
Extra Security with Cloudflare



jad3675

I have my emby instance running behind a free Cloudflare account. With the 'free' version of CF, there's no way to blacklist countries from connecting to the server. Enabling 'workers' in your account ($5/month for 10 million requests, $0.50 for each additional 1 million requests) you can put a JavaScript worker in front of emby and have it check for the origin country.

If it's not in the allowed_countries var, you get redirected to aol.com.

It's nothing too smart, but any little bit helps.

// These countries get in
var allowed_countries = ['US'];
// Other countries can be added by the two char ISO country code
// Example:
// var allowed_countries = ['US', 'ES'];

addEventListener('fetch', event => {
  event.respondWith(Redirect(event.request))
})

function inArray(needle, haystack) {
  var length = haystack.length;
  for (var i = 0; i < length; i++) {
    // Compare each element (not the whole array) with the needle
    if (haystack[i] === needle) return true;
  }
  return false;
}

function mapCountry(country_code) {
  if (inArray(country_code, allowed_countries)) {
    return 'FQDN goes here';
  }
  // everyone else gets aol.com
  return 'www.aol.com';
}

async function Redirect(request) {
  var url = new URL(request.url);

  // CF-IPCountry is set by Cloudflare from the connecting client's IP
  var correctHost = mapCountry(request.headers.get('CF-IPCountry'));

  if (correctHost !== url.hostname) {
    url.hostname = correctHost;
    console.log('redirecting to ' + url.href);
    return new Response('', {
      status: 301,
      headers: {
        'Location': url.href
      }
    })
  }

  console.log('no redirect');
  const response = await fetch(request)
  return response
}


You could also change the response code from 301 to 404 if you don't want to do the redirect.

I modified the script I found here:

https://community.cloudflare.com/t/geoip-redirection-worker/14414?u=matteo

John

jad3675

I couldn't leave well enough alone and came up with a cleaner solution.

 

addEventListener('fetch', event => {
  event.respondWith(blockCountries(event.request))
})

// Add countries to this Set to allow them
const countries = new Set([
  "US", // United States
  "ES", // Spain
])

async function blockCountries(request) {
  // Get the country value Cloudflare sets from the client's IP
  let country = request.headers.get('cf-ipcountry')

  // Find out if the country is on the allow list
  // (a missing header yields null, which is not in the Set, so it is denied)
  let countryAllowed = countries.has(country)

  // If it is not allowed, give back a 404
  if (!countryAllowed) {
    return new Response("Page Not Found",
      { status: 404, statusText: "Page Not Found" })
  }

  // Catch-all return of the original response
  return await fetch(request)
}

denz

This would be a good feature request for emby to only allow access from the country you are in.


Senna

All of the above scripting only works if people are connecting with your domain name, right?

I'm going to assume this will only work for browser as well and not for Emby dedicated apps?


jad3675

I'm going to assume this will only work for browser as well and not for Emby dedicated apps?

It works with emby apps - they connect through https to your emby instance.

All of the above scripting only works if people are connecting with your domain name, right?

Yes and through cloudflare - you wouldn't be directly connecting to an IP with CloudFlare.

John

Quick question: I set up Emby and Cloudflare more or less like this guide suggests - https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

 

But this guide seems to have been written before the "Secure connection mode" option was added under the Advanced section. So I'm wondering should I set it to Required for all remote connections or should it be what I've got it at now: Handled by reverse proxy. Assume I have all the domain and certificate stuff already input under Advanced.

 

I've had it set both ways and it seems to work either way. I'm just wondering what is proper. Thanks.


It works with emby apps - they connect through https to your emby instance.

 

 

Yes and through cloudflare - you wouldn't be directly connecting to an IP with CloudFlare.

 

John

I only briefly read the post and just assumed this was javascript which would only work for clients that supported this.

I DO need to go back and re-read this thread, but you've got my attention. :)

 

Can you elaborate for us exactly what this does and how this works?

 

 

Much appreciated,

Carlo


Senna

Yes and through cloudflare - you wouldn't be directly connecting to an IP with CloudFlare.

Do you know you also have free Firewall Rules (5 available with a free account) in your free Cloudflare account, which you can also do geo blocks with?

jad3675

I only briefly read the post and just assumed this was javascript which would only work for clients that supported this.

I DO need to go back and re-read this thread, but you've got my attention. :)

 

Can you elaborate for us exactly what this does and how this works?

 

 

Much appreciated,

Carlo

 

Sure - you first need to follow Awel's blog on how to set up CloudFlare in front of your public-facing emby server:

https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

That part is free and provides a CDN-backed reverse proxy for your public-facing emby server - which, if you're allowing internet access to your emby, you really should use. Once you have that set up, you need to enable 'workers' in your account. That will run you $5/month for 10 million requests. Once you have workers enabled, you just need to copy-n-paste the second JavaScript I posted - it runs on the CloudFlare edge servers and uses their infrastructure to run. The script I provided uses CloudFlare to determine what your origin country is - and if the country is not in the list, it gives a 404. In my example, I have the US and Spain (ES) allowed. Every other country gets a 404.

John

jad3675

Do you know you also have free Firewall Rules (5 available with free account) with your free Cloudflare account, where you also can do Geo blocks with ?

 

Being able to block with the firewall rules by country is a 'bug' currently that shouldn't be available to the free plans. They could yank it at any time.

https://community.cloudflare.com/t/firewallaccessrules-api-not-entitled-country-block-code-10016/28475/4

 

John

Edited by jad3675

Senna

Being able to block with the firewall rules by country is a 'bug' currently that shouldn't be available to the free plans. They could yank it at any time.

https://community.cloudflare.com/t/firewallaccessrules-api-not-entitled-country-block-code-10016/28475/4

 

John

Your information is superseded because of the new Cloudflare policy regarding Firewall Rules:

[attached image: Firewall_Rules_CF_announce]

https://blog.cloudflare.com/announcing-firewall-rules/

This is now the official Cloudflare FAQ on how many rules you can use with each plan:

[attached image: Firewall_Rules_CF.png]

jad3675

Your information is superseded because of the new Cloudflare policy regarding Firewall Rules:

[attached image: Firewall_Rules_CF_announce]

https://blog.cloudflare.com/announcing-firewall-rules/

This is now the official Cloudflare FAQ on how many rules you can use with each plan:

[attached image: Firewall_Rules_CF.png]

 

Fair enough, but I *think* the ability to block by country isn't meant for the free plans and it may revert to 'challenge' at some point.

 

Regardless, as long as it works it's a great feature to use.

 

John

Edited by jad3675

pir8radio

Why wouldn't I just use a VPN, pick the country that you allow, and bypass this?

jad3675

why wouldn't I just use a vpn and pick the country that you allow and bypass this?

 

Because it is just meant to help cut down on bot-driven malicious scanning. It's not the end all of security - but any little bit does help.

 

John


pir8radio

Because it is just meant to help cut down on bot-driven malicious scanning. It's not the end all of security - but any little bit does help.

 

John

 

Ehhhh.... :) I mean most of these scanners on the web use edge servers to do their work, meaning the server is usually in the country of the IP it's scanning and wouldn't be restricted. It might limit some of the search engine bots and such. I dunno, it just seems you should secure your server, then you don't need to hide it.

metsuke

Note that although using these Cloudflare firewall rules, which I do, prevents users from other countries from hitting your domain name, it does not prevent them from hitting your IP. I get very few hits on the Cloudflare firewall event log, whereas my router logged many thousands of attempts just today against my IP.

jad3675

Note that although using these Cloudflare firewall rules, which I do, prevents users from other countries from hitting your domain name, it does not prevent them from hitting your IP. I get very few hits on the Cloudflare firewall event log, whereas my router logged many thousands of attempts just today against my IP.

If your router supports it, only allow the CF IPs inbound on tcp/443. Drop everything else.

 

John
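One concrete way to carry out the advice above on a Linux box, as an added example that is not from the thread: a POSIX shell script that turns Cloudflare's published IPv4 ranges into an nftables ruleset admitting only those ranges to tcp/443 and dropping other inbound Internet traffic. The CIDRs embedded here are constructed placeholders, and LAN_CIDR and the table name are assumptions; the real list is published at https://www.cloudflare.com/ips-v4 (and ips-v6).

```shell
#!/bin/sh
# Added example, not from the thread: generate an nftables ruleset that only
# lets Cloudflare's edge ranges reach tcp/443 and drops everything else from
# the Internet. The CIDRs below are constructed placeholders; feed the real
# list (https://www.cloudflare.com/ips-v4) on stdin. LAN_CIDR is an assumed
# local range so LAN clients keep reaching the server directly.
set -eu

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Read one CIDR per line from stdin and emit a comma-separated nft set body.
# Lines that do not look like a.b.c.d/n are dropped, so a truncated download
# or an HTML error page cannot slip junk into the ruleset.
cidrs_to_set() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' | paste -sd, -
}

# Print the complete ruleset for the CIDR list on stdin. Fails, instead of
# printing an empty set that would lock Cloudflare out, if nothing valid came in.
gen_ruleset() {
  elems=$(cidrs_to_set)
  [ -n "$elems" ] || { echo "gen_ruleset: no valid CIDRs supplied" >&2; return 1; }
  cat <<EOF
table inet emby_edge {
  set cf_v4 {
    type ipv4_addr
    flags interval
    elements = { $elems }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr $LAN_CIDR accept
    tcp dport 443 ip saddr @cf_v4 accept
  }
}
EOF
}

# Constructed sample input (TEST-NET ranges plus one junk line to be filtered).
SAMPLE_CIDRS='203.0.113.0/24
198.51.100.0/24
not-a-cidr'

# Usage: curl -fsS https://www.cloudflare.com/ips-v4 | gen_ruleset > cf.nft
# Review cf.nft, then load it with: nft -f cf.nft
```

Re-run the generator whenever Cloudflare updates its ranges, since a stale set silently blocks new edge addresses.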


metsuke

If your router supports it only allow the CF IPs inbound tcp/443. Drop everything else.

 

John

 

That also implies that Cloudflare will act as your proxy, which should be fine for many, but I have it off for my setup. In some instances, I run into issues with the caching and quasi-SSL support.
