Obsolete pms settings - Custom URLs, what's the point?

Hi.

In pms we have the ability to set custom URLs, as noted per the option:

A comma-separated list of URLs (http or https) which are published up to plex.tv for server discovery.

Some of us want to use plex behind a reverse proxy, and this is pretty easily done. I personally assumed that this setting would allow plex to be served through my domain, which isn't the case.

If you reverse proxy plex, but allow port 32400 to be open on the pms server, then plex isn't actually proxied - all requests are still sent to the pms ip:32400. This is not its intended behaviour when you reverse proxy plex…

When you submit a custom url of domain.com:443, one would assume that plex would access the pms at domain.com:443, but it actually accesses plex on pmsip:32400, which defeats the purpose.

By blocking port 32400 on the pms, all apps except smart TVs can access pms via domain.com:443 or :80, this is how it should work initially.

Why is plex forcing a connection attempt on port 32400, when you specifically configure plex not to?

Can we have this fixed?

Regards

This seems to only impact certain apps, such as Plex for Samsung TVs. Using an appropriate nginx config, Plex for Android, Plex/Web and some others seem to work just fine by referencing the Custom URL that is configured.

I have not yet captured traffic from a Samsung TV to see if I can see what requests it is making, but it doesn’t seem to attempt to use the configured custom URLs “https://plex.example.com” or “https://plex.example.com:443” that work with everything else.

Another related issue:
The Server Remote access Checker doesn’t seem to check the Custom URL either. Even though my plex is fully functional via Plex Web, Plex for Android, etc. with only the reverse proxy Custom URL “https://plex.example.com” and no other ports forwarded or VPN tunnels or anything, the Remote access check says that I am inaccessible (yet it still works).
If someone could shed light onto how it is actually checking so we can either update the Reverse Proxy configuration or get Plex to fix their detection, that would be great.

To add to what demonspork said:

It is very crucial to understand exactly WHY this functionality is broken, so I'll try to explain it as easily as possible.

If you reverse proxy plex “properly”, it will be accessible via your domain, however if you inspect the traffic from your browser when accessing plex via your domain, it will send plex data, such as posters and media, via the actual IP of your plex server, NOT via your domain name.

In order to actually proxy plex data through your domain, you MUST block port 32400 on the pms server because plex does NOT honor the custom URLs set in pms, plex apps will always try to use IP:32400. When 32400 is blocked, most apps will properly request data on your domain.

The issue is that some apps, like the samsung TV, will attempt 32400 and only 32400. This is fine, if only a fallback was possible, but because the custom URL setting is not enforced, it's not possible.

One would think that if domain.com:443 is set in pms, all requests will FIRST attempt domain.com:443, and only if this fails will it try pms ip:32400. In this scenario, most plex apps will properly work through a CDN for example, blocking port 32400 would not be necessary, and incompatible apps like samsung TV would still work.

But this as said is not the case, plex always attempts 32400 making the custom URL setting obsolete.

@Suspense said:
Why is plex forcing a connection attempt on port 32400, when you specifically configure plex not to?

That is not what the setting does.
It allows you to specify an additional, alternate URL for Plex clients to try and use. Just in case the direct connection (per local/private IP and port 32400) is not usable.
Nowhere does it say that other routes to contact the server are switched off by this.

I have several threads on the issue, and as things stand right now you cannot properly Reverse Proxy Plex with SSL offload (for domain compliance).
Plex is simply not built with simple HTTP compliance as a requirement. All sorts of "non standard" accesses are done by the clients (different scenario for every type of client).

So while you can make a workable solution with Nginx and some http tag sorting, it cannot work as a proper SSL offloaded reverse proxy on a NAT border firewall alongside internal clients accessing the PMS directly.

Unfortunately there are too few of us with reverse proxy needs to get any attention from plex on the issue.

@OttoKerner said:

@Suspense said:
Why is plex forcing a connection attempt on port 32400, when you specifically configure plex not to?

That is not what the setting does.
It allows you to specify an additional, alternate URL for Plex clients to try and use. Just in case the direct connection (per local/private IP and port 32400) is not usable.
Nowhere does it say that other routes to contact the server are switched off by this.

Okay, so that's great. Then why is this option only working on some clients? Why is samsung TV not attempting to access these “other” urls? Why are the scenarios so different across clients?

We have the option to set additional urls then, as you say, are we not able to remove a url? Can we maybe get this? It seems to me this wouldn't be that big of an issue.

The absolute only thing that prevents a reverse proxy setup from working is being able to order which custom URLs should be prioritized. After this many years, why is this not something that's available? We already have a list of accessible URLs, all we need is to be able to order it.

The option makes it seem like we can use custom URLs, but as long as port 32400 is available on the pms, which it must be anyway for smart TVs, the custom URLs won't ever be used, so I'd dare to say that in 99.9% of the cases, someone might add a url here but it's actually quite useless.

So any chance of getting some changes made to this option?

@Suspense said:
Okay, so that's great. Then why is this option only working on some clients? Why is samsung TV not attempting to access these “other” urls?

The Samsung client for models up to year 2015 is made by Orca, not by Plex. He implements what he knows about and what he thinks his users are needing.

Why are the scenarios so different across clients?

Because they are different. They are developed independently. Each one has to adhere to the rules and restrictions of the hardware and software platform they are running on. Some are even not developed further (like some older LG TV or Dreambox for instance)

We have the option to set additional urls then, as you say, are we not able to remove a url? Can we maybe get this?

There is usually no info on future features of Plex.

I don’t really understand why you so badly need this. What is your use case here?
As long as your Plex clients can reach the server, all should be good and dandy, or not?

@OttoKerner said:

@Suspense said:
Okay, so that's great. Then why is this option only working on some clients? Why is samsung TV not attempting to access these “other” urls?

The Samsung client for models up to year 2015 is made by Orca, not by Plex. He implements what he knows about and what he thinks his users are needing.

Why are the scenarios so different across clients?

Because they are different. They are developed independently. Each one has to adhere to the rules and restrictions of the hardware and software platform they are running on. Some are even not developed further (like some older LG TV or Dreambox for instance)

We have the option to set additional urls then, as you say, are we not able to remove a url? Can we maybe get this?

There is usually no info on future features of Plex.

I don’t really understand why you so badly need this. What is your use case here?
As long as your Plex clients can reach the server, all should be good and dandy, or not?

I experience peering issues now and then, and this setup would eliminate that, would also fix issues with using plex at locations that block ports, as well as save bandwidth and provide better speed for delivery of things like cover art.

There are plenty of improvements from putting plex behind a reverse proxy, and it is unfortunate such small roadblocks prevent us from doing so.

My use-case is to have full control over the authentication layer in my environment. All of these different home focused applications don’t have any sort of federation or SSO built in and I generally don’t trust much of what they do implement. I would rather maintain a single auth system to control access that I can keep updated and secure.

I realize that is a little harder with Plex because of the need to share the server with friends, which is why the auth layer isn’t currently turned on for my plex site in the reverse proxy, but I want to be able to turn it on if I feel the need. My work-around though is probably to leave 32400 forwarded, and if a trigger event happens I will have my automation just block that port and enable the second auth layer if it sees something fishy in the Plex logs. I may also just set up a registered IP form, so that the friends I share with would only be able to see port 32400 if they first hit my portal from that IP (which most of them do anyway for things like plexrequests)

When I put Plex behind a reverse proxy (using this config) and started using my domain name in the “Custom server access URLs” option, I also had to completely disable the “Remote Access” option. After disabling that, Plex no longer tried to connect on 32400 (see my note in this pull request).

@sander1 said:
When I put Plex behind a reverse proxy and started using my domain name in the “Custom server access URLs” option, I also had to completely disable the “Remote Access” option. After disabling that, Plex no longer tried to connect on 32400.

Are you actually sure of that? Because I don't think this is what happens.

Go to plex in chrome or firefox, open the console and check the network tab for the domain that metadata (like artwork) is requested from.

What you will see is a bunch of ip.randombunchofstuff.plex.direct on port 32400, it's not actually going through your domain.
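The browser check described in the post above, as an added example that is not part of the original thread: export the Network tab as a HAR file and count which requests went through the custom domain and which bypassed it via `*.plex.direct` or port 32400. The function names, the sample HAR and the hostnames (`plex.example.com`, the `plex.direct` label) are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def classify(url, proxy_host):
    """Label one request URL: 'proxied', 'direct' (bypasses the proxy) or 'other'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if host == proxy_host.lower():
        # Same hostname on port 32400 still reaches PMS without the proxy.
        return "direct" if port == 32400 else "proxied"
    if host.endswith(".plex.direct") or port == 32400:
        return "direct"
    return "other"


def summarize_har(har_text, proxy_host):
    """Count request classes in a HAR export and list host:port pairs that bypassed the proxy."""
    entries = json.loads(har_text)["log"]["entries"]
    counts = Counter()
    bypass = set()
    for entry in entries:
        url = entry["request"]["url"]
        label = classify(url, proxy_host)
        counts[label] += 1
        if label == "direct":
            parts = urlsplit(url)
            port = parts.port or DEFAULT_PORTS.get(parts.scheme)
            bypass.add(f"{parts.hostname}:{port}")
    return dict(counts), sorted(bypass)


# Constructed sample HAR (not captured traffic); hostnames are placeholders.
PLEX_DIRECT = "https://203-0-113-10.0123456789abcdef.plex.direct:32400"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://plex.example.com/web/index.html"}},
    {"request": {"url": "https://plex.example.com/library/sections"}},
    {"request": {"url": PLEX_DIRECT + "/photo/:/transcode?width=300"}},
    {"request": {"url": PLEX_DIRECT + "/library/metadata/1/thumb"}},
    {"request": {"url": "https://plex.tv/"}},
]}})

if __name__ == "__main__":
    counts, bypass = summarize_har(SAMPLE_HAR, "plex.example.com")
    print(counts)
    print(bypass)
```

Any entry in the bypass list means the browser reached the server without passing through the reverse proxy, so access controls or logging placed on the proxy did not apply to that traffic.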

@Suspense said:

@sander1 said:
When I put Plex behind a reverse proxy and started using my domain name in the “Custom server access URLs” option, I also had to completely disable the “Remote Access” option. After disabling that, Plex no longer tried to connect on 32400.

Are you actually sure of that? Because I don't think this is what happens.

Yep, I’m sure. Working as expected for me (my domain is plex.ooo):

@sander1 said:

@Suspense said:

@sander1 said:
When I put Plex behind a reverse proxy and started using my domain name in the “Custom server access URLs” option, I also had to completely disable the “Remote Access” option. After disabling that, Plex no longer tried to connect on 32400.

Are you actually sure of that? Because I don't think this is what happens.

Yep, I’m sure. Working as expected for me (my domain is plex.ooo):

This is odd. Maybe cloudflare. What are you using as reverse proxy?

@Suspense said:
This is odd. Maybe cloudflare.

I’m not using Cloudflare in my setup.

What are you using as reverse proxy?

nginx with this config.

@sander1 said:

@Suspense said:
This is odd. Maybe cloudflare.

I’m not using Cloudflare in my setup.

What are you using as reverse proxy?

nginx with this config.

Interesting. I get the same result as you using your config, when I access plex on my domain without https. If I access it with https, it's yet again not going through my domain.

The actual requests to plex are going through SSL, maybe this is a configuration error in the nginx config. But this is a step in the right direction (provided this didn't break samsung TVs).

I really appreciate your input here, now to figure out this ssl issue.

EDIT:

With the help from Sander1, it has been possible to run plex behind a cdn. While the settings in pms might be a little difficult to understand completely, my initial assumption that it was plex's fault turned out to be untrue; it is possible to do this with plex, albeit a little troublesome.