Guide: Cloudflare Tunnel with Nginx Proxy Manager

Thought I should post my guide on how to do this, as I've struggled with this for quite some time now. I wanted something to bypass the NAT/router, as I did not have the option of port-forwarding. I will also be moving quite a bit in the upcoming year, so a dynamic IP was almost a given. And obviously I wanted it to be cheap. This does it all.

This is free, requires no port-forwarding and no static IP. Wildcard domains and SSL certificates are supported. It works with Cloudflare Tunnels, Cloudflare DNS, Nginx Proxy Manager and, obviously, TrueNAS SCALE.

I am not a professional; if you see a flaw in this design, please let me know!

Requirements:

  • Domain name at Cloudflare

  • TrueNAS Scale with TrueCharts configured

Steps:

  1. Install Cloudflare tunnel:

    1. Install cloudflared from TrueCharts.

    2. Go to the Cloudflare Teams dashboard -> Access -> Tunnels -> Create a tunnel. The name isn't important.

    3. Copy the token from the "Install and run a connector" section. Just the token; save it somewhere safe.

    4. In the cloudflared install menu, enter the token under Tunnel Token. Finish the installation.

  2. Install Nginx Proxy Manager and link the tunnel to it:

    1. Install nginx-proxy-manager from the official community repo (haven't tested the TrueCharts one). Leave everything default.

    2. Kubernetes reaches apps through internal service hostnames (roughly speaking); these can be worked out using this calculator and guide (calculator at the bottom). If you left the default name, the address is nginx-proxy-manager.ix-nginx-proxy-manager.svc.cluster.local.

    3. In your Cloudflare tunnel configuration, go to Public Hostname -> Add a public hostname -> empty subdomain, domain = your domain name, empty path, service type = HTTP, URL = the address calculated in the previous step with :30001 appended to it (that is the HTTP port of Nginx Proxy Manager).

    4. Replicate the previous step, but for subdomain enter *. The rest is exactly the same.

    5. Make sure that the public hostname without the * is on top (three dots -> move up).

    6. While in the tunnel configuration, go to Private Network -> Add a private network -> 172.16.0.0/16. This allows the tunnel to access the Kubernetes network (see the link mentioned in step 2.2 for more information).

    7. Wildcard tunnels require special DNS configuration. Go to your Cloudflare DNS Records -> Add record -> Type = CNAME, Name = *, Target = <your-tunnel-id-here>.cfargotunnel.com, proxied = true. Your tunnel ID can be retrieved from the tunnels overview on the Cloudflare One dashboard.

    8. Make sure a CNAME record for your domain name is present as well. If not, add it: Type = CNAME, Name = <your-domain-name>, target = same as previous step, proxied = true.

  3. Configure wildcard SSL certificate

    1. Go to your Nginx Proxy Manager dashboard (TrueNAS dashboard -> Apps -> nginx-proxy-manager -> Web Portal). The default login is admin@example.com with password changeme (see these docs). Obviously you really need to change that, and it will make you do so on first login.

    2. Get a Cloudflare DNS API token for the next step. Go to your profile -> API Tokens -> Create Token. Use the 'Edit zone DNS' template. Under Zone Resources, set it to Include -> Specific zone -> your-domain-name. Leave the rest default and continue to create. Save this token somewhere safe.

    3. Go to SSL Certificates -> Add SSL Certificate -> Let's Encrypt -> domain name = *.yourdomain.com. Enable Use a DNS Challenge, set DNS Provider to Cloudflare and leave propagation seconds at the default. Set the token to the token created in the previous step. Agree to the Let's Encrypt Terms of Service and press Save. This might take a few minutes.

  4. You are now ready to add hosts! Keep the following things in mind:

    1. Domain Names must be fully qualified, i.e. include your domain name (e.g. hello.your-domain.name).

    2. Scheme must be HTTP.

    3. Forward Hostname must be generated using the calculator mentioned in step 2.2.

    4. To enable the SSL wildcard certificate, go to the SSL tab and under SSL Certificate select the existing one which starts with *.
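For readers running cloudflared outside TrueNAS with a locally-managed tunnel, this is the config.yml equivalent of steps 2.3 to 2.6. It is an added example, not part of the original guide; the guide's token-based (remotely-managed) tunnel takes the same rules from the dashboard and ignores a local ingress config. example.com, the tunnel ID and the credentials path are placeholders.

```yaml
# Added example: locally-managed cloudflared config equivalent of steps 2.3-2.6.
# Placeholders: example.com, the tunnel ID and the credentials-file path.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # Step 2.3: apex hostname -> Nginx Proxy Manager's HTTP port (30001).
  - hostname: example.com
    service: http://nginx-proxy-manager.ix-nginx-proxy-manager.svc.cluster.local:30001
  # Step 2.4: wildcard hostname, same origin service.
  - hostname: "*.example.com"
    service: http://nginx-proxy-manager.ix-nginx-proxy-manager.svc.cluster.local:30001
  # Step 2.5: rules are matched top to bottom, first match wins, so keep the
  # specific hostnames above the wildcard. The final catch-all is mandatory;
  # any hostname not listed above gets a 404 instead of reaching NPM.
  - service: http_status:404

# Step 2.6: allow private-network (WARP) routing through this tunnel.
warp-routing:
  enabled: true
```

The 172.16.0.0/16 route itself is added with `cloudflared tunnel route ip add 172.16.0.0/16 <tunnel-name>`, and `cloudflared tunnel ingress validate` checks the file before you run the tunnel.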

Nginx Proxy Manager should automatically renew your certificate, so you should never have to worry about this. Theoretically you can pick up your server, move across the globe, connect it to the internet, and it should be accessible again within minutes. All thanks to the Cloudflare tunnel!

Please let me know if you have any feedback! Hope this helps some people out here!

Source article author: joppiedoppie

@kmanwar89

This guide is excellent! As someone who just set up CF tunnels and is migrating my setup behind NPM w/ tunnels, this is an awesome reference.

There are several points that you could probably make a bit more generic, i.e. for folks who don't have a TrueNAS, or are just hosting it on their own mini server, they can simply copy the code to bring up the cloudflared docker container. My preference is to take those docker run strings and put them through a tool like composerize to create a docker compose file instead, and run that using the -d flag (for daemon).

If you're using Cloudflare, you can also generate an origin certificate for 10 or 15 years, and don't have to worry about Let's Encrypt (there are some issues in NPM as it relates to Let's Encrypt auto renewals that I'd rather not mess with).

I may take inspiration from your guide to write my own revised version :)
