Cloudflare Setup and CDN for Plex

CloudFlare

Rather than repost the excellent instructions on how to initially set up Cloudflare as your DNS provider, here is the link to their page: Creating a Cloudflare account and adding a website – Cloudflare Help Center

Note that if you have multiple sites you do NOT need a separate account for each. You can add multiple sites, each with a different IP, to the same Cloudflare account. They will all share the same API - which makes it easier to manage - but each has their own IPs, A Record(s), CNAMEs, Page Rules, etc.

Failure to configure CF correctly will result in cert errors or too many redirect errors. Once you have applied these changes, make sure you clear your browser cache and purge the CF cache!


DNS Setup

  • 1 A record that is domain.com and points to your IP, enable orange cloud.
  • For each app, add a CNAME, use the appname for the Name and @ for the value, orange cloud on.
  • To hide the actual IP from the public, everything must have the “orange cloud” enabled.
  • You need to have 1 A record listing the top level domain to the actual IP of your domain (i.e. domain.com)
  • Use CNAMEs for the sub domains (i.e. portainer.domain.com) that are an alias of the TLD you listed for your A record.

| Type | Name | Value | TTL | Status |
|---|---|---|---|---|
| A | domain.com | 111.111.111.111 | Automatic | Orange :cloud: |
| CNAME | plex | @ | Automatic | Orange :cloud: |
| CNAME | portainer | @ | Automatic | Orange :cloud: |
| CNAME | radarr | @ | Automatic | Orange :cloud: |
| CNAME | sonarr | @ | Automatic | Orange :cloud: |
| CNAME | nzbget | @ | Automatic | Orange :cloud: |
| CNAME | sabnzbd | @ | Automatic | Orange :cloud: |

  • Add CNAMEs for the rest of the apps that you are using, use the appname as listed in PTS as the Name.

| Type | Name | Value | TTL | Status |
|---|---|---|---|---|
| CNAME | appname | @ | Automatic | Orange :cloud: |

Crypto Settings

| Tab | Setting Name | Value |
|---|---|---|
| Overview | SSL | Full (strict) |
| Edge Certificates | Always Use HTTPS | :green_square: On |
| Edge Certificates | HTTP Strict Transport Security (HSTS) | :green_square: On, Include Subdomains: On, Preload: On |
| Origin Server | Authenticated Origin Pulls | :green_square: On |
| Edge Certificates | Minimum TLS Version | TLS 1.2 |
| Edge Certificates | Opportunistic Encryption | :green_square: On |
| Network | Onion Routing | :red_square: Off |
| Edge Certificates | TLS 1.3 | Enabled |
| SSL/TLS | Automatic HTTPS Rewrites | :green_square: On |
| Network | 0-RTT Connection Resumption | :green_square: On |
| Edge Certificates | Disable Universal SSL | Keep Universal SSL On (do nothing) |

Once you have applied these changes, make sure you clear your browser cache and purge the CF cache!

Caching

| Setting Name | Value |
|---|---|
| Caching Level | Standard |
| Browser Cache TTL | Respect Existing Headers |
| Always Online | Off |
| Development Mode | Off |

Page Rules

This step is very important. Failure to set up this page rule will result in CF terminating your account! Note: You are limited to 3 page rules for free.

You need to bypass the CF cache for everything by adding the following rules:

  • SSL: Full

  • Cache Level: Bypass

  • Automatic HTTPS Rewrites: On


Cloudflare as Content Delivery Network (CDN) for Plex

  1. Go to plex web
  2. Go to settings
  3. Go to Network
  4. Enable Advanced Settings

| Plex Network Setting | Value |
|---|---|
| LAN Networks | 172.17.0.0/16,172.18.0.0/16 |
| Treat WAN IP As LAN Bandwidth | Checked |
| Custom server access URLs | https://plex.domain.com:443 |

  • You must have https:// and :443 , just like it’s listed above.

Plex Remote access

Disable “Remote Access”. Everything will still connect, including all the apps.

  • Note: You will see red ! next to remote access. Learn to ignore this, this is normal and expected. Everything will still connect just fine if you followed all of the configuration to a T.

Once you have applied these changes, make sure you clear your browser cache and purge the CF cache!
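
A check for the DNS layout described above, as an added example that is not part of the original post: it takes records in the shape the Cloudflare API returns them (`type`, `name`, `content`, `proxied`) and reports any that would expose the origin IP or deviate from the one-A-record-plus-CNAMEs layout. The function name `audit_dns` and the sample records are constructed for illustration, and it assumes the `@` CNAME value shows up as the apex name in the record's `content`.

```python
# Added example (not from the original post): audit DNS records against the
# "1 apex A record + proxied CNAMEs" layout. Field names follow the Cloudflare
# API record shape; audit_dns and SAMPLE are hypothetical/constructed.

def audit_dns(records, apex):
    """Return (record name, problem) tuples for records that break the layout."""
    findings = []
    apex_a = [r for r in records if r["type"] == "A" and r["name"] == apex]
    if len(apex_a) != 1:
        findings.append((apex, f"expected exactly 1 apex A record, found {len(apex_a)}"))
    for r in records:
        name, rtype = r["name"], r["type"]
        if rtype not in ("A", "AAAA", "CNAME"):
            continue  # only A/AAAA/CNAME records can be proxied (orange cloud)
        if not r.get("proxied", False):
            findings.append((name, "grey cloud: resolves straight to the origin IP"))
        if rtype == "A" and name != apex:
            findings.append((name, "sub-domain has its own A record instead of a CNAME"))
        if rtype == "CNAME" and r["content"].rstrip(".") != apex:
            findings.append((name, f"CNAME target {r['content']} is not the apex"))
    return findings

# Constructed sample: two records follow the guide, two do not, TXT is ignored.
SAMPLE = [
    {"type": "A", "name": "domain.com", "content": "111.111.111.111", "proxied": True},
    {"type": "CNAME", "name": "plex.domain.com", "content": "domain.com", "proxied": True},
    {"type": "CNAME", "name": "portainer.domain.com", "content": "domain.com", "proxied": False},
    {"type": "A", "name": "radarr.domain.com", "content": "111.111.111.111", "proxied": True},
    {"type": "TXT", "name": "domain.com", "content": "v=spf1 -all", "proxied": False},
]

if __name__ == "__main__":
    for name, problem in audit_dns(SAMPLE, "domain.com"):
        print(f"{name}: {problem}")
```
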



Thanks for the update @madmaximus :+1:

4 Likes

Got this working!

Curious what are the advantages of taking this approach?

Also, would like to note that I was having issues with my LG Smart TV streaming Plex because they use Let’s Encrypt certificates by default.

LG would not update Let’s Encrypt Root CA expiration back in September, so everything broke.

Approaching this method fixed the issue because when now streaming it points directly to my domain over HTTPS. Assuming using the CloudFlare cert.

Cool stuff! Maybe this will help someone experiencing the same.

1 Like