I would like to configure Plex Local Network Authentication behind Nginx Proxy Manager:
In Plex Settings > Network > List of IP addresses and networks that are allowed without auth I added 172.25.10.0/255.255.255.0 for my local network. Accessing Plex through https://<PlexServerIP>:32400 does allow me to access the server.
In NPM I have a host for plex https://plex.domain.tv pointing to https://<PlexServerIP>:32400.
Going to Plex using the domain from the allowed network redirects me to Plex Authentication. In Plex Console I get:
Request came in with unrecognized domain / IP 'plex.domain.tv' in header Host; treating as non-local
This means that plex cannot see the correct header values to bypass Authentication. I have tried this but it did not help:
The reverse proxy is not exposed to the internet and only accessible through the local network. I have properly set up and checked the firewall and implemented restrictions on the reverse proxy. I like using domains because it is more convenient.
There is no need for a domain. Not even when using the web app.
This whole setup is making things much more complicated for practically no gain.
If you need to use the web app anywhere, just bookmark https://app.plex.tv
All other Plex apps are fetching the automatically assigned FQDN of your server by themselves from plex.tv. There is no need whatsoever to use a domain name.
I disagree with this. Your assumption is that we ALWAYS have internet access. This is not always the case. I have been burned multiple times by plex trying to force me to auth when our internet connection was out, and being unable to use plex for the entire internet outage. What fun having “no auth for local IPs” was when plex still refused to let me in because it doesn’t honor flags for initial connections.
It’s much easier for someone to remember plex.internaldomain.com (that gets reverse proxied securely) than to add bookmarks to every machine.
Rather than debating the merit and reasons why someone might want to reverse proxy their plex (internally), why does plex ignore X-Forwarded-For when trying to connect the first time?
Dec 04, 2024 10:43:09.785 [139850723355448] VERBOSE - X-Forwarded-For: 10.1.1.139
Dec 04, 2024 10:43:09.785 [139850723355448] VERBOSE - Comparing request from ::ffff:172.22.0.4 against ::ffff:10.1.1.0/120
Dec 04, 2024 10:43:09.785 [139850668870456] DEBUG - Request: [172.22.0.4:41110 (WAN)] GET /identity (7 live) #4a0 TLS GZIP Signed-in / accept => text/plain, */*; q=0.01 / accept-encoding => gzip, deflate, br, zstd / accept-language => en / Host => plex.intranet.com / referer => https://plex.intranet.com/web/index.html / sec-fetch-dest => empty / sec-fetch-mode => cors / sec-fetch-site => same-origin / user-agent => Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0 / X-Forwarded-For => 10.1.1.139 / X-Forwarded-Proto => https / X-Forwarded-Scheme => https / X-Plex-Client-Identifier => redacted / X-Plex-Device => Linux / X-Plex-Device-Name => Firefox / X-Plex-Device-Screen-Resolution => 1920x995,2560x1440 / X-Plex-Features => external-media,indirect-media,hub-style-list / X-Plex-Language => en / X-Plex-Model => bundled / X-Plex-Platform => Firefox / X-Plex-Platform-Version => 133.0 / X-Plex-Product => Plex Web / X-Plex-Session-Id => 5e3109ee-46cb-49f5-8136-d9fb34a937f6 / X-Plex-Version => 4.141.0 / X-Real-IP => 10.1.1.139 / x-requested-with => XMLHttpRequest
Dec 04, 2024 10:43:09.785 [139850668870456] VERBOSE - It took 0.0 sec to serialize a list with 0 elements
Here is a debug log when my nginx proxy manager (run in docker, you can see the 172.22.0.4 IP) reaches out to the plex docker container (10.1.1.10, which is run in host mode since I cannot get the plex container to work in anything but host mode). You can see the X-Forwarded-For header contains the IP of my desktop 10.1.1.139, which IS part of the no-auth subnet, but plex ignores this.
This is a painful bug. Why does plex ignore this header? I cannot easily fix the IP of the reverse proxy docker container, because docker is meant to use hostnames, not fixed IPs, and it regenerates IPs each restart.
If a server is publicly accessible, it might make sense to delegate security and authentication to Plex.tv, but not for local-only servers. If all data for user profiles and watch history are saved locally, there is no reason to depend completely on Plex Servers for authentication. I personally had almost 8 weeks of internet outage in the past 12 months due to very weak infrastructure. Almost every time a 1+ week outage happens, a device or two in my household signs out, requires new authentication and is rendered unusable.
As a Plex Pass user, I would rather just use an activation code on the server to unlock features and have local-only authentication rather than constantly authenticating against a Plex.tv account. It might sound redundant, but the point of self-hosting is to have independence from online services.
Plex Network Authentication is a method to bypass authentication from a local IP/Subnet. It does not provide any access to local user profiles and watch history. It is true I am trying to reverse proxy into Plex and use Network Authentication, but only to remove the http warning and make it easier to access the server during an internet outage. This is not a great solution but making the best of a bad situation.
Just to be clear, I (and I believe everyone else interested in this feature) are not trying to have publicly available domains. We’re home lab users with larger intranets and we have a lot of reverse proxies used for various services. Trying to pull Plex into that for simple and centralized SSL and for convenience.
Just today it rained and I have not had Internet for 20 hours now. The home theater PC got restarted and kept trying to auth into plex’s servers instead of realizing it’s a local machine. Frustrating.
At least this time I had the backup path of pointing it at the IP and port with the /web postfix, but that’s frustrating for my family when they were used to just typing Plex/ and it getting redirected. I learned my lesson after the last Internet outage.
Plex doesn’t ignore the header, it uses it for logging and stats/reporting.
If Plex trusted the X-Forwarded-For header for auth bypass, anybody could send that header to any Plex server on the Internet and get admin access.
If the proxy is truly only internal you could try adding it to ... allowed without auth instead. You might have to disable the X-Forwarded-For header, I’m not sure.
But obviously that would be very bad if the proxy is also externally accessible. Don’t do this if the proxy is accessible externally.
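The trust rule behind the reply above, as an added example (not Plex or Nginx Proxy Manager code): a small Python model of the two checks visible in the log earlier in the thread, a recognised Host header and a peer address inside the allowed-without-auth network, plus the trusted-proxy condition a service would need before X-Forwarded-For could safely count. The allowed network 10.1.1.0/24, proxy peer 172.22.0.4, client 10.1.1.139, server 10.1.1.10 and hostname plex.intranet.com come from the thread; the trusted-proxy range 172.22.0.0/16 is assumed, and the decision logic is a model, not Plex's actual implementation.

```python
import ipaddress
from typing import Iterable, Mapping, Tuple

def _normalize(addr: str):
    """Plex logs peers as IPv4-mapped IPv6 (::ffff:172.22.0.4); compare as IPv4."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def effective_client_ip(remote_addr: str, headers: Mapping[str, str],
                        trusted_proxies: Iterable[str] = ()):
    """Address used for the no-auth decision.

    X-Forwarded-For is believed only when the TCP peer is a configured trusted
    proxy; otherwise any client on the Internet could set the header itself.
    With no trusted proxies (the thread's situation) the peer address wins.
    """
    peer = _normalize(remote_addr)
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    xff = headers.get("X-Forwarded-For", "")
    if xff and any(peer in net for net in trusted):
        # A proxy appends the address it saw as the rightmost entry; entries to
        # the left may have been supplied by the client and are not believed.
        return _normalize(xff.split(",")[-1])
    return peer

def treated_as_local(remote_addr: str, headers: Mapping[str, str],
                     allowed_nets: Iterable[str], known_hosts: Iterable[str],
                     trusted_proxies: Iterable[str] = ()) -> Tuple[bool, str]:
    """Model (an assumption, not Plex's code) of the two checks the log shows:
    a recognised Host header, then a source address in an allowed network."""
    host = headers.get("Host", "").split(":")[0]      # drop any :port
    if host not in set(known_hosts):
        return False, f"unrecognized domain / IP '{host}' in header Host"
    ip = effective_client_ip(remote_addr, headers, trusted_proxies)
    if not any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_nets):
        return False, f"{ip} is not in an allowed-without-auth network"
    return True, f"{ip} treated as local"

if __name__ == "__main__":
    # Constructed from the thread's log: NPM container 172.22.0.4 forwards a
    # request from desktop 10.1.1.139 with Host plex.intranet.com.
    hdrs = {"Host": "plex.intranet.com", "X-Forwarded-For": "10.1.1.139"}
    print(treated_as_local("::ffff:172.22.0.4", hdrs, ["10.1.1.0/24"],
                           ["10.1.1.10", "plex.intranet.com"]))
    print(treated_as_local("::ffff:172.22.0.4", hdrs, ["10.1.1.0/24"],
                           ["10.1.1.10", "plex.intranet.com"], ["172.22.0.0/16"]))
```

The first call is denied because the peer 172.22.0.4 is outside 10.1.1.0/24 and the header is not trusted; only the second, with the proxy explicitly trusted, lands on 10.1.1.139.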
This sounds like the Proxy server is sending an unrecognized Host name header to Plex. Do you have a custom domain configured in Plex itself? One option is to configure the custom domain in Plex, to match what the Proxy server is sending. But you don’t need to - you could also have the Proxy server send requests to Plex by IP address instead, without the ‘plex.domain.tv’ Host header.
Exactly. As mentioned, requests from the home network using https://<IP>:32400/web will get through. When the request is with the reverse proxy https://plex.localdomain.tl/web it does not.
Then going to https://plex.localdomain.tl/showhost, it will show the correct remote host IP address but Plex would still not recognise it and redirects to plex.tv.
The proxy is not externally accessible. I did try adding the proxy IP to allowed without auth and it did not accept it. I saw some murmurs online that it only honors certain IP ranges (RFC1918, I assume, which is what my docker IPs are).
It keeps giving me the same error: Request came in with unrecognized domain / IP 'plex.domain.com' in header Host; treating as non-local
I have this exact domain in “Custom server access URLs”. No idea where else I can put the domain to make it happy… Plex is acting like it doesn’t know why this host name is coming in, even though it’s added to the configuration.
Edit:
So I’ve spent some time playing with this. I forced the nginx config to change the host header to be the server’s IP, and then it did allow me to go without having to auth. However, it then sent a 302 response with https://10.1.1.10/web/index.html, which doesn’t work, because it changed the host, and now the reverse proxy is not being addressed.
So there is some issue/flag I’m missing with setting a custom host that plex will accept. It just does not seem to honor the custom server access URL for local access…
Edit 2:
I SOLVED IT.
The secret was I have to overwrite the hostname in docker. It’s not an environment variable, it’s actually a setting for the docker compose file. Same level that you would have networks: or volumes:, you need to add a hostname: plex.yourdomain.com line to the docker compose file. At this point, it started accepting the domain name as local and not authing it.
New problem was when I go to plex.mydomain.com (internal domain/link), it does not automatically go to /web. So now I need to chase that issue down… I tried redirecting to /web, but that did not work…