This is an automated archive made by the Lemmit Bot.
The original was posted on /r/selfhosted by /u/SpaceManaRitual on 2026-03-28 12:21:38+00:00.
I used to have port forwarding on my router (80/443) with a wildcard CNAME pointing to my public IP address, along with a local dnsmasq rule that would resolve internally to my local IP address. This worked great with Nginx Proxy Manager and a wildcard certificate but wasn’t very secure (CrowdSec helped, but still…).
Now I’ve closed the ports on the router and configured Cloudflare tunnel routes with access control, but I’m struggling with SNI issues since the exposed subdomains’ certificates seem to exist both at the edge (CF) and internally (NPM).
I’m running Pi-hole + dnscrypt-proxy for internal DNS resolution, and I’ve set a regex rule to exclude my domain from Pi-hole itself… but I’m still having issues locally.
Any help would be greatly appreciated!
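A small diagnostic for the split-horizon problem described above, added here as an illustration and not part of the original post or of any of the tools it names: it sends the same SNI name to the public edge IP and to the internal NPM IP and reports which certificate each path presents and whether that certificate covers the hostname. The hostnames, IPs and certificate contents are constructed placeholders.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); issuer names and SANs are made up.
EDGE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Edge CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
INTERNAL_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def san_matches(hostname, san):
    """RFC 6125-style match: a leading wildcard covers exactly one label."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        host_labels, san_labels = hostname.split("."), san.split(".")
        return (len(host_labels) == len(san_labels)
                and host_labels[1:] == san_labels[1:])
    return hostname == san


def describe_cert(hostname, cert):
    """Summarise a getpeercert() dict: issuer org and whether it covers host."""
    issuer = dict(pair for rdn in cert["issuer"] for pair in rdn)
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"issuer": issuer.get("organizationName", "?"), "names": names,
            "covers_host": any(san_matches(hostname, n) for n in names)}


def fetch_cert(hostname, ip, port=443, timeout=5):
    """TCP-connect to `ip` but present `hostname` as SNI; return its cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def compare(hostname, public_ip, internal_ip, port=443):
    """Report what each path serves; a verify failure is itself a finding."""
    report = {}
    for path, ip in (("edge", public_ip), ("internal", internal_ip)):
        try:
            report[path] = describe_cert(hostname, fetch_cert(hostname, ip, port))
        except (ssl.SSLError, OSError) as exc:
            report[path] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    import sys  # usage: script.py app.example.com <public-ip> <npm-lan-ip>
    host, pub, lan = sys.argv[1:4]
    print("local resolver answers:", socket.gethostbyname(host))
    for path, info in compare(host, pub, lan).items():
        print(path, info)
```

If the local resolver answer is an edge IP rather than the NPM LAN address, the Pi-hole exclusion is not taking effect and internal clients will hit the tunnel path regardless of NPM's certificate.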

