I’m just gonna copy paste it here, it should give you a good idea on what to do:
Well, it’s quite straightforward once you set up the Cloudflare component, which I guess you already did.
As for LetsEncrypt replacement, I am using NGINX Proxy Manager.
You install it, do port forwarding for 80 and 443 from your router to this add-on’s ports as per the instructions and start creating your “Proxy Hosts” entries, i.e. for homeassistant:
Proxy Host: homeassistant.yourdomain.com
Destination: To your Hassio IP on the corresponding port, in this case 8123 for Homeassistant.
And select the right incoming protocol (HTTP/HTTPS), I guess you’ll start with HTTP to get it working first then you can switch to full HTTPS later on.
Fiddle with the remaining settings, they should be quite straightforward.
Reverse proxy grants you the power of having subdomains so you can forward plex.yourdomain.com to your PC Plex instance, ha.yourdomain.com to your HomeAssistant instance on an RPi, and so on. You get the idea.
Now as for the benefit of NGINX Proxy Manager: it already has LetsEncrypt embedded in a nice interface, basically it takes one click to get your certificate…
But since you’re using Cloudflare you can use the Origin server certificates offered by them which are valid for 15 years so you don’t have to worry about renewing your certificates or about getting LetsEncrypt to successfully complete the challenge for issuing the certificate. You can download them from SSL/TLS -> Origin Server tab on the Cloudflare console and upload them into the NGINX Proxy Manager.
In my case migrating it was quite straightforward since I was using a new domain name and using subdomains, so I left my old setup running (using DuckDNS) until I got the new one up. Beware you’ll have some certificate errors depending on which URL you use and the base_url entry in your configuration.yaml, however you can just click on continue visiting the website despite the certificate error.
Steps for migrating:
- Setup NGINX
- Upload the origin certificate from Cloudflare (wildcard cert so works for any subdomains)
- Add the proxy hosts entries for the old and new setup
- Switch the port forwarding correctly
So you will have your old setup running while you create/test the new one, or until you figure out what you want to do with it (which services to expose, which subdomain names, only specific pages from a service, etc).
If you’re not using full HTTPS end to end, you will need to change the setting in Cloudflare console SSL/TLS to Full or Flexible. Once you have it up and running, including the origin certificates you can switch to Full (Strict). If you don’t do this you will most likely run into a lot of certificate errors on your browser or bad redirection.
My advice is to also configure your router to drop any connections not coming from Cloudflare for security.
Cloudflare will be the proxy, your IP will never be exposed and anyway anything coming to your public IP that is not proxied traffic will be dropped. You can start adding more stuff on Cloudflare like security rules for DDOS, stop bots (like the ones from Shodan), challenges for risky IPs (like the ones you get from websites to prove you’re not a robot), etc.
One very useful feature to completely secure my setup that is WAY more useful and important than Fail2Ban or whatever is the Cloudflare Access.
So it’s like a 2 step authentication, whoever tries to access your instance will have to authenticate on Cloudflare Access before being able to reach your instance so you can drop the fail2ban.
And you can stop worrying about DDOS, bots, unauthorized access to your instance, etc. Cloudflare will be your Firewall and your router should only allow traffic coming from Cloudflare.
The only exception is if you have a standard VPN; these cannot be proxied through Cloudflare so you will have to turn off the proxy feature for that specific DNS entry in Cloudflare. I think there are certain VPN protocols like WireGuard which are exempted from this.
But for starters you can start with HTTP basic configuration on HA on port 8123, it will still show as HTTPS when you reach your instance, but the connection between Cloudflare and your instance will be plain HTTP so beware.
To get full HTTPS you will need to upload the Cloudflare origin certificate and set HTTPS as your protocol in the NGINX reverse proxy add-on; set your base URL value in the HTTP section of the configuration.yaml with HTTPS, i.e. https://ha.yourdomain.com, and set Cloudflare encryption to FULL STRICT.
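The post’s advice to have the router drop anything on the forwarded ports that does not come from Cloudflare is the one step it leaves without a concrete recipe. The script below is an added example, not code from the post or from NGINX Proxy Manager: it reads Cloudflare’s IPv4 and IPv6 ranges from two text files (the real lists are published as plain text at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6; the ranges in the usage line are constructed documentation addresses, not Cloudflare’s), and prints an nftables ruleset that accepts TCP 80/443 only from those ranges and drops the rest. It assumes the box enforcing the rule runs nftables (a Linux router, or the host running the proxy add-on); the ruleset is only printed, so you can review it before loading it with `nft -f`.

```shell
#!/bin/sh
# Added example: build an nftables "Cloudflare only" ruleset for ports 80/443.
# Input files: one CIDR per line, blank lines and '#' comments ignored.
# Refresh them from https://www.cloudflare.com/ips-v4 and /ips-v6 on a schedule;
# the sample values used below are constructed (RFC 5737 / RFC 3849 ranges).

# Coarse syntax check: v4 "a.b.c.d/n" or v6 "hex:...::/n". Returns 1 on junk so a
# corrupted download cannot silently produce a ruleset that blocks everything.
cf_valid_cidr() {
  case "$1" in
    *[!0-9a-fA-F:./]*|*/) return 1 ;;
    */*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the CIDRs in file $1 as a comma-separated nft set body.
cf_cidr_set() {
  set_body=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac
    cf_valid_cidr "$line" || { echo "invalid CIDR in $1: $line" >&2; return 1; }
    set_body="${set_body}${set_body:+, }${line}"
  done < "$1"
  [ -n "$set_body" ] || { echo "no CIDRs found in $1" >&2; return 1; }
  printf '%s\n' "$set_body"
}

# Emit the ruleset. Policy stays "accept" so LAN management access is untouched;
# only the exposed ports are restricted. On a router doing DNAT to the proxy
# host, hook "forward" instead of "input" (assumption: your router runs nftables).
cf_nft_rules() {
  v4set=$(cf_cidr_set "$1") || return 1
  v6set=$(cf_cidr_set "$2") || return 1
  cat <<EOF
table inet cf_only {
  set cf_v4 { type ipv4_addr; flags interval; elements = { $v4set } }
  set cf_v6 { type ipv6_addr; flags interval; elements = { $v6set } }
  chain input {
    type filter hook input priority 0; policy accept;
    ip saddr @cf_v4 tcp dport { 80, 443 } accept
    ip6 saddr @cf_v6 tcp dport { 80, 443 } accept
    tcp dport { 80, 443 } counter drop
  }
}
EOF
}

# Stand-alone usage: sh cf_only.sh cloudflare-v4.txt cloudflare-v6.txt > cf_only.nft
if [ "$#" -eq 2 ]; then
  cf_nft_rules "$1" "$2"
fi
```

Because the drop rule only covers 80 and 443, a non-proxied DNS record (the VPN case the post mentions) keeps working as long as it uses a different port; if you also forward that port, it needs its own rule. Reload the ruleset whenever Cloudflare’s published ranges change, otherwise legitimate proxied traffic from a new range is dropped and the site appears down.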