I have been pulling my hair out to get PMS to run properly behind a Reverse HTTPS proxy since 1.1 came out because it stopped working then. It used to work fine on the 1.0.x release. Web access still works fine but PLEX Clients stopped working from 1.1
I think I just discovered why. I use the CUSTOM SERVER ACCESS URLS in NETWORKS to publish my server with the FQDN and port of my reverse proxy certificate and port. However - when checking the published URL’s in your API web service the CUSTOM URL is only listed as internal - not external.
So Im guessing all remote clients ignore the published custom url and try the IP address based one thats listed as remote. But my reverse proxy neither has my remote IP as a FQDN in it’s certificate, nor does it allow access without a properly formatted URL containing the Fully qualified certificate name.
Any chance to have the CUSTOM SERVER ACCESS URLS published as remote as well?
No, it will publish the URL i write in that box just fine. Trouble is it will be published and marked as local only - not remote. So all my clients (when being outside my home net) does not use the URL as it’s not marked for remote use. And I need that to have clients use a proper formatted URL to match my certificate on my reverse proxy.
all my clients (when being outside my home net) does not use the URL as it’s not marked for remote use. And I need that to have clients use a proper formatted URL to match my certificate on my reverse proxy.
Which clients ? and do you have logs ?
Last time this was raised, the feedback was that it did not matter that it was flagged as local
Specifically the IOS client. It will no longer connect if I put a reverse proxy in front. Direct Web access works fine as does the Windows Universal Client through he proxy.
It seems the IOS client does not use the custom URL (Perhaps because its marked “local”) and hence fails access as my reverse proxy only allows requests with the proper FQDN URL. The reverse proxy works if the proper FDQN URL is used.
I found no way to have the IOS client log what it does when attempting to connect, so I have no logs.
PLEX’s own “enable remote access” checker also seems to ignore the custom URL (since v1.1).
It will no longer say remote access is succesfully enabled even though it works. And i’m guessing thats because it’s denied in my reverse proxy because that requires the proper FQDN url. It used to work up until v1.1 of PMS.
So it appears to be two problem areas relating to the reverse proxy and domains
For the iOS issue,
I would suggest you raise it in the iOS forum with verbose logging enabled in the iOS debugging settings and getting all the Plex for iOS zipped logs (through Settings / Debugging / Email Debugging Data when it fails to connect and providing that zip with the connection info for your server
The ioS app does log connection attempts - did you try it with verbose enabled?
You can get that from https://plex.tv/pms/resources.xml?includeHttps=1&X-Plex-Token=xxxxxxxxxxxxxxxx
Before you upload zip of the xml with logs, edit it to mask out part of the data, eg your tokens, part of public IP address
The other would need plex web app log and plex media server.log when enabling remote access to see how it is handled- best to do it after a restart of plex media server
In fact, since the IP based autogenerated remote access URL does not work with my reverse proxy, is there any way I could have that removed from the publishing service (so it only contains my custom URL as the remote access URL)?
I have been working my but off getting this to work, but it seems Plex since v1.1 just will not work behind my reverse proxy. I have now studied logs and such, but enabling the remote access always fails (even though I now allow the IP based URL to be used in the reverse proxy). And since it fails, it never registers the remote access URL in the discovery XML.
So the only way to get it working remotely for some clients is to use the CUSTOM SERVER ACCESS URLS or CUSTOM CERTIFICATE DOMAIN. Both will register an URL that will work from remote even though its marked local, but apparantly the IOS client does not use URLS marked as local (contrary to the Windows Universal Client).
So I guess the main problem is my reverse proxy specifically does not work for the “Enable Remote Access” proces.
When the proces is failed I can still access my site through the Web Client or the Windows Universal Client. So generally, parts of the reverse proxy works.
Any idea what the “Enable Remote Access” process does that might fail through a reverse proxy? Does it do something outside of HTTP(s) which is then discarded?
