[BUG] EventSourceClient/pubsub does not utilize http(s)_proxy variables

Server Version#: 1.40.4.8679

I noticed that after exporting both http_proxy and https_proxy variables in the Plex server’s systemd service file that all outbound Plex traffic EXCEPT pubsub.plex.tv was using my proxy.

It is strange that all but one component of the server are using the proxy.

This seems like a strange place to suddenly not implement forward proxy capabilities.
Can anyone comment on why this portion of the server refuses to use the proxy?

Side note:

It appears that plex pubsub also uses hard coded IP addresses for this component.

I did a packet capture from boot for any port 53 and 443 traffic, and pubsub.plex.tv was NEVER queried despite several connection attempts to the various IPs of pubsub.plex.tv.

I even went as far as to block my proxy access as well as all DNS traffic for the entire Plex VM, and the server continued to make HTTPs port 443 requests to the various IPs of pubsub.plex.tv, EVEN after reboot. (Note: I block all traffic by default on my network firewall, so it's not bypassing via another port or anything)

So unless the server is caching these IPs on disk (which might be more dishonorable…), it is indeed hard coding these IPs.

I don’t think it's great practice to circumvent DNS lookups for any component of a server.

Follow up on the Side note:

I was doing some searching and came across this forum post:

Reading that seems to imply that pubsub DEFINITELY hard codes these IPs.

Seems relevant to the main issue here though, as if someone is lazy enough to hard code the IPs in the pubsub component, it would also stand to reason that they would not implement proxy support…

I’m not mad, I’m just disappointed.

Just attempted to do TLS mitm against the pubsub connections.
Despite putting a proper TLS CA cert in Plex’s store, located at /usr/lib/plexmediaserver/Resources/cacert.pem, I was unable to get pubsub to accept the CA. This CA store is functional and allows terminating TLS connections for all other Plex components (As I am presently doing for my HTTPs proxy).

This shows that pubsub is fairly removed from the first party Plex stack. Not sure if Plex has control over the development of that side of things?
Will investigate further.

Found a cool blog post about some other issue, but it mentions something interesting:

The interesting line being this one:

plex.tv has us load pubsub.plex.tv which instructs your browser to make multiple follow-up requests for server discovery

And this forum post also has something similar:

According to that thread, here is the list of Plex pubsub servers:
https://plex.tv/services/pubsub/servers

One of the IPs you mentioned is listed there, and the thread gives reasons why others might not be listed. It isn't clear to me if their relay service uses those same IPs or different ones.

Currently it leads to an error html page asking you to sign in (I attempted to send my plex.tv account login cookie, but no go).
Reviewing my proxy logs for the plex.tv domain, I see the following request immediately before plex attempts to connect to pubsub.plex.tv:

"method":"GET","httpVer":"1.1","url":"https://plex.tv/services/pubsub/servers"

So I can confirm that Plex is, for some reason, avoiding DNS lookups for pubsub and is instead distributing the IPs for the domain via their main plex.tv domain.

I don’t think this is a great practice. Whether or not this was done to purposely evade local security filtering, it nevertheless has the same end result: DNS filtering for pubsub is impossible.
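The following is an added example, not part of the original posts and not Plex code: it shows one way to find, in a capture summary like the port 53/443 capture described above, direct connections to IPs that the host never received in a DNS answer. The `Event` record format, the function name, the fixed `max_age` window (used here instead of real record TTLs) and every address (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                 # hypothetical record format, one per packet of interest
    ts: float                # seconds since capture start
    kind: str                # "dns" = response received by src, "conn" = outbound TCP SYN
    src: str                 # internal host
    name: str = ""           # queried name (dns only)
    ips: tuple = ()          # answer addresses (dns) or the one destination (conn)
    port: int = 0            # destination port (conn only)

def unresolved_connections(events, client, expected=frozenset(), max_age=3600.0):
    """Return conn events from `client` whose destination was not in any DNS
    answer that client received in the preceding `max_age` seconds."""
    last_answer = {}         # ip -> time of the latest DNS answer containing it
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src != client:
            continue
        if ev.kind == "dns":
            for ip in ev.ips:
                last_answer[ip] = ev.ts
        elif ev.kind == "conn":
            dst = ev.ips[0]
            if dst in expected:              # e.g. the forward proxy itself
                continue
            seen = last_answer.get(dst)
            if seen is None or ev.ts - seen > max_age:
                flagged.append(ev)
    return flagged

# Constructed sample capture; all addresses are documentation ranges.
PROXY, CLIENT = "192.0.2.10", "192.0.2.50"
CAPTURE = [
    Event(1.0, "dns", CLIENT, "proxy.example.internal", (PROXY,)),
    Event(1.2, "conn", CLIENT, ips=(PROXY,), port=3128),
    Event(2.0, "dns", CLIENT, "example.org", ("198.51.100.7",)),
    Event(2.1, "conn", CLIENT, ips=("198.51.100.7",), port=443),
    Event(5.0, "conn", CLIENT, ips=("203.0.113.21",), port=443),   # never resolved
    Event(9.0, "conn", CLIENT, ips=("203.0.113.22",), port=443),   # never resolved
    Event(9.5, "conn", "192.0.2.60", ips=("203.0.113.21",), port=443),  # other host
]

if __name__ == "__main__":
    for ev in unresolved_connections(CAPTURE, CLIENT, expected={PROXY}):
        print(f"{ev.ts:6.1f}s {ev.src} -> {ev.ips[0]}:{ev.port} (no prior DNS answer)")
```
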
