Securing AdGuard Home
This guide covers how to add authentication and authorization to an instance of AdGuard Home. It also gives us a great excuse to demonstrate how to use Pomerium's add headers functionality to transparently pass along basic authentication credentials to a downstream app.
What is AdGuard?
AdGuard Home operates as a DNS server that re-routes tracking domains to a "black hole", thus preventing your devices from connecting to those servers. Instead of browser plugins or other software on each computer, you can install AdGuard in one place and your entire network is protected. AdGuard is very similar to Pi-hole but has some marked advantages.
Where Pomerium fits
AdGuard is a great candidate for protecting with Pomerium, as it does not currently support any authentication or authorization capabilities beyond a single set of HTTP Basic Access Authentication credentials.
This guide assumes you have already completed one of the [quick start] guides, and have a working instance of Pomerium up and running. For the purposes of this guide, I'm going to use docker-compose, though any other deployment method would work equally well.
```yaml
# config.yaml
- from: https://adguard.domain.example
  to: http://adguard
  allowed_users:
    - email@example.com
  set_request_headers:
    # https://www.blitter.se/utils/basic-authentication-header-generator/
    # Value is "Basic " + base64("user:password"); substitute your AdGuard credentials.
    Authorization: Basic dXNlcjpwYXNzd29yZA==
  allow_websockets: true
```
Here's the important bit. If you don't add the set_request_headers line above, you will be prompted for a basic login on each visit.
```yaml
# docker-compose.yaml
adguard:
  image: adguard/adguardhome:latest
  volumes:
    - ./adguard/workdir:/opt/adguardhome/work:rw
    - ./adguard/confdir:/opt/adguardhome/conf:rw
  ports:
    - 53:53/udp
  expose:
    - 67
    - 68
    - 80
    - 443
    - 853
    - 3000
  restart: always
```
Set your router to use your new host as the primary DNS server.
Simply navigate to your new AdGuard instance (e.g. https://adguard.domain.example) and behold all of the malware you and your family are no longer subjected to.