Step-by-Step Guide to Nginx Proxy Manager with Cloudflare SSL: Perfect for Your Homelab
The self-hosting movement is gaining momentum, with Nginx Proxy Manager with Cloudflare SSL becoming essential for homelab enthusiasts wanting to reduce their reliance on cloud services while keeping their data secure. In fact, this powerful combination creates a robust security barrier protecting against vulnerabilities that hackers might exploit through zero-day attacks.
Nginx is free, open-source, and remarkably easy to set up, allowing you to have a reverse proxy working in no time at all. Additionally, it has been around for decades, making it highly optimized for load balancing, SSL offloading, and protection against DDoS attacks. When paired with Cloudflare for SSL certificates, you create a security system that properly encrypts data between your applications and users. These SSL certificates contain crucial information like domain details and the public key used for encrypting data.
Throughout this guide, I’ll walk you through the complete process of setting up Nginx Proxy Manager with Cloudflare SSL for your homelab. We’ll cover everything from installation to configuration, focusing on TCP port 443 (the standard port for websites using SSL), and even explore how to implement wildcard certificates for maximum flexibility. Whether you’re new to self-hosting or looking to strengthen your existing setup, this step-by-step approach will help you create a secure and efficient gateway to your homelab services.
Setting up your homelab environment
Before diving into Nginx Proxy Manager and Cloudflare SSL integration, we need to establish a solid foundation for our homelab environment. Setting up the right infrastructure first ensures smooth operation later.
Install Docker and Docker Compose
Docker and Docker Compose form the backbone of our Nginx Proxy Manager deployment. Docker Desktop offers the easiest installation method since it bundles Docker Engine, CLI, and Docker Compose together [1]. For Linux users, however, a command-line installation is more common.
To install Docker Compose on Ubuntu or Debian:
sudo apt-get update
sudo apt-get install docker-compose-plugin
For RPM-based distributions like CentOS or Fedora:
sudo yum update
sudo yum install docker-compose-plugin
Verify your installation with:
docker compose version
Choose a Linux distro or OS for hosting
Selecting the right operating system significantly impacts your homelab’s performance and management. Ubuntu Server stands out as an excellent choice for beginners due to its user-friendly interface and extensive documentation [2]. Furthermore, after installing Ubuntu, you can quickly set up Docker and deploy containers within minutes.
Proxmox VE offers a more specialized alternative, built specifically for virtualization and containerization. It supports both KVM for virtual machines and LXC for containers [3]. The integrated web GUI makes management straightforward without requiring SSH for every task.
For those focused purely on containerization, Fedora CoreOS comes pre-installed with Docker and Podman, making it a purpose-built distribution for container deployments [4].
Assign a static IP to your server
A static IP address is essential for your homelab server, especially when setting up Nginx Proxy Manager. There are two primary approaches:
- Configure a static IP directly on your server by editing network configuration files. For instance, on OpenSUSE, you would modify /etc/sysconfig/network/ifcfg-eth0 and set IPADDR='192.168.0.222/24' [5].
- Use Static DHCP reservation through your router, which assigns the same IP to your server based on its MAC address. Most modern routers support this feature – look for options labeled “Reserve Address” or “Static DHCP” in your router’s configuration panel [5].
Consequently, your Nginx Proxy Manager will always be accessible at the same address, creating stability for your reverse proxy setup and allowing consistent forwarding of ports 80 and 443 from your router to your server.
Installing Nginx Proxy Manager with Docker

Now that our homelab environment is ready, let’s install Nginx Proxy Manager using Docker. This powerful tool will handle all our reverse proxy needs with a clean web interface, making SSL management straightforward alongside Cloudflare integration.
Create a docker-compose.yml file
First, create a dedicated directory for your Nginx Proxy Manager installation:
mkdir ~/nginx-proxy-manager
cd ~/nginx-proxy-manager
Next, create a docker-compose.yml file in this directory using your preferred text editor [6]. This file defines how Docker will run the Nginx Proxy Manager container. The bare minimum configuration uses SQLite for database storage, which is perfect for most homelab setups:
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'    # HTTP
      - '443:443'  # HTTPS
      - '81:81'    # admin interface
    volumes:
      - ./data:/data                    # configuration and SQLite database
      - ./letsencrypt:/etc/letsencrypt  # SSL certificates
Configure ports and volumes
The port configuration maps three essential ports from your host to the container [7]:
- Port 80: Handles HTTP requests
- Port 443: Manages HTTPS connections
- Port 81: Provides access to the admin interface
Volume mapping ensures your configuration persists even if the container is recreated:
- ./data:/data: Stores configuration files and SQLite database
- ./letsencrypt:/etc/letsencrypt: Maintains your SSL certificates
For advanced users, alternative database configurations with MySQL/MariaDB or PostgreSQL are available, though they require additional setup [8].
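The '81:81' mapping above has no host address, so Docker publishes the admin interface on every interface of the host, not only the one you browse to. The following check is an added example, not part of Nginx Proxy Manager or the original guide; it parses Compose short-syntax port strings and flags an admin port bound that way. The pinned variant and its address 192.168.0.222 are assumptions for illustration.

```python
# Added example: audit Compose short-syntax port mappings for the NPM admin port.
import ipaddress

ADMIN_PORT = 81  # container port of the admin interface, per this guide

# Constructed samples: the guide's mapping, and a variant that pins the admin
# port to one host address (192.168.0.222 is an assumed LAN IP for the server).
GUIDE_PORTS = ["80:80", "443:443", "81:81"]
PINNED_PORTS = ["80:80", "443:443", "192.168.0.222:81:81"]


def parse_mapping(mapping):
    """Split '[host_ip:]host_port:container_port[/proto]' (single ports only)."""
    spec, _, proto = mapping.partition("/")
    parts = spec.rsplit(":", 2)
    if len(parts) == 3:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_ip = "0.0.0.0"  # Docker's default: bind every host interface
        host_port, container_port = parts
    else:
        raise ValueError(f"no host port published in {mapping!r}")
    return host_ip.strip("[]"), int(host_port), int(container_port), proto or "tcp"


def audit(ports):
    """Return a finding for each admin-port mapping bound to all interfaces."""
    findings = []
    for mapping in ports:
        host_ip, host_port, container_port, _ = parse_mapping(mapping)
        if container_port != ADMIN_PORT:
            continue
        if ipaddress.ip_address(host_ip).is_unspecified:
            findings.append(
                f"{mapping}: admin UI reachable on every host interface, port {host_port}"
            )
    return findings


if __name__ == "__main__":
    for name, ports in (("guide", GUIDE_PORTS), ("pinned", PINNED_PORTS)):
        print(name, audit(ports) or "admin port bound to a specific address")
```

Whichever form you use, only ports 80 and 443 are forwarded from the router in this guide; port 81 stays off that list.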
Start the container with Docker Compose
Once your configuration is ready, launch Nginx Proxy Manager with:
docker compose up -d
The -d flag runs the container in detached mode, allowing it to operate in the background [9].
After the container starts (which may take a moment), access the admin interface by navigating to http://your-server-ip:81 in your browser. For your initial login, use these default credentials [9]:
- Email: admin@example.com
- Password: changeme
Upon first login, you’ll be prompted to update these credentials immediately for security reasons. Ultimately, you now have a functioning Nginx Proxy Manager ready for integration with Cloudflare SSL!
Connecting Cloudflare and generating SSL certificates

With Nginx Proxy Manager installed, securing your homelab applications requires integrating with Cloudflare and generating SSL certificates. This critical step establishes encrypted connections between your services and users.
Buy or register a domain on Cloudflare
To begin this process, purchase a domain name if you don’t already own one. Although various registrars work, managing your domain directly through Cloudflare simplifies the entire setup. Alternatively, if you purchased a domain elsewhere, you’ll need to transfer DNS management to Cloudflare by creating a free account and updating your domain’s nameservers to those provided by Cloudflare.
Create a Cloudflare API token
After setting up your domain, create an API token that will allow Nginx Proxy Manager to automatically validate certificates:
- Navigate to your Cloudflare dashboard, then go to My Profile > API Tokens
- Select Create Token and choose the Edit zone DNS template
- Customize the token name (e.g., “NPM Certificate Management”)
- Under permissions, ensure Zone > DNS > Edit is selected
- Restrict the token to your specific domain under Zone Resources
- Optional: Add IP restrictions for enhanced security
Copy and securely store this token—you’ll need it when configuring certificates in Nginx Proxy Manager.
Set DNS records to point to your homelab
Next, create an A record in Cloudflare pointing to your homelab:
- Type: A
- Name: Use * for wildcard subdomains or specific subdomain names
- Content: Your homelab’s public IP address
- Proxy status: DNS only (gray cloud icon)
This configuration ensures traffic routes correctly to your self-hosted services.
Add Let’s Encrypt certificate using DNS challenge
In Nginx Proxy Manager:
- Go to SSL Certificates > Add SSL Certificate
- Select Let’s Encrypt with DNS Challenge
- Enter your domain (e.g., example.com and *.example.com)
- Choose Cloudflare as DNS provider
- Enter your Cloudflare API token
- Set propagation time to 120 seconds
Enable wildcard SSL with Cloudflare DNS
The DNS challenge method is essential for wildcard certificates that cover all subdomains. Unlike HTTP validation, DNS validation works regardless of whether your services are publicly accessible. Once the certificate is issued, Nginx Proxy Manager will automatically manage renewals through Cloudflare’s API, ensuring continuous protection for all your homelab services.
Adding and securing proxy hosts

After generating SSL certificates, the next crucial step is configuring proxy hosts in Nginx Proxy Manager to securely expose your homelab services to the internet.
Add a new proxy host in NPM
From your Nginx Proxy Manager dashboard, navigate to the “Hosts” menu and select “Proxy Hosts.” Click the “Add Proxy Host” button to begin configuration. The Details tab requires several crucial pieces of information:
- Enter your domain name (e.g., service.yourdomain.com) in the “Domain Names” field
- Set “Scheme” to http (this refers to how NPM communicates with your internal service, not how external users will connect)
- In “Forward Hostname/IP,” enter either your service’s IP address (e.g., 192.168.1.100) or Docker container name if they share the same network
- Specify the “Forward Port” where your service listens internally
- Enable “Block Common Exploits” for enhanced protection against malicious attacks
Enable Force SSL and HTTP/2
Before saving, switch to the SSL tab where you’ll configure security settings. Select your previously generated Let’s Encrypt certificate from the dropdown menu. Next, enable these critical security options:
- Force SSL: Automatically redirects all HTTP traffic to HTTPS
- HTTP/2 Support: Implements the modern HTTP protocol for improved performance
- HSTS Enabled: Adds an extra layer of protection against man-in-the-middle attacks
These settings ensure all connections to your services remain encrypted and utilize modern web standards.
Use the correct SSL certificate
For each proxy host, make sure to select the appropriate certificate. If you created a wildcard certificate (*.yourdomain.com), you can use it across multiple subdomains. Otherwise, each proxy host needs its specific certificate. Pay special attention to domain matching—browsers will display security warnings if there’s a mismatch between your certificate and actual domain.
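A wildcard name stands for exactly one label, which is why the certificate step lists both example.com and *.example.com. The sketch below is an added example, not code from Nginx Proxy Manager or the original guide; it applies the matching rule browsers use to a certificate's name list and reports proxy hosts that would trigger a mismatch warning. The host names are constructed from the guide's placeholder domain.

```python
# Added example: which proxy-host names does a certificate's name list cover?

def hostname_matches(pattern, hostname):
    """Browser-style match: '*' must be the entire left-most label and
    stands for exactly one non-empty label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard outside the left-most label
    if p[0] == "*":
        return p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial wildcards such as 'f*' are not honoured here
    return p == h


def uncovered(cert_names, proxy_hosts):
    """Proxy hosts that no name on the certificate matches."""
    return [host for host in proxy_hosts
            if not any(hostname_matches(name, host) for name in cert_names)]


# Constructed sample data using the guide's placeholder domain.
WILDCARD_ONLY = ["*.yourdomain.com"]
APEX_AND_WILDCARD = ["yourdomain.com", "*.yourdomain.com"]
PROXY_HOSTS = ["service.yourdomain.com", "yourdomain.com", "app.lab.yourdomain.com"]

if __name__ == "__main__":
    print("wildcard only misses:", uncovered(WILDCARD_ONLY, PROXY_HOSTS))
    print("apex + wildcard misses:", uncovered(APEX_AND_WILDCARD, PROXY_HOSTS))
```

A nested name such as app.lab.yourdomain.com needs its own certificate entry (for example *.lab.yourdomain.com) because neither name on the sample certificate covers a second subdomain level.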
Test access from external network
Once configured, test your setup by visiting your domain from an external network (such as mobile data or another WiFi). First, verify HTTPS is working properly—look for the padlock icon in your browser’s address bar. Subsequently, confirm your service is accessible and functioning correctly. If issues arise, check your router’s port forwarding (80/443) and Cloudflare DNS settings to ensure proper traffic routing.
Conclusion
Setting up Nginx Proxy Manager with Cloudflare SSL creates a powerful foundation for your homelab environment. Throughout this guide, we’ve walked through each essential step – from establishing your server environment to securing your services with SSL certificates. This combination offers significantly enhanced security for all your self-hosted applications while maintaining accessibility from anywhere.
The beauty of this setup lies not only in its robust security features but also its remarkable flexibility. Wildcard certificates allow you to add new services effortlessly without reconfiguring SSL for each one. Additionally, the intuitive web interface makes managing your proxy hosts straightforward, even for those new to self-hosting.
Many homelab enthusiasts find that once this infrastructure is in place, expanding their self-hosted ecosystem becomes much simpler. You can now confidently add services like media servers, home automation systems, or personal cloud storage without worrying about secure access. The automatic certificate renewal through Cloudflare’s API ensures your services remain protected without constant maintenance.
Though the initial setup requires attention to detail, the long-term benefits far outweigh this investment of time. Your data remains under your control while still enjoying the security advantages of enterprise-grade SSL encryption. As self-hosting continues to grow in popularity, this Nginx Proxy Manager and Cloudflare SSL combination stands as an ideal gateway to digital sovereignty.
Remember to test your configuration thoroughly after completion and keep your Docker containers updated. With this setup, you’ve taken a significant step toward building a secure, reliable, and independent digital environment that truly belongs to you.
Key Takeaways
This comprehensive guide demonstrates how to create a secure, professional-grade homelab setup using Nginx Proxy Manager and Cloudflare SSL certificates for enhanced security and accessibility.
• Docker simplifies deployment: Use Docker Compose to install Nginx Proxy Manager quickly with persistent data storage and proper port mapping (80, 443, 81).
• Cloudflare API integration automates SSL: Create API tokens for DNS challenge validation, enabling automatic certificate generation and renewal without manual intervention.
• Wildcard certificates maximize flexibility: Generate *.domain.com certificates to secure unlimited subdomains with a single SSL certificate, streamlining service expansion.
• Force SSL and HTTP/2 enhance security: Enable these critical settings in proxy hosts to redirect all traffic to HTTPS and implement modern web protocols.
• Static IP assignment ensures stability: Configure static DHCP reservation or direct IP assignment to maintain consistent access to your reverse proxy setup.
This setup transforms your homelab into a secure, enterprise-grade environment where you maintain complete control over your data while enjoying professional-level SSL encryption and automated certificate management.
FAQs
Q1. How do I set up Nginx Proxy Manager for my homelab? To set up Nginx Proxy Manager, install Docker and Docker Compose, create a docker-compose.yml file with the necessary configurations, and run the container. Access the admin interface at http://your-server-ip:81 and log in with the default credentials. Then, configure your proxy hosts and SSL certificates as needed.
Q2. Can I use Cloudflare SSL certificates with Nginx Proxy Manager? Yes, you can use Cloudflare SSL certificates with Nginx Proxy Manager. After setting up your domain on Cloudflare, create an API token for DNS challenge validation. In Nginx Proxy Manager, add a new SSL certificate using the Let’s Encrypt DNS challenge method, selecting Cloudflare as the DNS provider and entering your API token.
Q3. How do I secure my homelab services with SSL? To secure your homelab services with SSL, use Nginx Proxy Manager to generate Let’s Encrypt certificates through the DNS challenge method. Enable “Force SSL” and “HTTP/2 Support” for each proxy host. This ensures all connections to your services are encrypted and utilize modern web standards.
Q4. What are the benefits of using wildcard SSL certificates in a homelab? Wildcard SSL certificates (e.g., *.yourdomain.com) offer flexibility by allowing you to secure multiple subdomains with a single certificate. This simplifies management and enables you to add new services without reconfiguring SSL for each one, streamlining the expansion of your self-hosted ecosystem.
Q5. How can I ensure my Nginx Proxy Manager setup is working correctly? To verify your Nginx Proxy Manager setup, test access from an external network (like mobile data). Check that HTTPS is working properly by looking for the padlock icon in your browser’s address bar. Confirm that your services are accessible and functioning correctly. If issues arise, review your router’s port forwarding (80/443) and Cloudflare DNS settings to ensure proper traffic routing.
