Project Highlights
- Implemented SSL/TLS certificates using Cloudflare and NGINX Proxy Manager to secure external and internal service communication
- Enforced HTTPS and secure transport policies across all published services
- Applied security headers and browser hardening controls to reduce attack surface exposure
- Eliminated public port forwarding by routing services exclusively through Cloudflare Tunnel
- Restricted administrative interfaces to local network access while maintaining secure remote connectivity
- Integrated Cloudflare Zero Trust policies to enforce identity-aware authentication before resource access
- Validated encryption, certificate trust chains, and secure access workflows across the environment
- Established a scalable security model capable of securely publishing additional self-hosted applications
Greetings!
After implementing Cloudflare Tunnel connectivity, reverse proxy routing, and Zero Trust application access, the final phase focused on strengthening the overall security posture of the NAS environment. This stage centered on certificate management, transport security enforcement, browser-level protections, and reducing unnecessary exposure of internal services.
The objective was not only to secure current services, but also to create a repeatable and scalable framework capable of supporting additional applications without relying on traditional port forwarding or direct public exposure.
Implementing Trusted SSL/TLS Certificates
SSL/TLS certificates were implemented to ensure encrypted communication between clients, Cloudflare, the reverse proxy, and backend services. Centralizing certificate management through NGINX Proxy Manager simplified administration while allowing secure HTTPS communication across multiple subdomains and hosted applications.
Simplified SSL/TLS handshake process demonstrating encrypted communication establishment between client and server systems. (Ankit Sinhal, 2021)
Cloudflare Origin Certificates and automated ACME-based certificate management were used to establish trusted encrypted connections between Cloudflare and internal services. This reduced the need for manual certificate maintenance while improving scalability for future deployments.
Cloudflare API token configuration and TrueNAS ACME DNS-Authenticator integration used to automate certificate validation and management workflows. (Cloudflare, 2026; TrueNAS, 2026)
Key security improvements included:
- End-to-end encrypted communication paths
- Automated certificate renewal workflows
- HTTPS enforcement across all exposed services
- Centralized TLS management through the reverse proxy
These changes ensured that sensitive traffic, authentication requests, and application data remained encrypted throughout the entire communication chain.
Enforcing HTTPS and Secure Transport Policies
To further strengthen transport security, HTTPS enforcement policies were configured at both the Cloudflare and reverse proxy layers. Redirect rules ensured that insecure HTTP requests were automatically upgraded to HTTPS connections before reaching backend services.
Example of Cloudflare SSL/TLS and Edge Certificate settings configured to enforce encrypted HTTPS communication and end-to-end transport security. (Super SaaS, n.d.)
Additional hardening measures included enabling HTTP Strict Transport Security (HSTS) and restricting legacy TLS protocol usage. These configurations helped reduce the risk of downgrade attacks, insecure session handling, and weak encryption negotiation.
HSTS transport security policies and NGINX Proxy Manager SSL settings used to strengthen HTTPS enforcement and secure reverse proxy communications. (freeCodeCamp, 2018; NGINX Proxy Manager, 2026)
The final configuration ensured that:
- All external access occurred exclusively over HTTPS
- Legacy or insecure protocol versions were minimized
- Secure browser communication policies remained consistently enforced
- Backend services were no longer directly exposed over unsecured connections
Together, these transport security controls established a more resilient and production-aligned deployment architecture.
Applying Security Headers and Hardening Controls
Browser-level protections were added through the implementation of multiple HTTP security headers. These controls reduced the likelihood of common web-based attack vectors by limiting how browsers process application content and external resources.
Common HTTP security headers and their associated functions used to strengthen browser security, reduce attack surface exposure, and enforce secure web application behavior. (Raj, 2020)
Security headers such as Content Security Policy (CSP), X-Frame-Options, and X-Content-Type-Options were configured to strengthen application behavior and reduce exposure to content injection, clickjacking, and MIME-based attacks.
Cloudflare HTTP Response Header Transform Rules used to apply browser security headers and enforce secure web application behavior across hosted services. (Cloudflare, 2026)
Additional hardening efforts focused on minimizing unnecessary exposure of services and administrative interfaces. Internal resources were segmented behind the reverse proxy architecture while management access remained limited to trusted network paths.
This phase contributed to:
- Reduced browser-side attack surface exposure
- Improved control over trusted content sources
- Better isolation of internal infrastructure components
- Increased consistency with modern web security best practices
Reducing Public Exposure and Strengthening Access Control
A major objective of the final configuration stage was minimizing unnecessary exposure of internal infrastructure. Traditional port forwarding was fully eliminated in favor of Cloudflare Tunnel-based connectivity, ensuring that inbound access requests were authenticated and proxied before reaching internal services.
Administrative interfaces such as the TrueNAS management portal were restricted to local network access whenever possible, while externally accessible applications remained protected through Cloudflare Zero Trust authentication policies.
This approach provided several security advantages:
- Internal IP addresses remained hidden from external users
- Services were inaccessible without passing through the Zero Trust layer
- Identity-aware authentication occurred before application access
- Public attack surface exposure was significantly reduced
By routing traffic through Cloudflare Tunnel and NGINX Proxy Manager, the environment achieved a layered security model that combined encrypted transport, reverse proxy segmentation, and identity-based access enforcement.
Validation and Final Configuration Testing
After configuring hostname routing, I created a Cloudflare Zero Trust application to protect access to the Nextcloud subdomain.
Following implementation, the environment was tested to validate that security controls operated as intended across all services and access paths. HTTPS enforcement, certificate trust validation, authentication workflows, and reverse proxy routing were reviewed to confirm stable and secure operation.
Qualys SSL Labs validation results confirming strong SSL/TLS configuration, secure certificate deployment, and hardened transport security settings across the hosted environment. (Qualys SSL Labs, 2026)
Testing also confirmed that backend services were no longer publicly reachable without passing through Cloudflare Tunnel and Zero Trust authentication policies.
Cloudflare Zero Trust authentication portal enforcing identity-aware access control through external identity provider authentication prior to application access.
Validation activities included:
- Verifying HTTPS enforcement across hosted services
- Confirming valid SSL/TLS certificate chains
- Testing Cloudflare Zero Trust authentication flows
- Reviewing browser security indicators and applied headers
- Confirming restricted access to internal administrative services
Additionally, after implementing and validating the configured security headers, the hosted environment achieved an A+ security rating during external browser security testing, confirming that transport security policies and header-based hardening controls were functioning as intended.
SecurityHeaders.com scan results confirming implementation of multiple HTTP security headers and strong browser security policy enforcement across the hosted environment. (Security Headers, 2026)
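The validation checks listed above (HTTPS enforcement, HSTS, and the CSP, X-Frame-Options and X-Content-Type-Options headers) can be scripted so they are repeated whenever a new service is published. The following is an added example, not code from the project: it audits a plain-HTTP and an HTTPS response against those expectations. The responses and the hostname cloud.example.com are constructed placeholders; in practice the same functions would be fed the status and headers returned by an HTTP client.

```python
"""Audit a published service's responses for the transport and header
hardening described above. Added example; sample data is constructed."""

# Constructed sample responses (hypothetical hostname cloud.example.com).
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://cloud.example.com/"}}
HTTPS_RESPONSE = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}}

MIN_HSTS_AGE = 15552000  # 180 days, a common minimum for an HSTS max-age
REQUIRED_HEADERS = ("content-security-policy", "x-frame-options",
                    "x-content-type-options")

def _lower(headers: dict) -> dict:
    """Header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}

def check_redirect(resp: dict) -> list[str]:
    """Plain HTTP must be upgraded with a permanent redirect to https://."""
    findings, h = [], _lower(resp["headers"])
    if resp["status"] not in (301, 308):
        findings.append("plain HTTP was not redirected (expected 301/308)")
    elif not h.get("location", "").startswith("https://"):
        findings.append("redirect target is not https://")
    return findings

def parse_hsts(value: str) -> dict:
    """Split 'max-age=N; includeSubDomains; preload' into a directive map."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val
    return directives

def check_headers(resp: dict) -> list[str]:
    """Verify HSTS strength and the presence of the browser hardening headers."""
    findings, h = [], _lower(resp["headers"])
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        age = d.get("max-age", "0")
        if not age.isdigit() or int(age) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below 180 days")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    findings += [f"missing {name}" for name in REQUIRED_HEADERS if name not in h]
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    return findings

def audit(http_resp: dict, https_resp: dict) -> list[str]:
    """Empty list means every checked control is in place."""
    return check_redirect(http_resp) + check_headers(https_resp)

if __name__ == "__main__":
    print(audit(HTTP_RESPONSE, HTTPS_RESPONSE) or ["no findings"])
```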
These checks verified that the NAS environment successfully transitioned from a standard homelab deployment into a hardened, security-focused infrastructure platform.
Key Takeaways
This final phase reinforced the importance of combining multiple layers of security to protect self-hosted infrastructure and remotely accessible services. Implementing SSL/TLS certificates and enforcing HTTPS policies ensured that communication remained encrypted across all access points, while HTTP security headers and browser hardening controls helped reduce exposure to common web-based attack vectors. Replacing traditional port forwarding with Cloudflare Tunnel significantly reduced public attack surface exposure by masking internal infrastructure and routing requests through authenticated proxy services instead of directly exposing the network to the internet.
Integrating Cloudflare Zero Trust further strengthened the environment by enforcing identity-aware authentication before users could access internal applications or administrative resources. Centralizing traffic management through NGINX Proxy Manager also simplified certificate handling, reverse proxy routing, and long-term scalability for future deployments. Together, these configurations established a secure and repeatable architecture capable of supporting additional self-hosted services while maintaining strong access control, encrypted communication, and modern infrastructure security practices.
Zero Trust remote access architecture illustrating layered security controls used to protect self-hosted NAS infrastructure through Cloudflare DNS, identity-aware authentication, encrypted tunnel routing, reverse proxy management, and segmented internal network access.
Conclusion
This project evolved from a standard NAS deployment into a layered, security-focused infrastructure platform designed around modern Zero Trust principles. Through the integration of TrueNAS SCALE, Cloudflare Tunnel, NGINX Proxy Manager, Nextcloud, automated certificate management, and Cloudflare Zero Trust, the environment was transformed into a secure and scalable self-hosted ecosystem capable of supporting remote access without exposing internal infrastructure to the public internet.
Beyond improving security and accessibility, the project provided hands-on experience with reverse proxy architecture, encrypted communications, identity-aware access control, DNS and tunnel routing, application publishing, and infrastructure hardening. The final architecture establishes a repeatable framework for securely deploying additional self-hosted services while maintaining centralized access management and reduced attack surface exposure.