I’m running my Plex install behind a reverse proxy (nginx for the proxy and Plex is running in Docker) so that it is available at https://plex.example.com:443. That’s what I’ve added to the “Custom server access URLs” setting and I’ve disabled remote access but I still see clients connecting to 192-168-1-5..plex.direct:32400/
Is there a way to delete that from my Plex account so that all access is forced through the reverse proxy?
Short of signing your server out of your account (which would be self-defeating) no, there is no way to prevent your server’s local IP address from being published in this manner.
I am curious though why this would be beneficial for your use case. That URL will only be accessible for your server from local clients; remote clients will use your custom server access URL and will, presumably, be forced through your reverse proxy. Local clients will be able to access the server directly, assuming your network topology and configuration allow it.
Agreed that it isn’t a deal breaker but being able to funnel all traffic to Plex through one control point has benefits for centralized monitoring, reporting and enforcing security controls. The reverse proxy sits in front of a number of services so it’s easier to get an aggregate view using its logs than going to each individual service.
The reason this came up at all is that I had changed Plex to just listen on localhost (allowLocalhostOnly="1" in Preferences.xml) and then have nginx talk to it over a localhost connection. When I did this my Sonos speakers could no longer play music (though I could browse the library). They ignored the custom URL and tried to connect to the plex.direct name which didn’t work because Plex was only listening on localhost:32400. Strangely I could Cast from the Plex app on my phone to the Sonos speakers.
So yes, it’s a corner case, but it doesn’t seem like setting a custom URL, disabling remote access and only listening on localhost work the way they should IMHO.
Fair, but one could argue that any additional security benefits afforded by funneling local clients through a reverse proxy would be negligible. It is already possible to force Plex to use a strict TLS configuration, which…
And any monitoring/reporting you enable/collect via the proxy would provide very little information in the way of determining how the users of your server use it. Connection stats, sure. But unless you’re MITMing these connections you’re still going to have to rely on Plex (or Tautulli, or something else) to see any real information about what they’re watching.
Given the undocumented nature of that particular setting, I don’t think it’s safe to make any assumptions about its operation and how it interacts with other functions. For all we know it could just be a leftover debug setting for internal testing, never intended to be used in a “production” environment.
Anyway, I’m just playing devil’s advocate here. I’m sure there are plenty of folks here who’d love this idea and I’m not necessarily against it myself. I just don’t particularly see the practical benefits of it.
You can use UFW to block any incoming on the Plex port not coming from your reverse proxy
Note, you should have a plex.local.yourdomain so that local clients don’t unnecessarily route through the public IP
not sure if it would fix this tho
Most reverse proxies terminate the SSL connection, inspect and reencrypt to the upstream server. Reencrypting on a localhost connection and/or a VLAN isn’t really worth the overhead, unless it’s in the same LAN as the clients. The VLAN should be isolated from any other devices other than Plex-specific services.
I do agree that forcing all traffic through a reverse proxy induces another point of failure. Had a few instances where seemingly unrelated config changes would force local clients to route through the public IP (in my case behind a CDN).
Do you mean a literal plex.local.example.com? Or just make sure that my resolver hands out an internal IP for internal clients? I have things set up so that public DNS resolves to my external IP address and the DNS server on my LAN hands out the internal IP.
This is essentially the same as when I had Plex just listen on localhost. So this doesn’t work.
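An added example, not part of any post in this thread: one way to see which clients still reach Plex directly on port 32400 instead of going through the reverse proxy, by parsing `ss -tn` output taken where Plex's listening socket is visible. The sample lines are constructed, and treating loopback as the proxy's address is an assumption based on nginx and Plex sharing a host as described above.

```python
import ipaddress
from collections import Counter

PLEX_PORT = 32400                      # Plex port named in the thread
PROXY_PEERS = {"127.0.0.1", "::1"}     # assumption: nginx reaches Plex over loopback

# Constructed sample of `ss -tn` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      127.0.0.1:32400      127.0.0.1:40112
ESTAB  0      0      192.168.1.5:32400    192.168.1.23:49812
ESTAB  0      0      192.168.1.5:32400    192.168.1.23:49813
ESTAB  0      0      [::ffff:192.168.1.5]:32400 [::ffff:192.168.1.40]:51877
ESTAB  0      0      192.168.1.5:443      203.0.113.7:55210
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (normalised address, port)."""
    host, _, port = endpoint.rpartition(":")
    addr = ipaddress.ip_address(host.strip("[]"))
    # Report IPv4-mapped IPv6 peers as plain IPv4 so they match PROXY_PEERS.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return str(addr), int(port)

def direct_plex_peers(ss_output, proxy_peers=PROXY_PEERS, port=PLEX_PORT):
    """Count established connections to the Plex port that bypass the proxy."""
    peers = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header, blank line, or non-established state
        try:
            _, local_port = split_endpoint(fields[3])
            peer_addr, _ = split_endpoint(fields[4])
        except ValueError:
            continue  # unparseable endpoint (e.g. wildcard '*')
        if local_port == port and peer_addr not in proxy_peers:
            peers[peer_addr] += 1
    return dict(peers)

if __name__ == "__main__":
    for peer, count in sorted(direct_plex_peers(SAMPLE_SS).items()):
        print(f"{peer}: {count} direct connection(s) to port {PLEX_PORT}")
```

Peers listed by this check are the clients whose traffic never appears in the proxy's logs, such as devices that follow the plex.direct name rather than the custom server access URL.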