
Cloudflare CDN and Websockets


graphixmaker


pir8radio

Hey

Just came across this thread, using Cloudflare sounds like an interesting option.

If I got it right, you need to purchase a domain name, so using a service like dyndns or no-ip won't be enough, right?

Somewhere I read that Cloudflare only forwards particular ports, so what do you do if your desired port is not on that list? (For a web service other than Emby)

 

Correct, you have to own a domain name and change the DNS settings for your domain to use Cloudflare's DNS servers. Yes, you would have to use normal ports like 80 and 443 with Cloudflare.


graphixmaker

Do you see the same thing when on my server? I do not.   https://emby.media/community/index.php?/topic/19457-help-me-test-my-emby-server/?p=188745

 

Here are the stats on my websocket connections, so I know it does/can work. Oh, what does the rest of your config look like? Any timeouts set?

Below is the rest of the config, which is my SSL snippet:


ssl_certificate /etc/letsencrypt/live/*****.org/fullchain.pem;        # domain redacted in the post
ssl_certificate_key /etc/letsencrypt/live/*****.org/privkey.pem;

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;              # resumption via the shared cache only, no long-lived ticket key
ssl_stapling on;                      # OCSP stapling; nginx needs the resolver below to fetch responses
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;   # DH parameters for the EDH ciphers listed above

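The thread is about getting Emby's WebSocket connection through Cloudflare and nginx, and the SSL snippet above is only half of a site definition. The script below is an added example, not graphixmaker's config: it generates the other half, the server block that proxies to Emby with the HTTP/1.1 Upgrade handshake WebSockets need, plus a real_ip snippet so nginx logs the visitor's address (from CF-Connecting-IP) instead of the Cloudflare edge's. Assumptions not in the post: Emby listens on 127.0.0.1:8096, the hostname and certificate paths follow the Let's Encrypt layout shown above, the catch-all uses Ubuntu's ssl-cert "snakeoil" pair, and the stock nginx.conf includes conf.d/*.conf inside http{} (true on Debian/Ubuntu).

```shell
#!/bin/sh
# Added example (not graphixmaker's config): emit the nginx pieces that put
# Emby behind Cloudflare with WebSocket support and real client IPs.

CF_V4_URL="https://www.cloudflare.com/ips-v4"   # Cloudflare's published edge ranges
CF_V6_URL="https://www.cloudflare.com/ips-v6"

# CIDRs on stdin (one per line; blanks and # comments ignored) -> real_ip
# directives. Without this every request looks like it came from a Cloudflare
# edge, and access logs, fail2ban and Emby's own IP rules are blind.
emit_realip_snippet() {
    echo "# Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge"
    while IFS= read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        printf 'set_real_ip_from %s;\n' "$cidr"
    done
    echo "real_ip_header CF-Connecting-IP;"
}

# http{}-level map: send "Connection: upgrade" only when the client asked for it.
emit_websocket_map() {
    cat <<'EOF'
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
EOF
}

# The site. $1 = public hostname, $2 = Emby upstream host:port (assumed default).
emit_emby_site_conf() {
    host="$1"; upstream="${2:-127.0.0.1:8096}"
    cat <<EOF
# Catch-all: anything arriving by bare IP or an unknown Host is dropped.
# A throwaway self-signed cert here keeps the real hostname out of scans
# of the origin IP (an origin-discovery trick that defeats CF's IP hiding).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    return 444;
}

server {
    listen 443 ssl http2;
    server_name ${host};
    ssl_certificate     /etc/letsencrypt/live/${host}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${host}/privkey.pem;
    # plus the ssl_* directives from the snippet above, e.g. include snippets/ssl-params.conf;

    location / {
        proxy_pass http://${upstream};
        # WebSockets need HTTP/1.1 and the hop-by-hop Upgrade/Connection headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection \$connection_upgrade;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # Streams and idle sockets live a long time; don't let nginx cut them
        proxy_read_timeout 3600s;
        proxy_buffering off;
    }
}
EOF
}

# Write the three files and reload. Run as root: ./script --install emby.example.org
install_emby_site() {
    host="$1"; upstream="$2"
    { curl -fsS "$CF_V4_URL"; echo; curl -fsS "$CF_V6_URL"; echo; } \
        | emit_realip_snippet > /etc/nginx/conf.d/cloudflare-realip.conf
    emit_websocket_map > /etc/nginx/conf.d/websocket-map.conf
    emit_emby_site_conf "$host" "$upstream" > /etc/nginx/sites-available/emby
    ln -sf /etc/nginx/sites-available/emby /etc/nginx/sites-enabled/emby
    nginx -t && systemctl reload nginx
}

if [ "${1:-}" = "--install" ]; then
    install_emby_site "$2" "${3:-127.0.0.1:8096}"
fi
```

Cloudflare also has to have WebSockets switched on for the zone (Network settings), otherwise the Upgrade request never reaches nginx and Emby's client falls back to polling. The `return 444` default server is what pir8radio's later "throw an error to anyone connecting directly to your IP" amounts to in nginx terms.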

graphixmaker

For someone that has not yet ventured into CDN territory: can anyone with more experience on the matter tell me what the benefit is for a traditional Emby setup, without a reverse proxy?

 

Cheers,

anthonws.

 

For my needs it greatly improved my peering; obscuring my server's IP was just a bonus. My Emby server is hosted with online.net in Europe and I'm on the west coast. There were times during heavy traffic, mainly evenings, where we would get buffering in Kodi since I do not transcode. Using Cloudflare has completely eliminated all buffering for direct streaming. In fact it now performs as it did when I hosted the server locally. My wife was amazed when she couldn't even make it buffer by skipping way ahead in a movie.


horstepipe

hey @pir8radio

would you mind giving more guidance on how to set it up?

I'm running a rented vps for my Emby server.

Next step will obviously be to buy a domain name from GoDaddy, namecheap.com or whatever.

But what comes next?

I'm quite confused about how to connect the vps, domain name and cloudflare, especially at which service I should begin to set it up.

 

I'd really appreciate some help if you have the time.

Best regards


dcrdev

Here's a basic step-by-step, but you should do some research on your own.

 

  1. Buy a domain.
  2. Set up a CF (Cloudflare) account using the domain name.
  3. Change your domain's nameservers to CF's.
  4. On CF, under DNS, create an A record pointing to your server's IP.
  5. (Optional) If you have a dynamic IP then use a DDNS client with support for CF's API, to periodically update the DNS entries as your IP address changes. There are multiple clients out there, CF even has an official one - I just use a bash script with curl.
  6. Either set up a reverse proxy to Emby (if wanting to run multiple things off port 80/443), or just change Emby's public http port to 80 and public https port to 443.
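Step 5 mentions "a bash script with curl" for keeping the A record current. The script below is an added example written for this page, not dcrdev's script: it uses Cloudflare's v4 API to look up the zone and record, compares the record with the current public IP, and only writes when they differ. Assumptions: an API token scoped to DNS edit on the one zone, exported as CF_API_TOKEN, with CF_ZONE (example.org) and CF_RECORD (emby.example.org) also in the environment; the public IP comes from api.ipify.org, which is just one of many "what is my IP" endpoints. The record is created and updated as proxied, so the origin address never appears in public DNS, which is the whole point of the setup being discussed.

```shell
#!/bin/sh
# Added example (not dcrdev's script): minimal Cloudflare DDNS updater with curl.

CF_API="https://api.cloudflare.com/client/v4"

# JSON body for the A record. ttl=1 means "automatic" on Cloudflare;
# proxied=true keeps the orange cloud on so only edge IPs are published.
cf_record_payload() {
    name="$1"; ip="$2"
    printf '{"type":"A","name":"%s","content":"%s","ttl":1,"proxied":true}' "$name" "$ip"
}

# First "id" (Cloudflare ids are 32 hex chars) in an API response. With an
# exact-name filter the first id is the object asked for. jq is nicer if present.
json_first_id() {
    grep -o '"id":"[0-9a-f]\{32\}"' | head -n 1 | cut -d'"' -f4
}

# First "content" value, i.e. the IP currently stored in the record.
json_first_content() {
    grep -o '"content":"[^"]*"' | head -n 1 | cut -d'"' -f4
}

# Authenticated call; the caller supplies method, URL and body.
cf_api() {
    curl -fsS -H "Authorization: Bearer $CF_API_TOKEN" \
         -H "Content-Type: application/json" "$@"
}

# Look up zone and record, then create/update only when the IP changed.
cf_ddns_update() {
    zone="$1"; fqdn="$2"
    ip=$(curl -fsS https://api.ipify.org) || { echo "could not detect public IP" >&2; return 1; }
    zone_id=$(cf_api "$CF_API/zones?name=$zone" | json_first_id)
    [ -n "$zone_id" ] || { echo "zone $zone not found (token scope?)" >&2; return 1; }
    rec_json=$(cf_api "$CF_API/zones/$zone_id/dns_records?type=A&name=$fqdn")
    rec_id=$(printf '%s' "$rec_json" | json_first_id)
    current=$(printf '%s' "$rec_json" | json_first_content)
    if [ -z "$rec_id" ]; then
        cf_api -X POST "$CF_API/zones/$zone_id/dns_records" \
               --data "$(cf_record_payload "$fqdn" "$ip")" >/dev/null
        echo "created $fqdn -> $ip"
    elif [ "$current" != "$ip" ]; then
        cf_api -X PUT "$CF_API/zones/$zone_id/dns_records/$rec_id" \
               --data "$(cf_record_payload "$fqdn" "$ip")" >/dev/null
        echo "updated $fqdn: $current -> $ip"
    else
        echo "$fqdn already $ip"
    fi
}

# Only talk to the API when credentials are present, e.g. from cron every 5 minutes.
if [ -n "${CF_API_TOKEN:-}" ] && [ -n "${CF_ZONE:-}" ] && [ -n "${CF_RECORD:-}" ]; then
    cf_ddns_update "$CF_ZONE" "$CF_RECORD"
fi
```

Use a scoped API token rather than the account-wide Global API Key: if the VPS is compromised, the attacker can at most rewrite DNS for that one zone rather than take over the whole account.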

Jdiesel

horstepipe wrote: "would you mind giving more guidance on how to set it up? I'm running a rented vps for my Emby server. [...] I'm quite confused about how to connect the vps, domain name and cloudflare, especially at which service I should begin to set it up."

 

Depending on your needs it can be quite simple. In my setup I do not have a reverse proxy set up on my server and only use Cloudflare as a reverse proxy.

1. Register a domain name.

2. Generate an SSL certificate, either self-signed or CA-signed will work.

3. Ensure your Emby server is accessible from outside your network on port 443.

4. Create a Cloudflare account and enter your domain as domain.com or whatever it is.

5. Change the nameservers at your domain name provider to use Cloudflare's nameservers.

6. Wait for the switch to happen (should take less than 6 hours).

7. That's it, tweak your Cloudflare settings if you'd like based on feedback from members here.


horstepipe

Here's a basic step-by-step, but you should do some research on your own.

  • Either set up a reverse proxy to Emby (if wanting to run multiple things off port 80/443), or just change Emby's public http port to 80 and public https port to 443.

So when I plan on running a second service on port 443 I additionally have to set up nginx as a reverse proxy, or is this step done in CF, too?

Depending on your needs it can be quite simple. In my setup I do not have a reverse proxy set up on my server and only use Cloudflare as a reverse proxy.

2. Generate an SSL certificate, either self-signed or CA-signed will work.

I thought CF would provide a signed cert for my site?

So just for clarification, I do not have to set up anything on my VPS/the configuration page of my VPS provider to make the "connection" work in general? So there is no kind of verification that the person who sets up CF is the owner of the VPS?

 

Thank you very much guys.


dcrdev

 

 

So when I plan on running a second service on port 443 I additionally have to set up nginx as a reverse proxy, or is this step done in CF, too?

I thought CF would provide a signed cert for my site?

So just for clarification, I do not have to set up anything on my VPS/the configuration page of my VPS provider to make the "connection" work in general? So there is no kind of verification that the person who sets up CF is the owner of the VPS?

Thank you very much guys.

 

Yes, if you are running multiple services on ports 80/443, then a reverse proxy will give you the flexibility to run those services at domain.com/service or service.domain.com. If utilising subdomains, e.g. emby.domain.com, then you would also create CNAME records for those subdomains within CF; if using domain.com/emby then an A record is sufficient.

The reverse proxy would sit between CF and your server, so you would set this up separately using one of multiple solutions, e.g. Apache, nginx, HAProxy etc.

In regards to SSL - Cloudflare does present a valid certificate for your domain, but without implementing SSL at your end, the connection between your server and CF is unencrypted and therefore useless. If you absolutely have to do this then you need to enable flexible SSL in CF, see: https://support.cloudflare.com/hc/en-us/articles/202680024-Do-I-need-an-SSL-certificate-installed-on-my-server-

You can just use a self-signed cert; that will ensure that traffic is encrypted right along the chain. Since everyone who accesses your server will see the CF certificate, using a self-signed one at your end is not an issue here.


jscoys

horstepipe wrote: "would you mind giving more guidance on how to set it up? [...] Next step will obviously be to buy a domain name from GoDaddy, namecheap.com or whatever."

Let me know if you succeed with namecheap, I'm very interested in doing that too ;-)

 

 


jscoys

The only thing which sucks is that you need to use the port 80 from home, but my isp is blocking every incoming traffic to that port..

 

 


Jdiesel

The only thing which sucks is that you need to use the port 80 from home, but my isp is blocking every incoming traffic to that port..

 

 


You can try using one of these ports. Not sure if it will work or not as I don't have any experience with any port other than 443

 

https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with- 


pir8radio

horstepipe wrote: "would you mind giving more guidance on how to set it up? I'm running a rented vps for my Emby server. [...] I'm quite confused about how to connect the vps, domain name and cloudflare, especially at which service I should begin to set it up."

 

 

Looks like everyone beat me to it..    :)

 

But when you set up a VPS they will give you an internet IP address, sometimes a mini subnet of IPs. The VPS's NIC will have one of these addresses. That's what your DNS will point to. So you buy a domain name, change the domain name's DNS servers to CF, then set up CF to point to your VPS IP. In short, that's all. But there are some things you will learn along the way. ;)


horstepipe

Yeah, thank you very much guys, I'm digging into this within the next days.

I'm still a little confused about the SSL certificate. I thought when using https there has to be a self-signed cert anyway, but this doesn't seem to be true...?

If someone has a nice guide for obtaining a certificate from Let's Encrypt or generating a self-signed one on Ubuntu, I'd appreciate seeing it :-)


dcrdev

I'm still a little confused about the SSL certificate. [...] If someone has a nice guide for obtaining a certificate from Let's Encrypt or generating a self-signed one on Ubuntu, I'd appreciate seeing it :-)

 

It's been several years since I set this up, but I forgot that CF provides free origin certs now as well:

 

[screenshot: the Origin Certificates table on the Cloudflare SSL/TLS page]


horstepipe

It's been several years since I set this up, but I forgot that CF provides free origin certs now as well:

Thank you

Will I have to configure this in Emby or in Ubuntu in general?


dcrdev

Thank you

Will I have to configure this in Emby or in Ubuntu in general?

 

It depends which part of your server is the public facing part.

 

If you're just using Emby then you would need to import the certificate within Emby; you may have to convert the certificate into another format to do this.

 

If using a separate webserver as a reverse proxy, then you would specify the path to the certificate in your configuration for that.

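Two things asked for above, a self-signed origin certificate on Ubuntu and the "convert the certificate into another format" step for Emby, fit in one short script. This is an added example, not from any poster: it generates a key and self-signed certificate with openssl (enough for Cloudflare's "Full" mode, since visitors only ever see the edge certificate; "Full (strict)" needs a CA-signed or Cloudflare origin certificate instead) and bundles them as PKCS#12, the .pfx format Emby's custom certificate setting expects. Assumptions: openssl 1.1.1 or newer on the origin, the hostname and output directory are passed as arguments, and the bundle password defaults to "changeit" (Emby asks for it when you point it at the file).

```shell
#!/bin/sh
# Added example (not from the thread): self-signed origin cert + .pfx for Emby.

# Key + cert for hostname $1 into dir $2, valid $3 days (default 825).
# Writes origin.key and origin.crt (PEM, the form nginx wants).
make_selfsigned_origin() {
    host="$1"; dir="$2"; days="${3:-825}"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # -addext puts the name in subjectAltName too; modern clients ignore CN alone
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/origin.key" -out "$dir/origin.crt" 2>/dev/null || return 1
    chmod 600 "$dir/origin.key"
}

# Bundle key + cert from dir $1 into origin.pfx protected by password $2.
make_pkcs12_for_emby() {
    dir="$1"; pass="${2:-changeit}"
    openssl pkcs12 -export -inkey "$dir/origin.key" -in "$dir/origin.crt" \
        -out "$dir/origin.pfx" -passout "pass:$pass" || return 1
    chmod 600 "$dir/origin.pfx"
}

# Subject of the cert inside .pfx $1 (password $2): a sanity check that the
# bundle opens and carries the hostname you expect before handing it to Emby.
pkcs12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:${2:-changeit}" 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage: ./script emby.example.org [outdir] [password]
if [ -n "${1:-}" ]; then
    out="${2:-./emby-origin}"
    make_selfsigned_origin "$1" "$out" \
        && make_pkcs12_for_emby "$out" "${3:-changeit}" \
        && pkcs12_subject "$out/origin.pfx" "${3:-changeit}"
fi
```

The same `pkcs12 -export` line converts a Cloudflare origin certificate (the PEM key and certificate downloaded from the Origin Certificates page) for Emby; only the input file names change. The private key never needs to leave the VPS in either case.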

horstepipe

ok for now, a last question of understanding:

When everything is finished, my Emby server will be reachable on its domain name via Cloudflare, but also without Cloudflare on https://ip-of-my-vps:443, right? How can I make the Emby server reachable only via Cloudflare?


dcrdev

ok for now, a last question of understanding:

When everything is finished, my Emby server will be reachable on its domain name via Cloudflare, but also without Cloudflare on https://ip-of-my-vps:443, right? How can I make the Emby server reachable only via Cloudflare?

 

Could you try rephrasing that question? I don't understand what you're asking.

 

Once done, you'll be able to access Emby via CF with:

http://domain.com:80, https://domain.com:443 and also http/https://domain.com (without the port).

 

You'll also still be able to circumvent CF by going to your origin IP directly.


horstepipe
You'll also still be able to circumvent CF by going to your origin IP directly.

that's what I meant. Why should I want this and is there a way to prevent it?


dcrdev

that's what I meant. Why should I want this and is there a way to prevent it?

 

Not easily.

 

You would have to know which IP range CF uses and then use something like iptables, to create a rule that blocks all connections on 80/443 except those within that range.

 

But it's not necessary because you are the only one who knows the IP of your origin server. If someone does a DNS query on your domain, it'll return the IP of a CF node and not your server.

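The firewall approach dcrdev describes, written out as an added example (not dcrdev's rules): fetch the ranges Cloudflare publishes for exactly this purpose and allow 80/443 only from them. It uses nftables, the iptables successor on current Ubuntu; the logic is the same with iptables plus ipset. Assumptions: a Linux origin with nft installed, SSH and everything else handled by your existing firewall (this table only touches 80/443, so an admin session cannot lock itself out), and the two list URLs below. One caveat worth knowing: "you are the only one who knows the IP" stops being true once the origin turns up in a scan or a leaked header, and an attacker who knows it can still reach you through Cloudflare by pointing their own zone at your IP. The allowlist does not stop that; a name-based check on the origin (refuse unknown Host values) or Cloudflare's Authenticated Origin Pulls (the edge presents a client certificate your server requires) does.

```shell
#!/bin/sh
# Added example (not dcrdev's rules): restrict 80/443 to Cloudflare edge ranges.

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"

# CIDRs on stdin (v4 and v6 mixed, blank and # lines ignored) -> a complete
# nft ruleset: two interval sets plus an input chain that accepts web traffic
# from the sets and drops everything else on those ports.
cf_ranges_to_nft() {
    v4=""; v6=""
    while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;
            *:*)     v6="$v6${v6:+, }$cidr" ;;   # IPv6 prefixes contain colons
            *)       v4="$v4${v4:+, }$cidr" ;;
        esac
    done
    # nft rejects "elements = { }", so emit the clause only when non-empty
    v4_el=""; [ -n "$v4" ] && v4_el=" elements = { $v4 }"
    v6_el=""; [ -n "$v6" ] && v6_el=" elements = { $v6 }"
    cat <<EOF
table inet cf_only {
    set cf_v4 { type ipv4_addr; flags interval;$v4_el }
    set cf_v6 { type ipv6_addr; flags interval;$v6_el }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { 80, 443 } ip saddr @cf_v4 accept
        tcp dport { 80, 443 } ip6 saddr @cf_v6 accept
        tcp dport { 80, 443 } drop
    }
}
EOF
}

# Fetch the current lists, syntax-check the result, then replace the table.
# Re-run from cron (weekly is plenty): Cloudflare adds ranges occasionally,
# and a stale list silently drops traffic from the new edges.
cf_lockdown_apply() {
    tmp=$(mktemp) || return 1
    { curl -fsS "$CF_V4_URL"; echo; curl -fsS "$CF_V6_URL"; echo; } \
        | cf_ranges_to_nft > "$tmp"
    nft -c -f "$tmp" || { echo "generated ruleset failed nft -c" >&2; return 1; }
    # delete + load leaves a brief window with the ports open; acceptable here
    nft delete table inet cf_only 2>/dev/null || true
    nft -f "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    cf_lockdown_apply
fi
```

If Emby's own port (8096/8920 by default) is also open on the VPS, the allowlist above does nothing for it; either bind Emby to localhost behind the proxy or add those ports to the same rules.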

horstepipe


perfect, thank you!


pir8radio

that's what I meant. Why should I want this and is there a way to prevent it?

 

If you use nginx on your server as a reverse proxy, you can tell nginx to throw an error to anyone connecting directly to your IP and not looking for your host name.  


horstepipe

lol already having trouble setting up Emby using port 80/443.

I'm getting

 System.Net.Sockets.SocketException (0x80004005): Access denied

 

when trying to start Emby


Jdiesel

lol already having trouble setting up Emby using port 80/443.

I'm getting

 System.Net.Sockets.SocketException (0x80004005): Access denied

 

when trying to start Emby

 

What OS?
