Server prompting to require insecure connections (webpage stuck in loop)

Server Version#: Version 1.18.8.2527
Player Version#: web-Firefox
server OS: 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

Web playback was working fine for the last 2 months, no updates to Plex, then I had the following issue (note: since the problem was persistent and there was a stable new release of Plex available, I upgraded, hence the newer version listed as my server version)

I now get the following after connecting, launching, and logging in:

  • If I logon as my “admin” account or local-user, then:
    • “Something went wrong”
    • click on one of my libraries and I have to choose “Allow insecure connections”
    • then I click “allow once” OR “allow always”
    • then the URL bar keeps refreshing over and over… only option is to “STOP” refresh in my web-browser and change the part of the url that says “secure=0” to “secure=1” and then wash-rinse-repeat

Steps taken:

  1. If I open the browser ON my plex server, then it opens fine (same version of Firefox).
  2. systemctl restart plexmediaserver (same symptoms)
  3. Works fine on android and firestick


Stop Plex
Edit Preferences.xml
Before the closing /> put secureConnections="1" (preferred)
Save
Start
Open INCOGNITO window to the server
Sign in
Now you can download the logs and see what’s going on from them.
Also, consider if you should set the default to “Preferred” while resolving the problem

1 Like

The default is currently set to preferred (since I can edit it from a webpage ON the plex server, I checked it).

  • Do I still need to add it to the Preferences.xml? (It’s not in the xml, but it is set in the web-gui)
  • and/or do you want me to download the logs?

Asking out of caution and to learn, not to disrespect/slow-down your help.

The edit I gave you was the “Let me set this NOW” edit.

It saves having to put it on the URL every time plus brings the server up in a less-restrictive mode and able to back off (e.g. insecure on your home LAN is 100% safe).

At home, I turn it all off. Don’t need it. WiFi is secure, wires are secure.

My LAN is declared the exception. Done.

Appreciate the respect VERY much. It’s also late here and everyone is a bit sick or tense so asking is always best to be certain.

Ahh, gotcha.

I just recreated the issue and here is a section of the only log file with time entries from that time:

Mar 18, 2020 07:30:18.626 [0x7f8bdd5c8700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:30:18.626 [0x7f8bceffd700] DEBUG - Request: [127.0.0.1:35566 (Loopback)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:30:18.626 [0x7f8bceffd700] DEBUG - Content-Length is -1 (of total: -1).
Mar 18, 2020 07:30:38.626 [0x7f8bdde4a700] DEBUG - Completed: [127.0.0.1:35566] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP 20000ms 5 bytes (pipelined: 1)
Mar 18, 2020 07:30:38.632 [0x7f8bdd5c8700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:30:38.632 [0x7f8bceffd700] DEBUG - Request: [127.0.0.1:35574 (Loopback)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:30:38.632 [0x7f8bceffd700] DEBUG - Content-Length is -1 (of total: -1).
Mar 18, 2020 07:30:58.632 [0x7f8bdde4a700] DEBUG - Completed: [127.0.0.1:35574] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP 20000ms 5 bytes (pipelined: 1)
Mar 18, 2020 07:30:58.643 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:30:58.643 [0x7f8bceffd700] DEBUG - Request: [127.0.0.1:35586 (Loopback)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:30:58.643 [0x7f8bceffd700] DEBUG - Content-Length is -1 (of total: -1).
Mar 18, 2020 07:31:18.360 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:31:18.360 [0x7f8bceffd700] DEBUG - Request: [127.0.0.1:35602 (Loopback)] GET /:/prefs (6 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:31:18.363 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:31:18.363 [0x7f8b46fed700] DEBUG - Request: [127.0.0.1:35604 (Loopback)] GET /accounts/1 (8 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:31:18.363 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:31:18.363 [0x7f8bc6ffd700] DEBUG - Request: [127.0.0.1:35606 (Loopback)] GET /myplex/account (8 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:31:18.364 [0x7f8bdd5c8700] DEBUG - Completed: [127.0.0.1:35606] 200 GET /myplex/account (8 live) GZIP 0ms 2619 bytes (pipelined: 1)
Mar 18, 2020 07:31:18.368 [0x7f8bdd5c8700] DEBUG - Completed: [127.0.0.1:35604] 200 GET /accounts/1 (8 live) GZIP 5ms 518 bytes (pipelined: 1)
Mar 18, 2020 07:31:18.371 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:31:18.371 [0x7f8bc6ffd700] DEBUG - Request: [127.0.0.1:35606 (Loopback)] GET /system/:/prefs (8 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:31:18.372 [0x7f8bc6ffd700] DEBUG - [com.plexapp.system] Sending command over HTTP (GET): /system/:/prefs
Mar 18, 2020 07:31:18.372 [0x7f8bc6ffd700] DEBUG - HTTP requesting GET http://127.0.0.1:34055/system/:/prefs
Mar 18, 2020 07:31:18.373 [0x7f8bdde4a700] DEBUG - Completed: [127.0.0.1:35602] 200 GET /:/prefs (8 live) GZIP 13ms 7655 bytes (pipelined: 1)
Mar 18, 2020 07:31:18.380 [0x7f8bc6ffd700] DEBUG - HTTP 200 response from GET http://127.0.0.1:34055/system/:/prefs
Mar 18, 2020 07:31:18.381 [0x7f8bc6ffd700] DEBUG - [com.plexapp.system] HTTP reply status 200, with 418 bytes of content.
Mar 18, 2020 07:31:18.381 [0x7f8bdde4a700] DEBUG - Completed: [127.0.0.1:35606] 200 GET /system/:/prefs (8 live) GZIP 9ms 734 bytes (pipelined: 2)
Mar 18, 2020 07:31:18.643 [0x7f8bdde4a700] DEBUG - Completed: [127.0.0.1:35586] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (8 live) GZIP 20000ms 5 bytes (pipelined: 1)
Mar 18, 2020 07:31:18.664 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:31:18.664 [0x7f8b46fed700] DEBUG - Request: [127.0.0.1:35602 (Loopback)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (7 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:31:18.664 [0x7f8b46fed700] DEBUG - Content-Length is -1 (of total: -1).
Mar 18, 2020 07:31:29.131 [0x7f8bce7fc700] DEBUG - Checking if time for scheduled update
Mar 18, 2020 07:31:38.665 [0x7f8bdd5c8700] DEBUG - Completed: [127.0.0.1:35602] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (4 live) GZIP 20000ms 5 bytes (pipelined: 2)
Mar 18, 2020 07:31:38.672 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:31:38.672 [0x7f8b46fed700] DEBUG - Request: [127.0.0.1:35616 (Loopback)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (4 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:31:38.672 [0x7f8b46fed700] DEBUG - Content-Length is -1 (of total: -1).
Mar 18, 2020 07:31:58.672 [0x7f8bdd5c8700] DEBUG - Completed: [127.0.0.1:35616] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP 20000ms 5 bytes (pipelined: 1)
Mar 18, 2020 07:31:58.679 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:31:58.680 [0x7f8b46fed700] DEBUG - Request: [127.0.0.1:35620 (Loopback)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:31:58.680 [0x7f8b46fed700] DEBUG - Content-Length is -1 (of total: -1).
Mar 18, 2020 07:32:18.680 [0x7f8bdde4a700] DEBUG - Completed: [127.0.0.1:35620] 200 GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP 20000ms 5 bytes (pipelined: 1)
Mar 18, 2020 07:32:18.687 [0x7f8bdd5c8700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:32:18.687 [0x7f8b46fed700] DEBUG - Request: [127.0.0.1:35624 (Loopback)] GET /player/proxy/poll?deviceClass=pc&protocolVersion=3&protocolCapabilities=timeline%2Cplayback%2Cnavigation%2Cmirror%2Cplayqueues&timeout=1 (3 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:32:18.687 [0x7f8b46fed700] DEBUG - Content-Length is -1 (of total: -1).
Mar 18, 2020 07:32:24.607 [0x7f8bdd5c8700] DEBUG - WebSocket: client initiated close
Mar 18, 2020 07:32:24.607 [0x7f8bdde4a700] DEBUG - NotificationStream: Removing because of close
Mar 18, 2020 07:32:24.608 [0x7f8bdd5c8700] DEBUG - handleStreamRead code 2: End of file
Mar 18, 2020 07:32:24.608 [0x7f8bdd5c8700] DEBUG - Completed after connection close: [127.0.0.1:39998] -3 GET /:/websockets/notifications (4 live) GZIP 46057468ms 2998601 bytes
Mar 18, 2020 07:32:24.666 [0x7f8bdde4a700] DEBUG - Auth: authenticated user 1 as sgabriel
Mar 18, 2020 07:32:24.666 [0x7f8b46fed700] DEBUG - Request: [127.0.0.1:35626 (Loopback)] GET /diagnostics/logs (3 live) GZIP Signed-in Token (sgabriel)
Mar 18, 2020 07:32:24.667 [0x7f8b46fed700] DEBUG - Diagnostics: Building logfile zip

Ignorantly to me, it seems odd that there isn’t any reference to my workstation’s IP address, only loopback, but that could just be my ignorance in “normal Plex log behavior”.

It is the lack of IP addresses from your workstation that are the problem.
There is no bidirectional communication.

They can ping each other, any suggestions?

Ping is immaterial. It’s icmp.
You need the full up https socket.

I can telnet to 443 and 32400 from client to server, what else can I check/test?

  1. curl http://ip.addr.of.host:32400 Does that return XML ?
  2. curl http://ip.addr.of.host:32400/web should return HTML
  3. If you have both of those, PMS is talking to your browser. The browser isn’t talking back.

in response to
curl http://ip-host:32400
I get
<html><head><script>window.location = window.location.href.match(/(^.+\/)[^\/]*$/)[1] + 'web/index.html';</script><title>Unauthorized</title></head><body><h1>401 Unauthorized</h1></body></html>

in response to
curl http://ip-host:32400/web
I get NOTHING, however, if I go to it in my web-browser it redirects to:
http://ip-host:32400/web/index.html
which then quickly redirects to the logon page at plex.tv

Is that what should happen?

Yes.

This is the verification that the browser, pms, and plex.tv are all out of sync with each other.

This is the lesser of the two steps required to put it back in sync.

1 Like

I made it to step 7, in my incognito window I logged in and now it is just repeating the following window over and over:

[Screenshot: looping-logon]

btw: Thank you for the attention/help!

Now go grab those logs. See what it’s complaining about.

Here is a pastebin of the logs from 2 minutes before my loop, to what I think was a little after the loop. My client’s internal IP is the 10.0.0.119.

ZIP file please. I need the full file. That wasn’t enough.

1 Like

@sgabriel

Thanks for the logs.

If you look,

  • The server comes up on the LAN connection

However,

  • All streaming requests are from the WAN (Public IP) connection. Public IP will always be forced secure.

Do you have DNS rebinding protection blocking use of the LAN?

DNS Reflection is not something I’ve ever had to adjust/touch.
Do any of the settings below seem like what you are asking about?

Those are strictly for NAT. This is not about address translation. We are looking to Domain Name management…

I am specifically addressing anything which would indicate DNS rebinding (overlay) protection. The newer firmwares have it.

Other terms include “Private Network”.

On PfSense, the DNS resolver knows plex.direct is valid and ok to overlay onto the LAN’s domain (hessen.lan is my LAN DNS name)

1 Like

I added your above snippet to my firewall and it’s working now!!
Thank you!

So, for my own learning, here’s what I think you are saying was happening (please correct me so I learn from it):
Internally, after authenticating to plex.tv, the website is trying to redirect back to my private server by using some FQDN ending in “plex.direct”. My DNS server is forwarding the request to a public DNS server instead of trying to locally resolve/broadcast?
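
As an added illustration (not part of the thread, and not Plex or pfSense code), the following models the DNS rebinding protection discussed above: the resolver drops private-range answers for public names unless the domain is allowlisted, so the client falls back to the WAN connection. The hostnames, addresses, private-range list and the client's LAN-first preference are constructed assumptions.

```python
import ipaddress

# Ranges this example's filter treats as private (assumed list, not a vendor default).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def rebind_filter(qname, answers, allowed_domains=()):
    """Return the A records the resolver hands to the client.

    Private-range answers are dropped unless qname equals, or is a
    subdomain of, an allowlisted domain (match on label boundaries).
    """
    name = qname.rstrip(".").lower()
    domains = [d.rstrip(".").lower() for d in allowed_domains]
    allowed = any(name == d or name.endswith("." + d) for d in domains)
    return [a for a in answers if allowed or not is_private(a)]

def chosen_connection(candidates, upstream, allowed_domains=()):
    """Return the label of the first candidate whose name still resolves."""
    for label, host in candidates:
        if rebind_filter(host, upstream.get(host, []), allowed_domains):
            return label
    return None

# Constructed sample data: what the upstream DNS would answer for each name.
UPSTREAM = {
    "10-0-0-50.examplehash.plex.direct": ["10.0.0.50"],
    "203-0-113-7.examplehash.plex.direct": ["203.0.113.7"],
}
# Assumed client preference: try the LAN name first, then the WAN name.
CANDIDATES = [
    ("lan", "10-0-0-50.examplehash.plex.direct"),
    ("wan", "203-0-113-7.examplehash.plex.direct"),
]

if __name__ == "__main__":
    print("no allowlist:           ", chosen_connection(CANDIDATES, UPSTREAM))
    print("plex.direct allowlisted:", chosen_connection(CANDIDATES, UPSTREAM, ["plex.direct"]))
```

In Unbound, the resolver pfSense ships, the corresponding allowlist directive is `private-domain`.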