¶ Notifiarr Client - Cloudflare Configuration
None of this is required or necessary. We recommend NOT exposing your
Notifiarr client to the Internet at all. In other words, don't do any of this. But you can if you want to access your local Notifiarr Client from the internet
Many users use Cloudflare's "Cloudflare Tunnel" feature or additional Cloudflare security features to provide / protect external access to their Notifiarr Client box. Specific configuration required for Cloudflare's various options are detailed below.
¶ Cloudflare Tunnel
This assumes that you already have a Cloudflare Tunnel set up on your system. If you want to get started with Cloudflare Tunnels follow this YouTube guide first: Cloudflare Tunnel: Creating Tunnels via GUI - Bypass CG-NAT
by IBRACORP
- Login to your Cloudflare teams account at dash.teams.Cloudflare.com
- Click Tunnels and then configure next to the Cloudflare Tunnel you would like to use
- In your Tunnel section click on Public Hostname and add a new hostname by clicking on Add a public hostname
- Fill in the public hostname information
Subdomain: Notifiarr (or whatever else you want it to be)Domain: choose one of your domainsService: HTTP + Your Local IP Address for Notifiarr
- Save Hostname
- Enter
notifiarr.YourDomain.cominto your Notifiarr Client Settings
That's it! The Notifiarr service will now connect to your local server via a Cloudflare Tunnel.
¶ WAF Rule
Free accounts can create 5 Firewall rules
- Login to your Cloudflare account and open the domain
- Click Security and then WAF
- In the WAF section add a new rule by clicking on Create Firewall Rule
- Fill in the rule information
Name: NotifiarrField: User AgentOperator: EqualsValue: NotifiarrAction: Skip (Cloudflare removed the "ALLOW" option and replaced it with Skip)
- Save the firewall changes
¶ Increased Security
This is optional
If you want to increase the security of your local server follow these steps to only allow the Notifiarr service access to your "notifiarr.yourdomain.com" subdomain. There are to steps to this.
¶ 1. Limit Access To All Subdomains
- Login to your Cloudflare teams account at https://dash.teams.Cloudflare.com/
- Click on Applications and then Add an application
- Select Self-hosted
- Fill in the Application Configuration information
Application Name: Whatever you want. I usually call this "Domain Catch All"Session Duration: Whatever you want. I usually choose "1 month" so I don't have to re-authorize very often.Subdomain: * (that will ensure that this application rule will apply to ALL subdomains on this domain)Domain: select your domain
- Turn on "Skip identity provider selection if only one is configured" at the bottom of the page and click next.
- Fill in the following Policy information
Policy Name: Whatever you want. I usually call this "Email"Rule Action: Select AllowConfiguration Rule Selector: select emailsConfiguration Rule Value: enter your personal email address
- Click next
- On the next page don't make any changes and click Add Application
Now when you're trying to access ANY of your Cloudflare Tunnel subdomains you first have to authorize yourself (via email, once a month) before you can access them:
This works very well for your services such as Radarr and Sonarr, for example. Obviously the Notifiarr service won't be able to verify itself via email so we need to make an exception for Notifiarr next.
¶ 2. Give Access To Notifiarr Service
- Login to your Cloudflare teams account at https://dash.teams.Cloudflare.com/
- Click on Applications and then Add an application
- Select Self-hosted
- Fill in the Application Configuration information
Application Name: Whatever you want. I usually call this "Domain Notifiarr Bypass"Session Duration: Whatever you want.Subdomain: notifiarrDomain: select your domain
- Turn on "Skip identity provider selection if only one is configured" at the bottom of the page and click next.
- Fill in the following Policy information
Policy Name: Whatever you want. I usually call this "Allow IP"Rule Action: Select BypassConfiguration Rule Selector: select IP rangesConfiguration Rule Value: First do:
ping origin-proxy.notifiarr.com
(Grab the result and use the response ip adress as the value)
- Click next
- On the next page don't make any changes and click Add Application
That's it! You now gave one specific IP address (Notifiarr service) permission to BYPASS the Cloudflare email authorization check. Only the Notifiarr service will have access to notifiarr.yourdomain.com. (You will still have access to it as well via email authorization).