I’ve read through a bunch of the forum threads regarding reverse proxy usage, and just want to confirm…
Accessing from a custom URL is easy from a web browser, but the apps are a different story. I can reach Plex.mydomain.com with no problem, including from a browser on my phone with wi-fi off. But the app is showing my server as offline.
It seems like most threads on the issue come to an abrupt halt without any definitive resolution one way or the other. And I fully understand that @OttoKerner and @ChuckPa have explained why it doesn’t really accomplish much as far as security goes. But in the “because I just wanna see if I can” department, mobile apps and reverse proxy are a dead end?
What addresses does the Plex API command https://plex.tv/api/resources?includeIPv6=1&X-Plex-Token=<plextoken> return for your Plex Media Server (You can find your Plex token using the information in this support article)? If you post any of the information, make sure to redact the accessToken from the data as this is equivalent to your Plex account password.
Is plex.mydomain.com listed against the addresses for the server with the correct port?
Which certificate authority are you using for your reverse proxy and is it compatible with your Plex clients?
Not sure what you’re asking here. It returns the xml with all the connection info including my public IP address, my 127.0.0.1 address, and my internal 192.168.x.1 address.
I believe I’ve got the plex.mydomain.com set correctly, as it works from a web browser, just not the mobile apps. Certs are from LetsEncrypt. I presumed they were compatible, but never questioned it.
The XML tells you the information that your Plex mobile apps see when they ask Plex where your PMS is.
As you’ve published your token I can query the API and see that your custom plex.mydomain.com is not listed for any of your Plex servers, only your localhost, internal Docker IPs, internal LAN IP and external WAN IP.
What this means is that your Plex clients don’t know that your custom domain exists. They will try to connect via the external WAN IP address instead. If they are using https they will get a certificate from your reverse proxy which doesn’t match what they’re expecting and will fail.
You need to set the full URL of your reverse proxy with your custom domain name in Custom server access URLs under the network settings for your server including whether it is http or https and the port it needs to connect to. It should then appear in the list of addresses returned for your server in the XML.
However, it will still list your external WAN IP so your mobile clients may try and connect to that first. To remove that, disable remote access for your server and it will be removed from the list. Your custom server URL will still be there and will be flagged as the remote address for your mobile clients to use. It will also match the SNI that your clients are expecting in the certificate presented by the reverse proxy. Plex use Let’s Encrypt for the *.plex.direct domain so the CA should be accepted. You will still be able to remotely connect to Plex with remote access disabled, it will just not show it as active when you view the status.
Mobile devices on your local network will always continue to connect via local IP address.
In the server settings, I’ve got “Plex.mydomain.com:443” set as the custom address. In my reverse proxy, I’ve got it set for https and uses a Let’s Encrypt cert, so everything should be happy. When I use Plex.mydomain.com in a browser, it works.
But I’m still not seeing my custom URL. I see the correct IP addresses for both, and their correct OS.
Try https://plex.mydomain.com:443 as it needs to be the full URL otherwise it doesn’t know whether to use http or https. If you exclude the port then it defaults to 32400.
That doesn’t seem overly complicated at all. Just need to do it “right.” Now it seems odd that there’s years of people asking the same question without a straightforward answer like the one you provided.
Able to connect to my server with Remote Access turned off from my phone with wi-fi turned off so it’s not a local connection.
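
The checks discussed in this thread, as an added Python example that is not part of the original posts: it redacts the accessToken before the XML is shared, applies the "full URL, port defaults to 32400" rule to a custom access URL, and reports whether that URL is among the advertised connections. The element and attribute names (Device, Connection, provides, uri, local, accessToken) are an assumed layout of the resources response, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of a resources response (names, addresses and token are made up).
SAMPLE_XML = """<MediaContainer size="1">
  <Device name="homeserver" product="Plex Media Server" provides="server" accessToken="CONSTRUCTED-TOKEN">
    <Connection protocol="https" address="192.168.1.10" port="32400" uri="https://192-168-1-10.example.plex.direct:32400" local="1"/>
    <Connection protocol="https" address="203.0.113.7" port="32400" uri="https://203-0-113-7.example.plex.direct:32400" local="0"/>
    <Connection protocol="https" address="plex.mydomain.com" port="443" uri="https://plex.mydomain.com:443" local="0"/>
  </Device>
</MediaContainer>"""

def redact(xml_text):
    """Blank every accessToken value so the XML can be posted safely."""
    return re.sub(r'(accessToken=")[^"]*(")', r'\1REDACTED\2', xml_text)

def effective_endpoint(custom_url):
    """Return (scheme, host, port), or None when the URL has no http/https scheme.
    The port falls back to 32400 when omitted, as described in the thread."""
    parts = urlsplit(custom_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.scheme, parts.hostname.lower(), parts.port or 32400

def advertised(xml_text):
    """Collect (scheme, host, port, is_local) for each connection of server devices."""
    found = []
    for dev in ET.fromstring(xml_text).iter("Device"):
        if "server" not in dev.get("provides", "").split(","):
            continue
        for conn in dev.iter("Connection"):
            ep = effective_endpoint(conn.get("uri", ""))
            if ep:
                found.append(ep + (conn.get("local") == "1",))
    return found

def custom_url_listed(xml_text, custom_url):
    """True when the custom URL resolves to an endpoint the clients are told about."""
    ep = effective_endpoint(custom_url)
    return ep is not None and any(c[:3] == ep for c in advertised(xml_text))

def other_remote(xml_text, custom_url):
    """Non-local endpoints besides the custom URL (for example the WAN IP entry)."""
    ep = effective_endpoint(custom_url)
    return [c[:3] for c in advertised(xml_text) if not c[3] and c[:3] != ep]
```

A non-empty result from `other_remote` corresponds to the WAN IP entry that remote clients may try first while remote access is still enabled.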