HOW TO: Recommended Cloudflare Settings

[Happy2Play]

Troubleshooting for another user, but what would cause a mp4 to download file then play and a mkv to direct play/steam?

[avitali]

Thanks for the guide! Is the second rule (Bypass cache) still valid? It seems to me, when I play a video, it never says /*videos/* it only ever says /*videoosd/*. Shouldn't 'videoosd' be what to put in the rules?

[pir8radio]

On 4/16/2022 at 4:38 PM, avitali said:

Thanks for the guide! Is the second rule (Bypass cache) still valid? It seems to me, when I play a video, it never says /*videos/* it only ever says /*videoosd/*. Shouldn't 'videoosd' be what to put in the rules?

@Luke anything change here?     do you have a screenshot showing this videoosd?

I just checked, no, its videos still:

Edited May 1 by pir8radio

[Luke]

videoosd is the web app html url that you see in the browser. /videos is the video api url, so I think this is still valid.

[Flamez]

I just read this thread and I was wondering what similar alternatives are for using Emby on the internet since Cloudflare does not allow videos? 

Thank you.

[Turbofiero]

For me, it would seem the rules have to be in the reverse order as to what youve posted... unsure why, but if I do it as posted cf-cache-status stays dynamic for all images, but changing order I get miss/hit

Nonetheless thanks for the post!

[vaise]

I have been using cloudflare and nginx for ages with no issue.  @pir8radio's config pretty much.  No changed for ages.

Tonight my users cant connect.  Emby cant connect.  my sonarr/radarr also cant connect, so not an emby issue.

I get a 400 Bad Request.  The SSL certifate error below that and nginx below that.

I have restarted nginx, checked its logs etc etc - 

I dont know if this is a cloudflare issue at all ?

This has all just worked for me, so when it goes bad, I have no idea where to look.  Any ideas on the below errors from the nginx logs :

2022/05/31 23:04:45 [error] 386#386: *213 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.133.229:80
2022/05/31 23:04:46 [error] 386#386: *216 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:04:48 [error] 386#386: *218 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:85e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:85e5]:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:10 [error] 386#386: *220 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:29 [crit] 386#386: *224 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:30 [error] 386#386: *224 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80

 

For now to fix this, I have commented the OCSP Stapling stuff in the conf file as such :

# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_stapling_responder http://ocsp.cloudflare.com/;
#ssl_trusted_certificate /config/nginx/cf-certs/trusted-chain.pem;
# my cert + cloudflare certs combined in 1 file
#ssl_ocsp on;
#ssl_ocsp_responder http://ocsp.cloudflare.com/;
#ssl_ocsp_cache shared:OCSPCache:20m;

 

If anyone has an idea of why this started happening ?

 

Edited May 31 by vaise

[pir8radio]

On 5/31/2022 at 8:07 AM, vaise said:

I have been using cloudflare and nginx for ages with no issue.  @pir8radio's config pretty much.  No changed for ages.

Tonight my users cant connect.  Emby cant connect.  my sonarr/radarr also cant connect, so not an emby issue.

I get a 400 Bad Request.  The SSL certifate error below that and nginx below that.

I have restarted nginx, checked its logs etc etc - 

I dont know if this is a cloudflare issue at all ?

This has all just worked for me, so when it goes bad, I have no idea where to look.  Any ideas on the below errors from the nginx logs :

2022/05/31 23:04:45 [error] 386#386: *213 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.133.229:80
2022/05/31 23:04:46 [error] 386#386: *216 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:04:48 [error] 386#386: *218 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:85e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:85e5]:80
2022/05/31 23:06:09 [crit] 386#386: *220 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:10 [error] 386#386: *220 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80
2022/05/31 23:06:29 [crit] 386#386: *224 connect() to [2606:4700::6810:84e5]:80 failed (99: Address not available) while requesting certificate status, responder: ocsp.cloudflare.com, peer: [2606:4700::6810:84e5]:80
2022/05/31 23:06:30 [error] 386#386: *224 OCSP_check_validity() failed (SSL: error:2707307D:OCSP routines:OCSP_check_validity:status expired) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.132.229:80

 

For now to fix this, I have commented the OCSP Stapling stuff in the conf file as such :

# OCSP Stapling
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_stapling_responder http://ocsp.cloudflare.com/;
#ssl_trusted_certificate /config/nginx/cf-certs/trusted-chain.pem;
# my cert + cloudflare certs combined in 1 file
#ssl_ocsp on;
#ssl_ocsp_responder http://ocsp.cloudflare.com/;
#ssl_ocsp_cache shared:OCSPCache:20m;

 

If anyone has an idea of why this started happening ?

 

so you have an ssl cert on nginx, and one in cloudflare..  both certs are valid and not expired?

[vaise]

I suspect it is an ocsp issue.  There are some google searches that match whereby the ocsp end has to do something.  I am just back from a trip so will have a play over the next few days.  I set this up years back and have had a stroke since so will have to go through my documentation to remember it all.

[vaise]

12 hours ago, pir8radio said:

so you have an ssl cert on nginx, and one in cloudflare..  both certs are valid and not expired?

Howdy @pir8radio - been a while since we worked on that cloudflare caching issue together - I notice you are still a user on my system - (but I firewall USA again)

To answer your questions -

I have the cloudflare provided origin server certificate (2034 expiration).

I have the cloudflare provided authenticated origin pulls client certificate (checked it is still the latest as it was updated in 2020).

Further research today seems to indicate that this ocsp stappling stuff is only needed in NGINX if you are NOT using cloudflare, and they have implemented it in the edge certificates themselves.  This may explain why on www.ssllabs.com/ssltest and www.digicert.com/help/ they both are happy that stapling is still activated even though I have th sections commented out.  

So in summary - that ocsp section (an artifact from pre cloudflare)  which it seems was happy doing nothing all of a sudden was broken (likely at CF end as no changes my side).

 

[Flamez]

I am new to using Cloudflare and using the suggested settings on page one of this thread I am seeing the following on the analytics page.  I am using the free setup and wondering if I would be charged for any bandwidth usage?

Cached Bandwidth

Previous 24 hours

3.95 kB

Uncached Bandwidth

Previous 24 hours

360.01 MB

 

Edited June 12 by Flamez

[muzicman0]

I'm clearly not doing something right!  I use https://stream.mydomain.com to access Emby from a Cloudflare tunnel (Argo tunnel?).

Here are my rules:

*.mydomain.com/*Items/*/Images/*
Cache Level: Cache Everything, Edge Cache TTL: a month
Enabled

*.mydomain.com/*videos/*/*
Cache Level: Bypass

But I get all either miss or dynamic.