HOW TO: Recommended Cloudflare Settings


pir8radio

darkassassin07

If you forward a different wan port to your server (8096 for example), can you reach your server through that?

 

My previous internet connection blocked hosting on port 80, but every other port I tried worked. I've heard of other ISPs blocking some incoming ports but not others.


vaise

Also, has your ISP changed to CGNAT?  As that would also cause this as you can’t port forward with CGNAT.

 

CF with proxy DNS ticked will only forward 443, so do all testing with that turned off.


crusher11
4 minutes ago, vaise said:

Also, has your ISP changed to CGNAT?  As that would also cause this as you can’t port forward with CGNAT.

They use CGNAT by default, but I specifically opted out when signing up. That my IP remains the same as what I set up in CloudFlare indicates they haven't changed anything on me.

4 minutes ago, vaise said:

CF with proxy DNS ticked will only forward 443, so do all testing with that turned off.

I'm not sure I follow. If I'm testing IP:PORT then CF settings are irrelevant, surely? Either way, yes, it's currently DNS only.


vaise

CF only proxies 80 and 443 traffic, I thought.  Hence turn off proxy until you get comms to your open port working.


vaise

Could they have turned cgnat back on by accident or design?


crusher11
40 minutes ago, vaise said:

Could they have turned cgnat back on by accident or design?

I still have the same IP address, so it seems unlikely.


vaise

Gotta be the port forward is not working then.  Have you tried restarting your router?


vaise

Is there any sort of firewall active on your emby server?


crusher11
3 minutes ago, vaise said:

Is there any sort of firewall active on your emby server?

I'm not sure? It's running through CloudFlare and NGINX, I don't think there's anything else in there.


unisoft

Are the exclusions still similar to:

yourdomain.net/*videos/*/*

yourdomain.net/*items/*/images/*

as when I look in emby's server logs I see paths which makes me think it should be:

 

yourdomain.net/emby/*videos/*/*

yourdomain.net/emby/*items/*/images/

Anyone who knows, would be grateful :)


vaise

Would that not depend on if you are using subdomains or not ?

Mine are :

[screenshot]


vaise
On 06/03/2024 at 01:13, unisoft said:

Are the exclusions still similar to:

yourdomain.net/*videos/*/*

yourdomain.net/*items/*/images/*

as when I look in emby's server logs I see paths which makes me think it should be:

 

yourdomain.net/emby/*videos/*/*

yourdomain.net/emby/*items/*/images/

Anyone who knows, would be grateful :)

It's only video you are excluding - and in my experience, if this is not excluded and goes through CF cache - then things take 20-30 seconds to start.

This was from testing when these had to be changed with @pir8radio a long time ago now (year back).  He ran tests on my system, viewed the chrome debug, and we made the changes until the cache was not there for videos, then the files played back immediately.

That said - I have swag sitting ready to take over in case I am blocked.....


vaise

That’s fine.  
But you are not getting any benefit of your emby jpg’s, images etc being distributed to all their end servers so closer to remote users.  

However when I ran with no caching (just a tick box so no need for a different port), I never noticed much of a difference from the users.


CFC

Yes, I didn't notice much if any difference cached or not cached.

Correct, I can tick to un-proxy, but I like to use their firewall features and filter my incoming connection to CF ip's only on my end.

It's just another option for those who may not be aware.

CFC

 


vaise
1 hour ago, CFC said:

Yes, I didn't notice much if any difference cached or not cached.

Correct, I can tick to un-proxy, but I like to use their firewall features and filter my incoming connection to CF ip's only on my end.

It's just another option for those who may not be aware.

CFC

 

I did not mean untick the proxy (very bad), but there is a screen to disable all caching - just a switch on what you want cached.  If I think there are CF issues, I click that off, then flush cache and see if any issues still - that's how we found that CF roles slightly changed and the cached files needed updating for emby.

But as you say - it really does not seem to make much, if any difference - in the user poll I did.  

I also swapped to my 'disaster' plan if CF block me - untick the proxy, re-open the 443/80 port forwards (as I use tunnels now) and start up my swag reverse proxy - and still the users did not notice any differences in speed of browsing libs etc.

Caching level :

[screenshot]

 


  • 1 month later...
HorsePDF

I finally got some time to try and move away from hosting Emby directly and use Cloudflare - I came up with something today that serves nearly all requests via Cloudflare, but goes directly for the actual video streaming, which I posted here:

This works for me because I don't have restrictions on my home internet connection, if you are using CF tunnels to avoid CGNAT then this won't help - but if you just want to use Cloudflare auth/caching/security then it may be valuable for you.

 


vaise
2 hours ago, HorsePDF said:

I finally got some time to try and move away from hosting Emby directly and use Cloudflare - I came up with something today that serves nearly all requests via Cloudflare, but goes directly for the actual video streaming, which I posted here:

This works for me because I don't have restrictions on my home internet connection, if you are using CF tunnels to avoid CGNAT then this won't help - but if you just want to use Cloudflare auth/caching/security then it may be valuable for you.

 

Nice 1.  A bit technical for most - but great nonetheless..


KegTapper

Great write-up!!!!

I'm on cgnat and still plugging away with a tunnel averaging 150gb per month. 


  • 1 month later...
shoodidagen

Hi @pir8radio

I think there have been some changes since this was last updated. There's no longer a section 2.8 on Cloudflare's TOS (only goes to 2.7 then onto section 3).

Some of the options have been Deprecated, and I can't work out how to configure the rules as there are Lots of options to choose from (Page Rules is also Deprecated).

Are you able to help me please?

Thank you

 

 

On 05/11/2021 at 16:59, pir8radio said:

Cloudflare and emby

Config Version 1.0.0
Last Update 02-25-2022
Update by Pir8Radio

 

** UPDATE:  I AM HEARING OF EMBY USERS GETTING VIDEO FILES BLOCKED WHEN USING CLOUDFLARE (FREE TIER).  IF THIS IS THE CASE, I NO LONGER RECOMMEND USING CLOUDFLARE.   

Even with the cache bypass rules, your video still passes through their system and is technically against their TOS.   Use CloudFlare at your own risk if you choose to continue.   I'll update if I get more info.  Please post in this thread if you find you have video loading/playing/downloading issues while using cloudflare or have received an email from them about this.  

 

MESSAGE FROM CLOUDFLARE:  Free, Pro, and Business Plans serving videos or a disproportionate amount of non-HTML content can be in violation of Section 2.8 of the Self-Serve Subscription Agreement (TOS).

 

This will turn into a full Cloudflare how-to.  Others are welcome to edit this or PM me with suggestions..   However right now I'm just going to post some recommended settings for people who already have Cloudflare setup.

 

There are a few cloudflare settings that break emby, some break it in obvious ways, some only certain apps in certain situations..   These are the settings I found that work well as of today. I'll try to maintain this post and update the header info should new features come out, or the community discovers better settings than these. 

As of today, these are the settings available to us in Cloudflare FREE account:

[screenshot]

 

First disable the two main things that will break emby,  go to the "Speed" tab then "Optimization" sub-tab.

DISABLE Auto Minify and Rocket Loader!  (screen shots are in the recommended state)

[screenshots]

 

 

Other options on this settings page are optional to enable, I suggest enabling Brotli compression.   It's a good thing. 


 

Now head over to the "Caching" tab and select the "Configuration" sub-tab.

Set your Caching settings as shown below. 

[screenshot]

 

THIS IS OPTIONAL:

[screenshot]

Other settings in this settings tab are optional to whatever you like.  I have "Always Online" enabled, it's kind of a neat feature that caches as much of your emby server as it can in case your server is down, users will at least see an emby splash screen, that's usually about it, but it's something... kind of useless otherwise.  Handy if you have other websites, it will totally cache normal html websites and users can continue to use your cached site when you have a web server outage.

 

Next head over to the "Rules" tab.

Create these two rules:

Rule #2 here we will bypass caching 99% of all video.   Caching the video will actually slow down the client experience.  It screws with the chunks and often times has to fully cache 1 chunk before cloudflare sends it to the client, causing playback delays. 

Rule #3 here will cache all images on the edge servers for 30 days.   We need this rule, because cloudflare only caches known file urls, like    picture.jpg or poster.png  emby serves up webp images with NO EXTENSION so cloudflare doesn't know to cache these items.   But 99% of emby images come from the /items/XXXXXX/images directory so we will just force cache everything that comes from this URL,  it should be only images.        Keep in mind when you enable this it can take some time to build up cache..   emby serves up different sized images based on browser screen size, apps, etc..   so if you load a page that is minimized to a small window on your desktop emby will serve smaller sized images, if you make your browser full screen, now emby will serve up larger images and those images may load slow the first few times until they get cached too.        Go below this screenshot and I'll show you how to check if caching is working.  

[screenshot]

 

Check to see if Cloudflare Caching is working

Well, how do you know Cloudflare is doing its thang'?    Use a browser like chrome,  or the new Microsoft edge (which is just a rebranded chrome).  Open the browser, right click in the browser window and go down to "Inspect" (there is an F key for this too I forget what it is, I should add that here lol).  Once the dev window pops up adjust it so you have a good view on the right, click the "Network" tab,  hit the reload button on whatever page you are on so some info populates on the right dev screen.  You should see something similar to this:

[screenshot]

Right click on the table header (Name, Method, Status, Protocol)   anywhere, just right click the "Name" one.   Go down to "Response Headers"  then "Manage Header Columns".   A little window will pop up hit "Add custom header..."  and then add this header:   cf-cache-status 

Now select the little sub tab that says "all" 


 

now surf your way to your emby server,    and you should see something like the below screenshot.   

Hit is well..... a hit!   this image came from cloudflare and was never requested from your emby server, saving you from sending this image to the client, saving time and bandwidth. 

MISS is also kind of obvious,  it was a miss, either due to never being cached yet (first time Cloudflare has seen this image or document) if you hit refresh a few times, cloudflare will then cache it and it will turn to HIT. 

BYPASS I'm actually not sure why my server is returning server 500 errors below, this image is being called for by emby clients but the server has no image to serve, but usually you should only see BYPASS on playing videos if your rules above are correct.   Or in my case, a server error will not be cached.

DYNAMIC this is also a NO HIT response.  This is usually due to Cloudflare knowing this resource changes a lot and doesn't want to cache it so your clients don't get served stale data, or it's a video, websocket, or some other format Cloudflare's great automated intelligence deems it should not be cached.

[screenshot]

That is the basics that will save you a lot of headache and blaming emby for things not working..    There are lots of cool options to enable outside of these basic settings above, ask questions here, send ideas that maybe I have missed that work great for you..    I just wanted to throw this up due to a lot more of you guys using Cloudflare. 

 

In the end you should start to see more "HIT" responses...   and a noticeably faster loading time for the clients, less bandwidth usage for your emby server,  and everyone is happy..   Well.....  within reason....

Link to comment
Share on other sites
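An added example, not code from any post in this thread: it takes the two URL patterns quoted above, treats `*` as matching any run of characters including `/` (an assumption about the rule matcher), and audits `cf-cache-status` values copied from the Network tab against what each rule should produce. The function names and the sample URLs and statuses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Patterns as quoted in the thread, with the behaviour the how-to gives each rule.
RULES = [
    ("yourdomain.net/*videos/*/*", "bypass"),       # video must not be cached
    ("yourdomain.net/*items/*/images/*", "cache"),  # images cached at the edge
]
# Statuses (from the how-to) that are consistent with each action.
EXPECTED = {"bypass": {"BYPASS", "DYNAMIC"}, "cache": {"HIT", "MISS"}}

def matches(pattern, url):
    """Wildcard match on host + path + query; '*' is any run of characters."""
    parts = urlsplit(url)
    target = parts.netloc + parts.path + ("?" + parts.query if parts.query else "")
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, target) is not None

def rule_for(url):
    """Action of the first rule whose pattern matches the URL, else None."""
    for pattern, action in RULES:
        if matches(pattern, url):
            return action
    return None

def audit(observations):
    """Return (url, status, reason) for responses that contradict the rules."""
    findings = []
    for url, status in observations:
        action = rule_for(url)
        if action and status.upper() not in EXPECTED[action]:
            reason = f"{action} rule matched but cf-cache-status is {status}"
            findings.append((url, status, reason))
    return findings

# Constructed sample: request URL and cf-cache-status as read in dev tools.
SAMPLE = [
    ("https://yourdomain.net/emby/videos/1001/stream.mkv", "BYPASS"),
    ("https://yourdomain.net/videos/1002/original.mp4", "HIT"),
    ("https://yourdomain.net/emby/items/55/images/primary", "MISS"),
    ("https://yourdomain.net/emby/items/56/images/backdrop", "DYNAMIC"),
    ("https://yourdomain.net/emby/system/info/public", "DYNAMIC"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Under this matching, the leading `*` already covers an `/emby/` prefix, while a pattern that ends at `images/` with no trailing `*` does not match an image URL such as `.../images/primary`.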
