Thomas Straub Author Posted January 27, 2023
On 1/18/2023 at 4:43 PM, vaise said: I imagine a company like CF is very security aware. A rogue employee is possible I guess. My tunnel is only open to my Emby instance IP address using the Zero Trust application config - not my whole network. It also follows the WAF so I only allow specific countries, block bots etc. Just Australia can connect to mine. I tested all that with a VPN to various bad places (inc USA). Unlike my SWAG back door method I have (which I also use but is disabled unless CF shuts me down) where my UniFi firewall was reporting many attempts daily to connect to my WAN port by known bad stuff. I have a jail and geo blocking, but still baddie attempts. Router vulnerabilities are reported all the time and old ones are never patched so for many users, that's more likely to be a security issue with opening to the internet I believe.
Same deal. My Emby instance (together with my other self-hosted stuff I want exposed, which is pretty much Heimdall, Sonarr, Radarr, and SAB) are all behind Zero Trust, CF tunnels and I use 1Password AND an ingress Firewalla. My DNS is also AdGuard Home via Docker. I have done all I can pretty much to ensure I can use Emby while at the same time accessing my encrypted media without the whole world having access. This has me putting a lot of trust in CF but if they ever went bust I could easily just hop back on SWAG via Docker.
vaise Posted January 27, 2023 HeHe - if they go bust, a load of the internet will be in trouble.
Thomas Straub Author Posted January 27, 2023 Agreed! I check back here frequently to see if there's something else I should be doing but it doesn't look like it — for now anyway.
mike_mcevoy Posted March 8, 2023 Hi all, thanks for this thread, really useful for the config of the tunnel for Emby. Connection seems good but just wondering if anyone has seen an issue with transcoding through Cloudflare. Basically when I run it through CF it only transcodes a max of 1mbps, however if I don't go through the tunnel it is 5mbps? Just wondering if anyone knows if that is a limitation of the free account, maybe an upgrade route if necessary, but so far it is way better than VPN as I am on a Starlink connection with about 300 down and 30 up currently. @vaise
vaise Posted March 9, 2023 I limit transcoding. I have threatened friends and family that I will turn it off if they don't upgrade to better playback devices. They have all done that now. I can't say I have seen an issue in the past with transcoding however.
Thomas Straub Author Posted March 19, 2023 @vaise All of mine now have NVIDIA Shields because I carried out that same threat. My Emby setup became a whole-home self-hosted thing over COVID lockdowns. That little Intel Mac Mini with Docker, Emby, RClone... it's really really been a staple. I am PETRIFIED of having to re-do it all.
WadeWilson Posted October 3, 2023
On 8/6/2022 at 4:56 PM, pir8radio said: the issue is, you still pass video through their system if you have the orange cloud enabled for that domain. This is what they prohibit... not caching of video, just passing it through Cloudflare.
@pir8radio Hate to use an old topic to ask this, but thought it better than opening yet another new topic about tunnels and proxy. The question I have is about that orange cloud selection you are referring to and CF video restrictions. What I am trying to find out is if that applies to both tunnels and/or just using their standard DNS proxy and opening 443. I would assume yes, but everything I find on the forums talks about using the tunnels when being banned. If so, this is leading me to believe the only way to risk no ban for video would be disabling the orange cloud, which would then expose my real IP, if that were a concern of mine. Then would it be any safer to spin up a proxy server on, say, a Linode (or some other cheap VPS) and point DNS in CF to that with no orange cloud, then point the VPS to my home reverse proxy? The other question would be when Cloudflare blocks you, does it ban the whole account, or just video transmissions? Can another account be created with another e-mail or would I just be out of luck with Cloudflare at that point? My domain is hosted through them as well so I want to try and avoid issues there if at all possible.
adminExitium Posted October 3, 2023 It applies to everything as long as the actual traffic is passing through CF; that may be through a proxied domain, tunnels, workers etc. If you are just using them for DNS, that's not a problem.
LAPS0082 Posted August 29, 2024 Dear all Cloudflare Tunnel users, I am very interested in testing this so I can get rid of my nginx reverse proxy and the opened ports on my firewall. I am currently only using proxied Cloudflare traffic with an A record (emby.mydomain.com, plus other exposed services) to my static IPv4 and the recommended page rules to bypass streaming traffic. I have some questions you might help me with.
1. I am thinking about ditching my static IPv4 address as I will switch to fiber soon and the static IP is very expensive with the new provider. Does your IP address change regularly or do you all have a static IP? How fast does Cloudflare Tunnel handle these changes? Do I have to implement other tasks when my IP changes?
2. Where do you run cloudflared? On a separate container or on the Emby server itself? Or do you run cloudflared on all tunneled services?
3. I currently have more services than Emby published with my reverse proxy (Home Assistant and Jellyseerr). Do you have any experience if these work too?
4. How do you handle certificates when on the internal LAN? Currently my nginx / certbot / letsencrypt changes the certificates. I use split-brain DNS when I am on the internal LAN.
5. Do the page rules apply when using Cloudflare Tunnel?
6. Is there any guide with some screenshots on how to set this up as best practice?
vaise Posted August 29, 2024 Here are some answers - I am not an expert, but have been using it for ages.
1. I am thinking about ditching my static IPv4 address as I will switch to fiber soon and the static IP is very expensive with the new provider. Does your IP address change regularly or do you all have a static IP? How fast does Cloudflare Tunnel handle these changes? Do I have to implement other tasks when my IP changes?
**** Should not have any relevance - the tunnel is doing the work between the thing running it and CF. My IP has changed lots in the past, no tunnel issues.
2. Where do you run cloudflared? On a separate container or on the Emby server itself? Or do you run cloudflared on all tunneled services?
**** I use Unraid, and use the official cloudflared docker container. I run more than just Emby through it.
3. I currently have more services than Emby published with my reverse proxy (Home Assistant and Jellyseerr). Do you have any experience if these work too?
**** See 2 - I also run Home Assistant, Jellyseerr, Immich through mine.
4. How do you handle certificates when on the internal LAN? Currently my nginx / certbot / letsencrypt changes the certificates. I use split-brain DNS when I am on the internal LAN.
**** All my local stuff that accesses the local servers is http, and the remote stuff is pure https, until it hits the tunnel public hostnames you create on your 'network', which is what replaces your nginx reverse proxy, like this:
5. Do the page rules apply when using Cloudflare Tunnel?
**** Yes, but I no longer tunnel the videos - search my post of @HorsePDF where now the videos are via nginx only and the rest is via CF (in my case the tunnel, but HorsePDF does not tunnel).
6. Is there any guide with some screenshots on how to set this up as best practice?
**** Is there a best practice? Whatever works for you. The tunnel and cloudflared setup is not related to Emby at all.
Many YouTube videos on how to set up tunnels using this; it takes minutes to do, is ridiculously easy now and all GUI - when I started there were config files to edit, but no more.
LAPS0082 Posted August 29, 2024 Thank you @vaise, this sounds very promising.... Only thing I don't like is the fact that I have to change the Emby server in my Emby app (same issue with Home Assistant I think) on my smartphone when I leave my home. How do you handle these "hybrid" devices? Thanks for all the input.
vaise Posted August 29, 2024
31 minutes ago, LAPS0082 said: Thank you @vaise, this sounds very promising.... Only thing I don't like is the fact that I have to change the Emby server in my Emby app (same issue with Home Assistant I think) on my smartphone when I leave my home. How do you handle these "hybrid" devices? Thanks for all the input.
I think you mean like an iPad or iPhone app that could be in two places? Never been an issue. The server and port are set to my external ones whether on local or remote for these, i.e. https://emby.vaisewilliams.com and port 443. I guess it goes out and back in if on LAN, or you can manipulate your IP address if you have LAN DNS available too, i.e. redirect it to the local IP of the server.
LAPS0082 Posted August 29, 2024 Yes, that's exactly what I mean. Hmmm, I think I tried this at the initial setup but did not get it working. So I did a split-brain DNS as I have a local DNS available. If I stick with local DNS splitting and I give up my nginx reverse proxy I will run into certificate issues.
Q-Droid Posted August 29, 2024
11 minutes ago, LAPS0082 said: Yes, that's exactly what I mean. Hmmm, I think I tried this at the initial setup but did not get it working. So I did a split-brain DNS as I have a local DNS available. If I stick with local DNS splitting and I give up my nginx reverse proxy I will run into certificate issues.
It sounds like your Emby server network settings might not be correct. Apps should switch automatically between LAN and WAN connections.
LAPS0082 Posted August 29, 2024 Hmm, never considered that my Emby settings could be the issue as I looked at routing / nginx / DNS errors. Could you give me an example of how I should configure my Emby network settings correctly?
Q-Droid Posted August 29, 2024
41 minutes ago, LAPS0082 said: Hmm, never considered that my Emby settings could be the issue as I looked at routing / nginx / DNS errors. Could you give me an example of how I should configure my Emby network settings correctly?
Your Emby dashboard should display the right URLs for LAN and WAN connections. If left to do it automatically it can pick the wrong values. You can set them in the network settings page.
LAPS0082 Posted August 29, 2024 I got this running pretty quick. I'm now on Cloudflare Tunnels. Buuuuuut, when I connect to my Emby server on LAN with the public URL (e.g. https://media.mydomain.com) I am treated like I am coming from the public WAN. Here is some evidence:
1. My network settings:
2. When opening my browser on LAN and using https://media.mydomain.com I am welcomed with this screen:
3. I can't log in as my main admin as this is only allowed on LAN.
4. When using http://192.168.178.43:8096 I get the login screen where I can select the users who are allowed to log in when on LAN without a password.
5. When using https://media.mydomain.com on LAN with my browser and starting a movie I see my external IP in activities:
Any ideas why this is not working like @Q-Droid and @vaise described? Maybe this is an IPv6 issue? Any tips are appreciated.
Q-Droid Posted August 29, 2024 It is working as I described. Your public domain resolves to the tunnel entry point unless you have local DNS to override that and resolve to a LAN IP. If it's doing what I would expect, your connection for the public domain name is leaving your network and coming back through the tunnel. Unless your LAN is segmented in a way that Emby sees LAN clients as remote, the apps which make use of the feature will switch between your In-home and Remote URLs as you move between networks. If your LAN is segmented (VLAN, subnet, etc.) then you can add those networks to the list of LAN networks in the settings. For in-home devices and browsers you can connect to the LAN URL or hostname if known within your network. Are you trying to do something goofy like forcing HTTPS while on the LAN?
vaise Posted August 29, 2024 I guess I am not in exactly the same boat. I use Tailscale to access my network when I want to do ADMIN tasks, in which case the device is on the LAN and all works as normal. It's only my wife's iPad that is a 'roaming' device, and always set to 1080p-5mbps. It's only really used outside when we are on holiday as we have TVs in every room at home.
vaise Posted August 29, 2024 Your next task is to worry about being banned by CF for breaking rules.............. I never have been, but for the last few months I have split the media to only go via nginx, and everything else via CF - so no rules broken.
pwhodges Posted August 29, 2024
1 hour ago, Q-Droid said: Are you trying to do something goofy like forcing HTTPS while on the LAN?
This doesn't have to be goofy. If your local DNS entry takes you to a local reverse proxy that does https, then it will work. There should be no issue with both Cloudflare and your proxy having certificates for the same name (so long as they come from different suppliers, which is trivial). Paul
Q-Droid Posted August 30, 2024
3 hours ago, pwhodges said: This doesn't have to be goofy. If your local DNS entry takes you to a local reverse proxy that does https, then it will work. There should be no issue with both Cloudflare and your proxy having certificates for the same name (so long as they come from different suppliers, which is trivial). Paul
How it gets done is irrelevant. Unless their server is on a communal network there is no compelling reason to use https on a private LAN. Even less so for someone who doesn't quite know what they're doing, so yes, it would be goofy and why I asked. If they're not forcing https then it's a non-issue and can be eliminated from the list of possible problems. First order of business would be to get the basics working. After that, if the admin wants to play around and try other things like https on LAN that's fine and they would start from a working config.
LAPS0082 Posted August 30, 2024 (edited)
9 hours ago, Q-Droid said: Are you trying to do something goofy like forcing HTTPS while on the LAN?
No... I don't know. I think it's my inner Monk who must be satisfied to always use the same URL or something like that. But do you mean browsers behave differently than the app when accessing the public URL? If that's the case I feel very stupid for not knowing and bothering you. edit: no segmented LAN btw. Edited August 30, 2024 by LAPS0082
pwhodges Posted August 30, 2024
7 hours ago, Q-Droid said: How it gets done is irrelevant. Unless their server is on a communal network there is no compelling reason to use https on a private LAN.
None at all in itself. However, it enables the client to be set up to use the same URL whether in or outside the LAN, and when moving between them while playing. Paul
Q-Droid Posted August 30, 2024
3 hours ago, LAPS0082 said: No... I don't know. I think it's my inner Monk who must be satisfied to always use the same URL or something like that. But do you mean browsers behave differently than the app when accessing the public URL? If that's the case I feel very stupid for not knowing and bothering you. edit: no segmented LAN btw
There are some things the Emby server will fight a bit and this is one of them. Yeah, browsers and apps handle this differently. When the apps connect they pull and save your LAN and WAN URLs, then switch between them when a network change is detected, though not as smoothly as most would like. Browsers go where you point them and don't change unless redirected by something, but they don't save or use these network settings. Browsers do follow HTTP redirects but apps don't. There are other checks and decisions made based on whether the session is seen on LAN or WAN. Being aware of these will help you decide which approach you take to configure and troubleshoot.
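The in-home versus remote decision that Q-Droid describes above, and the reason LAPS0082 saw their own external IP in the activity log, come down to which address the server observes for the connection. The following is an added illustration (not Emby's code and not posted by anyone in this thread) that models that decision: a client address is checked against the configured "LAN networks" list, and a request that leaves the house via public DNS and returns through the tunnel is assumed to arrive carrying the house's public address. All hostnames, subnets and addresses are constructed sample values.

```python
"""Model of how a LAN client ends up classified as in-home or remote.

Added illustration, not Emby's code. Assumptions: the server compares the
client address it observes against the configured "LAN networks" list, and a
request through the tunnel arrives carrying the house's public address.
All addresses below are constructed samples (RFC 5737 / RFC 3849 ranges).
"""
import ipaddress

PUBLIC_HOSTNAME = "media.mydomain.com"
SERVER_LAN_ADDR = "192.168.178.43"      # the LAN URL that worked in the thread
HOME_WAN_ADDR = "203.0.113.7"           # the house's public IPv4 (constructed)
LAN_NETWORKS = ["192.168.178.0/24"]     # the "LAN networks" list in network settings


def is_in_home(client_addr: str, lan_networks: list[str]) -> bool:
    """Server-side check: is the observed client address inside a LAN network?

    A VLAN/subnet that is not listed is classified as remote, as is an IPv6
    client whose prefix is missing while only IPv4 networks are configured.
    """
    addr = ipaddress.ip_address(client_addr)
    return any(addr in ipaddress.ip_network(net) for net in lan_networks)


def observed_client_addr(client_addr: str, target: str, local_dns: dict[str, str]) -> str:
    """Address the server sees when a LAN client opens `target` in a browser.

    A literal LAN address, or a hostname answered by split-brain local DNS,
    connects directly and the server sees the client's own LAN address.
    Otherwise the name resolves to the Cloudflare edge, the request leaves the
    house and returns through the tunnel, and the server sees the WAN address.
    """
    try:
        ipaddress.ip_address(target)        # e.g. http://192.168.178.43:8096
        return client_addr
    except ValueError:
        pass
    if target in local_dns:                 # local override answers with the LAN address
        return client_addr
    return HOME_WAN_ADDR                    # public DNS -> edge -> tunnel -> server


def classify(client_addr: str, target: str, local_dns: dict[str, str],
             lan_networks: list[str]) -> str:
    """Return 'in-home' or 'remote' for a LAN client connecting to `target`."""
    seen = observed_client_addr(client_addr, target, local_dns)
    return "in-home" if is_in_home(seen, lan_networks) else "remote"
```

With an empty `local_dns`, `classify("192.168.178.20", PUBLIC_HOSTNAME, {}, LAN_NETWORKS)` returns `"remote"`; adding `{PUBLIC_HOSTNAME: SERVER_LAN_ADDR}` as the split-brain override makes the same browser session `"in-home"`.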