Anyone with Plex Fronted by Cloudflare?

I wonder if I’m doing something wrong cause I keep getting these notices:


Cloudflare has deactivated your website from our network for a possible violation of our Terms of Service.

Your visitors will be routed directly to your origin server, where your website is hosted, and will not
receive any performance and security benefits from Cloudflare. Cloudflare’s Terms of Service are
available at Self-Serve Subscription Agreement.

If you have any questions, please email us at [email protected].

Thank you for using Cloudflare.

The Cloudflare Team


It gets auto reactivated usually but it is kind of annoying. It doesn’t push that much traffic per month (1 TB roughly) but I don’t know how against the rules that is.

1 Like

That’s because you’re proxying a bunch of videos/movies through CloudFlare.

Their system doesn’t really care if you’re only pushing like 50 GB/mo, but 1 TB is pretty stupid considering you’re (probably) on the free plan. Having said that, you’d need to upgrade to their ‘enterprise plan’ if you want to proxy anything more than a few pages and images.

2 Likes

Hmm, that’s interesting. I have my Plex server running behind Cloudflare and I’m pushing several TB a month just fine, but the difference is probably that 0% of that content is being served via Cloudflare’s cache. I’m assuming that there’s something wrong with your configuration somewhere.

Generally speaking, people push Plex over Cloudflare for improved peering and faster dashboard load times, so your media shouldn’t ever be cached with them, hence why I don’t believe they have an issue with it.

1 Like

From what I’ve heard from people that have worked at CloudFlare in the past, CloudFlare don’t really care too much about the bandwidth usage most of the time, if you’re actually using it for a website. I think using it for Plex would be against this part of the ToS:

2.8 Limitation on Non-HTML Caching

The Service is offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as a part of a Paid Service purchased by you, you agree to use the Service solely for the purpose of serving web pages as viewed through a web browser or other application and the Hypertext Markup Language (HTML) protocol or other equivalent technology. Use of the Service for the storage or caching of video (unless purchased separately as a Paid Service) or a disproportionate percentage of pictures, audio files, or other non-HTML content, is prohibited.

My guess is that pretty much all of the Plex stuff is “non-HTML content” and is not “web pages as viewed through a web browser”. However if @Wolveix is right and the videos aren’t proxied, then I would have thought they’d be okay with it.

As a side note, they do make exceptions for very popular sites… For example https://unpkg.com/ serves around 220 TB of data per month, but it’s all JavaScript files with no HTML pages, so technically it violates that part of the ToS.

1 Like

Exactly this. Make sure that you don’t have a page rule with the setting Cache Everything. This has been a slower month, but here are my stats anyway:

Well, no idea if they changed stuff, since a few people pushed 2PB on the free account.
I wonder now where they contact you.

I don’t have any rules, at all. Yet for some reason it seems to have cached something and that seemed to happen yesterday. The cached bandwidth is minimal though.

And all in all that’s the only thing that got cached this month:

I don’t know what it was, they don’t have a URL report I can check.

I guess I’ll just create an explicit “Cache nothing” rule for the entire domain and see what happens.

What’s the advantage of using Cloudflare if they don’t actually cache anything though? One of the main features of Cloudflare is that they cache content in PoPs near your users. Are you just using it for DDoS protection?

Since they still handle routing, users further away from the server still get seemingly better peering. Since I’m fairly close to the server, I can’t speak from experience, but a few of my users that live around the world reported better loading times etc.

Plus TCP and SSL termination closer to the end user = win.

Plex as it is can’t be cached without crazy hacks anyway, because it includes the device ID as part of the path to the content, so you would essentially only be caching content that the same person would rewatch, which is a minority of content.

2 Likes

Aren’t you just increasing the number of TLS terminations that are happening? My guess would be that this would have the completely opposite effect.

1 Like

A few Plex clients also handle media streams in an unusual way causing unstable connections. Cloudflare makes a huge difference in this case.

Usually, the middle mile (within the CDN’s network) and first mile (CDN to origin) are optimized, as they’re on the backbone of the internet and have their persistent connections and other TCP-related settings (congestion windows, buffers, etc.) tweaked, so the multiple terminations tend to not be an issue. Terminating once to a faraway origin is typically worse than terminating multiple times via a CDN due to these tweaks.

I re-checked and had 0 rules. I added one to bypass cache and enabled developer mode which bypasses all of their cache. Let’s see how long it lasts after reactivation.

You could always just email Cloudflare and ask them why they suspended it :stuck_out_tongue:

Do email the abuse email and ask. I never go over 30T but have not had any issues before, so I would be interested to know the reason they gave you for such little data.

Thanks, I will. 1 TB might sound like a lot but this is nothing for a CDN, as I know from experience that CDNs usually get charged on a 95/5 basis, and if certain bursts don’t cause even the slightest ding, 1 TB of traffic from a single customer that’s spread out evenly over the course of one month is essentially invisible in terms of billing agreements.

This is CF’s response. I don’t understand why I’d be flagged but other zones doing the same and pushing more traffic are not.


It appears that our network engineers have deactivated your site multiple times due to abusive behavior e.g. video streaming.

Per our Cloudflare Terms we do not allow video streaming over Cloudflare:

2.8 Limitation on Non-HTML Caching
The Service is offered primarily as a platform to cache and serve web pages and websites. Unless explicitly included as a part of a Paid Service purchased by you, you agree to use the Service solely for the purpose of serving web pages as viewed through a web browser or other application and the Hypertext Markup Language (HTML) protocol or other equivalent technology. Use of the Service for the storage or caching of video (unless purchased separately as a Paid Service) or a disproportionate percentage of pictures, audio files, or other non-HTML content, is prohibited.

On the site … , this has happened at least twice already so I would highly recommend looking into Cloudflare Stream if you need to push video over Cloudflare

1 Like

Could be a matter of time.

Out of interest, what does your Nginx vhost look like? It should somewhat resemble this:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

#Upstream to Plex
upstream plex_backend {
    server 127.0.0.1:32400;
    keepalive 32;
}

server {
	listen 80;
	#Enabling http2 can cause some issues with some devices
	listen 443 ssl http2; #http2 can provide a substantial improvement for streaming: https://blog.cloudflare.com/introducing-http2/
	server_name plex.yourdomain.tld;

	send_timeout 100m; #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome)

	resolver 1.1.1.1 1.0.0.1 valid=300s;
	resolver_timeout 10s;

	ssl_certificate /etc/letsencrypt/live/plex.yourdomain.tld/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/plex.yourdomain.tld/privkey.pem;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	#Intentionally not hardened for security, for player support; encrypting video streams has a lot of overhead with something like AES-256-GCM-SHA384.
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/plex.yourdomain.tld/chain.pem;

	#Reuse ssl sessions, avoids unnecessary handshakes. Turning this on will increase performance, but at the cost of security.
	ssl_session_tickets off;

	#Use: openssl dhparam -out dhparam.pem 2048 - 4096 is better but for overhead reasons 2048 is enough for Plex.
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ecdh_curve secp384r1;

	gzip on;
	gzip_vary on;
	gzip_min_length 1000;
	gzip_proxied any;
	gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
	gzip_disable "MSIE [1-6]\.";

	#Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
	#Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
	client_max_body_size 100M;

	#Forward real ip and host to Plex
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";

	#Buffering off: send to the client as soon as the data is received from Plex.
	proxy_redirect off;
	proxy_buffering off;

	location / {
		#Example of using sub_filter to alter what Plex displays, this disables Plex News.
		#sub_filter ',news,' ',';
		#sub_filter_once on;
		#sub_filter_types text/xml;
		proxy_pass http://plex_backend;
	}
}
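
An added example, not part of the original post: with Cloudflare in front, `$remote_addr` in the vhost above is a Cloudflare edge address, so `X-Real-IP` and the access log record the edge rather than the viewer. The fragment below restores the client address, rejects requests that did not arrive through Cloudflare, and tightens the origin's TLS protocols. It assumes the hostname is proxied by Cloudflare, that no client connects to this vhost directly, and that nginx is built with the realip module; the ranges shown are a subset and must be replaced with the complete list Cloudflare publishes.

```nginx
# --- http {} context ---------------------------------------------------

# Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge.
# Subset of ranges for illustration; take the complete, current list from
# https://www.cloudflare.com/ips/ and keep it updated.
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 2400:cb00::/32;
real_ip_header   CF-Connecting-IP;

# realip rewrites $remote_addr, so allow/deny would now test the viewer's
# address. $realip_remote_addr (nginx 1.9.7+) still holds the original
# TCP peer, which is what must be a Cloudflare address.
geo $realip_remote_addr $from_cloudflare {
    default           0;
    173.245.48.0/20   1;
    103.21.244.0/22   1;
    141.101.64.0/18   1;
    2400:cb00::/32    1;
}

# --- inside the existing server {} block ------------------------------

# Refuse anything that reached the origin without passing the edge.
if ($from_cloudflare = 0) {
    return 403;
}

# Players negotiate TLS with the Cloudflare edge, not with this server,
# so the legacy protocols kept for player support are not needed on the
# edge-to-origin leg. This replaces the ssl_protocols line in the vhost.
# TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1 or later.
ssl_protocols TLSv1.2 TLSv1.3;

# The existing header now carries the viewer's address, because realip
# has already replaced $remote_addr by the time it is evaluated.
proxy_set_header X-Real-IP $remote_addr;
```

A host firewall rule limiting ports 80 and 443 to the same ranges gives the same origin lock before nginx is involved, and both range lists in the fragment have to be kept identical.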