Logs from VahaC

IT-Tools and Dozzle in my LAN without ports

,

Access IT-Tools and Dozzle in my LAN without ports

I run a small homelab where a couple of “developer quality-of-life” services run on a NAS:

  • IT‑Tools (a Swiss‑army knife of utilities) 🧠🔧
  • Dozzle (a lightweight real‑time Docker log viewer) 👀🐳

Both services were reachable via raw IP + port (e.g., http://<NAS_IP>:<PORT>). That works, but it’s annoying—so I set up clean local hostnames to access IT-Tools and Dozzle in your LAN without ports.

My goal was to open them like regular websites, with no ports:

  • http://it-tools.lan
  • http://dozzle.lan

This post is a clean, reproducible way to do it using:

  • a Keenetic router (for local DNS)
  • Nginx Proxy Manager (running as a Home Assistant add-on)

Privacy note: All IP addresses, hostnames, usernames, and any potentially identifying values below are intentionally anonymized.

Architecture overview 🧱

  • NAS hosts the apps:
    • IT‑Tools runs on http://<NAS_IP>:<ITTOOLS_PORT>
    • Dozzle runs on http://<NAS_IP>:<DOZZLE_PORT>
  • Home Assistant machine runs Nginx Proxy Manager on http://<PROXY_IP>:81 (admin UI) and listens on LAN ports 80/443.
  • Keenetic provides local DNS overrides:
    • it-tools.lan<PROXY_IP>
    • dozzle.lan<PROXY_IP>
  • Nginx Proxy Manager routes by hostname:
    • it-tools.lan<NAS_IP>:<ITTOOLS_PORT>
    • dozzle.lan<NAS_IP>:<DOZZLE_PORT>

Result: users type a friendly name, NPM forwards traffic to the right service.

Step 1 — Confirm the services work via IP + port ✅

Before touching DNS or proxy rules, verify the apps are reachable directly:

  • http://<NAS_IP>:<ITTOOLS_PORT>
  • http://<NAS_IP>:<DOZZLE_PORT>

If those don’t work, fix networking/container ports first.

Step 2 — Create Proxy Hosts in Nginx Proxy Manager 🌐

Open the NPM admin UI:

  • http://<PROXY_IP>:81

Then create two Proxy Hosts.

2.1 IT‑Tools host 🧰

Hosts → Proxy Hosts → Add Proxy Host

  • Domain Names: it-tools.lan
  • Scheme: http
  • Forward Hostname / IP: <NAS_IP>
  • Forward Port: <ITTOOLS_PORT>

Recommended toggles:

  • Block Common Exploits
  • ⛔ Websockets usually not required for IT‑Tools

Save.

2.2 Dozzle host 👀

Hosts → Proxy Hosts → Add Proxy Host

  • Domain Names: dozzle.lan
  • Scheme: http
  • Forward Hostname / IP: <NAS_IP>
  • Forward Port: <DOZZLE_PORT>

Recommended toggles:

  • Websockets Support (Dozzle live updates)
  • Block Common Exploits

Save.

Note: .lan is a private/local domain. Public CA certificates like Let’s Encrypt generally won’t issue certificates for it. For pure LAN usage, HTTP is perfectly fine.

Step 3 — Add local DNS records on Keenetic 🧭

Keenetic makes “static DNS records” easiest via CLI (SSH). The goal is simple:

  • it-tools.lan<PROXY_IP>
  • dozzle.lan<PROXY_IP>

3.1 SSH into Keenetic

From a LAN computer:

ssh <ROUTER_ADMIN>@<ROUTER_IP>

3.2 Add static host records

In the Keenetic CLI, run:

ip host it-tools.lan <PROXY_IP>
ip host dozzle.lan <PROXY_IP>
system configuration save
exit

That’s it. Now the router answers DNS queries for those names.

Step 4 — Verify DNS from a client 🔎

On Windows (example):

nslookup it-tools.lan <ROUTER_IP>
nslookup dozzle.lan <ROUTER_IP>

You should see both resolving to <PROXY_IP>.

Also confirm the client is actually using the router for DNS:

ipconfig /all

Look for DNS Servers<ROUTER_IP>.

Step 5 — The “it resolves but the browser won’t open it” trap 🪤

This one cost me the most time.

Everything looked correct:

  • nslookup returned the right IP ✅
  • curl succeeded ✅
  • but the browser refused to load http://it-tools.lan / http://dozzle.lan

Root cause: Secure DNS / DNS‑over‑HTTPS (DoH) 🔐

Modern browsers can bypass your LAN DNS and use a public resolver (Cloudflare/Google/etc.) via DoH.

A public resolver obviously has no idea what it-tools.lan is — it’s a private name.

Fix: disable DoH (Secure DNS) in the browser ✅

Chrome / Edge:

  • Settings → Privacy and security → Security
  • Turn off Use Secure DNS (or set it to “use current provider” if appropriate)

After disabling DoH, the browser started using the router DNS again — and local .lan domains worked instantly.

Quick health checks 🩺

If something still doesn’t work, these checks isolate the problem fast.

1) Does the name resolve?

nslookup it-tools.lan <ROUTER_IP>

2) Does the proxy answer on port 80?

curl -I http://it-tools.lan

3) For Dozzle, test GET (some services dislike HEAD)

curl -s -o NUL -w "%{http_code}\n" http://dozzle.lan/
  • 200/301/302 is good
  • 502 usually means proxy can’t reach the backend
  • 404 often means hostname doesn’t match any Proxy Host

Final result 🎉

Once DNS and NPM are aligned:

  • http://it-tools.lan opens IT‑Tools with no port
  • http://dozzle.lan opens Dozzle with no port

And the best part: this works for every device in the LAN (PC, phone, tablet) as long as they use the router DNS and don’t override it with DoH.

Optional improvements ✨

  • Use a proper internal domain like home.arpa for standards compliance
  • Add internal TLS with a private CA (if you want HTTPS everywhere)
  • Create an “Apps” dashboard page in Home Assistant with links to your LAN services

Summary 📌

  • Put Nginx Proxy Manager in front of your tools
  • Point local DNS names to your proxy IP on Keenetic via ip host ...
  • If DNS works but the browser fails, disable **Secure DNS (DoH)

,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.