HOW TO: Recommended Cloudflare Settings

[Happy2Play 7747]

Troubleshooting for another user, but what would cause a mp4 to download file then play and a mkv to direct play/steam?

[avitali 0]

Thanks for the guide! Is the second rule (Bypass cache) still valid? It seems to me, when I play a video, it never says /*videos/* it only ever says /*videoosd/*. Shouldn't 'videoosd' be what to put in the rules?

[pir8radio 1266]

On 4/16/2022 at 4:38 PM, avitali said:

Thanks for the guide! Is the second rule (Bypass cache) still valid? It seems to me, when I play a video, it never says /*videos/* it only ever says /*videoosd/*. Shouldn't 'videoosd' be what to put in the rules?

@Luke anything change here?     do you have a screenshot showing this videoosd?

I just checked, no, its videos still:

Edited May 1, 2022 by pir8radio

[Luke 33666]

videoosd is the web app html url that you see in the browser. /videos is the video api url, so I think this is still valid.

[Flamez 0]

I just read this thread and I was wondering what similar alternatives are for using Emby on the internet since Cloudflare does not allow videos? 

Thank you.

[Turbofiero 3]

For me, it would seem the rules have to be in the reverse order as to what youve posted... unsure why, but if I do it as posted cf-cache-status stays dynamic for all images, but changing order I get miss/hit

Nonetheless thanks for the post!

[vaise 209]

I have been using cloudflare and nginx for ages with no issue.  @pir8radio's config pretty much.  No changed for ages.

Tonight my users cant connect.  Emby cant connect.  my sonarr/radarr also cant connect, so not an emby issue.

I get a 400 Bad Request.  The SSL certifate error below that and nginx below that.

I have restarted nginx, checked its logs etc etc - 

I dont know if this is a cloudflare issue at all ?

This has all just worked for me, so when it goes bad, I have no idea where to look.  Any ideas on the below errors from the nginx logs :

2022/05/31 23:04:45 [error] 386#386: *213 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.133.229:80
2022/05/31 23:04:46 [error] 386#386: *216 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:04:48 [error] 386#386: *218 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:85e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:85e5]:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:10 [error] 386#386: *220 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:29 [crit] 386#386: *224 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:30 [error] 386#386: *224 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80

 

For now to fix this, I have commented the OCSP Stapling stuff in the conf file as such :

# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_stapling_responder http://ocsp.cloudflare.com/;
#ssl_trusted_certificate /config/nginx/cf-certs/trusted-chain.pem;
# my cert + cloudflare certs combined in 1 file
#ssl_ocsp on;
#ssl_ocsp_responder http://ocsp.cloudflare.com/;
#ssl_ocsp_cache shared:OCSPCache:20m;

 

If anyone has an idea of why this started happening ?

 

Edited May 31, 2022 by vaise

[pir8radio 1266]

On 5/31/2022 at 8:07 AM, vaise said:

I have been using cloudflare and nginx for ages with no issue.  @pir8radio's config pretty much.  No changed for ages.

Tonight my users cant connect.  Emby cant connect.  my sonarr/radarr also cant connect, so not an emby issue.

I get a 400 Bad Request.  The SSL certifate error below that and nginx below that.

I have restarted nginx, checked its logs etc etc - 

I dont know if this is a cloudflare issue at all ?

This has all just worked for me, so when it goes bad, I have no idea where to look.  Any ideas on the below errors from the nginx logs :

2022/05/31 23:04:45 [error] 386#386: *213 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.133.229:80
2022/05/31 23:04:46 [error] 386#386: *216 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:04:48 [error] 386#386: *218 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:85e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:85e5]:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:10 [error] 386#386: *220 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:29 [crit] 386#386: *224 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:30 [error] 386#386: *224 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80

 

For now to fix this, I have commented the OCSP Stapling stuff in the conf file as such :

# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_stapling_responder http://ocsp.cloudflare.com/;
#ssl_trusted_certificate /config/nginx/cf-certs/trusted-chain.pem;
# my cert + cloudflare certs combined in 1 file
#ssl_ocsp on;
#ssl_ocsp_responder http://ocsp.cloudflare.com/;
#ssl_ocsp_cache shared:OCSPCache:20m;

 

If anyone has an idea of why this started happening ?

 

so you have an ssl cert on nginx, and one in cloudflare..  both certs are valid and not expired?

[vaise 209]

I suspect it is an ocsp issue.  There are some google searches that match whereby the ocsp end has to do something.  I am just back from a trip so will have a play over the next few days.  I set this up years back and have had a stroke since so will have to go through my documentation to remember it all.

[vaise 209]

12 hours ago, pir8radio said:

so you have an ssl cert on nginx, and one in cloudflare..  both certs are valid and not expired?

Howdy @pir8radio - been a while since we worked on that cloudflare caching issue together - I notice you are still a user on my system - (but I firewall USA again)

To answer your questions -

I have the cloudflare provided origin server certificate (2034 expiration).

I have the cloudflare provided authenticated origin pulls client certificate (checked it is still the latest as it was updated in 2020).

Further research today seems to indicate that this ocsp stappling stuff is only needed in NGINX if you are NOT using cloudflare, and they have implemented it in the edge certificates themselves.  This may explain why on www.ssllabs.com/ssltest and www.digicert.com/help/ they both are happy that stapling is still activated even though I have th sections commented out.  

So in summary - that ocsp section (an artifact from pre cloudflare)  which it seems was happy doing nothing all of a sudden was broken (likely at CF end as no changes my side).

 

[Flamez 0]

I am new to using Cloudflare and using the suggested settings on page one of this thread I am seeing the following on the analytics page.  I am using the free setup and wondering if I would be charged for any bandwidth usage?

Cached Bandwidth

Previous 24 hours

3.95 kB

Uncached Bandwidth

Previous 24 hours

360.01 MB

 

Edited June 12, 2022 by Flamez

[muzicman0 56]

I'm clearly not doing something right!  I use https://stream.mydomain.com to access Emby from a Cloudflare tunnel (Argo tunnel?).

Here are my rules:

*.mydomain.com/*Items/*/Images/*
Cache Level: Cache Everything, Edge Cache TTL: a month
Enabled

*.mydomain.com/*videos/*/*
Cache Level: Bypass

But I get all either miss or dynamic. 

[vaise 209]

Has anyone got BunnyCDN working with emby ?

I signed up for the free account (14 days), but if it works and videos can be ignored from their cache, it will cost hardly anything per month (they do have a $1/month minimum charge).  I expect my image cache etc to use only 15c of that!!!  I calculated what went through CF in even if they cached my video's too, it would still be about $15/month.

The things I have found - After support emails

1 - They do not hide the IP address like CF does.  That will be a later solution when they have their DNS whole site solution up and running (beta currently) - this will be more like CF then.

2 - The CF page rules we use in emby to exclude video caching - Bunny instead do that by file extension in their edge rules.  If I can get a list of emby video file extensions, that would be good.

3 - I thought I could test on a dummy subdomain from CF, however as you have to turn off the CF caching on the DNS record, then you get an error as HSTS is enable for the site, and cant therefore connect like this.  I need to use a different non CF domain, with a different nginx container to continue playing with this. 

 

[Luke 33666]

On 8/5/2022 at 11:07 PM, vaise said:

Has anyone got BunnyCDN working with emby ?

I signed up for the free account (14 days), but if it works and videos can be ignored from their cache, it will cost hardly anything per month (they do have a $1/month minimum charge).  I expect my image cache etc to use only 15c of that!!!  I calculated what went through CF in even if they cached my video's too, it would still be about $15/month.

The things I have found - After support emails

1 - They do not hide the IP address like CF does.  That will be a later solution when they have their DNS whole site solution up and running (beta currently) - this will be more like CF then.

2 - The CF page rules we use in emby to exclude video caching - Bunny instead do that by file extension in their edge rules.  If I can get a list of emby video file extensions, that would be good.

3 - I thought I could test on a dummy subdomain from CF, however as you have to turn off the CF caching on the DNS record, then you get an error as HSTS is enable for the site, and cant therefore connect like this.  I need to use a different non CF domain, with a different nginx container to continue playing with this. 

 

@Flintfamily and @kikinjo  and @enqbcvqw may have some BunnyCDN tips.

[vaise 209]

How many cloudflare users of emby are in use I wonder ? would be good to know.  

I am a little worried about what @pir8radiosaid about users being blocked from videos.

I would hate for that to happen to me while I am overseas (going for 2 months).  Not for me watching, but for me having to fix it remotely under pressure from friends and family.

With that in mind, I started a parallel 'backup' system.

Bunny.net was a non started after discussions with them, and things have moved on in unraid since I went to cloudflare many years back. 

I have rolled out a system in parallel should cloudflare stop working.  I tried the nginx Proxy Manager and the swag containers, and ended up picking swag.

I configured the geoip2 database plugin from maxmind, so I have the geo blocking that cloudflare was providing, then I got fail2ban jails working for emby and jellyseerr.  The only bit I will be missing is the DDOS protection and IP hiding capability.

This is all running in a spare domain in parallel for now, but with a few clicks, I expect I can roll out out remotely wthout too much stress.  

[Spaceboy 2336]

cloudflare here and no issues to date

[redrobot2121 0]

I am getting this massage on the video url only. Everything else is working fine.

[vaise 209]

Is that what happens when video's get blocked by Cloudflare ?

[pir8radio 1266]

 

20 hours ago, redrobot2121 said:

I am getting this massage on the video url only. Everything else is working fine.

 

18 hours ago, vaise said:

Is that what happens when video's get blocked by Cloudflare ?

 

Yes, cloudflare is trying to redirect you to a page that says something about blocking the video..      but emby doesn't let it redirect.   
 

Edited August 16, 2022 by pir8radio

[redrobot2121 0]

16 hours ago, pir8radio said:

 

 

 

Yes, cloudflare is trying to redirect you to a page that says something about blocking the video..      but emby doesn't let it redirect.   
 

Yes, i figured it out. But is the block permanent? it was not removed after 24h. i switched cf account. i was using the pro plan btw

[vaise 209]

Do you mind saying what ratio you were using?  On the cf monthly summary email, they give a total through their system and a cached amount.  Mine is around 600 total and under 4 cached.  Not blocked yet.  I also wonder it it matters if you are using a tunnel or not.  Who knows how they decide I guess.  Maybe they do a sweep daily alphabetical with a quota of bans. . Hope so as mine is at the bottom!!!!!

[pir8radio 1266]

4 hours ago, redrobot2121 said:

Yes, i figured it out. But is the block permanent? it was not removed after 24h. i switched cf account. i was using the pro plan btw

odd that they blocked you on the pro plan..  i would think unless you were doing something crazy they would leave you alone.  

[pir8radio 1266]

16 minutes ago, vaise said:

Do you mind saying what ratio you were using?  On the cf monthly summary email, they give a total through their system and a cached amount.  Mine is around 600 total and under 4 cached.  Not blocked yet.  I also wonder it it matters if you are using a tunnel or not.  Who knows how they decide I guess.  Maybe they do a sweep daily alphabetical with a quota of bans. . Hope so as mine is at the bottom!!!!!

I think what they look at is HOW MUCH is video vs other html, javascript, css       if you are mostly video, they seem to come after you.

[vaise 209]

As only emby goes through CF for me - with a 600/4 ratio - that has to be bad.....  so why not banned for me I guess.

If we only knew for sure.....

 

[vaise 209]

In my spare time, I have been looking for backup solutions in case this happens to me.  I have a spare domain configured with a swag reverse proxy etc etc as noted above that is 'ready to go' but I wondered if there is anything more.

I notice the AWS Cloudfront allows 1TB transfer a month on their free plan, which is more than enough.  It has DDOS protection, geo filtering etc.  So..... I had a play with it. 

Signed up for a free account.  Created a dns entry to my test domain called 'embyorigin.mydomain.com', then created a cloudfront 'distribution' - which was very easy, just enter the subdomain, a few clicks and it was deployed to all their servers.  you get a random domain name linked to your origin host (i.e like abcdef12345.cloudfront.net.  I hit that URL and got the emby remote login screen - which is great, but the password seems to always be incorrect (when I know it is correct).  So hit a wall on that front.  If anyone with more skills/experience than me can get this working, then this may be a great CF replacement ?  You can link your own subdomain name to it also (i did not do that until I get the base working).

 

I setup the geograhic restrictions :

I found you can create 'invalidations' - which are the equivalent of the non cache page rules we set up in cloudflare.  Not sure if this would work - but if you have 1TB a month, that would cover all my video anyway.