Thought I should post my guide on how to do this, as I've struggled with this for quite some time now. I wanted something to bypass the NAT/router as I did not have the option of port-forwarding. I will also be moving quite some in the upcoming year, so dynamic IP was almost a given. And obviously I wanted it to be cheap. This does it all.
This is free, no port-forwarding required and no static IP required. Wildcard domain and SSL certificate supported. It works with Cloudflare tunnels, Cloudflare DNS, Nginx Proxy Manager and obviously TrueNAS SCALE.
I am not a professional; if you see a flaw in this design, please let me know!
Prerequisites:

- Domain name at Cloudflare
- TrueNAS SCALE with TrueCharts configured

1. Install Cloudflare tunnel:
   1. Install `cloudflared` from TrueCharts.
   2. Go to Cloudflare team dash -> Access -> Tunnels -> Create a tunnel. Name isn't important.
   3. Copy the token from the "Install and run a connector" section. Just the token; save it somewhere safe.
   4. In the `cloudflared` install menu, enter the token under `Tunnel Token`. Finish the installation.

2. Install Nginx Proxy Manager and link the tunnel to it:
   1. Install `nginx-proxy-manager` from the official community repo (haven't tested the TrueCharts one). Leave everything default.
   2. Kubernetes uses internal hostnames (kinda, not exactly); these can be calculated using this calculator and guide (calculator at the bottom). If you left the default name, the address is `nginx-proxy-manager.ix-nginx-proxy-manager.svc.cluster.local`.
   3. In your Cloudflare tunnel configuration, go to Public Hostname -> Add a public hostname -> empty subdomain, domain = your domain name, empty path, service type = HTTP, URL = the address calculated in the previous step with `:30001` appended to it (that is the HTTP port of Nginx Proxy Manager).
   4. Replicate the previous step, but for subdomain enter `*`. The rest is exactly the same.
   5. Make sure that the public hostname without the `*` is on top (three dots -> move up).
   6. While in the tunnel configuration, go to Private Network -> Add a private network -> `172.16.0.0/16`. This allows the tunnel to access the Kubernetes network (see the link mentioned in step 2.2 for more information).
   7. Wildcard tunnels require special DNS configuration. Go to your Cloudflare DNS Records -> Add record -> Type = CNAME, Name = `*`, Target = `<your-tunnel-id-here>.cfargotunnel.com`, proxied = true. Your tunnel ID can be retrieved from the tunnels overview on the Cloudflare One dashboard.
   8. Make sure a CNAME record for your domain name is present as well. If not, add it: Type = CNAME, Name = `<your-domain-name>`, Target = same as previous step, proxied = true.

3. Configure wildcard SSL certificate:
   1. Go to your Nginx Proxy Manager dashboard (TrueNAS dashboard -> Apps -> nginx-proxy-manager -> Web Portal). Default login is `admin@example.com` with `changeme` (see these docs). Obviously you really need to change that, and it will make you.
   2. Get a Cloudflare DNS API token for the next step. Go to your profile -> API Tokens -> Create Token. Use the 'Edit zone DNS' template. Under Zone Resources, set it to Include -> Specific zone -> your-domain-name. Leave the rest default and continue to create. Save this token somewhere safe.
   3. Go to SSL Certificates -> Add SSL Certificate -> Let's Encrypt -> domain name = `*.yourdomain.com`. Enable `Use a DNS Challenge`, set DNS Provider to Cloudflare and leave propagation seconds default. Set the token to the token created in the previous step. Agree to the Let's Encrypt Terms of Service and press Save. This might take a few minutes.

4. You are now ready to add hosts! Keep the following things in mind:
   1. Domain Names must be full length, so including your domain name (e.g. `hello.your-domain.name`).
   2. Scheme must be HTTP.
   3. Forward Hostname must be generated using the calculator mentioned in step 2.2.
   4. To enable the SSL wildcard certificate, go to the SSL tab and under SSL Certificate select the existing one which starts with `*`.
Nginx Proxy Manager should automatically renew your certificate, so you should never have to worry about this. Theoretically you can pick up your server, move across the globe, connect it to the internet, and it should be accessible again within minutes. All thanks to the Cloudflare tunnel!
Please let me know if you have any feedback! Hope this helps some people out here!
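The two parts of the guide that people most often get wrong are the in-cluster address handed to the tunnel (step 2.2) and the ordering of the public hostname rules (steps 2.3 to 2.5). The script below is an added example, not code from the original post, Cloudflare or TrueNAS. It assumes that TrueNAS SCALE places an app in a namespace named `ix-<release>` and that the chart's service carries the release name (true for the default `nginx-proxy-manager` install above; other charts can differ), and it models cloudflared's public hostname evaluation as top-to-bottom first match, with a `*.domain` rule treated as matching every hostname that ends in `domain`. That last point is why the guide insists the bare domain rule sits above the wildcard: if the wildcard came first it would swallow the apex request.

```python
"""Model of the tunnel ingress set-up from the guide above (added example).

Assumptions, labelled here because the post does not state them:
  * TrueNAS SCALE namespace convention ix-<release>, service named after the
    release.
  * cloudflared public hostname rules are evaluated top to bottom, first match
    wins, and "*.example.com" is matched as a suffix of the request hostname.
"""
from dataclasses import dataclass

NPM_HTTP_PORT = 30001  # HTTP port of the nginx-proxy-manager chart (from the guide)


def cluster_service_url(release: str, port: int = NPM_HTTP_PORT, service: str = "") -> str:
    """Build the in-cluster URL the tunnel forwards to (the 'calculator' step)."""
    service = service or release  # assumption: service name == release name
    return f"http://{service}.ix-{release}.svc.cluster.local:{port}"


@dataclass(frozen=True)
class IngressRule:
    hostname: str  # "" or "*" acts as a catch-all
    service: str   # URL the tunnel forwards matching requests to


def rule_matches(rule_host: str, req_host: str) -> bool:
    """Hostname comparison for one rule; wildcard rules match by suffix."""
    if rule_host in ("", "*") or rule_host == req_host:
        return True
    if rule_host.startswith("*."):
        return req_host.endswith(rule_host[2:])
    return False


def route(rules: list[IngressRule], req_host: str) -> str:
    """Return the service of the first rule that matches, as cloudflared would."""
    for rule in rules:
        if rule_matches(rule.hostname, req_host):
            return rule.service
    raise LookupError(f"no public hostname rule matches {req_host}")


def check_rule_order(rules: list[IngressRule], domain: str) -> list[str]:
    """Flag the mistakes the guide warns about in steps 2.3 to 2.5."""
    problems: list[str] = []
    hosts = [r.hostname for r in rules]
    apex, wildcard = domain, f"*.{domain}"
    if apex not in hosts:
        problems.append(f"missing rule for bare domain {apex}")
    if wildcard not in hosts:
        problems.append(f"missing wildcard rule {wildcard}")
    if apex in hosts and wildcard in hosts and hosts.index(apex) > hosts.index(wildcard):
        problems.append(f"{apex} is below {wildcard}; move it up so it is matched first")
    for r in rules:
        if r.hostname in (apex, wildcard) and not r.service.endswith(f":{NPM_HTTP_PORT}"):
            problems.append(f"rule {r.hostname} does not forward to NPM port {NPM_HTTP_PORT}")
    return problems


def guide_rules(domain: str, release: str = "nginx-proxy-manager") -> list[IngressRule]:
    """The two public hostnames the guide creates, in the order it prescribes."""
    npm = cluster_service_url(release)
    return [IngressRule(domain, npm), IngressRule(f"*.{domain}", npm)]


if __name__ == "__main__":
    # Constructed sample domain; replace with your own zone.
    rules = guide_rules("example.com")
    print(cluster_service_url("nginx-proxy-manager"))
    print(route(rules, "hello.example.com"))
    print(check_rule_order(list(reversed(rules)), "example.com"))
```

Running it prints the address the guide gives for the default install, shows that a subdomain request lands on NPM, and reports the "move it up" problem when the wildcard rule is placed above the bare domain.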
Hi there, I'm also trying to wrap my head around this. Could someone kindly explain what the wildcard SSL certificate is used for and why I need to create it that specific way? AFAIK the situation is the following (assuming I am in the same network as my home server):
Every access to my domains first goes out to Cloudflare, which has all the https/ssl stuff set up.
Cloudflare securely tunnels it back to my local network via cloudflared.
As per the tunnel configuration, all requests are forwarded by cloudflared via plain http to my local NPM instance, which in return resolves the sub domains to the individual services.
Nowhere in this chain is an ssl certificate from NPM needed/used. And in fact, if configuring my NPM entries to be http-only, it does work without an issue.
Now to my 'special case', where I actually need https support from NPM directly: since my internet connection isn't really great, I set up my local DNS server (adguardhome) to rewrite all DNS requests for "*.mydomain.com" directly to my NPM instance's local IP, bypassing Cloudflare completely (esp. useful for downloading stuff from Nextcloud).
In this case, I do need an SSL certificate for my subdomain to access it via https from my local network. But even here, it works fine by using the default "Request new Certificate with LetsEncrypt" option.
If I reconfigure the tunnel to also use https instead of http to access NPM, I get a 502 error for my services, which I really cannot explain.
If someone can shed some light here, I'd be really happy about it :)