Server Version#: 1.20.4.3517
Player Version#: web 4.46.2
So I have been using Reverse Proxy for a long time to allow me to go to plex.mydmain.com to access plex over web. I had it set up like @jugzadmin posted here: [Apache] Reverse SSL Proxy not working
But after update to Server Version 1.20.4.3517 it has stopped working, and the loading stops after the plex logo appears.
There are no errors in the network log in the web browser (Chrome F12), it just stops.
There are no errors in Plex Media Server.log.
There are no errors in apache.
So I’m pretty lost, anyone have working apache Proxy rewrite and combined ->https forward Reverse SSL proxy config for latest plex server release?
Ok, so I have done some digging with verbose logging and comparing the logfiles when using the proxy rewrite, and direct ip access.
The ProxyRewrite log stops just prior to this line appearing in the direct ip log comparison:
DEBUG - Request: [xx.xx.xx.xx:45090 (Subnet)] GET /web/translations/en.json (11 live) GZIP Signed-in
This leads me to believe that this is something new, that now falls outside of the proxy rewrite code in the apache configuration. Since I did not develop this Proxy rewrite code (original thread linked), I’m struggling a bit to turn on the big brain power here to figure out how to fix it. If this is actually the issue.
I suspect the translation request doesn’t trigger a rewrite condition? Here is that section of the apache site file from the original thread I linked above:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
RewriteRule ^/$ /web/$1 [R,L]
Any ideas? I’m particularly looking at you @jugzadmin but anyone feel free to chime in, thanks!
Actually, it was none of that.
Turns out there is something fubar in one of the lines that tightens security. I started by commenting out most of them, but in the end, there was only one line in particular that was the source of the issue in the latest plex version, namely the line starting with “Header always set Content-Security-Policy”
Hi there.
I hadn’t used my web version for a long while. Mine is still broken. It is stuck at the Plex logo and I do not have the CSP enabled at all.
I do have an error in my Console:
chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.js:1 Failed to load resource: net::ERR_CONNECTION_RESET
I don’t know, it’s working for me now that I commented out that one line that was causing the issues. Here is my complete config for reference:
Replace <PLEXDOMAIN> <EMAIL> <CERTDOMAIN> with your settings.
<IfModule mod_ssl.c>
    DEFINE plex_url localhost
    DEFINE plex_port 32400
    DEFINE serv_name <PLEXDOMAIN>
    ServerTokens Prod
    SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
    SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    ModPagespeed Off
    <VirtualHost *:80>
        ServerName ${serv_name}
        ServerAdmin <EMAIL>
        Redirect / https://<PLEXDOMAIN>
        ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
        CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
    </VirtualHost>
    <VirtualHost *:443>
        ServerName ${serv_name}
        DocumentRoot /var/www/html
        ServerAdmin <EMAIL>
        ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
        CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
        ### Let's Encrypt Section ###
        SSLCertificateFile /etc/letsencrypt/live/<CERTDOMAIN>/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/<CERTDOMAIN>/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/<CERTDOMAIN>/fullchain.pem
        Options -Includes -ExecCGI
        ### Deny http1.0 requests ###
        RewriteEngine On
        RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
        RewriteRule ^ - [F]
        ### Harden Security ###
        ProxyRequests Off
        ProxyPreserveHost On
        ProxyTimeout 600
        ProxyReceiveBufferSize 4096
        SSLProxyEngine On
        RequestHeader set Front-End-Https "On"
        ServerSignature Off
        SSLCompression Off
        SSLUseStapling On
        SSLStaplingResponderTimeout 20
        SSLStaplingReturnResponderErrors Off
        SSLSessionTickets Off
        RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
        Header always set Strict-Transport-Security "max-age=15552000; preload"
        Header always set X-Content-Type-Options nosniff
        Header always set X-Robots-Tag none
        Header always set X-XSS-Protection "1; mode=block"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set Referrer-Policy "same-origin"
        Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none';"
        # Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${serv_name}; media-src 'self' blob: ${plex_url} ${serv_name}; script-src 'self' 'unsafe-inline' ${plex_url} ${serv_name} plex.tv www.gstatic.com; style-src 'self' ${plex_url} ${serv_name}; img-src 'self' data: blob: ${plex_url} ${serv_name} plex.tv *.plex.tv; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${serv_name} plex.tv *.plex.direct *.plex.tv;"
        SSLCipherSuite ECDHE+RSA+AES256+GCM+SHA512:DHE+RSA+AES256+GCM+SHA512:ECDHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES256+SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
        ### Plex Specific Section ###
        ProxyPass / http://${plex_url}:${plex_port}/
        ProxyPassReverse / http://${plex_url}:${plex_port}/
        ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
        ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
        ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
        ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
        LimitRequestBody 512000
        FileETag None
        TraceEnable off
        #Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
        Timeout 60
        <Location /:/websockets/notifications>
            ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications
            ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications
        </Location>
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        RewriteEngine on
        RewriteCond %{REQUEST_URI} !^/web
        RewriteCond %{HTTP:X-Plex-Device} ^$
        RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
        RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
        RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
        RewriteRule ^/$ /web/$1 [R,L]
    </VirtualHost>
</IfModule>
I think it was a cache thing. I switched browsers and magically it started working again.
Had the same problem. This also worked for me. I am curious what security implications commenting this out presents.
Glad I could help. Not sure about the implications, but I have other sites where I have never had these settings, so I am not too worried.
This solution worked for me.
Closed by system on March 10, 2021, 1:44am.
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
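
On the question raised above about commenting out the Content-Security-Policy line: with that header gone the browser no longer restricts which origins this site's scripts, styles, media and connections may come from, while the other hardening headers in the config still apply. The fragment below is an added example (not from the thread, from @jugzadmin's config, or from Plex) that keeps the same policy in report-only mode so the directive the newer web client violates can be identified. The policy string is copied from the config posted above; `<REPORT_ENDPOINT>` is a placeholder.

```apache
# Added example, not part of the original thread.
# Place inside <VirtualHost *:443>, where the commented-out
# Content-Security-Policy line sits. Requires mod_headers.

# Thread workaround, for comparison: the policy is disabled entirely.
# # Header always set Content-Security-Policy "..."

# Step 1: send the same policy as Content-Security-Policy-Report-Only.
# The browser blocks nothing, so the web app loads, and every violation is
# logged in the browser console (F12) with the directive that would have
# blocked the load.
Header always set Content-Security-Policy-Report-Only "default-src 'self' https:; font-src 'self' data: ${plex_url} ${serv_name}; media-src 'self' blob: ${plex_url} ${serv_name}; script-src 'self' 'unsafe-inline' ${plex_url} ${serv_name} plex.tv www.gstatic.com; style-src 'self' ${plex_url} ${serv_name}; img-src 'self' data: blob: ${plex_url} ${serv_name} plex.tv *.plex.tv; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${serv_name} plex.tv *.plex.direct *.plex.tv;"

# Optional: to collect violations from all clients instead of reading one
# browser console, append a reporting directive to the policy string, e.g.
#   report-uri <REPORT_ENDPOINT>;
# (<REPORT_ENDPOINT> is a placeholder for a URL that accepts the reports.)

# Step 2: adjust only the directives named in the console messages, reload
# until no violations are logged, then switch the header name back so the
# adjusted policy is enforced again:
# Header always set Content-Security-Policy "<adjusted policy from step 1>"
```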