Plex Security: How to avoid opening a public port?

I already considered getting PlexPass and then this. I am not suggesting that it is a huge risk, but I do have to rely on yet another HTTP service. Or am I mistaken and HTTPS is supported? 

HTTPS is being developed and has limited support currently. The good news is the new plex.tv site and forums are now all in HTTPS by default :)

Would you be able to provide an update on full HTTPS support or a roadmap/timeline if there is one? I have nginx doing a rewrite for the web client and that works great; however, I noticed the Android client doesn't appear to like it. I'm assuming there are other clients that wouldn't as well. The nginx rewrite works for 99% of my uses, it's just the last 1% now :)

Would you be able to provide an update on full https support or a roadmap/timeline if there is one?

This information is not available to anyone outside the developers. Sorry, no timeline/roadmap available.

No worries. I'm really happy to hear it's being worked on!

There is another way, similar to VPN: SSH. It doesn't work well on non-jailbroken iOS devices because they (for battery-saving reasons) only allow one active application at a time, which limits your connection time, or at least requires you to periodically switch back to your SSH app to keep the connection alive.

On other mobile devices it works fine. A properly secured SSH server is nearly impossible to hack. The best part is that your entire connection, from the initial credential exchange to all traffic transmitted/streamed, is encrypted, and you can choose the encryption level. (My current setup is 2048 bit.)

To connect to the plex server, which is LAN only, you'd use an SSH tunnel by port forwarding IN the tunnel. For example, I could forward my local port 4000 to the server port 32400. This means you only have port 22 open on the router (and even that can be locked down with two-factor auth), then you forward to port 32400 through the tunnel.

For my example, once the SSH tunnel is properly configured, I'd point my browser to 127.0.0.1:4000.

It works great. I can use it on iOS devices too, but it’s only good for 3-5 minutes at a time.

Forgot to mention, if you don't have a Linux host on your network, a Raspberry Pi works beautifully for this function, and they're only about $50 and a little time/research for setting up and securing. Then only allow non-root users to connect via SSH, and if you're really wanting to go above and beyond, use SSH key authentication with a password. This makes the server send you an encrypted challenge using the public key. (2048-bit is the default for SSH v2, but it can go higher.) The server chooses which public key to use based on the username and device name you have specified to connect with. This challenge can only be decrypted by a private key that is only on the device you generated it with. In order to access that private key, your local device requires a password.
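The tunnel and sshd hardening described in the post above, as an added example (not code from the thread or from Plex): it builds the `ssh -L` command that maps local port 4000 to the server's 32400, and audits a constructed `sshd_config` for the non-root-only and key-only settings the post recommends. The host name, user name and both sample configs are constructed for illustration.

```python
# Added example, not from the thread: the tunnel command the post describes
# (local 4000 -> server 32400 over port 22) and a check of sshd_config for the
# settings the post recommends. Host, user and sample configs are constructed.
import shlex

def tunnel_argv(local_port=4000, remote_port=32400, user="plexuser", host="home.example.invalid"):
    """Return the ssh argv that forwards 127.0.0.1:<local_port> to <remote_port> on the server."""
    return ["ssh", "-N",                       # -N: no remote shell, tunnel only
            "-o", "ExitOnForwardFailure=yes",  # fail loudly instead of silently not forwarding
            "-L", f"127.0.0.1:{local_port}:127.0.0.1:{remote_port}",  # bind on loopback, not 0.0.0.0
            f"{user}@{host}"]

# Settings to check in sshd_config and the values the post's advice implies.
WANTED = {
    "PermitRootLogin": "no",         # only non-root users may log in
    "PasswordAuthentication": "no",  # keys (protected by a passphrase) instead of passwords
}

def audit_sshd_config(text):
    """Parse sshd_config text; return setting -> (found_value, ok) for each WANTED key.
    A missing AllowUsers is also flagged, since the post restricts who may connect."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        found.setdefault(parts[0], parts[1].strip().lower())  # sshd honours the FIRST occurrence
    report = {k: (found.get(k), found.get(k) == v) for k, v in WANTED.items()}
    report["AllowUsers"] = (found.get("AllowUsers"), "AllowUsers" in found)
    return report

WEAK_CONFIG = """# constructed sample: defaults the post argues against
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """# constructed sample: the post's advice expressed in sshd_config
PermitRootLogin no
PasswordAuthentication no
AllowUsers plexuser
"""

if __name__ == "__main__":
    print(" ".join(shlex.quote(a) for a in tunnel_argv()))
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```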

cfarrally, I use SSH tunneling myself and it works like a charm, except for the Android app. The plex web interface can be accessed through SSH, but the Android app does not recognize the server made available through localhost. I've been trying to work around this in various ways, such as manually specifying the IP addresses to the app, but to no avail.

(info sec professional)

OP raises an important and valid security question/concern re exposing your plex server to the entire internet, via opening port 32400 (or a manual port you specify in plex server settings).

Let's clear up a few things in regards to needing to have an open port on your public-facing router (open port + dstnat rule to your server is the technical term):

1- To be clear, the concern is that a hacker would exploit a known/unknown vulnerability in the plex software (mainly the plex web server you are running, which is accessible to anyone on the internet). In such a scenario they don't need (or care about) your plex login/password, but rather would gain access to your system through such an exploit. (Or maybe they do have your plex login/pass and are one step closer to full access.)

If we didn't have to open the 32400 port, this wouldn't even matter, as the service (plex web server) wouldn't even be accessible in the first place.

**2-** There are ways that plex cloud could accomplish exactly what they are doing now, without requiring users to open any ports. Apps like skype, facetime, home CCTV camera apps all use this technique, all the time, and without issues. (i.e. how is it that on newer home CCTV/camera systems you don't need to open any ports, yet you are able to remotely connect DIRECTLY to your home DVR from your iphone when you are not home?) The answer is a technique known as TCP Hole Punching (or UDP Hole Punching). Search Wikipedia for a detailed explanation.

**(This is what plex should be using, to increase security. Users should request/demand that they add support for this functionality)** (while still allowing the current method, if a user needs or would rather manually open ports).

Below is a ROUGH outline of how TCP/UDP firewall hole punching works:

Plex app client wants to connect to your home server (both are behind different routers, in different locations, with no predefined "open" port 32400 on either side):

1- Plex app client device tells plex CLOUD: I want to connect to my home server but I'm not at home.

2- plex CLOUD then uses the constant connection that your HOME plex server maintains with Plex Cloud to tell your plex server: hey server, connect to this public IP on port XYZ (i.e. the public IP of the Plex app client device).

3- The plex client device then initiates a connection back to the plex server on this same, already now opened port (since the plex server has already initiated a connection to the plex app client's public IP).

4- Done (plex app client is now connected to the Plex server, and no ports are EVER open to the public, 24/7).

(The above is a WAY over-simplification of the process, but it works, and has been in use by MANY apps/servers for several years. We all use this almost daily and don't even realize it.)

Please request that the plex devs implement "TCP Firewall Hole Punching" as an additional option that server owners can enable if they wish.

thanks

(btw, until plex adds TCP hole punching, you SHOULD change the port you use/open from the default 32400 (to something random) on BOTH the plex server and your router.)
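The four-step rendezvous outlined above, modelled in memory as an added example (not code from the thread or from Plex): a toy NAT that only admits inbound traffic on a port some inside socket already used outbound, so the home server never has a listening port reachable from the internet. Class and function names and all addresses are constructed; it assumes endpoint-independent NAT mapping (a symmetric NAT breaks this, which is why real apps fall back to a relay).

```python
# Added example (not from the thread or from Plex): an in-memory model of the
# four-step rendezvous outlined above. Names and addresses are constructed.
# Assumption: endpoint-independent NAT mapping, i.e. one inside socket is always
# seen from the same public port; a symmetric NAT breaks this, which is why
# real apps keep a relay (like Plex Relay) as the fallback path.
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy NAT/firewall: only OUTBOUND traffic creates a mapping; unsolicited inbound is dropped."""
    public_ip: str
    mappings: dict = field(default_factory=dict)  # inside (ip, port) -> public port
    next_port: int = 40000

    def outbound(self, inside):
        """An inside socket sends out; return the public (ip, port) the outside world sees."""
        if inside not in self.mappings:
            self.mappings[inside] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.mappings[inside])

    def inbound(self, public_port):
        """Deliver a packet only if an inside socket already opened this public port."""
        for inside, pport in self.mappings.items():
            if pport == public_port:
                return inside
        return None  # no prior outbound flow: dropped, exactly what a port scan sees

def rendezvous(client_nat, server_nat):
    """Walk the four steps; both sides only ever connect OUT, first to the cloud, then to each other."""
    client_sock = ("192.168.1.20", 5000)  # constructed: the phone on a remote LAN
    server_sock = ("10.0.0.5", 32400)     # constructed: the home Plex server, LAN only
    # Steps 1-2: each side's existing outbound session to the cloud reveals its public endpoint,
    # and the cloud hands each side the other's endpoint over that same session.
    client_pub = client_nat.outbound(client_sock)
    server_pub = server_nat.outbound(server_sock)
    # Step 2: the server connects out to the client's public endpoint from the same socket.
    assert server_nat.outbound(server_sock) == server_pub
    server_to_client = client_nat.inbound(client_pub[1]) == client_sock
    # Step 3: the client connects out to the server's public endpoint; the mapping already exists.
    assert client_nat.outbound(client_sock) == client_pub
    client_to_server = server_nat.inbound(server_pub[1]) == server_sock
    # Step 4: done. A stranger probing the home router on 32400 never opened a mapping.
    return {"server_to_client": server_to_client,
            "client_to_server": client_to_server,
            "unsolicited_32400": server_nat.inbound(32400)}

if __name__ == "__main__":
    print(rendezvous(Nat("203.0.113.7"), Nat("198.51.100.9")))
```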


@jo2jo said: (quoting the full post above)

is this implemented yet in Plex? I’m new to it but don’t want to open a port.

@john_casey, I've looked all through the Plex Media Server settings and it just says you need to open port 32400 or an alternate port you specify. You could change it to something besides the default, but that only provides a little more security (by obscurity).

Does anyone use the Relay option offered by Plex and not open their firewall at all? I know it is not ideal (limits content to 720p).

My ISP gave me a static public IP address and I have set my router IP object to open ports only to that single IP address (and not to any other). Is that secure enough?
