I’ve been leveraging Nginx Proxy Manager for a while now in the lab here and had most of my services exposed to the internet. This, however, raises some security concerns for me as many applications leverage authentication, but aren’t necessarily hardened for public internet exposure. I had been hunting around for a solution that provides domain name services, but LAN access only without the need for usernames and passwords via access lists in Nginx Proxy Manager. I finally stumbled on a solution, and I figured I would share it with all of you.
First, to get one thing out of the way, I am a homelabber. I am by no means an expert. With that said, I find technology fascinating and can never resist a good problem to solve. There are countless forums, forum posts, and videos out there, but none that I found really put everything together cohesively.
Let me give you an example of my scenario; there are certain services I want exposed to the public internet and some I don’t, but for all I want to be able to leverage domain names instead of using IP addresses. To further complicate things, I want everything to use SSL and I don’t want to have to remember ports.
One of the services I don’t want to expose to the internet is my TrueNAS server. For me, truenas.somedomain.com is much simpler, and way cooler, than typing an IP address. Plus the added benefit of providing SSL just makes things better.
There are a few issues to work through:
- Leveraging only Nginx Proxy Manager exposes this to the internet.
- If I try to use a basic access list, I am prompted for a username and password from the proxy manager before I am prompted for a username and password from TrueNAS, that is redundant.
- This also doesn’t solve the issue of not being exposed to the internet requirement.
- If I use a DNS rewrite only in AdGuard Home, I have to populate the port with my domain name which is infuriating because I can never remember the ports for things at my advanced age. Yes, a me problem…
It turns out the solution to the problem is actually pretty simple.
To fix all this, all it takes is configuring two applications properly: AdGuard Home and Nginx Proxy Manager.
First, I created an access list in Nginx Proxy Manager named “Local Only” with an allow for 192.168.0.0/24, to cover all my VLANS with Satisfy Any checked ticked on.


Assign it to each proxy host entry in Nginx Proxy Manager that you want LAN only access to

Create a DNS rewrite for each entry in Adguard Home with the IP address of my Nginx Proxy Manager, or us a wildcard entry like *.somedomain.com

Problem solved!
No WAN access to the services, local LAN access only via an easy to remember services name like truenas.somedomain.com, and SSL. Easy Peasy Pumpkin Squeezy. Enjoy!