I have a PMS on my NAS with enabled public access. I setup a DNS for it and I can get into the app via url like plex.my.site.
But not only me. Everybody can. He or she will be presented with a SignIn/SignUp form. Where as I understand he/she can login or even create a new account. But how does it relate to my server?
What will happen if other people sign in into their accounts on my PMS? What will happen if they sign up (create a new account)?
How to restrict using PMS to a single user account?
@evilshrike said:
I have a PMS on my NAS with enabled public access. I setup a DNS for it and I can get into the app via url like plex.my.site.
Why using an own domain?
Using an own domain name makes the whole thing more complicated to configure securely.
Just activate remote access. When out of home, go to plex.tv and log in there with your Plex credentials.
Done.
But not only me. Everybody can. He or she will be presented with a SignIn/SignUp form. Where as I understand he/she can login or even create a new account. But how does it relate to my server?
Not at all.
What will happen if other people sign in into their accounts on my PMS? What will happen if they sign up (create a new account)?
They will be signed into their own plex.tv account, but still won’t have access to your server.
How to restrict using PMS to a single user account?
It is that way by default.
(Unless you used a preconfigured Plex jail from the internet which has security disabled.
But if you use a current release and don’t make complicated routings with reverse proxies etc, you are reasonably safe.)
Why using an own domain?
Using an own domain name makes the whole thing more complicated to configure securely.
Just activate remote access. When out of home, go to plex.tv and log in there with your Plex credentials.
Makes sense. But it’s strange for me to use some 3rd-party service in Internet to access my own device standing nearby.
I want my PMS to be accessible via an uniform url regardless where am I.
How to restrict using PMS to a single user account?
It is that way by default.
Not at all
(Unless you used a preconfigured Plex jail from the internet which has security disabled.
But if you use a current release and don’t make complicated routings with reverse proxies etc, you are reasonably safe.)
I installed the official package from plex.tv onto my NAS, enabled remote access, then setup port forwarding on my router. It’s mandatory for remote access to work, right? I already have a DNS for my NAS. Obviously it’s handy for many reason. So my PMS already was accessible from Internet (even w/o DNS). As you enabled remote access all that restrict from accessing your server is knowing your public IP. It’s not secure already.
Adding a DNS to this picture doesn’t make the configuration less secure. It makes it more handy for normal usage.
What will happen if other people sign in into their accounts on my PMS? What will happen if they sign up (create a new account)?
They will be signed into their own plex.tv account, but still won’t have access to your server.
I don’t want they to sign to their own account via my server. Even if they won’t get access to my media.
I want only me to be allowed using it.
So definitely PMS should has an ability to restrict usage of its WebApp to limited set of users and do not work as a public node of plex.tv.
Is it possible?
@evilshrike said:
Makes sense. But it’s strange for me to use some 3rd-party service in Internet to access my own device standing nearby.
I want my PMS to be accessible via an uniform url regardless where am I.
It may be strange, but doing so will achieve two things:
You’ll have a cryptographically secured connection to your server, with a certificate that is nailed to your particular server.
A uniform access URL, no matter where you are.
I already have a DNS for my NAS. Obviously it’s handy for many reason. So my PMS already was accessible from Internet (even w/o DNS). As you enabled remote access all that restrict from accessing your server is knowing your public IP. It’s not secure already.
Adding a DNS to this picture doesn’t make the configuration less secure. It makes it more handy for normal usage.
It makes it less secure, because you don’t have a fitting cryptographic certificate for your custom URL.
(one that is considered ‘trusted’ across all the different Plex client devices)
I don’t want they to sign to their own account via my server. Even if they won’t get access to my media.
I want only me to be allowed using it.
…
So definitely PMS should has an ability to restrict usage of its WebApp to limited set of users and do not work as a public node of plex.tv.
Is it possible?
No. There must be some means to initiate contact to your server from the outside. e.g. when you are out of home and want to start watching something from it.
The most normal way would be a sign-in form, IMHO.
You’ll have a cryptographically secured connection to your server, with a certificate that is nailed to your particular server.
What certificate do you mean? SSL?
I already have a DNS for my NAS. Obviously it’s handy for many reason. So my PMS already was accessible from Internet (even w/o DNS). As you enabled remote access all that restrict from accessing your server is knowing your public IP. It’s not secure already.
Adding a DNS to this picture doesn’t make the configuration less secure. It makes it more handy for normal usage.
It makes it less secure, because you don’t have a fitting cryptographic certificate for your custom URL.
(one that is considered ‘trusted’ across all the different Plex client devices)
Ah, do you mean SSL certificate for https?
By default you’re accessing your PMS remotely via plex.tv. So public WebApp on plex.tx accesses your server by its IP. That access is done via https. Very good. In this case your PMS is already accessible from Internet (even w/o custom domain). Using https doesn’t change anything here.
If I access my PMS via a custom domain then it’s done via http by default which is less secure I agree. But I can install a cert on my NAS’ Apache (and terminate SSL on it) or install it into Plex (it supports installing a cert for custom domain). But I’m not talking about securing the channel between client and PMS. But about preventing other people from logging in into my PMS (with their own accounts, yes).
It looks like Plex mixes up “remote access” of two natures: 1) accessibility of media server from plex.tv 2) accessibility of web app.
Opening PMS for the 1st reason automatically opens it from 2nd. As so adding custom domain doesn’t change much.
For the 1st reason we don’t need a public SignUp form, just API with good authentication.
To simplify the discussion I’d suggest to forget about custom domains. Let’s just imagine I have a PMS with remote access enabled. You know my public IP (forum admins can know it for example). You can sign in into my Plex WebApp. Is it normal? I believe it’s not.
No. There must be some means to initiate contact to your server from the outside. e.g. when you are out of home and want to start watching something from it.
The most normal way would be a sign-in form, IMHO.
Sure, sign in form, I’m not against it. But Plex WebApp on a home media server should NOT allow signing in other users (not me), moreover signing up a new ones.
It looks like a tremendous flaw.
@evilshrike said:
Sure, sign in form, I’m not against it. But Plex WebApp on a home media server should NOT allow signing in other users (not me), moreover signing up a new ones.
It looks like a tremendous flaw.
they are signing into their account. if you choose to share your server with their account they will have access to your server. if you to not want them to have access to your server then do not share with them. they cannot make a new account and somehow gain access to your or any other server. you need to specifically decide to invite them.
info on how to share your server is outlined here https://support.plex.tv/hc/en-us/sections/200295083-Server-Sharing
@BigWheel it’s clear, but don’t you thing that allow signing in anybody from the wild in my home media server is not a normal thing?
I believe that it should be disabled by default. Plex WebApp (server) should allow login only its home users and invited people, no more.
Currently it looks like a botnet. People install media server, allow remote access for themselves and automatically open plex webapp for the whole world.
Remote access is disabled by default. i’m unclear why you think “anyone in the wild” can access your Plex Media Server. no one can access your server unless you specifically decide to invite them.
and as soon as you sign in your server log in is required even locally, remotely it is always required. you can set specific IP addresses that do not require authentication but that is generally a bad idea except maybe localhost.
based on what you describe you have your NAS set up on a public IP anyone on the planet can access as it they are on the servers local network. that is your network treating others as if they are local and would be accessible if you had plex or not.
most people have their server behind a NAT. you do not.
@BigWheel Because as soon as you enabled remote access (which is obviously common thing) anybody can access your web app. And he or she will be presented with login form where they can sign in with any plex account event if they were not invited. Moreover they can even sign up. Via my home server. WTF?
I didn’t say they can access my library (normally they can’t) but they can use my PMS as webapp for their accounts. I don’t why. It doesn’t matter. It’s possible. And that’s terrible.
all communication by said user will be with Plex public servers and private servers shared to them by other users listed in that users profile
Ok, this makes sense. Thanks.
It’s just a bit unusual architecture for a web app )
