HOW TO: Recommended Cloudflare Settings


pir8radio


giankoski68
5 minutes ago, Flexeire said:

Not the worst to be fair. I’d take the $30 a month hit easily. How have you found performance so far?

So far so good. Try it just found it here.

crusher11

I've only just checked on this thread...no issues so far, but I guess I need to be looking into other solutions? I'm running NGINX and CloudFlare, with the latter handling my certs and geoblocking. Problem is, I know absolutely nothing about any of this, I've just been following instructions from people who do. So I have no idea how to look into alternatives.


vaise

Everyone on cf should plan for a contingency in case the worst happens. Have a rollback solution so you can keep your remote users operational. If, like me, you ported to cloudflare from an nginx / letsencrypt solution, or a direct to emby with certs config, then dust off that doco you (hopefully) made and prepare for the worst. Saves having a busted system that you then have to piece together under duress with unhappy remote family and friends.

Easiest way I had was to roll back to a new basic nginx working solution for emby, then I moved to cloudflare tunnels which does not need nginx (as it is also a proxy server),  so should cf stop working, I just re-enable the port forwards and deactivate the emby dns entry to point back to the nginx reverse proxy.  No more cf then.

Until someone with more skills than me can come up with a cdn that works with emby.

crusher11

I don't know what a lot of that means, but there's no prior setup to roll back to for me. Mine was set up with NGINX/CF from the get-go.


vaise

I guess many have grown up over years and added CF, and others did it from scratch.  
There are two pinned posts on this forum.  One is cloudflare and the other is nginx.  Read the nginx only one for the differences is a start I guess.

Ignoring all the ‘cool’ things with cloudflare, the one thing they give is an easy ssl cert. If we remove the cf dependency, then you need an ssl cert another way. Letsencrypt (as it’s free) is the norm there.

I just hope my cf stays working as the tunnels is way cool.  No nginx needed at all.  


KegTapper

I am hoping cf stays working as well. I moved and am forced to be on a cgnat network. So ditched caddy2 and using CF tunnels. They are awesome.


crusher11
15 hours ago, vaise said:

I guess many have grown up over years and added CF, and others did it from scratch.  
There are two pinned posts on this forum.  One is cloudflare and the other is nginx.  Read the nginx only one for the differences is a start I guess.

 

The NGINX one is just @pir8radio's config, isn't it? Pretty sure that's what I followed when I got set up in the first place.

Like I said, I don't really understand any of the under-the-hood stuff so I'm not sure what CF gives me and would need replacing, or how to set up a redundancy. I know it's handling my certs and geoblocking...I've not looked at LetsEncrypt but I don't know if I can double up with certs from both. Can NGINX geoblock? Is CF doing anything else for me that I would need to duplicate elsewhere?

I don't have a huge amount of online use, 99% of it is just me looking up what's on my server when I'm out and about, maybe checking a clip or two. Very rare anyone else uses my server at all. So it's not a massive issue if it goes down for a day or two, but I'd like to avoid that if possible.


pwhodges

I would say you don't need CloudFlare unless you know that you need it.

Paul


mbuser18
1 hour ago, pwhodges said:

I would say you don't need CloudFlare unless you know that you need it.

Paul

Hmmm. Very philosophical!

vaise
3 hours ago, mbuser18 said:

do I need cloudflare if I have my own firewall machine like pfsense plus a reverse proxy?

All I can say is that after going back to port forward from all the 'internet' rather than from the cloudflare IPs only, I had about 4-9 'attacks' blocked with my UniFi USG router that has IPS turned on (Intrusion Protection System). I never had alerts with CF from it.

All attacks were dshield - known bad IP addresses. Probably harmless.

If they did get to the reverse proxy, I have lots of stuff in there also (geo blocking, fail2ban), so I am OK with being pushed off CF if it happens. I ran like that for a week and can flip over in less than 30 seconds.
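
An added example (not part of any post in this thread): one way to check the difference vaise describes, between accepting connections from the Cloudflare IPs only and from the whole internet, is to audit the reverse proxy's access log for peers outside the CDN's edge ranges. The ranges and log lines below are constructed placeholders, and the code assumes the first log field is the connecting peer address (no real-IP rewriting).

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges (RFC 5737 documentation space). Replace them
# with the edge ranges your CDN publishes.
EDGE_RANGES = [ipaddress.ip_network(n)
               for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample lines in nginx "combined" format. Assumption: the first
# field is the address of the peer that connected to the reverse proxy.
SAMPLE_LOG = """\
198.51.100.17 - - [02/Sep/2022:09:31:02 +0000] "GET /emby/Items/1 HTTP/1.1" 200 512 "-" "Emby"
192.0.2.44 - - [02/Sep/2022:09:31:09 +0000] "GET /admin.php HTTP/1.1" 404 153 "-" "-"
203.0.113.90 - - [02/Sep/2022:09:32:40 +0000] "GET /web/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Sep/2022:09:32:41 +0000] "GET /.env HTTP/1.1" 404 153 "-" "-"
not-an-ip - - [02/Sep/2022:09:33:00 +0000] "GET / HTTP/1.1" 400 0 "-" "-"
203.0.113.200 - - [02/Sep/2022:09:34:00 +0000] "GET / HTTP/1.1" 200 10 "-" "-"
"""


def from_edge(addr, ranges=EDGE_RANGES):
    """True if addr (an ipaddress object) falls inside any edge range."""
    return any(addr in net for net in ranges)


def direct_hits(log_text, ranges=EDGE_RANGES):
    """Count requests per peer that did not arrive via the CDN edge.

    Returns (Counter {peer: requests}, [lines whose peer field is not an IP]).
    """
    direct, unparsed = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        peer = line.split(" ", 1)[0]
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            unparsed.append(line)
            continue
        if not from_edge(addr, ranges):
            direct[str(addr)] += 1
    return direct, unparsed


if __name__ == "__main__":
    hits, unparsed = direct_hits(SAMPLE_LOG)
    for peer, count in hits.most_common():
        print(f"{peer} reached the origin directly ({count} requests)")
    print(f"{len(unparsed)} line(s) skipped: peer field is not an IP address")
```

Any peer reported while the site is meant to be reachable only through the CDN means the origin accepts connections from other sources, for example because the port forward is open to all addresses.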


vaise
10 hours ago, KegTapper said:

I am hoping cf stays working as well. I moved and am forced to be on a cgnat network. So ditched caddy2 and using CF tunnels. They are awesome.

After having tunnels for 2 weeks I also love it. It also means I can keep the working (but unused as tunnels don't need it) nginx system waiting to step in.

If it stops for you, with cgnat, that would be a pain. Remote PCs could use tailscale to access your system but I don't think it is on all emby client devices.

1 hour ago, giankoski68 said:

Guys, I tested out BunnyCDN and it really speeds up your service. Though it is a paid one 5$/1TB it is really a good replacement.

Use my referral link: https://bunny.net?ref=n7v4rtk8x9

In my testing of bunny, and based on my support calls with them, they have a few issues.   

I posted above here somewhere I think.

Main one was that they had to use whole site, and hard code your origin server - with no way of updating it should your IP change.  

The CDN side of CF is not really a benefit it seems for me - I ran without CF for a week and there was no reported difference by any of my remote users.  Exactly the same they said.  2 users were the other side of the world also.


giankoski68
On 9/2/2022 at 9:33 AM, vaise said:

In my testing of bunny, and based on my support calls with them, they have a few issues.   

I posted above here somewhere I think.

Main one was that they had to use whole site, and hard code your origin server - with no way of updating it should your IP change.  

The CDN side of CF is not really a benefit it seems for me - I ran without CF for a week and there was no reported difference by any of my remote users.  Exactly the same they said.  2 users were the other side of the world also.

You need to set your Emby Server IP to static. :) 

What I did is I changed the Emby Server - Network Options

Change Public https port to 443

Change Public http port to 80

External Domain : Your Pullzone Name (BunnyNet)

Secure connection mode: Change to handled by reverse proxy


11 hours ago, giankoski68 said:

You need to set your Emby Server IP to static. :) 

What I did is I changed the Emby Server - Network Options

Change Public https port to 443

Change Public http port to 80

External Domain : Your Pullzone Name (BunnyNet)

Secure connection mode: Change to handled by reverse proxy


That would imply you only have emby being hosted there and you have opened it up directly to the internet. I have a proxy server with tons of stuff being proxied from the internet. That said, what happens if your ISP changes your internet WAN IP, you would have to change it manually in Bunny.

In its current form it is a far cry from cf, does not hide your WAN IP and hence offers little benefit I believe (at least for now). The CDN side itself is not a benefit to my end users (as seen in testing).

  • 4 weeks later...
vaise
On 30/09/2022 at 11:37, ceb0610 said:

Have we found a good alternative to CF yet?

I don't think there is a good alternative.

Nothing that provides all that CF offer anyway.

I am just prepared to go back to my self hosted system in seconds if CF cut me off like others.

I feel for those cgnat'ers that need the tunnel option......


  • 3 weeks later...
mbuser18

Cloudflare is giving me problems on other kinds of streaming sites as well. I have implemented the recommended settings here, but what if I were to skip all caching from cloudflare? Is that bad? Instead of doing those page rules for /*videos/* etc... what if I just do a single page rule for all the sites like *domain* ? Wouldn't that solve all these problems? I have another site I need to do similar page rules for, but I am out of free page rules, so this is what I am thinking.

We are only excluding videos here for emby.  Which you must do.  If you exclude everything, you may as well turn off caching completely.  In my experience, my remote users don’t gain much from edge caching of emby images anyway.


pir8radio
On 10/24/2022 at 4:53 PM, mbuser18 said:

Cloudflare is giving me problems on other kinds of streaming sites as well. I have implemented the recommended settings here, but what if I were to skip all caching from cloudflare? Is that bad? Instead of doing those page rules for /*videos/* etc... what if I just do a single page rule for all the sites like *domain* ? Wouldn't that solve all these problems? I have another site I need to do similar page rules for, but I am out of free page rules, so this is what I am thinking.

The only way not to run through cloudflare's network is to disable the "Orange cloud" under DNS settings. This just uses cloudflare for DNS, it shows your real server IP, you lose SSL from cloudflare and everything. With orange cloud ON you pass through their nginx proxy servers (that's how they supply an ssl and all of the other features). There is no real way around the cloudflare rule of not streaming video through them. The /*videos/ rule just makes it so cloudflare doesn't cache the video, this causes playback issues on clients. It wasn't added to get around their video stream blocking.
