Rather than repost the excellent instructions on how to initially set up Cloudflare as your DNS provider, here is the link to their page: https://support.cloudflare.com/hc/en-us/articles/201720164-Step-2-Create-a-Cloudflare-account-and-add-a-website
Note that if you have multiple sites you do NOT need a separate account for each. You can add multiple sites, each with a different IP, to the same Cloudflare account. They will all share the same API - which makes it easier to manage - but each has their own IPs, A Record(s), CNAMEs, Page Rules, etc.
Some important tips:
Any site whose actual IP you want to hide from the public should have the "orange cloud" enabled.
You need at least one A record pointing the top-level domain (i.e. mydomain.com) to the actual IP of your domain.
- A wildcard (*) under name for an A record pointing to an IP will not work for free accounts. If you have one, you may as well delete it. You have to create a separate listing for each sub-domain (i.e. portainer.mydomain.com)
Use CNAMEs for the subdomains (i.e. portainer.mydomain.com), each an alias of the TLD you listed in your A record.
Recommend at least one page rule in Cloudflare to ensure your apps work correctly:
- Always Online: Off
- Cache Level: Bypass
- SSL: Full
- HTTPS Rewrites: On
- No - this doesn't change the https provider info; it simply ensures the URL has https at the front even if it wasn't typed.
- The URL you use should be
- The asterisk at the front and the /* at the back are critical to ensure all apps get the treatment and that if a link points to a sub-page it will also get the rule applied.
- This should be the LAST rule if you have any other page specific rules. Rules are applied IN ORDER - so if you put this rule first, and a special rule for a specific page afterwards, that specific rule won't apply because this rule already applies to all pages (that's what the * in the front is for.)
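The ordering point above, as an added example that is not part of the original guide: a simplified first-match model of page rules, showing how a catch-all placed first shadows a more specific rule. The domain, rule names and settings are constructed, and the matcher assumes `*` is the only wildcard.

```python
import re

# Constructed rules: example.com, the rule names and the settings are placeholders.
CATCH_ALL = {"name": "catch-all", "pattern": "*example.com/*",
             "settings": {"ssl": "full", "cache_level": "bypass"}}
STATIC = {"name": "static", "pattern": "static.example.com/*",
          "settings": {"cache_level": "cache_everything"}}
PROBES = ["https://portainer.example.com/",
          "https://static.example.com/img/logo.png",
          "http://example.com/"]

def host_path(url):
    """Drop the scheme so patterns with and without https:// compare alike."""
    return re.sub(r"^https?://", "", url)

def matches(pattern, url):
    # Only '*' is a wildcard; every other character is literal.
    parts = (re.escape(p) for p in host_path(pattern).split("*"))
    return re.fullmatch(".*".join(parts), host_path(url)) is not None

def winning_rule(rules, url):
    """First matching rule in list order; later matches never fire."""
    return next((r for r in rules if matches(r["pattern"], url)), None)

def shadowed_rules(rules, probes):
    """Names of rules that match some probe URL but never win for any of them."""
    out = []
    for rule in rules:
        own = [u for u in probes if matches(rule["pattern"], u)]
        if own and all(winning_rule(rules, u) is not rule for u in own):
            out.append(rule["name"])
    return out

if __name__ == "__main__":
    print("catch-all first:", shadowed_rules([CATCH_ALL, STATIC], PROBES))
    print("catch-all last: ", shadowed_rules([STATIC, CATCH_ALL], PROBES))
```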
When using Cloudflare and Traefik, use the following setup (yes - I know this is different than some other CDN instructions. Following the CDN instructions as written in other locations can result in intermittent remote access on dedicated and VPS.)
Under "Network/Custom server access URLs" use https://TLD:443
- Note the https and the :443 at the end. Seems redundant, but required.
- TLD is plex.yourdomain.com or plex.yourdomain.net or whatever you're using
Recommend under "Network/LAN Networks" and under "Network/List of IP addresses and networks that are allowed without auth" enter 172.17.0.0/16,172.18.0.0/16
- Those are the internal subnets for the plexguide and bridge networks.
- This suggestion isn't directly relevant to Cloudflare, but helpful regardless.
Under "Remote Access" check - yes, check - "Manually specify port" and use the standard 32400 port.
In Cloudflare under the "DNS" tab ensure you have a Plex CNAME (or A record - but you really should use CNAME pointers.)
- Best business practice is to have one A Record that points your TLD without the prename (i.e. yourdomain.com NOT www.yourdomain.com.) All the other subdomains should be CNAME.
- So you'd add one CNAME for plex.yourdomain.com using Plex under the Name column and yourdomain.com under the Value column. You can use the @ symbol instead of typing yourdomain.com for the Value column as a shortcut.
- Whether you use a CNAME for each subdomain or create an A Record for each subdomain is up to you and somewhat immaterial to this discussion, but the correct way is to only have A record(s) point a domain (or domains) to an IP and the subdomains using CNAMEs. Either will work here however.
- In the Plex record make sure the orange cloud (using Cloudflare) is ENABLED
- If using CNAME records, you must have AT LEAST the TLD included as an A record. That should have been pulled over automatically when you created your Cloudflare account. Check to ensure you have a line that tells Cloudflare what the IP for your server is, and the TLD to associate it with [the purpose of an A record] as in the screenshot below:
In Cloudflare make a page rule for https://plex.TLD/* with the rules SSL: Full, Cache Level: Bypass, Automatic HTTPS Rewrites: On
- Note the /* at the end. Important. Required.
- Again the "plex.TLD" is whatever you used in #1 (i.e. maybe plex.ihopethisfsckingworks.com)
- Any other rules from other CDN guidelines aren't necessary. You can add them - they won't hurt - but why complicate things?
Now go back and retry in Plex/Remote access to enable remote access. BE PATIENT. It can take a while (15 minutes+ if you're lucky, often even longer initially) for your Plex server to restart and populate through Traefik and then Cloudflare, and it won't happen until the status for Plex in Portainer shows green/healthy (not just "starting"). It can sometimes take even longer for Cloudflare to push the DNS settings through the global Internet, especially if they are new.
You'll also occasionally see the dreaded red ! by remote access for a moment or two when you go to settings in the future. That's normal. However, unlike the CDN settings, it will go back to the green check mark. If it ever doesn't after a few moments (it depends on how quickly Plex.tv is able to hit Cloudflare and then Cloudflare to reach your server... could be ms or could be a couple of seconds), go and re-enable Remote Access.
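The DNS layout described above (one A record for the bare domain, CNAMEs for subdomains, orange cloud on, no wildcard) can be checked mechanically. This is an added example, not part of the original guide: the record list is constructed, its field names (`type`, `name`, `content`, `proxied`) follow Cloudflare's DNS record objects, and the finding codes are hypothetical labels.

```python
# Constructed zone export; example.com and 203.0.113.10 are placeholders.
ZONE = "example.com"
RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "CNAME", "name": "plex.example.com", "content": "example.com", "proxied": True},
    {"type": "CNAME", "name": "portainer.example.com", "content": "example.com", "proxied": False},
    {"type": "A", "name": "nas.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "*.example.com", "content": "203.0.113.10", "proxied": False},
]

def audit_dns(zone, records):
    """Return (record name, finding code) pairs for deviations from the guide's layout."""
    findings = []
    # CNAME aliases need the bare domain's A record to resolve to anything.
    if not any(r["type"] == "A" and r["name"] == zone for r in records):
        findings.append((zone, "missing-apex-a"))
    for r in records:
        if r["type"] not in ("A", "CNAME"):
            continue  # MX, TXT, etc. are outside this guide's scope
        if r["name"].startswith("*."):
            # The guide advises deleting wildcards on free accounts; no further checks.
            findings.append((r["name"], "wildcard"))
            continue
        if not r["proxied"]:
            # A grey-cloud A record publishes the server's real IP in public DNS.
            code = "origin-ip-exposed" if r["type"] == "A" else "not-proxied"
            findings.append((r["name"], code))
        if r["type"] == "A" and r["name"] != zone:
            # Works, but the guide prefers a CNAME pointing at the bare domain.
            findings.append((r["name"], "subdomain-a-record"))
    return findings

if __name__ == "__main__":
    for name, code in audit_dns(ZONE, RECORDS):
        print(f"{code:20} {name}")
```

A single `origin-ip-exposed` finding is enough to undo the IP hiding for every other record that points at the same server.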