Cloudflare is a leading provider of reverse proxying and CDN services for the web. Their free tier offers huge benefits in performance and protection that you can take advantage of while using MediaCP, with a few important limitations. This document details how to use Cloudflare with the Media Control Panel.
Benefits
Performance
Cloudflare CDN provides a global network of servers, load balancing, optimized network routing, minification, browser caching, image optimization, and more. This can reduce your bandwidth costs thanks to caching and CDN usage, and increase availability by better handling traffic surges.
Security/Protection
Cloudflare also provides Distributed Denial of Service (DDoS) protection, rate limiting and their Web Application Firewall (WAF), which protects the panel against attacks such as cross-site scripting or SQL injection.
Limitations
Ports
By default, Cloudflare only supports standard web ports, which do not cover all of the ports required by the Media Control Panel. Because of this, important ports such as 2020, and the streaming links for audio and video services on ports such as 8000-9000 and 6800-7000, will be inaccessible. To work around this, the panel, widgets, public pages and links can be moved to compatible 80/443 proxy links, but DJs and broadcasters will need to stream using your server IP instead of the panel domain.
Radio Caching
Cloudflare does not allow you to serve your web radio content via their cached CDN, as the content is a streaming audio file that isn’t cacheable via their traditional services.
Enabling Cloudflare with MediaCP
1. Enable Cloudflare
You can enable Cloudflare from the Cloudflare control panel the same way you would with any website. Once completed, there should be a little orange cloud next to your MediaCP server's domain, which indicates that protection is enabled.
Once you’ve enabled Cloudflare support for your domain from the Cloudflare control panel, you need to enable the port 80/443 HTTP Proxy and swap your panel URL over.
2. Enable 80/443 HTTPS Proxy
One major limitation imposed by Cloudflare is that they do not forward incoming connections to your server that don’t come from the traditional web ports (such as the ones outlined above). By default, MediaCP serves radio stations on their own ports from 8000 to 9000, and video services through port 1935/1936, 19350/19360 or through proxy links on port 2020. This means your listeners wouldn’t normally be able to connect on these ports.
To work around this, you can use the port 80/443 proxy feature to move all proxy links, public pages and widgets over to compatible 80/443 ports. We have a full guide and explanation of this feature in our Admin Server Manual, but for most customers you can follow the default configuration:
- Connect to your server via SSH as root
- Run the http proxy command:
/root/init enable-http-proxy
3. Move Panel to Use Proxy
The default panel port 2020 is not supported by Cloudflare, so in order for your panel to still be accessible through Cloudflare, you will need to move the panel to port 80. Once you have enabled the proxy, this should be as simple as updating the MediaCP Full URL and ensuring that the panel is set to prefer proxy links.
1. Select Administration -> System Config on the side menu bar
2. Remove :2020 from the MediaCP Full URL field
3. Select Administration -> System Config on the side menu bar
4. Select the Services tab
5. Set the Preferred Connection option to "Prefer Proxy"
6. Select Save Configuration
Important Notes
Do Not Cache Radio Content
Cloudflare does not allow you to stream radio streams, as the content is a streaming audio file that isn’t cacheable via their standard service. You can disable caching for radio content by using the Page Rules feature. To create a new Page Rule:
- Visit the Cloudflare control panel, then Rules, then Page Rules.
- Click Create Page Rule.
- Enter the URL of your Media Control Panel, followed by /stream/*, e.g. panel.domain.com/stream/*
- Pick the Cache Level setting, set it to Bypass.
- Click Save and Deploy Page Rule at the bottom of the page.
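One way to confirm the rule is in effect, as an added example that is not part of the MediaCP or Cloudflare documentation: the shell functions below read response headers and report whether the request passed through Cloudflare and whether the cache was skipped for it. The <mount> placeholder and the sample responses are constructed for illustration; cf-ray and cf-cache-status are the headers Cloudflare adds to proxied responses.

```shell
#!/bin/sh
# Added example: classify a /stream/ response by its Cloudflare headers.
# Live use (<mount> is a placeholder for one of your stream paths):
#   curl -s -o /dev/null -D - --max-time 5 https://panel.domain.com/stream/<mount> | cache_verdict

# Print the value of one response header (case-insensitive name) from stdin.
header_value() {
    tr -d '\r' | awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == want) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# Read response headers on stdin and print one verdict:
#   not-proxied     no cf-ray header, the request did not pass through Cloudflare
#   bypassed        proxied, cache skipped for this path (BYPASS or DYNAMIC)
#   cache-eligible  proxied and handled by the cache (HIT, MISS, EXPIRED, ...)
#   unknown         proxied, but no cf-cache-status header to judge by
cache_verdict() {
    headers=$(cat)
    ray=$(printf '%s\n' "$headers" | header_value cf-ray)
    cstatus=$(printf '%s\n' "$headers" | header_value cf-cache-status)
    if [ -z "$ray" ]; then echo not-proxied; return; fi
    case $(printf '%s' "$cstatus" | tr '[:lower:]' '[:upper:]') in
        BYPASS|DYNAMIC) echo bypassed ;;
        "") echo unknown ;;
        *) echo cache-eligible ;;
    esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_BYPASS='HTTP/2 200
content-type: audio/mpeg
cf-cache-status: BYPASS
cf-ray: 0000000000000000-XXX'
SAMPLE_CACHED='HTTP/2 200
CF-Cache-Status: MISS
CF-Ray: 0000000000000000-XXX'
SAMPLE_DIRECT='HTTP/1.1 200 OK
Content-Type: audio/mpeg'
for s in "$SAMPLE_BYPASS" "$SAMPLE_CACHED" "$SAMPLE_DIRECT"; do
    printf '%s\n' "$s" | cache_verdict
done
```

A not-proxied verdict on the panel domain means the orange cloud is not active for that record; cache-eligible on a /stream/ URL means the Page Rule pattern is not matching the request.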
About Incoming DJ Connections
Because Cloudflare blocks incoming connections that aren’t on the supported ports above, it will also block the incoming connections from your broadcasters/DJs trying to broadcast to their service. Unlike the panel and proxy links, the port 80/443 proxy does not carry the incoming broadcast. To work around this, your broadcasters/DJs will need to connect using your IP address rather than the panel domain.
Likewise with relays or anything else that uses unsupported ports you will need to use the server's IP address rather than the domain.
Enabling Cloudflare Proxy on Additional Ports / Spectrum
Cloudflare does support adding additional ports, but this requires setting up Spectrum and comes at a cost with their Enterprise plan. You can contact Cloudflare and read their documentation for more information on opening the panel ports: Spectrum applications / Support Request