You can use UFW to block any incoming traffic on the Plex port not coming from your reverse proxy.
Note, you should have a plex.local.yourdomain so that local clients don’t unnecessarily route through the public IP.
Not sure if it would fix this though.
Most reverse proxies terminate the SSL connection, inspect and re-encrypt to the upstream server. Re-encrypting on a localhost connection and/or a VLAN isn’t really worth the overhead, unless it’s in the same LAN as the clients. The VLAN should be isolated from any other devices other than Plex-specific services.
Most traffic inspection on reverse proxies is for error logging and security purposes like setting up a WAF or injecting CSP headers.
I do agree that forcing all traffic through a reverse proxy induces another point of failure. Had a few instances where seemingly unrelated config changes would force local clients to route through the public IP (in my case behind a CDN).
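
The UFW restriction suggested above, as an added example that is not part of the original posts: it builds the two rules in the order UFW needs them and prints them as a dry run unless told to apply. Assumptions: Plex listens on its default port 32400/tcp, the reverse proxy runs on a separate host, and `192.0.2.10` is a placeholder documentation address for it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumed values: Plex on its default port 32400/tcp and a
# reverse proxy on another host (192.0.2.10 is a placeholder address).
PLEX_PORT="${PLEX_PORT:-32400}"

# Print the ufw commands for one proxy address.
# UFW evaluates rules in order and stops at the first match, so the allow
# for the proxy has to be added before the general deny on the same port.
plex_ufw_rules() {
    proxy_ip="$1"
    # Reject anything that is not digits and dots before it reaches a
    # command line (empty input, hostnames, shell metacharacters).
    case "$proxy_ip" in
        ''|*[!0-9.]*)
            echo "invalid IPv4 address: $proxy_ip" >&2
            return 1
            ;;
    esac
    echo "ufw allow proto tcp from $proxy_ip to any port $PLEX_PORT comment 'plex via reverse proxy'"
    echo "ufw deny proto tcp from any to any port $PLEX_PORT comment 'plex direct access'"
}

# Dry run by default: only prints the commands.
# Set APPLY=1 and run as root to execute them.
apply_plex_rules() {
    rules=$(plex_ufw_rules "$1") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do
            sh -c "$cmd" || exit 1
        done
    else
        printf '%s\n' "$rules"
    fi
}

apply_plex_rules "${1:-192.0.2.10}"
```

After applying, `ufw status numbered` should list the allow rule above the deny rule; if an older deny for the same port sits higher in the list, the proxy is blocked as well.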