
HOW TO: Recommended Cloudflare Settings


pir8radio


crusher11
37 minutes ago, pwhodges said:

Cloudflare thinks your server is down - is it?

Paul

I don't know? I can access it locally. Haven't changed any of the CloudFlare or network settings recently that I'm aware of/can remember. 


crusher11

I'm unable to access my server via PUBLICIP:8096 or PUBLICIP:443. But I'm not sure if that's normal given the CloudFlare/NGINX setup or not. 


Port forwarding is all good on your router and local firewall is open? Can you reach your PC using a different service via IP (RDP as an example)?

You could remove anything related to connecting securely as a test and then see if you can connect via public IP.

When I have the cert configured I'm unable to connect via public IP as well.


What does your CF dashboard say for bandwidth used over the last 30 days? Do you get a monthly email telling you how much data you used? I believe they only send an email when you use more than a certain amount, but I don't know what the threshold is.


42 minutes ago, C.S. said:

What does your CF dashboard say for bandwidth used over the last 30 days? Do you get a monthly email telling you how much data you used? I believe they only send an email when you use more than a certain amount, but I don't know what the threshold is.

I don't think that's true, I get one for ~2MB data used for a domain I'm not using.


1 hour ago, crusher11 said:

100MB, why? 

MB, not GB? So you basically haven't used it at all in the past month?

I was thinking maybe they banned you, but you don't really use it, so probably not.


crusher11
47 minutes ago, C.S. said:

MB, not GB? So you basically haven't used it at all in the past month?

I was thinking maybe they banned you, but you don't really use it, so probably not.

I'm not sure how long it's been down for TBH. 


crusher11
3 minutes ago, C.S. said:

I think we can say at least 30 days. Did you get the emails? Do you know how much data you've been pushing?

Well the reason I don't know is it rarely gets used, so the lack of data the last month is really no indicator one way or the other.

How much data I've been pushing is irrelevant. The answer isn't going to resolve my issue one way or the other. 


crusher11

CanYouSeeMe is negative on 8096 and 443, but again I don't know if that's normal with NGINX/CloudFlare.

Still haven't established if it's an Emby issue, an NGINX issue, or a CloudFlare issue.


samuelqwe
14 hours ago, crusher11 said:

CanYouSeeMe is negative on 8096 and 443, but again I don't know if that's normal with NGINX/CloudFlare.

Assuming you usually connect using HTTPS, port 443 should be open on your router and CanYouSeeMe should be able to see it as open if Nginx is actually accepting the connection. Otherwise, there is port 80 for HTTP traffic, but you don’t actually need it if you connect exclusively using HTTPS.

So if you’ve checked that port 443 (and/or 80) is open on your router and that it is pointing to the device hosting the Nginx server on your LAN, and that your public ip is correctly entered in your CloudFlare DNS rules, then it’s likely an issue with the Nginx configuration.

Port 8096 (or 8920 for secure connections) would only need to be open and reachable on CanYouSeeMe if you were connecting directly to Emby with your plugins on public IP instead of your domain, so it shouldn’t need to be open in this case.

Also, just to be sure, have you checked that your domain has not expired and is still active? Just looking at all the possibilities here.


I have found the cloudflare tunnels have really taken all this pain away.  Tunnel is now either up or down, it has detailed logging, and no reverse proxy to worry about.  And no ports to open on the router.

Edited by vaise

crusher11

Yep, turns out it's NGINX, which had completely stopped running. Attempting to restart gives the error "Docker API has failed. Please visit Docker Log for more information." Docker log:

Start container nginx2 failed: {"message":"Bind mount failed: '/volume1/Emby Libraries/emby.log' does not exists"}.
       

  • 1 month later...

My emby server (a docker container) is accessed remotely through Cloudflare tunnel to the port 8096 of emby server. There is no problem to log in from my laptop's web browser. When I tried to connect the server (same host name) from android app, the log in screen will show up but I can't log in. It will always show "Sign In Error Invalid username or password. Please try again" even though the correct information was provided. The server log shows a single line: "Error Server: Access token is invalid or expired". Any help is appreciated.

Update:

Issue is resolved if port 443 is specified (instead of left empty)

Edited by wmd1942
Issue resolved
  • Thanks 1

9 hours ago, wmd1942 said:

My emby server (a docker container) is accessed remotely through Cloudflare tunnel to the port 8096 of emby server. There is no problem to log in from my laptop's web browser. When I tried to connect the server (same host name) from android app, the log in screen will show up but I can't log in. It will always show "Sign In Error Invalid username or password. Please try again" even though the correct information was provided. The server log shows a single line: "Error Server: Access token is invalid or expired". Any help is appreciated.

Update:

Issue is resolved if port 443 is specified (instead of left empty)

I use all ports on my tunnel config - no issues on my side reported from any remote family. Maybe they don't have any android phones however..... Plenty of google TV and a few chromecasts.


Maybe it is something in your application policy config?

Maybe update your cloudflare tunnel version? I am using docker - cloudflare/cloudflared:2022.12.1-amd64


  • 3 weeks later...
jad3675

Well my number came up tonight and CF TOS'ed me.

It was a good 5 year run.

Got an nginx reverse proxy stood up in the cloud pretty quickly and had everything working after an hour.

 


sross44
On 1/16/2023 at 8:47 PM, jad3675 said:

Well my number came up tonight and CF TOS'ed me.

It was a good 5 year run.

Got an nginx reverse proxy stood up in the cloud pretty quickly and had everything working after an hour.

 

I had the same thing happen to me last month. I switched everything over to nginx reverse proxy as well..... but I did love the Cloudflare setup. I have a feeling more and more people are going to start having this happen to them.


jad3675
53 minutes ago, sross44 said:

I had the same thing happen to me last month. I switched everything over to nginx reverse proxy as well..... but I did love the Cloudflare setup. I have a feeling more and more people are going to start having this happen to them.

In CF's defense, I was averaging ~4TB/month. I am honestly beyond surprised I was able to skate for the better part of 5 years.

Rather than set up an nginx reverse proxy on my home network and open 443 up to the world, I spun up an Ampere A1 instance in the Oracle Cloud (it's free!) - 1GB bandwidth, 10TB egress/month and a public IP address. Installed nginx with mod_security and deployed crowdsec on it. Whitelisted the public IP on my home firewall. It's probably 98% as good as CF from a WAF/Intrusion standpoint. Don't have the fancy webpanel like CF, but I can scrape the metrics into the CloudSIEM from Datadog and have an idea of what's going on.

 

John


My public ip changes on average once every 2 weeks.  That would be a pain I think.  CF only 489gb last month.


jad3675
14 hours ago, vaise said:

My public ip changes on average once every 2 weeks.  That would be a pain I think.  CF only 489gb last month.

My pub ip changes if my firewall gets rebooted. CF is doing my DNS, though. I have the name record that nginx uses to connect back to emby updated via the cloudflare-ddns script and then another script (on the reverse proxy) that reloads nginx if the DNS record changes. A bit convoluted (and a few minutes of downtime while DNS changes) but it works.
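The reload-on-DNS-change step described in the post above, as an added sketch (not jad3675's script and not part of the original thread): nginx looks up a literal upstream hostname when it loads its configuration, so the cloud proxy keeps sending traffic to the old home address until it is reloaded. The hostname `home.example.net`, the state file path and the `RESOLVE_CMD`/`RELOAD_CMD` hooks are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not jad3675's script): reload nginx when the origin record changes.
# ORIGIN_HOST, STATE_FILE, RESOLVE_CMD and RELOAD_CMD are illustrative assumptions.
ORIGIN_HOST="${ORIGIN_HOST:-home.example.net}"
STATE_FILE="${STATE_FILE:-/var/lib/origin-watch/last_ip}"
RESOLVE_CMD="${RESOLVE_CMD:-resolve_with_dig}"
RELOAD_CMD="${RELOAD_CMD:-reload_nginx}"

# First A record in sorted order; CNAME lines in dig's output are filtered out.
resolve_with_dig() { dig +short A "$1" | grep -E '^[0-9.]+$' | sort | head -n 1; }

# Validate the config before reloading so a broken file never takes the proxy down.
reload_nginx() { nginx -t && nginx -s reload; }

# Strict dotted-quad check: four decimal octets, each 0-255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  ow_ifs=$IFS; IFS=.
  set -- $1
  IFS=$ow_ifs
  [ "$#" -eq 4 ] || return 1
  for ow_octet in "$@"; do
    [ "${#ow_octet}" -le 3 ] && [ "$ow_octet" -le 255 ] || return 1
  done
  return 0
}

# Prints one of: unchanged | reloaded | resolve-failed | reload-failed
check_origin() {
  ow_new="$("$RESOLVE_CMD" "$ORIGIN_HOST")" || ow_new=""
  # A failed or malformed lookup must not trigger a reload or overwrite the state.
  if ! is_ipv4 "$ow_new"; then echo "resolve-failed"; return 0; fi
  ow_old=""
  if [ -r "$STATE_FILE" ]; then ow_old="$(cat "$STATE_FILE")"; fi
  if [ "$ow_new" = "$ow_old" ]; then echo "unchanged"; return 0; fi
  # Save the new address only after the reload succeeded, so a failure is retried.
  if "$RELOAD_CMD" >/dev/null 2>&1; then
    mkdir -p "$(dirname "$STATE_FILE")"
    printf '%s\n' "$ow_new" > "$STATE_FILE"
    echo "reloaded"
  else
    echo "reload-failed"
  fi
}

# Run from cron or a systemd timer as: origin-watch.sh --run
if [ "${1:-}" = "--run" ]; then check_origin; fi
```

Treating an empty or malformed lookup as `resolve-failed` keeps a DNS outage from causing reload loops or erasing the last known-good address.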

 


sross44
On 1/19/2023 at 9:57 AM, jad3675 said:

In CF's defense, I was averaging ~4TB/month. I am honestly beyond surprised I was able to skate for the better part of 5 years.

Rather than set up an nginx reverse proxy on my home network and open 443 up to the world, I spun up an Ampere A1 instance in the Oracle Cloud (it's free!) - 1GB bandwidth, 10TB egress/month and a public IP address. Installed nginx with mod_security and deployed crowdsec on it. Whitelisted the public IP on my home firewall. It's probably 98% as good as CF from a WAF/Intrusion standpoint. Don't have the fancy webpanel like CF, but I can scrape the metrics into the CloudSIEM from Datadog and have an idea of what's going on.

 

John

I may need your help on doing this, but I’m going to check this out today. Sounds super interesting!! Great idea 
