If you have not already, we suggest setting your Plex username to something else rather than email which is displayed on your posts in forum. You can change the username at https://app.plex.tv/desktop#!/account
Welcome to our forums! Please take a few moments to read through our Community Guidelines (also conveniently linked in the header at the top of each page). There, you'll find guidelines on conduct, tips on getting the help you may be searching for, and more!

Plex API - Sessions Status not honoring X-Forwarded-For & X-Real-IP with IPv6 clients

JesFLIXJesFLIX Posts: 31Members, Plex Pass Plex Pass

Hello,

I recently enabled IPv6 with my NGINX reverse proxy, and discovered that if client is IPv6, Plex API for session status returns IPv4 address of my NGINX server. Plex Server Logging shows IPv6 clients address correct, but the Plex API for session status[1] does not.
Instead, the API is returning an IPv4-Mapped IPv6 Address of my NGINX address.

It is my belief that for IPv6 addresses in X-Forwarded-For and X-Real-IP, they are ignored and the native client IP is used by default.

See PMS Log example below[2], with the same entry pulled from API status sessions[3]

How I observe the Player Address
[1]: http://SERVER_IP:32400/status/sessions?X-Plex-Token=YOUR_PLEX_TOKEN

Example PMS Log showing IPv6 client, with X-Forwarded-For and X-Real-IP headers set
[2]: https://hastebin.com/ukipunafuz.go

Example Plex Sessions Status output showing NGINX reverse proxy address instead of IPv6 client.
[3]: https://hastebin.com/usigufinef.xml

Tagged:

Answers

  • JesFLIXJesFLIX Posts: 31Members, Plex Pass Plex Pass
    edited January 19

    Sorry for the formatting

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass

    I'm noticing somthing else with X-Forwarded-For, for external clients they go through Cloudflare then hit my Nginx where they are proxied to my plex. It works great, for external clients plex is able to see and use the correct IP from X-Forwarded-For thus displaying the user's real public IP, and not cloudflare's (both are included client is assumed to be far left/1st in line).

    Though local clients hit just the Nginx server skipping cloudflare, I am using split horizon DNS, and only custom domain with the normal remote access turned off, local DNS give local IP for plex/Nginx server, the issue is plex seem to ignore X-Forwarded-For when the IP in the header is a Local IPv4 or an IPv6 address (same as what the op saw).

    I have confirmed Nginx is sending the correct IPs and info in the header field, only difference is, Local IPv4s and IPv6 in the X-Forwarded-For header are simply ignored.

    I do see many log entries like this "Using X-Forwarded-For: 68.###.###.56 as remote address", it just wont/dosn't happen if that IP is a v4 Local or IPv6.

    Easy to test, use plex with custom access URLs, disable the normal remote access feature (to 100% force custom URL), config Nginx (like below) with proper IP/Server same

    Quick snip of relevant Nginx server block, again plex works except for correct client IP when its a IPv4 Local or IPv6 address.

    server {
    listen 10.0.1.5:80; #Port can also be 443 is you have proper certs setup in Nginx for the domain in use.
    listen [2001:470:*****:1::5]:80; #Port can also be 443 is you have proper certs setup in Nginx for the domain in use.
    server_name plex.*********.net;
    location / {
    proxy_pass http://localhost:32400/;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 360s;
    }
    }

  • JesFLIXJesFLIX Posts: 31Members, Plex Pass Plex Pass

    @Napsterbater did you happen to test using external IPv6 ? If you are using CloudFlare you would need to forward-only not perform a 6to4 conversion. NGINX would need to see the IPv6 client address, not the IPv4. This is where I run into trouble with Plex not accepting an X-Forwarded-For header containing IPv6

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass

    Tested with Windows Plex app, verified it connected to Nginx via IPv6 directly (no cloudflare as this was local), plexpy shows plex reporting IP as 127.0.0.1 or ::1, yet at the same time other clients reporting correct IP.

    Either way whether Nginx connect to Plex on IPv4 or IPv6, currently its forwarding to localhost so could be 127.0.0.1 or ::1, shouldn't matter, that is the point of X-Forwarded-For it should show the original IP no matter the IP Family. And either way it should show the LAN IPv4 or the IPv6 of the client. Rokus being IPv4 on the same lan should show the LAN IPv4 but they also only also show in plex as 127.0.0.1 or ::1.

    Im betting there is somthing like a sanity check that is only looking for "valid"/non local IPv4 and ignores the header otherwise.

    Agin to be clear Nginx connecting to plex via IPv6 with a IPv4 client the header should (and seems to) still work, same vice versa, I dont think its the twp diffrent address family (IPv6 in header but connecting via IPv4) causing the issue, I just think its what ever check the header and "validates" it.

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass

    I have watched it over the past few day, and pretty much can confirm.

    Any client connecting with the X-Forwarded-For/X-Real-IP that contains a IPv6 ("local" or remote as they are all global IPs with IPv6) it is completely ignored, multiple clients. Same for clients with a "Local" IPv4.

    Just feels like somthing checks the field and ignores it if its not a non local IPv4.

  • rock7632rock7632 Posts: 78Members, Plex Pass Plex Pass

    Did anyone find a solution to this? I set up Cloudflare today and am having the same issue with the IP address of the NGINX proxy server being reported instead of the end-user's real IP address

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass
    via Email
    Plex does not recognize the headers that Cloudflare uses directly. What I
    actually do though is have Nginx in front of plex and behind cloudflare.
    (CF - > Nginx - PLEX). Nginx adds/modifies the headers appropriately giving
    me the real IPv4 of the user.. But this does not work for "private" IPs
    directed directly at Nginx or IPv6 users via CF or nginx direct. I think
    that part is effected by some kind of sanity check / filter.
  • rock7632rock7632 Posts: 78Members, Plex Pass Plex Pass

    @Napsterbater said:
    Plex does not recognize the headers that Cloudflare uses directly. What I
    actually do though is have Nginx in front of plex and behind cloudflare.
    (CF - > Nginx - PLEX). Nginx adds/modifies the headers appropriately giving
    me the real IPv4 of the user.. But this does not work for "private" IPs
    directed directly at Nginx or IPv6 users via CF or nginx direct. I think
    that part is effected by some kind of sanity check / filter.

    I have the exact same setup but it doesn't work if the end user has an ipv6 address. In that case, Plex reports the IP of my reverse proxy server instead of the user's real IP. If the end user doesn't have ipv6, it reports the IP just fine

  • JesFLIXJesFLIX Posts: 31Members, Plex Pass Plex Pass

    I hope the Plex devs can advise on this - I suspect it's a trivial fix in how they parse the headers for IPv6

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass

    @rock7632 said:
    I have the exact same setup but it doesn't work if the end user has an ipv6 address. In that case, Plex reports the IP of my reverse proxy server instead of the user's real IP. If the end user doesn't have ipv6, it reports the IP just fine

    Correct. If the Client has ANY kind of IPv6 or ANY "Private" IPv4/rfc1918 IP Address. Plex reports the reverse proxy.

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass
    edited August 26


    These Snips form PlexPy should show the issue better.

    In my case ::1 i.e. IPv6 Loopback address (same as 127.0.0.1) is Nginx as its running on the same system, note it doesn't matter if Nginx uses Loopback IP, LAN IP or if Nginx is on another system. Only difference is where you see ::1 you would see the IP Nginx is connecting from and not the real client IP from the headers.

    Again for me the "Local" Clients are connecting direct to the local Nginx then Plex. the "Remote" Clients are connecting via Cloudflare then to local Nginx them Plex. Note even if I bypass cloudflare it doesn't change the IPv6 being ignored in the header on the Remote Clients, plus Local doing it too, plus Local Ipv4 being ignored as well.

    Like I have said before, I bet there is something that tells Plex to ignore the header if it's not a Public IPv4, which explains IPv6 and Local IPv4s being ignored.

    If the reason for this is to prevent spoofing (which I could understand), how about a toggle to disable this.

    I mean in the scheme of things its not a huge deal, but would be nice to have a solution.

  • scream88scream88 Posts: 14Validating, Plex Pass Plex Pass

    On my site plex is reporting the private ipv4 backend address and not the public ipv6 in the x-forwarded-for header of my reverse Proxy (traefik).

    Any idea how to fix this issue?

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass

    Currently there is no way. This will require Plex Dev to fix the code that looks at the headers and currently ignores Private IPv4 and All IPv6 addresses.

  • NapsterbaterNapsterbater Posts: 46Members, Plex Pass Plex Pass

    Still such a pain seeing only the Nginx IP instead of the real IP from the headers.

Sign In or Register to comment.