What kind of service are you running that you need to proxy it over port 80 or 443 and not directly use some of the supported and compatible ports with the Cloudflare proxy as listed in the article below?
Using a cloudflared tunnel, you can close ports on the host or network equipment; therefore the service can listen and be bound to the port (e.g. only on localhost) while no one from outside can ping the port.
Furthermore, if you don’t have a public static IP I don’t see the need to port forward at all, which might cause issues and closed connections from your ISP if they don’t allow such a thing or support port forwarding on your router.
If you’re going to use a cloudflared tunnel, the solution is to bind it to the localhost IP address and use the desired port. Then close the port on the router.
I’d suggest creating and running a tunnel via the dashboard (remote):
Sounds like a configuration error on the origin, either the web server or what’s behind Nginx Proxy Manager?
Nginx requires ports 80 & 443 to be publicly accessible, then an A record on the domain for *.example.com, but as 80 & 443 are the HTTP and HTTPS ports it’s a weakness on the network.
This is why I want to setup Cloudflare tunnels so no ports are open.
I know Cloudflare tunnels act like a reverse proxy, but when I add all of my items that are in Nginx Reverse Proxy Manager I get the same error, 502. This is the main reason why I want to continue using Proxy Manager, as I know this works with the services that I run.
How did you define your domain/website to listen, via a vhost or nginx conf file?
Exactly.
The hostname/website, e.g. app.example.com, can listen on port 80 and/or 443 on all IPs, even 0.0.0.0.
You can install UFW and block access to all incoming ports.
It’ll work locally only from this point - only when you test and access localhost on your device.
Install cloudflared tunnel, remotely managed.
Enter a desired public hostname such as app.example.com:443 if app.example.com is bound and listening over 443 on localhost.
Double-check whether you’ve got an SSL certificate or not (best case: use a Cloudflare Origin CA certificate), and make sure to use the noTLSVerify option (if no SSL is installed at the origin) for HTTPS on your public hostname.
The website will resolve over HTTPS, with no public IP exposed and no open ports on your device to the public internet when you check with Nmap or any online tool.
No need for Nginx Proxy Manager if you’re already running Nginx, from what I understand? Could be I am wrong.
This is how I have it set up at the moment
The CF Tunnel is set up on the NPM server and public hostnames are set up for HTTP and HTTPS traffic to forward to the NPM server
The NPM server should then forward Cloudflare requests for any domain to NPM, e.g. status.example.com will resolve locally to 192.168.1.50 and, say, proxy.example.com to 192.168.1.51
I haven’t used it, so I hope it does; maybe that’s the catch here
A small suggestion: instead of * (apex, wildcard) add either www.example.com (the real domain) and/or example.com, or any other sub-domain which is actually working and bound to 127.0.0.1 (via 80 and/or 443) on localhost in the nginx.conf or .vhost file.
If there’s a host/device with this address, or NPM makes it work like that, yes.
In such a case, you should consider using the 192.xxx.xxx.xxx IP addresses instead of 127.0.0.1, except when you run netstat -tulnp and you do see the services/apps listening on all IP addresses (network card interfaces) such as 0.0.0.0, 127.0.0.1, 192.168.xxx.xxx with the desired port(s).
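The two checks the thread keeps coming back to (is the origin actually listening where the tunnel's public hostname points, and is it bound only to localhost or a LAN address rather than to every interface) can be scripted. The following is an added example, not code from the thread or from Cloudflare: it parses `netstat -tulnp` style output and compares it against a hostname-to-origin mapping like the one entered per public hostname in the dashboard. The netstat lines, the hostnames, the LAN address and the port numbers are all constructed, and the rule that port 443 means an HTTPS origin (where noTLSVerify matters) is an assumption taken from the thread's own convention.

```python
import re
from collections import namedtuple

# A single listening socket as reported by `netstat -tulnp` / `ss -tulnp`.
Listener = namedtuple("Listener", "proto addr port process")

# Constructed sample in the layout of `netstat -tulnp` output; not a capture from any real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:443           0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 0.0.0.0:81              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 192.168.1.50:3000       0.0.0.0:*               LISTEN      2222/uptime-kuma
tcp6       0      0 :::80                   :::*                    LISTEN      1234/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           900/dhclient
"""

# Hypothetical public hostname -> origin (host, port) pairs, the same mapping the cloudflared
# dashboard asks for per public hostname. Assumed values, not the thread's real setup.
INGRESS = {
    "app.example.com": ("localhost", 443),
    "npm.example.com": ("localhost", 81),
    "status.example.com": ("192.168.1.50", 3000),
    "missing.example.com": ("localhost", 8080),
}

# proto, recv-q, send-q, local addr:port, foreign addr, optional LISTEN state, pid/program
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$"
)


def parse_listeners(text):
    """Parse netstat/ss style lines into Listener records; header and unrelated lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return listeners


def classify(addr):
    """'loopback' is reachable only from the host itself; 'wildcard' (0.0.0.0 / ::) is every interface."""
    if addr in ("127.0.0.1", "::1"):
        return "loopback"
    if addr in ("0.0.0.0", "::"):
        return "wildcard"
    return "interface"


def reachable(target_host, port, listeners):
    """TCP listeners that would answer cloudflared connecting to target_host:port from this machine."""
    want_loopback = target_host in ("localhost", "127.0.0.1", "::1")
    hits = []
    for lst in listeners:
        if not lst.proto.startswith("tcp") or lst.port != port:
            continue
        kind = classify(lst.addr)
        if kind == "wildcard" or (want_loopback and kind == "loopback") or lst.addr == target_host:
            hits.append(lst)
    return hits


def audit(ingress, listeners):
    """Per public hostname: 'ok' (origin answers on a restricted bind), 'exposed' (answers, but also
    on all interfaces, so the port still needs UFW/router blocking) or 'not-listening' (tunnel gives 502)."""
    report = {}
    for hostname, (host, port) in ingress.items():
        hits = reachable(host, port, listeners)
        if not hits:
            report[hostname] = "not-listening"
        elif any(classify(h.addr) == "wildcard" for h in hits):
            report[hostname] = "exposed"
        else:
            report[hostname] = "ok"
    return report


def wildcard_listeners(listeners):
    """(proto, port) pairs bound to all interfaces: the ones to deny inbound in UFW or on the router."""
    return sorted((lst.proto, lst.port) for lst in listeners if classify(lst.addr) == "wildcard")


def service_url(host, port):
    """Origin URL as typed in the dashboard. Assumption: port 443 means an HTTPS origin, which is
    where noTLSVerify applies when the origin certificate is not publicly trusted."""
    scheme = "https" if port == 443 else "http"
    return f"{scheme}://{host}:{port}"


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_NETSTAT)
    for hostname, status in audit(INGRESS, listeners).items():
        host, port = INGRESS[hostname]
        print(f"{hostname:22} -> {service_url(host, port):28} {status}")
    print("ports open on all interfaces:", wildcard_listeners(listeners))
```

Run it against real output by piping `netstat -tulnp` (or `ss -tulnp`, whose columns differ and would need the regex adjusted) into `parse_listeners`. A "not-listening" result is the local explanation for a 502 from the tunnel; an "exposed" result means the tunnel works but the same port also answers on the LAN or WAN interface, which is exactly what the UFW deny-all-incoming step and closing the router port are for.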