NGINX Proxy Manager / CloudFlare Help

Hi All,

I’ve recently change my configuration with proxies, I’m playing around with [ NGINX Proxy manager ] & [ CloudFlare ], have run into the issue where I cant use [ ZTP CF Tunnel ] for all of my services.

All help is very much apreciated !!

Working

Summary

I have had my HA Setup running through CloudFlare [ ZTP CF tunnel ]. Works great, setup my cloudflared instance… added the relevant config to my HA config.ymal & BOOM I have access to my HA login through my domain name as seen below.

HA Server Config

Working through Cloudflared

Need help With

As said I have decided to try integrate NPM into my setup & migrate over all bar a few of my services to this along with the CF DNS proxied connections. I have managed to get it to work with all other services and have managed to get it directing to my HA Server but I get the wonderful Error 400: Bad Request. Ill post my full setup below with redacted info in hope that someone can help.

I am aware that images show my internal IP structure, this is not an issue as its a test network and will be destroyed after posting.

Configurations

----- CloudFlare -----

A quick rundown of the config. this is the DNS page, As my ISP does not offer a static address or for that matter long static leases, so I’ve had to do some trickery to allow stable connections. I have setup my PFSense box to connect to the CF network using inbuilt ddns to update an A record with my external IP every 6 hours.

So I have setup a CNAME [test1] this points towards the A record on my domain ddns. this allows me to connect to my services through CloudFlare & then my reverse proxy.

I have created an origin certificate through CloudFlare to sign my domain and sub domains & set the encryption mode to Full Strict.

See Images Below.

Summary

DNS Record

Origin Status

Origin Cert

----- Firewall -----

My Firewall / Router is [ PFSense ]

I have created an alias with the following info ports [ 80 & 443 ] the ports required by NPN & Networks this contains a list of the [ CF Proxy networks ] that could be used to communicate with my Network services from the CloudFlare network, I have created a NAT Port Forwarding rule to use the alias, this intern has created the WAN rules sending requests to NPM running on the HA Server.

See Images Below.

Summary

Port Alias

CF Network Alias

NAT Port Forward

WAN Rule

----- Home Assistant -----

The reverse proxy is NGINX Proxy Manager. I have installed this through my HA Server with the configured ports ports [ 80 & 443 ]. I also added the CF Proxies to the HA config.yaml.

See Images Below.

Summary

NPM Installed & running

NPM Config

HA configuration.yaml

----- Reverse Proxy -----

After installing the NPM on Ha & doing a basic setup it was ready to use. As I am using CF Proxy I added CF Networks to the access list of NPM.

I added my CloudFlare origin cert & Key to the NPM cert section with [ CF Root certificate ].

See Images Below.

Summary

Finally I setup a new host [test1] pointing it to my internal address for the HA Server, adding the access list created and CF certificate to it.

Access List

Certificate

Host Setup


If it helps here is a log file of NPM from start and attempting to access.

-----------------------------------------------------------
 Add-on: Nginx Proxy Manager
 Manage Nginx proxy hosts with a simple, powerful interface
-----------------------------------------------------------
 Add-on version: 1.0.1
 You are running the latest version of this add-on.
 System: Home Assistant OS 12.4  (amd64 / generic-x86-64)
 Home Assistant Core: 2024.6.4
 Home Assistant Supervisor: 2024.06.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service init-npm: starting
s6-rc: info: service init-nginx: starting
s6-rc: info: service init-npm successfully started
s6-rc: info: service npm: starting
s6-rc: info: service npm successfully started
s6-rc: info: service init-nginx successfully started
s6-rc: info: service nginx: starting
s6-rc: info: service nginx successfully started
s6-rc: info: service legacy-services: starting
[17:46:42] INFO: Starting the Manager...
[17:46:42] INFO: Starting NGinx...
s6-rc: info: service legacy-services successfully started
[6/23/2024] [5:46:42 PM] [Global   ] › ℹ  info      Using Sqlite: /config/database.sqlite
[6/23/2024] [5:46:43 PM] [Migrate  ] › ℹ  info      Current database version: none
[6/23/2024] [5:46:43 PM] [Setup    ] › ℹ  info      Logrotate Timer initialized
[6/23/2024] [5:46:43 PM] [Setup    ] › ℹ  info      Logrotate completed.
[6/23/2024] [5:46:43 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[6/23/2024] [5:46:43 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[6/23/2024] [5:46:43 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v4
[6/23/2024] [5:46:44 PM] [IP Ranges] › ℹ  info      Fetching https://www.cloudflare.com/ips-v6
[6/23/2024] [5:46:44 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[6/23/2024] [5:46:44 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[6/23/2024] [5:46:44 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[6/23/2024] [5:46:44 PM] [Global   ] › ℹ  info      Backend PID 157 listening on port 3000 ...
[6/23/2024] [5:46:44 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/23/2024] [5:46:44 PM] [SSL      ] › ℹ  info      Renew Complete
[23/Jun/2024:17:48:54 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.33.166] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
[23/Jun/2024:17:49:44 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.74.74] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
[23/Jun/2024:17:49:45 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.74.74] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"
[23/Jun/2024:17:49:46 +0100] - 400 400 - GET https test1.REDACTED.co.uk "/" [Client 162.158.74.74] [Length 16] [Gzip -] [Sent-to 10.9.0.150] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "-"

Have you looked at using the Cloudflared addon in conjunction with Cloudflare? With it handling all of your sub-domains there’s very little you need to do. However this assumes the security on your end-points is robust. Alternatively you can set it up such that you define the end-points on Cloudflare (see here). Then you can include security at the Cloudflare point, for example requiring your gmail account for login. (Actually you can probably do this using the local tunnel add-on setup too, given the security is defined separately to the route)

This then requires no port forwarding as Cloudflared establishes the tunnel with Cloudflare.

I’ve gone down a slightly more complex route because I want the same URL internally (http) and externally (https). So I have (public) ha.my-domain.com go thru the tunnel to (private) ha.my-domain.com which is a local pihole DNS entry pointing to an instance of NPM, and that proxies for ip:8123. Ditto for other sub-domains.

@michaelblight - Many thanks for the reply, after a couple of hours playing round with this i decided it was not worth the security risk running the proxy on my home automation system itself.

I have deployed a system on my network stack that integrate tightly with my security & Cloudflare proxies & Cloudflares ZTP Tunnels .