
CloudFlare Tunnels - Secure Approach, or Tempting Fate?


Thomas Straub

Flintfamily

After using the CF proxy with cache bypass on videos (+2 rules mentioned previously) for nearly a year on the free tier, yesterday CF started blocking videos with the proxy setting turned on. 🙁

Would using the paid tier make any difference to this, as I believe it's still against ToS even on the paid service?

So disappointing...

neik

Noob question incoming: Why do you guys need to cache your stuff on a CDN?

Due to limited upload bandwidth or do you guys just have so many users?


vaise

It's only images that are cached. Have to ignore the videos.

I am in Australia and have family in Singapore, Bali, the UK and Spain accessing Emby.

I only allow those countries to connect (CF Firewall).

CF makes it a bit faster, hides your IP address (not relevant if using CF Tunnels), and does lots of other cool security stuff.

Flintfamily

Yeah, just to speed up page loading from caching images, as I'm a long way from my server. Other extras are just a bonus really.
I see that BunnyCDN has a 14-day free trial. I would be interested to see what difference full video caching would make as opposed to just images. Hard to justify the cost though.

Flintfamily

@kikinjo you mentioned in an earlier post that free accounts will be blocked for streaming. Do you think if I upgraded to the $20 standard I'd get a bit more flexibility with caching the images only, or now that videos are blocked there's no point?

vaise
10 hours ago, Flintfamily said:

Yeah, just to speed up page loading from caching images, as I'm a long way from my server. Other extras are just a bonus really.
I see that BunnyCDN has a 14-day free trial. I would be interested to see what difference full video caching would make as opposed to just images. Hard to justify the cost though.

When CF had a bug that changed the caching, it caused vids to stutter. I worked with pir8radio privately (he was in my system while I changed stuff) to figure out the latest required cache changes to fix it. It's in the forums somewhere.

vaise

I would hate to have an unknown bill for all that data. 500+ GB most months; charges I don't want to wear from family and friends.

Flintfamily
3 hours ago, vaise said:

When CF had a bug that changed the caching, it caused vids to stutter. I worked with pir8radio privately (he was in my system while I changed stuff) to figure out the latest required cache changes to fix it. It's in the forums somewhere.

I assume you're talking about this topic?

If so, these are the settings I have had in use forever and stopped working a couple of days ago.

As for BunnyCDN, a free trial for 14 days costs nothing; what's to lose?

kikinjo
20 hours ago, Flintfamily said:

@kikinjo you mentioned in an earlier post that free accounts will be blocked for streaming. Do you think if I upgraded to the $20 standard I'd get a bit more flexibility with caching the images only, or now that videos are blocked there's no point?

Use a professional account for $20; you won't have any problems. Cache only images, never video.

Flintfamily
On 8/1/2022 at 3:54 PM, kikinjo said:

Use a professional account for $20; you won't have any problems. Cache only images, never video.

Set up that way from the start anyway. Cheers.

pir8radio


On 7/31/2022 at 2:37 AM, Flintfamily said:

After using the CF proxy with cache bypass on videos (+2 rules mentioned previously) for nearly a year on the free tier, yesterday CF started blocking videos with the proxy setting turned on. 🙁

Would using the paid tier make any difference to this, as I believe it's still against ToS even on the paid service?

So disappointing...

It is. I'm still not blocked, but I'm not sure how they detect this. We use it for TV every day. However, I think what is protecting me is that I run some crypto stuff on my domain too, which produces A LOT of traffic; I think enough to meet the "majority of traffic is not video" in their terms. Just curious what kind of stats were you seeing in Cloudflare? I'm trying to figure out how they pick up and decide to block people.

Here are mine for the last 30 days..

pir8radio
On 8/1/2022 at 3:54 AM, kikinjo said:

Use a professional account for $20; you won't have any problems. Cache only images, never video.

The issue is, you still pass video through their system if you have the orange cloud enabled for that domain. This is what they prohibit: not caching of video, just passing it through Cloudflare.

vaise

I'm not blocked yet. 600 GB through but 2 GB cached. I set up a new domain as a backup with Nginx Proxy Manager. Can't port forward 443 to both systems though. I'm considering the tunnel for CF and then the 443 to the backup domain system / Nginx in case they block while I am overseas. I will miss the geo country blocking WAF but hope to get the GeoIP stuff working in NPM.

vaise
On 31/07/2022 at 19:11, kikinjo said:

Check out BunnyCDN, cheap but also good CDN.

I have checked this out, set up a new domain on Google Domains for it, as I could not use a subdomain on Cloudflare as it has HSTS.

I have read all the bunny.net doco, but it seems you have to edit your website itself to put the CDN location files in there.

Obviously, we can't do that at Emby.

Do you have this working?

Namely:

vaise

Further to this, I have been in touch with Bunny support and their only solution to the above issue is this:

In case there are no plugins available to rewrite the URLs of static content on the site for you and you're unable to change these URLs manually, the only option left would be to set up full site caching, following this guide here - https://support.bunny.net/hc/en-us/articles/360004592932-How-to-set-up-a-direct-IP-origin-URL-with-a-custom-hostname-using-Edge-Rules

That means hardcoding an IP address to your home server, and there is no DDNS-type update for it, so it would fail if your IP address changes. They say their future DNS solution will also NOT get around this issue.

Based on this, today, we have to assume BunnyCDN is NO replacement for Cloudflare.

Flintfamily
On 8/6/2022 at 9:55 PM, pir8radio said:

Just curious what kind of stats were you seeing in Cloudflare? I'm trying to figure out how they pick up and decide to block people.

Not sure how to generate that view despite the fact I remember seeing it somewhere.

Unique visitors = 926, Total requests = 992k, 427GB traffic, 4GB cached.


Flintfamily
On 8/8/2022 at 1:34 AM, vaise said:

Further to this, I have been in touch with Bunny support and their only solution to the above issue is this:

In case there are no plugins available to rewrite the URLs of static content on the site for you and you're unable to change these URLs manually, the only option left would be to set up full site caching, following this guide here - https://support.bunny.net/hc/en-us/articles/360004592932-How-to-set-up-a-direct-IP-origin-URL-with-a-custom-hostname-using-Edge-Rules

That means hardcoding an IP address to your home server, and there is no DDNS-type update for it, so it would fail if your IP address changes. They say their future DNS solution will also NOT get around this issue.

Based on this, today, we have to assume BunnyCDN is NO replacement for Cloudflare.

I set up whole-site caching, pretty sure it was working for images and VOD, but Live TV would never play when accessing the BunnyCDN cached site address, so it's useless if you want to use Live TV. My free trial has expired now so I'm unlikely to return to it given the limitation.

chrismallia

Are any of you still using Zero Trust with Emby?

I tried it out, but for some reason some video files do not play using the tunnel while others play fine.

chrismallia
11 hours ago, vaise said:

I am. No issues. Touch wood.
Roughly 700 GB/month usage.

Thanks for that.

I tried it again; it's not that some movies don't play, they are just slow to start, like it buffers for some time while others start instantly. Did you change any settings in CF? I am running on default.

vaise
2 hours ago, chrismallia said:

Thanks for that.

I tried it again; it's not that some movies don't play, they are just slow to start, like it buffers for some time while others start instantly. Did you change any settings in CF? I am running on default.

You have to change a few things.

There is a sticky thread in the Emby forum.

You must disable the caching for the videos themselves. We only want the images cached.

HOW TO: Recommended Cloudflare Settings
pir8radio
On 4/17/2022 at 9:18 PM, Thomas Straub said:

Hello all,

I've been browsing around the forums lately, and full disclosure: my server is running on my Intel Mac Mini, but has a mix of Docker containers for certain services, and others run native apps (Emby being one).

My main way of securing my Emby server was via a Docker container called "Swag" (from LinuxServer.io) and then wrapping the traffic through Cloudflare DNS. It was all proxied via Cloudflare and working wonderfully. However, I had to have port 443 forwarded. For added security, my files are hosted via GDrive for Business and are encrypted via RClone. I also have a Firewalla Gold at my network entry point, which functions as an ingress firewall. I think all is well, since my users all use Emby Connect, and every certificate seems to work. In Emby's network pane, I use my domain emby.XXX.com, and "handled by reverse proxy".

Having some time over the weekend, I've migrated things from the Docker approach for encryption to using a CF tunnel. The CF tunnel seems to be able to add DNS names for my services (e.g., emby.XXX.com, plex.XXX.com) from the web interface, requires "strict" certificates for TLS, and removes one Docker container from my setup. It's really easy to expose internal services externally this way, and appears to eliminate the need for port opening! Everything is still proxied via CF, as it was when I was using Swag.

In this regard, I've read that CF decrypts and views the traffic, which is surprising. I have things encrypted in GDrive, so I am not worried about prying eyes, or having any sort of "free version" hang ups like some folks have.


My questions are two-fold: (1) Is using a tunnel the wisest way to avoid intrusion at the moment (outside of VPNs and other device use cases that I cannot implement with non-tech-savvy users)? and (2) Is my RClone encrypted traffic being actively sniffed by CF, such that this approach isn't viable; if so, what would you choose?

Love Emby, and wish I could change my display name here to my alias, but I don't think I realized when I made the account. Looking forward to the discussion!

Re-visiting this topic, I just started using CF tunnels for another project. Seems cool, but as far as I'm aware this tunnel is just that: a tunnel around all of your own security into your server and network. This is all great assuming CF doesn't have some kind of breach or bad employees. Otherwise it's just like you gave CF a key to the back door of your house; they can come into your PC and network any time they want. CF has a reputation to protect, so I assume this would be very difficult, but still, you are trusting a third party to make sure their network is secure. At least going through your own firewall (the non-tunnel method), you have control. It is nice for new people though, I agree.

I imagine a company like CF is very security aware. A rogue employee is possible, I guess. My tunnel is only open to my Emby instance IP address using the Zero Trust application config, not my whole network. It also follows the WAF, so I only allow certain countries, block bots etc. Just Australia can connect to mine. I tested all that with a VPN to various bad places (inc. USA).

Unlike my Swag back-door method (which I also use, but which is disabled unless CF shuts me down), where my UniFi firewall was reporting many attempts daily to connect to my WAN port by known bad stuff. I have a jail and geo blocking, but still baddie attempts.

Router vulnerabilities are reported all the time and old ones are never patched, so for many users that's more likely to be a security issue with opening to the internet, I believe.
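To make the scoping described in the two posts above concrete, here is a cloudflared `config.yml` (an added example, not from this thread, Emby or Cloudflare) that forwards only the Emby hostname and rejects everything else arriving over the tunnel, set against the permissive variant that exposes a whole LAN. The tunnel UUID, the hostname `emby.example.com`, the LAN CIDR and Emby's local port 8096 are assumptions.

```yaml
# Added example: scoping a Cloudflare Tunnel to one service instead of a network.
# Placeholder tunnel UUID and paths; replace with your own.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

# Permissive variant (the "key to the back door" case): enabling WARP routing and
# advertising a LAN range through the tunnel lets anyone who can reach the tunnel
# reach every host on that subnet, not just the media server. Left commented out.
# warp-routing:
#   enabled: true
# paired with:  cloudflared tunnel route ip add 192.168.1.0/24 <tunnel-name>

# Scoped variant: ingress rules are matched top to bottom. Only the Emby hostname
# is forwarded, to the local Emby HTTP port, and the mandatory catch-all rule
# answers every other hostname or path with a 404 rather than forwarding it.
ingress:
  - hostname: emby.example.com
    service: http://127.0.0.1:8096
  - service: http_status:404
```

The country restriction described in the post is not part of this file; it is a zone-level WAF custom rule (for example, block when `ip.src.country ne "AU"`) and a Cloudflare Access policy on the application, which together decide who reaches the tunnel at all.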
