Setup NPM + Cloudflare
Learn how to securely access your self-hosted services using Nginx Proxy Manager and Cloudflare, with a simple step-by-step guide for beginners.

What's Nginx Proxy Manager?
Nginx Proxy Manager (NPM) is a simple web-based tool that lets you manage reverse proxies for your websites or services. Under the hood, it uses Nginx, one of the most powerful and efficient web servers out there, but wraps it in a user-friendly interface so you don’t need to manually edit config files.
With Nginx Proxy Manager, you can:
Route traffic to different internal services (like your self-hosted blog, dashboard, or apps) using domain names.
Secure your sites with free HTTPS certificates from Let’s Encrypt — with automatic renewal.
Set up custom access controls, redirections, and security headers.
Easily manage multiple domains and subdomains without touching the command line.
In short: it takes the complexity out of reverse proxying. Perfect if you're running services on a homelab or self-hosted server.
What's Cloudflare?

Cloudflare is a service that sits between your visitors and your server, acting as a reverse proxy and a security/performance layer. Think of it like a protective and optimizing shield in front of your site.
Here’s what Cloudflare does:
DNS Management: It lets you control your domain’s DNS with a fast, global network.
DDoS Protection & Web Application Firewall (WAF): It blocks malicious traffic before it reaches your server.
Caching & Speed Boost: It can cache static content (like images, CSS, JS) closer to your visitors, speeding up page load times.
HTTPS with SSL: Even if your server doesn’t have HTTPS, Cloudflare can still provide a secure HTTPS connection to your visitors.
Page Rules & Redirects: You can easily set behavior like redirects, URL rewrites, or force HTTPS on certain paths.
Cloudflare is widely used — from small personal blogs to enterprise-grade websites — and it’s free to get started.
Structure

Installation
Now for the fun part! First of all, we're going to set up our domain and connect it to Cloudflare so that it works the proper way. Don't worry, it's not gonna be hard!
Requirements
A Server: This can be a Raspberry Pi, an old laptop, a dedicated server, or a Virtual Private Server (VPS) running a Linux distribution like Ubuntu or Debian.
Docker and Docker Compose: We’ll be using Docker to run Nginx Proxy Manager. It’s the cleanest and easiest way to get started. If you don’t have them installed, a quick search for “install Docker and Docker Compose” will get you sorted.
A Registered Domain Name: You’ll need a domain name (e.g., yourdomain.com) that you can manage the DNS records for. I highly recommend using a registrar that makes it easy to change your nameservers, as we’ll be pointing them to Cloudflare.
A Free Cloudflare Account: Head over to Cloudflare’s website and sign up for a free account.
Setting up your Domain with Cloudflare
First things first, let’s get your domain ready.
Add Your Domain to Cloudflare: Log in to your Cloudflare account and click on “Add a site.” Enter your domain name and follow the on-screen instructions. Cloudflare will scan for your existing DNS records.
Change Your Nameservers: This is a very important step, but don’t worry, Cloudflare will help you through the process. Cloudflare will provide you with two new nameservers. You’ll need to log in to your domain registrar’s dashboard (where you bought the domain) and replace your current nameservers with the ones provided by Cloudflare.
Point Your Domain to Your Server: Once your nameservers have updated, you need to create a DNS “A” record in Cloudflare to point your domain (or a subdomain) to your server’s public IP address. In your Cloudflare dashboard, go to the “DNS” section for your domain and click "Add Record", then fill it in as follows:
Type: A
Name: @ (or, if you want, a subdomain, e.g. blog)
IPv4 address: Enter your server’s public IP address. (Be careful. It must be the public IP of your server, not private addresses! It should NOT look like 192.168.1.0, or 172.0.3.0, or even 10.20.30.40)
Proxy status: For now, you can leave this as “DNS only” (the grey cloud). We’ll come back to this later.
Installing NPM with Docker Compose
Now, let’s get Nginx Proxy Manager up and running on your server. SSH into your server and follow these steps.
Create a Directory: Let’s keep things organized. Create a directory for your Nginx Proxy Manager configuration. I recommend creating it in your home directory.
cd        # <- Moves to your home directory
mkdir npm
cd npm    # <- Moves into the new directory
Create a Docker Compose File: Create a new file named docker-compose.yml using your favorite text editor (like nano or vim)
nano docker-compose.yml
Add Docker Compose configuration: Copy the following configuration into your newly created docker-compose.yml
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
services: Defines the containers (called “services”) that Docker Compose will manage. You can have multiple services like a database, frontend, backend, etc.
app: The name of the service. This is just a label and can be anything you want. Here, it runs the Nginx Proxy Manager.
image: 'jc21/nginx-proxy-manager:latest': Tells Docker which image to use. This image contains the Nginx Proxy Manager application.
  jc21/nginx-proxy-manager: the name of the Docker image.
  :latest: use the latest version available (can be replaced with a specific version for stability).
restart: unless-stopped: Makes Docker automatically restart the container if it crashes, unless you manually stop it.
ports: Maps ports between your host (the machine running Docker) and the container.
  '80:80': maps port 80 on your host to port 80 in the container (HTTP).
  '81:81': maps port 81 on your host to port 81 in the container (NPM web admin interface).
  '443:443': maps port 443 on your host to port 443 in the container (HTTPS).
volumes: Creates a persistent connection between folders on your host and inside the container. This makes data survive even if the container is deleted.
  ./data:/data: stores app data (like users, configs) on your local system in the ./data folder.
  ./letsencrypt:/etc/letsencrypt: stores SSL certificates (auto-generated by NPM using Let's Encrypt) in the local ./letsencrypt folder.
Start the Container: Save the file and start the services in the background:
docker compose up -d
Accessing and Configuring NPM
With Nginx Proxy Manager running, it’s time to log in and do the initial setup.
Access the Web UI: Open your web browser and navigate to http://<your_server_ip>:81.
Login: Now it's time to log in! Use the following credentials:
Email: admin@example.com
Password: changeme
The first thing you’ll be prompted to do is change your default username, email, and password. Do this immediately to secure your setup.
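The compose file above publishes port 81, the admin UI that ships with known default credentials, on every interface of the server. The following check is an added example, not part of the original guide or of Nginx Proxy Manager: it audits the guide's file next to a constructed hardened variant that binds port 81 to loopback and pins the image (`<PINNED_VERSION>` is a placeholder).

```python
import re

# The docker-compose.yml from this guide, embedded so the check runs offline.
GUIDE_COMPOSE = """\
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
"""

# Constructed hardened variant: admin UI bound to loopback, image tag pinned.
# <PINNED_VERSION> is a placeholder, not a real tag.
HARDENED_COMPOSE = (GUIDE_COMPOSE
                    .replace("'81:81'", "'127.0.0.1:81:81'")
                    .replace(":latest", ":<PINNED_VERSION>"))

INTERNET_FACING = {80, 443}  # the only ports visitors (or Cloudflare) need
PORT_RE = re.compile(r"^\s*-\s*['\"]?(?:(?P<ip>[\d.]+):)?(?P<host>\d+):\d+['\"]?\s*$")
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?(?P<image>[^'\"\s]+)")


def audit_compose(text):
    """Return findings for a docker-compose.yml passed in as text."""
    findings = []
    for line in text.splitlines():
        image = IMAGE_RE.match(line)
        if image:
            name, _, tag = image.group("image").rpartition(":")
            if not name or tag == "latest":  # no tag at all also means latest
                findings.append("image: floating tag, pin a specific version")
        port = PORT_RE.match(line)
        if port:
            bind_ip, host_port = port.group("ip"), int(port.group("host"))
            if bind_ip in (None, "0.0.0.0") and host_port not in INTERNET_FACING:
                findings.append(f"port {host_port}: published on every interface")
    return findings


if __name__ == "__main__":
    for label, text in (("guide", GUIDE_COMPOSE), ("hardened", HARDENED_COMPOSE)):
        print(label, audit_compose(text))
```

With the admin port bound to 127.0.0.1, the UI is reached through an SSH tunnel such as `ssh -L 8081:127.0.0.1:81 <user>@<your_server_ip>` and then http://localhost:8081 in the browser.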
Integrating Cloudflare for SSL Certificates
Now for the magic. We’ll get a Cloudflare API token so Nginx Proxy Manager can automatically create the necessary DNS records to issue SSL certificates via Let’s Encrypt.
Get Your Cloudflare API Token:
In your Cloudflare dashboard, go to “My Profile” > “API Tokens.”
Click “Create Token.”
Find the “Edit zone DNS” template and click “Use template.”
Under “Permissions,” ensure “Zone” > “DNS” is set to “Edit.”
Under “Zone Resources,” select “Include” > “Specific zone” and choose your domain.
Click “Continue to summary” and then “Create Token.”
Important: Copy the generated API token and save it somewhere safe. You won’t be able to see it again.
Creating Your First Proxy Host with SSL
Let’s put it all together and proxy a service with a secure SSL certificate.
Add Proxy Host: In the Nginx Proxy Manager dashboard, go to “Hosts” > “Proxy Hosts” and click “Add Proxy Host.”
Configure the Details: Now that we're in the right interface, let's fill out the details.
Domain Names: Enter the full subdomain you want to use (e.g., portainer.yourdomain.com).
Scheme: http
Forward Hostname / IP: Enter the local IP address or hostname (if you’re using Docker, you can use the name of the docker container) of the service you want to proxy.
Forward Port: Enter the port the service is running on.
Request an SSL Certificate: Now the cool part! Let's request an SSL certificate to encrypt the traffic that will be generated for our services.
Click on the “SSL” tab.
In the “SSL Certificate” dropdown, select “Request a new SSL Certificate.”
Enable “Use a DNS Challenge.”
DNS Provider: Select “Cloudflare.”
In the “Credentials File Content” box, paste the following, replacing <YOUR_CLOUDFLARE_API_TOKEN> with the token you generated earlier:
dns_cloudflare_api_token = <YOUR_CLOUDFLARE_API_TOKEN>
Agree to the Let’s Encrypt Terms of Service.
Click “Save.”
Nginx Proxy Manager will now communicate with Cloudflare to create a temporary DNS record, prove you own the domain, and issue a free SSL certificate from Let’s Encrypt.
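What that temporary DNS record contains, following the dns-01 challenge of the ACME protocol (RFC 8555) that Let’s Encrypt uses: a TXT record under `_acme-challenge.` whose value is derived from a server-issued token and the ACME account key. This is an added example, not code from the guide or from Nginx Proxy Manager, and the token and key values in it are constructed; it also shows why the API token is scoped to a single zone, since whoever holds it can publish this record for any name in that zone.

```python
import base64
import hashlib
import json

# Constructed sample values: the coordinates are filler strings, not a usable
# key, and the token is made up. A real ACME server issues one per challenge.
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "constructed-x-coordinate",
                      "y": "constructed-y-coordinate"}
SAMPLE_TOKEN = "constructed-challenge-token"


def b64url(data):
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain, token, account_jwk):
    """Return (record name, TXT value) an ACME client publishes for `domain`."""
    # A wildcard is validated at its base name: *.example.com -> example.com
    base = domain[2:] if domain.startswith("*.") else domain
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{base}", b64url(digest)


if __name__ == "__main__":
    for name in ("portainer.yourdomain.com", "*.yourdomain.com"):
        print(dns01_record(name, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```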
Securing Your Setup with Cloudflare’s Proxy
Remember how we set the DNS record to “DNS only”? Now it’s time to enable Cloudflare’s proxy to hide your public IP address.
Enable the Proxy: Go back to the “DNS” section in your Cloudflare dashboard.
Edit the A Record: Find the A record you created earlier and click “Edit.”
Toggle the Proxy Status: Click on the grey cloud to turn it orange. This means traffic will be proxied through Cloudflare.
Set SSL/TLS Encryption Mode: In the “SSL/TLS” section of your Cloudflare dashboard, set the encryption mode to “Full (Strict).” This ensures that your connection is encrypted from the visitor to Cloudflare, and from Cloudflare to your server.
If your public IP address gets exposed and someone tries to attack your server directly through that IP address, Cloudflare will not sit between the attacker and your server, and therefore Cloudflare will not defend you against attacks. It doesn’t mean that it’s impossible to defend your server but… yeah, be careful, and don’t expose your public IP address.
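The orange cloud hides the address only on the records where it is enabled, so a single DNS-only record, or a CNAME or MX that points at one, still reveals the server. The following check is an added example, not part of the original guide: it walks a constructed record list that uses the field names of Cloudflare's DNS record objects, with 203.0.113.10 and the extra hostnames as assumptions.

```python
# Constructed zone listing, shaped like the DNS record objects Cloudflare's API
# returns (type / name / content / proxied). 203.0.113.10 stands in for the
# server's public IP; the mail, old and MX records are invented for illustration.
ORIGIN_IP = "203.0.113.10"
RECORDS = [
    {"type": "A", "name": "yourdomain.com", "content": ORIGIN_IP, "proxied": True},
    {"type": "A", "name": "portainer.yourdomain.com", "content": ORIGIN_IP, "proxied": True},
    {"type": "A", "name": "mail.yourdomain.com", "content": ORIGIN_IP, "proxied": False},
    {"type": "CNAME", "name": "old.yourdomain.com", "content": "mail.yourdomain.com", "proxied": False},
    {"type": "CNAME", "name": "www.yourdomain.com", "content": "yourdomain.com", "proxied": True},
    {"type": "MX", "name": "yourdomain.com", "content": "mail.yourdomain.com", "proxied": False},
]

ADDRESS_TYPES = ("A", "AAAA")
POINTER_TYPES = ("CNAME", "MX")  # content is a hostname that gets resolved in turn


def leaking_records(records, origin_ip):
    """Return sorted (name, type) pairs whose public DNS answer reveals origin_ip."""
    # Direct leaks: grey-cloud address records that hold the origin address.
    leaks = {(r["name"], r["type"]) for r in records
             if r["type"] in ADDRESS_TYPES and not r["proxied"]
             and r["content"] == origin_ip}
    # Indirect leaks: grey-cloud pointers to a name that already leaks.
    changed = True
    while changed:
        changed = False
        # An MX at a name does not change what an address lookup of it returns.
        leaking_names = {name for name, rtype in leaks if rtype != "MX"}
        for r in records:
            key = (r["name"], r["type"])
            if (r["type"] in POINTER_TYPES and not r["proxied"]
                    and key not in leaks and r["content"] in leaking_names):
                leaks.add(key)
                changed = True
    return sorted(leaks)


if __name__ == "__main__":
    for name, rtype in leaking_records(RECORDS, ORIGIN_IP):
        print(f"{rtype:5} {name} reveals {ORIGIN_IP}")
```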
Conclusion
Congratulations! You now have a robust and secure setup for accessing your self-hosted applications. You’ve learned how to:
Configure a domain with Cloudflare.
Install Nginx Proxy Manager using Docker Compose.
Create a proxy host to forward traffic to your services.
Automatically generate and renew free SSL certificates with Let’s Encrypt and Cloudflare.
Secure your setup by hiding your public IP address with Cloudflare’s proxy.
This is a foundational setup for any homelab or self-hosting enthusiast. From here, you can add more services, create custom access lists, and explore the many other features of Nginx Proxy Manager.
Happy homelabbing!