~~und~~want ~~Clients~~clients ~~sie~~to ~~nutzen~~use ~~sollen,~~them, ~~laufen~~they ~~sie~~are ~~unabhängig~~handled ~~von~~independently of NPM. NPM ~~kann~~can proxy HTTP-~~basierte~~related ~~Admin-Oberflächen~~admin ~~proxyen,~~UIs, ~~aber~~but ~~verschlüsselte~~encrypted ~~DNS-Pfade~~DNS ~~sind~~paths ~~kein~~are ~~klassisches~~not HTTP –in duthe ~~solltest~~same ~~DoH-Endpunkte~~sense ~~nur~~— ~~bewusst~~you ~~exponieren,~~won’t ~~wenn~~reverse-proxy duthem ~~das~~unless ~~wirklich~~you ~~willst.~~deliberately expose DoH endpoints.

Trusted Reverse-Proxy-Headerreverse proxy headers

~~Wenn~~If duyou proxy AdGuard Home ~~über~~through NPM ~~proxy~~and ~~und~~use ~~Funktionen~~features ~~nutzt,~~tied ~~die~~to ~~echte~~client ~~Client-~~IPs ~~brauchen~~(e.g., logging real client IPs), consider enabling forwarding headers (~~z. B. Logging), dann~~ X-Real-IP, &etc.) ~~Co.~~and ~~weiterleiten~~configuring ~~und~~trusted ~~Trusted Proxies in AdGuard Home konfigurieren.~~ proxies.(GitHub)

Lokale

Local DNS-AuflösungDNS resolution in NPM

~~Manche~~Some ~~Setups~~setups ~~(besonders~~report ~~Container)~~issues ~~haben Probleme, wenn~~when NPM ~~selbst~~resolves ~~lokale~~local DNS ~~von~~from AdGuard Home ~~auflösen~~in ~~soll~~certain –container ~~stelle~~environments ~~sicher,~~— ~~dass~~make ~~Container~~sure ~~deinen~~containers ~~DNS-Server~~can ~~erreichen~~reach ~~oder~~your ~~konfiguriere~~DNS ~~Fallback-Resolver.~~server or configure fallback resolvers.(forums.truenas.com)

📌 FinaleFinal empfohleneArchitecture Architektur(Recommended)

[Router DHCP] → vergibtgives clients DNS of AdGuard Home als DNS an Clients

[Client] 
   |
   +-- DNS-AnfrageDNS anquery to AdGuard Home →--> löstresolves lokalelocal Dienste aufservices
   |
   +-- HTTP(S)-Anfrage anrequest to NPM (80/443) →-->    
        |
        +-- Reverse Proxyproxy zuto interneninternal Dienstenservices (AdGuard UI, Apps)apps)

~~Dieses~~This ~~Muster~~pattern ~~hält~~keeps ~~die~~DNS ~~DNS-Auflösung~~resolution ~~stabil~~stable ~~und~~and ~~die~~web/HTTPS ~~Web-/HTTPS-Verwaltung~~handling ~~sicher,~~secure, ~~zentralisiert~~centralized, ~~und~~and ~~skalierbar,~~scalable ~~während~~as ~~deine~~your ~~Dienste~~services ~~wachsen.~~grow.

If you want, I can provide a concrete example NPM proxy configuration for AdGuard Home (with headers and SSL settings) along with how to handle DoH/DoT clients on Android or browsers — just let me know your priorities.