Moving from open Ports and Nginx Proxy Manager to Cloudflared #719
Hey guys, I am making heavy use of Nginx Proxy Manager and don't want to miss it. Listening on 80+443 for multiple domains/subdomains and redirecting to my internal network services. Also taking care of certs with LetsEncrypt. Currently I am trying to close my local ports and put everything through the cloudflared tunnel. Within the configuration I just enabled nginx_proxy_manager, tunnel is up. Now I think that I need to put the CNAME of my domains to the tunnel URL. Also the cloudflared documentation says "directly to the tunnel URL". But where can I find this tunnel URL?
And another question to add: what about the certs? Should nginx proxy manager still take care of them or is this done by the tunnel and I can remove all the cert stuff from nginx?
Best,
Replies: 1 comment 1 reply
Hi Dirk, Regarding https, this kind of depends on your personal preference. All the traffic is encrypted from the client via the Cloudflare Reverse Proxy to the tunnel. Since you are running NGINX as a HA add-on, the communication from the Cloudflared Docker container goes directly via the docker network to NGINX, so it does not leave the device. If you want this step to also be encrypted, you have to use https for that as well, which can all be configured. Kindly let me know if this helps or if you have any additional questions. Best
Hi Dirk,
regarding the CNAME, you described the correct URL. In the "normal" set-up, the add-on creates the CNAME for HA and all other additional_hosts for you, so we kind of neglected that, but might have to revisit it.
If you are heavily using NGINX, you can also work with wildcards in the CNAME and decide what to do with the requests in NGINX (e.g. CNAME *.example.com to the tunnel).
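As an added illustration of the two points in the reply above (a wildcard CNAME whose requests are sorted out in NGINX, and optional HTTPS on the last hop), here is a sketch of a standalone cloudflared `config.yml`. It is not part of the original discussion and is not the add-on's own option format; the tunnel ID, file path and the internal name `nginx-proxy.internal` are placeholders.

```yaml
# Added example: locally managed cloudflared tunnel (config.yml).
# All values below are placeholders, not taken from the thread.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Variant A: last hop encrypted. cloudflared connects to the proxy over
  # HTTPS and checks the certificate against originServerName, so the
  # Let's Encrypt certificate on the proxy is still needed for this host.
  - hostname: app.example.com
    service: https://nginx-proxy.internal:443
    originRequest:
      originServerName: app.example.com
      noTLSVerify: false   # true would accept any certificate on this hop

  # Variant B: last hop in plain HTTP. Traffic is encrypted from the client
  # to Cloudflare and through the tunnel, but not between cloudflared and
  # the proxy. Every other subdomain lands here and is routed by NGINX
  # according to the Host header.
  - hostname: "*.example.com"
    service: http://nginx-proxy.internal:80

  # cloudflared requires a final catch-all rule without a hostname.
  - service: http_status:404

# DNS side (set in the Cloudflare dashboard, proxied):
#   CNAME  *.example.com  ->  <TUNNEL-UUID>.cfargotunnel.com
```

Rules are matched top to bottom, so the specific host has to come before the wildcard.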