Plex web got some 401 responses from plex server behind reverse proxy

Server Version#: 1.19.1.2645

I have setup a plex server behind reverse proxy(traefik), and found some requests from plex web got 401 response. All other requests works fine.

image1239×403 51.5 KB

Another request got 401 response was:

/media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.22.3&X-Plex-Client-Identifier=i4aerdqfmsp8qic4j1q2buln&X-Plex-Platform=Chrome&X-Plex-Platform-Version=80.0&X-Plex-Sync-Version=2&X-Plex-Features=external-media%2Cindirect-media&X-Plex-Model=bundled&X-Plex-Device=OSX&X-Plex-Device-Name=Chrome&X-Plex-Device-Screen-Resolution=1920x299%2C1920x1080&X-Plex-Language=en

And I found thoese logs on server(mask email address and remote ip):

Apr 17, 2020 13:38:19.143 [0x7f9d2b7fe700] DEBUG - Request: [192.168.29.1:50863 (Subnet)] GET /media/providers (7 live) TLS GZIP Signed-in Token (xxx@gmail.com)
Apr 17, 2020 13:38:19.144 [0x7f9d52ffd700] DEBUG - Using X-Forwarded-For: 111.203.244.2 as remote address
Apr 17, 2020 13:38:19.144 [0x7f9d52ffd700] DEBUG - Auth: authenticated user 1 as xxx@gmail.com
Apr 17, 2020 13:38:19.144 [0x7f9d2b7fe700] DEBUG - Request: [192.168.17.1:35068 (WAN)] GET /media/providers (7 live) GZIP Signed-in Token (xxx@gmail.com)
Apr 17, 2020 13:38:19.146 [0x7f9d537fe700] DEBUG - Completed: [192.168.29.1:50863] 200 GET /media/providers (7 live) TLS GZIP 2ms 3816 bytes (pipelined: 11)
Apr 17, 2020 13:38:19.146 [0x7f9d537fe700] DEBUG - Completed: [192.168.17.1:35068] 200 GET /media/providers (7 live) GZIP 2ms 3737 bytes (pipelined: 4)
Apr 17, 2020 13:38:19.163 [0x7f9d52ffd700] DEBUG - Using X-Forwarded-For: 111.xx as remote address
Apr 17, 2020 13:38:19.163 [0x7f9d52ffd700] DEBUG - Request: [192.168.17.1:35068 (WAN)] GET /media/providers (7 live) GZIP Signed-in
Apr 17, 2020 13:38:19.163 [0x7f9d52ffd700] DEBUG - Completed: [192.168.17.1:35068] 401 GET /media/providers (7 live) GZIP 0ms 357 bytes
Apr 17, 2020 13:38:19.163 [0x7f9d537fe700] DEBUG - Using X-Forwarded-For: 111.xx as remote address
Apr 17, 2020 13:38:19.163 [0x7f9d537fe700] DEBUG - Request: [192.168.17.1:35118 (WAN)] GET / (7 live) GZIP Signed-in
Apr 17, 2020 13:38:19.163 [0x7f9d537fe700] DEBUG - Completed: [192.168.17.1:35118] 401 GET / (7 live) GZIP 0ms 435 bytes

This causes a problem: I have fail2ban server setup on traefik server, one of the filters is filter all 401 responses and jail the IP, with the 401 responses mentioned above, I will be banned from traefik server shortly after I open plex web app.

My traefik config:

# place at /etc/traefik/conf.d/
[http.routers.plex]
  rule = "Host(`plex.{domain}.io`)"
  entrypoints = ["https"]
  service = "plex"
  middlewares = ["plex"]
  [http.routers.plex.tls]
    certResolver = "default"
    [[http.routers.plex.tls.domains]]
        main = "*.{domain}.io"

[http.services.plex]
  [http.services.plex.loadBalancer]
    passHostHeader = true
    [[http.services.plex.loadBalancer.servers]]
      url = "http://[plex-server]:32400"

[http.middlewares.plex]
  [http.middlewares.plex.headers]
  [http.middlewares.plex.headers.sslProxyHeaders]
    x-forwarded-for = "https"
  [http.middlewares.plex.headers.customRequestHeaders]
    x-forwarded-ssl = "on"

Fail2ban filter:

[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" 401 .+$

Explain the network:

192.168.29.x is the local LAN.
192.168.17.x is a virtual LAN composed by nebula(something like wireguard), as my ISP does not allow publish web port. And with this virtual LAN, I can access plex from a vps with public ip.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.