Plex seems to be very clearly doing something wrong here. When a reverse proxy is added into the mix and the request is forwarded to a different machine hosting plex, Plex logs the connecting IP of the proxy, instead of the client’s IP sent in both the X-Real-IP and X-Forwarded-For headers. This has been discussed before with ipv6 and internal ranges but in my case this is neither.
Take this GET request, obtained from a pcap:
T 144.217.x.x:37562 -> 176.9.x.x:32400 [AP]
GET /video/:/transcode/universal/session/4c2c5244-4b9f-483a-8c7f-b5c9dbf2a0e7-110/base/00594.ts?protocol=hls&mediaIndex=0&waitForSegments=1&X-Plex-Client-Profile-Extra=add-limitation%28scope%3DvideoCodec%26scopeName%3Dh264%26type%3DupperBound%26name%3Dvideo.level%26value%3D41%29&videoQuality=100&session=4c2c5244-4b9f-483a-8c7f-b5c9dbf2a0e7-110&maxVideoBitrate=4000&X-Plex-Token=A9L8RXs4z8DrfYx6FVzk&mediaBufferSize=50000&offset=0&partIndex=0&videoResolution=1280x720&directPlay=0&path=%2Flibrary%2Fmetadata%2F26887&directStream=1&skipSubtitles=1 HTTP/1.1..Host: xxxxx..X-Real-IP: 189.165.x.x..X-Forwarded-For: 189.165.x.x,172.69.x.x..X-Forwarded-Proto: http..Connection: Upgrade..Accept-Encoding: gzip..
As you can see there, the request includes both XRI and XFF headers:
Both the IP in XRI and the first IP in XFF are the true client IP. Yet, Plex doesn’t seem to care about de-facto client identification headers and just logs the proxy IP (144.217.x.x). Example:
Your reverse proxy appears to be in the same machine or possibly the same internal network as plex, judging by the WAN IP being an internal address. Seems to me like plex is (correctly) ignoring that internal IP in your case. My use case is different and the IP is public and plex chooses that over headers.
I’ve already tried 17 different versions of XRI and XFF, including a single IP in XFF. Nothing works.
Clearly some bug or something so the hope is that this thread brings back attention to this. Plex should under no circumstance pick connecting IP over headers. The headers, even if not standard, are de-facto used by the industry as a best practice and every single modern client/server implementation that I know of implements them properly (except plex).
I will try to set yet another reverse proxy in the same machine as Plex to see if that fixes my problem. This is however something that should just work, I shouldn’t need to be setting up unnecessary proxies to work around something as simple as this.
Maybe my scripts fail for a different reason but one HUGE annoyance is not being able to see the client IP in tautulli which is another very real problem for me.
I was going to suggest you test your theory that it needs to come from a local proxy. I have heard of others using cloud flair and other services that would be considered WAN addresses and they have worked?
Edit: I enabled my verbose logging and it seems X-Real-IP is not in the header. Try dropping that?
