Welcome to our forums! Please take a few moments to read through our Community Guidelines (also conveniently linked in the header at the top of each page). There, you'll find guidelines on conduct, tips on getting the help you may be searching for, and more!

Plex API - Sessions Status not honoring X-Forwarded-For & X-Real-IP with IPv6 clients

JesFLIXJesFLIX Members, Plex Pass Posts: 31 Plex Pass

Hello,

I recently enabled IPv6 with my NGINX reverse proxy, and discovered that if client is IPv6, Plex API for session status returns IPv4 address of my NGINX server. Plex Server Logging shows IPv6 clients address correct, but the Plex API for session status[1] does not.
Instead, the API is returning an IPv4-Mapped IPv6 Address of my NGINX address.

It is my belief that for IPv6 addresses in X-Forwarded-For and X-Real-IP, they are ignored and the native client IP is used by default.

See PMS Log example below[2], with the same entry pulled from API status sessions[3]

How I observe the Player Address
[1]: http://SERVER_IP:32400/status/sessions?X-Plex-Token=YOUR_PLEX_TOKEN

Example PMS Log showing IPv6 client, with X-Forwarded-For and X-Real-IP headers set
[2]: https://hastebin.com/ukipunafuz.go

Example Plex Sessions Status output showing NGINX reverse proxy address instead of IPv6 client.
[3]: https://hastebin.com/usigufinef.xml

Tagged:

Answers

  • JesFLIXJesFLIX Members, Plex Pass Posts: 31 Plex Pass
    edited January 19

    Sorry for the formatting

  • NapsterbaterNapsterbater Members, Plex Pass Posts: 40 Plex Pass

    I'm noticing somthing else with X-Forwarded-For, for external clients they go through Cloudflare then hit my Nginx where they are proxied to my plex. It works great, for external clients plex is able to see and use the correct IP from X-Forwarded-For thus displaying the user's real public IP, and not cloudflare's (both are included client is assumed to be far left/1st in line).

    Though local clients hit just the Nginx server skipping cloudflare, I am using split horizon DNS, and only custom domain with the normal remote access turned off, local DNS give local IP for plex/Nginx server, the issue is plex seem to ignore X-Forwarded-For when the IP in the header is a Local IPv4 or an IPv6 address (same as what the op saw).

    I have confirmed Nginx is sending the correct IPs and info in the header field, only difference is, Local IPv4s and IPv6 in the X-Forwarded-For header are simply ignored.

    I do see many log entries like this "Using X-Forwarded-For: 68.###.###.56 as remote address", it just wont/dosn't happen if that IP is a v4 Local or IPv6.

    Easy to test, use plex with custom access URLs, disable the normal remote access feature (to 100% force custom URL), config Nginx (like below) with proper IP/Server same

    Quick snip of relevant Nginx server block, again plex works except for correct client IP when its a IPv4 Local or IPv6 address.

    server {
    listen 10.0.1.5:80; #Port can also be 443 is you have proper certs setup in Nginx for the domain in use.
    listen [2001:470:*****:1::5]:80; #Port can also be 443 is you have proper certs setup in Nginx for the domain in use.
    server_name plex.*********.net;
    location / {
    proxy_pass http://localhost:32400/;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 360s;
    }
    }

  • JesFLIXJesFLIX Members, Plex Pass Posts: 31 Plex Pass

    @Napsterbater did you happen to test using external IPv6 ? If you are using CloudFlare you would need to forward-only not perform a 6to4 conversion. NGINX would need to see the IPv6 client address, not the IPv4. This is where I run into trouble with Plex not accepting an X-Forwarded-For header containing IPv6

  • NapsterbaterNapsterbater Members, Plex Pass Posts: 40 Plex Pass

    Tested with Windows Plex app, verified it connected to Nginx via IPv6 directly (no cloudflare as this was local), plexpy shows plex reporting IP as 127.0.0.1 or ::1, yet at the same time other clients reporting correct IP.

    Either way whether Nginx connect to Plex on IPv4 or IPv6, currently its forwarding to localhost so could be 127.0.0.1 or ::1, shouldn't matter, that is the point of X-Forwarded-For it should show the original IP no matter the IP Family. And either way it should show the LAN IPv4 or the IPv6 of the client. Rokus being IPv4 on the same lan should show the LAN IPv4 but they also only also show in plex as 127.0.0.1 or ::1.

    Im betting there is somthing like a sanity check that is only looking for "valid"/non local IPv4 and ignores the header otherwise.

    Agin to be clear Nginx connecting to plex via IPv6 with a IPv4 client the header should (and seems to) still work, same vice versa, I dont think its the twp diffrent address family (IPv6 in header but connecting via IPv4) causing the issue, I just think its what ever check the header and "validates" it.

  • NapsterbaterNapsterbater Members, Plex Pass Posts: 40 Plex Pass

    I have watched it over the past few day, and pretty much can confirm.

    Any client connecting with the X-Forwarded-For/X-Real-IP that contains a IPv6 ("local" or remote as they are all global IPs with IPv6) it is completely ignored, multiple clients. Same for clients with a "Local" IPv4.

    Just feels like somthing checks the field and ignores it if its not a non local IPv4.

  • rock7632rock7632 Members, Plex Pass Posts: 78 Plex Pass

    Did anyone find a solution to this? I set up Cloudflare today and am having the same issue with the IP address of the NGINX proxy server being reported instead of the end-user's real IP address

  • NapsterbaterNapsterbater Members, Plex Pass Posts: 40 Plex Pass
    via Email
    Plex does not recognize the headers that Cloudflare uses directly. What I
    actually do though is have Nginx in front of plex and behind cloudflare.
    (CF - > Nginx - PLEX). Nginx adds/modifies the headers appropriately giving
    me the real IPv4 of the user.. But this does not work for "private" IPs
    directed directly at Nginx or IPv6 users via CF or nginx direct. I think
    that part is effected by some kind of sanity check / filter.
  • rock7632rock7632 Members, Plex Pass Posts: 78 Plex Pass

    @Napsterbater said:
    Plex does not recognize the headers that Cloudflare uses directly. What I
    actually do though is have Nginx in front of plex and behind cloudflare.
    (CF - > Nginx - PLEX). Nginx adds/modifies the headers appropriately giving
    me the real IPv4 of the user.. But this does not work for "private" IPs
    directed directly at Nginx or IPv6 users via CF or nginx direct. I think
    that part is effected by some kind of sanity check / filter.

    I have the exact same setup but it doesn't work if the end user has an ipv6 address. In that case, Plex reports the IP of my reverse proxy server instead of the user's real IP. If the end user doesn't have ipv6, it reports the IP just fine

  • JesFLIXJesFLIX Members, Plex Pass Posts: 31 Plex Pass

    I hope the Plex devs can advise on this - I suspect it's a trivial fix in how they parse the headers for IPv6

  • NapsterbaterNapsterbater Members, Plex Pass Posts: 40 Plex Pass

    @rock7632 said:
    I have the exact same setup but it doesn't work if the end user has an ipv6 address. In that case, Plex reports the IP of my reverse proxy server instead of the user's real IP. If the end user doesn't have ipv6, it reports the IP just fine

    Correct. If the Client has ANY kind of IPv6 or ANY "Private" IPv4/rfc1918 IP Address. Plex reports the reverse proxy.

Sign In or Register to comment.