Hi,
Today, direct “Remote Access” for a Plex client results in a direct TCP connection from anyone on the Internet to the Plex app inside the server’s network.
This means that anyone on the Internet can probe it for attack or even DoS it.
This is a bigger security risk than the “Relay” connection Plex enables instead, which is slower but more secure.
I suggest improving the security of the direct option by having the server create ad hoc access/firewall rules, so that it allows HTTP access (ideally even earlier, at the TCP level) only to a client that is actually allowed on this server.
Here is how:
Today, if direct remote access is not possible, the Plex server is exposed to its client through Plex’s Internet servers acting as a relay, which intermediates and “negotiates” between the server and the client; that same mechanism can also help with this idea.
So, this mechanism can also realize my suggestion in the following way (and of course, the outermost firewall/router still needs to open the Plex port for incoming traffic from any source on the Internet, as usual for direct access):
1. The Plex edge server starts up and sends its IP address to the Plex system
2. The Plex edge server applies an access/firewall rule that denies access to anyone outside the allowed internal network
3. A client on the Internet starts up and connects to the Plex system
4. The client authenticates to the Plex system
5. The client’s IP address is recorded in the Plex system
6. The Plex system verifies that the user who authenticated from this client is allowed to access the Plex edge server
7. The Plex system sends the client’s IP to the Plex server
8. The Plex server creates an access/firewall rule to allow direct access to it only from this client (the same process can of course be repeated to allow multiple specific users)
9. The Plex server informs the Plex system that it is now ready to accept direct traffic from the specific allowed client
10. The Plex system informs the client Plex app of the Plex server’s external IP and that it can access it directly
11. The Plex client connects directly to the Plex server
12. The Plex server verifies the source client’s IP and, if it matches, allows direct access while blocking access from all other sources
13. Notes:
13.1. It will need to be decided whether client access from behind a proxy is supported, as it adds some extra complexity
13.2. The Plex edge server’s response to access from non-allowed sources will be minimal, not identifying the server as a Plex system: neither in the human-visible content, nor in the HTML code, nor in the HTTP response headers
13.3. All traffic in all the above steps will of course be HTTPS based, authenticated, and encrypted
Thank you!
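The allowlist flow proposed in the post above, as an added example that is not part of the original post or of Plex’s own software: a Python simulation in which the Plex system authenticates the client, records its source IP, checks the user’s grant for the server, pushes the IP to the edge server, and the edge server then accepts only LAN or allowlisted sources and answers every other source with a minimal reply that does not identify it as Plex. The LAN range, the user table, the token format and the response strings are constructed assumptions for the simulation.

```python
import ipaddress
from dataclasses import dataclass, field

# Reply for non-allowed sources: no Plex identification in body or headers (note 13.2)
MINIMAL_RESPONSE = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
PLEX_RESPONSE = b"HTTP/1.1 200 OK\r\nX-Plex-Protocol: 1.0\r\n\r\n"  # constructed stand-in

@dataclass
class PlexEdgeServer:
    """The Plex server inside the home network; it controls its own host firewall."""
    external_ip: str
    lan: ipaddress.IPv4Network = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN
    allowed: set = field(default_factory=set)  # per-client allow rules, empty at start
    def allow_client(self, client_ip: str) -> None:
        # Allow exactly this source address, nothing wider (one rule per client)
        self.allowed.add(ipaddress.ip_address(client_ip))
    def handle_connection(self, src_ip: str) -> bytes:
        # LAN or explicitly allowed remote sources reach the real service;
        # every other source only ever sees the minimal non-identifying reply
        src = ipaddress.ip_address(src_ip)
        if src in self.lan or src in self.allowed:
            return PLEX_RESPONSE
        return MINIMAL_RESPONSE

class PlexSystem:
    """Plex's central service, brokering between the client and the edge server."""
    def __init__(self, users: dict):
        self.users = users        # user -> password (constructed stand-in for real auth)
        self.servers = {}         # server_id -> PlexEdgeServer
        self.grants = {}          # server_id -> users allowed to reach that server
        self.sessions = {}        # token -> (user, client_ip)
    def register_server(self, server_id: str, server: PlexEdgeServer, allowed_users) -> None:
        # The edge server announces itself; its firewall is still closed to the Internet
        self.servers[server_id] = server
        self.grants[server_id] = set(allowed_users)
    def login(self, user: str, password: str, client_ip: str):
        # Authenticate the client and record the source IP it connected from
        if self.users.get(user) != password:
            return None
        token = f"tok-{user}-{len(self.sessions)}"
        self.sessions[token] = (user, client_ip)
        return token
    def request_direct_access(self, token: str, server_id: str):
        # Check the user's grant, push the client IP to the server, hand back its address
        user, client_ip = self.sessions[token]
        if user not in self.grants.get(server_id, set()):
            return None
        server = self.servers[server_id]
        server.allow_client(client_ip)
        return server.external_ip
```

The per-client rule keys on the source address only, so a client behind a shared proxy or NAT would open the server to everyone sharing that address, which is the complexity note 13.1 refers to.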