nginx config for proxying requests for plex over a hostname-based virtualhost.

nginx.conf

upstream plex-upstream {
	# change plex-server.example.com:32400 to the hostname:port of your plex server.
	# this can be "localhost:32400", for instance, if Plex is running on the same server as nginx.
	server plex-server.example.com:32400;
}

server {
	listen 80;

	# server names for this server.
	# any requests that come in that match any these names will use the proxy.
	server_name
		tv
		plex
		tv.example.com
		plex.example.com;

	# this is where everything cool happens (you probably don't need to change anything here):
	location / {
		# if a request to / comes in, 301 redirect to the main plex page.
                # but only if it doesn't contain the X-Plex-Device-Name header
		# this fixes a bug where you get permission issues when accessing the web dashboard
		if ($http_x_plex_device_name = '') {
			rewrite ^/$ http://$http_host/web/index.html;
		}

		# set some headers and proxy stuff.
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_redirect off;

		# include Host header
		proxy_set_header Host $http_host;

		# proxy request to plex server
		proxy_pass http://plex-upstream;
	}
}

Thank you so much for this! I had a different issue than you, but your config helped me figure it out. I had been trying to get this to work for a few days prior.

Is there any way to get auth_basic working for this? I've tried enabling just under 'location / {' and now it's throwing me into a redirect loop asking me for a password over and over :(

Anyone ever tried to mount plex in a folder?

@cbetta what do you mean, exactly?

i think cbetta want to access plex at hisdomain.tld/plex/ by puting the proxy_pass inside a 'location /plex/'
I tried this without success but if you have a solution i'll be happy to know it

@Quark-X10 ahhh, I see.

yeah, so that would not work because proxy_pass will pass the whole URI, including the prefix (/plex/) to Plex. What you need to do is rewrite the URI to remove the prefix before calling proxy_pass:

rewrite /plex(/.*) $1 break;

# proxy request to plex server
proxy_pass http://plex-upstream;

note: this is untested, so it may not work. but try it out. (based on example at: http://wiki.nginx.org/HttpProxyModule#proxy_pass)

For anyone looking to do authentication, here's how I have it setup in mine. This will allow a connection from 10.10.10.1 and from 192.168.1.1-192.168.1.255 without authentication. If you are coming from outside those IP addresses, you will be prompted for a username and password.

If you don't want the ip address bypass, just leave those lines out.

satisfy any;
allow 10.10.10.1/32;
allow 192.168.1.1/24;
auth_basic   "Restricted";
auth_basic_user_file /etc/nginx/htpasswd;

I've found a clean solution to authenticate plex on the localhost - run either plex, or nginx, inside of a docker container. If you're unfamiliar with Docker, the "easy" choice is to run nginx, here's the quick version if you are only using nginx for plex:

1. Install docker (see docker.io)
2. Stop your current nginx (for debian/ubuntu, that's sudo service nginx stop)
3. Update your "plex-upstream" to point to the IP address of your computer (use the IP address, like 192.168.x.x or 10.x.x.x, don't use 127.0.0.1)
4. Start nginx inside a docker container
   sudo docker run -d -p 80:80 -v /etc/nginx/sites-available:/etc/nginx/sites-available -v /etc/nginx/sites-enabled:/etc/nginx/sites-enabled -v /var/log/nginx:/var/log/nginx dockerfile/nginx

== Long version ==

Plex is incapable of authenticating 127.0.0.1 because their architecture requires this to be open. All current solutions I've seen enable HTTP basic authentication. This is imperfect, because

• Plex detects connections from localhost and allows these connections to modify server settings. Anyone with HTTP basic access suddenly has access to modify all your server settings.
• apps such as Android, Roku, etc, don't always support basic auth. You can embed the U/P in the URL, but after trying to explain this to one family member over the phone I realized this is a bad solution if you have novice users

Basically, if you use docker to "contain" either nginx or plex, you get an isolated system (docker basically gives you a really tiny virtual machine - like less than 5MB tiny). This means that plex and nginx will have different IP addresses. So you can still use your proxy, but you can toss out HTTP authentication and use myplex authentication instead, which integrates properly with plex.

BTW, the error log reports a lot of these (and there are lots of notifications of connection lost from the webUI):

request: "GET /:/websockets/notifications HTTP/1.1", upstream: "http://127.0.0.1:32400/:/websockets/notifications", host: "plex.foobar.me"
2014/04/20 03:55:01 [error] 32207#0: *753 upstream prematurely closed connection while reading response header from upstream, client: 93.115.92.169, server: plex.foobar.me, request: "GET /:/websockets/notifications HTTP/1.1", upstream: "http://127.0.0.1:32400/:/websockets/notifications", host: "plex.foobar.me"
2014/04/20 08:41:56 [error] 6#0: *21 upstream prematurely closed connection while reading response header from upstream, client: 93.115.92.169, server: plex.foobar.me, reque

which I seem to be able to stop by adding a few websocket items to the proxy:

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

I'm no wiz with websockets or nginx - perhaps someone can help ID if this is indeed a fix, and if so can perhaps modify the config so that a connection is only upgraded for the /websockets URL - I think these lines try to upgrade every http connection

thanks @hamiltont!

unfortunately, I'm currently running plex in OSX, so Docker isn't an option, but I think I might move to that when I build my new mediaserver (I've already been running minecraft server in a docker container to learn it). The current setup is running Plex on OSX and nginx is doing all the proxying through one of my linux servers.

I'll get the websocket upgrade stuff in my config set up and make sure everything is working right.

Thought I should share since this config helped me get going when I first started.

The recent plexweb 2.0 upgrade broke my config because of the way nginx does urlencode. Maybe my config broke because I am proxying multiple things; not sure. If your setup was affected, you can see how I got around it here: https://forums.plex.tv/index.php/topic/108354-trouble-recently-proxying-web-interface/

Woops...posted that in a plexpass only forum. Here is a better link. Cheers!

https://forums.plex.tv/index.php/topic/108070-cannot-play-media-from-wan/page-2?p=654460

This works great so far! However, when I access my plex server from the LAN it requires me to login to an account rather than the typical LAN behavior of letting you go right in. I tried playing around and fixing it but was not successful. Anyway to make this happen?

I think there was an update in plex recently which broke this for auto login. The below is the configuration I use that is working great for me.

The geo stuff allows me to say which IP address ranges are allowed "unrestricted" access, as I have plex configured to Require authentication on local networks. This means only 127.0.0.1 gets full access, but my local lan address of my plex box, needs to login. This means plex must be running on the same machine as nginx.

# Plex.
# Determine local or remote.
geo $geo {
  default           0;
  127.0.0.1/32      1;
  192.168.1.0/24    1;
}
upstream plex-upstream {
  server 127.0.0.1:32400;
}
upstream plex-remote-upstream {
  server 192.168.1.253:32400;
}
server {
  listen       80;
  server_name  plex;

  location / {
    set $test "";

    # If a request to / comes in, 301 redirect to the main plex page,
    # but only if it doesn't contain the X-Plex-Device-Name header or query argument.
    # This fixes a bug where you get permission issues when accessing the web dashboard.
    if ($http_x_plex_device_name = '') {
      set $test A;
    }
    if ($arg_X-Plex-Device-Name = '') {
      set $test "${test}B";
    }
    if ($test = AB) {
      rewrite ^/$ http://$http_host/web/index.html;
    }

    proxy_set_header    Host            $http_host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;

    if ($geo = 1) {
      proxy_pass          http://plex-upstream;
    }
    if ($geo = 0) {
      proxy_pass          http://plex-remote-upstream;
    }

    # Plex proxy settings.
    proxy_redirect      off;
    proxy_buffering     off;

    ## Required for Websockets
    proxy_http_version      1.1;
    proxy_set_header        Upgrade         $http_upgrade;
    proxy_set_header        Connection      "upgrade";
    proxy_read_timeout      36000s;         ## Timeout after 10 hours
  }
}

Quick question is it possible to do the following:
After setting up a Plex for remote access and registering such server with plex.tv.
And after sharing the libraries on this server with another user
can I then set up and twin server with the exact configuration
register that second server with plex.tv
Setup a proxy load balancer and have the user sign in at plex tv and see any of the two servers behind the proxy as one? That is the short version. Remember BOTH server are mirror images of each other...

Does somebody has the right configuration for Plex with HTTPS ?

👍 thanks

I'm very new to nginx and I've tried using this gist but to redirect traffic to plex when fetching from domain.tld/location instead of just domain.tld. E.g.: my.server.com/plex. I've tried the rewrite rule mentioned earlier but without success. Anyone has got this going, and if so, care to share the solution?

If somebody wants to get /plex path to work, I have published my nginx configs for /plex and /deluge over at https://github.com/alexgorbatchev/nginx-plex-deluge-proxy

I tried your conf file and it works great, however when I load my dashboard it can't reach my server. Could the NAT be causing the issue? Am currently Mapping a public IP to a private IP(Proxy) which then sends the request to the actual Plex server. Any help would be greatly appreciated.

Awesome <3

Hey, thanks so much for this it really helped a lot! I had to modify it a little bit to get Plex working properly on my server so I'm dropping some information here in case anybody else runs into my problem.

OS: CentOS 7
Server version: 0.9.12.11.1406-8403350

Whenever I opened Plex in my browser and started clicking around I kept getting kicked back to the login screen and a notification would show saying

"<host> went away." 

This happened very frequently and would even interrupt shows I was watching and kick me back to the login page.

I checked the activity log and saw multiple instances of the same message.

Unable to listen for events on <host>

I looked in the nginx error log file (/var/log/nginx/error.log) and I found these error messages

2015/09/16 23:24:17 [error] 30117#0: *39 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.245, server: <host>, request: "GET /status/sessions HTTP/1.1", upstream: "http://[::1]:32400/status/sessions", host: "<host>", referrer: "http://<host>/web/index.html"
2015/09/16 23:25:14 [error] 30117#0: *88 upstream prematurely closed connection while reading response header from upstream, client: 192.168.1.245, server: <host>, request: "GET /:/websockets/notifications HTTP/1.1", upstream: "http://127.0.0.1:32400/:/websockets/notifications", host: "<host>"
2015/09/16 23:25:14 [error] 30117#0: *88 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.245, server: <host>, request: "GET /:/websockets/notifications HTTP/1.1", upstream: "http://[::1]:32400/:/websockets/notifications", host: "<host>"
2015/09/16 23:25:14 [error] 30117#0: *39 no live upstreams while connecting to upstream, client: 192.168.1.245, server: <host>, request: "GET / HTTP/1.1", upstream: "http://plex-upstream/", host: "<host>", referrer: "http://<host>/web/index.html"

After searching around for a long time with no results I noticed the config file posted by @techmunk and decided to take some pieces of it to see if they helped. The following is the resulting config file which solved my problem.

upstream plex-upstream {
    # change plex-server.example.com:32400 to the hostname:port of your plex server.
    # this can be "localhost:32400", for instance, if Plex is running on the same server as nginx.
    server localhost:32400;
}

server {
    listen 80;

    # server names for this server.
    # any requests that come in that match any these names will use the proxy.
    # replace <host> with actual server name (obviously).
    server_name <host>

    # this is where everything cool happens (you probably don't need to change anything here):
    location / {
        # if a request to / comes in, 301 redirect to the main plex page.
                # but only if it doesn't contain the X-Plex-Device-Name header
        # this fixes a bug where you get permission issues when accessing the web dashboard
        if ($http_x_plex_device_name = '') {
            rewrite ^/$ http://$http_host/web/index.html;
        }

        # set some headers and proxy stuff.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # include Host header
        proxy_set_header Host $http_host;

        # proxy request to plex server
        proxy_pass http://plex-upstream;

        proxy_redirect off;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 36000s;
    }   
}

I no longer have any problems and the activity log shows the proper message

 Opened connection to <host>, listening for events.

Hopefully this helps someone else who is having the same issue I was.

Getting errors trying to set this up in my existing nginx proxy...

Creating a new CONF for plex = http://pastebin.com/HUb8byv1
Creating a new CONF for plex-specific proxy = http://pastebin.com/TVb08q93
Output when restart nginx = http://pastebin.com/RNBZmm07

Please note using an IP address or resolved name makes no difference...

Any ideas?

@james-d-hasselman solution worked for me with plex-pass version 0.9.15.1.

With redirecting to /web/index.html as above I had a problem connecting via the Plex.tv web app (with custom server access URL defined). I got a Response for preflight is invalid (redirect) message in the Chrome dev console.

If this happens to you, only redirect with its not an OPTIONS requests as below.

 # Redirect if not an options request.
    if ($request_method != OPTIONS ) {
        set $test A;
    }
    if ($http_x_plex_device_name = '') {
        set $test "${test}B";
    }
    if ($test = AB) {
        rewrite ^/$ http://$http_host/web/index.html;
    }

I had to add this for playing to work:

proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;

Wow this drove me absolutely nuts, thank you so much @thomasjwebb

Used @james-d-hasselman's code plus @thomasjwebb's header. worked perfectly. thanks guys

I've managed to get the streaming working over the web in browser with the header from @thomasjwebb, but my Android clients fail to stream, the message recommends to restart the client and server.

iOS works fine.

Any suggestions?

I'm not sure what I'm doing wrong, this code doesn't seem to work. I tried Subtletree's combo of hasselman and thomaswebb's code and was met with this message:

nginx: [emerg] "upstream" directive is not allowed here in /usr/local/etc/nginxnginx.conf:1

I even went as far as copying the code directly from the zip and unzipping the file directly in it's place and get the same error message? I'm using nginx-1.8.1_2,2.

I don't know a terrible amount about reverse proxies except that I set up the first one for the majority of the services running in my Freenas box, and I wanted to get this to work for Plex to make it easier to access from everywhere. I will continue to read the documentation about nginx to see if I have something wrong or what have you until I see someone respond. Do I need to install additional packages to get this to work? Thank you for any insight into the matter!

update... got this to work. Problem was missing a lot of necessary code I think... I had to add some of the basic data like worker_processes 1; and some other code; is that code truly necessary for this to work? updated code below:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;


upstream plex-upstream {
    # change plex-server.example.com:32400 to the hostname:port of your plex server.
    # this can be "localhost:32400", for instance, if Plex is running on the same server as nginx.
    server localhost:32400;
}

server {
    listen 80;

    # server names for this server.
    # any requests that come in that match any these names will use the proxy.
    # replace <host> with actual server name (obviously).
    server_name plex
                tv;

    # this is where everything cool happens (you probably don't need to change anything here):
    location / {
        # if a request to / comes in, 301 redirect to the main plex page.
                # but only if it doesn't contain the X-Plex-Device-Name header
        # this fixes a bug where you get permission issues when accessing the web dashboard
        if ($http_x_plex_device_name = '') {
            rewrite ^/$ http://$http_host/web/index.html;
        }

        # set some headers and proxy stuff.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;

        # include Host header
        proxy_set_header Host $http_host;

        # proxy request to plex server
        proxy_pass http://plex-upstream;

        proxy_redirect off;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 36000s;
    }   
}
}

I had to add a few things to get this all working:

        # Plex headers
        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;

The /web redirect was also a problem with the Fire TV, it doesn't send headers, it uses query strings so I had to make some tweaks there too otherwise the Fire TV would say that it couldn't connect.

                # Redirect if not an options request.
                if ($request_method != OPTIONS ) {
                        set $test A;
                }
                if ($http_x_plex_device_name = '') {
                        set $test "${test}B";
                }
                if ($arg_X-Plex-Device-Name = '') {
                        set $test "${test}C";
                }
                if ($test = ABC) {
                        rewrite ^/$ https://$http_host/web/index.html;
                }

Hopefully that helps someone.

Doonga - helped me, thanks!

I used Doonga's Headers but I'm not sure if it mattered. I used the orginal config in this gist but had to change proxy_pass http://plex-upstream; to proxy_pass http://plex-upstream/;

Notice the trailing / at the end? That made it work for me. Now when ever any one visits my URL they get plex and do not have to enter the port or the url.

This configuration forces me to log into Plex account from LAN. So I can reach the Web GUI only from localhost. I'm running Plex Server 1.1.4.2757.
Am I the only one having this weird thing going on?

Had some problems setting this up for plex, couchpotato, sabnzbd etc.

Problems seem to have been fixed by changing:

upstream plex-upstream {
    server localhost:32400;
}

to:

upstream plex-upstream {
    server 127.0.0.1:32400;
}

Hey all,

After a few hours of hacking and testing, I was able to get Plex Media Server v1.3.3.3148 working behind an NGINX reverse proxy on my local LAN, without it prompting for any authentication. Here is my gist with the configuration.

The key was the following configuration, which forces plex to see the request as coming from an IP in the whitelisted network:

    proxy_set_header        Host                      $server_addr;
    proxy_set_header        Referer                   $server_addr;
    proxy_set_header        Origin                    $server_addr; 

Hope this helps others!

Devin

Having some problems with downloading (not streaming) movies from Plex, using this Nginx configuration.
The downloads stop after exactly 1024MB.
Any else tried to download something from their Plex server behind Nginx?

Edit: This is a Plex bug, I think.

https://forums.plex.tv/discussion/256039/download-stopping-at-exactly-1024mb#latest
https://www.reddit.com/r/PleX/comments/5ulg53/downloading_stops_after_1024mb/

So I am having this same problem on latest version of plex and version 1.10.2 of nginx.

Here is my code:

`upstream plex-upstream {
# change plex-server.example.com:32400 to the hostname:port of your plex server.
# this can be "localhost:32400", for instance, if Plex is running on the same server as nginx.
server asm-tv-pc01.me.local:32400;
}

server {
listen 80;

    # server names for this server.
    # any requests that come in that match any these names will use the proxy.
    server_name
            tv
            plex
            tv.example.com
            plex.me.local;

    # this is where everything cool happens (you probably don't need to change anything here):
    location /plex {
            # if a request to / comes in, 301 redirect to the main plex page.
            # but only if it doesn't contain the X-Plex-Device-Name header
            # this fixes a bug where you get permission issues when accessing the web dashboard
            if ($http_x_plex_device_name = '') {
                    #rewrite ^/$ http://$http_host/web/index.html;
                    rewrite /plex(/.*) $1 break;
            }

            # set some headers and proxy stuff.
            # Plex headers
            proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
            proxy_set_header X-Plex-Device $http_x_plex_device;
            proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
            proxy_set_header X-Plex-Platform $http_x_plex_platform;
            proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
            proxy_set_header X-Plex-Product $http_x_plex_product;
            proxy_set_header X-Plex-Token $http_x_plex_token;
            proxy_set_header X-Plex-Version $http_x_plex_version;
            proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
            proxy_set_header X-Plex-Provides $http_x_plex_provides;
            proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
            proxy_set_header X-Plex-Model $http_x_plex_model;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;

            # include Host header
            proxy_set_header Host $http_host;
            proxy_set_header        Host                      $server_addr;
            proxy_set_header        Referer                   $server_addr;
            proxy_set_header        Origin                    $server_addr;

            # proxy request to plex server
            proxy_pass http://plex-upstream;
    }

}
`

Getting this in my logs:

2017/03/15 19:37:37 [error] 65282#100149: *1 open() "/usr/local/www/nginx/plex" failed (2: No such file or directory), client: 10.150.1.192, server: localhost, request: "GET /plex HTTP/1.1", host: "nginxtest.me.local"
2017/03/15 19:40:37 [error] 65944#100248: *2 open() "/usr/local/www/nginx/plex" failed (2: No such file or directory), client: 10.150.1.192, server: localhost, request: "GET /plex HTTP/1.1", host: "nginxtest.me.local"
2017/03/15 19:42:21 [error] 66013#100268: *1 open() "/usr/local/www/nginx/plex" failed (2: No such file or directory), client: 10.150.1.192, server: localhost, request: "GET /plex HTTP/1.1", host: "nginxtest.me.local"

thanks

Did you ever get it working @andrewm659 ?

Update: The original gist without the proxy_set_headers as mentioned in follow-ups works well.
Thanks @spikegrobstein.