PMS paths that do not require authentication

I'm using the regexp to test for client requests through a reverse proxy to PMS that should not require authentication:

 

"^/(web/{0,1}$|manage/{0,1}$|web/css/|web/js/|web/img/|web/fonts/|web/translations/|web/swf/|web/index.html|manage/index.html)"

 

See any that are missing?  Should I just allow all of /web/, or could any restricted content be delivered from there?

 

All depends on your goal here, IMHO

If you go to http://:32400 you'll see an xml file listing all the root urls used within Plex, except /web, AFAIK

So if you want like streaming, you'll need /library as well

And /manage is AFAIK outdated, and only there for backwards compatibility

/T

I’m after the stuff that requires no authentication token, so certainly not /library :wink:


Is every part of /web safe to allow unauthenticated access?

To (partially) answer my own question:

So far, it looks like /web/*, /manage/*, and /video/:/transcode/universal/session/* do not use authentication tokens for access (clients will not send "X-Plex-Token" when sending requests).

Any others?
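An added example, not part of the thread and not Plex's or any poster's code: the regexp from the first post applied to constructed request targets, with the path canonicalised first (query dropped, percent-escapes decoded once, dot segments resolved) so the allowlist is matched against the path the backend would actually serve. The helper names `canonical_path`, `requires_token` and `classify`, the sample targets, and the assumption that the proxy does not already normalise the path are all this example's own.

```python
import posixpath
import re
from urllib.parse import unquote

# Regexp copied verbatim from the first post: paths passed through without a token.
NO_AUTH = re.compile(
    r"^/(web/{0,1}$|manage/{0,1}$|web/css/|web/js/|web/img/|web/fonts/"
    r"|web/translations/|web/swf/|web/index.html|manage/index.html)"
)


def canonical_path(request_target: str) -> str:
    """Drop the query string, decode percent-escapes once, resolve dot segments."""
    raw = unquote(request_target.partition("?")[0])
    path = posixpath.normpath("/" + raw.lstrip("/"))
    # normpath strips a trailing slash, but the regexp treats "/web/" specially.
    if raw.endswith("/") and path != "/":
        path += "/"
    return path


def requires_token(request_target: str) -> bool:
    """True when the proxy should insist on authentication for this request."""
    return NO_AUTH.search(canonical_path(request_target)) is None


# Constructed request targets for illustration; none come from a real capture.
SAMPLES = [
    "/web",
    "/web/index.html?lang=en",
    "/web/js/app.js",
    "/manage/index.html",
    "/library/sections",
    "/web/css/../../library/sections",          # prefix matches, target does not
    "/web/css/%2e%2e/%2e%2e/library/sections",  # same path, percent-encoded
    "/video/:/transcode/universal/session/EXAMPLE/file",  # not in the regexp
]


def classify(targets):
    """Map each request target to whether a token must be demanded."""
    return {t: requires_token(t) for t in targets}


if __name__ == "__main__":
    for target, needs_token in classify(SAMPLES).items():
        print(f"{'token required' if needs_token else 'no token':15} {target}")
```

The regexp is a prefix match for the `/web/css/`-style entries, so it only means what it appears to mean when it is applied to the canonical path.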
