I have my Plex server set up on my network, with ZERO accessibility from outside my network except via VPN, so I have no need to authentication and frankly, hate it. I’ve added my subnet as well as the authorized subnets that can reach it via VPN to the ‘List of IP addresses and networks that are allowed without auth’ section, however, this only works if the server is accessed by IP - if accessed by private FQDN, I get redirected to the plex.tv authentication page - I DO NOT want this - I DO NOT want it redirecting under ANY circumstances. EVER. How can I COMPLETELY disable this?
As I have said in the HomeAssistant community related to their authentication, I get why the feature has been added - I get why it’s enabled by default, but you should also give a way to totally disable it for those that know what they’re doing. HomeAssistant seems to have fixed their issues and their ‘Trusted Networks’ list actually does work now - Plex’s does not work right (If it did, it would not matter if I connect via IP or FQDN as the source IP is the same either way). Further, and more importantly, HomeAssistant’s auth is all local - no connectivity to internet servers for auth, which made it merely a nuisance where it’s not required. Plex servers reach out for auth to internet servers, and if the Plex auth servers should become compromised, that means that there’s a compromised tunnel into my server. If it wasn’t for the fact that I pay for Plex Pass and use the DVR functionality, I would hard block all internet access for the Plex server at my firewall and only open it up if I add media or want to do updates that require internet access. My guess is that if I were to determine the IP range(s) that the Plex server uses for TV listing updates and block all other internet access, the DVR functionality would stop working as it would be unable to verify PlexPass subscription (Assuming it gets it listings from somewhere other than Plex).
If it is not possible to TOTALLY disable it, it SHOULD be an option - even if it’s an absurd process of ‘This will make your server vulnerable to attack’ > ‘Are you sure?’ > ‘Are you REALLY sure?’ > ‘Are you REALLY REALLY sure’ > ‘Are you REALLY REALLY REALLY sure?’ > ‘Are you REALLY REALLY REALLY REALLY sure?’. That way no one could ever say ‘my server was open to the internet and got hacked but no one told me’. Honestly, I’d LOVE to be able to TOTALLY disable and remove the ‘remote access’ portion of Plex as well. If you’re not on my network or one of the three VPN connected subnets, you’re not getting access. PERIOD. And I’m sure I’m not the only one.
Some people have no clue on how to secure their perimeter and would just open up their Plex server to the internet with no authentication. It’s for these people that this authentication exists. But some of us know how to secure our perimeter. And if this was just local authentication, it would be more of a nuisance at most, but because it has tendrils out to the Plex servers for auth, it’s a vulnerability. I HATE ‘the cloud’. I don’t want, nor do I have, ANY of my data in ‘the cloud’. If your servers should become compromised, I don’t trust that there’s NO WAY for that compromise to make it’s way into my server or other peoples servers.
So… HOW do we totally disable this? If it needs to reach out and ‘ping’ the Plex servers to make sure that the PlexPass is current, fine, but not being able to disable anything more than that being required is unacceptable.
