In a growing homelab, managing services through raw IP addresses and port numbers quickly becomes a bottleneck for both security and usability, not to mention the constant browser warnings about insecure connections. My goal for this project was to move away from fragmented access such as 192.168.1.50:8123 and put an internal routing layer in front of everything. By deploying Nginx Proxy Manager (NPM) in conjunction with Cloudflare, I transitioned my stack to a host-based routing model that gives every service encrypted access with a valid, publicly trusted SSL certificate, without exposing any internal ports to the public internet.

Architectural Security via DNS-01 Challenges

A primary challenge in securing a local network is obtaining valid SSL certificates without opening the firewall to external traffic. To solve this, I used the ACME DNS-01 challenge. Unlike the standard HTTP-01 challenge, which requires the Certificate Authority to reach the host on port 80 for verification, DNS-01 proves control of the domain through DNS alone: Nginx Proxy Manager talks directly to the Cloudflare API using an API token, which should be scoped to DNS edit permission on that one zone and nothing more, since anyone holding it can obtain certificates for the domain.

NPM publishes a temporary TXT record at _acme-challenge.<hostname> in my domain’s zone to prove control. Once Let’s Encrypt has verified the record, the certificate is issued and the record is removed. The result is that every internal service, from Home Assistant to my n8n automation workflows, is reached over HTTPS with a certificate chained to a trusted Certificate Authority (CA), while no port on the network is open to the internet and the infrastructure stays “dark” to external scans. Two caveats are worth knowing. First, every certificate Let’s Encrypt issues is published to Certificate Transparency logs, so the hostnames (though not their internal addresses) are discoverable; a single wildcard certificate, which only DNS-01 can obtain, keeps individual service names out of those logs. Second, the encryption covers the browser-to-NPM leg; the hop from NPM to the backend is whatever the proxy host is configured to use, which for most homelab containers is still plain HTTP on the LAN.
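To make the proof concrete, here is a worked example of what the TXT record actually contains and how the CA checks it, following RFC 8555 (ACME) and the JWK thumbprint of RFC 7638. This is an added example, not code from the original post, from Nginx Proxy Manager or from Let’s Encrypt; the account key, token, zone contents and `ca_validates`/`dns01_txt_value` helpers are constructed for illustration. It also covers the wildcard case (`*.domain.net`), which DNS-01 handles by stripping the `*.` before prefixing `_acme-challenge`.

```python
"""Added example (not from the original post, NPM or Let's Encrypt):
what a DNS-01 challenge proves and how the CA validates it.
RFC 8555 s8.4: the client publishes
    TXT _acme-challenge.<name> = base64url(SHA-256(token "." thumbprint(account key)))
and the CA queries that name and looks for the expected digest.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, keys sorted,
    no whitespace. Optional members such as 'alg' or 'kid' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """Value the ACME client (NPM's certbot) must publish in the TXT record.
    Binding the CA-issued token to the account key means a copied record
    only helps whoever also controls that ACME account."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """_acme-challenge.<name>; for a wildcard the '*.' is dropped first,
    so '*.domain.net' is validated at _acme-challenge.domain.net."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return f"_acme-challenge.{identifier}"


def ca_validates(zone: dict, identifier: str, token: str, jwk: dict) -> bool:
    """The CA side: resolve the TXT record set and accept if the expected
    digest is among the strings (several may coexist during parallel issuance)."""
    expected = dns01_txt_value(token, jwk)
    return expected in zone.get(challenge_record_name(identifier), [])


# Constructed placeholders: not a real key, not a real token.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key_0123456789abcdefghijklmnopqrstuvwxyz",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Constructed view of the zone after NPM has pushed the record via the Cloudflare API.
ZONE = {
    challenge_record_name("frigate.domain.net"): [dns01_txt_value(TOKEN, ACCOUNT_JWK)],
}

if __name__ == "__main__":
    name = "frigate.domain.net"
    print("publish:", challenge_record_name(name), "TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print("CA accepts:", ca_validates(ZONE, name, TOKEN, ACCOUNT_JWK))
    print("wrong token:", ca_validates(ZONE, name, "not-the-token", ACCOUNT_JWK))
    print("wildcard name:", challenge_record_name("*.domain.net"))
```

The practical check this gives you: while an NPM certificate request is pending, `dig TXT _acme-challenge.frigate.domain.net` against a public resolver should return a 43-character base64url string, and it should be gone once issuance completes. If it lingers, the token’s DNS edit permission is working for creation but cleanup is failing.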

Optimizing Identity Management and Workflow Efficiency

Beyond the immediate security benefits of SSL, this transition solved a significant friction point in my daily operations: credential management. When multiple services share a single IP address on different ports, password managers such as LastPass key their saved entries on the hostname rather than the port, so they cannot tell the services apart. The result is a cluttered UI where I have to filter through dozens of unrelated credentials for the same host.

Mapping each service to its own subdomain, such as frigate.domain.net or portainer.domain.net, gave LastPass the distinct origin it needs to match an entry. This enabled:

  • Precision Autofill: Immediate recognition of service-specific credentials, eliminating manual searching.
  • Secure Origins: Browsers treat a valid HTTPS origin as a secure context, which unlocks modern web features (such as geolocation or clipboard access) that are often unavailable over plain HTTP or behind a self-signed certificate.
  • Scalable Onboarding: New services get a standardized, secure-by-default URL as soon as they are deployed, with no per-service certificate work.

This project shifts from a “hobbyist” setup to a systematic approach, where networking, security, and user experience are treated as a unified stack.

I ended up registering a domain with Cloudflare just for these internal sites; it doesn’t exist on the internet. By using the DNS Server built into my Synology Router, I was able to resolve all of these internally, only falling back to Cloudflare’s public DNS when it doesn’t find a match.