Cloudflare Tunnel + Nginx Proxy Manager

Publish internal services safely through Cloudflare Tunnel with SSL and access controls.

Architecture

Cloudflare Tunnel handles edge to lab connectivity; NPM manages internal reverse proxying and cert requests. DNS stays in Cloudflare; you never open random WAN ports.

  • Tunnel connector runs on a small VM or Docker host inside the lab.
  • NPM requests Let's Encrypt certs via the DNS-01 challenge (Cloudflare DNS plugin); no inbound port 80 and no HTTP-01 needed.
  • Optional Zero Trust Access policies per hostname.

Prereqs

  • Cloudflare account with your domain onboarded.
  • API token scoped to Zone:DNS:Edit on just that zone; the same token serves NPM's DNS-01 challenge. Never use the Global API Key.
  • Docker host for tunnel + NPM or a VM equivalent.

Setup Flow

  1. Install cloudflared, run `cloudflared tunnel login`, then `cloudflared tunnel create <name>`. The credentials JSON it writes is the tunnel's secret: keep it off shared storage and out of git.
  2. In config.yml add ingress rules. Since NPM does the internal proxying, each published hostname routes to NPM (http://npm:80, or https://npm:443 with originServerName set), not straight to the app. The last rule must be the catch-all `service: http_status:404`, so an unmatched hostname never reaches anything internal.
  3. Create a proxied CNAME (orange cloud on) for each hostname pointing at <TUNNEL-UUID>.cfargotunnel.com, or let `cloudflared tunnel route dns <tunnel> <hostname>` create it. Proxying is mandatory here; the cfargotunnel target only resolves through Cloudflare's edge.
  4. In NPM, add a proxy host for the service pointing at its internal IP:PORT, enable websockets if the app needs them, and request a cert via DNS challenge with the Cloudflare token. That cert covers the cloudflared-to-NPM hop and LAN clients; WAN clients see Cloudflare's edge cert.
  5. Optionally add a Cloudflare Access application for the hostname and require SSO. Unauthenticated requests are stopped at the edge and never enter the tunnel. Access only guards the tunnel path, so make sure the upstream is not also reachable by another route (no port-forward, no second proxy), or have the app validate the Cf-Access-Jwt-Assertion header itself.
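The ingress configuration the steps above produce, written out as an added example (not the page's own config). It assumes a tunnel named `lab-tunnel`, an NPM container reachable as `npm` on the same Docker network as cloudflared, and two hypothetical hostnames under `example.com`; all of those names are assumptions.

```yaml
# /etc/cloudflared/config.yml  (hypothetical path and names)
tunnel: lab-tunnel
# Written by `cloudflared tunnel create lab-tunnel`; this file is the tunnel secret.
credentials-file: /etc/cloudflared/lab-tunnel.json

ingress:
  # Every published hostname goes to NPM, which does the internal proxying.
  # Speaking TLS to NPM with originServerName set lets cloudflared verify the
  # DNS-01 cert NPM already holds for that hostname, and avoids the redirect
  # loop that NPM's "Force SSL" causes when it sees plain HTTP arrive on :80.
  - hostname: app.example.com
    service: https://npm:443
    originRequest:
      originServerName: app.example.com
  - hostname: grafana.example.com
    service: https://npm:443
    originRequest:
      originServerName: grafana.example.com
  # Required catch-all: anything not matched above gets a 404 at the edge,
  # so a stray CNAME can never reach an internal service by accident.
  - service: http_status:404
```

Check the file with `cloudflared tunnel ingress validate`, and confirm where a given URL lands with `cloudflared tunnel ingress rule https://app.example.com/`. If NPM does not yet hold the cert when you first bring the tunnel up, cloudflared will refuse the origin; either issue the cert first or temporarily add `noTLSVerify: true` under `originRequest` and remove it once the cert is in place.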

Checklist per App

  • CNAME created and proxied
  • NPM host points to correct upstream IP:PORT
  • SSL cert valid via DNS challenge; HSTS optional
  • Access policy in place (if WAN exposure)
  • Smoke test from WAN + LAN. From WAN, a plain-HTTP request should be redirected at the Cloudflare edge (Always Use HTTPS); from LAN, NPM's own 301 to HTTPS.

Troubleshooting

  • 502: cloudflared is up but cannot reach the upstream it was told about; check the ingress rule for that hostname (`cloudflared tunnel ingress rule https://<host>/`) and that NPM is listening. 530 (error 1033): no healthy tunnel connection at all; check `cloudflared tunnel info <name>` and the connector logs.
  • Redirect loop (ERR_TOO_MANY_REDIRECTS): the ingress sends plain HTTP to NPM port 80 while the NPM host has Force SSL on, so every request gets a 301 back to HTTPS. Point the ingress at https://npm:443 (with originServerName or noTLSVerify), or turn Force SSL off for that host and let the edge enforce HTTPS.
  • SSL fail: the token must have Zone:DNS:Edit on the zone, and NPM takes it as the "Credentials File Content" in the proxy host's SSL tab (the `dns_cloudflare_api_token = ...` line), not from environment variables. If the challenge times out, raise the propagation seconds.
  • Looping login: the Access application's hostname must match the exact FQDN the browser uses (subdomain and all), and the browser must accept the Access cookie; align the FQDN and check cookie blocking.
  • Websocket drops: enable Websockets Support on the NPM proxy host, and make sure the scheme chosen for the upstream (http vs https) matches what the app actually listens on, which for most containers is plain HTTP.