Server accessible via reverse proxy at custom url and app.plex.tv, but not with PlayStation app

Server Version#:1.15.4.993
Player Version#:PS3 App, updated 7th May 2019

Hi folks,

This one is confusing me a little bit.

I have PMS running in the latest official docker container.
The server is accessible from outside the network at https://plex.mydomain.com via traefik reverse proxy, secured with Let’s Encrypt SSL certs. Ports 80 & 443 are forwarded through the firewall to the reverse proxy, which forwards to the plex container on port 32400.
The reverse proxy forces HTTPS by redirecting incoming HTTP entrypoint connections to HTTPS.

I have entered https://plex.mydomain.com:443/ in the custom URLs field in Settings > Network in order to advertise this to plex.tv as a discoverable address. It seems to work fine as I can access the server using my plex.mydomain.com address, and the server appears green and as ‘remote’ when being accessed via app.plex.tv from outside the network. I can even get it to connect on mobile both inside and outside the network.
Remote access menu on plex web interface never shows that my server is accessible from outside the network, but I have come to realise that this is a kind of red herring. Whilst it isn’t accessible in the regular way plex is expecting (port forward 32400 through router direct to plex and using IP addresses instead of an FQDN), it is accessible outside the network thanks to custom URL, manual remote access port set to 443 and reverse proxy.

This set up works perfectly fine for accessing the server in a web browser on practically any device, as mentioned a moment ago I can access it using my custom url or via app.plex.tv. Oddly I got “plex is offline or unreachable” and I had to specify the manual server ip of my docker host on my smart tv, even though it is on the same local network as the docker host. I even put the local docker host ip in the custom URL and it didn’t take it. That’s not really an issue though as it works with manual server setting and I suspect it is a product of the server running in a bridged container on a different subnet to the host, it wasn’t being automatically advertised or something, possibly even DNS rebinding protection on the router? Not sure but not too bothered.

The issue comes when I tried to connect my friend’s Plex PS3 App to my server over the internet, as I have shared some libraries with him. He logged in fine and the server name was recognized, but we got the “plex is offline or unreachable”. Listed on the error page were all the entries in the custom URL field as well as the server’s public IP address, so it’s getting the correct settings it just can’t see the server properly:
dockerhost_local_ip, plex.mydomain.com, public_ip_address

I tried a few different variations of ports in the custom URL field (https://plex.mydomain.com:443,http://plex.mydomain.com:80/,https://plex.mydomain.com/32400), and I tried setting the manual server setting on the PS3 app to the following too:
public_ip_address:80
public_ip_address:443
public_ip_address:32400

None of those worked.

I’ve seen some evidence online to suggest that the PS3 Plex App doesn’t like to be forced down HTTPS, is there any truth in that? If so, is it likely to be the reverse proxy forcing HTTPS causing the issue?

Does anybody know a way around this? It’s a bit frustrating for it to work with pretty much every web browser on any device, both via custom url and app.plex.tv, and have it work on mobile, but for it to struggle with TV and PlayStation apps. I’d tell my mate to just use Safari on his iPad, but that thing is a bit of a relic and the experience would be frustratingly slow for him - I’m actually amazed it has survived as long as it has.

Any help greatly appreciated. If you want any logs or more info, or maybe for me to explain something more clearly with less waffle just let me know what you need.

Kind regards,
blairnet
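
Added example, not part of the original posts: a small Python check that parses a comma-separated custom URL field like the one quoted above and reports which scheme, host port and path a client would actually use for each entry. The function name `audit_custom_urls` and the `proxy_forces_https` flag are hypothetical; the sample input is constructed from the three variations listed in the post.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def audit_custom_urls(field, proxy_forces_https=True):
    """Return (url, effective_port, findings) for each entry in a comma-separated field."""
    results = []
    for raw in field.split(","):
        url = raw.strip()
        if not url:
            continue
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORTS:
            results.append((url, None, ["missing or unsupported scheme"]))
            continue
        try:
            # .port raises ValueError when the port is non-numeric or out of range
            port = parts.port or DEFAULT_PORTS[parts.scheme]
        except ValueError:
            results.append((url, None, ["port is not a valid number"]))
            continue
        findings = []
        segment = parts.path.strip("/")
        if segment.isdigit():
            # e.g. https://host/32400 requests the path /32400 on the default port
            findings.append(f"'{segment}' is a URL path, not a port; "
                            f"the client connects to port {port}")
        if parts.scheme == "http" and proxy_forces_https:
            findings.append("plain HTTP is redirected to HTTPS by the proxy; "
                            "the client must follow the redirect and speak TLS")
        if (parts.scheme, port) in (("http", 443), ("https", 80)):
            findings.append("scheme and port disagree")
        results.append((url, port, findings))
    return results

# Constructed input: the three variations quoted in the post.
SAMPLE = ("https://plex.mydomain.com:443,"
          "http://plex.mydomain.com:80/,"
          "https://plex.mydomain.com/32400")

if __name__ == "__main__":
    for url, port, findings in audit_custom_urls(SAMPLE):
        print(f"{url} -> port {port}")
        for note in findings or ["ok"]:
            print(f"    {note}")
```
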

I can’t help you, I just like to know “why”.
Because I see no good reason to do it that way.

A few reasons.
a) To learn about reverse proxy
b) To not open port 32400 to the world, only 80 and 443, thus minimising my attack surface as much as I can
c) I like the idea of people accessing it via my domain, a personal touch if you will

Sure it’s probably needlessly complicated, but I like to tinker. It sounds like you’re saying I shouldn’t bother, should remove it from behind the proxy and just punch a 32400 shaped hole through my router? (The recommended setup)

I don’t see the point in b)
IMHO it doesn’t matter whether you open port 80 or 32400. It’s just a different number. Plus you can pick any arbitrary number by simply changing the portforwarding rule.
a) and c) are very valid reasons, but still

Pretty much, yes.

Darn, alright. I was hoping someone might have an actual solution, or an idea where to start. I can see why the best advice is ‘do it how the wiki says’, but it is a little unsatisfying! Aha. If we could keep this open for a while to see if anyone else has an opinion they’d like to put forward?

Can you think of any reason I wouldn’t be able to continue to have it accessible at https://plex.mydomain.com/ via the reverse proxy, and also just punch 32400 through for things like the PS3 app? I know I know… no point… but I’m paying for the domain name now so I kinda wanna use it! :slight_smile:

I don’t have any solution but just another silly question:
Aren’t ports 80 and 443 the most common ports used on a computer therefore the more easily detectable? I would rather use any other port than those to “hide” my plex server.

Well, yes, but plex isn’t the only thing behind the reverse proxy. There are a few different web servers/applications.
80/ 443 (HTTP/HTTPS) are the ports generally used for web traffic. Using these for the reverse proxy just makes things easier. Don’t have to type the port for one, as browsers know http and https use those ports.
The fact there is a reverse proxy there more or less ‘hides’ the plex server, because from outside it just looks like a regular web server.
I’m not really trying to ‘hide’ anything anyway, just restrict the ports that they are accessible on - instead of poking multiple holes in my firewall I just poke the two.

Still, as those ports are known to exist on any computer, they are more easy to monitor by an exterior party. Sorry my paranoia unleashed :slight_smile:

Sure, you’re correct and you have a very valid point, I’m pretty security paranoid myself but as the majority of all websites are accessible on 80 or 443, I see the risk as pretty minimal honestly. If Amazon or <generic_corporation> aren’t worried about hosting their corporate websites on 443, I don’t see why I should be. :slight_smile:

Alright, so I decided to just forward port 32400 from the Internet through my routers to my docker host. Remote Access is showing the happy green tick after manually specifying port 32400, and I haven’t made any changes to the reverse proxy, so it is still accessible from my custom URL: https://plex.mydomain.com/

I’ll get my buddy to try connecting on his PS3 app and see what happens, I suspect it is all gravy now though.

It would be great if the apps would play nicer with custom URLs and ports but hey-ho, it is what it is. If anyone comes across this and does have an answer or idea of something I can try, please don’t hesitate to comment - or if this thread has been closed, just wing me a PM - as I really would like to get this working without opening 32400.

I may yet change this port to something less well known.

Kindest regards,
Blairnet
