Part 2: Set Up Nginx Proxy Manager on Proxmox with Cloudflare DNS & Pi-hole#

In Part 2 of this series, we’re setting up Nginx Proxy Manager (NPM) inside Proxmox so we can start exposing our local services with clean HTTPS URLs and valid SSL certificates.

This is where the home lab starts feeling real.

Instead of accessing Home Assistant with something like:

  • http://192.168.1.20:8123

…we’ll be able to use:

  • https://ha.domain.com

And because we’re using Cloudflare DNS validation, we can issue a wildcard certificate for our domain and keep everything secure and polished.

Why We’re Doing It This Way#

In Part 1, we set up Pi-hole at:

  • 192.168.1.10

For this build, we’ll install Nginx Proxy Manager on:

  • 192.168.1.11/24

Using a static IP keeps things predictable and avoids DNS headaches later.

This gives us:

  • Pi-hole handling local DNS
  • Nginx Proxy Manager handling HTTPS and reverse proxying
  • Cloudflare handling DNS-based certificate validation

That combo is simple, reliable, and perfect for a home lab.

Step 1: Install Nginx Proxy Manager in Proxmox#

We’ll be installing Nginx Proxy Manager in Proxmox using the community helper script.

During the script setup, choose:

  • Advanced

This is important because it allows us to:

  • Set a root password
  • Assign a static IP address

Use the following static IP:

  • 192.168.1.11/24

We’re choosing this because:

  • 192.168.1.10 = Pi-hole
  • 192.168.1.11 = Nginx Proxy Manager

That keeps the infrastructure clean and easy to remember.

https://community-scripts.org/scripts/nginxproxymanager?from=scripts&fromQ=nginx

Step 2: Access Nginx Proxy Manager for the First Time#

Once the container is up and running, open Nginx Proxy Manager in your browser:

  • http://192.168.1.11:81

From there:

  1. Create your admin user
  2. Sign in to the dashboard

Once you’re logged in, we’re ready to set up SSL.

Step 3: Create a Cloudflare API Token for DNS Validation#

To issue a wildcard certificate in Nginx Proxy Manager, we’ll use Cloudflare DNS validation.

In Cloudflare:#

  1. Log in to Cloudflare
  2. Click your profile icon
  3. Go to API Tokens
  4. Click Create Token
  5. Choose the Edit zone DNS template

Update the permissions to the following:#

  • Zone → Zone → Read
  • Zone → DNS → Edit

Under Zone Resources:#

  • Include → Specific Zone → domain.com

Then:

  1. Click Continue to Summary
  2. Create the token
  3. Copy the API token

You’ll need this token in Nginx Proxy Manager in the next step.

Important: Save this token somewhere safe before leaving the page. You may not be able to view it again.

Step 4: Create a Wildcard SSL Certificate in Nginx Proxy Manager#

Now that you have the Cloudflare API token, we can create a Let’s Encrypt wildcard certificate.

In Nginx Proxy Manager:

  1. Click SSL Certificates
  2. Click Add SSL Certificate
  3. Choose Let’s Encrypt via DNS Challenge

Configure the certificate:#

Domains:

  • *.domain.com
  • domain.com

Key Type:

  • RSA 2048

DNS Provider:

  • Cloudflare

When you select Cloudflare, Nginx Proxy Manager will display the credentials file content.

In that credentials section:

  • Replace the placeholder API key with the Cloudflare API token you copied earlier

Then:

  1. Click Save

If everything is correct, the certificate should save successfully.

If the certificate does not save:#

Something likely went wrong with the Cloudflare token.

Double-check:

  • The token was created correctly
  • The correct zone (domain.com) was selected
  • The permissions were set exactly as listed above

If the certificate saves successfully, move on to the next step.

Step 5: Create a Secure Proxy Host for Home Assistant#

Now we’re going to give Home Assistant a clean, secure local address.

Instead of:

  • http://192.168.1.20:8123

We’ll use:

  • https://ha.domain.com

In Nginx Proxy Manager:#

  1. Click Hosts
  2. Click Proxy Hosts
  3. Click Add Proxy Host

Details Tab#

Configure it like this:

  • Domain Names: ha.domain.com
  • Scheme: http
  • Forward Hostname / IP: 192.168.1.20
  • Forward Port: 8123

Enable:

  • Block Common Exploits
  • Websockets Support

SSL Tab#

Under SSL:

  • Select the certificate we just created: *.domain.com

Enable:

  • Force SSL
  • HTTP/2 Support

Save the proxy host.

That’s it — Nginx Proxy Manager is now ready to securely reverse proxy Home Assistant.

Step 6: Add a Local DNS Record in Pi-hole#

The final piece is making sure your local network knows where ha.domain.com should go.

In Pi-hole, create a local DNS entry that points:

  • ha.domain.com192.168.1.11

This is important because:

  • Pi-hole resolves ha.domain.com to Nginx Proxy Manager
  • Nginx Proxy Manager receives the request
  • NPM forwards it to Home Assistant at 192.168.1.20:8123
  • Your browser sees a valid HTTPS certificate

So from any device using Pi-hole for DNS, you should now be able to browse to:

  • https://ha.domain.com

…and reach Home Assistant securely.

Final Result#

At this point, your home lab now has:

  • Pi-hole for local DNS (192.168.1.10)
  • Nginx Proxy Manager for reverse proxy + HTTPS (192.168.1.11)
  • Cloudflare handling DNS validation for wildcard certificates
  • Home Assistant accessible at a clean local HTTPS address

This is one of those upgrades that instantly makes your setup feel more polished and scalable.

Once this is working, adding more services becomes easy:

  • grafana.domain.com
  • portainer.domain.com
  • jellyfin.domain.com
  • uptime.domain.com

Same process. Same wildcard cert. Same clean experience.

What’s Next?#

Now that Nginx Proxy Manager is in place, the rest of your self-hosted stack gets a lot easier.

You’ve built the foundation for:

  • Cleaner local service URLs
  • Trusted HTTPS everywhere
  • Easier expansion as your home lab grows

In the next part, you can start layering on more services behind NPM and turning your home lab into a truly polished self-hosted platform.

Quick Recap#

  • Install Nginx Proxy Manager in Proxmox using the helper script
  • Choose Advanced during install
  • Set a root password
  • Assign static IP 192.168.1.11/24
  • Log into http://192.168.1.11:81
  • Create a Cloudflare API token
  • Generate a wildcard Let’s Encrypt certificate using DNS challenge
  • Create a proxy host for Home Assistant
  • Point ha.domain.com to 192.168.1.11 in Pi-hole
  • Access Home Assistant securely at https://ha.domain.com

Closing Thoughts#

This is one of the best upgrades you can make early in a home lab build.

It’s not flashy. It’s not expensive. But it gives you:

  • Security
  • Simplicity
  • Scalability
  • A much more professional setup

And once you’ve done it once, you’ll use this pattern for almost everything you self-host.

If you’re following along, Part 2 is where your lab starts feeling like real infrastructure.