Part 2: Setting up Cloudflare with Emby

emby Jan 9, 2018

So far I have documented different approaches to access Emby securely remotely.

This guide uses Cloudflare for DNS records of your domain name, create and maintain your SSL cert and add security to your connection.

So for anyone who doesnt know, Cloudflare acts like a middle man, or more like a big bouncer. Imagine you own a bar and you want security. You hire a bouncer and he lets your customers in but keeps the riff raff out. This is what cloudflare does it adds security to your Server, while allowing authorised people to access your server.

This guide will assume you have Emby Server already setup and working on your LAN.

Getting a Domain Name.

For this to work we need a domain name. You can get a free one from FreeNom or buy your own .com or from a registrar such as NameCheap.

For this example I will use Freenom.

Search for the domain name you want. I will use

Click Checkout. Enter your details. You will then see a button to manage domain, click that. Next click on Management Tools and Nameservers. You will see the below screen. Leave this open for now, we will come back to it.


  • Head over to  Cloudflare Create an account with Cloudflare and then add your Domain name you entered above note. when adding your site and starting the scan it might fail due to DNS propagation. Give it 5-15 mins and try again.
  • Once your Domain Name appears in Cloudflare you can click 'Continue Setup' and you will see the page below.
  • Create an 'A Record'
  • Name = emby
  • Value = your WAN IP
  • Status = make sure its an Orange cloud

Select Free Plan

You will now be given Nameservers. Copy the 2 name servers from Cloudflare and enter them into FreeNom. If FreeNom has 4 delete all of them and only enter the 2 from cloudflare. Should look something like the below image.

It will take some time for DNS propagation before the Nameservers change to Cloudflare. In this time lets setup Emby Server and Port Forwarding on your router. Go to your Emby Server and Dashboard Manager > Advanced.

Change your Public HTTP port to 80 and HTTPS port to 443. Enter your new domain name. I get from the CloudFlare DNS page. Emby was the name of the DNS record, so the full record is

Save and Restart Emby.

Log into your router. All routers are different. Find the section to port forward and create a new rule. Forward External port 443 to internal port 8920 and IP address of your Emby Server. You can also forward 80 to 8096, however this will mean users can connect insecurely to your Emby server.

Head back to CloudFlare and click 'Recheck Nameservers' if successfull you will see a green bar, and Cloudflare Active.

  1. We now need to create a SSL cert for Cloudflare to connect to your Server Securely. On Cloudflare go to 'Crypto', and then 'Origin Certificates'.
  1. Click Create Certificate, on the next screen leave everything default and click next.
  1. You will now be given 2 boxes, A Certificate code and Private Key code. Copy both of them into separate notepads and Save both. Call them cert.pem and private.key respectively
  • Once you have your 2 files, cert.pem and private.key we need to convert it to a .pfx. Go to
  • Current type = Standard PEM
  • Type to Convert to = PFX/PKCS#12
  • PFX Password = "what ever you want"
  • Certificate File to convert = cert.pem
  • Private Key File = private.key

Click convert and you should end up with a PFX certificate.

  • Head back to Emby Server > Dashboard > Advanced.
  • Custom SSL certificate Path = your PFX file
  • Certificate Password = the one used above "what ever you want"

Save and Restart Emby.

  1. Head back to Cloudflare > Crypto Tab You now need to change SSL from Flexible to Full. (This means users connect to Cloudflare [uses cloudflare cert] Then Cloudflare connects to your emby server using the Cert we just created). Thus A Full SSL Path from user to server.
  1. go to and enjoy your movies.

Optional Steps

On Cloudflare > Crypto You can enable 'Always use HTTPS' and 'Automatic HTTPS Rewrites'. Anyone trying to browse to HTTP will be forwarded to HTTPS.

On Cloudflare > Page Rules Add the following rules to cache your images.

URL = **/images/*
Cache Level = Cache Everything
Edge Cache TTL = a month

Add a Second Rule

URL = **
Edge Cache TTL = a month

If you have a DHCP WAN IP then you will also need to do some additional steps so that Cloudflare forwards to your IP even if it changes. For this you need to use DNS-O-Matic, a Guide can be found HERE.

Whats Next?

Once you have Cloudflare Configured and your domain name now points to your Public IP address at home, there are now a few options you have to configure emby to be externally accessable.

Part 3A: Setting up Emby with NPM Docker Reverse Proxy (Advanced).

This option requires you have a Docker Server running at home. If you have that then this is a simple reverse proxy solution which automatically fetches an SSL certificate.

Part 3B: This Guide is for Direct Connection (Simple).

This option advertises your emby server on ports 80 (HTTP) and 443 (HTTPS) externally. You will need to create your own SSL either a free option which requires renwal every 90 days or a paid option with a much long expiry date.

Part 3C: Setting up Emby with NGINX on Windows Reverse Proxy (Advanced).

Dont have Docker, dont want docker then NGINX for Windows is your next best bet.


Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.