Cloudflare
Rather than repost the excellent instructions on how to initially set up Cloudflare as your DNS provider, here is the link to their page: https://support.cloudflare.com/hc/en-us/articles/201720164-Step-2-Create-a-Cloudflare-account-and-add-a-website
Note that if you have multiple sites you do NOT need a separate account for each. You can add multiple sites, each with a different IP, to the same Cloudflare account. They will all share the same account API key, which makes them easier to manage, but each site has its own IPs, A record(s), CNAMEs, Page Rules, etc.
Setup: if Cloudflare is not configured correctly you will get certificate errors or "too many redirects" errors. Once you have applied these changes, make sure you clear your browser cache!
- 1 A record for the top level (apex) domain, i.e. mydomain.com, that points to your actual IP, with the orange cloud enabled. This is the only record that carries the real address.
- For each app, add a CNAME: use the app name for the Name and @ for the Value, orange cloud on. Each sub-domain (i.e. portainer.mydomain.com) is then an alias of the apex domain you listed in the A record.
- To hide the actual IP from the public, everything must have the "orange cloud" enabled. A grey-cloud (DNS only) record publishes whatever it points at.
- DO NOT USE WILDCARDS. They do not work for free accounts! If you have one, remove it. You have to create a separate entry for each sub-domain (i.e. portainer.mydomain.com).
Type | Name | Value | TTL | Status |
---|---|---|---|---|
A | mydomain.com | 111.111.111.111 | Automatic | Orange |
CNAME | plex | @ | Automatic | Orange |
CNAME | portainer | @ | Automatic | Orange |
Setting Name | Value |
---|---|
SSL | Full (strict) |
Always Use HTTPS | On |
HTTP Strict Transport Security (HSTS) | On, Include Subdomains: On, Preload: On |
Authenticated Origin Pulls | On |
Minimum TLS Version | TLS 1.2 |
Opportunistic Encryption | On |
TLS 1.3 | Enabled + 0-RTT |
Automatic HTTPS Rewrites | On |
Disable Universal SSL | Keep Universal SSL On (do nothing) |

Two of these settings deserve a second look before you turn them on. Authenticated Origin Pulls only does something if Traefik is configured to require Cloudflare's origin-pull client certificate; with the toggle on and nothing enforcing it at the origin, anyone who learns your IP can still talk to Traefik directly. HSTS Preload submits your whole domain, sub-domains included, to the browser preload lists, which is very hard to undo, so only enable it once every host under the domain serves HTTPS.
- Under "Network/Custom server access URLs" use https://plex.mydomain.com:443
  - Note the https:// and the :443 at the end. It looks redundant, but it is required!
  - Replace plex.mydomain.com with the hostname you actually use (plex.yourdomain.com, plex.yourdomain.net, or whatever). It is the Plex CNAME you created above, not the bare domain.
- Recommended: under "Network/LAN Networks" and under "Network/List of IP addresses and networks that are allowed without auth" enter 172.17.0.0/16,172.18.0.0/16
  - Those are the internal subnets of the plexguide and Docker bridge networks.
  - This suggestion isn't directly related to Cloudflare, but it is helpful regardless. Since the second setting disables authentication for anything that appears to come from those subnets, check from outside your network that https://plex.mydomain.com still asks you to sign in.
- Disable "Remote Access". Yes, when using Traefik with these instructions everything will still connect! You no longer need Plex's relay (plex.tv connect) servers; clients connect directly to you.
  - Note: you will see a red ! next to Remote Access. Learn to ignore this; it is normal and expected. Everything will connect just fine if you followed the configuration to a T.
- In the Plex DNS record make sure the orange cloud (proxied through Cloudflare) is ENABLED!
- Important: failure to do this step may result in Cloudflare disabling your account!
- In Cloudflare make a page rule for https://plex.mydomain.com/* with the settings SSL: Full (strict), Cache Level: Bypass (very important! Bypass keeps Plex's media streams out of Cloudflare's cache), Automatic HTTPS Rewrites: On. Note the /* at the end. It is required so the rule covers every Plex URL.
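The DNS rules above (one proxied apex A record, proxied CNAMEs to @, no wildcards) and the Plex page rule are easy to get subtly wrong by hand. The script below is an added example, not part of plexguide: it lints a record set against those rules and builds the JSON bodies for Cloudflare's v4 API (`POST /zones/{zone_id}/dns_records` and `POST /zones/{zone_id}/pagerules`). `ZONE`, `ORIGIN_IP` and the two record lists are constructed sample data; the page-rule action ids (`ssl`, `cache_level`, `automatic_https_rewrites`) follow the Cloudflare API as I know it and are worth checking against the current API docs before you POST them.

```python
"""Added example (not plexguide's own code): lint a Cloudflare DNS record set
against the rules on this page and build the matching Cloudflare API v4 payloads.
ZONE, ORIGIN_IP and the record lists below are constructed sample data."""
import json
from dataclasses import dataclass

ZONE = "mydomain.com"
ORIGIN_IP = "111.111.111.111"  # the one real address; only the apex A record may carry it


@dataclass(frozen=True)
class Record:
    type: str       # "A" or "CNAME"
    name: str       # "mydomain.com", "@", or a sub-domain label such as "plex"
    content: str    # IPv4 for A; CNAME target, "@" meaning the apex
    proxied: bool   # True = orange cloud, False = grey cloud (DNS only)


def fqdn(name: str, zone: str) -> str:
    """Turn '@', 'plex' or 'plex.mydomain.com' into a fully qualified host name."""
    if name in ("@", zone):
        return zone
    return name if name.endswith("." + zone) else f"{name}.{zone}"


def lint_records(records, zone=ZONE, origin_ip=ORIGIN_IP):
    """Return the rule violations found; an empty list means the set matches the page."""
    problems = []
    apex_a = [r for r in records if r.type == "A" and fqdn(r.name, zone) == zone]
    if len(apex_a) != 1:
        problems.append(f"need exactly one A record for {zone}, found {len(apex_a)}")
    for r in records:
        host = fqdn(r.name, zone)
        if "*" in r.name:
            problems.append(f"{host}: wildcard record, list each sub-domain instead")
        if not r.proxied:
            problems.append(f"{host}: grey cloud, its content is visible in public DNS")
        if r.type == "A" and host != zone:
            problems.append(f"{host}: sub-domains should be CNAMEs to @, not A records")
        if r.type == "A" and host == zone and r.content != origin_ip:
            problems.append(f"{host}: A record points at {r.content}, not {origin_ip}")
        if r.type == "CNAME" and fqdn(r.content, zone) != zone:
            problems.append(f"{host}: CNAME should alias the apex (@), not {r.content}")
    return problems


def dns_payload(r: Record, zone=ZONE) -> dict:
    """Body for POST /zones/{zone_id}/dns_records. ttl=1 is Cloudflare's 'Automatic'."""
    content = zone if (r.type == "CNAME" and r.content == "@") else r.content
    return {"type": r.type, "name": fqdn(r.name, zone), "content": content,
            "ttl": 1, "proxied": r.proxied}


def plex_page_rule(zone=ZONE) -> dict:
    """Body for POST /zones/{zone_id}/pagerules: the https://plex.<zone>/* rule above."""
    return {
        "targets": [{"target": "url",
                     "constraint": {"operator": "matches", "value": f"https://plex.{zone}/*"}}],
        "actions": [{"id": "ssl", "value": "strict"},
                    {"id": "cache_level", "value": "bypass"},
                    {"id": "automatic_https_rewrites", "value": "on"}],
        "status": "active",
    }


# Constructed sample: the record set from the table above.
GOOD = [
    Record("A", "mydomain.com", ORIGIN_IP, True),
    Record("CNAME", "plex", "@", True),
    Record("CNAME", "portainer", "@", True),
]
# Constructed sample of the mistakes the page warns about.
BAD = [
    Record("A", "mydomain.com", ORIGIN_IP, True),
    Record("A", "plex", ORIGIN_IP, False),  # grey cloud + A record: publishes the origin IP
    Record("CNAME", "*", "@", True),        # wildcard
]

if __name__ == "__main__":
    for label, recs in (("good", GOOD), ("bad", BAD)):
        print(label, lint_records(recs) or "OK")
    print(json.dumps([dns_payload(r) for r in GOOD], indent=2))
    print(json.dumps(plex_page_rule(), indent=2))
```

Run it as-is to see the three violations in the deliberately broken set; to apply the payloads, send them with your account token to the two endpoints named in the docstrings and then re-check public DNS for plex.mydomain.com resolves to Cloudflare addresses rather than your own.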
You'll also see the dreaded red ! by Remote Access. IGNORE THIS. THIS IS NORMAL.