Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

** GUIDE ** How to configure Cloudflare on your unRAID server with NGINX Proxy Manager

Featured Replies

  • 8 months later...

@Sycotix thanks for the great tutorial here. I followed the instructions as you provided but ran into some problem and wondering if you or anyone else would have any suggestions.

 

PROBLEM

I am getting the Cloudflare error page when I browse to my subdomain with error 521 (webserver is down). The web server I want to host on NPM is up and running and I can reach it on the LAN by going to its local IP address. I further did a packet capture on the switch port connecting the NPM server and what I see is that the communication is breaking down at the initial TCP handshake. The Cloudflare server sends a TCP SYN to NPM but NPM responds with a RST. I verified the port forwarding is working correctly and we see destination port tcp/18443.

 

If I browse to the NPM local IP on port 8080 I do get the congratulations page.

 

SETUP

I'm using a Cloud Origin CA cert on Cloudflare. I have port forwards on my router for 443 & 80 to go to 18443 & 1880, respectively. My Cloudflare DNS records are setup so that I have an A record for my root domain set to my public IP address and a CNAME for my subdomain. On NPM I added the Origin cert and setup the host with the following settings:

 

Details

  • scheme: http
  • Forward: local IP of server
  • forward port: 5055
  • cache assets: enabled
  • block common exploits: enabled
  • websocket support: enabled

 

SSL

  • force SSL: enabled
  • HTTP/2 support: enabled

 

If any other details are needed then please let me know. Any help or advice is much appreciated. Cheers!

  • Author
13 minutes ago, noobguy said:

@Sycotix thanks for the great tutorial here. I followed the instructions as you provided but ran into some problem and wondering if you or anyone else would have any suggestions.

 

PROBLEM

I am getting the Cloudflare error page when I browse to my subdomain with error 521 (webserver is down). The web server I want to host on NPM is up and running and I can reach it on the LAN by going to its local IP address. I further did a packet capture on the switch port connecting the NPM server and what I see is that the communication is breaking down at the initial TCP handshake. The Cloudflare server sends a TCP SYN to NPM but NPM responds with a RST. I verified the port forwarding is working correctly and we see destination port tcp/18443.

 

If I browse to the NPM local IP on port 8080 I do get the congratulations page.

 

SETUP

I'm using a Cloud Origin CA cert on Cloudflare. I have port forwards on my router for 443 & 80 to go to 18443 & 1880, respectively. My Cloudflare DNS records are setup so that I have an A record for my root domain set to my public IP address and a CNAME for my subdomain. On NPM I added the Origin cert and setup the host with the following settings:

 

Details

  • scheme: http
  • Forward: local IP of server
  • forward port: 5055
  • cache assets: enabled
  • block common exploits: enabled
  • websocket support: enabled

 

SSL

  • force SSL: enabled
  • HTTP/2 support: enabled

 

If any other details are needed then please let me know. Any help or advice is much appreciated. Cheers!

Well written mate!

 

So, if you go to you public IP and port will it let you reach the app?

28 minutes ago, Sycotix said:

Well written mate!

 

So, if you go to you public IP and port will it let you reach the app?

Thanks!!

 

It is the same issue. If I open up my firewall to all IP's (instead of just CF ones) and hit my Public IP I can't reach it. Packet captures on LAN confirm source IP is from my phone instead of CF and destination port is tcp/18443 is reaching NPM but still is responding with RST's.

Edited by noobguy

Seems I have the same issue as well.

 

Additionally, when using flexible mode in Cloudflare, the unraid web gui loads when accessing example.domain.com even if this is set up to point to another docker in Nginx Proxy Manager.

 

 

  • 1 month later...

I also have the exact same issue.   I think we're all fundamentally missing something.   Perhaps something with the port fowards?

  • Author

If it works on Flexible and not on strict it could be your SSL certs. We highly recommend you run the tunnel to avoid poet forwarding entirely. 

 

Be sure to check our docs at: https://docs.ibracorp.io

 

I never really solved this but I did test this out using another (edit: NPM image) from CA and it worked with no other change on my side. I'm happy to test anything to get this docker image working. Just let me know.

Edited by noobguy

  • 4 months later...

I'm also having the same issue. Browser is throwing 521 error when on anything but flexible with 2 different NPM images

Edit: Figured this out. For some reason the ONLY thing that would get this to work for me was disabling "Force SSL" in each host proxy. Cloudflare is still set to Full (Strict) and everything is now working. Really strange as HSPS is also enabled in Cloudflare, and disabling Force SSL obviously grays out those options in NGINX... but she works lol

Edited by Avsynthe

  • 7 months later...
On 4/25/2022 at 1:29 AM, Avsynthe said:

I'm also having the same issue. Browser is throwing 521 error when on anything but flexible with 2 different NPM images

Edit: Figured this out. For some reason the ONLY thing that would get this to work for me was disabling "Force SSL" in each host proxy. Cloudflare is still set to Full (Strict) and everything is now working. Really strange as HSPS is also enabled in Cloudflare, and disabling Force SSL obviously grays out those options in NGINX... but she works lol

 

Don't know how you figured this out... but I tried the same after banging my head against a wall all day and it fixed it. Thanks for sharing!

Edited by Breadford

  • 1 year later...

Sorry for the necromancy, but I am having a issue with SSL and using Cloudflare Tunnel.

 

I created a tunnel on cloudflare:

image.png.f171ae351715f18d605175c88eeff2a2.png

 

I have it point to my dockers Nginx HTTPS port '18443':

image.thumb.png.3dcf190826951c45e1c1bf2ddc207e24.png

 

The tunnel connection reports healthy:

image.thumb.png.7cc16669369af8ec6824e66936785f8c.png

 

I created a Client Certificate on Cloudflare and added that in the Nginx Proxy Manager:

image.png.7f01a2c7c4e6c26359b748ecb3e7e58e.png

 

 

I created a Proxy Host using the certificate:

image.png.7722a63cfb478fc3e0ef1f84f24f0c6a.png

 

I have the public hostname directing to my target docker container on port '8086':

image.thumb.png.acc2cb44809ca40b44d53ed8a4ca20cc.png

 

However, when I attempt to access my docker from my public hostname I get a 502 error:

image.png.66aef8d4dc8a624161493bc7a62c4945.png

 

Anyone have any ideas/advice?

Edited by Paldren

  • 2 months later...

I just tried setting this up as well.  Got the same error as Paldren above.

 

Any help would be greatly appreciated!

Edited by shunter

  • 6 months later...

Hi Paldren!

 

Your post is a bit older, but since I'm currently struggling to set up NPM and Cloudflare the way I want, I also came across the topic of "Cloudflare Tunnels". Right now, it's the only working configuration that allows me to make individual Docker services publicly accessible via my own domain and SSL without exposing my public IPv4 address. I'm actually working on solving everything through Tailscale, but I'm currently stuck with that.

 

With the help of Cloudflare Tunnel and additional authentication, everything is working for now, and I think this setup is at least somewhat "secure."

 

In your first screenshot, I noticed that under "Public Hostname" in the CF Tunnel settings, you entered the HTTPS port of your NPM. However, you should enter the port of the service you want to access via the CF Tunnel - for example, port 8096 for Jellyfin.

 

Besides that, you don't actually need NPM at all when using CF Tunnel. Please correct me if I'm talking nonsense—I'm still a beginner when it comes to networking.

 

Best regards,
Tom

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.