HOW TO: Recommended Cloudflare Settings


pir8radio


jad3675
2 hours ago, sross44 said:

I may need your help on doing this, but I’m going to check this out today. Sounds super interesting!! Great idea 

Few things to remember with the OCI - if you use the Ubuntu image, they don't use ufw - it's iptables. You'll need to allow any internet traffic in on iptables and on the virtual network you have configured for the host.

mod_security gets cranky with playing video within emby. Easiest way to address that is to place this in your modsecurity.conf.

SecRule REQUEST_FILENAME "@contains emby" "id:1,phase:2,nolog,allow,ctl:ruleEngine=Off"

I'm sure there's a better and safer way to do it, but I haven't figured it out yet.


sross44
24 minutes ago, jad3675 said:

Few things to remember with the OCI - if you use the Ubuntu image, they don't use ufw - it's iptables. You'll need to allow any internet traffic in on iptables and on the virtual network you have configured for the host.

mod_security gets cranky with playing video within emby. Easiest way to address that is to place this in your modsecurity.conf.

SecRule REQUEST_FILENAME "@contains emby" "id:1,phase:2,nolog,allow,ctl:ruleEngine=Off"

I'm sure there's a better and safer way to do it, but I haven't figured it out yet.

Ok, well now I'm completely lost lol. Maybe I'll avoid this setup for now haha. I really would just use this to set up Nginx though and whitelist my ip address like you said. This way I don't have to open my network to anything. 

Edited by sross44

sross44
10 hours ago, sross44 said:

Ok, well now I'm completely lost lol. Maybe I'll avoid this setup for now haha. I really would just use this to set up Nginx though and whitelist my ip address like you said. This way I don't have to open my network to anything. 

Well I got it set up, and I'm pretty sure I installed everything correctly... but I suck at command line and can't figure it out. I have the docker image running. I thought I set up IPTables correctly.... but damned if I can't access it. (I set it up via Nginx proxy manager, because that's what I've used lately)


jad3675
On 1/20/2023 at 11:50 PM, sross44 said:

Well I got it set up, and I'm pretty sure I installed everything correctly... but I suck at command line and can't figure it out. I have the docker image running. I thought I set up IPTables correctly.... but damned if I can't access it. (I set it up via Nginx proxy manager, because that's what I've used lately)

Did you set it up in Oracle Cloud? If so, you need to allow tcp/443 in on the default security list for your public vcn.

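A check for the iptables half of the advice above, added here as an example rather than code from the thread. The Ubuntu image on OCI ships with a catch-all REJECT rule in the INPUT chain, so an ACCEPT appended with `-A` lands after it and never fires; the rule has to be inserted in front of the REJECT with `-I INPUT N`. The sample `iptables -S INPUT` output is constructed to resemble that image's default chain, the function names are my own, and the script cannot check the VCN security list, which is done in the Oracle console.

```python
import re

# Constructed sample of `sudo iptables -S INPUT`, modelled on the Oracle Cloud Ubuntu image's
# default chain, after someone appended a 443 rule with `-A`. The REJECT at rule 6 is hit first,
# so the 443 ACCEPT at rule 7 never matches.
SAMPLE_BEFORE = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
"""

# The same chain after inserting the 443 rule in front of the catch-all REJECT.
SAMPLE_AFTER = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


def parse_input_rules(rules_text):
    """Turn `-A INPUT ...` lines into dicts with the fields the ordering check needs."""
    rules = []
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT "):
            continue  # skip the -P policy line and any other chains
        target = re.search(r"-j (\S+)", line)
        dport = re.search(r"--dport (\d+)", line)
        proto = re.search(r"-p (\S+)", line)
        rules.append({
            "target": target.group(1) if target else None,
            "dport": int(dport.group(1)) if dport else None,
            "proto": proto.group(1) if proto else None,
            "raw": line,
        })
    return rules


def first_catch_all(rules):
    """1-based rule number of the first REJECT/DROP that matches everything, or None."""
    for pos, rule in enumerate(rules, start=1):
        if rule["target"] in ("REJECT", "DROP") and rule["dport"] is None and rule["proto"] is None:
            return pos
    return None


def port_reachable(rules_text, port, proto="tcp"):
    """True if an ACCEPT for proto/port is evaluated before any catch-all REJECT/DROP."""
    rules = parse_input_rules(rules_text)
    block = first_catch_all(rules)
    for pos, rule in enumerate(rules, start=1):
        if rule["target"] == "ACCEPT" and rule["dport"] == port and rule["proto"] == proto:
            return block is None or pos < block
    # No explicit ACCEPT: only an ACCEPT chain policy with no catch-all lets the port in.
    policy = re.search(r"^-P INPUT (\S+)", rules_text, re.M)
    return block is None and policy is not None and policy.group(1) == "ACCEPT"


def fix_command(rules_text, port, proto="tcp"):
    """The iptables command that inserts the ACCEPT in front of the catch-all rule.

    `-I INPUT N` inserts as rule N, i.e. just before the rule currently at N. On an image
    that uses iptables-persistent, `sudo netfilter-persistent save` keeps it across reboots.
    """
    pos = first_catch_all(parse_input_rules(rules_text))
    where = f" {pos}" if pos else ""
    return (f"sudo iptables -I INPUT{where} -p {proto} -m state --state NEW "
            f"-m {proto} --dport {port} -j ACCEPT")


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}: tcp/443 reachable = {port_reachable(text, 443)}")
    print("fix:", fix_command(SAMPLE_BEFORE, 443))
```

Feed it the real output of `sudo iptables -S INPUT` from the instance instead of the sample; if `port_reachable` says False for 443 while the container is listening, the rule order is the problem, not the proxy.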

JonBigTellyEmby

Hi All, May I ask if anybody has this working on an Apple TV or iPhone. Cannot seem to get it working even though it works perfectly via a browser

What would be the setting for the iOS app / Host - embyserver.uk Port - 8096? I just get a spinning wheel. Is it something to do with HTTPS?

I have that port forwarded on the router using 8920.

Thx for any help Jon


sross44
4 hours ago, jad3675 said:

Did you set it up in Oracle Cloud? If so, you need to allow tcp/443 in on the default security list for your public vcn.

Ok I’ll give that a try and see if I can get it working! Thanks 


  • 1 month later...
notuxnobux

So... What's the alternative to cloudflare?

I'm using the SWAG reverse proxy (it uses nginx backend) and for Emby, the only thing I really need from the (cloudflare) service is to point emby.mydomain.com to my public IP, so the reverse proxy can do the rest.

I make use of more cloudflare features for my other subdomains however, so I'm only looking to get emby away from it, to prevent being TOS banned.

Will something like duckdns suffice? 

Edited by notuxnobux

It’s only the media that stops working when you are banned I believe.  So I have a backup system that is swag fully configured and waiting to go.  You have cf already doing the pointing to swag, so just untick your emby.mydomain.com in cf dns and it will not be routed via cf anymore.  You can do that as a test.

Personally, I have a bit more to do as I use cf tunnels and hence am not port forwarding, so I have to re-enable the port forwarding also.  It takes just seconds to roll out.

 

Edited by vaise

seanbuff
6 hours ago, notuxnobux said:

the only thing I really need from the (cloudflare) service is to point emby.mydomain.com to my pubic IP, so the reverse proxy can do the rest.

If you just use CF in "DNS" mode only (gray cloud icon) instead of "proxying" (orange cloud icon), which violates the TOS, then let your SWAG setup take care of the rest locally. You should be all set.

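One way to confirm the gray-cloud change took effect, added here as an example and not code from the thread or from Cloudflare: classify the A records a name resolves to against Cloudflare's published edge ranges. A "dns-only" verdict means the record now answers with the origin address directly, which is exactly the exposure the follow-up question in this thread is about. The hostnames and addresses in the demo are constructed and the function names are my own; the CIDR list is copied from Cloudflare's public list and should be re-fetched before relying on it.

```python
import ipaddress
import socket

# Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4), copied
# here so the check runs offline. Re-fetch the list from that URL before relying on it.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(cidr) for cidr in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(addr):
    """True if addr (a dotted-quad string) lies inside one of Cloudflare's edge ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_IPV4)


def classify(addresses):
    """Classify the A records returned for a name.

    'proxied'    every answer is a Cloudflare edge (orange cloud)
    'dns-only'   no answer is Cloudflare (gray cloud): the origin IP is public
    'mixed'      some of each, which usually means a half-finished change
    'unresolved' no answers at all
    """
    flags = {is_cloudflare_ip(a) for a in addresses}
    if flags == {True}:
        return "proxied"
    if flags == {False}:
        return "dns-only"
    return "mixed" if flags else "unresolved"


def resolve_ipv4(hostname):
    """Live A-record lookup via the system resolver (not used by the offline demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)})


def report(hostname, addresses):
    """Print a human-readable verdict and return the classification for callers."""
    verdict = classify(addresses)
    note = {
        "proxied": "traffic goes through Cloudflare's proxy (see the TOS point about video)",
        "dns-only": "the record publishes your origin address; the reverse proxy now fronts it",
        "mixed": "some answers are Cloudflare, some are not; check the DNS entry",
        "unresolved": "no A records returned",
    }[verdict]
    print(f"{hostname}: {verdict} -> {', '.join(addresses) or '-'} ({note})")
    return verdict


if __name__ == "__main__":
    # Constructed answers for the demo, not real lookups. For a live check use
    # report("emby.yourdomain.example", resolve_ipv4("emby.yourdomain.example")).
    report("proxied.example.com", ["104.16.1.1", "104.16.2.1"])
    report("emby.example.com", ["203.0.113.10"])
```

Run the live form from outside your own network (a phone off Wi-Fi is enough) so you see what the public resolvers return, and note that the script only looks at A records; an AAAA record left orange-clouded would still be proxied.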

48 minutes ago, seanbuff said:

If you just use CF in "DNS" mode only (gray cloud icon) instead of "proxying" (orange cloud icon), which violates the TOS, then let your SWAG setup take care of the rest locally. You should be all set.

Much More detailed reply than my answer Sean.  Well done.


notuxnobux
2 hours ago, vaise said:

It’s only the media that stops working when you are banned I believe.  So I have a backup system that is swag fully configured and waiting to go.  You have cf already doing the pointing to swag, so just untick your emby.mydomain.com in cf dns and it will not be routed via cf anymore.  You can do that as a test.

Personally, I have a bit more to do as I use cf tunnels and hence am not port forwarding, so I have to re-enable the port forwarding also.  It takes just seconds to roll out.

58 minutes ago, seanbuff said:

If you just use CF in "DNS" mode only (gray cloud icon) instead of "proxying" (orange cloud icon), which violates the TOS, then let your SWAG setup take care of the rest locally. You should be all set.

Thanks guys.

Quick question for either of you... won't doing this expose my IP address?

Edited by notuxnobux

Do what you can.  Add fail2ban or crowdsec to swag.  I have moved to crowdsec now.  Still not banned yet!!!!


notuxnobux
2 hours ago, vaise said:

Yep

 

2 hours ago, vaise said:

Do what you can.  Add fail2ban or crowdsec to swag.  I have moved to crowdsec now.  Still not banned yet!!!!

Thank you. I have already got fail2ban set up with swag. Might look into crowdsec, as I've heard good things about it.


  • 2 weeks later...
crusher11

I have NGINX set up, but I'm using CloudFlare to handle IP blocking so my server is only available in Australia, which should solve 99% of security issues right off the bat.

I also don't really know how it all works, I just trust that guys on here with these sorts of threads do.

I'm running my server on a Synology NAS. Don't have fail2ban or any equivalent set up. So I'd need that, plus the geoblocking, at a minimum. I also currently have my admin account enabled for online access so I can do maintenance away from home, but people have recommended against that for obvious reasons and suggested some sort of alternative that still allows admin to be accessed remotely via some other setup? Not sure what the deal is there.

 

EDIT: CloudFlare also handles my SSL cert.

Edited by crusher11

vaise

Install tailscale on something in your lan, with advertised routes turned on, then on your remote device (laptop, phone), then easy secure access to anything in your network from anywhere, with no port forwarding.  Remove that admin then from remote, once you use tailscale, you are local then and admin will work.

Edited by vaise

  • 2 weeks later...
thunderclap

Does the first post warning still apply if one uses NginxProxyManager? I run Emby in docker on Unraid and have over 20 dockers, including NginxProxyManager, that forwards subdomains to specific ports. Does that obscure what data is being transferred through Cloudflare?


crusher11
On 3/10/2023 at 7:00 AM, vaise said:

Install tailscale on something in your lan, with advertised routes turned on, then on your remote device (laptop, phone), then easy secure access to anything in your network from anywhere, with no port forwarding.  Remove that admin then from remote, once you use tailscale, you are local then and admin will work.

I get an "invalid username or password" error from Emby when trying to sign in.


vaise
6 hours ago, crusher11 said:

I get an "invalid username or password" error from Emby when trying to sign in.

Is this after doing the tailscale config?  Does other stuff to your lab work?  On my tailscale, with advertised routes, my remote chrome browser bookmarks all work exactly the same as if I am on my lan.  No difference at all.  Every hosted service I can connect to.  Just prove tailscale all works like that.  All web pages etc.


crusher11
43 minutes ago, vaise said:

Is this after doing the tailscale config?  

Config?

 

43 minutes ago, vaise said:

Does other stuff to your lab work?  

Eh? 


vaise
19 minutes ago, crusher11 said:

Config?

 

Eh? 

You referenced my post, which was about tailscale, so the tailscale config I mention in my post.  Lab was a typo. Should be LAN.

 

Edited by vaise

crusher11

There doesn't seem to be any config, though? All I can find is a checkbox for the advertised routes thing, which I've checked.

I'm not aware of any other LAN access method from my phone than Emby. 


vaise

I use it with Linux, I have to pass parameters and config for the routes that tailscale will use, then I allow it in the tailscale gui.

By LAN, I mean access anything else on your lan to prove it works (not just emby). I.e,  I host cctv, sonarr, radarr, jellyseer, uptimeKuma, readarr, tdarr and multiple pihole instances on my lan.  Tailscale allows me to access any of these as if I am home.  That’s what I mean to prove access is working.
