Jump to content

HOW TO: Recommended Cloudflare Settings


pir8radio

Recommended Posts

crusher11
37 minutes ago, pwhodges said:

Cloudflare thinks your server is down - is it?

Paul

I don't know? I can access it locally. Haven't changed any of the CloudFlare or network settings recently that I'm aware of/can remember. 

Link to comment
Share on other sites

crusher11

I'm unable to access my server via PUBLICIP:8096 or PUBLICIP:443. But I'm not sure if that's normal given the CloudFlare/NGINX setup or not. 

Link to comment
Share on other sites

Port forwarding is all good on your router and local firewall is open? Can you reach your PC using a different service via IP (RDP as an example)

You could remove anything related to connecting securely as a test and then see if you can connect via public IP.

When I have the cert configured i'm unable to connect via public IP as well.

Link to comment
Share on other sites

What does your CF dashboard say for bandwidth used over the last 30 days? Do you get a monthly email telling you how much data you used? I believe they only send an email when you use more than a certain amount, but I don't know what the threshold is.

Link to comment
Share on other sites

42 minutes ago, C.S. said:

What does your CF dashboard say for bandwidth used over the last 30 days? Do you get a monthly email telling you how much data you used? I believe they only send an email when you use more than a certain amount, but I don't know what the threshold is.

I don't think that's true, I get one for ~2MB data used for as domain I'm not using

Link to comment
Share on other sites

1 hour ago, crusher11 said:

100MB, why? 

MB, not GB? So you basically haven't used it at all in the past month?

I was thinking maybe they banned you, but you don't really use it, so probably not.

Link to comment
Share on other sites

crusher11
47 minutes ago, C.S. said:

MB, not GB? So you basically haven't used it at all in the past month?

I was thinking maybe they banned you, but you don't really use it, so probably not.

I'm not sure how long it's been down for TBH. 

Link to comment
Share on other sites

crusher11
3 minutes ago, C.S. said:

I think we can say at least 30 days. Did you get the emails? Do you know how much data you've been pushing?

Well the reason I don't know is it rarely gets used, so the lack of data the last month is really no indicator one way or the other.

How much data I've been pushing is irrelevant. The answer isn't going to resolve my issue one way or the other. 

Link to comment
Share on other sites

crusher11

CanYouSeeMe is negative on 8096 and 443, but again I don't know if that's normal with NGINX/CloudFlare.

Still haven't established if it's an Emby issue, and NGINX issue, or a CloudFlare issue.

Link to comment
Share on other sites

samuelqwe
14 hours ago, crusher11 said:

CanYouSeeMe is negative on 8096 and 443, but again I don't know if that's normal with NGINX/CloudFlare.

Assuming you usually connect using HTTPS, port 443 should be open on your router and CanYouSeeMe should be able to see it as open if Nginx is actually accepting the connection. Otherwise, there is port 80 for HTTP traffic, but you don’t actually need if you connect exclusively using HTTPS.

So if you’ve checked that port 443 (and/or 80) is open on your router and that it is pointing to the device hosting the Nginx server on your LAN, and that your public ip is correctly entered in your CloudFlare DNS rules, then it’s likely an issue with the Nginx configuration.

Port 8096 (or 8920 for secure connections) would only need to be open and reachable on CanYouSeeMe if you were connecting directly to Emby with your plugins on public IP instead of your domain, so it shouldn’t need to be open in this case.

Also, just to be sure, have you checked that your domain has not expired and is still active? Just looking at all the possibilities here.

Link to comment
Share on other sites

I have found the cloudflare tunnels have really taken all this pain away.  Tunnel is now either up or down, it has detailed logging, and no reverse proxy to worry about.  And no ports to open on the router.

Edited by vaise
Link to comment
Share on other sites

crusher11

Yep, turns out it's NGINX, which had completely stopped running. Attempting to restart gives the error "Docker API has failed. Please visit Docker Log for more information." Docker log:

Start container nginx2 failed: {"message":"Bind mount failed: '/volume1/Emby Libraries/emby.log' does not exists"}.
       
Link to comment
Share on other sites

  • 1 month later...

My emby server (a docker container) is accessed remotely through Cloudflare tunnel to the port 8096 of emby server. There is no problem to log in from my laptop's web browser. When I tried to connect the server (same host name) from android app, the log in screen will show up but I can't log in. It will always show "Sign In Error Invalid username or password. Please try again" even though the correct information was provided. The server log shows a single line: "Error Server: Access token is invalid or expired". Any help is appreciated.

Update:

Issue is resolved if port 443 is specified (instead of left empty)

Edited by wmd1942
Issue resolved
  • Thanks 1
Link to comment
Share on other sites

9 hours ago, wmd1942 said:

My emby server (a docker container) is accessed remotely through Cloudflare tunnel to the port 8096 of emby server. There is no problem to log in from my laptop's web browser. When I tried to connect the server (same host name) from android app, the log in screen will show up but I can't log in. It will always show "Sign In Error Invalid username or password. Please try again" even though the correct information was provided. The server log shows a single line: "Error Server: Access token is invalid or expired". Any help is appreciated.

Update:

Issue is resolved if port 443 is specified (instead of left empty)

I use all ports on my tunnel config - no issues on my side reported from any remote family.  Maybe they dont have any android phones however.....  Plenty of google TV and a few chromecasts.

image.thumb.png.55d9142d7ac6b1c99b358647c9379b54.png

Maybe it is something in your application policy config ?

Maybe update your cloudflare tunnel version ?  I am using docker - cloudflare/cloudflared:2022.12.1-amd64

Link to comment
Share on other sites

  • 3 weeks later...

Well my number came up tonight and CF TOS'ed me.

It was a good 5 year run.

Got a nginx reverse proxy stood up in the cloud pretty quickly and had everything working after an hour 

 

Link to comment
Share on other sites

On 1/16/2023 at 8:47 PM, jad3675 said:

Well my number came up tonight and CF TOS'ed me.

It was a good 5 year run.

Got a nginx reverse proxy stood up in the cloud pretty quickly and had everything working after an hour 

 

I had the same thing happen to me last month. I switched everything over to nginx reverse proxy as well..... but I did love the Cloudfare setup. I have a feeling more and more people are going to start having this happen to them.

Link to comment
Share on other sites

53 minutes ago, sross44 said:

I had the same thing happen to me last month. I switched everything over to nginx reverse proxy as well..... but I did love the Cloudfare setup. I have a feeling more and more people are going to start having this happen to them.

If CF's defense, I was averaging ~4TB/month. I am honestly beyond surprised I was able to skate for the better part of 5 years.

Rather than setup a ngninx reverse proxy on my home network and open 443 up to the world, I spun up an Ampere A1 instance in the Oracle Cloud (it's free!) - 1GB bandwidth, 10TB egress/month and a public IP address. Installed nginx with mod_security and deployed crowdsec on it. Whitelisted the public IP on my home firewall. It's probably 98% as good as CF from a WAF/Intrusion standpoint. Don't have the fancy webpanel like CF, but I can scrape the metrics into the CloudSIEM from Datadog and have an idea of what's going on.

 

John

Link to comment
Share on other sites

My public ip changes on average once every 2 weeks.  That would be a pain I think.  CF only 489gb last month.

Link to comment
Share on other sites

14 hours ago, vaise said:

My public ip changes on average once every 2 weeks.  That would be a pain I think.  CF only 489gb last month.

My pub ip changes if my firewall gets rebooted. CF is doing my DNS, though. I have the name record that nginx uses to connect back to emby updated via the cloudflare-ddns script and then another script (on the reverse proxy) that reloads nginx if the DNS record changes. A bit convoluted (and a few minutes of downtime while DNS changes) but it works.

 

Link to comment
Share on other sites

On 1/19/2023 at 9:57 AM, jad3675 said:

If CF's defense, I was averaging ~4TB/month. I am honestly beyond surprised I was able to skate for the better part of 5 years.

Rather than setup a ngninx reverse proxy on my home network and open 443 up to the world, I spun up an Ampere A1 instance in the Oracle Cloud (it's free!) - 1GB bandwidth, 10TB egress/month and a public IP address. Installed nginx with mod_security and deployed crowdsec on it. Whitelisted the public IP on my home firewall. It's probably 98% as good as CF from a WAF/Intrusion standpoint. Don't have the fancy webpanel like CF, but I can scrape the metrics into the CloudSIEM from Datadog and have an idea of what's going on.

 

John

I may need your help on doing this, but I’m going to check this out today. Sounds super interesting!! Great idea 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...