HOW TO: emby with NGINX - With Windows Specific Tips and CSP options


pir8radio

Tur0k
On 9/20/2021 at 9:47 AM, judgey said:

Hey mate, I'm trying your config out but I get the following error

Sep 20 17:45:30 Emby nginx[3410328]: nginx: [emerg] "worker_processes" directive is not allowed here in /etc/nginx/sites-enabled/emby:1
Sep 20 17:45:30 Emby nginx[3410328]: nginx: configuration file /etc/nginx/nginx.conf test failed
 

There are 2 ways to set up NGINX. One is centralized in your main nginx.conf file at the root of your nginx install (for me this was in /etc/nginx/nginx.conf). I believe this is the preferred method because you can separate by subdomain (stuff before the ".mydomain.com" instead of after it; classically, using space to the right of your "mydomain.com" tends to break navigation in the emby app) and it is easier for others to help with diagnostics. The other way to configure nginx is separate files under /etc/nginx/sites-enabled/emby (older versions of nginx) or /etc/nginx/conf.d/xxx.conf (pir8radio's config file does not belong here).

We need to know which version of nginx you are running and which OS platform you are running on.  If it is a Linux distribution you should be able to run:

nginx -v

My suspicion is that you may have put pir8radio's config in the wrong location.  If that is the case I would rename the file in question to "filename.conf.bak".  

Also note, at minimum you need to update two of the rows in pir8radio's config (see below) with your environmental variable (public subdomain and your emby server):

server_name emby.domainname.com;    ## enter your service name and domain name here example emby.domainname.com
proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.

I am running Ubuntu 20.04 and I ended up needing to put pir8radio's config (with my environmental variables) in /etc/nginx/nginx.conf.  The below is how I did it in Ubuntu 20.04; your command structure may differ based on OS and permissions:

sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak 
sudo nano /etc/nginx/nginx.conf

These commands back up the OEM nginx.conf file and create a new blank nginx.conf file.  I then put pir8radio's config (with my environmental variable) in this new file, saved it (ctrl o) and exited the file (ctrl x). Then I tested my nginx config (the below is how I did it in Ubuntu 20.04; your command structure may differ based on OS and permissions):

sudo nginx -t

At this point I had 2 failures:

1. Missing SSL certificate

2. I had to create the logs subdirectory and the error.log file in it. 

If your config does not fail you can reload your nginx config (the below is how I did it in Ubuntu 20.04; your command structure may differ based on OS and permissions):

sudo nginx -s reload

Let us know if this gets you unstuck.  

Edited by Tur0k
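How the two layouts described in this post fit together, and why the quoted "[emerg] ... not allowed here" error appears, as an added example (not pir8radio's config and not part of the original post). It assumes the stock Debian/Ubuntu include of sites-enabled; emby.example.com and the certificate paths are placeholders.

```nginx
## ===== FILE 1: /etc/nginx/nginx.conf (main context) =====
## Process-wide directives are valid ONLY at this top level.
user www-data;
worker_processes auto;      ## main-context directive: rejected inside http { } or an included site file
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    error_log /var/log/nginx/error.log warn;   ## the directory must already exist

    ## Every file matched below is parsed INSIDE http { }.
    ## A full nginx.conf pasted into one of them therefore fails on its first
    ## line with: "worker_processes" directive is not allowed here
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

## ===== FILE 2: /etc/nginx/sites-enabled/emby (http context) =====
## Starts directly with server { }: no user, worker_processes, events or http lines.
server {
    listen 443 ssl http2;
    server_name emby.example.com;                                  ## placeholder name

    ssl_certificate     /etc/nginx/ssl/emby.example.com/cert.pem;  ## placeholder path
    ssl_certificate_key /etc/nginx/ssl/emby.example.com/key.pem;   ## placeholder path

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After editing either file, `sudo nginx -t` validates the result and `sudo nginx -T` prints the merged configuration with every include expanded, which shows the context each line ends up in.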

judgey

Hey, thanks for the tips. Because the default config is being used I have had to go back to my original config. Here is my current config; any tips would be great. I'm a newbie so guidance is appreciated, thank you.

 

 

server {
    if ($host = emby.xxx.stream) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name emby.xxx.stream;
    return 301 https://$server_name$request_uri;


}


server {
    listen 443 ssl http2;    ## Listens on port 443 IPv4 with http2 and ssl enabled

    server_name emby.xxx.stream;    ## enter your service name and domain name here example emby.domainname.com

    add_header Strict-Transport-Security "max-age=31536000";
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/emby.xxx.stream/emby.xxx.stream.cert.pem; # managed by Certbot
    ssl_certificate_key /etc/nginx/ssl/emby.xxx.stream/emby.xxx.stream.key.pem; # managed by Certbot
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    client_max_body_size 0;


    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

        ## ADDITIONAL SECURITY SETTINGS ##
        ## Optional settings to improve security ##
        ## add these after you have completed your testing and ssl setup ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }

}
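The TLS and response-header part of the config above with its weak settings tightened, as an added example (not judgey's or pir8radio's own config). The cipher list is a common forward-secret AEAD selection chosen for this example; widen it only if a client you must support cannot connect.

```nginx
server {
    listen 443 ssl http2;
    server_name emby.xxx.stream;

    ssl_certificate     /etc/nginx/ssl/emby.xxx.stream/emby.xxx.stream.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/emby.xxx.stream/emby.xxx.stream.key.pem;

    ## Posted config: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ## TLS 1.0 and 1.1 are deprecated (RFC 8996). Keep 1.2 and enable 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    ## Posted config: a long list that still falls back to CBC, static-RSA
    ## and 3DES (DES-CBC3-SHA) suites. Offer only ECDHE key exchange with AEAD ciphers.
    ## (ssl_ciphers governs TLS 1.2; TLS 1.3 suites come from the OpenSSL defaults.)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   ## every remaining suite is strong, so let the client choose
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 30m;
    ssl_session_tickets off;

    ## proxy_hide_header X-Powered-By strips a header set by the BACKEND.
    ## The nginx version in the Server header and error pages is controlled here:
    server_tokens off;

    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ## add_header lines are inherited from the server level ONLY when the
        ## location defines none of its own. The posted config set HSTS at both
        ## levels with different max-age values; only the location's copy was sent.
        ## Define each header once, here. "preload" is left out: hstspreload.org
        ## also requires includeSubDomains and max-age of at least 31536000.
        add_header Strict-Transport-Security "max-age=15552000" always;
        add_header Referrer-Policy "origin-when-cross-origin" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        ## X-XSS-Protection is omitted: current browsers have removed the filter it controlled.

        ## WEBSOCKET SETTINGS
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

Check what is actually served with `curl -sI https://emby.xxx.stream/` for the headers and `openssl s_client -connect emby.xxx.stream:443 -tls1_1` to confirm that the old protocol is refused.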

 


LeidenSpain
On 10/1/2021 at 4:50 PM, pir8radio said:

The config can be intimidating at first..  but it's really easy to learn, if you have any kind of coding experience that helps (html even), but I would suggest not using the proxy manager.. but that is really just my opinion since I've never used one, it's hard for me to help troubleshoot..   I have no clue what the manager is doing to the configs..    it could be you change something manually, and the manager moves and rewrites things based on what it thinks is correct.

Some colleagues from a Telegram group (who really control and whom I thank for all the help) have looked at the custom configuration that can be entered in npm:

    proxy_hide_header X-Powered-By;   ## Hides nginx server version from bad guys.
    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
    proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

## ADDITIONAL SECURITY SETTINGS ##
## Optional settings to improve security ##
## add these after you have completed your testing and ssl setup ##
## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
    add_header 'Referrer-Policy' 'origin-when-cross-origin';
    add_header Strict-Transport-Security "max-age=15552000; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

 

Unfortunately the problem persists.
I don't know if with this new configuration you want me to send you a record.

Regards

 


pir8radio
On 10/6/2021 at 4:38 PM, LeidenSpain said:

Some colleagues from a Telegram group (who really control and whom I thank for all the help) have looked at the custom configuration that can be entered in npm:




    proxy_hide_header X-Powered-By;   ## Hides nginx server version from bad guys.
    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
    proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

## ADDITIONAL SECURITY SETTINGS ##
## Optional settings to improve security ##
## add these after you have completed your testing and ssl setup ##
## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
    add_header 'Referrer-Policy' 'origin-when-cross-origin';
    add_header Strict-Transport-Security "max-age=15552000; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

 

Unfortunately the problem persists.
I don't know if with this new configuration you want me to send you a record.

Regards

 

So you are still getting an nginx error?   Have you tried running a legit stand-alone version of nginx?

 

 

Edited by pir8radio
  • Like 1

LeidenSpain
9 hours ago, pir8radio said:

So you are still getting an nginx error?   Have you tried running a legit stand-alone version of nginx?

 

 

Good Morning,

Sorry, it's true, I have not specified what error continues:
With that configuration NPM does not give an error and it works, but emby in the MiStick still does not log in.

Regards


On 10/6/2021 at 1:08 PM, judgey said:

Hey, thanks for the tips. Because the default config is being used I have had to go back to my original config. Here is my current config; any tips would be great. I'm a newbie so guidance is appreciated, thank you.

 

 


server {
    if ($host = emby.xxx.stream) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name emby.xxx.stream;
    return 301 https://$server_name$request_uri;


}


server {
    listen 443 ssl http2;    ## Listens on port 443 IPv4 with http2 and ssl enabled

    server_name emby.xxx.stream;    ## enter your service name and domain name here example emby.domainname.com

    add_header Strict-Transport-Security "max-age=31536000";
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/nginx/ssl/emby.xxx.stream/emby.xxx.stream.cert.pem; # managed by Certbot
    ssl_certificate_key /etc/nginx/ssl/emby.xxx.stream/emby.xxx.stream.key.pem; # managed by Certbot
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    client_max_body_size 0;


    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

        ## ADDITIONAL SECURITY SETTINGS ##
        ## Optional settings to improve security ##
        ## add these after you have completed your testing and ssl setup ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }

}

 

ok, couple questions:
1. is this config in "/etc/nginx/nginx.conf" or is this in "/etc/nginx/sites-enabled/emby"

2. Is your NGINX installed on the same server as your emby server?


10 hours ago, Tur0k said:

ok, couple questions:
1. is this config in "/etc/nginx/nginx.conf" or is this in "/etc/nginx/sites-enabled/emby"

2. Is your NGINX installed on the same server as your emby server?

Hey, so it's in /etc/nginx/sites-enabled/emby and nginx is on the same server mate.


  • 3 weeks later...
On 12/16/2020 at 10:34 AM, pir8radio said:

With NGINX or any reverse proxy ahead of an application server you have more control over your setup.

Hi! First I want to say thank you because following your proxy settings helped me solve an issue I was having. Could you or anyone provide a link or documentation where I can read what each header or proxy command is doing? For example, I don't understand these commands (they are not part of your setup) that I found:

add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
proxy_buffering off;
proxy_set_header Connection "Upgrade";

 


pir8radio
On 10/28/2021 at 9:44 PM, Meyaez said:

Hi! First I want to say thank you because following your proxy settings helped me solve an issue I was having. Could you or anyone provide a link or documentation where I can read what each header or proxy command is doing? For example, I don't understand these commands (they are not part of your setup) that I found:

add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
proxy_buffering off;
proxy_set_header Connection "Upgrade";

 

Here are all of the proxy module settings..    things that start with proxy_     http://nginx.org/en/docs/http/ngx_http_proxy_module.html

The reason buffering is off is so that when streaming video, it's already broken into chunks by emby, and you don't want nginx messing with those chunks on its own.

The "add header" and "set header" are nginx injecting headers that are not there, allowing them to pass, or removing them.   So what you really want to google is what the actual header does..     like   x-robots-tag    google that,  and  x-download-options.       The connection header is for websockets..    look at my example config, I broke the websockets out into its own chunk.     🙂

Edited by pir8radio

  • 2 weeks later...
horstepipe

hey @pir8radio or anybody else,

could you please tell me how to make the nginx' error_log show origin IPs in its log instead of cloudflare's ones? So how can I tell it to use $http_CF_Connecting_IP in error log (but keeping the error message intact)? This is for fail2ban for another service.

Best regards


pir8radio
8 hours ago, horstepipe said:

hey @pir8radio or anybody else,

could you please tell me how to make the nginx' error_log show origin IPs in its log instead of cloudflare's ones? So how can I tell it to use $http_CF_Connecting_IP in error log (but keeping the error message intact)? This is for fail2ban for another service.

Best regards

did ya' look at the config above in post #1?  🙂     I have a little note about connecting ip in there.  Just for you buddy...  😄 

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

 

Edited by pir8radio

horstepipe
4 hours ago, pir8radio said:

did ya' look at the config above in post #1?  🙂     I have a little note about connecting ip in there.  Just for you buddy...  😄 

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

 

Hey 

Sorry, you misunderstood.

My question is not related to Emby but to nginx in general. I have an app (BookStack) which writes missed login attempts to the nginx ERROR log. So I need to change the log type THERE.
I'm not able to find a way of doing that 😕


pir8radio
10 hours ago, horstepipe said:

Hey 

Sorry, you misunderstood.

My question is not related to Emby but to nginx in general. I have an app (BookStack) which writes missed login attempts to the nginx ERROR log. So I need to change the log type THERE.
I'm not able to find a way of doing that 😕

Ohhh, I did misunderstand, sorry...    but it sounds like it still runs behind nginx, right?       Your original question said "tell me how to make the nginx' error_log show origin IPs"   so that same info in the example config would work for that other app too....    or am I still missing something?


horstepipe
45 minutes ago, pir8radio said:

Ohhh, I did misunderstand, sorry...    but it sounds like it still runs behind nginx, right?       Your original question said "tell me how to make the nginx' error_log show origin IPs"   so that same info in the example config would work for that other app too....    or am I still missing something?

Yes

The problem is that the failed login attempt (by php) is being written to the nginx ERROR log, not the nginx access log.
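For the error-log case in this exchange: error_log has no configurable format, but nginx's realip module (ngx_http_realip_module) replaces $remote_addr itself, and that value is what the error log prints as "client:". This is an added example, not from the posts above; the set_real_ip_from ranges are documentation placeholders standing in for the list published at https://www.cloudflare.com/ips/, and app.example.com is a placeholder name.

```nginx
http {
    ## Requires ngx_http_realip_module (--with-http_realip_module when built
    ## from source; distribution packages normally include it).

    ## Trust CF-Connecting-IP ONLY when the TCP peer is a Cloudflare edge.
    ## PLACEHOLDER ranges: substitute every range from https://www.cloudflare.com/ips/
    set_real_ip_from 192.0.2.0/24;
    set_real_ip_from 2001:db8::/32;
    real_ip_header CF-Connecting-IP;

    ## From here on $remote_addr is the visitor's address in:
    ##   - access_log formats that use $remote_addr
    ##   - error_log lines, in the fixed "client: <addr>" field
    ##   - allow/deny, limit_req and limit_conn keys
    ## $realip_remote_addr keeps the original peer (the Cloudflare edge).
    log_format realip '$remote_addr via $realip_remote_addr [$time_local] '
                      '"$request" $status $body_bytes_sent';

    server {
        listen 443 ssl;
        server_name app.example.com;          ## placeholder
        access_log /var/log/nginx/app.access.log realip;
        error_log  /var/log/nginx/app.error.log warn;

        ## A request arriving from outside the trusted ranges keeps its real
        ## peer address; its CF-Connecting-IP header is ignored, so a client
        ## that reaches the origin directly cannot make fail2ban ban a
        ## third party by forging the header.
    }
}
```

Because packets still arrive from Cloudflare addresses, a ban that fail2ban applies in the local firewall never matches the visitor; the ban has to be enforced in nginx or at the Cloudflare edge.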


  • 3 weeks later...

So, I'm just curious. With a reverse proxy is it required to use https:// in front of the server address in emby apps?

I have my emby in a sub-directory behind a reverse proxy. In a browser all http traffic is redirected to https, but when I try either http://mydomain.com or just mydomain.com in app.emby.media I get a connection failure. https://mydomain.com works perfectly.


dhenzler

I appended the script you provided to nginx.conf   I couldn't find any details on where it would go otherwise.  So edited out the old stuff, and added your script.

Seems to work...

How about some details on where the script should be added !

You assume we newbies know too much !

Dave


No it's not required.  Emby Server has a few options to set how https is handled.  One of the options is "proxy" which allows Emby to assume everything is https downstream and being handled by a proxy server.

That is one of the advantages of using a reverse proxy server as it can hand off/redirect to a non secured port on your local apps.  With Cloudflare you can actually run secured for clients without a local reverse proxy nor without setting any certs in Emby Server as Cloudflare will take care of this.

How you want to do this is completely up to you and how comfortable you are with parts of the communication not encrypted.  If you are not worried about man in the middle attacks between Cloudflare and you and back again it's not needed. If you're in a business environment where security checks are done checking everything for secured access then all traffic to and from the server must be encrypted.  This makes sense when financial data or personal data is involved as exploits can come from "inside" and not just the Internet.

With an Emby Server this is probably not a concern at all and you're using Cloudflare to bypass CGNAT from your ISP or just for Cloudflare's protection and better routing as well as the caching it does. Based on that criteria I myself wouldn't really have an issue running Emby this way as there is no personal information involved, but I would not think about doing that with Bitwarden password manager, Synology Drive or some other things I have available, as I would want those fully secured inside my home LAN as well, as that's just smart.

Hope that helps


Alexwerilles
On 12/12/2021 at 12:35 PM, cayars said:

No it's not required.  Emby Server has a few options to set how https is handled.  One of the options is "proxy" which allows Emby to assume everything is https downstream and being handled by a proxy server.

That is one of the advantages of using a reverse proxy server as it can hand off/redirect to a non secured port on your local apps.  With Cloudflare you can actually run secured for clients without a local reverse proxy nor without setting any certs in Emby Server as Cloudflare will take care of this.

How you want to do this is completely up to you and how comfortable you are with parts of the communication not encrypted.  If you are not worried about man in the middle attacks between Cloudflare and you and back again it's not needed. If you're in a business environment where security checks are done checking everything for secured access then all traffic to and from the server must be encrypted.  This makes sense when financial data or personal data is involved as exploits can come from "inside" and not just the Internet.

With an Emby Server this is probably not a concern at all and you're using Cloudflare to bypass CGNAT from your ISP or just for Cloudflare's protection and better routing as well as the caching it does. Based on that criteria I myself wouldn't really have an issue running Emby this way as there is no personal information involved, but I would not think about doing that with Bitwarden password manager, Synology Drive or some other things I have available, as I would want those fully secured inside my home LAN as well, as that's just smart.

Hope that helps

 


my question concerns the download speed limitation for users. I want to limit the download speed of users here at home. Just limit the download speed of videos. I already use nginx and cloudflare

 


dhenzler
44 minutes ago, Alexwerilles said:

 


my question concerns the download speed limitation for users. I want to limit the download speed of users here at home. Just limit the download speed of videos. I already use nginx and cloudflare

 

I'm unsure of your motive to limit download speed on your LAN.  Today most of us have Gigabit LANs so unless you have a dozen concurrent users all watching movies @ 2-3MBps ???

As far as Cloudflare goes... I don't like getting involved with companies with monthly charges and crippleware for "FREE".  Nginx does what is needed, and that is encapsulation of the data stream so "Big Brother" can't easily see what you're transporting.

So... out of simple curiosity?  Why the limit ?

  • Agree 1

Cloudflare doesn't cost anything the way most people use it and you get a lot for free. From DNS entries pointing to their servers vs your own WAN to faster delivery to the client app due to their routing, to the much faster client experience and less bandwidth needed on your system since they cache your graphics.  Plus they have all the protection to mitigate things the average person would not be able to cope with.

It's not for everyone but there is definitely value to be had.

  • Agree 1

dhenzler
55 minutes ago, cayars said:

Cloudflare doesn't cost anything the way most people use it and you get a lot for free. From DNS entries pointing to their servers vs your own WAN to faster delivery to the client app due to their routing, to the much faster client experience and less bandwidth needed on your system since they cache your graphics.  Plus they have all the protection to mitigate things the average person would not be able to cope with.

It's not for everyone but there is definitely value to be had.

I guess the benefit is there if you have a large PUBLIC following.  I don't.  My upload is 15MB/sec and shared with web hosting.  Although my hosting is for low volume sites and likely doesn't create much of a load.  I don't share my content.

Caching Emby means a relatively HUGE amount of storage.  How does that work ?  Don't mean to challenge your expertise, but what more than SSL would be required to protect your content from prying eyes ?

Edited by dhenzler

Not so much about man-in-the-middle attacks where someone sees the transmission.  It's more to do with the fact no one can determine where the source of the content is.  Your DNS records only point to Cloudflare IPs.  That also means you don't have to have port 443 open to the world but only to the IP block that Cloudflare uses to pull info from your server.  They also offer a free tunnel so you can have all ports closed.  So it's more about those types of things as well as the other defense things they do and the caching and quicker delivery they can do.  They of course have their own backbone so packet destined for locations outside your area will almost always have less latency and hops riding their backbone vs the public Internet as it's optimized for delivery.

Keep in mind they do not cache your video as that would be against their TOS for free accounts, but just having them be able to deliver faster as well as cache graphics and scripts can make a world of difference.  The slower your site is, the more noticeable it is once the content is pulled the first time to be cached.

Make sense?


dhenzler

I tried to get Cloudflare to work.  But it doesn't recognize any of my websites... ccskeet.com, rent14me.com, keystonebolt.com  All of these work just fine.

I give up... it's not for me !   Stuff that is that convoluted is beyond what I am willing to waste a day configuring.

 

 

Edited by dhenzler
Altered the whole thing
