Jump to content

HOW TO: Recommended Cloudflare Settings


pir8radio

Recommended Posts

2 hours ago, pir8radio said:

but yea it caused me headache in the beginning..    emby changed something, and the js was trying the old location because it was an old js file..   took me a bit to figure it out..  🙂   

I had some of those "WTF" moments myself. :)

Link to comment
Share on other sites

Spaceboy

that may also explain some of the historical issues i have had with CF and caching, although that was really to do with the 'arr's. i need to look at this advice and implement soon as well, thanks @pir8radio

  • Thanks 1
Link to comment
Share on other sites

@pir8radio and I both came at this differently I guess you could say without a template to work from and have both found all almost identical settings that work.

Every once in a while Cloudflare makes some change (documented on not) that requires a tweak but other than that, these settings just flat out work.

I'm currently running a couple Emby Servers through Cloudflare both tunneled and not tunneled on the same domain name.

  • Agree 1
Link to comment
Share on other sites

Flexeire

This guide just saved my ass

All iPhone, iPad, Apple TV, Fire tv and Smart tv users could not scrub, or resume playback correctly when the CF CDN was enabled. 

It was fine without it, but the peering was still bad.

After following this guide the issue is now resolved!! instantly resolved. I had no idea CF was doing some weird caching of the Video as default that was screwing with the playback.

 

Interesting the issue did not persist on Android TV apps, or web browsers.

 

PS. Still don't see any HIT's showing in cf-cache-status yet, but like you said could take a while to show up

Edited by Flexeire
  • Like 1
Link to comment
Share on other sites

I'm not getting any hits at all. My Emby is on emby.mydomain.net how should I write my rules?

 

24 hours later not a single hit

Edited by Pog22
Link to comment
Share on other sites

  • 2 weeks later...
igeoorge

Hi friends,

Did you get the email from cloudflare talking about WAF?

A snippet of the email:

"As you may know, a zero-day exploit affecting the popular Apache Log4j utility (CVE-2021-44228) was made public on December 9, 2021 that results in remote code execution (RCE).

For all organizations using Log4j, you should update to version 2.15.0 as soon as possible. The latest version can be found at the Log4j download page.

As a Cloudflare WAF customer, if the WAF is deployed on your traffic, you are automatically receiving mitigation against exploit attempts.

Three newly deployed rules are already in place and were switched to a default action of BLOCK as of 14:15 UTC today."

 

I'm a little lost. Should we do something on cloudflare?

Link to comment
Share on other sites

crash1015

I have a feeling that email we got was mostly for big business. I don't think it has to do with our small servers. But anyone can correct me if I'm wrong as I'm curious as well.

Link to comment
Share on other sites

It's just letting you know about a common exploit that's been found that does affect many people.

Unless you're running those apps you have nothing to worry about with a typical Emby or Emby/NGINX setup.

  • Thanks 1
Link to comment
Share on other sites

kennsann

Is it possible to ask for the nginx config you use?

Nvm, found this


Thanks for your work and sharing.

Edited by kennsann
  • Thanks 1
Link to comment
Share on other sites

henryford

One thing to add: If you use Chrome to check whether the rules are working correctly, make sure to check the little checkbox "Disable cache" on top of the Network tab in the devtools. Otherwise chrome might just serve you content from its local cache.

 

Other than that: Thanks for the guide :)

  • Like 1
  • Agree 1
  • Thanks 1
Link to comment
Share on other sites

  • 4 weeks later...
troyhough

@pir8radio @cayars

Can you guys make new screenshots and/or merge all current settings that are optimal in the first post then keep it up to date going forward so  people aren't forced to read the entire thread now and in the future? Just a thought. Thanks for all the hard work!

  • Like 1
Link to comment
Share on other sites

I haven't looked at it in a bit but I'm pretty sure he does keep it up to date.
There are a couple settings that could be set different ways and not hurt anything but others that must be set a specific way to work correctly.

I took a quick look at most of the important settings in your setup and changed the ones I knew needing changing but it would be a good idea to compare each screen to what he has.
Send me a PM with any difference, just so I'm aware as well.  You can always post a question in that thread as well for clarification or questions on any settings.

Link to comment
Share on other sites

troyhough

Just a heads up when it's set up this way, ALL traffic is sent out of your WAN and back to you instead of being just sent/received locally through the LAN. I had to go into my 2 primary Android TV devices and forget the server and re-enter using the local IP to force it to work via LAN. This is ok but whenever I travel and bring one of my devices with me I have to go in and forget the server and re-enter the login information using the https://....... Then when I return I need to go back, forget the server, re-enter the local IP info.

@Luke @ebr Hopefully Emby will detect the server on the LAN and route traffic directly in the future if that is possible!?!?

Link to comment
Share on other sites

6 minutes ago, troyhough said:

Just a heads up when it's set up this way, ALL traffic is sent out of your WAN and back to you instead of being just sent/received locally through the LAN. I had to go into my 2 primary Android TV devices and forget the server and re-enter using the local IP to force it to work via LAN. This is ok but whenever I travel and bring one of my devices with me I have to go in and forget the server and re-enter the login information using the https://....... Then when I return I need to go back, forget the server, re-enter the local IP info.

@Luke @ebr Hopefully Emby will detect the server on the LAN and route traffic directly in the future if that is possible!?!?

We already do that. Make sure the correct local and remote addresses are displayed on your server dashboard. I think one limitation of the android tv app is that it won't be able to change addresses while the app is open, so the app will need to be restarted. But our standard android app will respond to network changes on the fly.

Link to comment
Share on other sites

troyhough
13 minutes ago, Luke said:

We already do that. Make sure the correct local and remote addresses are displayed on your server dashboard. I think one limitation of the android tv app is that it won't be able to change addresses while the app is open, so the app will need to be restarted. But our standard android app will respond to network changes on the fly.

Is this what you are talking about? From the verbiage it sounds like Emby already presents the correct IP to apps and if it's left blank the server will automatically detect the local IP?

Capture.JPG.0fd3789689ad937d55c34eb7f5dc1b9d.JPG

Edited by troyhough
Link to comment
Share on other sites

  • 3 weeks later...
rodainas
16 minutes ago, vmcosco said:

These cache settings would NOT apply if I am only using Cloudflare for DNS Only (grey cloud) at this point right?

Correct

  • Agree 1
Link to comment
Share on other sites

  • 4 weeks later...
atropa
On 2/26/2022 at 12:10 AM, pir8radio said:

UPDATE MADE TO POST #1 PLEASE REVIEW.
 

 

What service would you recommend other than Cloudflare, which offers similar services.
You can actually only use a vpn, right?
Link to comment
Share on other sites

pir8radio
7 hours ago, atropa said:
What service would you recommend other than Cloudflare, which offers similar services.
You can actually only use a vpn, right?

yea not a lot of services (free) that let you proxy through them.  There are plenty of free CDN's but they do not hide your server IP...   

Link to comment
Share on other sites

atropa
40 minutes ago, pir8radio said:

yea not a lot of services (free) that let you proxy through them.  There are plenty of free CDN's but they do not hide your server IP...   

Too bad. Cloudflare had everything I need. And it was easy xD. Haven't had any problems with videos so far.
Are you still using Cloudflare at the moment?
Link to comment
Share on other sites

pir8radio
On 3/5/2022 at 9:00 AM, atropa said:
Too bad. Cloudflare had everything I need. And it was easy xD. Haven't had any problems with videos so far.
Are you still using Cloudflare at the moment?

yes i am..    I don't know what "gets people caught"  not sure what they are looking into..   I know their terms say something like "disproportional amount" of video vs html, I also run some crypto stuff that does like 7 million requests a day that might be camouflaging my video stuff.. lol  🙂 

Link to comment
Share on other sites

  • 2 weeks later...
redrobot2121

is there any way to server the only video directly from the origin server but everything else should be proxied ??? 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...