X-Forwarded-For and X-Real-IP not used when request is coming from tailscale IP (100.x.x.x)

Server Version#: Version 1.41.3.9276 - Ubuntu Server 22.04 - X86 - Docker
Player Version#: Version 4.141.0 (Web), but from any client

Setup:

Home Server: Running Plex in Docker (host mode) on a 5G connection behind CGNAT - no publicly reachable IP, so therefore I have a VPS. Home server advertises the 192.168.1.0/24 subnet range to the rest of the Tailscale network.

VPS: Fixed public IP, acting as an Nginx reverse proxy using Tailscale to route traffic to the home server. - Ubuntu Server 24.04 - Nginx Proxy Manager in docker.

The Problem: Plex shows the Tailscale IP (e.g., 100.x.x.x) as the “remote IP” for clients instead of the real client IP, despite correct forwarding of the X-Forwarded-For header from Nginx.
Plex logs (verbose) show XFF: client IP (the real IP) and X-Real-IP as well.

Reverse proxy config for Plex

location / {
    proxy_pass https://192.168.1.12:32400/;

    # Override headers for Plex
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Pass only the first IP in X-Forwarded-For
    set_real_ip_from 100.64.0.0/10; #Tailscale range
    real_ip_recursive on;
    real_ip_header X-Forwarded-For;
}

Remote access is disabled in Plex server settings and public url(s) are entered in Custom server access URLs - https://plex.domain.com:443,http://plex.domain.com:80,https://192.168.1.12:32400.

Domain is registered on Cloudflare, but CF for plex is used as DNS only, not Proxied.

Everything else, other than the client IP being shown as the VPS Tailscale IP (100.93.57.14), is working flawlessly. Every client I tested with can reach my server and use the content, but also shows the exact same IP.

I have seen this topic mentioned around the forums but nobody really offers a solution/explanation.

Can anyone advise what I am doing wrong here? I can provide logs (both Plex and Nginx).

Sample Log below:

MessageX-Forwarded-For: 80.233.xx.xx
Request: [100.93.57.14:48612 (WAN)] GET /updater/status (13 live) #15a93 TLS GZIP Signed-in Token (Mikicv) (iPhone) / accept => text/xml,application/xml / accept-encoding => gzip, deflate, br / accept-language => en-US;q=1, hr-IE;q=0.9 / baggage => sentry-environment=production,sentry-public_key=0f169be102bf41cdbdf13cc3e8902b91,sentry-release=com.plexapp.plex%408.43%2B9570,sentry-trace_id=342a9d7eea4049dfb9a7cc8f883df2bd / Connection => close / Host => plex.domain.com / sentry-trace => 342a9d7eea4049dfb9a7cc8f883df2bd-a9448832451d4965-0 / user-agent => PlexMobile/8.43 (iPhone; iOS 18.1.1; Scale/3.00) / X-Forwarded-For => 80.233.xx.xx / X-Forwarded-Host => plex.domain.com / X-Forwarded-Proto => https / x-plex-client-identifier => 7FBA2717-7129-45D6-AEA7-2A41049B9658 / x-plex-device => iPhone / X-Plex-Device-Name => iPhone / x-plex-device-screen-density => 3 / x-plex-device-screen-resolution => 1290x2796 / x-plex-device-vendor => Apple / x-plex-drm => fairplay:video / x-plex-features => external-media,hub-style-list / x-plex-http-pipeline => infinite / X-Plex-Language => en-IE / x-plex-model => 15,3 / x-plex-platform => iOS / x-plex-platform-version => 18.1.1 / x-plex-playback-id => 684FE1BF-E27A-4D14-898F-9E27461F97FA / x-plex-playback-session-id => 23B97980-2AFC-4150-B51B-A5925B105333 / x-plex-product => Plex for iOS / x-plex-provides => client,controller,sync-target / x-plex-session-id => C644A5C4-732C-4035-8D32-530E3DDF3E9F / x-plex-supported-commands => abort,changeQuality / x-plex-sync-version => 2 / x-plex-token => xxxxxxxxxxxxxxxxxxxx / x-plex-username => Mikicv / x-plex-version => 8.43 / X-Real-IP => 80.233.xx.xx


Anyone able to shed some light on this issue?

Would any Plex staff be willing to look into the issue? There are a few posts describing a very similar issue to the one I am experiencing here, with no solutions listed or responses from staff.

I have encountered the same problem: the Plex server shows only the Tailnet IP (100.x.x.x) rather than the real WAN IP of the device.

I did the same thing as you: correctly configured X-Forwarded-For and X-Real-IP in Nginx. Furthermore, I also tried Jellyfin to see what it shows under the same conditions. Jellyfin correctly treated all traffic from my reverse proxy server as remote access and shows the WAN IP. However, what I find magical is that when I access it from another device directly via Tailscale (not on the same physical LAN as the server; the device was using a cellular network, while the server was using Ethernet), Jellyfin can also recognize that this device is not accessing through a reverse proxy and will show the Tailnet IP (100.x.x.x) rather than the WAN IP in that case.

I guess this is an issue with the Plex server implementation, since the Jellyfin server can definitely handle this condition correctly.

I also did the same thing as in "Curious how people who use Tailscale manage subnet routing", to let my server treat all the traffic from the Tailnet as remote access. But there seems to be no way to solve the IP display problem now.

I will also leave a comment under https://www.youtube.com/watch?v=8iRgvhRpyK4, to see if the Tailscale staff has any solution.
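
Added example, not part of any post in this thread and not Plex, Jellyfin or nginx code: the generic trusted-proxy rule a backend applies when deciding whether to believe X-Forwarded-For, run over constructed requests that reproduce the symptom reported above and the direct-Tailnet case described in the last post. The function names, the trust lists and the addresses 203.0.113.7, 198.51.100.9 and 100.101.102.103 are assumptions; 100.93.57.14 and 100.64.0.0/10 are taken from the thread.

```python
import ipaddress

TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")  # range from the config above
VPS_PROXY = ipaddress.ip_network("100.93.57.14/32")      # VPS tailnet address from the log


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Pick the address a backend should record as the client.

    peer_ip is the TCP source address, xff_header the raw X-Forwarded-For
    value (or None), trusted_proxies the networks whose headers are believed.
    """
    def trusted(addr):
        return any(addr in net for net in trusted_proxies)

    peer = ipaddress.ip_address(peer_ip)
    # Headers from an untrusted peer are ignored: any client can send them.
    if not xff_header or not trusted(peer):
        return str(peer)
    # $proxy_add_x_forwarded_for appends the address nginx saw to whatever the
    # client sent, so walk from the right and stop at the first untrusted hop.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left is reliable
        if not trusted(addr):
            return str(addr)
    return str(peer)  # chain was all proxies or malformed: fall back to the peer


def demo():
    """Constructed requests; 203.0.113.7 and 198.51.100.9 are documentation addresses."""
    vps, phone = "100.93.57.14", "100.101.102.103"  # phone: made-up tailnet device
    return {
        "proxy_not_trusted": resolve_client_ip(vps, "203.0.113.7", []),
        "proxy_trusted": resolve_client_ip(vps, "203.0.113.7", [VPS_PROXY]),
        "client_sent_own_xff": resolve_client_ip(vps, "198.51.100.9, 203.0.113.7", [VPS_PROXY]),
        "direct_tailnet_no_xff": resolve_client_ip(phone, None, [VPS_PROXY]),
        "forged_xff_range_trusted": resolve_client_ip(phone, "198.51.100.9", [TAILSCALE_RANGE]),
        "forged_xff_proxy_only": resolve_client_ip(phone, "198.51.100.9", [VPS_PROXY]),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:26} -> {ip}")
```

The last two cases show why trusting only the proxy's own Tailnet address is tighter than trusting all of 100.64.0.0/10: with the whole range trusted, any Tailnet device can set the client IP the backend records.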
