Access via nginx - ALMOST WORKS

Server Version#: 1.18.3.2156-349e9837e
Player Version#: web player

I have nginx running in front of plex, both on the same subnet. 
Nginx is redirecting http://localsubnetplex:32400. Remote access 
to plex is disabled and the custom url is https://plex.____.io:443 . 
All requests for plex.___.io are https (using a 301 redirect for http). 
If I enter plex.____.io into the browser address bar it immediately 
changes to https://plex.____.com/web/index.html. It seems, therefore, 
that nginx is doing its job and contact has been made with plex 
tcp/32400. And then, nothing...more precisely the Plex favicon 
downloads, the screen turns to the background color of plex but 
remains blank. I've tried the same with Caddy, same result. 
I'm not sure where to look next. Oh FYI, if I remove the reverse proxy, 
I can access plex using http just fine. I haven't been able to get 
secure access with certs working to port 32400. I've appended some log 
and config material immediately below. Any suggestions would be hugely
welcome :)

================================================

++++PLEX LOG++++

Dec 23, 2019 00:40:46.311 [0x7fcbc77fe700] DEBUG - Using X-Forwarded-For: [REQUEST IP] as remote address
Dec 23, 2019 00:40:46.311 [0x7fcbc67fc700] DEBUG - Request: [172.28.0.3:55964 (WAN)] GET /web/index.html (2 live) Signed-in
Dec 23, 2019 00:40:46.311 [0x7fcbc67fc700] DEBUG - Final path: “/usr/lib/plexmediaserver/Resources/Plug-ins-349e9837e/WebClient.bundle/Contents/Resources/index.html”
Dec 23, 2019 00:40:46.312 [0x7fcbc67fc700] DEBUG - Content-Length of /usr/lib/plexmediaserver/Resources/Plug-ins-349e9837e/WebClient.bundle/Contents/Resources/index.html is 10146 (of total: 10146).
Dec 23, 2019 00:40:46.313 [0x7fcbc7fff700] DEBUG - Completed: [172.28.0.3:55964] 200 GET /web/index.html (2 live) 1ms 10146 bytes (pipelined: 1)
Dec 23, 2019 00:40:46.341 [0x7fcbc77fe700] DEBUG - Using X-Forwarded-For: [REQUEST IP] as remote address
Dec 23, 2019 00:40:46.341 [0x7fcbc67fc700] DEBUG - Request: [172.28.0.3:55964 (WAN)] GET /web/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.css (2 live) Signed-in
Dec 23, 2019 00:40:46.341 [0x7fcbc67fc700] DEBUG - Final path: “/usr/lib/plexmediaserver/Resources/Plug-ins-349e9837e/WebClient.bundle/Contents/Resources/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.css”
Dec 23, 2019 00:40:46.341 [0x7fcbc67fc700] DEBUG - Content-Length of /usr/lib/plexmediaserver/Resources/Plug-ins-349e9837e/WebClient.bundle/Contents/Resources/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.css is 976000 (of total: 976000).
Dec 23, 2019 00:40:46.345 [0x7fcbc77fe700] DEBUG - Using X-Forwarded-For: [REQUEST IP] as remote address
Dec 23, 2019 00:40:46.347 [0x7fcbc67fc700] DEBUG - Request: [172.28.0.3:55966 (WAN)] GET /web/js/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.js (3 live) Signed-in
Dec 23, 2019 00:40:46.347 [0x7fcbc67fc700] DEBUG - Final path: “/usr/lib/plexmediaserver/Resources/Plug-ins-349e9837e/WebClient.bundle/Contents/Resources/js/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.js”
Dec 23, 2019 00:40:46.347 [0x7fcbc67fc700] DEBUG - Content-Length of /usr/lib/plexmediaserver/Resources/Plug-ins-349e9837e/WebClient.bundle/Contents/Resources/js/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.js is 4139330 (of total: 4139330).
Dec 23, 2019 00:40:46.472 [0x7fcbc77fe700] DEBUG - Completed: [172.28.0.3:55964] 200 GET /web/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.css (3 live) 131ms 976000 bytes (pipelined: 2)
Dec 23, 2019 00:40:47.218 [0x7fcbc77fe700] DEBUG - Completed: [172.28.0.3:55966] 200 GET /web/js/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.js (3 live) 872ms 4139330 bytes (pipelined: 1)

================================================

++++NGINX ACCESS LOG++++

- [23/Dec/2019:00:40:46 +0000] - [REQUEST IP] - "GET /web/index.html HTTP/2.0" 200 3580 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362" "-" TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384
- [23/Dec/2019:00:40:48 +0000] - [REQUEST IP] - "GET /web/js/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.js HTTP/2.0" 200 4139330 "https://plex.____.io/web/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362" "-" TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384
- [23/Dec/2019:00:40:49 +0000] - [REQUEST IP] - "GET /web/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.css HTTP/2.0" 200 976000 "https://plex.____.io/web/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362" "-" TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384

================================================

++++PLEX PREFERENCES.XML++++

<Preferences OldestPreviousVersion="1.18.3.2156-349e9837e" MachineIdentifier="[ ]" ProcessedMachineIdentifier="[ ]" AnonymousMachineIdentifier="[ ]" MetricsEpoch="1" AcceptedEULA="1" FriendlyName="[ ]" PublishServerOnPlexOnlineKey="0" PlexOnlineToken="[ ]" PlexOnlineUsername="[ ]" PlexOnlineMail="[ ]" PlexOnlineHome="1" DlnaEnabled="0" DvrIncrementalEpgLoader="0" CertificateVersion="2" CertificateUUID="[ ]" PubSubServer="[IP]" PubSubServerRegion="fra" PubSubServerPing="4" LastAutomaticMappedPort="0" GdmEnabled="0" customConnections="https://plex.____.net:443" ManualPortMappingMode="1" ManualPortMappingPort="32400" LanguageInCloud="1" LogVerbose="0" LogDebug="0"/>

================================================

++++NGINX PROXY CONFIG EXCERPT++++

location / {
    proxy_pass http://plex_subnet_ip:32400;  # same subnet as nginx
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect      off;
    proxy_buffering     off;

    # Websockets
    proxy_http_version   1.1;
    proxy_set_header     Upgrade $http_upgrade;
    proxy_set_header     Connection "upgrade";
}
================================================
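
One way to cross-check the two logs in the post above, as an added example that is not part of the original thread: the script pairs each Plex "Completed" line with the nginx access-log entry for the same request and flags differences in status or byte count. It assumes the number after the status in the poster's custom combined_ssl format is the bytes-sent field; the function names are illustrative.

```python
import re

# Log lines taken from the post above; the nginx user agent is shortened to "UA".
PLEX_LOG = """\
Dec 23, 2019 00:40:46.313 [0x7fcbc7fff700] DEBUG - Completed: [172.28.0.3:55964] 200 GET /web/index.html (2 live) 1ms 10146 bytes (pipelined: 1)
Dec 23, 2019 00:40:46.472 [0x7fcbc77fe700] DEBUG - Completed: [172.28.0.3:55964] 200 GET /web/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.css (3 live) 131ms 976000 bytes (pipelined: 2)
Dec 23, 2019 00:40:47.218 [0x7fcbc77fe700] DEBUG - Completed: [172.28.0.3:55966] 200 GET /web/js/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.js (3 live) 872ms 4139330 bytes (pipelined: 1)
"""
NGINX_LOG = """\
- [23/Dec/2019:00:40:46 +0000] - [REQUEST IP] - "GET /web/index.html HTTP/2.0" 200 3580 "-" "UA" "-" TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384
- [23/Dec/2019:00:40:48 +0000] - [REQUEST IP] - "GET /web/js/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.js HTTP/2.0" 200 4139330 "https://plex.____.io/web/index.html" "UA" "-" TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384
- [23/Dec/2019:00:40:49 +0000] - [REQUEST IP] - "GET /web/chunk-2-e162212ebcf8fdffcb8f-plex-4.12.3-3f7851c.css HTTP/2.0" 200 976000 "https://plex.____.io/web/index.html" "UA" "-" TLSv1.2/ECDHE-ECDSA-AES256-GCM-SHA384
"""

# Plex "Completed" line: status, method, path, then the byte count.
PLEX_RE = re.compile(r"Completed: \[[^\]]+\] (\d{3}) (\w+) (\S+) .*? (\d+) bytes")
# nginx line: "METHOD path HTTP/x" status bytes. Treating the second number as
# bytes sent is an assumption; the page does not define combined_ssl.
NGINX_RE = re.compile(r'"(\w+) (\S+) HTTP/[\d.]+" (\d{3}) (\d+) ')

def parse_plex(text):
    """Map "METHOD path" -> (status, bytes) as logged by Plex."""
    return {f"{m[2]} {m[3]}": (int(m[1]), int(m[4])) for m in PLEX_RE.finditer(text)}

def parse_nginx(text):
    """Map "METHOD path" -> (status, bytes) as logged by nginx."""
    return {f"{m[1]} {m[2]}": (int(m[3]), int(m[4])) for m in NGINX_RE.finditer(text)}

def correlate(plex, nginx):
    """Classify every request seen on either side of the proxy."""
    findings = {}
    for key in sorted(set(plex) | set(nginx)):
        up, down = plex.get(key), nginx.get(key)
        if up is None:
            findings[key] = "nginx only (no matching Plex entry)"
        elif down is None:
            findings[key] = "Plex only (no matching nginx entry)"
        elif up[0] != down[0]:
            findings[key] = f"status differs: Plex {up[0]}, nginx {down[0]}"
        elif up[1] != down[1]:
            findings[key] = f"size differs: Plex {up[1]} B, nginx {down[1]} B"
        else:
            findings[key] = "match"
    return findings

if __name__ == "__main__":
    for request, finding in correlate(parse_plex(PLEX_LOG), parse_nginx(NGINX_LOG)).items():
        print(f"{finding:45} {request}")
```

A byte-count difference alone is not an error, since compression changes the size on the wire; a missing entry or a differing status is the stronger signal.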

First thing that catches my eye is that you’re mixing HTTP and HTTPS. It’s been years since I played with nginx and reverse proxies but iirc you can’t redirect HTTP to HTTPS and back to HTTP directly like that

Interesting…so this is what I think I have set up:

  1. https request for plex.____.net is initiated remotely.
  2. DNS routes the request to the plex host, it hits port 443 which nginx is listening to.
  3. nginx terminates the tls so this is the point that https —> http. FYI that’s the first half of the config file which I didn’t provide before but I’ve put it below for the sake of completeness. I’ve omitted the tls minutiae which are in the snippet file but it’s been tested with SSL Labs and had the A+ result.
  4. nginx ‘proxy_passes’ what is now the http request to plex’s listening port 32400.
  5. The final step(s) are plex responding in http, nginx converting it to https and delivering https as a response to the remote request, i.e. it all happens in reverse.

As I said, that’s what I think my setup and config files are designed to achieve but it would be great to get your perspective and any suggested modifications. I’m pretty new to this so all input is most welcome.

==================================
upstream plex-upstream {
    server 172.28.0.2:32400;
    keepalive 16;
}

server {
    listen 80;
    server_name plex.____.net;
    return 301 https://plex.____.net$request_uri;
}

server {
    listen 443 ssl http2;
    server_name plex.____.net;

    access_log /etc/nginx/logs/plex_access.log combined_ssl;

    ssl_certificate /acme/certs/____.net_ecc/fullchain.cer;
    ssl_certificate_key /acme/certs/____.net_ecc/____.net.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /acme/certs/____.net_ecc/ca.cer;
    resolver 1.1.1.1 valid=300s;
    resolver_timeout 5s;
    include snippets/ssl_and_security.conf;
