Practical architecture for combining Pi-hole and Nginx Proxy Manager

✔️ Überblick:Overview: RollenRoles derof einzelnenEach KomponentenComponent

Pi-hole

~~Betreibt~~Runs ~~lokalen~~local DNS (~~Port~~port 53)
~~Dient~~Serves ~~als~~as ~~DNS-Resolver~~the ~~für~~DNS ~~dein~~resolver ~~Netzwerk~~for your network
~~Stellt~~Provides ~~lokale~~local ~~DNS-Einträge~~DNS ~~bereit,~~records ~~damit~~so ~~Geräte~~devices ~~Servicenamen~~resolve ~~auflösen~~service ~~können~~names (~~z. B.~~e.g., home.lab, jellyfin.lab)
~~Muss~~Does ~~kein~~not ~~HTTP~~need ~~(Port~~to serve HTTP(80) ~~oder~~or ~~HTTPS (Port~~ HTTPS(443) ~~ausliefern~~

Nginx Proxy Manager (NPM)

~~Bearbeitet~~Handles ~~den gesamten~~all HTTP/~~HTTPS-Verkehr~~HTTPS ~~für~~traffic ~~die~~for ~~Dienste~~services
~~Verwaltet~~Manages ~~SSL-Zertifikate~~SSL certificates (Let’s ~~Encrypt,~~Encrypt ~~falls~~if ~~gewünscht)~~you choose)
~~Leitet~~Routes ~~eingehende~~incoming ~~Anfragen~~application anrequests ~~die~~to ~~internen~~internal ~~Dienste~~services ~~auf~~on ~~unterschiedlichen~~different ~~Ports/~~ports/IPs ~~weiter~~

~~Kernprinzip~~Key Principle

Pi-hole ~~ist~~handles ~~ausschließlich~~DNS ~~für~~resolution ~~die~~ ~~DNS-Auflösung~~ ~~zuständig.~~
only. NPM ~~kümmert~~handles ~~sich~~web umtraffic ~~Web-Traffic-Routing~~routing ~~und~~and ~~HTTPS-Terminierung~~HTTPS termination.

~~Diese~~This ~~klare~~clear ~~Trennung~~separation ~~verhindert~~avoids ~~Konflikte~~conflicts ~~und~~and ~~macht~~makes ~~die~~management ~~Verwaltung skalierbar.~~scalable.

✔️ BesteBest ArchitekturArchitecture (amMost zuverlässigsten)Reliable)

1) Move Pi-holehole’s Web-Web UI vonoff Port 80/443 wegbewegen

~~Standardmäßig~~By ~~bindet~~default Pi-hole ~~seine~~binds ~~Web-Oberfläche~~its anweb ~~Port~~UI to port 80/443. ~~Das~~This ~~kollidiert~~collides ~~mit~~with NPM.

Change Pi-hole ~~Admin-~~Admin UI ~~auf~~to ~~einen~~a ~~anderen~~different ~~Port umstellen~~port (z.e.g., B.8081, ~~8081, 8888)~~8888):

~~Auf dem~~On Pi-~~hole-Host:~~hole ~~Lighttpd-Konfiguration~~host: ~~anpassen,~~change ~~sodass~~Lighttpd config so /admin ~~auf~~listens z.on ~~B. Port~~ 8081 lauscht
DNS ~~auf~~on ~~Port~~Pi-hole still runs on port 53 ~~bleibt~~and ~~davon~~is ~~unberührt~~unaffected by this change

~~Dadurch~~This ~~kann~~allows NPM ~~die~~to ~~Ports~~own 80/443 ~~exklusiv nutzen.~~exclusively. (bolet.io)

2) LokaleLocal DNS-EinträgeDNS Records in Pi-hole fürfor alleAll reverse-proxiedReverse-Proxied Hosts

~~Erstelle~~Create A~~-Records,~~ ~~die~~records ~~freundliche~~that ~~Domains~~point ~~auf~~friendly ~~die~~domains IPto ~~von~~NPM’s ~~NPM zeigen.~~IP.

~~Beispiel:~~Example:

pihole.lab.zn80.net     → 192.168.10.105
jellyfin.lab.zn80.net   → 192.168.10.105
bookstack.lab.zn80.net  → 192.168.10.105

~~Warum?~~Reasoning:

~~Geräte~~Devices ~~fragen~~query Pi-~~hole-~~hole DNS aband ~~und~~get ~~erhalten~~your ~~deine~~internal ~~internen Namen~~names
NPM ~~leitet~~then ~~dann~~routes ~~anhand~~based ~~des~~on ~~Host-Headers~~Host ~~weiter~~header

Pi-hole ~~ist~~is ~~die~~the ~~maßgebliche~~DNS ~~DNS-Quelle~~source ~~für~~of ~~dein~~truth for your LAN. (ReproDev)

3) Configure NPM Proxy Hosts infor NPMEach für jeden Dienst konfigurierenService

InInside NPM ~~unter~~ Proxy Hosts:

~~Domain /~~ Domain/Hostname	Forward To	Port	~~Hinweise~~Notes
`pihole.lab.zn80.net`	192.168.10.105	8081	Pi-hole ~~Admin-~~admin UI
`jellyfin.lab.zn80.net`	192.168.10.xxx	8096	~~Jellyfin-Dienst~~Jellyfin service
`bookstack.lab.zn80.net`	…	…	~~Weitere~~Other ~~Dienste~~services

~~Wichtige~~Important ~~Details~~details

~~Bei~~For Pi-hole ~~ggf.~~you ~~den~~may ~~Pfad~~need to forward /admin ~~korrekt~~correct ~~weiterleiten~~paths
~~Idealerweise für~~ ~~alle~~ ~~Hosts~~Enable SSL ~~aktivieren~~for all hosts (ideally) via Let’s Encrypt –(even ~~auch~~internal ~~bei~~DNS) ~~internen Domains)~~
~~→ Falls~~If Let’s Encrypt ~~die~~can’t ~~internen~~validate ~~Domains~~via ~~nicht~~DNS ~~validieren~~challenge ~~kann,~~for ~~lokales~~internal ~~CA-Zertifikat~~domains, ~~oder~~you ~~vertrauenswürdiges~~can ~~selbstsigniertes~~use ~~Zertifikat~~a ~~verwenden~~local ~~und~~CA ~~auf~~or ~~den~~self-signed ~~Clients~~cert ~~einpflegen.~~and manage trust in your clients. (Reddit)

~~Dadurch~~This ~~wird~~makes ~~alles~~everything ~~sauber~~clean ~~nur~~to ~~über~~access ~~Hostnamen~~via ~~erreichbar~~Hostnames exclusively:

https://jellyfin.lab.zn80.net
https://pihole.lab.zn80.net/admin

4) InterneMaintain expliziteInternal DNS-EinträgeDNS stattInstead of Wildcard DNS (optional,Optional aberbut sicherer)safer)

~~Man~~You ~~könnte~~could ~~versucht~~be ~~sein,~~tempted ~~einen~~to ~~Wildcard~~use zua ~~nutzen~~wildcard (*.lab.zn80.net → 192.168.10.105), ~~das~~but ~~ist~~that ~~jedoch~~is ~~weniger~~less ~~sicher~~safe and confusing ~~und~~for ~~macht~~certificate ~~Zertifikatsvalidierung~~validation &and ~~Fehlersuche~~service ~~schwieriger.~~discovery.

~~Besseres~~Better ~~Muster:~~pattern:

Pi-hole ~~lokaler~~local DNS → ~~explizite~~explicit ~~A-Records~~A ~~pro~~records ~~Hostname~~per hostname
Pi-hole → ~~NPM-~~NPM IP
NPM → ~~interner~~internal ~~Dienst~~service

~~Explizite~~Explicit ~~Einträge~~records ~~helfen bei:~~help:

~~TTL-Verwaltung~~TTL management
~~SSL-Zertifikatsausstellung~~SSL certificate issuance
~~Fehlersuche~~Troubleshooting

🧠 WarumWhy dasThis derIs bestethe WegBest istWay

✅ DNS + Reverse Proxy sindare saubercleanly getrenntseparated

Pi-hole ~~liefert~~isn’t ~~kein~~serving ~~HTTP~~HTTP, →so ~~keine~~there’s ~~Port-Konflikte~~
no port conflict. NPM ~~kann~~can handle 80/443 ~~störungsfrei~~without ~~nutzen~~interference.

✅ EchteYou HTTPS-Verschlüsselungachieve auchreal internHTTPS for internal domains

~~Jeder~~Every ~~Dienst~~service ~~kann~~can ~~über~~have ~~NPM~~a ~~ein~~valid ~~gültiges~~certificate ~~Zertifikat~~via ~~erhalten~~NPM.

✅ Einfach,Easy, skalierbarscalable, &and zukunftssicherfuture-proof

~~Neuen~~Adding ~~Dienst~~a ~~hinzufügen:~~new service is trivial:

~~A-Record~~Add A record in Pi-hole ~~anlegen~~
Add Proxy Host in NPM ~~erstellen~~
~~Fertig~~Done

✅ FunktioniertWorks mitwith VPN / lokalenlocal DNS-ClientsDNS clients

~~Solange~~If ~~Geräte~~your devices use Pi-~~hole~~hole’s ~~als DNS-Server nutzen~~DNS (~~LAN, WLAN,~~ wired/wireless/VPN), ~~lösen~~they ~~sie~~resolve ~~die~~domain ~~Namen~~names ~~auf, die~~that NPM ~~proxyen~~can ~~kann.~~proxy. (Pi-~~Hole~~hole ~~Uberspace~~Userspace)

🛠 DetaillierteDetailed UmsetzungImplementation

A) Change Pi-hole Weboberflächeweb aufinterface anderen Port legenport

~~Datei bearbeiten:~~Edit /etc/lighttpd/lighttpd.conf:

server.port = 8081

~~Danach neu starten:~~Restart:

sudo systemctl restart lighttpd

B) DNS-EinträgeAdd DNS entries in Pi-hole anlegen

In Pi-~~hole~~hole:

~~unter:~~

Local DNS → DNS Records

~~Beispiele:~~Examples:

pihole.lab.zn80.net → 192.168.10.105
jellyfin.lab.zn80.net → 192.168.10.105

C) In NPM, add Proxy Hosts in NPM anlegen

~~Für~~For ~~jeden~~each ~~Dienst:~~service:

~~Domain-Namen:~~ ~~deine~~
Domain ~~lokale~~names: ~~Domain~~your local domain
~~Forward-Hostname/-IP~~ +
Forward ~~Port:~~hostname: ~~echter~~actual ~~Dienst~~service IP/port (Pi-hole ~~Admin~~admin =UI at 8081)
SSL:
- ~~Neues~~Request ~~Zertifikat~~new ~~anfordern~~cert (~~wenn~~if ~~öffentliche~~public ~~Domain~~domain ~~oder~~or ~~DNS-Challenge~~DNS ~~möglich)~~challenge available)
- ~~Oder~~Or ~~lokales~~use local CA / ~~vertrauenswürdiges~~self-signed ~~selbstsigniertes~~trusted ~~Zertifikat verwenden~~cert

~~Empfohlene~~Set ~~Standard-Optionen:~~common options:

Block ~~exploits~~exploits: ~~→ aktiviert~~enabled
Expires ~~headers →~~headers: optional
~~Websockets~~Websockets: →if ~~falls benötigt~~needed

🚫 WasWhat manNot nichtto tun sollteDo

❌ Don’t proxy Pi-hole DNS-Portport

Do not try to proxy port 53 ~~nicht~~through ~~über~~NPM. ~~NPM proxyn~~

DNS ~~muss~~must ~~direkt~~be ~~erreicht werden – niemals proxyen!~~direct.

❌ Don’t expose Pi-hole Admin-admin UI nicht öffentlich exponierenpublicly

~~Nur~~Pi-hole ~~aus~~should only be accessible from your LAN ~~oder~~or ~~per VPN erreichbar machen.~~VPN.

❌ KeineDon’t Wildcardsuse verwenden,wildcards wennunless manyou dieknow Zertifikatskettecertificate nicht beherrschtchain

~~Wildcard-~~Wildcard DNS ~~kann~~can break HTTPS ~~kaputt~~if ~~machen,~~certificates ~~wenn~~aren’t ~~die Zertifikate nicht passen.~~matching.

📌 SoFinal sollteResult esYou amShould Ende aussehenSee

~~Nach~~After ~~der Einrichtung:~~setup:

nslookup pihole.lab.zn80.net      # → 192.168.10.105
nslookup jellyfin.lab.zn80.net    # → 192.168.10.105

Browser:

~~Im Browser:~~

https://pihole.lab.zn80.net/admin  # mit SSL
https://jellyfin.lab.zn80.net      # mit SSL

Pi-hole ~~macht~~DNS ~~DNS,~~works, NPM ~~übernimmt~~handles ~~den~~web ~~Web-Zugriff~~access, –and ~~alles~~everything ~~sicher,~~is ~~konsistent~~secure, ~~und~~consistent, ~~gut~~and ~~wartbar.~~manageable.

~~Viel Erfolg bei der Umsetzung!~~