Indirect Connections

Good Morning,

I came across the new indirect relay feature recently, and was wondering how to turn this off. I currently have a Plex Pass, but for the time being still wish to not use the remote access functions. Remote Access has been disabled, but I have not been able to find an option to disable the relays. Any assistance with this would be appreciated.

Currently, there is not a way to turn this feature off. It is being worked on and will hopefully be configurable in a future update.

Okay as a PlexPass user I have a HUGE EFFING PROBLEM with this.

  1. How the heck does Indirect access work?
  2. I would like Indirect access to work for JUST MY OWN ACCOUNT, not ANY of my friends
  3. WHY ON EARTH CAN I NOT TURN THIS OFF NOW?

I have my Plex shared with a number of friends and because of this Indirect access my PMS CPU gets slammed with transcoding tasks when it’s set to OFF for Remote Access.

tl;dr - You’re killin me Smalls!

Then what must be done in order to break this feature on the server, because this is a problem.

@docwho76 said:
Okay as a PlexPass user I have a HUGE EFFING PROBLEM with this.

  1. How the heck does Indirect access work?
    Plex becomes a middle man between your server and client, bypassing port forwarding requirements and such. You can read more on it here: https://support.plex.tv/hc/en-us/articles/216766168-Accessing-a-Server-through-Relay.
  2. I would like Indirect access to work for JUST MY OWN ACCOUNT, not ANY of my friends
    Currently not possible
  3. WHY ON EARTH CAN I NOT TURN THIS OFF NOW?
    I don’t know why this was not possible on the initial release, but it is being worked on and will be turn-offable in a future update.
    I have my Plex shared with a number of friends and because of this Indirect access my PMS CPU gets slammed with transcoding tasks when it’s set to OFF for Remote Access.
    If your remote access is configured properly, you wouldn’t need the indirect connection. This is a fallback when remote access isn’t working.

I haven’t tried but in Windows there is a relay.exe (or similar) that runs to enable the relay function. You can try renaming/removing that file, which should prevent relay from working.

So the only controls we still have left with regards to our hardware and media on it is to share or not share with specific users?

:frowning:

I would just like to add that I am pretty bummed that Plex would implement this feature without a good explanation of the technology behind it and a way to enable it (it should be delivered off by default, IMHO). Plex has said numerous times in the past that they have no idea what you are streaming and that all streaming connections are between the remote client and the server and that Plex is not in the middle of that. It appears that they have now implemented a method to be in the middle and opted everyone in without an opt out option. I am sure it was communicated in some way, since there is a Plex support page for it, but I sure don’t remember seeing it, and something like this should be VERY visible.

My personal take on this is somewhat like Google’s methods of tracking every where and any when someone goes to a web site. This started out small and ballooned into what it is today. Everyone using Plex could possibly expect (at some future time) ads based on their movie or TV watching habits to come through on their Plex clients.

This “feature” sets up the possibilities for this to occur, in any case. And since this isn’t something a local admin can turn off it has the potential for becoming a nightmare. Like watching YouTube with 2 or 3 ads interrupting the video you are streaming, Plex could as easily insert ads into our own media. :frowning: The tracking mechanics are now in place. It’s the ad placement part that tells me when it’s time to move to a different solution.

Gone are the days of watching what you want without Big Brother getting involved. Everything anyone watches has the potential of being recorded by a Plex main server someplace, and tracking the information for user analytics just became a nightmare for the small admins out there. When our users start complaining about unwanted ads we’ll know what the reason is… :frowning:

It really is sad to say this. These new “features” without the option to turn them off are being implemented over a lot of user requested features and fixes. It’s making me look more and more at Emby every day now. :frowning:

To try and clarify some things:

  • As MovieFan has mentioned, we absolutely plan to let the server admin control whether Relay/Indirect Connections are allowed. It’ll basically be tied to the Remote Access feature so that if you explicitly disable Remote Access, then Relay won’t be allowed, either. (Similarly, if you have Remote Access enabled and it’s working successfully, then Relay won’t need to be used in the first place.)
  • We absolutely agree that the server admins should have the choice and in a perfect world the feature would have soft launched with that in place. It’s unfortunate that wasn’t the case here.
  • If someone makes use of Relay, we do not look at what you’re streaming. We don’t care what it is. And if you’ve enabled secure connections for your app/server, then we couldn’t look anyway.
  • This is not some nefarious thing. It’s not an attempt to Big Brother anyway and see what you’re watching. We’re trying to make the experience better for users in an “it just works” kind of way. For those who want their content to be accessible when away from home, but maybe they’re having trouble with Remote Access, this is a way that lets them do so.

“But we are providing you with a “free” service! Why the hate?”
/sarcasm

As many that will read this will know I have been, and continue to be, one of the harsher critics of Plex’s trend toward removal of choice in much of their recent actions. However, in this case, I believe what the Plex people have said and that it was simply a mistake that the “indirect connection” feature was introduced without the ability to turn it off and that turn off ability will be added expeditiously.

Furthermore the “indirect connection” feature seems to be beneficial and non-intrusive for those using remote access and it does not seem that it lends itself to nefarious operations any more than the simple use of Plex does itself. There are much easier, and less obvious, ways Plex could monitor viewing data than this new feature and, so far, there is no indication that Plex has designs on doing anything that would be deemed a misuse of user info or data, conspiracy theorists aside.

Remember that just because something “can” be done does not mean that it “will” be done.

And as far as Emby goes I actually trust the Plex people more than I do Emby’s. While there is nothing I have run into from Emby that I would at all consider “shady” I just get a bad feeling when dealing with them. Somehow they have over qualified too many statements about both user privacy and monitoring.

Corporate sponsorship means corporate leverage. That leverage is a lot more than any one or group of users can apply. What may not be in the plans of the Team RIGHT NOW could very well be in the plans of the corporations that have sponsored Plex and the Team’s furthered development of the application, simply through this leverage.

I’m not going to belabor the point, though. @“Chris C” thanks for taking the time to reply. While you haven’t allayed my fears, you at least acknowledged that this one feature came out incomplete. (As did @MovieFan.Plex for that matter.) Thanks for the efforts.

@Chris C said:
To try and clarify some things:

  • As MovieFan has mentioned, we absolutely plan to let the server admin control whether Relay/Indirect Connections are allowed. It’ll basically be tied to the Remote Access feature so that if you explicitly disable Remote Access, then Relay won’t be allowed, either. (Similarly, if you have Remote Access enabled and it’s working successfully, then Relay won’t need to be used in the first place.)
  • We absolutely agree that the server admins should have the choice and in a perfect world the feature would have soft launched with that in place. It’s unfortunate that wasn’t the case here.
  • If someone makes use of Relay, we do not look at what you’re streaming. We don’t care what it is. And if you’ve enabled secure connections for your app/server, then we couldn’t look anyway.
  • This is not some nefarious thing. It’s not an attempt to Big Brother anyway and see what you’re watching. We’re trying to make the experience better for users in an “it just works” kind of way. For those who want their content to be accessible when away from home, but maybe they’re having trouble with Remote Access, this is a way that lets them do so.

Thanks for your reply @Chris C

That being said, will the possibility to uncheck the box of the relay be implemented in 0.9.17.X?

@starbetrayer said:
That being said, will the possibility to uncheck the box of the relay be implemented in 0.9.17.X?

Sorry, I don’t know exactly when the change will be included in a release. It’s not even as clear as saying “the next one” (if that were, indeed, the case) since we have multiple kind of parallel server branches for different things going on at the same time. So, I can’t give you a specific “when” or a version, but it’s definitely being worked on.

@Chris C said:
To try and clarify some things:

  • We absolutely agree that the server admins should have the choice and in a perfect world the feature would have soft launched with that in place. It’s unfortunate that wasn’t the case here.
  • If someone makes use of Relay, we do not look at what you’re streaming. We don’t care what it is. And if you’ve enabled secure connections for your app/server, then we couldn’t look anyway.

  1. I wanted to further comment on these two points. I would like to keep remote access enabled, but disable relaying. It sounds like they will be tied together, but why can they not be separated?

  2. Secure connections, when you are “relaying,” will only be maintained if you are tunneling the initial ssl connection within another connection. Otherwise, you, being in the middle, will have your own connection between the client and yourself, then a second connection between you and the server. What is there in the middle of those two connections could certainly see decrypted data (no technical controls, only you saying that you don’t). That is just the way SSL/TLS works.

I “trust” Plex as much as anyone else (not too much really), but money talks and when push comes to shove, as Plex grows and gets more attention, I fear money will drive them into a different business model than we have grown up with using Plex.

I don’t support any others but my immediate family, do not need to stream to the world at large, and really have a limited range of clients (Roku, iOS). I will begin evaluating other solutions, if for no other reason than to keep my options open moving forward.

@drinehart said:

  • I wanted to further comment on these two points. I would like to keep remote access enabled, but disable relaying. It sounds like they will be tied together, but why can they not be separated?

For now, at least, it’s not going to be possible to control them independently. But if you have your regular Remote Access working, then an app is going to use that and not use Relay/Indirect Connections. So in practical terms, you do have some control over that yourself: if you have real Remote Access available, then Relay won’t be used. There are basically three possibilities:

  1. Remote Access is fully disabled: Nothing is used and content’s not accessible outside your network.
  2. Remote Access is enabled, but it’s not working (e.g. Double-NAT): A direct connection can’t be made when outside your network, but Relay can be used.
  3. Remote Access is enabled and working: The direct connection will be used when outside your network.

  • Secure connections, when you are “relaying,” will only be maintained if you are tunneling the initial ssl connection within another connection. Otherwise, you, being in the middle, will have your own connection between the client and yourself, then a second connection between you and the server. What is there in the middle of those two connections could certainly see decrypted data (no technical controls, only you saying that you don’t). That is just the way SSL/TLS works.

That’s not quite accurate here. The Relay connection is just an SSH tunnel for the actual traffic. When using a secure connection, it is not terminated on our Relay server, so all the bytes flowing through are encrypted end-to-end from the Plex Media Server to the client app. Only your PMS has the cert.

  1. I wanted to further comment on these two points. I would like to keep remote access enabled, but disable relaying. It sounds like they will be tied together, but why can they not be separated?

I think the idea is once Remote Access is configured properly relaying won’t happen anymore. I tested this using my Android device and when relaying it’s quite clear you don’t have a direct connection. In that case it’s probably quite easy to just refrain from streaming the media. Should your remote connection suffer issues for some reason or another Relay will kick in and allow you to stream anyway.

@“Chris C” gave a better response

@Chris C said:

@drinehart said:

  • I wanted to further comment on these two points. I would like to keep remote access enabled, but disable relaying. It sounds like they will be tied together, but why can they not be separated?

For now, at least, it’s not going to be possible to control them independently. But if you have your regular Remote Access working, then an app is going to use that and not use Relay/Indirect Connections. So in practical terms, you do have some control over that yourself: if you have real Remote Access available, then Relay won’t be used. There are basically three possibilities:

  1. Remote Access is fully disabled: Nothing is used and content’s not accessible outside your network.
  2. Remote Access is enabled, but it’s not working (e.g. Double-NAT): A direct connection can’t be made when outside your network, but Relay can be used.
  3. Remote Access is enabled and working: The direct connection will be used when outside your network.

  • Secure connections, when you are “relaying,” will only be maintained if you are tunneling the initial ssl connection within another connection. Otherwise, you, being in the middle, will have your own connection between the client and yourself, then a second connection between you and the server. What is there in the middle of those two connections could certainly see decrypted data (no technical controls, only you saying that you don’t). That is just the way SSL/TLS works.

That’s not quite accurate here. The Relay connection is just an SSH tunnel for the actual traffic. When using a secure connection, it is not terminated on our Relay server, so all the bytes flowing through are encrypted end-to-end from the Plex Media Server to the client app. Only your PMS has the cert.

Isn’t that what I said, though, in the area bolded? And yes, if you are tunneling that traffic rather than relaying it, then I agree, there is no additional risk to the data stream. I wish you guys had called it tunneling rather than relaying.

Thanks for the clarification!

Isn’t that what I said, though, in the area bolded? And yes, if you are tunneling that traffic rather than relaying it, then I agree, there is no additional risk to the data stream. I wish you guys had called it tunneling rather than relaying.

I think the word “relay” better conveys the data flow to an average user as opposed to “tunneling”. But I can understand how you might think we were terminating the SSL connections on our servers, which we are most definitely not.
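The tunnel-versus-termination question discussed above can be checked from the client side: if TLS is not terminated in the middle, the certificate seen over the relayed path is the same one the server presents on the LAN, because only the server holds the matching private key. The following is an added example, not part of the thread and not Plex code; the addresses are constructed, and how a client reaches the relayed path is an assumption passed in as a plain host and port.

```python
import hashlib
import hmac
import socket
import ssl


def fetch_leaf_der(host, port, timeout=5.0):
    """Complete a TLS handshake and return the peer's leaf certificate (DER)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA validation is off on purpose: trust is decided below by comparing
    # against a pinned fingerprint, not by the certificate chain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 of the DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def check_path(pinned_fp, der):
    """Classify one connection path against the pinned server fingerprint."""
    if not der:
        return "no-certificate"
    pinned = pinned_fp.lower().replace(":", "")
    if hmac.compare_digest(fingerprint(der), pinned):
        return "end-to-end"
    return "different-endpoint"


def audit(pinned_fp, paths, fetch=fetch_leaf_der):
    """Check every named (host, port) path; `fetch` is injectable for testing."""
    results = {}
    for name, (host, port) in paths.items():
        try:
            results[name] = check_path(pinned_fp, fetch(host, port))
        except OSError as exc:  # includes ssl.SSLError and refused connections
            results[name] = "unreachable: " + type(exc).__name__
    return results


if __name__ == "__main__":
    # Constructed sample: fake certificates stand in for real handshakes.
    certs = {("192.0.2.10", 32400): b"server-cert", ("relay.example", 443): b"other-cert"}
    paths = {"direct": ("192.0.2.10", 32400), "relayed": ("relay.example", 443)}
    print(audit(fingerprint(b"server-cert"), paths, fetch=lambda h, p: certs[(h, p)]))
```

Record the pinned fingerprint once over a connection you trust (for example on the LAN); a "different-endpoint" result on the relayed path means the handshake completed with a host other than your server.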

@MovieFan.Plex or @Chris C

Can you guys do us a solid and make one of the following happen?

  1. Set a limit on the number of video & audio transcodes allowed simultaneously
  2. Make indirect access be configurable so only the owner of a Plex account can use it (i.e. if I was remote to my PMS I could use it, but none of my friends could if I had remote access set to off)

Currently the only way I can do #1 is if I run PMS on Windows and use someone else’s 3rd party setup for that which is sort of garbage. #2 would be nice because then I could turn off remote access to everyone but myself (something that currently isn’t possible without having to remove sharing rights to all my friends which is clunky and dumb)