Skip to content

Instantly share code, notes, and snippets.

@k0nsl

k0nsl/A - Information

Forked from doonga/A - Information
Created March 29, 2017 14:03
Show Gist options
  • Star 5 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save k0nsl/0dc5576161585750986b6f8a0d548286 to your computer and use it in GitHub Desktop.
Save k0nsl/0dc5576161585750986b6f8a0d548286 to your computer and use it in GitHub Desktop.
Download ZIP
Plex NGINX reverse proxy config using Cloudflare on Ubuntu 16.04
Raw
A - Information
Credit where credit's due, I mainly used these 3 resources to get this all working. There were several others but I don't exactly remember which is which. So at least here are the 3 main places that I used.
The vast majority of this came from this link, the others helped me make it work for Plex.
http://emby.media/community/index.php?/topic/30975-reverse-proxy-with-ssl-hostname-routing-and-embyopenvpn-port-sharing/
https://gist.github.com/spikegrobstein/4384954
https://forums.plex.tv/discussion/207725/ubuntu-14-04-4-lts-plex-incorrectly-handles-lower-case-headers#latest
The data flow here is:
User -> Cloudflare -> Origin IP -> Haproxy -> NGINX -> Plex
All caching and acceleration stuff is turned off on Cloudflare. I'm using Full(Strict) with Authenticated Origin pulls and HSTS. I'm mainly using it to obscure my real IP as well as get better peering for the few family members that I share with. Plus I wanted to see if I could make it work.
I have a fully automated Letsencrypt setup for NGINX, which isn't completely necessary, but when connecting locally I wanted trusted certs without having to roll my own CA and load the signer certificate everywhere. Also if I decide to stop using Cloudflare, then I'll have "real" certs on my endpoints so there won't be any trust issues.
I'm also using split DNS so hostnames within my home network resolve directly to the server hosting Haproxy.
Note: This works with the web client, Android TV, FireTV, Android. Chromecast via Android Plex doesn't work, if you use the webclient to cast to Chromecast it works fine.
Raw
haproxy.conf
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
defaults
log global
option dontlognull
option http-server-close
timeout http-request 5s
timeout connect 5000
timeout client 30000
timeout server 30000
frontend tls_router
bind *:443
mode tcp
option tcpka
# Define known networks for later use
acl local src 127.0.0.0/8 192.168.1.0/24
acl cloudflare src 199.27.128.0/21 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
#Rate-limiting measures, in case of DoS
# Table for connection tracking
stick-table type ip size 100k expire 30s store conn_cur
# Allow known CloudFlare IPs to bypass the rate-limiting
tcp-request connection accept if cloudflare
# Reject connection if client has more than 10 open
tcp-request connection reject if { src_conn_cur ge 10 }
tcp-request connection track-sc1 src
# Max inspection delay for SNI routing
tcp-request inspect-delay 2s
# Accept only SSL/TLS traffic
tcp-request content accept if { req_ssl_hello_type 1 }
# If SNI hostname is known server AND is from known IP, pass to backend
# Plex
acl plex_sni req_ssl_sni -i plex.example.com
# Root hostname
acl root_sni req_ssl_sni -i example.com
use_backend plex_tls if plex_sni cloudflare or plex_sni local
use_backend example_tls if root_sni cloudflare or root_sni local
default_backend example_tls
backend plex_tls
mode tcp
option tcpka
server server_plex_tls localhost:7443 send-proxy
backend example_tls
mode tcp
option tcpka
server server_example_tls localhost:443 send-proxy
Raw
nginx.conf
This is a nice proxylog line
log_format proxyLog '[$time_local] $real_ip - $remote_user - $server_name to: $upstream_addr: $status / upstream $upstream_status $request upstream_re
sponse_time $upstream_response_time msec $msec request_time $request_time body: $request_body';
Raw
plex.conf
# plex reverse proxy
#
# Intended to sit downstream from HAProxy, uses proxy protocol.
# Allows traffic from the local network, or from WAN w/ CloudFlare client cert
#
server {
# Using proxy protocol to get client info passed from HAProxy
listen 127.0.0.1:7443 ssl http2 proxy_protocol;
listen [::1]:7443 ssl http2 proxy_protocol;
keepalive_timeout 180;
proxy_bind 127.1.1.1;
# Log Rewrites
rewrite_log on;
access_log /var/log/nginx/plex_example_com.log proxyLog;
#error_log /var/log/nginx/plex_error.log debug;
# Who the hell am I?! Where's my stuff?!
server_name plex.example.com;
root /var/www/plex.example.com/public_html;
# Import some solid TLS settings
include snippets/solidtls.conf;
# Certs
ssl_certificate /srv/letsencrypt/certs/plex.example.com/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/certs/plex.example.com/privkey.pem;
ssl_trusted_certificate /srv/letsencrypt/certs/plex.example.com/fullchain.pem;
ssl_client_certificate /etc/nginx/ssl/cf-origin-pull-ca.pem;
# Client cert optional. We'll do our own access control rules in /
ssl_verify_client optional;
# Let's get the real client info from upstream proxy
include snippets/realip-cf-haproxy.conf;
# Set headers with real client info for downstream app
proxy_set_header Host $host;
proxy_set_header X-Real-IP $real_ip;
proxy_set_header X-Forwarded-For $real_ip;
proxy_set_header X-Forwarded-Proto $real_ip;
proxy_set_header X-Forwarded-Protocol $scheme;
# Turn off buffering for streaming purposes
proxy_buffering off;
# No request rewriting
proxy_redirect off;
# Send websocket data to the backend, courtesy @[member="Karbowiak"] on Emby forum
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Plex headers
# As of 0.9.17.0 this shouldn't be needed anymore since Plex now ignores case in headers
# proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
# proxy_set_header X-Plex-Device $http_x_plex_device;
# proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
# proxy_set_header X-Plex-Platform $http_x_plex_platform;
# proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
# proxy_set_header X-Plex-Product $http_x_plex_product;
# proxy_set_header X-Plex-Token $http_x_plex_token;
# proxy_set_header X-Plex-Version $http_x_plex_version;
# proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
# proxy_set_header X-Plex-Provides $http_x_plex_provides;
# proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
# proxy_set_header X-Plex-Model $http_x_plex_model;
# proxy_set_header X-Plex-Container-Start $http_x_plex_container_start;
# proxy_set_header X-Plex-Container-Size $http_x_plex_container_size;
# Test if IP from HAProxy is local - tweak to match your network
set $is_local_client false;
if ( $proxy_protocol_addr ~ 192.168.1.* ) {
set $is_local_client true;
}
# Force the use of our custom robots.txt
location /robots.txt {
try_files $uri /var/www/plex.example.com/public_html/robots.txt;
}
# Catch-all. Performs authentication based on client IP or certificate.
location / {
# Redirect if not an options request.
if ($request_method != OPTIONS ) {
set $test A;
}
if ($http_x_plex_device_name = '') {
set $test "${test}B";
}
if ($arg_X-Plex-Device-Name = '') {
set $test "${test}C";
}
if ($test = ABC) {
rewrite ^/$ https://$http_host/web/index.html;
}
# We'll return 418 later if client is authorized
error_page 418 = @authorized;
#Access rules
# Allow local clients without client cert
if ( $is_local_client = true ) { return 418; }
# Does client have valid client certificate?
if ( $ssl_client_verify = "SUCCESS" ) { return 418; }
# Deny all others, return 403 unauthorized
return 403;
}
# Handles 418 responses for authorized users. Does the actual proxying.
# Using the real IP of the Plex server instead of localhost
location @authorized {
proxy_pass https://192.168.1.20:32400;
}
}
Raw
realip-cf-haproxy.conf
#Local traffic, including HAProxy on localhost
set_real_ip_from 127.0.0.0/8;
#CloudFlare
#These need to be updated from Cloudflare as they may have changed
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
#Default state, assume local traffic/proxy protocol header
set $forwarded_ip_header proxy_protocol;
set $real_ip $proxy_protocol_addr;
# Is Cloudflare header set? Use that header/addr instead of proxy_protocol
if ($http_cf_connecting_ip) {
set $forwarded_ip_header CF-Connecting-IP;
set $real_ip $http_cf_connecting_ip;
}
# Tell Nginx which header to use
real_ip_header $forwarded_ip_header;
Raw
solidtls.conf
# Trustworthy SSL/TLS settings in a box
#
ssl on;
gzip off; # gzip allows for some attacks
# General params
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Always use custom-generated DH params >2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
#Intermediate cipher config
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#Modern cipher config
#ssl_protocols TLSv1.1 TLSv1.2;
#ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
#Perfect ssllabs score cipher list. Not super usable, works for CF-only setups
#ssl_protocols TLSv1.2;
#ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
# No downgrade attacks
ssl_prefer_server_ciphers on;
# HSTS
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Stapling
ssl_stapling on;
ssl_stapling_verify on;
# DNS resolvers to use for cert verification
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment