Why can anyone log in with their username to my server, even outside of my network?

I’ve searched extensively for this on Google but I found no one who had a proper solution for this. Is this a feature for Plex premium? Why can anyone log in with any account to my server, and this is a fresh image with Docker? Please provide a solution, otherwise I can’t really use Plex without the least bit of security.

Who can log in to your server?
By default, somebody would need YOUR credentials to log in – unless you’ve shared your library with somebody else by adding them as a Friend:
https://support.plex.tv/articles/204226753-friends/

If you have a different problem… please provide some more details. You’re quite vague.

No. Only those you expressly authorize can use your PMS. You must also understand, PMS requires anyone who accessed your server to have been previously authorized by you (sharing). It is innate to basic PMS operation and not a PlexPass-only feature.

If you are experiencing unauthorized usage of your system then I assert someone has your credentials.

You can change your Plex password (Plex.tv - My Account - Settings) and forcibly log out all connected devices at that time. This way, if anyone has obtained your password, it will be immediately invalidated.

OK, sorry about being vague, but I will tell you my setup:

I’m using the Plex server container inside Docker, which has an nginx reverse proxy in front of it. The SSL and credentials work, and the way I figured out anyone can log in to my server is by making a separate account to test it. Using a Facebook account and then a native Plex account, both were allowed into my server from my mobile data. Now they don’t have access to my content but they can still log in and run their own servers under my domain. I feel like I’m missing a big part of the Plex picture which has an obvious fix.

I just want me to have access to my domain and me only. I can set up a login page using PHP and JS in front of a Plex server, but it will be redundant if there is a way to fix this.

Get rid of the proxy. It is not needed and presents a genuine security risk if configured improperly.

That’s an interesting point, as surely this must be the case with or without the proxy.

If you have a public-facing PMS then anyone can log in with a valid Plex account, as the authentication is handled externally via the Plex servers.

It will of course not allow them access to the server owner’s content, it will just load the servers available to the logged-in user’s account. But I guess it would still be using some resources on the actual server where you logged in.

As a test, I just went to a friend’s server (not using an nginx proxy) and logged in with my account, which then loads my servers, not his, but the URL is the address of his server, so I guess it is still using some resources on his server.

If this should not be possible, please let us know how this could be prevented. Thanks.

@blim5001 said:
That’s an interesting point, as surely this must be the case with or without the proxy.

If you have a public-facing PMS then anyone can log in with a valid Plex account, as the authentication is handled externally via the Plex servers.

It will of course not allow them access to the server owner’s content, it will just load the servers available to the logged-in user’s account. But I guess it would still be using some resources on the actual server where you logged in.

As a test, I just went to a friend’s server (not using an nginx proxy) and logged in with my account, which then loads my servers, not his, but the URL is the address of his server, so I guess it is still using some resources on his server.

If this should not be possible, please let us know how this could be prevented. Thanks.

If PMS is public facing, it is inaccessible without a Plex account that you have expressly given permission to.

If you go to a friend’s home, log in with your credentials, of course it will load your servers. You see the same URL in the address bar because the page hasn’t been re-launched. The web client itself isn’t using any of his server. It is using his internet to reach through Plex.tv (get your server’s IP) for your instance of Plex/web to talk to your server.

@blim5001 said:
It will of course not allow them access to the server owner’s content, it will just load the servers available to the logged-in user’s account. But I guess it would still be using some resources on the actual server where you logged in.

As a test, I just went to a friend’s server (not using an nginx proxy) and logged in with my account, which then loads my servers, not his, but the URL is the address of his server, so I guess it is still using some resources on his server.

That is a misconception.
The only thing that is used is a bit of storage from where the web app is loaded into the browser.
Once the web app is loaded, there is only traffic to the servers into which you are signed in. Not to the server from where the web app is loaded.
You might as well load the web app from here: https://app.plex.tv/desktop
It doesn’t change a thing.

So: loading the web app is not “using your server”.
“Using your server” would mean ‘browsing your media’ and ‘playing your media’.
And both those things are impossible if you are not the server owner or are invited.
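
One way to check the distinction drawn above against your own reverse-proxy logs, as an added example that is not part of the original thread: it separates requests that only fetch the bundled web app from requests to the rest of the server, and lists clients that received a successful response outside the web app. The nginx "combined" log format, the `/web/` prefix for the web app, treating 401/403 as a refused request, and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed nginx "combined" log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2018:20:01:02 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:20:01:03 +0000] "GET /web/js/main.js HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:20:01:09 +0000] "GET /library/sections HTTP/1.1" 401 193 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2018:20:05:00 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2018:20:05:04 +0000] "GET /library/sections HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
CATEGORIES = ("webapp", "api_denied", "api_allowed", "other")


def classify(path, status):
    """Bucket one request: static web app, refused, served, or other."""
    if path == "/web" or path.startswith("/web/"):
        return "webapp"        # assumption: web app assets live under /web/
    if status in (401, 403):
        return "api_denied"    # server refused the caller
    if 200 <= status < 300:
        return "api_allowed"   # server content was actually served
    return "other"


def audit(log_text):
    """Return {client_ip: {category: count}} for every parsable log line."""
    per_ip = defaultdict(lambda: dict.fromkeys(CATEGORIES, 0))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue           # skip lines that are not in combined format
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]   # drop the query string
        per_ip[ip][classify(path, int(status))] += 1
    return dict(per_ip)


def needs_review(log_text, trusted_ips=()):
    """IPs outside trusted_ips that got a 2xx response outside the web app."""
    return sorted(ip for ip, counts in audit(log_text).items()
                  if ip not in trusted_ips and counts["api_allowed"] > 0)


if __name__ == "__main__":
    print(needs_review(SAMPLE_LOG))
```

A flagged address is a prompt to review, not proof of misuse: the owner and invited friends will appear there too unless their addresses are passed in `trusted_ips`.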

Thanks to both of you for the clarification.
