Plex and reverse proxy nginx + cloudflare "not available outside your network"

Hi
I've successfully installed nginx as a reverse proxy and Cloudflare.
I can access my domain over port 443 and redirect it to port 32400.
When I access my domain I can play movies with no issue. When I access my server through the mobile app it returns a bandwidth limit message because of the indirect access.
I use a reverse proxy because I don't know how to change the Plex port.
Is it possible to hide Plex behind the reverse proxy?

Here is the nginx configuration:

# Plain-HTTP listener whose only job is the permanent redirect to HTTPS.
# (A rewrite to https:// placed inside the 443 block itself would redirect
# every HTTPS request to itself, i.e. a redirect loop.)
server {
    listen      80;
    listen      [::]:80;
    rewrite     ^ https://$host$request_uri? permanent;
}

server {
    error_log   /var/log/nginx/plex_error.log    error;
    access_log  /var/log/nginx/plex_access.log   combined;
    server_tokens off;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate         /etc/ssl/cert.pem;
    ssl_certificate_key     /etc/ssl/key.pem;

    # Resolver set to Cloudflare
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 10s;

    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
    gzip_disable "MSIE [1-6]\.";

    location / {
        # IP address of Plex Media Server (PMS always listens on 32400)
        proxy_pass          https://127.0.0.1:32400/;
        proxy_buffering     off;
        proxy_redirect      off;
        proxy_http_version  1.1;
        proxy_set_header    X-Real-IP       $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass websocket upgrade headers through to PMS
        proxy_set_header    Upgrade         $http_upgrade;
        proxy_set_header    Connection      $http_connection;
        proxy_cookie_path   /web/           /;
        access_log          off;
    }
}

It says "Not available outside your network", but I verified the reverse proxy, for example with the Python HTTP server, and it works.

Is it mandatory to open these ports?

The following additional ports are also used within the local network for different services:

    UDP: 1900 (access to the Plex DLNA Server)
    UDP: 5353 (older Bonjour/Avahi network discovery)
    TCP: 8324 (controlling Plex for Roku via Plex Companion)
    UDP: 32410, 32412, 32413, 32414 (current GDM network discovery)
    TCP: 32469 (access to the Plex DLNA Server)


Thank you

Ports:

  1. You open those additional ports on your LAN. They are not required for Remote Access.
  2. The internal PMS port is always 32400. Your external port, port-forwarded to 32400, is all that's required.

Using your own FQDN

  1. Settings - Server - Network - Show Advanced
  2. Custom Server Access URLs (this address is published to Plex.tv)
  3. Make certain your FQDN certificate, which includes the CA, has been imported into PMS, else you'll get TLS/SSL errors blocking the connection as it switches from your cert to PMS' cert.

I imported the crt here.

File read permission is OK.
The custom server access URL is https://domain.tld (without "www"),
but it didn't turn green.
If I understand correctly Cloudflare has two types of certificate:
<< Edge certificates are provided by Cloudflare and shown to your visitors. They will encrypt traffic between your visitors and CF. Origin is a certificate on your server and needed to encrypt traffic between your server and Cloudflare >>

My crt files in /etc/ssl are the "origin certificate" and they are in PEM format. Does Plex only accept PKCS #12 format?

Edit:
Converted to PKCS #12 with no password

but it’s still red

I think it will accept PEM but not 100% on that.

I use P12 format.

You can verify the cert is being picked up by restarting PMS (DEBUG logging enabled), waiting about 1 minute, then pulling the logs.

You'll see where PMS either imports (pins) or rejects the cert.
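A small triage script for exactly that log pull, added here as an example (it is not ChuckPa's or Plex's code): it parses the `[CERT]` lines from Plex Media Server.log and reduces them to one verdict, so the "installed"/"couldn't install"/"Missing cert or issuer" messages that appear later in this thread can be read mechanically. The sample lines are constructed to match the thread's format; the fingerprints and hostnames in them are placeholders.

```python
import re
from typing import Optional

# Constructed samples in the format of Plex Media Server.log (placeholder values).
SAMPLE_LOG_REJECTED = """\
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] DEBUG - [CERT] Subject name is /CN=*.EXAMPLE.plex.direct
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] DEBUG - [CERT] Installed certificate with fingerprint 03:AA:BB:CC.
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.
"""

SAMPLE_LOG_LOADED = """\
Apr 28, 2022 22:55:26.607 [0x7f2d450d3d48] DEBUG - [CERT] Installed certificate with fingerprint 11:22:33:44.
Apr 28, 2022 22:55:26.611 [0x7f2d450d3d48] DEBUG - [CERT] Loaded a user-provided certificate for /O=CloudFlare, Inc./OU=CloudFlare Origin CA/CN=CloudFlare Origin Certificate.
Apr 28, 2022 22:55:26.611 [0x7f2d450d3d48] WARN - [CERT/OCSP] Missing cert or issuer; skipping stapling
"""

# "Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] LEVEL - message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<thread>0x[0-9a-f]+)\] "
    r"(?P<level>DEBUG|INFO|WARN|ERROR) - "
    r"(?P<msg>.*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one PMS log line into timestamp, thread id, level and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def cert_status(log_text: str) -> dict:
    """Summarise what PMS did with certificates during one start-up."""
    summary = {
        "pinned_fingerprint": None,   # the plex.direct cert PMS installed
        "user_cert_subject": None,    # subject of the custom cert, if loaded
        "user_cert_rejected": False,  # "couldn't install it" was logged
        "chain_incomplete": False,    # OCSP stapling skipped: issuer not in bundle
        "verdict": "no certificate events",
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or "[CERT" not in rec["msg"]:
            continue
        msg = rec["msg"]
        fp = re.search(r"Installed certificate with fingerprint ([0-9A-Fa-f:]+)", msg)
        if fp:
            summary["pinned_fingerprint"] = fp.group(1)
        subj = re.search(r"Loaded a user-provided certificate for (.+)\.$", msg)
        if subj:
            summary["user_cert_subject"] = subj.group(1)
        if "Found a user-provided certificate, but couldn't install it" in msg:
            summary["user_cert_rejected"] = True
        if "Missing cert or issuer" in msg:
            summary["chain_incomplete"] = True

    if summary["user_cert_rejected"]:
        summary["verdict"] = ("custom certificate rejected: check that the PMS user can read "
                              "the file and that the PKCS#12 password was supplied")
    elif summary["user_cert_subject"] and summary["chain_incomplete"]:
        summary["verdict"] = ("custom certificate loaded, but its issuer is not in the bundle: "
                              "include the CA chain in the PKCS#12")
    elif summary["user_cert_subject"]:
        summary["verdict"] = "custom certificate loaded"
    elif summary["pinned_fingerprint"]:
        summary["verdict"] = "only the plex.direct certificate is in use"
    return summary


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG_LOADED
    for k, v in cert_status(text).items():
        print(f"{k}: {v}")
```

Run it with the path to Plex Media Server.log after the restart; with no argument it runs over the constructed "loaded but chain incomplete" sample. The verdict strings are this example's own wording, not Plex messages.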

Found this in Plex Media Server.log:

Apr 28, 2022 22:02:36.073 [0x7f7a5d696b38] DEBUG - CERT: Certificate will not expire soon; we'll check again in a week.
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] DEBUG - [CERT] Subject name is /CN=*.b2xxxxxxxxxxxxxxxxxxcca9.plex.direct
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] DEBUG - [CERT] Installed certificate with fingerprint 03:xxxxxdb:7xxx5:07:88xxxxxxxxxxxxxxxxx.
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] DEBUG - [CERT] MyPlex: Updating device connections (from timer: 0)
Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] DEBUG - [CERT] HTTP requesting PUT https://plex.tv/devices/39b31xxxxxxxxxxxxxxxxxx8?Connection[][uri]=https://"I've removed"&Connection[][uri]=http://

Found this error in com.plexapp.system.log:

2022-04-28 22:02:36,857 (7f10d7b33b38) :  DEBUG (networking:143) - Requesting 'http://resources-cdn.plexapp.com/hashes.json'
2022-04-28 22:02:36,932 (7f10d7b33b38) :  ERROR (networking:196) - Error opening URL 'http://resources-cdn.plexapp.com/hashes.json'
2022-04-28 22:02:36,934 (7f10d7b33b38) :  CRITICAL (runtime:1299) - Exception getting hosted resource hashes (most recent call last):
  File "/usr/lib/plexmediaserver/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/Framework/components/runtime.py", line 1291, in get_resource_hashes
    json = self._core.networking.http_request("http://resources-cdn.plexapp.com/hashes.json", timeout=5).content
  File "/usr/lib/plexmediaserver/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/Framework/components/networking.py", line 242, in content
    return self.__str__()
  File "/usr/lib/plexmediaserver/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/Framework/components/networking.py", line 220, in __str__
    self.load()
  File "/usr/lib/plexmediaserver/Resources/Plug-ins-8cf78dab3/Framework.bundle/Contents/Resources/Versions/2/Python/Framework/components/networking.py", line 158, in load
    f = self._opener.open(req, timeout=self._timeout)
  File "/usr/lib/plexmediaserver/Resources/Python/python27.zip/urllib2.py", line 435, in open
    response = meth(req, response)
  File "/usr/lib/plexmediaserver/Resources/Python/python27.zip/urllib2.py", line 548, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib/plexmediaserver/Resources/Python/python27.zip/urllib2.py", line 473, in error
    return self._call_chain(*args)
  File "/usr/lib/plexmediaserver/Resources/Python/python27.zip/urllib2.py", line 407, in _call_chain
    result = func(*args)
  File "/usr/lib/plexmediaserver/Resources/Python/python27.zip/urllib2.py", line 556, in http_error_default
    raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 403: Forbidden

Maybe this is wrong:

Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.

I tried again with P12 format and with a password, but it can't install that certificate:

Apr 28, 2022 22:02:36.076 [0x7f7a5dfa6b38] ERROR - [CERT] Found a user-provided certificate, but couldn't install it.

Stupid question: Permissions are such that plex:plex can read it, and you gave it the password?

(It does need the password. It doesn't like a blank password.)
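The two conditions in that question (the PMS user can read the file, and the PKCS#12 password is not blank) are easy to pre-check before restarting PMS. The following is an added example, not code from Plex or from anyone in this thread; it assumes a POSIX host and takes the service user's uid/gid as parameters (on the poster's system that would be plex:plex, e.g. resolved with `pwd.getpwnam("plex")`). The file contents used by `self_check()` are constructed stand-ins: a PEM file starts with `-----BEGIN`, while a real PKCS#12 bundle is DER and starts with the SEQUENCE tag 0x30.

```python
import os
import stat
import tempfile

# Constructed placeholders for the two file types (not real certificates).
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"
FAKE_P12 = b"\x30\x82\x01\x00" + b"\x00" * 16


def detect_format(data: bytes) -> str:
    """Classify a certificate file by its leading bytes."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if data[:1] == b"\x30":       # DER SEQUENCE tag, as at the start of a PKCS#12 bundle
        return "pkcs12"
    return "unknown"


def readable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """Apply whichever of the owner/group/other read bits governs this uid/gid.

    Mode bits only: a root service would bypass them, so check as the real PMS user.
    """
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_cert_file(path: str, uid: int, gid: int, password: str) -> list:
    """Return a list of findings; an empty list means the bundle should load."""
    findings = []
    st = os.stat(path)
    with open(path, "rb") as fh:
        fmt = detect_format(fh.read(64))
    if fmt != "pkcs12":
        findings.append(f"format is {fmt}, expected a PKCS#12 bundle")
    if not readable_by(st, uid, gid):
        findings.append(f"not readable by uid={uid} gid={gid} (fix owner or mode)")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable: the bundle holds the private key, use 0640 or stricter")
    if password == "":
        findings.append("blank PKCS#12 password: PMS requires a non-empty one")
    return findings


def self_check() -> dict:
    """Exercise the checker on constructed files; returns findings per case."""
    uid, gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "cert.pem")
        with open(bad, "wb") as fh:
            fh.write(FAKE_PEM)
        os.chmod(bad, 0o644)
        results["pem_world_readable_no_password"] = check_cert_file(bad, uid, gid, "")

        good = os.path.join(d, "cert.p12")
        with open(good, "wb") as fh:
            fh.write(FAKE_P12)
        os.chmod(good, 0o640)
        results["p12_owner_only_with_password"] = check_cert_file(good, uid, gid, "s3cret")

        # Same file, but evaluated as a different uid/gid: only the "other" bit counts,
        # which mirrors the chown mistake described later in this thread.
        os.chmod(good, 0o600)
        results["p12_wrong_owner"] = check_cert_file(good, uid + 1, gid + 1, "s3cret")
    return results


if __name__ == "__main__":
    for case, findings in self_check().items():
        print(case, "->", findings or "OK")
```

For a real check, call `check_cert_file("/path/to/cert.p12", pw.pw_uid, pw.pw_gid, password)` with `pw = pwd.getpwnam("plex")`, and fix every finding before restarting PMS.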

No silly question... my fault, I added the password. I changed the path and I didn't check chown.

Apr 28, 2022 22:55:26.607 [0x7f2d450d3d48] DEBUG - [CERT] Subject name is /CN=*.xxxxxxxxxxxxxxxxxxplex.direct
Apr 28, 2022 22:55:26.607 [0x7f2d450d3d48] DEBUG - [CERT] Installed certificate with fingerprint xxxxxxxxxxxxxxxxxxxx:77:89.
Apr 28, 2022 22:55:26.607 [0x7f2d450d3d48] DEBUG - [CERT/OCSP] Stapling requests will be made to 'http://r3.o.lencr.org/'.
Apr 28, 2022 22:55:26.607 [0x7f2d450d3d48] INFO - [CERT/OCSP] Successfully retrieved response from cache.
Apr 28, 2022 22:55:26.611 [0x7f2d450d3d48] DEBUG - [CERT] Loaded a user-provided certificate for /O=CloudFlare, Inc./OU=CloudFlare Origin CA/CN=CloudFlare Origin Certificate.
Apr 28, 2022 22:55:26.611 [0x7f2d450d3d48] WARN - [CERT/OCSP] Missing cert or issuer; skipping stapling

But it's still red, and I found this one but I don't know what it needs.
My SSH has a private key.

Apr 28, 2022 22:55:31.840 [0x7f2d43c76b38] DEBUG - NAT: UPnP, getPublicIP didn't find usable IGD.
Apr 28, 2022 22:55:31.841 [0x7f2d43c76b38] DEBUG - NAT: PMP::getPublicIP, couldn't send request for public IP
Apr 28, 2022 22:55:31.841 [0x7f2d43c76b38] DEBUG - HTTP requesting GET https://xxx-xxx-xx-48xxxx12xxxxxxxxxxxxxplex.direct:443/identity
Apr 28, 2022 22:55:31.855 [0x7f2d43ccdb38] WARN - [HttpClient] HTTP error requesting GET https://xxx-xxx-xxx-xxxxxxxxxxxxxxxxa9.plex.direct:443/identity (60, SSL peer certificate or SSH remote key was not OK) (SSL certificate problem: unable to get local issuer

Is that cert self-signed?

Yes, the "origin certificate". I use it for nginx and Plex.
Afterwards I converted it to p12 (only for Plex):

openssl pkcs12 -export -out cert.p12 -in cert.pem -inkey key.pem

But it's not available outside your network.

You can connect via LAN and be secure?

In your Remote Access port, do you specify 443 ?
With the FQDN (without port) in Server Access URL ?

Internally, you forward 443 → 32400 of the host.

Summary:
To solve it I disabled "Remote Access"
and added the p12 certificate and the custom URL.

What I learned is that plex.tv requests the URL and doesn't care about Remote Access?

@Disco2021

If you’re using your own FQDN & port number, with your own certificate,

Then you don’t need “Remote Access” brokering. Yes, you can turn that off.

The purpose of “Remote Access” is when you want to keep your host somewhat anonymous and have PMS handle the IP address changes (DHCP from ISPs).

If you have all that handled yourself, you don’t need Plex (which you’ve discovered).

I don’t use it. I let my firewall (pfsense) do all the address management with CloudFlare DNS and let pfsense handle primary access control (my PMS is not open to the world)

Thank you ChuckPa

When using Cloudflare & Nginx, those are presenting the certificates to the outside world.

Why bother loading a custom cert into Plex itself?
