Thanks for those links. I actually learned some neat tricks there, but found no foolproof answer to my reverse proxy question...
Still using this Nginx-Config for Pihole v6 beta and until now everything is working fine...
"dns" is locally resolved to x.x.x.254 which is shared by 2 different piholes via keepalived.
Works quite nicely.
# HTTPS virtual host that reverse-proxies the Pi-hole web UI (/admin) and API (/api)
# for any hostname matching dns.*. Every location forwards to the upstream "dns"
# over plain HTTP on port 80.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name dns.*;
    include /config/nginx/ssl.conf;
    # 0 turns off nginx's request body size limit for this vhost.
    client_max_body_size 0;
    # Access gate: LAN clients are forced onto the whitelist, then a request is
    # rejected with 404 only when $geo-whitelist is exactly "no".
    # NOTE(review): both variables are defined outside this block - confirm that
    # their default for an unmatched client is "no", otherwise this check lets
    # the request through.
    if ($lan-ip = yes) { set $geo-whitelist yes; }
    if ($geo-whitelist = no) { return 404; }
    # enable for Authelia (requires authelia-location.conf in the location block)
    include /config/nginx/authelia-server.conf;
    # Exact match for the site root only; the request is handed to the upstream
    # with the fixed URI /admin.
    location = / {
        # enable for Authelia (requires authelia-server.conf in the server block)
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        # presumably supplies the resolver nginx needs because proxy_pass below
        # is built from variables - verify against resolver.conf
        include /config/nginx/resolver.conf;
        set $upstream_app dns;
        set $upstream_port 80;
        # The hop from nginx to Pi-hole is unencrypted HTTP; TLS ends at this proxy.
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port/admin;
    }
    # Prefix match: every URI that starts with /admin, passed through unchanged.
    location /admin {
        # TODO: check whether Authelia is skipped when it is listed only in the
        # exact-match root block ..
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app dns;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
    # Prefix match for the Pi-hole API, passed through unchanged.
    # NOTE(review): unlike the two locations above, this one does not include
    # authelia-location.conf, so /api is protected only by the whitelist check at
    # server level and by whatever authentication Pi-hole itself enforces -
    # confirm a Pi-hole password is set before exposing this beyond the LAN.
    location /api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app dns;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
    # deny access to .htaccess/.htpasswd files
    # Regex location, so it wins over the /admin and /api prefix matches for any
    # URI containing "/.ht".
    location ~ /\.ht {
        deny all;
    }
}