plex-nginx-reverseproxy's Introduction

Plex Nginx Reverse Proxy

This configuration will allow you to serve Plex via Nginx.

Minimal Requirements

Nginx

Plex:

  • Remote Access - Disable
  • Network - Custom server access URLs = https://<your-domain>:443,http://<your-domain>:80
  • Network - Secure connections = Preferred.
  • Note: you can force SSL by setting Secure connections to Required and not adding the HTTP URL; however, some players that do not support HTTPS (e.g. Roku, PlayStations, some smart TVs) will no longer function.

Optional Requirements

UFW or other firewall:

  • Deny port 32400 externally (Plex still pings over 32400, some clients may use 32400 by mistake despite 443 and 80 being set).
  • Note: adding allowLocalhostOnly="1" to your Preferences.xml will make Plex listen only on localhost, achieving the same thing as using a firewall.

plex-nginx-reverseproxy's People

Contributors

leonekmi, ryansonshine, sander1, tdabasinskas, toomuchio, zenjabba

plex-nginx-reverseproxy's Issues

small typo in comment

Hi there, thank you so much for this config file! I found a small typo (I think):

Regarding:

#Upstream to Plex
upstream plex_backend {
#Set this to the IP address that appears in ifconfig (NATTED LAN IP or Public IP address) if you want the bandwidth meter in the server status page to work
server 127.0.0.1:32400;
keepalive 32;
}

Shouldn't ifconfig be ipconfig?

Just wanted to let you know, it has the lowest priority :)

EDIT: After Googling I found it's the Linux command, so this issue can be closed.

Reporting 127.0.0.1

This isn't a plexpy issue:

#36

I can see it in the regular Plex UI. Can you tell me how you are trying to reproduce it? I opened a thread on the Plex forums as well. I can reproduce this with nginx and with caddy, so I want to confirm it isn't an issue with something else I might be doing.

Downloading from Plex, stops after 1024MB

Having some problems with downloading (not streaming) movies from Plex, using this Nginx configuration.
The downloads stop after exactly 1024MB.
Anyone else tried to download something from their Plex server behind Nginx?

Plex behind Nginx accessible via App, but not via Domain

Hey everyone,

I need help with a perplexing issue:

I'm running a Fedora 38 PC as a home server and want to set up a Plex Media Server. Nginx proxy manager is dockerized and Plex Media Server on bare metal.

What I did:

  • Opened ports 80 and 443 on my router and forwarded them to the server's internal IP.

  • Opened ports 80 and 443 on my Fedora PC's firewall.

  • Bought a Namecheap domain and added an A record with "plex" as the host and my server's external IP.

  • Set up an NGINX proxy for Plex with the following settings:

  • Domain name: plex.mydomain.com

  • IP: Fedora PC's internal IP

  • Scheme: http

  • Forwarded port: 32400

  • Enabled WebSockets and blocked common exploits

  • Requested a Let's Encrypt certificate, enabled force SSL, HTTP/2 Support, HSTS, and HSTS Subdomains.

NGINX Proxy Manager shows my proxy as active, with SSL enabled, and gives the impression that everything works. However, when trying to access Plex via https://plex.mydomain.com/, I get a "502 Bad Gateway" error (although the SSL certificate is valid), even though I added the URL in Plex as a custom URL. I can't even reach Plex locally via http://192.168.1.66:32400/ either. Plex's settings show "Fully accessible outside your network", which I know shouldn't be the case since NGINX is handling remote access.

Weirdly, I can use Plex in the app, even outside my home network, with relay disabled.

I'm very confused as to why Plex works in the app but not via my domain. Here are my NGINX Proxy Manager logs (with domain and IPs replaced for privacy):

[20/Jun/2023:06:49:38 +0000] - - 502 - GET https plex.mydomain.lol "/" [Client 192.168.0.1] [Length 556] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (X11; U; Linux armv7l; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16" "-"

"[20/Jun/2023:06:50:46 +0000] - - 301 - GET http plex.mydomain.lol "/" [Client 192.168.0.2] [Length 166] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36" "-"

"[20/Jun/2023:06:50:46 +0000] - - 502 - GET https plex.mydomain.lol "/" [Client 192.168.0.2] [Length 556] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36" "-"

"[20/Jun/2023:06:50:56 +0000] - - 301 - GET http plex.mydomain.lol "/" [Client 192.168.0.3] [Length 166] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36" "-"

"[20/Jun/2023:06:55:37 +0000] - - 502 - GET https plex.mydomain.lol "/" [Client 192.168.0.4] [Length 556] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "-"

"[20/Jun/2023:06:55:40 +0000] - - 301 - GET http plex.mydomain.lol "/" [Client 192.168.0.4] [Length 166] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "-"

"[20/Jun/2023:06:55:40 +0000] - - 502 - GET https plex.mydomain.lol "/" [Client 192.168.0.4] [Length 556] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "-"

"[20/Jun/2023:06:59:09 +0000] - - 502 - GET https plex.mydomain.lol "/" [Client 192.168.0.4] [Length 556] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36" "-"

"[20/Jun/2023:07:00:02 +0000] - - 502 - GET https plex.mydomain.lol "/" [Client 192.168.0.5] [Length 154] [Gzip -] [Sent-to 192.168.1.66] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0

Cloudflare CDN works for regular HTTP traffic, will fix issues with some devices

I just realized Cloudflare's CDN works for regular non-encrypted HTTP traffic as well. I added the reverse proxy on my server for port 80 and pointed it to the same backend Plex port 127.0.0.1:32400. And changed the secure connection preference in Plex from "Required" to "Preferred". Now devices that don't support SSL/HTTPS should work (such as LG WebOS TV). Might help fix the issue for PS4 as well #5.

I would also recommend using UFW to block all 80/443 traffic except those originating from CloudFlare:

#!/bin/bash
sudo apt-get --assume-yes install ufw
sudo ufw default deny incoming
sudo ufw allow ssh
for i in `curl https://www.cloudflare.com/ips-v4`; do sudo ufw allow from $i to any port www comment "cloudflare"; done
for i in `curl https://www.cloudflare.com/ips-v4`; do sudo ufw allow from $i to any port https comment "cloudflare"; done
for i in `curl https://www.cloudflare.com/ips-v6`; do sudo ufw allow from $i to any port www comment "cloudflare"; done
for i in `curl https://www.cloudflare.com/ips-v6`; do sudo ufw allow from $i to any port https comment "cloudflare"; done 
sudo ufw enable

Config works for web browsers, not Plex iOS app?

Hi there!

When I connect to my domain through my reverse proxy (Nginx) with the iOS app, it doesn't work. When I go to my domain in Firefox or Safari on my iPhone, it works fine. Are there any special settings I didn't configure right?

Regards,
Graxo

NGINX wont start with conf

See the error below. Line three and it hits an issue. any ideas?

2018/03/12 16:14:22 [emerg] 2173#0: "ssl_session_cache" directive is not allowed here in /etc/nginx/nginx.conf:3

HTTP is listening on 443?

nginx -v
nginx version: nginx/1.12.0

I'm using the config from this repo, other than changing the paths to my certs, all else is the same.

nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

http works but https is broken.

curl https://plex.my-domain.com/
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

curl -I http://plex.my-domain.com/
HTTP/1.1 401 Unauthorized
Server: nginx/1.12.0
Date: Sun, 18 Mar 2018 15:23:02 GMT
Content-Type: text/html
Content-Length: 193
Connection: keep-alive
X-Plex-Protocol: 1.0
Cache-Control: no-cache

My backend works fine on either protocol (From the nginx server)

curl -k -I http://10.2.160.5:32401/web/index.html
HTTP/1.1 200 OK
Cache-Control: no-cache
Accept-Ranges: bytes
Connection: Keep-Alive
Keep-Alive: timeout=20
Content-Length: 9456
Content-Type: text/html
X-Plex-Protocol: 1.0
Date: Sun, 18 Mar 2018 15:23:40 GMT

curl -k -I https://10.2.160.5:32401/web/index.html
HTTP/1.1 200 OK
Cache-Control: no-cache
Accept-Ranges: bytes
Connection: Keep-Alive
Keep-Alive: timeout=20
Content-Length: 9456
Content-Type: text/html
X-Plex-Protocol: 1.0
Date: Sun, 18 Mar 2018 15:23:46 GMT

Even hardcoding the port is not helping

curl -v https://plex.my-domain.com:443/web/index.html
*   Trying xxx.xxx.xxx.xxx...
* Connected to plex.my-domain.com (xxx.xxx.xxx.xxx) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.

I thought I would try via IP to the nginx server but it fails as well?

curl --verbose -H 'Host: plex.my-domain.com' 'https://xxx.xxx.xxx.xxx/web/index.html'
*   Trying xxx.xxx.xxx.xxx...
* Connected to xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 596 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification OK
*        server certificate status verification SKIPPED
* SSL: certificate subject name (*.my-domain.com) does not match target host name 'xxx.xxx.xxx.xxx'
* Closing connection 0
curl: (51) SSL: certificate subject name (*.my-domain.com) does not match target host name 'xxx.xxx.xxx.xxx'

Limited connection or none at all with app clients

I really wanted to avoid opening an issue here, but I really need some assistance as I can't get this working with my config.

I am running NGINX on my router using this exact config. Plex is hosted on an internal Windows server. I am not using CF (other than as a subdomain host for my LE cert).

The only difference is my ISP blocks 80 so I have NGINX listening on 443.

I can access fine using https://plex.mydomain.com and https://app.plex.tv.

However when trying to use apps like Android client or Roku I get limited connection (Plex Relay). Also, this is only if I keep Plex's remote connection enabled (on 443 and without opening up any additional ports). If I disable the remote connections option then the apps can't get any access at all. Web access continues to work in either scenario.

Best I can tell, apps should be able to work via https/secure, so me not having port 80 available shouldn't matter. Most of the posts I've found seem to reference a version of this config so I'm coming here begging for some guidance.

CertBot automatic renewal fails

Observed issue: Trying to use Certbot to renew SSL Cert (only dry run for now, cert has not expired yet), CertBot throws a 401 Unauthorized error trying to access http://plex.domain.com/.well-known/acme-challenge/longkey, this is probably due to the root path redirect to the Plex server being pointed to root path.

Desired Result: Trying to use CertBot to auto renew certificate should work properly.

I was able to resolve this by changing the nginx.conf to ignore calls to /.well-known and pass to the original nginx path where the cert was verified. Might be worth adding to your code for other users.
Code:

location ^~ /.well-known {
alias /usr/share/nginx/html/.well-known;
}

Servers.xml

Hi,

I'm having a strange issue where my server isn't being published to Plex.tv correctly. Just trying to nut out where the problem is.

Does anyone here have their server listed under:
https://plex.tv/pms/servers.xml

May have nothing to do with the configuration here I'm just seeing my server disappear from servers.xml when enabling my firewall.

Thanks,

Bad Gateway 502

Hey,

I've already been trying for about 5 hours to get it working, but I am just stuck at this moment.
I have exactly the same configuration as you, but it seems like there's just something missing...

Log says:
Over Internet:
2018/01/26 23:43:52 [error] 350#350: *6 connect() failed (113: Host is unreachable) while connecting to upstream, client: 192.168.2.1, server: xxxxxx.de, request: "GET / HTTP/2.0", upstream: "http://192.168.2.118:32400/", host: "xxxxxx.de"

Local:
2018/01/26 23:43:33 [error] 350#350: *3 connect() failed (113: Host is unreachable) while connecting to upstream, client: 192.168.2.109, server: xxxxxx.de, request: "GET / HTTP/2.0", upstream: "http://192.168.2.118:32400/", host: "192.168.2.130", referrer: "http://tower.local/Dashboard"

The thing is the host is reachable...

I'm just clueless at this moment.
Would appreciate any advice.

Thank You :)

CloudFlare Account Disabled - Abuse?

Just got the following email from CloudFlare:

Cloudflare has deactivated your website [xxxxx.xxx] from our network for a possible violation of our Terms of Service.

Your visitors will be routed directly to your origin server, where your website is hosted, and will not
receive any performance and security benefits from Cloudflare. Cloudflare's Terms of Service are
available at https://www.cloudflare.com/terms/.

If you have any questions, please email us at [email protected].

Thank you for using Cloudflare.

The Cloudflare Team

Anybody else ever see this? I haven't done anything outside of what's in this guide.

Speed bursts

Hi,

Not really an issue but possibly something that could be solved with Nginx.

I've noticed that when using Chrome to stream Plex the speed jumps up and down. If I watch a 10Mbps transcoded movie occasionally I see spikes of bandwidth as high as 16Mbps. Because of these spikes I am forced to reduce my quality to much lower than 10.

Wondering if there might be a way to minimise this?

Multiple Plex Server

Is it possible to front multiple plex servers through a single nginx reverse proxy?
I'm thinking something like domain.com/server1 and domain.com/server2 or server1.domain.com and server2.domain.com

Thanks

Preferences.xml allowLocalhostOnly setting on Windows

I can't find Preferences.xml anywhere on my Windows file system. Do this file and the respective allowLocalhostOnly setting still exist? I also didn't see this setting under:

Computer\HKEY_CURRENT_USER\Software\Plex, Inc.\Plex Media Server

allowLocalhostOnly no longer exists

allowLocalhostOnly no longer exists as a plex option. Trying to set this in Preferences.xml will result in plex failing to start. Which is a shame, since it would have been a nice and convenient alternative to iptables/UFW =(

Not working with Plex for Kodi

I'm not sure if it's related to TLS/SSL, port, or client detection, but this setup isn't working for Plex for Kodi. Not quite sure how to troubleshoot.

Internal Clients reporting 127.0.0.1

I just finally turned off my internal clients and pushed them to using the proxy as well.

I turned on verbose/debug and I can see the header looks good:

Aug 29, 2018 14:38:17.702 [0x7f5c13ffc700] VERBOSE -  * X-Real-IP => 192.168.1.105
Aug 29, 2018 14:38:17.702 [0x7f5c13ffc700] VERBOSE -  * X-Forwarded-For => 192.168.1.105
Aug 29, 2018 14:38:17.702 [0x7f5c13ffc700] VERBOSE -  * X-Forwarded-Proto => https

But for some odd reason, I'm seeing only the 127 address for the local LAN IPs instead of the internal address. I'm sure I'm missing something silly but can't seem to figure out what it is.

Fire TV Stick not showing any cover art

Hi! I have a weird problem. Every client works perfectly fine except my amazon fire tv stick. It just doesn't show any cover art, backdrops etc. I can't figure it out. Metadata and the actual videos are playing without a hitch.

I've looked into the device logs from the plex app on the fire tv stick with no luck. My nginx logs aren't indicating something abnormal as well. Plex logs are also fine.

Could this be a TLS issue? Are pictures somehow treated differently than metadata and videos?
Can you give me some tips to further investigate this issue on my own?

Multiple (Chained) reverse proxies

Hi,

My setup is like this,

Client -> Reverse Proxy 1 -> Reverse Proxy 2 -> Plex Server.

I am trying to figure out whether and what adjustments should be made to the Nginx config of a reverse proxy whose upstream is also a reverse proxy, like, Reverse Proxy 1 on the above. Like, should I only turn gzip on in the Nginx config of the Plex Server? If yes, are there any other lines that should be removed from the configs of a reverse proxy to another reverse proxy?

It's kind of not a real issue. End up here because I can barely find any related info.

Thanks!

[warn] duplicate MIME

According to this Q/A, you don't need to put "text/html" in gzip_types directive, which gives [warn] log. Thanks for the configuration script btw.

Roku and PS4 apps work fine over https

As mentioned in my issue #46, I have tested with this configuration that remote apps can connect with no issues with only port 443 forwarded via nginx (in fact my ISP blocks 80 so I am 100% certain that all communication is over 443).

In addition to testing my Roku on an external network, I have tonight confirmed that a remote PS4 is able to stream without issue from my Plex library.

Perhaps the README file should be updated.

Plex is not reachable.

Hello,

When trying to access plex through my domain I get:

Plex is not reachable.
Make sure your server has an internet connection and any firewalls or other programs are set to allow access.

Any ideas how to fix?

Cheers.

Roku 2 won't establish a direct connection

When I block port 32400 and add cloudflare domains with port 80 and 443 to the Plex settings and set SSL to Preferred, Roku 2 (maybe more clients) can't directly connect anymore and will be relayed (with a slow connection).

Relay: http://i.imgur.com/165uiCL.jpg
Plex Settings: http://i.imgur.com/xI4jL3P.jpg

The cloudflare proxy works on other clients, so far only Roku breaks.

I know this isn't an issue caused by this config (at least I think it's not) but maybe somebody else who stumbles upon this knows a fix for this.

External clients reported as 127.0.0.1

Since setting up the reverse proxy in front of Plex, a few of my external clients are being reported as 127.0.0.1 when I look through Plexpy. (Xbox One, Chromecast, iOS (iPhone/iPad), Safari/Chrome Web)

I thought maybe those clients were indirectly connected to the server using Plex relay, but I've investigated, and this is definitely not the case… I also tried adding all my LAN internal IPs / subnets in the PMS server "network" settings, hoping this would help the server differentiate internal and external clients, but that didn't do the trick.

Any idea what I'm doing wrong?

My nginx conf

Updated for 2021 with working Content Security Policy:

  1. Can watch Live TV, Movies & Shows on Plex
  2. Plays TV Show theme songs
  3. Plays Movie trailers, extras, and featurettes

upstream plex {
    server localhost:32400;
}
server {
    listen 443 ssl http2;
    server_name plex.domain.com;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/priv.pem;
    client_max_body_size 500M;
    send_timeout 100m;
    
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_stapling on;
    ssl_stapling_verify on;
    # For LetsEncrypt/Certbot, you can get your chain like this: https://esham.io/2016/01/ocsp-stapling
    ssl_trusted_certificate /path/to/intermediate/ocsp/cert-r3.pem;
    
    add_header Strict-Transport-Security max-age=15768000;
    add_header Referrer-Policy strict-origin-when-cross-origin;
    add_header X-Frame-Options deny;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Permissions-Policy "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self)";
    # Pay attention to how many domains we need to allow
    add_header Content-Security-Policy "default-src 'none'; base-uri 'self' plex.domain.com; font-src 'self' data: plex.domain.com; media-src 'self' data: blob: plex.domain.com https://*.plex.direct:32400 https://video.internetvideoarchive.net https://*.cloudfront.net; script-src 'self' 'unsafe-inline' 'unsafe-eval' domain.com plex.domain.com; style-src 'self' 'unsafe-inline' plex.domain.com; img-src 'self' data: blob: https: plex.domain.com; worker-src * blob:; frame-src 'self'; connect-src 'self' https: domain.com plex.domain.com wss://*.plex.direct:32400 wss://pubsub.plex.tv; object-src 'self' plex.domain.com; frame-ancestors 'self' domain.com plex.domain.com; form-action 'self' plex.domain.com; manifest-src 'self' plex.domain.com; script-src-elem 'self' 'unsafe-inline' domain.com plex.domain.com www.gstatic.com";

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /path/to/503;
    }
    
    # gzip source: https://github.com/toomuchio/plex-nginx-reverseproxy/blob/master/nginx.conf
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
    gzip_disable "MSIE [1-6]\.";

    # Forward real ip and host to Plex
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
	
    # If not using ngx_http_realip_module change '$http_x_forwarded_for,$realip_remote_addr' to $proxy_add_x_forwarded_for
    proxy_set_header X-Forwarded-For '$proxy_add_x_forwarded_for,$realip_remote_addr';
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
    proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
    proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;

    # Disables compression between Plex and Nginx, required if using sub_filter below.
    # May also improve loading time by a very marginal amount, as nginx will compress anyway.
    #proxy_set_header Accept-Encoding "";

    # Buffering off send to the client as soon as the data is received from Plex.
    proxy_redirect off;
    proxy_buffering off;

    # TO DO: rewrite /web/(.*) to just /index.html
    #try_files $uri $uri/ /index.html?$args;
    #if ($http_referer ~ /) {
        #rewrite ^/web/(.*) /$1? redirect;
    #}

    location / {
        proxy_pass http://plex/;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }
}
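
An added example (not part of the original post or the project's code) of an nginx rule that matters for configs shaped like the one above: `proxy_set_header` directives are inherited from the outer level only when the current level defines none, so a `location` that sets its own headers stops sending the ones set at `server` level. The Python sketch below parses a constructed, reduced config (the `/status` location is hypothetical) and reports what each proxied location sends and drops; it handles plain directives and blocks only, not `${var}` syntax.

```python
import re

# Constructed sample: server-level headers plus a location that sets its own.
SAMPLE_CONF = r'''
server {
    listen 443 ssl;
    # Forward real ip and host to Plex
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For '$proxy_add_x_forwarded_for,$realip_remote_addr';
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://plex/;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /status {   # hypothetical location that sets no headers itself
        proxy_pass http://plex/;
    }
}
'''

# One token per match: comment, quoted string, punctuation, or bare word.
TOKEN = re.compile(r'''\s*(?:(#[^\n]*)|("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|([{};])|([^\s{};"']+))''')

# nginx sends these two unless a proxy_set_header in effect overrides them.
NGINX_DEFAULTS = {"host": "$proxy_host", "connection": "close"}


def tokenize(text):
    """Split config text into (is_punctuation, value) pairs, dropping comments."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            if text[pos:].strip():
                raise ValueError("cannot tokenize near: %r" % text[pos:pos + 20])
            break
        pos = m.end()
        comment, quoted, punct, word = m.groups()
        if comment is None:
            if punct:
                tokens.append((True, punct))
            else:
                tokens.append((False, quoted[1:-1] if quoted else word))
    return tokens


def parse(tokens):
    """Build a tree of (args, children); children is None for simple directives."""
    def block(i):
        items, args = [], []
        while i < len(tokens):
            is_punct, val = tokens[i]
            i += 1
            if is_punct and val == ";":
                items.append((args, None))
                args = []
            elif is_punct and val == "{":
                children, i = block(i)
                items.append((args, children))
                args = []
            elif is_punct and val == "}":
                return items, i
            else:
                args.append(val)
        return items, i
    return block(0)[0]


def effective_headers(directives, inherited=None, path=()):
    """Map each block with proxy_pass to (headers sent upstream, headers dropped)."""
    inherited = inherited or {}
    # Header names are case-insensitive, so key on the lower-cased name.
    own = {a[1].lower(): a[2] for a, kids in directives
           if kids is None and len(a) == 3 and a[0] == "proxy_set_header"}
    # The rule: one proxy_set_header at this level discards ALL inherited ones.
    active = own if own else inherited
    out = {}
    if any(kids is None and a[:1] == ["proxy_pass"] for a, kids in directives):
        dropped = sorted(set(inherited) - set(own)) if own else []
        out[" > ".join(path)] = ({**NGINX_DEFAULTS, **active}, dropped)
    for a, kids in directives:
        if kids is not None:
            out.update(effective_headers(kids, active, path + (" ".join(a),)))
    return out


if __name__ == "__main__":
    report = effective_headers(parse(tokenize(SAMPLE_CONF)))
    for where, (headers, dropped) in report.items():
        print(where)
        for name, value in sorted(headers.items()):
            print("    sends   %s: %s" % (name, value))
        for name in dropped:
            print("    DROPPED %s (set at an outer level only)" % name)
```
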

http and https issue

Hi @toomuchio

After setting this up with your script, I am noticing that when I access my Plex domain with http, requests to and from my PMS are sent via my SSL certificate through the domain as they should be.

However, if I access my Plex domain via https, requests are no longer being sent via my domain; instead it is using plex.direct.

Isn't this a bit odd? Do you have any idea what's causing this?

Regards

PS4 client not working

On the Reddit post regarding this configuration I saw some people having issues with using the PS4 native client with this setup, I don't have a playstation so I can't debug it or even confirm it.

If somebody can confirm this and provide me with some access logs to debug it I'm sure I can fix it, probably just requires another user-agent check in the main location block.

Delete tests based on HTTP headers

Plex recently added the root hit redirect into its server, rendering this unnecessary:

if ($request_method != OPTIONS) {
	set $test A;
}
if ($http_x_plex_device_name = '') {
	set $test "${test}B";
}
if ($arg_X-Plex-Device-Name = '') {
	set $test "${test}C";
}
if ($http_user_agent !~ (SmartTV)) {
	set $test "${test}D";
}

#If the client isn't an app like a SmartTV and such, forward them to the web interface.
if ($test = ABCD) {
	rewrite ^/$ $scheme://$http_host/web/index.html;
}

401 Unauthorized

I'm running Plex on my built NAS that has its own DNS entry.
For ease of use, I created a hostname pointing to the NAS IP.

And using the current configuration, it, for some reason, didn't want to access the Plex Web Interface.
You get the nice "Please Login" (aka 401) view, which shouldn't be there since I'm on the local network.

I still haven't found a better way around it, but if one sends the Token to Plex as a header, it will work correctly. But it depends if people want to use it like that.

Maybe include it as a comment, in case nothing works for other people.

proxy_set_header X-Plex-Token "";

Client IP shown as NGINX IP

Hello,

I have successfully configured the nginx reverse proxy with your config and guide, but I cannot figure out for the life of me why all client IPs under Plex show as the nginx IP.....

#Forward real ip and host to Plex
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
#When using ngx_http_realip_module change $proxy_add_x_forwarded_for to '$http_x_forwarded_for,$realip_remote_addr'
proxy_set_header X-Forwarded-For $http_x_forwarded_for,$realip_remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;

Would appreciate the help

Location / not redirecting to /web, causing a 401 error.

The current nginx.conf (as of commit 8d238de) does not properly redirect/rewrite from https://plex.domain.xyz/ to https://plex.domain.xyz/web/index.html when using Chrome 57. I'm served a 401 Unauthorized error instead. When manually appending /web or /web/index.html, it all works just fine.

I'm using the config as is with my own SSL certificates, OCSP and HSTS enabled without includeSubdomains.

My full config:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

#Upstream to Plex
upstream plex_backend {
    server 127.0.0.1:32400;
    keepalive 32;
}

server {
	listen 80;
	listen 443 ssl http2; #http2 can provide a substantial improvement for streaming: https://blog.cloudflare.com/introducing-http2/
	server_name plex.domain.xyz;

	#Faster resolving, improves stapling time. Timeout and nameservers may need to be adjusted for your location Google's have been used here.
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;

	#Use letsencrypt.org to get a free and trusted ssl certificate
	ssl_certificate /etc/letsencrypt/live/plex.domain.xyz/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/plex.domain.xyz/privkey.pem;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	#Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
	ssl_stapling on;
	ssl_stapling_verify on;
	#For letsencrypt.org you can get your chain like this: https://esham.io/2016/01/ocsp-stapling
	ssl_trusted_certificate /etc/letsencrypt/ssl/chain.pem;

	#Reuse ssl sessions, avoids unnecessary handshakes
	#Turning this on will increase performance, but at the cost of security. Read below before making a choice.
	#https://github.com/mozilla/server-side-tls/issues/135
	#https://wiki.mozilla.org/Security/Server_Side_TLS#TLS_tickets_.28RFC_5077.29
	#ssl_session_tickets on;
	ssl_session_tickets off;

	#Use: openssl dhparam -out dhparam.pem 2048 - 4096 is better but for overhead reasons 2048 is enough for Plex.
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	ssl_ecdh_curve secp384r1;

	#Will ensure https is always used by supported browsers which prevents any server-side http > https redirects, as the browser will internally correct any request to https.
	#Recommended to submit to your domain to https://hstspreload.org as well.
	#!WARNING! Only enable this if you intend to only serve Plex over https, until this rule expires in your browser it WONT BE POSSIBLE to access Plex via http, remove 'includeSubDomains;' if you only want it to effect your Plex (sub-)domain.
	#This is disabled by default as it could cause issues with some playback devices it's advisable to test it with a small max-age and only enable if you don't encounter issues. (Haven't encountered any yet)
	add_header Strict-Transport-Security "max-age=63072000; preload" always;

	#Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. (Haven't encountered any yet)
	gzip on;
	gzip_vary on;
	gzip_min_length 1000;
	gzip_proxied any;
	gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
	gzip_disable "MSIE [1-6]\.";

	#Forward real ip and host to Plex
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;

	#Websockets
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";

	#Buffering off send to the client as soon as the data is received from Plex.
	proxy_redirect off;
	proxy_buffering off;

	location / {
		if ($request_method != OPTIONS) {
			set $test A;
		}
		if ($http_x_plex_device_name = '') {
			set $test "${test}B";
		}
		if ($arg_X-Plex-Device-Name = '') {
			set $test "${test}C";
		}
		if ($http_user_agent !~ (SmartTV)) {
			set $test "${test}D";
		}

		#If the client isn't an app like a SmartTV and such, forward them to the web interface.
		if ($test = ABCD) {
			rewrite ^/$ $scheme://$http_host/web/index.html;
		}

		proxy_pass http://plex_backend;
	}
}

Bad Gateway on channels

Hi,

I'm having trouble with a few channels that use ..video/ url for example Sub-Zero.

I keep getting 502 Bad Gateway when opening the channel:

https://domain.xyz/video/subzero?X-Plex-Product=...

I tried with port 32400:

https://domain.xyz:32400/video/subzero?X-Plex-Product=...

and it works..

Any ideas?

Connection refused

I get the following in nginx:

letsencrypt | 2018/12/03 18:25:13 [error] 373#373: *19 connect() failed (111: Connection refused) while connecting to upstream, client: 67.214.81.4, server: plex.domain.com, request: "GET /media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=3.77.2&X-Plex-Client-Identifier=asdf&X-Plex-Platform=Chrome&X-Plex-Platform-Version=70.0&X-Plex-Sync-Version=2&X-Plex-Device=Windows&X-Plex-Device-Name=Chrome&X-Plex-Device-Screen-Resolution=1920x978%2C1920x1080&X-Plex-Token=asdf&X-Plex-Language=en HTTP/2.0", upstream: "http://127.0.0.1:32400/media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=3.77.2&X-Plex-Client-Identifier=asdf&X-Plex-Platform=Chrome&X-Plex-Platform-Version=70.0&X-Plex-Sync-Version=2&X-Plex-Device=Windows&X-Plex-Device-Name=Chrome&X-Plex-Device-Screen-Resolution=1920x978%2C1920x1080&X-Plex-Token=asdf&X-Plex-Language=en", host: "plex.domain.com", referrer: "https://app.plex.tv/"

Not sure why this is failing. Any help?

Only Allowing Plex Local Access (for readme)

I am unable to edit the readme myself and pull request so I thought that I'd make this issue to let you know about something I found recently https://forums.plex.tv/discussion/comment/1192684/#Comment_1192684

Basically you add in allowLocalhostOnly="1" inside of your Preferences.xml, for me I added it before all of the other variables, then restart Plex. After that, my Plex had stopped responding remotely and only worked through local. This can be really helpful for those who don't have access to a firewall or are unable to use the default 32400 port so remote access being disabled works. Since if you use a custom port, it will still leak out.
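One way to confirm that the setting described in this issue took effect, as an added example that is not part of the original post or the project: it reads the `allowLocalhostOnly` attribute from Preferences.xml and checks `ss -ltnH` output for listeners on the Plex port that are not bound to loopback. The sample file contents and socket listings are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

PLEX_PORT = "32400"  # default Plex port; pass another value for a custom port

# Constructed sample: Preferences.xml is one <Preferences> element whose
# settings are attributes. FriendlyName is a placeholder value.
SAMPLE_PREFS = ('<?xml version="1.0" encoding="utf-8"?>\n'
                '<Preferences allowLocalhostOnly="1" FriendlyName="example"/>')

# Constructed samples of `ss -ltnH` output:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_LOCAL = """\
LISTEN 0 128 127.0.0.1:32400 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
"""
SAMPLE_SS_EXPOSED = """\
LISTEN 0 128 *:32400 *:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")


def localhost_only_configured(prefs_xml):
    """True if the Preferences element carries allowLocalhostOnly="1"."""
    data = prefs_xml.encode("utf-8") if isinstance(prefs_xml, str) else prefs_xml
    root = ET.fromstring(data)
    return root.tag == "Preferences" and root.get("allowLocalhostOnly") == "1"


def exposed_listeners(ss_output, port=PLEX_PORT):
    """Return local addresses listening on `port` that are not loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == port and not addr.startswith(LOOPBACK_PREFIXES):
            exposed.append(fields[3])
    return exposed


def audit(prefs_xml, ss_output, port=PLEX_PORT):
    """Combine the config check and the socket check into a findings list."""
    findings = []
    if not localhost_only_configured(prefs_xml):
        findings.append('allowLocalhostOnly="1" is not set in Preferences.xml')
    for addr in exposed_listeners(ss_output, port):
        findings.append(f"Plex is reachable without the proxy on {addr}")
    return findings
```

The socket check matters on its own: the attribute only takes effect after Plex restarts, so a correct file with a wildcard listener means the running process still has the old setting.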

How to config PROXY_PASS?

Hi!

In my domain server.com, I use more than one port (ie: server.com:2020 for plexpy and server.com:3030 for deluge-web)

So, after setting up SSL, all connections to those ports answer with an SSL error, and cannot connect to any web different to PMS.

I imagine that the last part of the config file, is to fix this, but... can get it working!

Any clue?

BR!

#If you want to have plexpy etc. on the same domain you can achieve it like this.
	#location /plexpy {
	#	proxy_pass http://127.0.0.1:8181;
	#}

TL;DR: How to avoid converting HTTP to HTTPS? URL changes from http://server.com:2020 to https://server.com:2020 and fails.
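An added example (not from the repository or the issue authors) that reviews the Strict-Transport-Security value used in the configuration above. It encodes two facts: under RFC 6797 the policy is keyed on the host name regardless of port, which bears on the question about other ports on the same domain, and hstspreload.org requires `includeSubDomains` and a max-age of at least one year. Function names and the variant header are assumptions made for the illustration.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum hstspreload.org accepts

# The add_header line as it appears in the configuration on this page.
PAGE_CONF = 'add_header Strict-Transport-Security "max-age=63072000; preload" always;'
# Constructed variant with includeSubDomains added.
VARIANT_CONF = ('add_header Strict-Transport-Security '
                '"max-age=63072000; includeSubDomains; preload" always;')


def hsts_from_nginx(conf):
    """Return the value of the first active (uncommented) HSTS add_header."""
    m = re.search(r'^\s*add_header\s+Strict-Transport-Security\s+"([^"]*)"',
                  conf, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def parse_hsts(value):
    """Split a header value into {lowercased directive: argument or None}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def review_hsts(value):
    """Return findings for one Strict-Transport-Security value."""
    d = parse_hsts(value)
    if not (d.get("max-age") or "").isdecimal():
        return ["invalid: max-age is required, browsers ignore this header"]
    max_age = int(d["max-age"])
    if max_age == 0:
        return ["max-age=0 removes any stored policy for the host"]
    findings = ["http:// URLs on any port of this host are rewritten to https://"]
    if "includesubdomains" in d:
        findings.append("policy also applies to every subdomain")
    if "preload" in d:
        if "includesubdomains" not in d:
            findings.append("preload list requires includeSubDomains")
        if max_age < PRELOAD_MIN_AGE:
            findings.append("preload list requires max-age >= 31536000")
    return findings
```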
