Solved: How to eliminate SSL certificates and abandon port forwarding with Cloudflare Tunnels

I had heard about Cloudflare Tunnels, and thought it would be a good way to stop forwarding ports 443/80 in my router.

I spent two solid days studying whether I should switch from Nginx Proxy Manager to Caddy, SWAG, Traefik, etc. There are endless videos and tutorials for all of them. I nearly gave up because I had a hard time integrating them with Cloudflare.

Eventually, I realized the answer is none of the above. Only use Cloudflare Tunnels.

The big picture is, you set up a free Cloudflare account and set your domain's DNS servers to Cloudflare. In Cloudflare, create tunnels, and create a Public Hostname for every service you want to access (e.g. Plex, Overseerr, etc.). Cloudflare essentially does the job that Nginx Proxy Manager was previously doing. It can also create auth applications to protect your access.

Then, you can stop forwarding ports, and never worry about SSL certificates again. You're covered by the Cloudflare certificate from the user to Cloudflare, then Cloudflare encrypts everything into your cloudflared app(s). Cloudflare nags you about adding an A record, but you don't actually need it, so your domain does not need to be linked to your home IP.

The only server that gave me any trouble was WordPress. I had to add this line to the top of my wp-config.php file: $_SERVER['HTTPS'] = 'on';

Cloudflare allows multiple tunnels to different instances of cloudflared. For Home Assistant I'm using this wonderful add-on (in remote mode):

For all my other self-hosted apps, I have a different tunnel on my Unraid server, which can proxy anything else on my network.

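The post describes the tunnel setup in the Cloudflare dashboard; the same Public Hostname list can be kept in a `config.yml` on the machine running cloudflared (the "locally managed" style). The script below is an added example, not code from the original post or from Cloudflare: it builds that file from a list of hostname-to-service rules and rejects the mistakes that make cloudflared refuse to start, chiefly a missing catch-all rule at the end of `ingress`. The tunnel UUID, hostnames and LAN addresses are made up, and the rule list in `example_rules()` is a constructed sample.

```python
"""Build and sanity-check a cloudflared config.yml for a set of Public Hostnames.

Added example, not from the original post. Tunnel UUID, hostnames and
LAN addresses are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# RFC 1123-style hostname: lowercase labels, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Origin service forms cloudflared accepts in an ingress rule.
SERVICE_RE = re.compile(
    r"^(?:https?://\S+|tcp://\S+|ssh://\S+|rdp://\S+|unix:\S+"
    r"|http_status:[1-5]\d\d|hello_world)$"
)
CATCH_ALL = "http_status:404"  # conventional final rule: unknown hostnames get a 404


@dataclass(frozen=True)
class Ingress:
    """One ingress rule: a public hostname routed to a service on the LAN.

    hostname=None marks the mandatory catch-all rule, which must come last.
    no_tls_verify maps to originRequest.noTLSVerify, for https:// origins
    that present a self-signed certificate (it has no effect on http://).
    """
    hostname: Optional[str]
    service: str
    no_tls_verify: bool = False


def validate_rules(rules: list[Ingress]) -> list[str]:
    """Return the problems found; an empty list means cloudflared will accept the ingress."""
    problems: list[str] = []
    if not rules:
        return ["ingress is empty"]
    seen: set[str] = set()
    for i, rule in enumerate(rules):
        last = i == len(rules) - 1
        if not SERVICE_RE.match(rule.service):
            problems.append(f"rule {i}: unsupported service '{rule.service}'")
        if last:
            if rule.hostname is not None:
                problems.append("last rule must be a catch-all with no hostname")
        elif rule.hostname is None:
            problems.append(f"rule {i}: only the last rule may omit hostname")
        elif not HOSTNAME_RE.match(rule.hostname):
            problems.append(f"rule {i}: invalid hostname '{rule.hostname}'")
        elif rule.hostname in seen:
            problems.append(f"rule {i}: duplicate hostname '{rule.hostname}'")
        else:
            seen.add(rule.hostname)
        if rule.no_tls_verify and not rule.service.startswith("https://"):
            problems.append(f"rule {i}: noTLSVerify has no effect on a non-https origin")
    return problems


def render_config(tunnel_id: str, credentials_file: str, rules: list[Ingress]) -> str:
    """Render config.yml; raise ValueError rather than emit a file cloudflared would reject."""
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"tunnel: {tunnel_id}", f"credentials-file: {credentials_file}", "ingress:"]
    for rule in rules:
        if rule.hostname is not None:
            lines.append(f"  - hostname: {rule.hostname}")
            lines.append(f"    service: {rule.service}")
        else:
            lines.append(f"  - service: {rule.service}")  # catch-all
        if rule.no_tls_verify:
            lines.append("    originRequest:")
            lines.append("      noTLSVerify: true")
    return "\n".join(lines) + "\n"


def example_rules() -> list[Ingress]:
    """Constructed sample modelled on the post's services (assumed LAN addresses)."""
    return [
        Ingress("plex.example.com", "http://192.168.1.10:32400"),
        Ingress("overseerr.example.com", "http://192.168.1.10:5055"),
        Ingress("blog.example.com", "http://192.168.1.11:8080"),
        Ingress("ha.example.com", "https://192.168.1.20:8123", no_tls_verify=True),
        Ingress(None, CATCH_ALL),
    ]


if __name__ == "__main__":
    tunnel = "a1b2c3d4-0000-4000-8000-000000000000"  # assumed UUID
    print(render_config(tunnel, f"/etc/cloudflared/{tunnel}.json", example_rules()))
```

Two points worth keeping in mind when you adopt this layout. First, the encryption the post mentions covers the browser-to-Cloudflare and Cloudflare-to-cloudflared hops; the final hop from cloudflared to each origin is whatever the `service` field says, so an `http://` origin is plaintext on your LAN and should only be reachable from the host running cloudflared. Second, a hostname only resolves once a CNAME to the tunnel exists (`cloudflared tunnel route dns <tunnel> <hostname>` creates it), which is why no A record pointing at your home IP is needed; put a Cloudflare Access policy in front of any hostname you do not want open to the whole internet.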