CloudFlare
Rather than repost the excellent instructions on how to initially set up Cloudflare as your DNS provider, here is the link to their page: https://support.cloudflare.com/hc/en-us/articles/201720164-Step-2-Create-a-Cloudflare-account-and-add-a-website
Note that if you have multiple sites you do NOT need a separate account for each. You can add multiple sites, each with a different IP, to the same Cloudflare account. They will all share the same API key, which makes them easier to manage, but each has its own IPs, A record(s), CNAMEs, Page Rules, etc.
Setup: Failure to configure Cloudflare correctly will result in certificate errors or "too many redirects" errors. Once you have applied these changes, make sure you clear your browser cache!
- Any site whose actual IP you want to hide from the public must have the "orange cloud" (Cloudflare proxy) enabled.
- You need one A record pointing the top-level domain (i.e. mydomain.com) to the actual IP of your server.
  - A wildcard (*) under Name for an A record pointing to an IP will not work for free accounts. If you have one, you may as well delete it. You have to create a separate listing for each sub-domain (i.e. portainer.mydomain.com).
- Use CNAMEs for the sub-domains (i.e. portainer.mydomain.com) that are an alias of the TLD you listed for your A record.
Crypto Settings
- Always Online: Off
- Cache Level: Bypass
- SSL: Full (strict)
- Automatic HTTPS Rewrites: On
  - No, this doesn't change the HTTPS provider info; it simply enforces that the URL has https at the front even if it wasn't typed.
- Always Use HTTPS: On (scroll down to find it)
- HSTS: set it up (recommended but optional)
- Minimum TLS Version: 1.2
- Opportunistic Encryption: On
- Onion Routing: Off
- TLS 1.3: Enabled + 0-RTT
When using Cloudflare and Traefik, use the following setup (yes, I know this is different from some other CDN instructions. Following the CDN instructions as written in other locations can result in intermittent remote access on dedicated servers and VPSs.)
1. Under "Network/Custom server access URLs" use https://plex.mydomain:443
   - Note the https and the :443 at the end. Seems redundant, but required!
   - TLD is plex.yourdomain.com or plex.yourdomain.net or whatever you're using.
2. Recommended: under "Network/LAN Networks" and under "Network/List of IP addresses and networks that are allowed without auth" enter 172.17.0.0/16,172.18.0.0/16
   - Those are the internal subnets for the plexguide and bridge networks.
   - This suggestion isn't directly relevant to Cloudflare, but helpful regardless.
3. Disable "Remote Access". Yes, when using Traefik with these instructions, everything will still connect!
4. In Cloudflare under the "DNS" tab ensure you have a Plex CNAME.
   - Best practice is to have one A record that points to your TLD without a prefix (i.e. yourdomain.com, NOT www.yourdomain.com). All the other sub-domains should be CNAMEs; www should be a CNAME too.
   - So you'd add one CNAME for plex.yourdomain.com, using plex under the Name column and yourdomain.com under the Value column. Use the @ symbol instead of typing yourdomain.com in the Value column!
   - In the Plex record make sure the orange cloud (using Cloudflare) is ENABLED.
   - If using CNAME records, you must have AT LEAST the TLD included as an A record. That should have been pulled over automatically when you created your Cloudflare account. Check that you have a line that tells Cloudflare what the IP for your server is and the TLD to associate it with (the purpose of an A record), as in the screenshot below:
5. In Cloudflare make a Page Rule for https://plex.TLD/* with the settings SSL: Full, Cache Level: Bypass, Automatic HTTPS Rewrites: On
   - Note the /* at the end. Important. Required.
   - Again, "plex.TLD" is whatever you used in #1 (i.e. maybe plex.ihopethisfsckingworks.com)
   - Any other rules from other CDN guidelines aren't necessary. You can add them (they won't hurt), but why complicate things?
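To sanity-check a zone against the DNS rules in this guide (exactly one apex A record, no wildcard A record, every sub-domain a CNAME to the apex, orange cloud on everything so the origin IP stays hidden), here is an added Python example that is not part of the PlexGuide wiki. The records are a constructed sample in a hypothetical dict layout (not Cloudflare's API format), and the Cloudflare ranges listed are only a subset of the published list.

```python
import ipaddress

# Constructed sample zone in the shape this guide recommends (hypothetical
# dict layout, not Cloudflare's API format): one apex A record, CNAMEs for
# the sub-domains, orange cloud (proxied) enabled on every record.
SAMPLE_ZONE = [
    {"name": "mydomain.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "plex.mydomain.com", "type": "CNAME", "content": "@", "proxied": True},
    {"name": "portainer.mydomain.com", "type": "CNAME", "content": "mydomain.com", "proxied": True},
]

# Subset of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4);
# fetch the current list before relying on this check in practice.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14", "108.162.192.0/18",
    "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20",
    "188.114.96.0/20", "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]


def check_zone(apex, records):
    """Return the list of rule violations found; an empty list means the zone is clean."""
    problems = []
    apex_a = [r for r in records if r["type"] == "A" and r["name"] == apex]
    if len(apex_a) != 1:
        problems.append(f"expected exactly one A record for {apex}, found {len(apex_a)}")
    for r in records:
        name, rtype, target = r["name"], r["type"], r["content"]
        if name.startswith("*"):
            problems.append(f"{name}: wildcard records are not honoured on free plans")
        if not r.get("proxied"):
            # Grey cloud: DNS answers with the origin IP, so the server is no longer hidden.
            problems.append(f"{name}: orange cloud is off, origin IP is exposed")
        if rtype == "A" and name != apex:
            problems.append(f"{name}: sub-domains should be CNAMEs to {apex}, not A records")
        if rtype == "CNAME" and target not in ("@", apex):
            problems.append(f"{name}: CNAME points at {target} instead of the apex {apex}")
    return problems


def is_cloudflare_ip(addr):
    """True if a public DNS answer for a proxied name resolves to a Cloudflare edge address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_V4)


if __name__ == "__main__":
    for line in check_zone("mydomain.com", SAMPLE_ZONE) or ["zone follows the guide"]:
        print(line)
```

Resolve plex.yourdomain.com from outside your network and feed the answer to is_cloudflare_ip: a public IP that is not a Cloudflare edge address means the orange cloud is off for that record.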
You'll also see the dreaded red "!" next to Remote Access. IGNORE THIS. THIS IS NORMAL.