Cloudflare CDN and Websockets


graphixmaker

horstepipe

I used custom ports before which worked without problems. Checked with netstat if something's using 80/443, but there's nothing


Jdiesel

Ubuntu (headless) 16.04

 

Linux does not allow non-root users to bind to low-level ports (below 1024). You can either run Emby as root or create an iptables rule to direct traffic from 443 to 8920.

 

 

https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux

Edited by Jdiesel
  • Like 1

horstepipe

Linux does not allow non-root users to bind to low-level ports (below 1024). You can either run Emby as root or create an iptables rule to direct traffic from 443 to 8920.

thank you, just came to my mind that cf also supports other ports, will try them at first.


Jdiesel

I was originally using an iptables rule like this:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8920

but have since gotten lazy and now run Emby as root

  • Like 2
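The options in this post (run as root, or stay on 8920 behind the redirect) and the capability route from the Stack Overflow link earlier in the thread can be told apart by reading /proc/<pid>/status. This is an added example, not code from the thread; the function names and the sample records are constructed here.

```shell
#!/bin/sh
# Added example: report how a process is able to listen on a port below 1024.
# Input is the text of /proc/<pid>/status; the sample records are constructed.

classify_bind_privilege() {
    status=$(cat)
    # "Uid:" lists real, effective, saved and filesystem UID; take the effective one.
    euid=$(printf '%s\n' "$status" | awk '$1 == "Uid:" { print $3 }')
    # "CapEff:" is the effective capability set as a hex bitmask.
    capeff=$(printf '%s\n' "$status" | awk '$1 == "CapEff:" { print $2 }')
    if [ -z "$euid" ] || [ -z "$capeff" ]; then
        echo unknown; return 1
    fi
    # CAP_NET_BIND_SERVICE is capability number 10.
    bind_bit=$(( (0x$capeff >> 10) & 1 ))
    if [ "$euid" -eq 0 ]; then
        echo root                 # running as root, far more than port 443 needs
    elif [ "$bind_bit" -eq 1 ]; then
        echo net_bind_service     # non-root user that holds the bind capability
    else
        echo unprivileged         # has to stay on a high port behind a redirect
    fi
}

# Constructed /proc/<pid>/status excerpt for a given UID and CapEff mask.
sample_status() {   # args: uid capeff
    printf 'Name:\tmediaserver\nUid:\t%s\t%s\t%s\t%s\nCapEff:\t%s\n' \
        "$1" "$1" "$1" "$1" "$2"
}

sample_status 0   0000003fffffffff | classify_bind_privilege
sample_status 998 0000000000000400 | classify_bind_privilege
sample_status 998 0000000000000000 | classify_bind_privilege
# Against a live process: classify_bind_privilege < /proc/<pid>/status
```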

horstepipe

ok one step forwar

 

I was originally using an iptables rule like this:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8920

but have since gotten lazy and now run Emby as root

why not just simply use one of the other ports supported by cf?

Ok http is half working, I'm getting a black screen, login doesn't show up. Guess now I have to dig into cloudflare's settings


Jdiesel

ok one step forwar

 

why not just simply use one of the other ports supported by cf?

Ok http is half working, I'm getting a black screen, login doesn't show up. Guess now I have to dig into cloudflare's settings

 

Honestly it is because I would rather type https://mydomain.com rather than http://mydomain.com:8443

  • Like 1

Jdiesel

@Jdiesel

maybe you have the command written down somewhere to convert the pem/key certificate files provided by cf into pfx needed by Emby server?

 

I'm not sure if I follow completely. Do you mean the pem/key from letsencrypt?

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
  • Like 1
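A check worth running on the resulting .pfx before loading it into the server: does the bundle open, does its private key belong to its certificate, and which host names does the certificate cover. This is an added example, not part of the original post; the file names, the host name media.example.com, the passphrase and the throwaway self-signed certificate are all constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check a PKCS#12 (.pfx) bundle before loading it.
# File names, host name and passphrase below are constructed for the demo.

# Public key (PEM) of the leaf certificate stored in the bundle.
pfx_cert_pubkey() {      # args: pfx passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null
}

# Public key (PEM) derived from the private key stored in the bundle.
pfx_key_pubkey() {       # args: pfx passphrase
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# Succeeds only if the bundle opens and its key belongs to its certificate.
pfx_key_matches_cert() { # args: pfx passphrase
    c=$(pfx_cert_pubkey "$1" "$2") && k=$(pfx_key_pubkey "$1" "$2") &&
        [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the leaf certificate is valid for the given host name.
pfx_covers_host() {      # args: pfx passphrase hostname
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -checkhost "$3" 2>/dev/null |
        grep -q 'does match certificate'
}

# Build a throwaway self-signed key/cert and export it the way the post does
# (no -certfile here because a self-signed demo cert has no chain).
make_demo_pfx() {        # args: directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=media.example.com" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -out "$1/certificate.pfx" \
        -inkey "$1/privkey.pem" -in "$1/cert.pem" -passout pass:demo-pass
}

demo_dir=$(mktemp -d)
make_demo_pfx "$demo_dir"
pfx_key_matches_cert "$demo_dir/certificate.pfx" demo-pass && echo "key matches cert"
pfx_covers_host "$demo_dir/certificate.pfx" demo-pass media.example.com && echo "name covered"
pfx_covers_host "$demo_dir/certificate.pfx" demo-pass 203.0.113.10 || echo "IP not covered"
```

The last check fails by design: a certificate issued for a host name does not cover the origin's bare IP address, which is why a browser warns when the server is opened by IP.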

horstepipe

 

I'm not sure if I follow completely. Do you mean the pem/key from letsencrypt?

openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

 

exactly, thank you very much.

I remember it was quite a headache for me finding out the correct commands the last time I had to do this :-)


horstepipe

mhh okay I added the certificate and now neither https nor http is working over cloudflare. I'm quite confused how to check what's going wrong. When trying to access the site cf says 502 bad gateway.

 

Edit: cf says bad gateway when entering http(s)://mydomain.com

When entering http(s)://mydomain.com:8443 it says 521 Web server is down

Edited by horstepipe

horstepipe

mhh okay I added the certificate and now neither https nor http is working over cloudflare. I'm quite confused how to check what's going wrong. When trying to access the site cf says 502 bad gateway.

 

Edit: cf says bad gateway when entering http(s)://mydomain.com

When entering http(s)://mydomain.com:8443 it says 521 Web server is down

 

Even if the cert needs some hours to become active, the plain http should still work, shouldn't it?


Jdiesel

Even if the cert needs some hours to become active, the plain http should still work, shouldn't it?

 

First step is to make sure you can connect to your server via https before Cloudflare is enabled. Once you are able to do so you can enable Cloudflare and update your nameservers at which point the transition should be seamless. 


horstepipe

First step is to make sure you can connect to your server via https before Cloudflare is enabled. Once you are able to do so you can enable Cloudflare and update your nameservers at which point the transition should be seamless. 

my server is reachable via https when using its origin IP address (it says connection is not safe, but I guess this is because the cert is for the domain name used with cloudflare)


Jdiesel

my server is reachable via https when using its origin IP address (it says connection is not safe, but I guess this is because the cert is for the domain name used with cloudflare)

 

What do you have entered in your external domain field? https://mydomain.com 


Jdiesel

You mean in Emby server advanced settings?

just

mydomain.com

without http/https

 

Yes, try adding the https://


horstepipe

ok looks like it just needs some more time whyever. Now the plain http site sometimes is reachable, sometimes 521 comes up.

Edited by horstepipe

horstepipe

Problem is solved, there was simply a second A-record which shouldn’t have been there, sorry for wasting your time on that.

 

Now I’m facing the same problem as the OP: The websockets don’t keep alive. I am not using nginx, only Cloudflare.

So for the guys who do not have this problem, could we please clarify if you’re on Cloudflare’s free or pro Plan?

I could imagine that this is a limitation of the free plan.

 

@graphixmaker

Have you already been able to solve the problem?

Edited by horstepipe

horstepipe

@Luke @Angelblue05

Is there anything you can do about it?

Cloudflare closes websockets after 100s of inactivity.

So a ping every 60 seconds from server to client or vice versa would be a possible solution.

Edited by horstepipe

dcrdev

Problem is solved, there was simply a second A-record which shouldn’t have been there, sorry for wasting your time on that.

 

Now I’m facing the same problem as the OP: The websockets don’t keep alive. I am not using nginx, only Cloudflare.

So for the guys who do not have this problem, could we please clarify if you’re on Cloudflare’s free or pro Plan?

I could imagine that this is a limitation of the free plan.

 

@graphixmaker

Have you already been able to solve the problem?

 

I'm on the free plan,

 

Up until about a year ago websockets weren't supported at all, now they are an advertised feature - I can assure you that if they were limited to 100s then they would be considered unsupported because it would defeat the purpose of websockets in the first place.

 

I have had no such issues with my configuration (albeit using Apache) - so I would suggest looking at your configuration again. 

  • Like 1

horstepipe

I'm on the free plan,

 

Up until about a year ago websockets weren't supported at all, now they are an advertised feature - I can assure you that if they were limited to 100s then they would be considered unsupported because it would defeat the purpose of websockets in the first place.

 

I have had no such issues with my configuration (albeit using Apache) - so I would suggest looking at your configuration again. 

 

Thanks, I'll do.

I'm running into another problem now.

My site is not reachable via cf, I'm getting "Too many open files" when trying to open it.


pir8radio

Problem is solved, there was simply a second A-record which shouldn’t have been there, sorry for wasting your time on that.

 

Now I’m facing the same problem as the OP: The websockets don’t keep alive. I am not using nginx, only Cloudflare.

So for the guys who do not have this problem, could we please clarify if you’re on Cloudflare’s free or pro Plan?

I could imagine that this is a limitation of the free plan.

 

@graphixmaker

Have you already been able to solve the problem?

 

 

@Luke @Angelblue05

Is there anything you can do about it?

Cloudflare closes websockets after 100s of inactivity.

So a ping every 60 seconds from server to client or vice versa would be a possible solution.

 

 

I have the free plan and no websocket issues.   I don't think there's anything the emby/kodi developers can do about it, we will have to find the issue in your setup. 
