Apache2 reverse proxy vhost configuration for Plex. Requires modules ssl, proxy, wstunnel.
This current configuration is based on at least Server Version 1.16.5.1488 and Web Version: 3.108.2.
This updated config file allows the playing of trailers and TV show theme music, whereas the previous one did not.
## Requirements
1. Apache version > 2.4
2. A bunch of mods enabled (proxy, ssl, proxy_wstunnel, http, dir, env, headers, proxy_balancer, proxy_http, rewrite)
3. The `Protocols h2 http/1.1` directive needs Apache 2.4.17 or higher (check with `apachectl -V`).
## Apache .conf file
```
DEFINE plex_url 127.0.0.1
DEFINE plex_port 32400
DEFINE public_url subdomain.plex.tv
DEFINE email admin@subdomain.plex.tv
ServerTokens Prod
SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
SSLSessionCacheTimeout 300
### If you have Google's Mod PageSpeed, disable it
#ModPagespeed Off
<VirtualHost *:80>
ServerName ${public_url}
DocumentRoot /var/www/offline
ServerAdmin ${email}
RewriteEngine on
RewriteCond %{SERVER_NAME} =${public_url}
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName ${public_url}
DocumentRoot /var/www/offline
ServerAdmin ${email}
ErrorLog ${APACHE_LOG_DIR}/${public_url}.error.log
CustomLog ${APACHE_LOG_DIR}/${public_url}.access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/${public_url}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${public_url}/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
### Offer HTTP/2 with HTTP/1.1 fallback (this directive alone does not reject HTTP/1.0 requests) ###
Protocols h2 http/1.1
#Options -Includes -ExecCGI
#LimitRequestBody 512000
#FileETag None
#TraceEnable off
Timeout 360
ProxyRequests Off
ProxyPreserveHost On
ProxyTimeout 600
ProxyReceiveBufferSize 4096
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
ServerSignature Off
SSLCompression Off
SSLUseStapling On
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
SSLSessionTickets Off
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000; preload"
Header always set X-Content-Type-Options nosniff
Header always set X-Robots-Tag none
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct 'unsafe-inline'; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; speaker 'self'; fullscreen 'self'; payment 'self'"
### Use next two for very secure connections ###
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Use next two for secure connections and supports more endpoints ###
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Actually proxy the traffic and really the only important part ###
ProxyPassMatch ^/.well-known !
ProxyPass / http://${plex_url}:${plex_port}/
ProxyPassReverse / http://${plex_url}:${plex_port}/
ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
LimitRequestBody 512000
FileETag None
TraceEnable off
#Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
Timeout 60
<Location /:/websockets/notifications>
ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications
ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications
</Location>
<Proxy *>
Require all granted
</Proxy>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
```
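An added example (not part of the gist): a Python audit that reads a vhost file in this style, expands the `Define` variables, and flags the Content-Security-Policy sources that weaken the policy, such as `'unsafe-inline'`, `'unsafe-eval'` and `worker-src *`. The sample config, the hardened policy and the issue labels are constructed for illustration.

```python
import re

# Constructed sample in the gist's style: Define variables, one commented-out
# CSP header (must be ignored) and one active CSP header.
SAMPLE_CONF = """\
DEFINE plex_url 127.0.0.1
DEFINE public_url subdomain.plex.tv
#Header always set Content-Security-Policy "default-src *"
Header always set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv; style-src 'self' ${plex_url} 'unsafe-inline'; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${public_url};"
"""

# Constructed counter-example; the hash value is a placeholder, not a real digest.
HARDENED_POLICY = ("default-src 'self'; script-src 'self' 'sha256-PLACEHOLDER'; "
                   "style-src 'self'; object-src 'none'; base-uri 'self'")

DEFINE_RE = re.compile(r"^\s*Define\s+(\S+)\s+(\S+)", re.IGNORECASE)
CSP_RE = re.compile(
    r'^\s*Header\s+(?:always\s+)?set\s+Content-Security-Policy\s+"([^"]*)"',
    re.IGNORECASE)
VAR_RE = re.compile(r"\$\{(\w+)\}")
PINNED = ("'sha256-", "'sha384-", "'sha512-", "'nonce-")


def active_policies(conf):
    """Return CSP strings from uncommented Header lines, with ${var} expanded."""
    defines, policies = {}, []
    for line in conf.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
            continue
        m = CSP_RE.match(line)  # lines starting with '#' never match
        if m:
            expand = lambda v: defines.get(v.group(1), v.group(0))
            policies.append(VAR_RE.sub(expand, m.group(1)))
    return policies


def parse_csp(policy):
    """Map directive name -> source list; a repeated directive is ignored."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_csp(policy):
    """Return (directive, issue) pairs for sources that weaken the policy."""
    d = parse_csp(policy)
    default = d.get("default-src", [])
    findings = []
    for name, sources in d.items():
        if "*" in sources:
            findings.append((name, "wildcard"))
    for name in ("script-src", "style-src"):
        sources = d.get(name, default)
        # Browsers ignore 'unsafe-inline' once a hash or nonce is listed.
        pinned = any(s.startswith(PINNED) for s in sources)
        if "'unsafe-inline'" in sources and not pinned:
            findings.append((name, "unsafe-inline"))
    if "'unsafe-eval'" in d.get("script-src", default):
        findings.append(("script-src", "unsafe-eval"))
    # object-src falls back to default-src; base-uri has no fallback at all.
    if d.get("object-src", default) != ["'none'"]:
        findings.append(("object-src", "not-none"))
    if "base-uri" not in d:
        findings.append(("base-uri", "missing"))
    return findings


if __name__ == "__main__":
    for policy in active_policies(SAMPLE_CONF):
        for directive, issue in audit_csp(policy):
            print(f"{directive}: {issue}")
```
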

@mcallan83 mcallan83 commented Dec 31, 2015

Awesome! Does anyone know of a way to do this with nginx?


@matteos1 matteos1 commented Jan 22, 2016

what is the complete procedure?

Owner Author

@hazcod hazcod commented Feb 25, 2016

@matteos1: (more or less) `sudo apt-get install apache2 && a2enmod proxy ssl proxy_wstunnel && nano /etc/apache2/sites-enabled/default.conf`, supposing you're running Debian/Ubuntu/Mint/..


@MacPower MacPower commented Apr 4, 2016

Hi ! Thanks for sharing !
But, I have this little error when I reload my apache server "Invalid ProxyPass|ProxyPassMatch parameter. Parameter must be in the form 'key=value'"
Do you have any idea how to resolve this error ?

Thanks


@BeVeR86 BeVeR86 commented Apr 5, 2016

Hi, I have the same problem as MacPower.
I will be looking into it but any help would be appreciated.

-Bever


@Madseason41 Madseason41 commented Apr 13, 2016

+1 Line 36 "Invalid ProxyPass|ProxyPassMatch parameter. Parameter must be in the form 'key=value'"

I never had any success.


@simkin simkin commented Apr 20, 2016

@Madseason41 @MacPower @BeVeR86 : Remove the comments "#plex here is resolved to my plex container"


@samux90 samux90 commented Apr 24, 2016

Hi, the configuration works as expected, thank you!

I have a question: this configuration redirects all the HTTPS traffic to port 32400, but I would like to redirect only a part, like www.mydomain/plex, to 32400. How would I change the Rewrite rules?
Thanks for your work!


@br2490 br2490 commented Apr 25, 2016

Great work dude! Thank you 👍


@beardsleym beardsleym commented Apr 29, 2016

I struggled with this, I got the SSL redirect to work with certificates obtained from Letsencrypt (just changed cert locations) but couldn't get the domain to resolve to :32400/web. I'm not really sure where my plex container is either. I have since stumbled on another way of doing this

Or you could simply log into your registrar's DNS editor and forward "plex.example.com" to "https://app.plex.tv/web/app".


@MacPower MacPower commented May 7, 2016

@simkin

Thank you so much! I didn't think about removing the comments, and definitively never gonna do it! That was the issue.

Is this a bug or something like this ? Does apache normally have to ignore it ?


@psychosquirrel85 psychosquirrel85 commented May 28, 2016

Thank you for this. It is working well, however I have a question on how to get the Plex apps like Android Xbox and TVs to use this. I have set up the custom URL in Plex to point to https://plex.example.com:443 and I'm not using remote access within Plex. When I try from these Plex apps though, it mentions that my server can't be found. My web server and Plex server are on two different AWS cloud instances in the same subnet. The URL works great from a web browser, just the apps don't work. Any suggestions?


@bgstack15 bgstack15 commented Sep 7, 2016

Excellent! Thanks; my attempt to write a reverse proxy just started a loop where it kept looking in a /web/ directory. /web/web/web/web ad nauseam.


@lordfiSh lordfiSh commented Sep 27, 2016

Hmm not working for me.
The Web interface is reachable, but if I block tcp/32400 in my firewall it says Direct Connection unavailable

Can someone help squeeze pyplex in this config? http://localhost:8181 on /pyplex


@ghost ghost commented Nov 15, 2016

> Hmm not working for me.
> The Web interface is reachable, but if I block tcp/32400 in my firewall it says Direct Connection unavailable

I, too, have this issue. You'd think the 'custom server access urls' being set to your custom domain (https://plex.example.com:443) would solve that, but it doesn't. I would prefer that Plex doesn't require a port forward on my router, and everything is handled via the reverse proxy, but that doesn't appear to be the case.

Accessing my custom domain shouldn't have to route any traffic through Plex's servers, but with the port forward disabled it uses their 'Relay' system for Plex Web. My Android app appears to be able to make a direct connection, however, which is kind of odd to me.

Edit: If I click the 'disable remote access' button in my server settings, the Android app continues to work properly but Plex Web fails to connect to the server at all, even when I am local (but using my custom domain name). It appears as though for Plex Web to work, you MUST have the plex port forward in place AND have enabled remote connections.


@petwri petwri commented Feb 2, 2017

@bmupton Did you figure out any way to get both the Android app and Plex Web to work using this proxy setup?


@tijder tijder commented Mar 10, 2017

@bmupton remove those rewrite rules at the end and the web interface will work.


@petwri petwri commented Mar 14, 2017

@tijder @bmupton What rules do you need to remove? Removing everything from line 52 to line 56 doesn't fix the problem for me.

Edit: ok, for whatever reason the android app now started to work, but the web app is still not functioning properly. I get to the login screen, but then it keeps searching and tells me that the server is unavailable.


@Rhainland Rhainland commented Apr 16, 2017

@hazcod - Having some issues with websockets doing 401, any hints?


@snorre-k snorre-k commented May 21, 2017

@Rhainland: you could try this:

    RequestHeader edit Origin ^(.+)://.*$ $1://localhost/

If you have problems with access without authentication, you can also add:

    RequestHeader edit referer ^(.+)://.+/(.*)$ $1://localhost/$2


@tguless tguless commented Oct 8, 2017

Seeing this error 400 in my logs when I test the remote access with the opened port.
54.194.240.140 - - [08/Oct/2017:07:39:12 -0400] "\x16\x03\x01\x02" 400 0 "-" "-"


@toekneelin toekneelin commented Jan 21, 2018

Has anyone gotten this to work to bypass the Plex Authentication? The reverse proxy functionality seems to be working, but then I get redirected to https://app.plex.tv/auth/ requesting to login.


@dohlin dohlin commented Jul 17, 2018

@toekneelin I'm trying to do the exact same thing, and seem to be so close but am having the exact same issue. The only way I've been able to find to make it work is by removing:

    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/web
    RewriteCond %{HTTP:X-Plex-Device} ^$
    RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
    RewriteRule ^/$ /web/$1 [R,L]

And appending /web to the base url when typing it in a browser. @hazcod any idea what might be causing this and how it could be prevented? Thanks!


@Thadah Thadah commented Dec 24, 2018

I was having problems connecting due to "unable to connect to servername securely"

I added these lines to the Rewrite:

    RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
    RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=

And was able to connect with no issues


@iamdoubz iamdoubz commented Apr 17, 2019

Stringing together all the comments and my own personal researching, here is an unnecessarily long (but thorough) apache2 conf for my plex server. You will need to be using Apache2 >= 2.4.11 to use this and several mods (proxy, ssl, proxy_wstunnel, http, dir, env, headers, proxy_balancer, proxy_http, rewrite I think is all of them):

<IfModule mod_ssl.c>
	DEFINE plex_url 192.168.1.22
	DEFINE plex_port 32400
	DEFINE serv_name plex.domain.com
	ServerTokens Prod
	SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
	SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
	SSLSessionCacheTimeout 300
	ModPagespeed Off
<VirtualHost *:80>
	ServerName ${serv_name}
	DocumentRoot /var/www/html
	ServerAdmin aw@hell.no
	RewriteEngine On
	RewriteCond %{SERVER_NAME} =${serv_name}
	RewriteCond %{HTTPS} Off
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
	ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
	CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
</VirtualHost>
<VirtualHost *:443>
	ServerName ${serv_name}
	DocumentRoot /var/www/html
	ServerAdmin aw@hell.no
	ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
	CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
### Let's Encrypt Section ###
	SSLCertificateFile /etc/letsencrypt/live/${serv_name}/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/${serv_name}/privkey.pem
	#Include /etc/letsencrypt/options-ssl-apache.conf
	Options -Includes -ExecCGI
### Deny http1.0 requests ###
	RewriteEngine On
	RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
	#RewriteCond %{REQUEST_URI} !^/404/$
	RewriteRule ^ - [F]
### Harden Security ###
	ProxyRequests Off
	ProxyPreserveHost On
	ProxyTimeout 600
	ProxyReceiveBufferSize 4096
	SSLProxyEngine On
	RequestHeader set Front-End-Https "On"
	ServerSignature Off
	SSLCompression Off
	SSLUseStapling On
	SSLStaplingResponderTimeout 5
	SSLStaplingReturnResponderErrors Off
	SSLSessionTickets Off
	RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
	Header always set Strict-Transport-Security "max-age=15552000; preload"
	Header always set X-Content-Type-Options nosniff
	Header always set X-Robots-Tag none
	Header always set X-XSS-Protection "1; mode=block"
	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set Referrer-Policy "same-origin"
	Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none';"
	Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${serv_name}; media-src 'self' blob: ${plex_url} ${serv_name}; script-src 'self' 'unsafe-inline' ${plex_url} ${serv_name} plex.tv www.gstatic.com; style-src 'self' ${plex_url} ${serv_name}; img-src 'self' data: blob: ${plex_url} ${serv_name} plex.tv *.plex.tv; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${serv_name} plex.tv *.plex.direct *.plex.tv;"
	SSLCipherSuite ECDHE+RSA+AES256+GCM+SHA512:DHE+RSA+AES256+GCM+SHA512:ECDHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES256+SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
	SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	SSLHonorCipherOrder On
### Plex Specific Section ###
	ProxyPass / http://${plex_url}:${plex_port}/
	ProxyPassReverse / http://${plex_url}:${plex_port}/
	ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
	ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
	ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
	ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
	LimitRequestBody 512000
	FileETag None
	TraceEnable off
	#Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
	Timeout 60
	<Location /:/websockets/notifications>
		ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications
		ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications
	</Location>
	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>
	RewriteEngine on
	RewriteCond %{REQUEST_URI} !^/web
	RewriteCond %{HTTP:X-Plex-Device} ^$
	RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
	RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
	RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
	RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
</IfModule>

@delize delize commented Apr 24, 2019

@iamdoubz

Your file unfortunately does not work for me on the backside I receive this error:

[Tue Apr 23 22:35:26.051228 2019] [proxy_http:error] [pid 8219] (20014)Internal error (specific information not available): [client 192.168.2.1:57198] AH01102: error reading status line from remote server 192.168.2.8:32400, referer: https://plex.domain.org/web/index.html
[Tue Apr 23 22:35:26.055725 2019] [proxy_http:error] [pid 8366] (20014)Internal error (specific information not available): [client 192.168.2.1:57199] AH01102: error reading status line from remote server 192.168.2.8:32400, referer: https://plex.domain.org/web/index.html
[Tue Apr 23 22:35:26.055738 2019] [proxy:error] [pid 8366] [client 192.168.2.1:57199] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://plex.domain.org/web/index.html
[Tue Apr 23 22:35:26.928378 2019] [proxy_http:error] [pid 8366] (20014)Internal error (specific information not available): [client 192.168.2.1:57199] AH01102: error reading status line from remote server 192.168.2.8:32400
[Tue Apr 23 22:35:26.942854 2019] [proxy_http:error] [pid 8222] (20014)Internal error (specific information not available): [client 192.168.2.1:57200] AH01102: error reading status line from remote server 192.168.2.8:32400
[Tue Apr 23 22:35:26.942888 2019] [proxy:error] [pid 8222] [client 192.168.2.1:57200] AH00898: Error reading from remote server returned by /web/index.html
[Tue Apr 23 22:35:27.066420 2019] [proxy_http:error] [pid 8222] (20014)Internal error (specific information not available): [client 192.168.2.1:57200] AH01102: error reading status line from remote server 192.168.2.8:32400, referer: https://plex.domain.org/web/index.html
[Tue Apr 23 22:35:27.078847 2019] [proxy_http:error] [pid 8217] (20014)Internal error (specific information not available): [client 192.168.2.1:57202] AH01102: error reading status line from remote server 192.168.2.8:32400, referer: https://plex.domain.org/web/index.html
[Tue Apr 23 22:35:27.078883 2019] [proxy:error] [pid 8217] [client 192.168.2.1:57202] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://plex.domain.org/web/index.html


Has anything changed in your configuration in the past week? Any updates?


@iamdoubz iamdoubz commented May 9, 2019

So I am on server version 1.15.5.994. And everything appears to still be working for me. I would diagnose by doing a few things...

  1. Make sure that you can actually get to 192.168.2.8:32400/web and that information shows up
  2. Comment out all "unnecessary" bulk from my config like all the "Header always set" items
  3. Possibly remove and/or comment out line "ModPagespeed Off" (unless you have the Google Apache2 mod_pagespeed installed)

Additional note, I forgot to add to the Content-Security-Policy in the media-src after 'self', blob:, which enables trailers now.

Let me know if this helps.


@iamdoubz iamdoubz commented Aug 16, 2019

I need to update my above Plex configuration. This current configuration is based on Server Version 1.16.5.1488 and Web Version: 3.108.2. This updated config file allows the playing of trailers and TV show theme music, whereas the previous one did not.

Requirements

  1. Apache version > 2.4
  2. A bunch of mods enabled (proxy, ssl, proxy_wstunnel, http, dir, env, headers, proxy_balancer, proxy_http, rewrite I think is all of them)
  3. Protocols h2 http/1.1 needs apachectl -V 2.4.17 and higher...

Apache .conf file

    DEFINE plex_url 127.0.0.1
    DEFINE plex_port 32400
    DEFINE public_url subdomain.plex.tv
    DEFINE email admin@subdomain.plex.tv
    ServerTokens Prod
    SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
    SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
### If you have Google's Mod PageSpeed, disable it
    #ModPagespeed Off
<VirtualHost *:80>
    ServerName ${public_url}
    DocumentRoot /var/www/offline
    ServerAdmin ${email}
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =${public_url}
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName ${public_url}
    DocumentRoot /var/www/offline
    ServerAdmin ${email}
    ErrorLog ${APACHE_LOG_DIR}/${public_url}.error.log
    CustomLog ${APACHE_LOG_DIR}/${public_url}.access.log combined
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/${public_url}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${public_url}/privkey.pem
    #Include /etc/letsencrypt/options-ssl-apache.conf
### Forbid the http1.0 protocol ###
    Protocols h2 http/1.1
    #Options -Includes -ExecCGI
    #LimitRequestBody 512000
    #FileETag None
    #TraceEnable off
    Timeout 360
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyTimeout 600
    ProxyReceiveBufferSize 4096
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    ServerSignature Off
    SSLCompression Off
    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off
    SSLSessionTickets Off
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
    Header always set Strict-Transport-Security "max-age=15552000; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Robots-Tag none
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
 ## If you want to be safer, remove the 'unsafe-inline' 'unsafe-eval' from above and use Chrome to get the sha-256 sums and input below (below was for Server version: 1.16.5.1488; Web version: 3.108.2)
	#Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'sha256-8yKKbip2qr14RHV8H1qDEbRAm9Mmf5ePeQh+wB5pMCw=' 'sha256-pKO/nNgeauDINvYfxdygP3mGssdVQRpRNxaF7uPRoGM=' 'sha256-mrLkgfrqAhdxc2TvIODT0I7QtvuQLMS9AgtfLL9eMXo=' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
    Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; speaker 'self'; fullscreen 'self'; payment 'self'"
### Use next two for very secure connections ###
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Use next two for secure connections and supports more endpoints ###
    #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
### Actually proxy the traffic and really the only important part ###
	ProxyPass / http://${plex_url}:${plex_port}/
	ProxyPassReverse / http://${plex_url}:${plex_port}/
	ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
	ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
	ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
	ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
	LimitRequestBody 512000
	FileETag None
	TraceEnable off
	#Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
	Timeout 60
	<Location /:/websockets/notifications>
		ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications
		ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications
	</Location>
	<Proxy *>
		Order deny,allow
		Allow from all
	</Proxy>
	RewriteEngine on
	RewriteCond %{REQUEST_URI} !^/web
	RewriteCond %{HTTP:X-Plex-Device} ^$
	RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
	RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
	RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
	RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
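
The `sha256-` sources in the commented-out Content-Security-Policy above can also be produced without a browser. As an added example (not part of the original comment or the gist), this Python script extracts each inline `<script>` from a saved copy of a page and computes its CSP hash source; the sample HTML is constructed and the function names are illustrative.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page: one external script (needs no hash) and two inline
# scripts that differ only in whitespace.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/web/js/main.js"></script>
<script>window.appConfig = {"a": 1};</script>
<script>
  window.appConfig = {"a": 1};
</script>
</head><body></body></html>
"""


class _InlineScripts(HTMLParser):
    """Collect the text of <script> elements that have no src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # text chunks while inside an inline script

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._buf = []

    def handle_data(self, data):
        # Script content is delivered raw (no entity decoding), possibly in chunks.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf))
            self._buf = None


def inline_scripts(html):
    """Return the exact text of every non-empty inline script, in page order."""
    parser = _InlineScripts()
    parser.feed(html)
    parser.close()
    return [s for s in parser.scripts if s.strip()]


def csp_hash(script_text, algo="sha256"):
    """CSP hash source: base64 of the digest of the UTF-8 script text, quoted."""
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def script_src_directive(html, extra_sources=()):
    """Build a script-src directive with one hash per distinct inline script."""
    hashes = list(dict.fromkeys(csp_hash(s) for s in inline_scripts(html)))
    return " ".join(["script-src", "'self'", *hashes, *extra_sources])


if __name__ == "__main__":
    print(script_src_directive(SAMPLE_HTML, ["plex.tv", "*.plex.tv"]))
```

Hashes cover the exact script text, whitespace included, so they have to be regenerated when a Plex Web update changes an inline script.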
Owner Author

@hazcod hazcod commented Aug 18, 2019

@iamdoubz thanks for your new config, I modified the gist.


@toekneelin toekneelin commented Nov 14, 2019

This updated configuration still does not allow you to bypass the Plex Authentication that requires a sign-in. Has anyone gotten this to work to bypass the Plex Authentication? The reverse proxy functionality seems to be working, but then I get redirected to https://app.plex.tv/auth/ requesting to login.


@jamesmacwhite jamesmacwhite commented Jan 1, 2020

Thanks for the updated reverse proxy config. FYI for others. I ran this on CentOS 7 Apache 2.4.6 (I know it's lower than the recommended). Two incompatibilities are:

  • Protocols directive (doesn't exist, Apache will throw a syntax/config error)
  • Having SSLSessionTickets set to "Off" caused SSL_PROTOCOL_ERROR in Chrome and similar SSL errors in other browsers. Interestingly, curl worked fine.

Other than that, the config works fine.


@iamdoubz iamdoubz commented Jan 3, 2020

Updated code for Content Security Policy for Server version: 1.18.4.2171; Web version: 4.12.3

    #Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
    Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'sha256-nUnhwEm5UMap/qFerb+ou1VJWqowlB1QcbhbmFX7Eu4=' 'sha256-8yKKbip2qr14RHV8H1qDEbRAm9Mmf5ePeQh+wB5pMCw=' 'sha256-pKO/nNgeauDINvYfxdygP3mGssdVQRpRNxaF7uPRoGM=' 'sha256-mrLkgfrqAhdxc2TvIODT0I7QtvuQLMS9AgtfLL9eMXo=' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"

> Thanks for the updated reverse proxy config. FYI for others. I ran this on CentOS 7 Apache 2.4.6 (I know it's lower than the recommended). Two incompatibilities are:
>
>   • Protocols directive (doesn't exist, Apache will throw a syntax/config error)
>   • Having SSLSessionTickets set to "Off" caused SSL_PROTOCOL_ERROR in Chrome and similar SSL errors in other browsers. Interestingly, curl worked fine.
>
> Other than that, the config works fine.

The Protocols was added in version 2.4.17.
The SSLSessionTickets was added in version 2.4.11.

You should really think about updating! (However, don't go past 2.4.38... I ran into a bunch of TLS1.3 errors that made most of my websites stop loading :/)

> This updated configuration still does not allow you to bypass the Plex Authentication that requires a sign-in. Has anyone gotten this to work to bypass the Plex Authentication? The reverse proxy functionality seems to be working, but then I get redirected to https://app.plex.tv/auth/ requesting to login.

True. This does not bypass that. I did figure it out once... Basically, you don't forward anything to the server (basically anyone that navigates to your plex website is treated as a localhost person), and then there is a setting to disable authentication for local users in Settings, Network, Advanced.



@jamesmacwhite jamesmacwhite commented Jan 4, 2020

Thanks for the info! I'm on CentOS 7 and using the EPEL repo. 2.4.6 is the latest available. CentOS does backport, so the version number doesn't always mean it's as old, but it doesn't have support for those areas. It's one to watch out for, as SSL tickets doesn't throw an error and will still allow httpd to start; you'll find SSL is broken though.


@jamesmacwhite jamesmacwhite commented Jan 4, 2020

You may also want to consider adding this to the config:

    ProxyPassMatch ^/.well-known !

If you use Let's Encrypt SSL certs and the HTTP challenge method for verification, it is likely to be swallowed by Plex itself; this will bypass the /web part and ensure the request hits the VirtualHost DocumentRoot set instead.

Owner Author

@hazcod hazcod commented Jan 5, 2020

@oucil oucil commented Mar 19, 2020

@iamdoubz @hazcod Appreciate the work you guys have done keeping this up to date! Noticed something I thought I'd point out. I'm not sure how this is working for you in 2.4 unless you're using mod_access_compat (which isn't one of your listed requirements)...

```
<Proxy *>
	Order deny,allow
	Allow from all
</Proxy>
```

The new directive should be...

```
<Proxy *>
  Require all granted
</Proxy>
```

... should it not?

@oucil oucil commented Mar 19, 2020

@iamdoubz

Updated code for Content Security Policy for Server version: 1.18.4.2171; Web version: 4.12.3

    #Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
    Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'sha256-nUnhwEm5UMap/qFerb+ou1VJWqowlB1QcbhbmFX7Eu4=' 'sha256-8yKKbip2qr14RHV8H1qDEbRAm9Mmf5ePeQh+wB5pMCw=' 'sha256-pKO/nNgeauDINvYfxdygP3mGssdVQRpRNxaF7uPRoGM=' 'sha256-mrLkgfrqAhdxc2TvIODT0I7QtvuQLMS9AgtfLL9eMXo=' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"

I'm using v1.18.8.2527 and the updated Content-Security-Policy you provided recently wasn't working, it froze during the request at the logo screen with an error logged in the console relating to the policy. Rolling back to the previous version (without the SHA hashes, and with the unsafe-*) allowed it to come up again.

Owner Author

@hazcod hazcod commented Mar 19, 2020

@oucil: thanks for the input, I've removed the CSP policy and replaced the proxy directive.

@oucil oucil commented Mar 19, 2020

@hazcod my pleasure. As a related aside, has anyone ever had any luck with a reverse proxy setup that can fool Plex entirely into thinking the requests are all from localhost, so that the "Claim Server" process can be run from a remote address? I've been trying all sorts of reverse proxy vhost setups to mimic the SSH Tunnel approach to claiming a remote server, but nothing works. Somehow it can always figure out that the request via the proxy isn't local. Any ideas?

@iamdoubz iamdoubz commented Mar 24, 2020

> @iamdoubz @hazcod Appreciate the work you guys have done keeping this up to date! Noticed something I thought I'd point out. I'm not sure how this is working for you in 2.4 unless you're using mod_access_compat (which isn't one of your listed requirements)...
>
> ```
> <Proxy *>
> 	Order deny,allow
> 	Allow from all
> </Proxy>
> ```
>
> The new directive should be...
>
> ```
> <Proxy *>
>   Require all granted
> </Proxy>
> ```
>
> ... should it not?

Good catch.

@Steve8291 Steve8291 commented Dec 24, 2020

Thank you for the great work on this.
I'm trying to do something a bit different and was wondering if anyone had any thoughts on it. I wanted to run incoming traffic to plex through an apache proxy while allowing outgoing traffic to go out as usual. The reasoning was to be able to monitor IP addresses with the modsecurity application firewall in apache. So I don't actually have a different url that I'm proxying through apache. All incoming traffic to port 32400 hits my iptables rules and redirects. I think what is really messing things up is that I'm still trying to use SSL certs generated by the plex external servers (the way plex intends you to do it).
I've set up a nat PREROUTING firewall rule to redirect incoming traffic on the plex port 32400 to a different port 60000 that apache will listen on.

In Apache I've got a VirtualHost:

```
<VirtualHost _default_:60000>
	ProxyRequests Off
	ProxyPreserveHost On

	ProxyPass "/" "http://localhost:32400" connectiontimeout=5 timeout=30 keepalive=on
	ProxyPass "/:/" "ws://http://localhost:32400/" connectiontimeout=5 timeout=30 keepalive=on
	ProxyPass "/:/" "wss://http://localhost:32400/" connectiontimeout=5 timeout=30 keepalive=on
</VirtualHost>
```

Requests seem to be hitting the apache server but are met with a 400 status code and go no further. I'm getting requests that look like this in my apache access.log:
```
[Thu Dec 24 11:44:13 2020] 34.248.59.52 - "\x16\x03\x01\x02" 400 "-" "-" [-]
```
Which is plex trying to authenticate with the start of a TLS Handshake.
Anyone know what I need to do to allow those to pass through to plex?
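The log entry quoted in the comment above is what a TLS client looks like to a plain-HTTP listener. As an added example (not part of the gist or of any comment), this JavaScript scans access-log lines in that format and reports clients that sent a TLS handshake record and got a 400; the log lines and IP addresses are constructed samples.

```javascript
// Added example: flag access-log entries whose "request line" is really the
// start of a TLS record, i.e. a TLS client talking to a plain-HTTP listener.
// Apache writes non-printable request bytes as \xhh escapes in the log.

// Constructed sample lines in the log format quoted above (documentation IPs).
const SAMPLE_LOG = [
  '[Thu Dec 24 11:44:13 2020] 203.0.113.7 - "\\x16\\x03\\x01\\x02" 400 "-" "-" [-]',
  '[Thu Dec 24 11:44:15 2020] 203.0.113.8 - "GET /identity HTTP/1.1" 200 "-" "curl/7.68.0" [-]',
  '[Thu Dec 24 11:44:19 2020] 203.0.113.9 - "\\x16\\x03\\x03\\x00\\xa5" 400 "-" "-" [-]',
  '[Thu Dec 24 11:44:21 2020] 203.0.113.9 - "\\x05\\x01\\x00" 400 "-" "-" [-]',
];

// Turn the \xhh escapes back into raw byte values.
function decodeEscapes(field) {
  const bytes = [];
  for (let i = 0; i < field.length; i++) {
    const m = /^\\x([0-9a-fA-F]{2})/.exec(field.slice(i, i + 4));
    if (m) { bytes.push(parseInt(m[1], 16)); i += 3; }
    else bytes.push(field.charCodeAt(i) & 0xff);
  }
  return bytes;
}

// Return { client, status, tls, recordVersion } for one log line, or null.
function classifyLine(line) {
  const m = /^\[[^\]]*\] (\S+) \S+ "((?:[^"\\]|\\.)*)" (\d{3}) /.exec(line);
  if (!m) return null;
  const bytes = decodeEscapes(m[2]);
  // TLS record header: content type 0x16 (handshake), then major version 0x03.
  const tls = bytes.length >= 3 && bytes[0] === 0x16 && bytes[1] === 0x03;
  const recordVersion = tls ? `3.${bytes[2]}` : null;
  return { client: m[1], status: Number(m[3]), tls, recordVersion };
}

// Clients that sent TLS to the plaintext listener and were rejected with 400.
function tlsOnPlainPort(lines) {
  return lines.map(classifyLine)
    .filter((r) => r && r.tls && r.status === 400)
    .map((r) => r.client);
}

console.log(tlsOnPlainPort(SAMPLE_LOG));
```

A hit means the listener on that port speaks plain HTTP while the client expects TLS, so the request never reaches the proxy rules.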

@jamesmacwhite jamesmacwhite commented Dec 28, 2020

A few observations with the reverse proxy setup. Streaming works fine with latest stable Plex release, when browsing the reverse proxy URL the following errors are observed in console, they don't occur on the app.plex.tv URL, so assuming specific to reverse proxy.

  1. The CSP policy might need unsafe-inline adding to style-src
  2. wss://plex.example.com/:/websockets/notifications?X-Plex-Token=xxxxxxxxxxxxxxxxxxx' failed: Error during WebSocket handshake: Unexpected response code: 500 is thrown
  3. 401 Unauthorized error for this request: https://plex.example.com/media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.47.3&X-Plex-Client-Identifier=xxxxxxxxxxxxxxxxxxxxxxxxx&X-Plex-Platform=Chrome&X-Plex-Platform-Version=87.0&X-Plex-Sync-Version=2&X-Plex-Features=external-media%2Cindirect-media&X-Plex-Model=bundled&X-Plex-Device=Windows&X-Plex-Device-Name=Chrome&X-Plex-Device-Screen-Resolution=926x969%2C1920x1080&X-Plex-Language=en-GB
  4. 401 Unauthorized error for this request: https://plex.example.com/?X-Plex-Product=Plex%20Web&X-Plex-Version=4.47.3&X-Plex-Client-Identifier=xxxxxxxxxxxxxxxxxxxx&X-Plex-Platform=Chrome&X-Plex-Platform-Version=87.0&X-Plex-Sync-Version=2&X-Plex-Features=external-media%2Cindirect-media&X-Plex-Model=bundled&X-Plex-Device=Windows&X-Plex-Device-Name=Chrome&X-Plex-Device-Screen-Resolution=926x969%2C1920x1080&X-Plex-Language=en-GB
  5. You might want to set the Access-Control-Allow-Origin header so you don't get CORS errors, if you access via app.plex.tv and it calls your reverse proxy domain with Header set Access-Control-Allow-Origin '*'. You can't use "always set" as it will double up on the plex.direct URL, which app.plex.tv will complain about, alternatively for Apache 2.4 Header setifempty Access-Control-Allow-Origin "*" should work.

For the two 401 unauthorised requests, it looks like these are missing the X-Plex-Token parameter.

@felmey felmey commented Jan 11, 2021

Thanks for updating this. My reverse proxy was freezing at the plex splash screen until I imported this update.

Now, after the splash screen, I am getting a weird box outline in the upper left corner of the plex player when using this setup. It is mostly covered up eventually when the player top and sidebar appear. However, there is still a portion visible.

Based on jamesmacwhite's post above I accessed the plex server through app.plex.tv and there was no weird box. Nor is it present when I bypass the reverse proxy and just use the ip address http://192.168.x.x:32400/web ... It only displays when using my reverse proxy.

Any ideas on how I might get rid of it?
Screenshot from 2021-01-11 10-47-40

@jamesmacwhite jamesmacwhite commented Jan 11, 2021

@felmey I've seen the white box as well, but it's since gone away. I hadn't realised I've accidentally fixed this until your post. It is due to the CSP policy. You need to add unsafe-inline to the style-src of the current CSP policy provided by this config. In my previous post, I was analysing some of the errors in console under the reverse proxy compared to app.plex.tv and I hadn't realised the white box and the CSP policy were connected until you pointed it out.

@felmey felmey commented Jan 12, 2021

> You need to add unsafe-inline to the style-src of the current CSP policy provided by this config.

@jamesmacwhite Thanks! That worked 100%. The box is gone after making that addition.

Owner Author

@hazcod hazcod commented Jan 12, 2021

I've adapted the gist to include style-src: unsafe-inline.

@W3AXL W3AXL commented Feb 6, 2021

Is there a current guide for the proper way to generate Letsencrypt certs for the server? This and most other guides assume you already have your certificates generated and ready to use, and I haven't been able to find anything that mentions the process for generating these certs in the first place.

Obviously the usual certbot approach doesn't work for a custom setup like this, which is why I'm confused.

Update: Success! To use certbot, I set up my virtualhost to simply point to a directory where certbot could write its verification files. Once I had the certificates generated, I used the above virtualhost config and everything seems to be working properly.

One final question - how will renewal work with certbot? Doesn't it need to perform another http verification when renewing the certificates?

@jamesmacwhite jamesmacwhite commented Feb 6, 2021

@W3AXL

Certbot should automatically have installed a cronjob to regularly check for when the certificate needs to be renewed. This VirtualHost template actually handles being able to perform HTTP verification by bypassing the typical .well-known path, to avoid the request being sent to your Plex server; instead it should be processed by your web server and allow certbot to verify.

To be honest, I'm not sure why the template uses DocumentRoot /var/www/offline, it would be better to use the typical default of /var/www/html

@iamdoubz iamdoubz commented Feb 18, 2021

Another update. I was working on a nginx conf for Plex.

UPDATE: This code that was here.... wasn't very good.

@jamesmacwhite jamesmacwhite commented Apr 14, 2021

@iamdoubz You might want to review this configuration. It caused a few regressions with my reverse proxy setup. Remote streams worked but they were not picked up in the Now playing status even though I could see remote stream traffic and watch status i.e. watched and unwatched was broken amongst other things like resuming was not working. Reverting the Location and ProxyPass/ProxyPassReverse parts allows things to work again fine. Local clients were not affected.

I'd advise others to use the previous configuration due to the above. I'm thinking in particular it's the proxying parts.

@tyjtyj tyjtyj commented Sep 14, 2021

Anyone still using this? It seems to have stopped working (old and new version) in the last few days without any changes on my setup.
There are lots of /:/websockets/notifications errors in the logs too.

Client player can't fast-forward / timeout / unexpected error on remote stream.

@iamdoubz iamdoubz commented Sep 15, 2021

Don't use the Apache "Location" version. It was bad and I removed it from my previous post. My plex config still seems to be working with web version 4.62.1 and server version 1.24.2.4973.

@Tipz Tipz commented Sep 16, 2021

> Anyone still using this? It seems to have stopped working (old and new version) in the last few days without any changes on my setup.
> There are lots of /:/websockets/notifications errors in the logs too.
>
> Client player can't fast-forward / timeout / unexpected error on remote stream.

What version of Plex do you have?
For Plex version 4.62.1 (version server 1.24.2.4973) - works, but I had to edit "Header always set Content-Security-Policy"

@iamdoubz iamdoubz commented Sep 16, 2021

If you connect directly to Plex: http://ip.ad.re.ss:32400/web, do you experience these weird timeouts and/or transcoding problems?

@tyjtyj tyjtyj commented Sep 16, 2021

> If you connect directly to Plex: http://ip.ad.re.ss:32400/web, do you experience these weird timeouts and/or transcoding problems?

No issue when I open the port directly to Plex (even via Cloudflare). Issue only when I go through the Apache proxy.

UPDATE: Found the root cause to be traffic proxy to plex docker seems to be causing the timeout.

@jamesmacwhite jamesmacwhite commented Sep 18, 2021

Reviewing my reverse proxy the CSP change needed is to do with img-src now, it seems images are now being served from a path of:

https://ip.hash.plex.direct, the rule of *.plex.direct no longer matches, because of the hash, subdomain of subdomain, you can probably get away with just allowing https: for img-src to avoid having to add loads of specific rules.

Otherwise, it works fine and can play content through the web and mobile app, no changes other than CSP.

@Tipz Tipz commented Sep 18, 2021

For my configuration, a proxy server - it was enough to add the *.plex.direct:32400 for img-src

@jamesmacwhite jamesmacwhite commented Sep 18, 2021

@Tipz Ah thanks, yes that's a better rule if you want to be selective. You could still use https: generally to avoid having all of the conditions, some of them might not be valid anymore.
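The img-src options discussed in the last few comments (`*.plex.direct`, `*.plex.direct:32400`, `https:`) differ in how a browser matches them. As an added example (not from the gist or its commenters), this JavaScript implements a simplified version of CSP Level 3 host-source matching and runs the three rules against a constructed URL; the URL and the assumption that image requests carry port 32400 are mine.

```javascript
// Simplified CSP Level 3 host-source matching: scheme, host-part and port-part.
// Paths, 'self' and the http-to-https upgrade rule are left out on purpose.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Does one source expression allow the URL? pageScheme is the scheme of the
// page that carries the policy (used when the source names no scheme).
function sourceMatches(source, urlString, pageScheme = 'https:') {
  const url = new URL(urlString);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    // scheme-source such as "https:" or "data:": any host, any port.
    return url.protocol === source.toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const wantScheme = scheme ? scheme.toLowerCase() + ':' : pageScheme;
  if (url.protocol !== wantScheme) return false;

  // host-part: "*.example" matches every host ending in ".example", at any depth.
  const actual = url.hostname.toLowerCase();
  const pattern = host.toLowerCase();
  const hostOk = pattern.startsWith('*.')
    ? actual.endsWith(pattern.slice(1))
    : actual === pattern;
  if (!hostOk) return false;

  // port-part: a source without a port only matches the scheme's default port.
  if (port === '*') return true;
  const urlPort = url.port || DEFAULT_PORT[url.protocol];
  return (port || DEFAULT_PORT[url.protocol]) === urlPort;
}

// True if any source in an img-src value allows the URL.
function imgAllowed(imgSrcValue, urlString) {
  return imgSrcValue.trim().split(/\s+/).some((s) => sourceMatches(s, urlString));
}

// Constructed URL shaped like the plex.direct image addresses discussed above;
// the :32400 port is an assumption taken from the rule that fixed it.
const IMG = 'https://192-0-2-10.0123456789abcdef.plex.direct:32400/photo/x.jpg';
const RULES = {
  original: "'self' data: blob: plex.tv *.plex.tv *.plex.direct",
  withPort: "'self' data: blob: plex.tv *.plex.tv *.plex.direct:32400",
  anyHttps: "'self' data: blob: https:",
};
for (const [name, value] of Object.entries(RULES)) {
  console.log(name, imgAllowed(value, IMG));
}
```

The `https:` form also admits images from any HTTPS host on any port, so the port-qualified host rule is the narrower of the two fixes.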
