jad3675, posted April 3, 2019:

I have my emby instance running behind a free cloudflare account. With the 'free' version of CF, there's no way to blacklist countries from connecting to the server. Enabling 'workers' in your account ($5/month for 10 million requests, .50 for each additional 1 million req) you can put a javascript worker in front of emby and have it check for origin country. If it's not in the allowed_countries var, you get redirected to aol.com. It's nothing too smart, but any little bit helps.

```javascript
// these countries get in
var allowed_countries = ['US'];
// Other countries can be added by the two char ISO country code
// Example:
// var allowed_countries = ['US', 'ES'];

addEventListener('fetch', event => {
  event.respondWith(Redirect(event.request))
})

// Linear search: true if needle is one of the entries in haystack
function inArray(needle, haystack) {
  var length = haystack.length;
  for (var i = 0; i < length; i++) {
    if (haystack[i] == needle) return true;
  }
  return false;
}

// Pick the hostname a visitor from this country should end up on
function mapCountry(country_code) {
  if (inArray(country_code, allowed_countries)) {
    return 'FQDN goes here';
  }
  // everyone else gets aol.com
  return 'www.aol.com';
}

async function Redirect(request) {
  var url = new URL(request.url);
  var correctHost = mapCountry(request.headers.get('CF-IPCountry'));

  if (correctHost !== url.hostname) {
    url.hostname = correctHost;
    console.log('redirecting to ' + url.href);
    return new Response('', {
      status: 301,
      headers: { 'Location': url.href }
    })
  }

  console.log('no redirect');
  const response = await fetch(request)
  return response
}
```

You could also change the response code from 301 to 404 if you don't want to do the redirect. I modified the script I found here: https://community.cloudflare.com/t/geoip-redirection-worker/14414?u=matteo

John

mastrmind11, posted April 3, 2019:

cool, thanks.

jad3675, posted April 5, 2019:

I couldn't leave well enough alone and came up with a cleaner solution.

```javascript
addEventListener('fetch', event => {
  event.respondWith(blockCountries(event.request))
})

// Add countries to this Set to allow them
const countries = new Set([
  "US", // United States
  "ES", // Spain
])

async function blockCountries(request) {
  // Get country value from request headers
  let country = request.headers.get('cf-ipcountry')

  // Find out if country is on the allow list
  let countryAllowed = countries.has(country)

  // If it's not on the allow list, give back a 404
  if (!countryAllowed) {
    return new Response("Page Not Found", { status: 404, statusText: "Page Not Found" })
  }

  // Catch-all return of the original response
  return await fetch(request)
}
```

denz, posted April 5, 2019:

This would be a good feature request for emby to only allow access from the country you are in.

Senna, posted April 5, 2019:

All of the above scripting only works if people are connecting with your domain name, right?

Carlo, posted April 5, 2019:

I'm going to assume this will only work for browser as well and not for Emby dedicated apps?

jad3675, posted April 5, 2019:

> I'm going to assume this will only work for browser as well and not for Emby dedicated apps?

It works with emby apps - they connect through https to your emby instance.

> All of the above scripting only works if people are connecting with your domain name, right?

Yes and through cloudflare - you wouldn't be directly connecting to an IP with CloudFlare.

John

C.S., posted April 5, 2019:

Quick question: I set up Emby and Cloudflare more or less like this guide suggests - https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

But this guide seems to have been written before the "Secure connection mode" option was added under the Advanced section. So I'm wondering should I set it to Required for all remote connections or should it be what I've got it at now: Handled by reverse proxy. Assume I have all the domain and certificate stuff already input under Advanced. I've had it set both ways and it seems to work either way. I'm just wondering what is proper. Thanks.

Carlo, posted April 5, 2019:

> It works with emby apps - they connect through https to your emby instance.
>
> Yes and through cloudflare - you wouldn't be directly connecting to an IP with CloudFlare.
>
> John

I only briefly read the post and just assumed this was javascript which would only work for clients that supported this. I DO need to go back and re-read this thread, but you've got my attention. Can you elaborate for us exactly what this does and how this works?

Much appreciated,
Carlo

Senna, posted April 5, 2019:

> Yes and through cloudflare - you wouldn't be directly connecting to an IP with CloudFlare.

Do you know you also have free Firewall Rules (5 available with free account) with your free Cloudflare account, which you can also do geo blocks with?

jad3675, posted April 5, 2019:

> I only briefly read the post and just assumed this was javascript which would only work for clients that supported this. I DO need to go back and re-read this thread, but you've got my attention. Can you elaborate for us exactly what this does and how this works?
>
> Much appreciated,
> Carlo

Sure - You first need to follow Awel's blog on how to set up CloudFlare in front of your public facing emby server: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

That part is free and provides a CDN backed reverse proxy for your public facing emby server - which, if you're allowing internet access to your emby, you really should use.

Once you have that set up, you need to enable 'workers' in your account. That will run you $5/month for 10 million requests. Once you have workers enabled, you just need to copy-n-paste the second javascript I posted - it runs on the CloudFlare edge servers and uses their infrastructure to run.

The script I provided uses CloudFlare to determine what your origin country is - and if the country is not in the list, it gives a 404. In my example, I have the US and Spain (ES) allowed. Every other country gets a 404.

John

jad3675, posted April 5, 2019 (edited April 5, 2019):

> Do you know you also have free Firewall Rules (5 available with free account) with your free Cloudflare account, which you can also do geo blocks with?

Being able to block with the firewall rules by country is a 'bug' currently that shouldn't be available to the free plans. They could yank it at any time. https://community.cloudflare.com/t/firewallaccessrules-api-not-entitled-country-block-code-10016/28475/4

John

Senna, posted April 5, 2019:

> Being able to block with the firewall rules by country is a 'bug' currently that shouldn't be available to the free plans. They could yank it at any time. https://community.cloudflare.com/t/firewallaccessrules-api-not-entitled-country-block-code-10016/28475/4
>
> John

Your information is superseded, because of new Cloudflare policy regarding Firewall rules: https://blog.cloudflare.com/announcing-firewall-rules/

This is the official Cloudflare FAQ now, how many rules you can use with each plan:

jad3675, posted April 5, 2019 (edited April 5, 2019):

> Your information is superseded, because of new Cloudflare policy regarding Firewall rules: https://blog.cloudflare.com/announcing-firewall-rules/
>
> This is the official Cloudflare FAQ now, how many rules you can use with each plan:

Fair enough, but I *think* the ability to block by country isn't meant for the free plans and it may revert to 'challenge' at some point. Regardless, as long as it works it's a great feature to use.

John

pir8radio, posted April 5, 2019:

why wouldn't I just use a vpn and pick the country that you allow and bypass this?

jad3675, posted April 6, 2019:

> why wouldn't I just use a vpn and pick the country that you allow and bypass this?

Because it is just meant to help cut down on bot-driven malicious scanning. It's not the end all of security - but any little bit does help.

John

pir8radio, posted April 6, 2019:

> Because it is just meant to help cut down on bot-driven malicious scanning. It's not the end all of security - but any little bit does help.
>
> John

ehhhh.... I mean most of these scanners on the web use edge servers to do their work, meaning the server is usually in the country of the IP it's scanning and wouldn't be restricted. It might limit some of the search engine bots and such.. I dunno, just seems you should secure your server then you don't need to hide it.

metsuke, posted April 6, 2019:

Note that although using these Cloudflare firewall rules, which I do, prevents users from other countries from hitting your domain name, it does not prevent them from hitting your IP. I get very few hits on the Cloudflare firewall event log, whereas my router logged many thousands of attempts just today against my IP.

jad3675, posted April 6, 2019:

> Note that although using these Cloudflare firewall rules, which I do, prevents users from other countries from hitting your domain name, it does not prevent them from hitting your IP. I get very few hits on the Cloudflare firewall event log, whereas my router logged many thousands of attempts just today against my IP.

If your router supports it only allow the CF IPs inbound tcp/443. Drop everything else.

John

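Added example, not part of any post in this thread: a JavaScript model of the router rule described above (accept only the proxy's source ranges on tcp/443, drop the rest), run over constructed log lines to show which connections would still reach the server. The ranges are placeholder documentation blocks, the log format and function names are hypothetical, and only IPv4 is handled.

```javascript
// Placeholder proxy ranges (RFC 5737 documentation blocks, constructed for
// this example); substitute the ranges Cloudflare publishes before real use.
const PROXY_RANGES = ["198.51.100.0/24", "203.0.113.0/25"];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((n, p) => n * 256 + Number(p), 0) : null;
}

// True if ip lies inside cidr ("a.b.c.d/len"); division avoids signed 32-bit shifts.
function inCidr(ip, cidr) {
  const [base, lenStr] = cidr.split("/");
  const len = Number(lenStr);
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  if (!/^\d{1,2}$/.test(lenStr || "") || len > 32) return false;
  const size = 2 ** (32 - len); // number of addresses in the block
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Effect of "allow proxy ranges to tcp/443, drop everything else" on one packet.
function verdict(srcIp, dstPort, ranges = PROXY_RANGES) {
  const viaProxy = ranges.some((r) => inCidr(srcIp, r));
  return viaProxy && dstPort === 443 ? "ACCEPT" : "DROP";
}

// Constructed router log lines in a hypothetical "<src-ip> <dst-port>" format.
const SAMPLE_LOG = [
  "198.51.100.7 443",  // proxy range, tcp/443: reaches the server
  "203.0.113.200 443", // just outside the /25: direct hit on the IP
  "192.0.2.15 443",    // direct hit on the IP
  "198.51.100.9 80",   // proxy range but not tcp/443
  "not-an-ip 443",     // malformed source fails closed
];

function summarize(lines, ranges = PROXY_RANGES) {
  const out = { ACCEPT: 0, DROP: 0, dropped: [] };
  for (const line of lines) {
    const [ip, port] = line.trim().split(/\s+/);
    const v = verdict(ip, Number(port), ranges);
    out[v] += 1;
    if (v === "DROP") out.dropped.push(ip);
  }
  return out;
}
console.log(summarize(SAMPLE_LOG));
```

With this rule in place the country check in the Worker is the only path to the server; without it, the direct hits in the sample never pass through the Worker at all.
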
metsuke, posted April 6, 2019:

> If your router supports it only allow the CF IPs inbound tcp/443. Drop everything else.
>
> John

That also implies that cloudflare will act as your proxy, which should be fine for many, but I have it off for my setup. In some instances, I run into issues with the caching and quasi-SSL support.