If you’re running the simplest setup with no reverse proxy, you don’t need a local DNS server as long as your router supports NAT loopback. Cloudflare will resolve your domain to your public IP, your browser will connect to that public IP, and—if your router supports it—the router will loop the traffic back inside your network and forward port 443 to your Unraid server. By default: HTTP uses port 80 HTTPS uses port 443 (You can technically run SSL on any port, including 80, but browsers won’t assume it by default.) So when you visit: https://unraid.mydomain.com your browser connects to public_IP:443, and your router forwards that to Unraid. If you instead visit: https://unraid.mydomain.com:8000 your browser will connect to public_IP:8000. That port must be open on your router and forwarded to the correct internal IP and port. Adding “:8000” tells the browser to use HTTPS on port 8000 instead of the default 443. To avoid opening a new port every time you add a service, you can use a reverse proxy. With a proxy, you only need ports 80 and 443 open for all your HTTP/HTTPS traffic. From the reverse proxy inward, all other services stay internal. The proxy looks at the domain name in the request and routes it to the right service on your LAN. For example: plex.mydomain.com → 192.168.1.6:9000 unraid.mydomain.com → 192.168.1.6:8000 Both domains resolve to the same public IP, and the reverse proxy decides where each request goes based on the hostname. If you use direct port forwarding to your Unraid server, and this app retrieves the certificate from Cloudflare, then Unraid itself holds the valid certificate and can establish a secure HTTPS session directly with your browser. If you instead use a reverse proxy, the proxy becomes the device that establishes the HTTPS session with your browser. Because the browser sees a valid certificate from the proxy, you won’t get any SSL warnings. If Unraid also has the certificate and you configure the reverse proxy to connect to Unraid over HTTPS instead of HTTP, then the connection is encrypted on both sides — from the browser to the proxy, and from the proxy to Unraid. That gives you full end‑to‑end encryption. Just keep in mind that only Unraid is covered automatically. If you want true end‑to‑end encryption for each individual service behind the proxy, you’ll need to configure those services to use the certificate as well so the “last mile” between the proxy and each service is encrypted. *Trust me, I’m a doctor. Well, not that kind of doctor — but the confidence is the same. And my handwriting proves it.