PlexConnect: run HTTPS on alternative port (not 443)

A quick question: is it possible to have PlexConnect offer and advertise HTTPS connections on an alternative port to 443, or is that a hardcoded requirement from the AppleTV side?

I run Plex and Plex Connect on my Synology DS412+ NAS (both are great; thank you!). I'd *also* like to host a couple of personal web services on the 412+, but while the Synology admin interface allows you to specify additional ports for HTTPS traffic, you can't disable port 443. The upshot of this is that I can't enable HTTPS for the web services (as the Plex Connect webserver has already claimed the port).

ATV uses 443, no way around that.

But you should be able to set up port forwarding on your NAS and reroute PlexConnect to another one.

Or let NAS/Apache handle the SSL stuff and don't use PlexConnect's SSL Server at all.

Thanks -- will give it a try. I'm no apache-config expert, so I suspect some googling is in my future...

I am sure in the Synology thread I had read about this being done already in the package for you, but maybe I did not read it correctly as I don't have a Synology so have not followed the entire thread.

https://forums.plex.tv/topic/72356-plexconnect-on-synology/

The Synology package handles the port 80 virtual host/proxypass setup for Apache but seemingly there's something about the way the SSL certificate handling is set up which makes it difficult/impossible to create an SSL-enabled virtual host for proxypathing. There was one person who said they'd got it working (and posted sample config code) but I couldn't make it work for me, and there were a lot of people saying it would never work.

It looks like there might be an iptables portforwarding rule which should do the job; again, it's not working for me but I've posted in the other thread and will see how that goes.

Progress!

I now have Plexconnect working happily on my ATV3, streaming content from my Synology DS412+, while the Synology is also serving web pages on port 443 via HTTPS. It's not perfect, but progress is progress.

The problem:

A quirk in the way the webserver on the 412+ is set up means that while you can specify additional port(s) for HTTPS, you can't disable serving HTTPS from port 443. Unfortunately, serving content from port 443 is required for plexconnect to work.

The (mostly) fix:

As reported in another thread, it's possible to use ipTables to port forward from port 443 to a custom port you specify in plexconnect's settings.cfg, by restricting the forwarding to just one device (ip address).

The quirks:

The ipTables command to run looks like this:

iptables -t nat -A PREROUTING -i [interface] -p tcp --syn -s [source IP] -d [destination IP] --dport 443 -j DNAT --to-destination [destination IP]:[custom port]

where:

[interface] is the network interface active on your Diskstation: mine was eth0, but it depends on your model and configuration

[source IP] is the IP address of your Apple TV. Time to assign it a fixed IP address, if you haven't already. 

[destination IP] is the IP address of your Diskstation. This should also be fixed (and is probably static)

[custom port] is the new port number for the plexconnect SSL webserver you specified in Settings.cfg. 

Unfortunately when I first tried this I got an error message from ipTables about missing modules.

My solution, from start to finish:

1. Go to the package manager and stop the Plexconnect package. While you're here, install the VPN Server package from the official repo

2. Go to the Plexconnect folder (/volume1/@appstore/plexconnect/share/PlexConnect, probably) and edit the Settings.cfg file to change the port_SSL value to something other than 443. I went with 9999.

3. From the main menu, go to the VPN Server and activate one of the servers. I activated the OpenVPN server.

4. Add a new rule to the Firewall (Control Panel > Security > Firewall) which allows all from all. I'm not 100% sure this is required.

5. Issue the iptables command, customised for your IP addresses and chosen port.

6. Go back to the package manager and restart Plexconnect.

Problems/to do:

1. I don't really want to have an OpenVPN server running on my diskstation, but I haven't as yet figured out how to tell ipTables to load the relevant modules independently of the VPN server package. 

2. The firewall rule won't persist past a reboot, so I need to figure out where the 'rules loaded at boot' configuration file lives and edit it to make sure the port forwarding rule is added automatically

I'll update this once I figure out the problems/to-do (any hints happily received!)

Solution to problem 2 (rule doesn't persist past reboot) under DSM5.1. From a ssh session:

1. Create a new script in /usr/local/etc/rc.d. Call it S99fwrules.sh -- or whatever, provided it starts with S99 and ends with .sh. You can use vi, or nano if you have it installed.

2. My script looks like this:

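#!/bin/sh
# Only act when the script is called with "start", as it is at boot.
[ "$1" = "start" ] || exit
# Forward the Apple TV's connections on port 443 to PlexConnect's custom SSL port.
iptables -t nat -A PREROUTING -i eth0 -p tcp --syn -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy --dport 443 -j DNAT --to-destination yyy.yyy.yyy.yyy:zzzz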

where xxx.xxx.xxx.xxx is the IP address of the AppleTV, yyy.yyy.yyy.yyy is the IP address of your Synology box, and zzzz is the new port number you told PlexConnect to listen for SSL on (I used 9999)

3. Once you've saved the script, run "chmod 755 S99yourscript.sh" to make it executable.

To test:

Assuming you haven't already run the iptables command or have freshly rebooted, type "iptables -t nat -L" and note the prerouting section will most likely be empty. Then execute your script ("./S99scriptname.sh start" from the rc.d folder), then look at the output of "iptables -t nat -L" again. You should see a line in the prerouting section about your appletv.

If that works, reboot your Synology box, ssh back in, and run "iptables -t nat -L" again. If the line referencing your appletv is there, you're done.

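An idempotent variant of the boot script described in the post above, as an added example that is not part of the original thread: it validates the addresses and port, then appends the DNAT rule only when `iptables -C` reports it missing, so running the script twice does not stack duplicate rules. The addresses are constructed placeholders, the function names are hypothetical, and it assumes the DiskStation's iptables build supports `-C`.

```shell
#!/bin/sh
# Added example: idempotent form of the thread's boot-time DNAT rule.
# Addresses below are constructed placeholders (RFC 5737 documentation range).
IPTABLES="${IPTABLES:-iptables}"  # overridable so the logic can be dry-run
IFACE="eth0"
ATV_IP="192.0.2.10"      # Apple TV
NAS_IP="192.0.2.20"      # DiskStation
PLEX_SSL_PORT="9999"     # port_SSL value from Settings.cfg

# Accept only dotted-quad IPv4 addresses with octets 0-255.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Accept a TCP port in 1-65535 other than 443, which the NAS web server keeps.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && [ "$1" -ne 443 ]
}

# Rule specification shared by the check (-C) and append (-A) calls.
rule_spec() {
    echo "PREROUTING -i $IFACE -p tcp --syn -s $ATV_IP -d $NAS_IP --dport 443" \
         "-j DNAT --to-destination $NAS_IP:$PLEX_SSL_PORT"
}

# Append the rule only when it is absent, so reruns do not stack duplicates.
ensure_rule() {
    valid_ip "$ATV_IP" && valid_ip "$NAS_IP" && valid_port "$PLEX_SSL_PORT" || return 2
    # $(rule_spec) is deliberately unquoted so it splits into arguments.
    if $IPTABLES -t nat -C $(rule_spec) 2>/dev/null; then
        return 0
    fi
    $IPTABLES -t nat -A $(rule_spec)
}

# DSM runs rc.d scripts with "start" at boot; do nothing for other arguments.
if [ "$1" = "start" ]; then ensure_rule; fi
```

Because the match is limited to the Apple TV's source address, every other client still reaches the NAS's own HTTPS service on port 443.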

Hello

I'm not sure if this is the best way to do this but it worked for me. Thanks for the post.

The only thing which won't work is the start script. I tried to google a solution already. Can someone please explain to me the right syntax for a working start script on DSM 5.2? It works perfectly at the command line, but is not executed at boot time.

Thanks

I’m curious as to how this turned out

You sir are smart
