//nbkelley /homelab

Proxy Management & Cloudflare Tunnels

Calendar May 1, 2026
Cloudflare, Opnsense, Nginx-Proxy-Manager, Networking, Tunnels, Docker, Troubleshooting

Proxy Management & Cloudflare Tunnels#

What Was Established#

There are multiple layers of proxying available in the homelab, ranging from edge protection (Cloudflare) to local routing (OPNsense/Nginx Proxy Manager).

Nginx Proxy Manager (NPM) Troubleshooting#

  • Redirect Loops & Timeouts: Often caused by misconfigured upstream servers or aggressive timeout settings in NPM’s web UI. Resolving a redirect loop may expose underlying connectivity issues that manifest as timeouts.
  • Docker Compose Pattern: NPM is deployed with network_mode: host to bind directly to host ports (80, 443, 81), bypassing Docker’s NAT for direct host network access.
  • Verification Steps:
    1. Check container health: docker ps | grep nginx-proxy-manager (ensure healthy status).
    2. Verify port bindings: sudo netstat -tulpn | grep :80 / :443 (requires net-tools package).
    3. Inspect NPM Web UI: Access at http://<host-ip>:81 to review Proxy Host settings, specifically timeout values and upstream server addresses.
  • Port Conflicts: Use netstat to identify which container owns a specific port (e.g., docker-proxy vs nginx: master). In this setup, port 8000 was observed bound to docker-proxy, indicating another service in the compose stack.
  • Co-located Services: The same Docker Compose stack hosts cloudflare-ddns (for dynamic IP updates) and netbird (for mesh networking), requiring careful port management to avoid conflicts.

Key Decisions#

  • Use network_mode: host for NPM to simplify port mapping and ensure direct access to host network interfaces.
  • Rely on net-tools (netstat) for quick port binding verification in host-networked Docker containers.

Current Configuration#

  • Docker Host: iluvatar@proxy (192.168.1.208)
  • NPM Web UI: http://192.168.1.208:81
  • Ports: 80 (HTTP), 443 (HTTPS), 81 (NPM Admin UI)

Historical Notes#

  • Troubleshooting session from 2025-11-17 resolved a redirect loop that subsequently turned into a timeout issue.
  • net-tools installation was required to diagnose port bindings on the host.

Open Questions#

  • Specific timeout values configured in NPM for upstream services.
  • Whether netbird or cloudflare-ddns requires dedicated port exposure or can share the host network.

Uptime Kuma - Configuration & Integrations