this post was submitted on 19 May 2025
22 points (86.7% liked)

Selfhosted

46685 readers
798 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
22
getting 522 error Cloudflaired + Jellyfin + fail2ban (startrek.website)
submitted 2 days ago by [email protected] to c/[email protected]
21 comments fedilink hide all child comments
 

So I'm trying to get Jellyfin accessible on the open web through a cloudflared tunnel

I have a default install of Jellyfin running that is still accessible locally.

I'm able to ping TV.myblogdomain.com

And the Cloudflared dashboard says the connection is up.

I have implemented page rules and caching rules to turn CDN off.

I have set the DNS server on the Jellyfin VM to be the Cloudflared DNS server.

It's pointed to https://jellyfin:8096/

And it wasn't working with or without a CIDR in the tunnel configuration.

Should I try uninstalling fail2ban and see if that helps? I thought I configured it right pointing it to the 8096 port but maybe I need to do 80/443?

Any tips or guides would be appreciated.

top 21 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 2 days ago (2 children)

I'm guessing the cloudflared daemon isn't connecting to jellyfin. You want to use http://. Also is jellyfin the hostname of the VM? Using localhost or 127.0.0.1 might be better ways to specify the same VM without relying on DNS for anything.

Personal opinion, but I wouldn't bother with fail2ban, it's a bit of effort to get it to work with cloudflare tunnel and easy to lock yourself out. Cloudflare's own zero trust feature would be more secure and only need fiddling around cloudflare's dashboard.

[–] [email protected] 2 points 2 days ago

Didn't work.

Gonna go to bed and kinda just hope this starts working and then try again after work when reality sets in.

[–] [email protected] 3 points 2 days ago (1 children)

The actual config uses

https://localhost:8096/

Not sure why I decided to "censor" it like that.

I'll try swapping it to http:// and removing f2b for now.

[–] [email protected] 1 points 2 days ago* (last edited 2 days ago)

You will want the actual IP address. Localhost can get lost in various circumstances. If Cloudflare tunnel service and Jellyfin are on the same virtual network it should be fine. But I wouldn't trust it.

But yes, your Cloudflare tunnel should only connect to http:// not https. It will serve https on the public side of things.

[–] [email protected] 10 points 2 days ago (1 children)

It should be noted that you’re not permitted to stream video through Cloudflare unless you use their CDN.

[–] [email protected] -1 points 2 days ago (3 children)

I believe this is incorrect. I can't find the forum post from Cloudflare but you cannot use the CDN to deliver video without paying for it, but you can use CF as a reverse proxy via Cloudflared to deliver video so long as you aren't on the CDN

They even have blog posts on using Cloudflared for hobby video streaming projects like a RPi pet cam. Unless it's assumed I have an enterprise account.

https://www.cloudflare.com/service-specific-terms-application-services/#content-delivery-network-terms

Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN. Cloudflare reserves the right to disable or limit your access to or use of the CDN, or to limit your End Users’ access to certain of your resources through the CDN, if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files. We will use reasonable efforts to provide you with notice of such action.

[–] [email protected] 1 points 2 days ago* (last edited 2 days ago)

but you can use CF as a reverse proxy via Cloudflared to deliver video so long as you aren't on the CDN

I think this is a common misinterpretation, but based on the limits of free tier CDN. It explains that in order to use the CDN for serving video, you have to use their back end for the video storage, but it doesn’t say that you can stream through their nodes all you want as long as you’re not using their CDN. People have been pressing them for clarification on this but they refuse to comment on it.

Currently the only method to fully adhere to their terms of service is to use their CDN and to do so via the methods laid out here:

Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN.

You are free to gamble on them not enforcing restrictions on your account however. I only bring this up because many of us have just opted to not use Cloudflare for this.

[–] [email protected] 4 points 2 days ago (1 children)

My understanding is that it's technically against their TOS but loosely enforced. They don't specify precise limits since they probably change over time and region. Once you get noticed, they'll block your traffic until you pay. Hence you can find people online that have been using it for years no problem, while other folks have been less lucky.

Basically their business strategy is to offer too-good-to-be-true free services that people start using and relying on, then charging once the bandwidth gets bigger.

It used to be worse, and all of cloudflare's services were technically limited to HTML files, but selectively enforced. They've since changed and clarified their policy a bit. As far as I've ever heard, they don't give a toss about the legality of your content, unless you're a neo Nazi.

[–] [email protected] 5 points 2 days ago (1 children)

unless you're a neo Nazi

I hate being torn between my hatred of tech monopolies and love of seeing Nazis get their shit rocked.

[–] [email protected] 4 points 2 days ago

Don't get too excited, it took a fucking long ass time for them to start pulling down neonazi content. For years I heard Patrick Grey (risky.biz) bitch about how Cloudflare refused to take down Nazi content they were hosting.

[–] [email protected] 1 points 2 days ago (1 children)

Sure if you only intend to stream your pets RPi webcam nothing to worry :) ! But don't even get into streaming illegal content you don't own !

I mean, your jellyfin instance is not going to be hooked to a Arr stack, is it?

[–] [email protected] 2 points 2 days ago (1 children)

I don't know what that is. So no.

And obvious it's all movies and TV shows I own that's just conveniently ripped for sharing with friends and family :)

[–] [email protected] 1 points 2 days ago

Yeah, than you have nothing to worry I guess? I'm not versed into all this legal shit whatsoever...

However if you intend to use the arrstack (sonarr, radarr...) to download and manage your own video library (netflix like), I'm not so sure they will agree on it.

[–] [email protected] 6 points 2 days ago (1 children)

https://jellyfin:8096/

Port 8096 is the default HTTP protocol port, and you're trying to access it via HTTPS. Do you have certificates installed and available for your jellyfin instance? If not, it's very likely Cloudflare won't route it correctly.

I'm not saying this is your specific issue, but it'll be the one after you fix this one at least. You may need to mess with the cloudflare "current encryption mode" to get this to work.

[–] [email protected] 2 points 2 days ago (2 children)

I'll try swapping it to http unless you think I should run nginx or something to certify it. I don't know if that will help.

[–] [email protected] 3 points 2 days ago (1 children)

I always advocate for HTTPS. I run a caddy proxy and sidestep cloudflare all-together.

[–] [email protected] 1 points 2 days ago (2 children)

I assume a Caddy set up would get me a URL? I might look into that.

[–] [email protected] 1 points 1 day ago

Correct. Mine is 'jelly.domain.com' which bidirectionally forwards traffic between my domain and my home server.

[–] [email protected] 1 points 2 days ago (1 children)

You don't need caddy if you're running cloudflare tunnels.

[–] [email protected] 1 points 1 day ago

Fair, but if I'm technically violating TOS and CF tunnels aren't working anyways, I might as well try it.

[–] [email protected] 2 points 2 days ago

I run caddy to handle https certs. Works great and it's incredibly easy to setup