Simplifying LAN Only Access for Nginx Proxy Manager

I’ve been leveraging Nginx Proxy Manager for a while now in the lab here and had most of my services exposed to the internet. This, however, raises some security concerns for me as many applications leverage authentication, but aren’t necessarily hardened for public internet exposure. I had been hunting around for a solution that provides domain name services, but LAN access only without the need for usernames and passwords via access lists in Nginx Proxy Manager. I finally stumbled on a solution, and I figured I would share it with all of you.

First, to get one thing out of the way, I am a homelabber. I am by no means an expert. With that said, I find technology fascinating and can never resist a good problem to solve. There are countless forums, forum posts, and videos out there, but none that I found really put everything together cohesively.

Let me give you an example of my scenario; there are certain services I want exposed to the public internet and some I don’t, but for all I want to be able to leverage domain names instead of using IP addresses. To further complicate things, I want everything to use SSL and I don’t want to have to remember ports.

One of the services I don’t want to expose to the internet is my TrueNAS server. For me, truenas.somedomain.com is much simpler, and way cooler, than typing an IP address. Plus the added benefit of providing SSL just makes things better.

There are a few issues to work through:

  • Leveraging only Nginx Proxy Manager exposes this to the internet.
  • If I try to use a basic access list, I am prompted for a username and password from the proxy manager before I am prompted for a username and password from TrueNAS, which is redundant.
  • This also doesn’t solve the requirement of not being exposed to the internet.
  • If I use a DNS rewrite only in AdGuard Home, I have to populate the port with my domain name which is infuriating because I can never remember the ports for things at my advanced age. Yes, a me problem…

It turns out the solution to the problem is actually pretty simple.

To fix all this, all it takes is configuring two applications properly: AdGuard Home and Nginx Proxy Manager.

First, I created an access list in Nginx Proxy Manager named “Local Only” with an allow for 192.168.0.0/24, to cover all my VLANs, with Satisfy Any ticked on.

Assign it to each proxy host entry in Nginx Proxy Manager that you want LAN-only access to.

Create a DNS rewrite for each entry in AdGuard Home with the IP address of my Nginx Proxy Manager, or use a wildcard entry like *.somedomain.com.
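To check which clients the “Local Only” list will actually admit before relying on it, the rule can be evaluated offline. This is an added example, not part of the original post: it models the first-match evaluation nginx applies to allow/deny rules, assumes the access list ends in a deny-all rule, and uses constructed client addresses.

```python
import ipaddress

# Ordered rules as the "Local Only" access list expresses them.
# Assumption: the list ends with an implicit "deny all".
LOCAL_ONLY = [("allow", "192.168.0.0/24"), ("deny", "all")]

def decide(client_ip, rules=LOCAL_ONLY):
    """Return 'allow' or 'deny' for client_ip using first-match semantics."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all":
            return action
        net = ipaddress.ip_network(target, strict=False)
        # An IPv6 client never matches an IPv4 rule, and vice versa.
        if addr.version == net.version and addr in net:
            return action
    return "allow"  # nginx permits the request when no rule matches

def audit(clients, rules=LOCAL_ONLY):
    """Map each named client to the verdict the rule list gives it."""
    return {name: decide(ip, rules) for name, ip in clients.items()}

# Constructed sample clients (not taken from the post).
CLIENTS = {
    "desktop on 192.168.0.x": "192.168.0.25",
    "device on another 192.168.x subnet": "192.168.10.40",
    "internet host (documentation range)": "203.0.113.7",
    "IPv6 client": "2001:db8::1",
}

if __name__ == "__main__":
    for name, verdict in audit(CLIENTS).items():
        print(f"{verdict:5}  {name}")
    # A /24 admits only 192.168.0.0-192.168.0.255. If VLANs sit on other
    # 192.168.x.0 subnets, each needs its own allow entry or a wider prefix.
    wider = [("allow", "192.168.0.0/16"), ("deny", "all")]
    print("with /16:", decide("192.168.10.40", wider))
```

Any client that should reach a LAN-only host but comes back as deny here will get a 403 from the proxy, so add its subnet to the access list first.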

Problem solved!

No WAN access to the services, local LAN access only via an easy to remember services name like truenas.somedomain.com, and SSL. Easy Peasy Pumpkin Squeezy. Enjoy!

About Joe D

I have always had a passion for everything computing. In early 2000, I decided to take my passion to the web. Thus, C.O.D. was born. Through the years we have made many great friends at C.O.D. and hope to continue our journey for years to come.
