
CloudFlare

timekills edited this page Mar 13, 2019 · 5 revisions

Rather than repost the excellent instructions on how to initially set up Cloudflare as your DNS provider, here is the link to their page: https://support.cloudflare.com/hc/en-us/articles/201720164-Step-2-Create-a-Cloudflare-account-and-add-a-website

Note that if you have multiple sites you do NOT need a separate account for each. You can add multiple sites, each with a different IP, to the same Cloudflare account. They will all share the same API (which makes them easier to manage), but each has its own IPs, A record(s), CNAMEs, Page Rules, etc.

Some important tips:

  • Any site whose actual IP you want to hide from the public should have the "orange cloud" enabled.

  • You need at least one A record mapping the top-level domain (i.e. mydomain.com) to the actual IP of your server.

    • A wildcard (*) under Name for an A record pointing to an IP will not work on free accounts. If you have one, you may as well delete it. You have to create a separate entry for each sub-domain (e.g. portainer.mydomain.com).
  • Use CNAMEs for the sub-domains (e.g. portainer.mydomain.com) that alias the TLD you listed in your A record.

  • Recommended: at least one page rule in Cloudflare to ensure your apps work correctly:

    • Always Online: Off
    • Cache Level: Bypass
    • SSL: Full
    • HTTPS Rewrites: On
      • No - this doesn't change the HTTPS provider info; it simply enforces that the URL has https at the front even if it wasn't typed.
    • The URL you use should be https://*.yourdomain.com/*
      • The asterisk at the front and the /* at the back are critical to ensure all apps get the treatment and that if a link points to a sub-page it will also get the rule applied.
    • This should be the LAST rule if you have any other page-specific rules. Rules are applied IN ORDER, so if you put this rule first and a special rule for a specific page afterwards, that specific rule won't apply, because this rule already matches all pages (that's what the * at the front is for).
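As an added example (not code from the PGBlitz wiki or from Cloudflare), a small Python checker that applies the tips above to a planned zone: it flags a missing apex A record, a wildcard A record, a CNAME that does not alias the apex, a record with the orange cloud off (which publishes the origin IP in DNS), and a catch-all page rule placed ahead of a page-specific one. The zone name, IPs and rule patterns are constructed samples.

```python
"""Check a planned Cloudflare zone and page-rule order against the tips above.
Constructed example, not code from the PGBlitz wiki or from Cloudflare; the
Record fields mirror what the DNS tab shows, `proxied` being the orange cloud."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class Record:
    name: str       # "@" for the apex, or a full hostname such as "plex.mydomain.com"
    rtype: str      # "A" or "CNAME"
    content: str    # IP address for A; target hostname or "@" for CNAME
    proxied: bool   # True == orange cloud on (origin IP hidden behind Cloudflare)


def check_zone(zone, records):
    """Return a list of findings; an empty list means the zone follows the tips."""
    findings = []
    if not any(r.rtype == "A" and r.name in ("@", zone) for r in records):
        findings.append(f"no A record for the apex {zone}; CNAMEs have nothing to alias")
    for r in records:
        host = zone if r.name == "@" else r.name
        if r.rtype == "A" and host.startswith("*"):
            findings.append(f"wildcard A record {host} is not honoured on free plans; delete it")
        if r.rtype == "CNAME" and r.content not in ("@", zone):
            findings.append(f"CNAME {host} aliases {r.content}, not the apex {zone}")
        if not r.proxied:
            findings.append(f"{host} has the orange cloud off: its origin IP is public in DNS")
    return findings


def check_page_rules(rules):
    """rules is the ordered list of page-rule URL patterns. Cloudflare applies
    only the first matching rule, so a later rule whose pattern is already
    covered by an earlier one (e.g. the https://*.zone/* catch-all) never fires."""
    findings = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            if fnmatchcase(later, earlier):   # earlier glob swallows the later pattern
                findings.append(f"rule {later!r} is shadowed by {earlier!r} placed before it")
    return findings


if __name__ == "__main__":
    zone = "mydomain.com"                      # constructed sample zone
    records = [Record("@", "A", "203.0.113.10", True),
               Record("*.mydomain.com", "A", "203.0.113.10", True),
               Record("plex.mydomain.com", "CNAME", "@", False)]
    rules = ["https://*.mydomain.com/*", "https://plex.mydomain.com/*"]  # wrong order
    for finding in check_zone(zone, records) + check_page_rules(rules):
        print("-", finding)
```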

3A. Cloudflare as Content Delivery Network (CDN) for Plex

When using Cloudflare and Traefik, use the following setup (yes - I know this is different from some other CDN instructions. Following the CDN instructions as written elsewhere can result in intermittent remote access on dedicated servers and VPSs.)

  • Under "Network/Custom server access URLs" use https://TLD:443

    • Note the https and the :443 at the end. It seems redundant, but it is required.
    • TLD is plex.yourdomain.com or plex.yourdomain.net or whatever you're using
  • Recommended: under "Network/LAN Networks" and under "Network/List of IP addresses and networks that are allowed without auth" enter 172.17.0.0/16,172.18.0.0/16

    • Those are the internal subnets for the plexguide and bridge networks.
    • This suggestion isn't directly relevant to Cloudflare, but helpful regardless.
  • Under "Remote Access" check - yes, check - "Manually specify port" and use the standard 32400 port.

  • In Cloudflare under the "DNS" tab ensure you have a Plex CNAME (or A record, but you really should use CNAME pointers.)

    • Best practice is to have one A record that points your TLD without the prefix (i.e. yourdomain.com, NOT www.yourdomain.com) to your IP. All the other subdomains should be CNAMEs.
    • So you'd add one CNAME for plex.yourdomain.com, with plex under the Name column and yourdomain.com under the Value column. You can use the @ symbol instead of typing yourdomain.com in the Value column as a shortcut.
      • Whether you use a CNAME for each subdomain or create an A record for each subdomain is up to you and somewhat immaterial to this discussion, but the correct way is to have only the A record(s) point a domain (or domains) to an IP, with the subdomains as CNAMEs. Either will work here, however.
    • In the Plex record make sure the orange cloud (using Cloudflare) is ENABLED.
    • If using CNAME records, you must have AT LEAST the TLD included as an A record. That should have been pulled over automatically when you created your Cloudflare account. Check to ensure you have a line that tells Cloudflare what the IP for your server is and the TLD to associate it with (the purpose of an A record).
  • In Cloudflare make a page rule for https://plex.TLD/* with the settings SSL: Full, Cache Level: Bypass, Automatic HTTPS Rewrites: On

    • Note the /* at the end. Important. Required.
    • Again, "plex.TLD" is whatever you used in #1 (i.e. maybe plex.ihopethisfsckingworks.com)
    • Any other rules from other CDN guidelines aren't necessary. You can add them - they won't hurt - but why complicate things?

Now go back and retry in Plex/Remote Access to enable remote access. BE PATIENT. It can take a while - 15 minutes+ if you're lucky, often longer initially - for your Plex server to restart and propagate through Traefik and then Cloudflare, and it won't work until the status for Plex in Portainer shows green/healthy (not just "starting"). It can take even longer for Cloudflare to push the DNS settings out across the global Internet, especially if the records are new.

You'll also occasionally see the dreaded red ! by Remote Access when you go to Settings in the future, for a moment or two. That's normal. However, unlike with the CDN settings, it will go back to the green check mark. If it ever doesn't after a few moments (it depends on how quickly Plex.tv is able to reach Cloudflare and then Cloudflare to reach your server... could be ms or could be a couple of seconds), go and re-enable Remote Access.
