Introduction

A key goal of my homelab journey is to build and host services using infrastructure that I control.

For this project, I wanted to host my own WordPress website while keeping the underlying services inside my home network.

The objective was simple:

  • Host WordPress locally
  • Use my own domain
  • Provide secure HTTPS access
  • Avoid exposing my home network directly to the internet

The final result:

https://realmlabs.uk

running from my own infrastructure.


The Starting Point

The WordPress site was already running inside Docker and was accessible internally.

The challenge was making it publicly available without opening inbound ports on my router.

The traditional approach would be:

Internet
    |
Router Port Forward
    |
Home Server
    |
WordPress

However, this exposes services directly to the internet and requires maintaining firewall rules and certificates.

Instead, I chose Cloudflare Tunnel.


Why Cloudflare Tunnel?

Cloudflare Tunnel creates an outbound encrypted connection from my network to Cloudflare.

Instead of users connecting directly to my home server, the connection path becomes:

Visitor
   |
HTTPS
   |
Cloudflare
   |
Secure Tunnel
   |
Home Lab Server
   |
Docker
   |
WordPress

Benefits:

  • No port forwarding required
  • No exposed inbound services
  • HTTPS handled by Cloudflare
  • Home IP address remains private
  • Easy to publish additional services later

Creating the Cloudflare Tunnel

The first step was creating a tunnel within Cloudflare Zero Trust.

A new tunnel was created and named:

RealmLabs

Cloudflare provides a connection token which allows the local cloudflared service to establish the tunnel.


Running Cloudflared with Docker

Since the environment already uses Docker management tools, Cloudflared was deployed as another container.

Example Docker Compose configuration:

version: "3.8"

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    container_name: cloudflared
    restart: unless-stopped
    command: tunnel --no-autoupdate run --token YOUR_TUNNEL_TOKEN

The tunnel token is kept private and should never be published.

Once deployed, the container logs confirmed that the tunnel successfully connected to Cloudflare.


Publishing the WordPress Application

After the tunnel was online, a published application route was created.

The route connects the public domain:

realmlabs.uk

to the internal WordPress service.

Example:

Public hostname:
realmlabs.uk

Service:
HTTP

Origin:
internal-wordpress-host:8082

Cloudflare then handles incoming HTTPS requests and forwards them securely through the tunnel.


Configuring WordPress for HTTPS

After the tunnel was configured, the website was accessible externally.

However, WordPress still believed it was running from its original internal address.

This caused incorrect links and HTTPS warnings.

The WordPress site configuration was updated:

WordPress Address:
https://realmlabs.uk

Site Address:
Realm Labs | Technology, Projects & Guides

After saving the changes, WordPress correctly generated secure HTTPS links.


Final Architecture

The completed design:

Internet
    |
    |
Cloudflare
    |
    |
Cloudflare Tunnel
    |
    |
Home Lab Server
    |
    |
Docker
    |
    |
WordPress

The website is now publicly accessible while the application remains securely hosted inside the home network.


Future Expansion

The same approach can be used to publish additional homelab services.

Examples:

realmlabs.uk              Main website
blog.realmlabs.uk         Blog
projects.realmlabs.uk     Project documentation
ha.realmlabs.uk           Home Assistant
grafana.realmlabs.uk      Monitoring

Cloudflare Tunnel provides a secure foundation for expanding a self-hosted environment without exposing the entire network.

This setup forms the foundation for future RealmLabs projects and documentation.

Leave a Reply

Your email address will not be published. Required fields are marked *