HOW TO: Recommended Cloudflare Settings


pir8radio

vaise
51 minutes ago, crusher11 said:

I don't have any of those things, though. 

Do you have a laptop or something you can install with tailscale, then use it remotely, and you should be able to ping things in your LAN if tailscale is working and routing to everything.  Maybe watch some tailscale setup YouTube videos or something. 


crusher11

I definitely have my username and password correct, so it would seem to be a tailscale issue.

The fact that it logged me out at all would seem to imply this. 


vaise
30 minutes ago, crusher11 said:

I definitely have my username and password correct, so it would seem to be a tailscale issue.

The fact that it logged me out at all would seem to imply this. 

Are you using an emby app on your phone ?  Maybe if you use a browser instead to hit the emby web page url, if you were not tailscale connected, and not routed, then that page would fail to connect at all.


crusher11
3 hours ago, vaise said:

Maybe if you use a browser instead to hit the emby web page url, if you were not tailscale connected, and not routed, then that page would fail to connect at all.

Via LAN IP? Yeah, that's not connecting.


crusher11
3 hours ago, vaise said:

Are you using an emby app on your phone ?  Maybe if you use a browser instead to hit the emby web page url, if you were not tailscale connected, and not routed, then that page would fail to connect at all.

Hang on...via the LAN IP in the Emby dashboard, or via the IP tailscale gives me? The former fails completely, the latter is treated as a remote connection by Emby.


vaise

Do you have an old laptop or cheap pi you can install Linux and tailscale on ?


vaise

A bit more googling, and maybe it can be done with windows.  I found this:

 


  • 3 months later...
vaise

I have a question for the people that have been blocked by CF for the media streaming violation.

What exactly do you mean by blocked ?  Is the media just unable to be streamed anymore ?

Does everything else still work on the domain ?  They are not blocking your other stuff ?

For reference, I have three domains in my CF account now, one is doing just emby, one is the wife's art domain and has page redirects to her website, plus uses icloud+ for the 'business' email.  And finally, I have my work domain which has a web page redirect and also my email routing.

If I was blocked on my media domain, I don't want the others to be affected in any way.


darkassassin07
13 minutes ago, vaise said:

I have a question for the people that have been blocked by CF for the media streaming violation.

What exactly do you mean by blocked ?  Is the media just unable to be streamed anymore ?

Does everything else still work on the domain ?  They are not blocking your other stuff ?

For reference, I have three domains in my CF account now, one is doing just emby, one is the wife's art domain and has page redirects to her website, plus uses icloud+ for the 'business' email.  And finally, I have my work domain which has a web page redirect and also my email routing.

If I was blocked on my media domain, I don't want the others to be affected in any way.

About 3 months ago my media stopped loading through cloudflare. The media player would open but just sit with a blank screen not actually playing anything and not throwing any errors.

 

Stopped proxying that single subdomain and it went back to working as normal.


vaise
3 minutes ago, darkassassin07 said:

About 3 months ago my media stopped loading through cloudflare. The media player would open but just sit with a blank screen not actually playing anything and not throwing any errors.

 

Stopped proxying that single subdomain and it went back to working as normal.

Thanks for that - the email routing on there would be stopped in that case, as that needs the CF proxy - but I don't really use that.

Still don't know why I have not been stopped as yet.  600-700GB a month goes through there.


  • 4 weeks later...
Dazik

Hadn't tried CF in awhile, did today because I registered a new domain for my Emby hostname.
Setup security bypass and cache bypass rules today, then swapped it in as the live URL and within 10 minutes videos stopped streaming, checking the network tab in Chrome it was straight up downloading the full file in the browser and playing from the local file.

Anyway, for others here, and reading this guide. Even on a new setup with an old free account never connected to anything, it doesn't work anymore.
Tried at least 2 dozen cache rules, only thing that let it run for a short while was turning off cache entirely, and that lasted until their soft 250gb/mo limit.

My setup runs through an nginx rproxy offsite to an nginx rproxy onsite for the LAN connection.
I'm now looking at running redis on the frontend rproxy to cache static html/image/scripts because I don't think CF is viable anymore.


pir8radio
19 minutes ago, Dazik said:

Hadn't tried CF in awhile, did today because I registered a new domain for my Emby hostname.
Setup security bypass and cache bypass rules today, then swapped it in as the live URL and within 10 minutes videos stopped streaming, checking the network tab in Chrome it was straight up downloading the full file in the browser and playing from the local file.

Anyway, for others here, and reading this guide. Even on a new setup with an old free account never connected to anything, it doesn't work anymore.
Tried at least 2 dozen cache rules, only thing that let it run for a short while was turning off cache entirely, and that lasted until their soft 250gb/mo limit.

My setup runs through an nginx rproxy offsite to an nginx rproxy onsite for the LAN connection.
I'm now looking at running redis on the frontend rproxy to cache static html/image/scripts because I don't think CF is viable anymore.

Was it an MP4?  If you don't pass all of the correct headers, nginx will just sit there and try to download the whole file before playing it.  Unless I misunderstood what you were saying.


Dazik
On 7/28/2023 at 10:51 PM, pir8radio said:

Was it an MP4?  If you don't pass all of the correct headers, nginx will just sit there and try to download the whole file before playing it.  Unless I misunderstood what you were saying.

Nah you got it, but it's any file.
I got it working via a new CF account btw, I think they are soft banning if you don't set up everything correctly before changing the records. My OG account cannot stream any media now on any domain. Which is fine, the rest of the stuff on it is web hosting/articles/etc.

 

 


vaise
5 hours ago, Dazik said:

Nah you got it, but it's any file.
I got it working via a new CF account btw, I think they are soft banning if you don't set up everything correctly before changing the records. My OG account cannot stream any media now on any domain. Which is fine, the rest of the stuff on it is web hosting/articles/etc.

 

 

Oh.  They stopped all domains on your account?  Not just the one that was an issue?  I have three domains there inc my emby one, maybe I should create three accounts then going forward if others are affected.  The others don’t do any media though……. Yet.


  • 2 weeks later...
vaise

They don’t seem to have a process to move domains to new accounts.  The notes say you have to move away to another domain provider first, then move back to the new account.  That’s two more payments and delays!!!!!!!   Omg.


  • 3 weeks later...
redjacket69
On 3/17/2022 at 5:04 PM, redrobot2121 said:

Is there any way to serve only the video directly from the origin server but everything else should be proxied ???

@pir8radio hey, I was searching for something like this. So what I understand, https://emby.example.com/emby/videos/* only this path can not be unproxied in CF. So it can be something like this: https://emby.example.org for the user interface and https://emby-streams.example.org for the actual stream. Is it doable in Cloudflare?

ref: 

 


  • 4 weeks later...

Hi!

First, thank you all for all this work and guides and stuff. Especially @pir8radio. Without your help I would never have been able to come this far with my Emby setup. I have been reading a lot. But now I have to make my first post because I need your help.

 

My setup is like this:

  • Emby Server running on Windows 10 on a dedicated machine
  • Nginx running on a VM on my Proxmox server
    • Letsencrypt for public certificates
  • Both servers are on the same subnet hosted in my homelab
  • Own a public domain
    • Using a subdomain for emby (eg: emby.example.com) 
    • Switched DNS servers to cloudflare recently

I don't get what's wrong.  🙄

When I use cloudflare in DNS only mode [image] everything works fine. No problems. As soon as I switch to [image] I get Error code 552 from cloudflare:

[image]

 

 

 

I use exactly the config of @pir8radio for nginx and the recommended settings for CF with the rules and all stuff.

 

I only changed the two parts in your config because it was mentioned so in the commented section:

## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
## to log the real client IP address
    log_format  emby  '$http_CF_Connecting_IP - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';


    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

$http_CF_Connecting_IP in line 3

 

##  proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
    proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.

$http_CF_Connecting_IP in line 2

 

There is nothing showing up in my logfiles on nginx (access.log / emby.log / error.log).

 

Is my ISP maybe blocking cloudflare? Is there any way I can test this?

Is there an issue because my certificate is provided by letsencrypt?

 

I appreciate any help. Thank you!

 

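Added example (not part of the thread, and not pir8radio's config): the two edits quoted in the post above copy the `CF-Connecting-IP` request header straight into the access log and into `X-Real-IP`, so the value is only trustworthy when the request really arrived through Cloudflare. One way to enforce that with nginx's realip module; the include path and the `emby_realip` format name are assumptions.

```nginx
# Added example; not pir8radio's config. Assumes nginx was built with
# ngx_http_realip_module (the usual case for distribution packages).

## Weak: the header is copied verbatim. In "DNS only" mode, or whenever the
## origin can be reached without going through Cloudflare, the client
## chooses this value itself, so logs and Emby see whatever it sent.
#   proxy_set_header X-Real-IP $http_CF_Connecting_IP;

## Hardened (http{} context): accept CF-Connecting-IP only when the TCP peer
## is a Cloudflare address. For any other peer, $remote_addr stays the peer.
## The include file (assumed path) holds one set_real_ip_from line per range
## published at https://www.cloudflare.com/ips/ , for example:
##   set_real_ip_from 173.245.48.0/20;
##   set_real_ip_from 103.21.244.0/22;
##   set_real_ip_from 2400:cb00::/32;
include /etc/nginx/cloudflare-realip.conf;
real_ip_header CF-Connecting-IP;

## $remote_addr now holds the verified client IP, so the stock variable can
## be logged again. $realip_remote_addr keeps the original peer, which makes
## requests that bypassed Cloudflare visible in the log.
log_format emby_realip '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" $request_time $server_port '
                       'peer=$realip_remote_addr';

## In the location block that proxies to Emby, pass the verified address:
##   proxy_set_header X-Real-IP $remote_addr;
```

With this in place the same configuration behaves correctly in both DNS-only and proxied mode, because the header is ignored unless the peer matches a listed range.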

  • 4 weeks later...
mattykellyuk

Thanks for the guide, I used this after changing domain and I'm having problems with cloudflare. I don't think the cache is bypassing video or working for images too as I'm not getting any 'hits' and it's affecting load speeds. Any suggestions would be great.


  • 2 weeks later...
est3ban129

I am using Argo tunnel for my server but it happens that the applications change the domain URL of my server by the IP:port automatically, this can be fixed because the server is not accessible by the port and therefore you have to retype the domain URL every time you want to access the server.


No issues my side. Not touched my cf config in years.  Except to add a backup tunnel also so they load balance.


est3ban129

Does it happen to anyone that is using Argo tunnel and randomly in the EMBY applications the tunnel URL is changed by the ip+port but this is inaccessible because port is closed? 

Also, since I have a dynamic ip, when I reboot the router it will stop working and I will have to put the tunnel URL again.
In addition to not making use of Argo if it connects by IP spontaneously.

