Remote Access via Walled Garden

Server Version#: 1.32.3.7089
Player Version#: Plex Web 4.100.1

Looking for some help on a corner case. My setup is as follows:

Plex Server — Firewall w/ NAT — NGINX — Firewall — Client

The goal is for the client (which is just coming in via webpage) to be able to access my Plex server on my account. The problem is that the client is severely restricted and can only get to the NGINX server. It can’t get to app.plex.tv (or plex.tv at all) to authenticate. It can hit the NGINX server which sits in a DMZ. The Plex server sits behind another firewall which is providing NAT services. Both the plex server and the NGINX have the ability to get out to the internet as needed, the client does not. The NGINX server also only has the one IP, please do not think that it has a public and private side from the diagram above.

I’ve gone through and tried several configurations on the NGINX server with the following:

server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    server_name my.plex.server;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $host;
    proxy_set_header Referer $host;
    proxy_set_header Origin $host;
    proxy_set_header X-Real-IP $remote_addr;
    # When using ngx_http_realip_module change $proxy_add_x_forwarded_for to '$http_x_forwarded_for,$realip_remote_addr'
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
    proxy_set_header X-Plex-Device $http_x_plex_device;
    proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
    proxy_set_header X-Plex-Platform $http_x_plex_platform;
    proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
    proxy_set_header X-Plex-Product $http_x_plex_product;
    proxy_set_header X-Plex-Token $http_x_plex_token;
    proxy_set_header X-Plex-Version $http_x_plex_version;
    proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
    proxy_set_header X-Plex-Provides $http_x_plex_provides;
    proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
    proxy_set_header X-Plex-Model $http_x_plex_model;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
    proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
    proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;

    location / {
        proxy_pass https://NAT-EXTERNAL-IP-OF-PLEX-SERVER:32400/;
    }
}

I’ve also tried (found on a reddit post):

    proxy_set_header Referer http://NAT-EXTERNAL-IP-OF-PLEX-SERVER:32400/web/index.html;  # IP of Plex Media Server
    proxy_set_header Host    IP-OF-NGINX;                                                  # IP of Nginx Reverse Proxy Server
    proxy_set_header Origin  http://IP-OF-NGINX;                                           # IP of Nginx Reverse Proxy Server

The IP of the NGINX server is listed on the Plex under the “List of IP addresses and networks that are allowed without auth”. I was having issues with this early on but I believe that it’s working now because I no longer get the “non-local” message, and it says Signed-In on several of the log messages.

Unfortunately, while I can get to the site, and the Plex logo comes up and from what I can tell in the logs the 20 or so .js files are all sent over, I get a redirect to app.plex.tv to login and that’s where it fails.

I realize there are security implications here, I have the firewall on the NGINX very tuned so that it’s only passing traffic between the client and the server, it’s not publicly reachable.

Can anyone tell what I’m missing or misconfigured? Thank you!

If the client is restricted from reaching plex.tv to authenticate at minimum, it will never work.

Blocking public inbound (Public reachability) is correct.
Preventing the app from contacting Plex.tv and getting the reply is where it’s far too tight.

You need a pass rule which allows Plex.tv (domain)

Unfortunately there’s no way that’s going to be opened up. The walled garden has no internet connections by design. I thought the point of the “List of IP…” was to allow this kind of corner case. Is there a way on NGINX to do a rewrite and proxy the app.plex.tv login somehow? The NGINX server could be allowed to reach plex.tv.

When an HTTP request arrives, Plex checks the Referer, Origin, and Host headers (at least) to validate the source is from a local network. This precludes using both FQDNs and non-RFC-1918 network addresses normally (if you don’t want to have to authenticate). Try modifying the following in your reverse proxy’s server configuration:

proxy_set_header Host ip_address_of_proxy;
proxy_set_header Referer ip_address_of_proxy;
proxy_set_header Origin $remote_addr;

(Assumes both the client and the reverse proxy live in a private IP address space.)

A tell-tale sign that something is amiss is a log entry along the lines of “Request came in with…” in your server logs, showing one of the headers above being non-local.
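As an added illustration of the header rule described in this reply (example code, not from the thread or from Plex), the script below classifies the Host, Referer and Origin values a proxy would forward as local (RFC 1918 or loopback literal) or non-local (FQDN or public IP), and checks a proxy's source address against the server's "allowed without auth" network list. All header values, addresses and networks in it are constructed for illustration.

```python
"""Classify proxied headers the way the reply above describes Plex doing it.

Added example, not Plex's code. Host, Referer and Origin count as local
only when they carry a literal RFC 1918 or loopback address; FQDNs and
public IPs do not. Sample headers and networks below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

CHECKED = ("Host", "Referer", "Origin")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def header_host(value: str) -> str:
    """Strip scheme, port and path from a header value, leaving the host."""
    if "://" not in value:
        value = "//" + value          # bare host[:port], as sent in Host
    return urlsplit(value).hostname or ""


def is_local(host: str) -> bool:
    """True only for literal RFC 1918 or loopback IPs; names never qualify."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                  # an FQDN such as my.plex.server
    return ip.is_loopback or any(ip in net for net in RFC1918)


def non_local_headers(headers: dict) -> list:
    """Names of the checked headers whose value would be flagged non-local."""
    return [h for h in CHECKED
            if not is_local(header_host(headers.get(h, "")))]


def proxy_allowed(proxy_ip: str, allowed_networks: list) -> bool:
    """Does the proxy's source IP fall inside the no-auth network list?"""
    ip = ipaddress.ip_address(proxy_ip)
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in allowed_networks)


if __name__ == "__main__":
    # Constructed: what the first config in the thread forwards (FQDN Host)
    fqdn = {"Host": "my.plex.server", "Referer": "my.plex.server",
            "Origin": "my.plex.server"}
    # Constructed: this reply's suggestion with a private proxy address
    private = {"Host": "10.0.0.5", "Referer": "10.0.0.5",
               "Origin": "https://10.0.0.20:32400"}
    print(non_local_headers(fqdn))       # every checked header flagged
    print(non_local_headers(private))    # nothing flagged
    print(proxy_allowed("10.0.0.5", ["10.0.0.0/24"]))
```

A public DMZ address such as the original poster's NGINX fails the same check, which is consistent with the later report that only an NGINX on a private address in front of Plex made it work.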

I was able to finally get this working by stacking the NGINX. There was no way to get it working with just the NGINX in the DMZ. The DMZ uses only public IPs so this was causing some issues. I ended up loading NGINX on the plex server, doing all the magic there, and then just have the NGINX in the DMZ point to the NGINX on the plex.

The one problem I’m having is that every time I load the page I am presented with the “pick your default libraries” screen. It doesn’t seem to be storing those settings anywhere. I can understand if they were logins from different devices, but it happens even if I just hit refresh on the same box. This is my NGINX config on the plex:

server {
    ssl on;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    auth_basic "Login";
    auth_basic_user_file /etc/nginx/htpasswd;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host PLEX-IP-ADDRESS:32400;
    proxy_set_header Referer PLEX-IP-ADDRESS:32400;
    proxy_set_header Origin PLEX-IP-ADDRESS:32400;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
    proxy_set_header X-Plex-Device $http_x_plex_device;
    proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
    proxy_set_header X-Plex-Platform $http_x_plex_platform;
    proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
    proxy_set_header X-Plex-Product $http_x_plex_product;
    proxy_set_header X-Plex-Token $http_x_plex_token;
    proxy_set_header X-Plex-Version $http_x_plex_version;
    proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
    proxy_set_header X-Plex-Provides $http_x_plex_provides;
    proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
    proxy_set_header X-Plex-Model $http_x_plex_model;
    proxy_set_header Cookie $http_cookie;
    proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
    proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
    proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;

    location / {
        proxy_pass https://PLEX-IP-ADDRESS:32400/;
    }
}

And this is the DMZ:

server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    server_name my.public.domain.name;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;

    location / {
        proxy_pass https://my.plex.server.nginx/;
    }
}

Any thoughts on where I’m losing the tracking?
