Part 2: Set Up Nginx Proxy Manager on Proxmox with Cloudflare DNS & pfSense#

In Part 2 of this series, we’re setting up Nginx Proxy Manager (NPM) inside Proxmox so we can start exposing our local services with clean HTTPS URLs and valid SSL certificates.

This is where the home lab starts feeling real.

Instead of accessing Home Assistant with something like:

  • http://192.168.1.20:8123

…we’ll be able to use:

  • https://ha.domain.com

And because we’re using Cloudflare DNS validation, we can issue a wildcard certificate for our domain and keep everything secure and polished.


Why We’re Doing It This Way#

In Part 1, we set up pfSense as our firewall and router.

For this build, we’ll install Nginx Proxy Manager on:

  • 192.168.1.11/24

Using a static IP keeps things predictable and avoids DNS headaches later.

This gives us:

  • pfSense handling firewall, routing, and local DNS resolution
  • Nginx Proxy Manager handling HTTPS and reverse proxying
  • Cloudflare handling DNS-based certificate validation

That combo is simple, reliable, and perfect for a home lab.


Step 1: Install Nginx Proxy Manager in Proxmox#

We’ll be installing Nginx Proxy Manager in Proxmox using the community helper script.

During the script setup, choose:

  • Advanced

This is important because it allows us to:

  • Set a root password
  • Assign a static IP address

Use the following static IP:

  • 192.168.1.11/24

That keeps the infrastructure clean and easy to remember.

https://community-scripts.org/scripts/nginxproxymanager?from=scripts&fromQ=nginx


Step 2: Access Nginx Proxy Manager for the First Time#

Once the container is up and running, open Nginx Proxy Manager in your browser:

  • http://192.168.1.11:81

From there:

  1. Create your admin user
  2. Sign in to the dashboard

Once you’re logged in, we’re ready to set up SSL.


Step 3: Get Your Cloudflare Global API Key#

To issue a wildcard certificate in Nginx Proxy Manager, we’ll use Cloudflare DNS validation with the Global API Key.

Note: Nginx Proxy Manager also supports scoped API Tokens, which are the least-privilege option. However, the Global API Key method is more straightforward for this use case and avoids potential permission issues with token-based validation. If you prefer to use an API Token instead, create one with Zone - Zone - Read and Zone - DNS - Edit permissions scoped to your domain, then in Step 4 put dns_cloudflare_api_token = your-token in the credentials file in place of the email and Global API Key lines.

In Cloudflare#

  1. Log in to Cloudflare
  2. Click your profile icon in the top right
  3. Go to My Profile
  4. Select API Tokens from the left sidebar
  5. Scroll down to the Global API Key section
  6. Click View next to the Global API Key
  7. Confirm your password when prompted
  8. Copy the Global API Key

You’ll need this key along with your Cloudflare account email in the next step.

Important: The Global API Key has full access to your Cloudflare account. Treat it like a password. Do not share it or commit it to version control.


Step 4: Create a Wildcard SSL Certificate in Nginx Proxy Manager#

Now that you have the Cloudflare Global API Key, we can create a Let’s Encrypt wildcard certificate.

In Nginx Proxy Manager:

  1. Click SSL Certificates
  2. Click Add SSL Certificate
  3. Choose Let’s Encrypt

Configure the certificate#

Domain Names:

  • *.domain.com
  • domain.com

Toggle Use a DNS Challenge to enable it.

DNS Provider:

  • Cloudflare

When you select Cloudflare, Nginx Proxy Manager will display a credentials file content box pre-populated with a template.

Replace the template content with the following:

dns_cloudflare_email = your-email@example.com
dns_cloudflare_api_key = your-global-api-key-here

Replace your-email@example.com with the email address tied to your Cloudflare account, and your-global-api-key-here with the Global API Key you copied in Step 3.

Check the I Agree to the Let’s Encrypt Terms of Service box.

Then:

  1. Click Save

If everything is correct, the certificate should save successfully.

If the certificate does not save#

Something likely went wrong with the Cloudflare credentials.

Double-check:

  • You are using the Global API Key, not an API Token (unless you intentionally configured a scoped token)
  • The email address matches the one on your Cloudflare account exactly
  • The key was pasted correctly with no leading or trailing whitespace
  • Your domain (domain.com) is active and managed in Cloudflare

If the certificate saves successfully, move on to the next step.


Step 5: Create a Secure Proxy Host for Home Assistant#

Now we’re going to give Home Assistant a clean, secure local address.

Instead of:

  • http://192.168.1.20:8123

We’ll use:

  • https://ha.domain.com

In Nginx Proxy Manager#

  1. Click Hosts
  2. Click Proxy Hosts
  3. Click Add Proxy Host

Details Tab#

Configure it like this:

  • Domain Names: ha.domain.com
  • Scheme: http
  • Forward Hostname / IP: 192.168.1.20
  • Forward Port: 8123

Enable:

  • Block Common Exploits
  • Websockets Support

SSL Tab#

Under SSL:

  • Select the certificate we just created: *.domain.com

Enable:

  • Force SSL
  • HTTP/2 Support

Save the proxy host.

That’s it – Nginx Proxy Manager is now ready to securely reverse proxy Home Assistant.

One caveat on the Home Assistant side: it rejects requests that arrive through a reverse proxy unless its configuration.yaml enables use_x_forwarded_for and lists the proxy (192.168.1.11) under trusted_proxies in the http: section, so set those before testing.


Step 6: Add a DNS Host Override in pfSense#

The final piece is making sure your local network knows where ha.domain.com should resolve.

In pfSense:

  1. Navigate to Services > DNS Resolver
  2. Scroll down to Host Overrides
  3. Click Add

Configure the override:

  • Host: ha
  • Domain: domain.com
  • IP Address: 192.168.1.11
  • Description: Home Assistant via NPM

Click Save, then click Apply Changes.

Why point to Nginx Proxy Manager, not Home Assistant directly?#

The DNS override points ha.domain.com to 192.168.1.11 (Nginx Proxy Manager), not to Home Assistant’s IP. This is intentional:

  • pfSense resolves ha.domain.com to Nginx Proxy Manager
  • Nginx Proxy Manager receives the request on port 443
  • NPM forwards it to Home Assistant at 192.168.1.20:8123
  • Your browser sees a valid HTTPS certificate

This keeps all traffic flowing through the reverse proxy, which handles SSL termination and provides a single point of control for all your proxied services.

Wildcard DNS Override (Optional)#

If you plan to proxy multiple services behind NPM (which you will), you can add a wildcard host override instead of creating individual entries for each service.

In pfSense:

  1. Navigate to Services > DNS Resolver
  2. Under Custom Options at the bottom, add:
server:
  local-zone: "domain.com." redirect
  local-data: "domain.com. A 192.168.1.11"

This tells Unbound (pfSense’s DNS resolver) to resolve all subdomains of domain.com to 192.168.1.11. Every new service you add in NPM will automatically resolve without touching pfSense DNS again.

Note: This overrides public DNS for domain.com on your local network. If you also need to resolve the bare domain to its public IP for external services, use individual host overrides instead of the wildcard approach.

Click Save, then click Apply Changes.

From any device using pfSense for DNS, you should now be able to browse to:

  • https://ha.domain.com

…and reach Home Assistant securely.
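As an added check (not code from the original guide), the script below shows why the Step 4 certificate and the wildcard DNS override do not line up perfectly: Unbound’s redirect zone resolves names at any depth under domain.com, but a Let’s Encrypt wildcard matches exactly one label. The SAN list mirrors the two names requested in Step 4; the live_sans helper and the sample hostnames are assumptions.

```python
"""Check that the wildcard certificate from Step 4 actually covers a hostname.

Added example, not part of the original guide. Assumes the certificate's
Subject Alternative Names are the two entries configured in Step 4
(*.domain.com and domain.com); the live check is optional and needs network.
"""
import socket
import ssl


def san_covers(host: str, san_names: list[str]) -> bool:
    """Return True if any SAN entry covers host.

    Browsers apply the RFC 6125 rule: a wildcard matches exactly one label,
    so *.domain.com covers ha.domain.com but not domain.com or a.b.domain.com.
    """
    host = host.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]  # ".domain.com"
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
        elif host == name:
            return True
    return False


# SANs requested in Step 4 (constructed to mirror the guide, not read from a live cert).
STEP4_SANS = ["*.domain.com", "domain.com"]


def uncovered(hosts, san_names=STEP4_SANS):
    """Names the wildcard DNS override will resolve but the certificate will not cover."""
    return [h for h in hosts if not san_covers(h, san_names)]


def live_sans(host: str, port: int = 443) -> list[str]:
    """Fetch the SAN list the proxy actually serves (hypothetical helper; needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


if __name__ == "__main__":
    # The Unbound/dnsmasq wildcard resolves every depth of domain.com to NPM,
    # but only single-label hostnames are covered by the Step 4 certificate.
    print(uncovered(["ha.domain.com", "domain.com", "grafana.domain.com", "a.b.domain.com"]))
    # → ['a.b.domain.com']
```

Any name the override sends to NPM that lands in the uncovered list will resolve fine but fail the browser’s certificate check, so keep proxied services one label deep under domain.com.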


Final Result#

At this point, your home lab now has:

  • pfSense for firewall, routing, and local DNS resolution
  • Nginx Proxy Manager for reverse proxy + HTTPS (192.168.1.11)
  • Cloudflare handling DNS validation for wildcard certificates
  • Home Assistant accessible at a clean local HTTPS address
  • Certificate renewal handled automatically by Nginx Proxy Manager, so the wildcard cert never silently expires

This is one of those upgrades that instantly makes your setup feel more polished and scalable.

Once this is working, adding more services becomes easy:

  • grafana.domain.com
  • portainer.domain.com
  • jellyfin.domain.com
  • uptime.domain.com

Same process. Same wildcard cert. Same clean experience.


Alternative: Using Pi-hole Instead of pfSense#

If you are not running pfSense – for example, if you’re using a consumer router or a different firewall that does not support DNS overrides – you can use Pi-hole to handle local DNS resolution instead.

Prerequisites#

  • Pi-hole installed and running (for this guide, we’ll assume it is at 192.168.1.10)
  • Your network devices configured to use Pi-hole as their DNS server (either via DHCP or static configuration)

Adding a Local DNS Record in Pi-hole#

  1. Open the Pi-hole admin interface (typically http://192.168.1.10/admin)
  2. Navigate to Local DNS > DNS Records
  3. Add a new entry:
    • Domain: ha.domain.com
    • IP Address: 192.168.1.11
  4. Click Add

The traffic flow is the same as the pfSense method:

  • Pi-hole resolves ha.domain.com to Nginx Proxy Manager at 192.168.1.11
  • Nginx Proxy Manager receives the request and forwards it to Home Assistant at 192.168.1.20:8123
  • Your browser sees a valid HTTPS certificate

Wildcard DNS in Pi-hole#

Pi-hole does not natively support wildcard DNS records through its web interface. However, you can configure one using dnsmasq:

  1. SSH into your Pi-hole server
  2. Create a custom dnsmasq configuration file:
sudo nano /etc/dnsmasq.d/02-custom-wildcard.conf
  3. Add the following line:
address=/domain.com/192.168.1.11
  4. Save the file and restart the DNS service:
sudo pihole restartdns

This tells dnsmasq to resolve all subdomains of domain.com to 192.168.1.11, giving you the same wildcard behavior as the pfSense Unbound method.

Note: The same caveat applies here. This overrides public DNS resolution for domain.com on your local network. If you need the bare domain to resolve to its public IP, use individual DNS records instead.


What’s Next?#

Now that Nginx Proxy Manager is in place, the rest of your self-hosted stack gets a lot easier.

You’ve built the foundation for:

  • Cleaner local service URLs
  • Trusted HTTPS everywhere
  • Easier expansion as your home lab grows

In the next part, you can start layering on more services behind NPM and turning your home lab into a truly polished self-hosted platform.


Quick Recap#

  • Install Nginx Proxy Manager in Proxmox using the helper script
  • Choose Advanced during install
  • Set a root password
  • Assign static IP 192.168.1.11/24
  • Log into http://192.168.1.11:81
  • Copy the Cloudflare Global API Key from your Cloudflare profile
  • Generate a wildcard Let’s Encrypt certificate using DNS challenge with your Global API Key and account email
  • Create a proxy host for Home Assistant
  • Add a DNS host override in pfSense pointing ha.domain.com to 192.168.1.11
  • Optionally configure a wildcard DNS override in pfSense Unbound or Pi-hole dnsmasq
  • Access Home Assistant securely at https://ha.domain.com

Closing Thoughts#

This is one of the best upgrades you can make early in a home lab build.

It’s not flashy. It’s not expensive. But it gives you:

  • Security
  • Simplicity
  • Scalability
  • A much more professional setup

And once you’ve done it once, you’ll use this pattern for almost everything you self-host.

If you’re following along, Part 2 is where your lab starts feeling like real infrastructure.