Plex through reverse proxy + ip whitelist + https://app.plex.tv/desktop

So please tell me if what I’m trying to achieve is at all possible with the current state of Plex.

  1. I want to use plex through reverse proxy only
  2. Reverse proxy listens on 443
  3. Plex listens only on 127.0.0.1:32400
  4. Ips which can connect to the reverse proxy are whitelisted
  5. A whitelisted ip client visits https://app.plex.tv/desktop and can use the shared plex server libs.

What I did for now:

  1. Set up reverse proxy listening on address: https://plex.example.com:443 (only accepts tls 1.3 connections)
  2. Set allowLocalhostOnly="1" in Preferences.xml in Plex
  3. Set “custom server access URLs” in plex to: https://plex.example.com:443
  4. Added ips listed here https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt to whitelist

With the above setup whitelisted ips can reach: https://plex.example.com:443 in the browser,
but visiting https://app.plex.tv/desktop says:
“app.plex.tv is unable to connect to “PlexServer” securely Its “Secure connections” setting may be set to disabled, or you may need to adjust some settings on your network. You can .”

The Settings->Network->Secure connections is set to: Preferred.

If I set this to “Required” then https://app.plex.tv/desktop says:
“PlexServer is currently unavailable
Verify you have a network connection and that the server is online, or see our
tips for further assistance.”

If I click on Settings->Remote Access->Enable Remote Access, and check “Manually specify public port” and set it to 443, the page itself says: “Not available outside your network”
which is of course not true, since it is still available through: https://plex.example.com:443 in the browser.

Also the private address where it shows how it is not available: Private 10.1.1.1 : 32400 ← Public 1.2.3.4 : 443 X Internet
is totally wrong, for one because I set allowLocalhostOnly="1" so it only listens on 127.0.0.1, and for another because I have multiple interfaces in the hardware and
even if I set the Settings->Network->Preferred network interface to a specific interface (this was before I manually set allowLocalhostOnly="1"), the address shown in Private is a completely different interface’s address.

I thought since Plex advertises this software as users connecting directly (of course when Settings->Network->Enable relay is unchecked, which it is in my case) to the server - as in p2p
then no matter what the webplayer (or apps, or whatever) does, it should just connect to the server from the client’s ip, which is whitelisted, and everything should just work.

So again… is this at all possible? If yes, how?

Thanks.

I achieved what you’re trying to do much simpler:

  1. Define Alias in firewall
  2. Add those who are allowed to that Alias (add by FQDN/DDNS name)
  3. Add Plex’s servers to that Alias (they must also be able to ping the server)
  4. Add firewall rule, constrained to pass only those on the Alias list, through to the server port.
  5. Setup normal Remote Access with Plex.tv
  6. Publish my alternate access URL (my FQDN & port) in settings.
  7. Add my cert (Key, Cert, and CA in P12)
  8. Anyone wanting to connect to me via browser can access via FQDN & port
    Plex apps find it automatically.
  • Magic happens
  • Only those on the Alias (Allowed List) can even see the server exists.

“Simpler” is a relative term. Your description seems way more complicated to me.
I also don’t understand what you mean by “Alias”

In your 3rd point you mean these 2 ips https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt must be able to not only access my tcp 443 port but have to be able to request icmp echo too?
Why would plex need to be able to ping the server’s address?
No one is able to ping my server’s address (that is, send an icmp echo request) and that will never change. When only a direct connection is needed between the clients and the server why would plex send arbitrary packets to the server’s address?

I use PfSense firewall/router.

Its firewall is defined by rules (pass/ block) like all others.

Additionally, instead of saying pass/block, and giving a list of IP addresses, I can use a name that I created (aka. Alias).

In that “Alias” is the full list of everything I want to reference.
(Alias compacts a list to name)
Below, on this firewall page, I add the names/IPs I want to allow

To use this alias list, I write a PASS rule in the firewall which references it.

To read it:

  • From the WAN adapter,
  • Restricted to any “PlexAllowedRemotes”
  • Forward to 192.168.0.18, port 32400 (the server’s internal port)

In your post,
You are showing two servers which you’re allowing.

The best Plex IPs for you to use are listed in your own log files.

  1. With DEBUG logging enabled (you need this)
  2. Start Plex
  3. Wait about 2 minutes
  4. Download the logs ZIP file
  5. Open “Plex Media Server.log”
  6. Look for “pubsub” and “MyPlex”
  7. You’ll see the specific list of server(s) which your PMS is talking to
    These are the IP addresses you want to allow.

Example: Here are mine. This is the Plex server my machine is using.

Mar 04, 2023 11:00:58.333 [0x7f6a63b27b38] DEBUG - [EventSourceClient/pubsub/172.104.216.125:443] Read HTTP reply header.
Mar 04, 2023 11:00:58.333 [0x7f6a63b27b38] DEBUG - [EventSourceClient/pubsub/172.104.216.125:443] MyPlex: We appear to have regained Internet connectivity.
Mar 04, 2023 11:00:58.334 [0x7f6a63b27b38] DEBUG - [EventSourceClient/pubsub/172.104.216.125:443] MyPlex: async reachability check - current mapped state: 'Unknown'.
Mar 04, 2023 11:00:58.334 [0x7f6a63b27b38] WARN - [EventSourceClient/pubsub/172.104.216.125:443] MyPlex: attempted a reachability check but we're not yet mapped.

Plex’s servers fluctuate (their cloud host IPs change) but do stay in a pool.
You’ll start out with a few but will eventually build up to about 8 (what I have for here in the US)

To my thinking, Proxies, IP whitelists, and all that are networking.
Therefore, I handle them in my networking equipment and not in my applications.
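The log-mining steps above (DEBUG logging, look for "pubsub" and "MyPlex", collect the endpoints) as a small script. This is an added example, not something posted in the thread: it reads "Plex Media Server.log" on stdin and prints the unique Plex cloud IPs it finds, so you allow-list only the addresses your own server actually contacts rather than an arbitrary published list. The sample log embedded below is constructed from the lines quoted above plus one unrelated line (with the IP 203.0.113.7 and an internal 10.x address as placeholders) to show that only pubsub lines are picked up.

```shell
#!/bin/sh
# Added example (not from the thread): extract the Plex cloud endpoints your
# PMS actually talks to from "Plex Media Server.log", following the steps above.
# Only lines tagged EventSourceClient/pubsub or mentioning MyPlex are considered.

# Constructed sample, modelled on the log lines quoted in the thread.
# 203.0.113.7 and 10.1.1.1 are placeholders, not real Plex addresses.
SAMPLE_LOG=$(cat <<'EOF'
Mar 04, 2023 11:00:58.333 [0x7f6a63b27b38] DEBUG - [EventSourceClient/pubsub/172.104.216.125:443] Read HTTP reply header.
Mar 04, 2023 11:00:58.333 [0x7f6a63b27b38] DEBUG - [EventSourceClient/pubsub/172.104.216.125:443] MyPlex: We appear to have regained Internet connectivity.
Mar 04, 2023 11:01:10.001 [0x7f6a63b27b38] DEBUG - [Transcoder] Unrelated line containing 10.1.1.1:32400 that must be ignored.
Mar 04, 2023 11:02:00.000 [0x7f6a63b27b38] DEBUG - [EventSourceClient/pubsub/203.0.113.7:443] Read HTTP reply header.
EOF
)

# plex_pubsub_ips: print the unique IPv4 addresses found in pubsub/MyPlex
# lines, one per line, sorted. Usage: plex_pubsub_ips < "Plex Media Server.log"
plex_pubsub_ips() {
  grep -E 'EventSourceClient/pubsub/|MyPlex' \
    | grep -oE 'pubsub/[0-9]{1,3}(\.[0-9]{1,3}){3}:[0-9]+' \
    | sed -E 's#^pubsub/##; s#:[0-9]+$##' \
    | sort -u
}

# Demo on the constructed sample; feed your real log instead.
printf '%s\n' "$SAMPLE_LOG" | plex_pubsub_ips
```

Re-run it periodically (the poster notes the pool grows to roughly 8 addresses over time) and diff the output against your firewall alias; anything new is an address your server has started talking to, anything that disappears can be reviewed for removal.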

I see… so in pfSense, an alias is - at the end - just a bunch of ips. And you configured it to allow them.
That’s ok. That is what I’m doing also.
I also have some ips (the client ones) that are allowed to access tcp 443 port on my server.
I’ve also allowed the 2 ips listed in this file: https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt

Why these 2?
Because this website https://support.plex.tv/articles/200931138-troubleshooting-remote-access/ (section: IPs Being Blocked) says that “We’ve made an automatically-updated list of IPs that might be used for the connection attempt available.” so I’m dynamically updating my list of allowed ips to those addresses. Currently that list only contains 2 ips for me, so that is what is whitelisted.

But I really don’t want to add arbitrary ip addresses to the whitelist (allowed list). I’d really like to understand why plex tries to be smart instead of just letting the client (using the web, desktop/mobile app, whatever) connect to the server (whose address plex already knows, since it has the “custom server access URLs” set.) with that already known address.
Since the client’s ip is whitelisted, it would just work and plex’s servers don’t have to connect to anything at all so they don’t need to be allowed.

They are really big on security. It used to be much as you describe & want but, thanks to people not understanding how to spell “networking”, being “completely as the user wants” stopped.

If you think of Plex.tv as a DNS broker for you, you’ll be a lot better off.

  1. You give it the URLs you want it to publish.
  2. The client will pull that URL from Plex.tv and use it to connect to you.
  3. As that connection is inbound, it’s up to you (first) to pass through to the server if valid
  4. Lastly, PMS (the software on your server) will enforce the “is this client allowed access to this server (and its library sections)” as you’ve defined in your Sharing settings.

What you describe here should make this whole thing I described in the 1st post just work.

  1. I gave plex the url to “publish” (know about) in the “custom server access URLs”
  2. Yes, that should happen
  3. Yes, I’ve allowed the clients ips to access the published server address on port 443
  4. Yes, that also should happen. Although right now I’m testing it only with my own account, which is also the account running the server, but that should not matter, since it definitely has access to the libraries.

To add one thing to point.

I specify the FQDN/DDNS name.

pfSense evaluates it in real-time.

This is great for DDNS cases where everyone’s ISP is handing out DHCP addresses which can change in a heartbeat.

Don’t forget to make certain to add your FQDN’s cert (key, cert, and CA) in P12 to PMS. It’ll have a fit if you don’t.

Hmm… it seems this is some kind of CORS issue.

I’ve just checked the browser’s console and it complains about CORS.
For testing, I added (actually replaced) the “Access-Control-Allow-Origin” header with “*” and that seemed to make it work on app.plex.tv.

I need to investigate this further…

So far it seems that this was a reverse proxy misconfiguration.
Couple of headers were set to the wrong value and now https://app.plex.tv/desktop can indeed access the library properly.

So it seems - though it needs further testing, but I cannot do that until Monday - that it is indeed everything possible written in the OP, and the ips listed here: https://s3-eu-west-1.amazonaws.com/plex-sidekiq-servers-list/sidekiqIPs.txt don’t even need to be allowed at all, which is great.

Will report back on Monday and close this one then.

Yes, it definitely was a reverse proxy misconfiguration. It works as described now.

Hey there, I think I’m having the same problem as you with my reverse proxy and cors errors. What configuration changes did you make?

I rewrote my nginx config as described on this site:

and it works great now.
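The thread never shows the corrected nginx config, so here is an added example (mine, not the OP's and not from the linked site) of a minimal reverse proxy that implements the requirements from the first post: listen on 443, accept only TLS 1.3, allow-list client IPs, and forward to Plex bound to 127.0.0.1:32400. The host name, certificate paths and the 198.51.100.0/24 client range are placeholders. The CORS point is the caveat a practitioner wants: PMS emits its own Access-Control-Allow-Origin for app.plex.tv, and if the proxy injects a second copy the browser sees a header with two values and rejects the response; the "*" workaround mentioned above is a test-only setting because it lets any origin read responses from the proxy. Whether that exact duplication was the OP's misconfiguration is not stated in the thread.

```nginx
# Added example, not the OP's config. Placeholders: plex.example.com, the cert
# paths, and the 198.51.100.0/24 client range.

# Goes in the http {} context: map the Upgrade header so websocket requests
# from the web app get "Connection: upgrade" and plain requests do not.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name plex.example.com;

    ssl_certificate     /etc/ssl/plex.example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/plex.example.com/privkey.pem;     # placeholder
    ssl_protocols TLSv1.3;   # TLS 1.3 only, as in the OP's setup

    # IP allow-list: only these clients may reach the proxy at all.
    # Keep this list in the proxy or the firewall, not both, so there is one
    # place to audit.
    allow 198.51.100.0/24;   # placeholder: your whitelisted client range(s)
    deny  all;

    location / {
        # PMS is bound to localhost only (allowLocalhostOnly="1").
        proxy_pass http://127.0.0.1:32400;
        proxy_http_version 1.1;

        # Preserve host, client address and scheme so PMS reports the
        # public https URL back to app.plex.tv rather than 127.0.0.1.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Websocket upgrade for the event stream used by the web app.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Do NOT add_header Access-Control-Allow-Origin here: PMS sets its own
        # CORS headers for app.plex.tv, and nginx passes upstream headers
        # through unchanged by default. Adding a second copy (or "*") breaks
        # or over-widens the CORS policy.

        # Streaming responses should not be held in proxy buffers.
        proxy_buffering off;
    }
}
```

To check the result from an allowed client, request any PMS endpoint through the proxy with an `Origin: https://app.plex.tv` request header and confirm exactly one Access-Control-Allow-Origin header comes back; from a non-allowed address the proxy should answer 403 before anything reaches PMS.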

Just wanted to throw this in here since you're using nginx reverse proxies, you may as well go integrate cloudflare real quick, and then add a feature that the plex community has been begging for for the past 7-8 years.
GitHub - zmike808/Plex-Blackmagic: A cloudflare worker for plex that uses blackmagic to change default client bitrates! - it manually sets the transcode quality for users based on the quality they are currently using/your defined logic and/or conditions. Been using it for 3-4 years at least.
I originally made it because I'm sure plex will never give us this ability.
After all they teased us with the “auto adjust quality” feature that has been sitting there un-updated for 4+ years. Not talked about by the team, pretended as if it doesn’t exist, but still not removing it either.
