Cloudflare and DNS-O-Matic

Following on from the CloudFlare with Emby post (linked HERE).

If your ISP issues you a dynamic (DHCP) WAN IP, you need something to update Cloudflare with your WAN IP whenever it changes.

The simplest way to do this is with DNS-O-Matic. Unlike many other DDNS services, DNS-O-Matic works as a middle man: it takes one update from your router and passes it on to many DDNS and other services.

  1. Head over to DNS-O-Matic and create an account.
  2. Add a service and choose Cloudflare from the list.
  3. Enter the following details into the boxes:
     email = your Cloudflare username (usually the email address)
     API Token = the Global API token from the Overview page on Cloudflare
     Hostname = your A record name from Cloudflare, for example ddns.mymedia.cf
     Domain = your top level domain, mymedia.cf
  4. We now need to set up a way for our router to update DNS-O-Matic. I use a Unifi USG as my router and it requires the following details:
     Service = dyndns
     Hostname = ddns.mymedia.cf
     username = DNS-O-Matic email address
     password = DNS-O-Matic password
     server = updates.dnsomatic.com

DNS-O-Matic also offers a small program which can run on your LAN and update the details automatically.
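If your router cannot speak to DNS-O-Matic directly, the same update can be sent from a small script on the LAN. The example below is added here and is not from the original guide or from DNS-O-Matic; it assumes DNS-O-Matic accepts the common dyndns2 request form (GET /nic/update?hostname=...&myip=... with HTTP Basic authentication) on updates.dnsomatic.com, the server named above. The hostname, username and password are the same values entered at DNS-O-Matic, and the script only calls the service when the IP has actually changed.

```python
"""Updating DNS-O-Matic from a script when the WAN IP changes.

Added example, not part of the original guide. Assumes the dyndns2 request
form GET /nic/update?hostname=...&myip=... with HTTP Basic auth on
updates.dnsomatic.com (the server the guide names); hostname, username and
password are the ones entered at DNS-O-Matic.
"""
import base64
import ipaddress
import urllib.request
from urllib.parse import urlencode

UPDATE_URL = "https://updates.dnsomatic.com/nic/update"  # server from the guide; /nic/update path assumed
USER_AGENT = "dnsomatic-example/1.0"                     # dyndns2 services reject requests with no UA


def is_literal_ip(value):
    """True only for a literal IPv4/IPv6 address; anything else must never reach DNS."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_update_request(hostname, wan_ip, username, password):
    """Build the update request. Credentials travel only inside the TLS session."""
    if not is_literal_ip(wan_ip):
        raise ValueError("refusing to publish a non-IP value: %r" % wan_ip)
    url = UPDATE_URL + "?" + urlencode({"hostname": hostname, "myip": wan_ip})
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("User-Agent", USER_AGENT)
    return req


def parse_update_response(body):
    """Classify a dyndns2 reply: 'good <ip>' and 'nochg <ip>' both mean the record
    now matches; anything else (badauth, notfqdn, abuse, 911, ...) is a failure
    that should stop the script rather than be retried in a tight loop."""
    code = body.strip().split(" ", 1)[0]
    if code in ("good", "nochg"):
        return True, code
    return False, code or "empty"


def needs_update(last_ip, current_ip):
    """Only contact the service when the IP really changed: repeated identical
    updates are exactly what dyndns2 providers rate-limit and flag as abuse."""
    return last_ip != current_ip


def push_update(hostname, wan_ip, username, password, opener=urllib.request.urlopen):
    """Send the update and return (ok, code). 'opener' is injectable for testing."""
    req = build_update_request(hostname, wan_ip, username, password)
    with opener(req, timeout=15) as resp:
        body = resp.read().decode("utf-8", "replace")
    return parse_update_response(body)


if __name__ == "__main__":
    import getpass
    import sys
    host, ip, user = sys.argv[1:4]   # e.g. ddns.mymedia.cf 203.0.113.5 you@example.com
    print(push_update(host, ip, user, getpass.getpass("DNS-O-Matic password: ")))
```

Run it from a scheduled task after detecting the current WAN IP; keep the last IP you pushed somewhere on disk and feed it to `needs_update` so that the service is only contacted on a change.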

Setting up Cloudflare with Emby

So far I have documented different approaches to access Emby securely remotely.

This guide uses Cloudflare for the DNS records of your domain name, to create and maintain your SSL cert, and to add security to your connection.

So for anyone who doesn't know, Cloudflare acts like a middle man, or more like a big bouncer. Imagine you own a bar and you want security. You hire a bouncer and he lets your customers in but keeps the riff raff out. This is what Cloudflare does: it adds security to your server while allowing authorised people to access it.

This guide will assume you have Emby Server already setup and working on your LAN.

Getting a Domain Name.

For this to work we need a domain name. You can get a free one from FreeNom or buy your own .com or .co.uk from a registrar such as NameCheap.

For this example I will use Freenom.

  1. Search for the domain name you want. I will use mymedia.cf

  2. Click Checkout and enter your details. You will then see a button to manage the domain; click that. Next click on Management Tools and Nameservers. You will see the below screen. Leave this open for now, we will come back to it.

CloudFlare

  • Head over to Cloudflare, create an account, and then add the domain name you registered above, mymedia.cf. Note: when adding your site and starting the scan it might fail due to DNS propagation. Give it 5-15 mins and try again.

  • Once your Domain Name appears in Cloudflare you can click 'Continue Setup' and you will see the page below.

  • Create an 'A Record'

  • Name = emby

  • Value = your WAN IP

  • Status = make sure it's an orange cloud

  1. Select the Free plan.

  2. You will now be given nameservers. Copy the 2 nameservers from Cloudflare and enter them into FreeNom. If FreeNom has 4, delete all of them and only enter the 2 from Cloudflare. It should look something like the below image.

  3. It will take some time for DNS propagation before the nameservers change to Cloudflare. In the meantime let's set up Emby Server and port forwarding on your router. Go to your Emby Server and Dashboard Manager > Advanced.

  4. Change your Public HTTP port to 80 and HTTPS port to 443. Enter your new domain name. I get emby.mymedia.cf from the CloudFlare DNS page: emby was the name of the DNS record, so the full record is emby.mymedia.cf.

  5. Save and Restart Emby.

  6. Log into your router. All routers are different. Find the section to port forward and create a new rule. Forward external port 443 to internal port 8920 and the IP address of your Emby Server. You can also forward 80 to 8096, however this will mean users can connect insecurely to your Emby server.

  7. Head back to CloudFlare and click 'Recheck Nameservers'. If successful you will see a green bar and Cloudflare Active.

  8. We now need to create an SSL cert for Cloudflare to connect to your server securely. On Cloudflare go to 'Crypto', and then 'Origin Certificates'.

  9. Click Create Certificate. On the next screen leave everything default and click Next.

  10. You will now be given 2 boxes, a Certificate code and a Private Key code. Copy both of them into separate notepads and save both. Call them cert.pem and private.key respectively.

  11. Once you have your 2 files, cert.pem and private.key, we need to convert them to a .pfx. Go to https://www.sslshopper.com/ssl-converter.html
     • Current type = Standard PEM
     • Type to Convert to = PFX/PKCS#12
     • PFX Password = "whatever you want"
     • Certificate File to convert = cert.pem
     • Private Key File = private.key

Click convert and you should end up with a PFX certificate.
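The online converter works, but it receives private.key, which is the one secret the Cloudflare-to-Emby leg depends on. The same conversion can be done locally with the openssl command line, so the key never leaves your machine. The script below is an added example (not from the original guide, Cloudflare or Emby); it assumes the openssl binary is installed and on PATH, uses the file names from the steps above, and emby.pfx is a constructed output name.

```python
"""Converting the Cloudflare origin certificate and key to a PFX locally.

Added example, not part of the original guide. Drives the openssl command
line so cert.pem and private.key never leave the machine. Assumes openssl is
on PATH; emby.pfx and the PFX_PASSWORD variable name are constructed.
"""
import getpass
import os
import re
import shutil
import subprocess

PASSWORD_ENV = "PFX_PASSWORD"  # constructed variable name


def pkcs12_argv(cert_path, key_path, out_path):
    """openssl PKCS#12 export. The password is read from an environment variable
    (openssl's env:NAME syntax) rather than placed on the command line, where it
    would show up in process listings and shell history."""
    return ["openssl", "pkcs12", "-export",
            "-in", cert_path, "-inkey", key_path, "-out", out_path,
            "-passout", "env:" + PASSWORD_ENV]


def looks_like_pem(text, label):
    """Cheap sanity check before calling openssl. Cloudflare hands out the
    certificate as a CERTIFICATE block and the key as a PRIVATE KEY block;
    an RSA/EC PRIVATE KEY block from other tools is accepted as well."""
    pattern = r"-----BEGIN (?:[A-Z]+ )*%s-----" % re.escape(label)
    return re.search(pattern, text) is not None


def convert(cert_path="cert.pem", key_path="private.key", out_path="emby.pfx", password=None):
    """Validate both inputs, run openssl, and lock down the output file."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    with open(cert_path, encoding="utf-8-sig") as fh:   # utf-8-sig tolerates a Notepad BOM
        cert = fh.read()
    with open(key_path, encoding="utf-8-sig") as fh:
        key = fh.read()
    if not looks_like_pem(cert, "CERTIFICATE"):
        raise ValueError("%s does not contain a PEM certificate" % cert_path)
    if not looks_like_pem(key, "PRIVATE KEY"):
        raise ValueError("%s does not contain a PEM private key" % key_path)
    if not password:
        password = getpass.getpass("PFX password (you will enter it again in Emby): ")
    env = dict(os.environ)
    env[PASSWORD_ENV] = password
    subprocess.run(pkcs12_argv(cert_path, key_path, out_path), env=env, check=True)
    os.chmod(out_path, 0o600)  # the PFX contains the private key; owner-only where supported
    return out_path


if __name__ == "__main__":
    print("wrote", convert())
```

Point Emby's "Custom SSL certificate path" at the resulting emby.pfx and use the same password in "Certificate password"; the cert.pem and private.key files can then be deleted or moved somewhere that is not world-readable.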

  12. Head back to Emby Server > Dashboard > Advanced.
     • Custom SSL certificate Path = your PFX file
     • Certificate Password = the one used above, "whatever you want"

Save and Restart Emby.

  13. Head back to Cloudflare > Crypto tab. You now need to change SSL from Flexible to Full. (This means users connect to Cloudflare, which uses the Cloudflare cert; Cloudflare then connects to your Emby server using the cert we just created.) Thus a full SSL path from user to server.

  14. Go to https://emby.mymedia.cf and enjoy your movies.

Optional Steps

  1. On Cloudflare > Crypto you can enable 'Always use HTTPS' and 'Automatic HTTPS Rewrites'. Anyone trying to browse to HTTP will be forwarded to HTTPS.

  2. On Cloudflare > Page Rules add the following rules to cache your images.
     URL = *mymedia.cf/emby/item/*/images/*
     Cache Level = Cache Everything
     Edge Cache TTL = a month

Add a second rule:

     URL = *mymedia.cf/*
     Edge Cache TTL = a month

If you have a DHCP WAN IP then you will also need to do some additional steps so that Cloudflare forwards to your IP even if it changes. For this you need to use DNS-O-Matic; a guide can be found HERE.

Emby to advertise HTTPS when on NGINX


If you run Emby behind NGINX, you would normally connect to NGINX with HTTPS and NGINX then forwards the request over your LAN using HTTP. This avoids a double decrypt/encrypt, which uses more CPU cycles.

However, if you use Emby Connect or Alexa for Emby, you will probably have noticed that the Emby Server Dashboard displays your external connection as HTTP on port 80, which means Alexa won't work as it requires HTTPS on port 443.

So rather than create a double decrypt/encrypt scenario we can edit the Emby system.xml file, which makes Emby advertise its external connections on HTTPS and port 443.

First we do need to create a real .pfx cert with a password. There are 2 ways to create an SSL cert:

  1. Zero SSL Tool Uses an automated tool.
  2. DNS Verification Uses manual TXT records on your DNS.

Once you have that, head over to your Emby Dashboard and go to Advanced.

Change your settings as in the image below (Emby Settings):

    Public HTTP - 80
    Public HTTPS - 443
    External Domain - your Emby subdomain
    SSL Certificate - point it to your .pfx
    Certificate password - your .pfx password
    Require HTTPS - UNTICKED!

Save and Restart Emby.

Now head to your Emby Server install location. Normally on Windows it's C:\Users\%username%\AppData\Roaming\Emby-Server\config

Open system.xml in Notepad or Notepad++ and look for the line

    <EnableHttps>false</EnableHttps>

Change false to true:

    <EnableHttps>true</EnableHttps>

Save and then restart Emby again.

Your emby dashboard should now be advertising https:// on port 443.

SSL Config For NGINX

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


proxy_hide_header X-Powered-By;
add_header x-xss-protection 1;
proxy_hide_header X-Frame-Options;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header 'Referrer-Policy' 'origin';
add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
add_header X-Frame-Options "ALLOW-FROM https://home.mydomain.media";
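The snippet above is the author's working config; before reusing it, it is worth checking the TLS-layer directives against what current clients still accept. The script below is an added example, not from the original post or from NGINX: it pulls the ssl_* and add_header directives out of an nginx snippet and lists settings that weaken the HTTPS front end (protocol versions removed from modern browsers, legacy cipher suites, a short HSTS lifetime, and an X-Frame-Options value browsers no longer honour). The embedded sample is the page's own snippet with the long frame-ancestors list shortened.

```python
"""Checking an NGINX TLS block for legacy settings.

Added example, not part of the original guide. The sample is the page's own
ssl/add_header block with the frame-ancestors list shortened.
"""
import re

SAMPLE_CONFIG = """
ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\\le64\\Domain.crt;
ssl_certificate_key  E:\\le64\\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header Content-Security-Policy "frame-ancestors mydomain.media emby.mydomain.media;";
add_header X-Frame-Options "ALLOW-FROM https://home.mydomain.media";
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}     # deprecated by RFC 8996, dropped by browsers
WEAK_CIPHER_TOKENS = ("3DES", "RC4", "NULL", "EXPORT", "MD5")  # Sweet32, RC4 biases, no encryption, MD5 MAC
ONE_YEAR = 31536000


def directive(text, name):
    """Value of the first unquoted nginx directive `name ...;`, or None."""
    m = re.search(r"(?m)^\s*%s\s+([^;\"]+);" % re.escape(name), text)
    return m.group(1).strip() if m else None


def audit_tls_config(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []

    protocols = directive(text, "ssl_protocols")
    if protocols:
        legacy = sorted(set(protocols.split()) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("ssl_protocols enables deprecated %s; allow TLSv1.2 and TLSv1.3 only"
                            % ", ".join(legacy))

    ciphers = directive(text, "ssl_ciphers")
    if ciphers:
        # '!X' entries exclude suites, so only positive entries can enable a weak one
        enabled = [c for c in ciphers.split(":") if not c.startswith("!")]
        weak = [c for c in enabled if any(tok in c.upper() for tok in WEAK_CIPHER_TOKENS)]
        if weak:
            findings.append("ssl_ciphers enables weak suite(s) %s" % ", ".join(weak))

    hsts = re.search(r'Strict-Transport-Security\s+"[^"]*max-age=(\d+)', text)
    if hsts and int(hsts.group(1)) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is %s seconds (%d days); one year is the usual minimum"
                        % (hsts.group(1), int(hsts.group(1)) // 86400))

    xfo = re.search(r'add_header\s+X-Frame-Options\s+"?([^";]+)', text)
    if xfo and xfo.group(1).strip().upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is not honoured by current browsers; "
                        "the CSP frame-ancestors directive already covers this")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_config(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the `server` block from your own site file; a clean result for the checks above is `ssl_protocols TLSv1.2 TLSv1.3;`, a cipher list without 3DES/RC4/MD5 members, and an HSTS max-age of at least a year.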

Unifi Firewall Logging with syslog

How to enable syslogging of the Unifi firewall.

It's fairly easy to enable syslog in the Unifi Controller, however logging blocked or dropped traffic at the firewall needs a few extra steps. By default anything blocked by the firewall isn't logged.

Unifi config.json

The Unifi USG comes with pre-defined firewall rules. We need to edit these rules, which can be done on the USG from the command line, but the change also needs a JSON file to persist after a reboot or re-provision. We also need to create some new rules and enable a syslog server.

First we need to find a syslog server. For this example I will use Kiwi Syslog, which is free.

Download here

Install it to an easy to find location and run the console; we will come back to configure it later.

Log in to your Unifi controller, go to Settings, enable remote logging and enter the IP of the Kiwi syslog server; the default port is normally 514.

Now go to Routing and Firewall and select Firewall.

We need to create 2 new rules, both identical, one in WAN_LOCAL and the other in WAN_IN.

New Rule

    Name - LAST - default drop and log
    Enabled - ON
    After pre-defined rules
    Drop
    All
    Advanced - Enable Logging
    Tick New, Established, Related, Invalid
    Don't match on IPsec
    Leave the rest default

So we should have something like this.

Next we need to change the pre-defined firewall rules on the USG.

SSH onto your USG, log in and run:

    configure
    set firewall name WAN_LOCAL rule 3002 log enable
    set firewall name WAN_IN rule 3002 log enable
    commit
    save
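Changes made this way are overwritten the next time the controller provisions the USG, which is why a JSON file is needed for them to persist. The file is the controller's config.gateway.json, which mirrors the USG configuration tree as nested JSON objects; the script below is an added example (not from the original guide or from Ubiquiti) that turns the two `set` commands above into that structure, and back again for review. Its location depends on the controller install (it sits under the site's data directory), so the output path here is only a constructed default.

```python
"""Persisting the USG firewall logging change through the controller.

Added example, not part of the original guide. Converts EdgeOS-style 'set'
commands into the nested object layout of config.gateway.json and back. The
output file name is a constructed default; copy it to the controller's site
data directory yourself.
"""
import json

SET_COMMANDS = [  # the two commands from the guide
    "set firewall name WAN_LOCAL rule 3002 log enable",
    "set firewall name WAN_IN rule 3002 log enable",
]


def set_to_tree(commands, tree=None):
    """Turn 'set a b ... key value' lines into nested objects: each path element
    becomes a key and the final token the leaf value, merging across commands
    so several rules under the same ruleset share one object."""
    tree = {} if tree is None else tree
    for line in commands:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            raise ValueError("not a set command: %r" % line)
        node = tree
        for key in parts[1:-2]:
            child = node.setdefault(key, {})
            if not isinstance(child, dict):
                raise ValueError("path conflicts with a value already set: %r" % line)
            node = child
        leaf, value = parts[-2], parts[-1]
        if isinstance(node.get(leaf), dict):
            raise ValueError("value conflicts with a sub-tree already set: %r" % line)
        node[leaf] = value
    return tree


def tree_to_set(tree, prefix=()):
    """Inverse of set_to_tree: list the 'set' commands a tree represents, which
    makes an existing config.gateway.json reviewable in the USG's own terms."""
    commands = []
    for key, value in tree.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            commands.extend(tree_to_set(value, path))
        else:
            commands.append("set " + " ".join(path + (value,)))
    return commands


def render(tree):
    """Pretty JSON. Re-parse the file with json.load before copying it to the
    controller: a malformed config.gateway.json makes the USG re-provision
    repeatedly instead of applying anything."""
    return json.dumps(tree, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    text = render(set_to_tree(SET_COMMANDS))
    with open("config.gateway.json", "w") as fh:   # constructed default path
        fh.write(text)
    print(text)
```

After copying the file into place, force a provision from the controller and confirm with `show firewall name WAN_LOCAL` on the USG that rule 3002 still shows `log enable` afterwards.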

Next we need to configure Kiwi to capture the logs.

More to come soon

The next part is optional. The syslog logs in Kiwi contain a lot of information, but on their own they don't mean much to us. I recommend using something like Sumo Logic to collect, parse and visualize the data.

Below is a screenshot of my dashboard. It displays the number of blocked connections by their geo-location. A list of top 10 blocked IPs, the total number of blocked requests over 24 hours and finally a graph of the number of blocked connections in 30 min increments. These numbers come from the firewall rule [WAN_LOCAL-4000-D].
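The same three numbers can be produced without a SaaS dashboard. The USG emits firewall hits in the Linux netfilter LOG format with the rule name as a prefix, so `[WAN_LOCAL-4000-D]` identifies ruleset WAN_LOCAL, rule 4000, action D (drop). The script below is an added example, not from the original guide or from Ubiquiti: it parses those records out of a syslog export and reports total drops, the top source IPs and drops per 30-minute slot. The sample lines are constructed (documentation IP ranges), with one accept from rule 3002 and one non-firewall line mixed in to show that they are ignored.

```python
"""Parsing USG firewall drop messages from syslog.

Added example, not part of the original guide. Records look like
'<syslog ts> <host> kernel: [RULESET-RULE-ACTION]IN=... SRC=... DPT=...'.
The sample lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Jan 10 12:07:33 usg kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=41234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:09:02 usg kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=41235 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:41:15 usg kernel: [WAN_IN-4000-D]IN=eth0 OUT=eth1 MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.44 DST=10.0.0.20 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=5353 LEN=24
Jan 10 12:45:00 usg kernel: [WAN_LOCAL-3002-A]IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.9 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=7 DF PROTO=TCP SPT=5000 DPT=443 WINDOW=501 RES=0x00 ACK URGP=0
Jan 10 13:02:48 usg kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.99 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=9 PROTO=TCP SPT=6000 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 13:10:10 usg sudo: admin : TTY=pts/0 ; COMMAND=/bin/ls
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
RULE_RE = re.compile(r"\[(?P<ruleset>[A-Z_]+)-(?P<rule>\d+)-(?P<action>[ADR])\]")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # netfilter KEY=value pairs; OUT= may be empty


def parse_line(line):
    """Return a dict for a firewall log record, or None for any other syslog line."""
    rule = RULE_RE.search(line)
    ts = TS_RE.match(line)
    if not rule or not ts:
        return None
    fields = dict(KV_RE.findall(line))
    when = datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S")   # BSD syslog carries no year
    return {
        "time": when,
        "ruleset": rule.group("ruleset"),
        "rule": int(rule.group("rule")),
        "action": rule.group("action"),        # D=drop, R=reject, A=accept
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def half_hour_slot(when):
    """Start of the 30-minute slot containing `when`."""
    return when.replace(minute=(when.minute // 30) * 30, second=0, microsecond=0)


def summarize(lines, top=10):
    """The dashboard's numbers: drops only, accepts and unrelated lines ignored."""
    drops = [r for r in map(parse_line, lines) if r and r["action"] == "D"]
    by_src = Counter(r["src"] for r in drops)
    by_port = Counter("%s/%s" % (r["proto"], r["dport"]) for r in drops)
    per_slot = Counter(half_hour_slot(r["time"]) for r in drops)
    return {
        "blocked": len(drops),
        "top_src": by_src.most_common(top),
        "top_dport": by_port.most_common(top),
        "per_half_hour": {slot.strftime("%b %d %H:%M"): n for slot, n in sorted(per_slot.items())},
    }


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(summarize(source))
```

Point it at a Kiwi text export and you get the same totals the Sumo Logic panels show; the per-port counter is a cheap extra that tells you which services (23, 22, 3389 in the sample) the drops are aimed at.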


Head over to the next Guide "Syslog to SumoLogic" to setup the visualization of the logs.