May 3, 20251 yr The goal is to enable Plex to operate at full bandwidth even from Apps without relying on Plex Relay (capped at maximum 2mbps), ensuring secure and efficient access to your media server without opening ports in your router. Plex Relay is used by default because, even with a subdomain configured for browser access at full bandwidth, apps could not utilize the subdomain effectively. This guide provides a step-by-step walkthrough for setting up SWAG (Secure Web Application Gateway) with Plex on Unraid. Hoping to do something helpful because i haven’t found a guide on that, and I struggled a bit in configuring it, so I've written all the steps here.I assume that Plex and the Cloudflare tunnel are already configured and working. Plex on Unraid with Cloudflare and SWAG1. Install SWAGWhy: SWAG serves as a reverse proxy that secures your applications (like Plex) with HTTPS and handles incoming traffic smartly.Install SWAG from the Unraid Community Applications plugin. Configure the container with the following:Network Mode: Bridge (for flexibility and isolation).Ports: Map the container’s port 443 to a host port (e.g., 444).Environment Variables:URL: Your root domain (e.g., yourDomain.com).SUBDOMAINS: Add the subdomain for Plex (e.g., plex).VALIDATION: Use dns for DNS validation with Let's Encrypt.DNSPLUGIN: Set to cloudflare for Cloudflare integration.EMAIL: Your email for certificate notifications.Volumes: Map /mnt/user/appdata/swag on your host to /config in the container for configuration files. 2. Set Up DNS Validation for CertificatesWhy: Let’s Encrypt certificates ensure HTTPS security for your domain. DNS validation is automated with Cloudflare.Obtain a Cloudflare API token with the "Edit Zone DNS" template. Save the token in /config/dns-conf/cloudflare.ini as: dns_cloudflare_api_token = YOUR_API_TOKEN Restrict its file permissions using: chmod 600 /mnt/user/appdata/swag/dns-conf/cloudflare.ini SWAG will now be able to generate and renew certificates automatically. 3. Configure SWAG’s Reverse Proxy for PlexWhy: A reverse proxy routes plex.yourDomain.com traffic securely to your Plex container.Create a file named plex.subdomain.conf in /mnt/user/appdata/swag/nginx/proxy-confs/ with the following content: server { listen 443 ssl; listen [::]:443 ssl; server_name plex.yourDomain.com; include /config/nginx/ssl.conf; location / { proxy_pass http://yourInternalIP:32400; # Use your Plex IP and port proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } Replace yourInternalIP with your Unraid server's IP.This file ensures incoming requests are forwarded to Plex, with proper HTTPS headers. 4. Configure Cloudflare TunnelWhy: Cloudflare Tunnel hides your server’s IP while securely forwarding traffic to SWAG.From the Cloudflare Tunnel interface, set up an HTTPS service pointing to yourInternalIP:444 .Configure the Origin Server Name and HTTP Host Header to plex.yourdomain.com .Alternatively, create a Cloudflare Tunnel with the following ingress rule: ingress: \- hostname: plex.yourDomain.com service: https://yourInternalIP:444 \- service: http_status:404 Make sure the URL uses https:// and corresponds to the host port assigned to SWAG (e.g., 444). 5. Verify and Test ConnectivityWhy: Ensures SWAG and Cloudflare are properly configured.Access Plex locally to confirm it’s running: http://yourInternalIP:32400Test the reverse proxy:From an external network, visit: https://plex.yourDomain.com .If successful, Plex should be accessible securely. 6. Troubleshoot IssuesIf SWAG doesn’t seem to forward traffic properly:Check file names: SWAG only includes .subdomain.conf files from the proxy-confs directory.Reload SWAG after changes: Restart the container to reapply configurations.Use nginx -T to confirm your custom configuration is loaded.A 502 Bad Gateway error usually indicates a misconfigured proxy_pass directive or mismatched Host header. Ensure Cloudflare sends the correct SNI (plex.yourDomain.com) and HTTP Host Header. 7. Finalizing Plex SettingsWhy: Tells Plex to advertise the correct public access URL to clients.In Plex, go to Settings > Network > Custom server access URLs and set your Custom Server Access URL to: https://plex.yourDomain.com:443 Flow of TrafficExternal Client: Requests https://plex.yourDomain.com .Cloudflare Tunnel: Forwards the request to SWAG via https://yourInternalIP:444 .SWAG: Matches the domain to plex.subdomain.conf and proxies the request to Plex on http://yourInternalIP:32400 .Plex: Serves the content to the client. This setup ensures that your Plex instance is securely accessible over HTTPS with minimal exposure to the internet, thanks to the combination of Cloudflare Tunnel, SWAG, and DNS-based certificate validation.So now you can disable Plex Relay and access Plex at full bandwidth both from applications, your subdomain or local connection (if you are at home or via VPN).Hope everything is clear! Edited September 30, 2025Sep 30 by Sgine fix for cloudflare settings
September 8, 2025Sep 8 Hey there,Thanks for the writeup on this! I'm having some trouble with my configuration and had a couple questions.During 4. Configure Cloudflare Tunnel you say:On 5/3/2025 at 8:09 AM, Sgine said:From the Cloudflare Tunnel interface, set up an HTTPS service pointing to http://yourInternalIP:444/ .Configure the Origin Server Name and HTTP Host Header to http://plex.yourdomain.com/ .I'm a little confused as to what to use here. Should I actually be setting up http in the headers/service in CloudFlare or is that just a typo? I have the Cloudflare tunnel configured and was able to hit my Plex server using just that previously using it's default 32400 port, so I know that is working, but after adding Swag into the mix and adjusting the service on Cloudflare I'm getting this in the Cloudflared Tunnel container's logs:error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp myserverIP:444: connect: connection refused" connIndex=2 event=1 ingressRule=0 originService=https://myserverIP:444Any idea where the issue might be? Swag shows good and has pulled down the cert per it's logs, so I think that's good to go, but I think I missed something during this config.Here is a screenshot of my Cloudflare config as well to make this a little easier:Thanks again! Edited September 8, 2025Sep 8 by Skarm0ry
September 8, 2025Sep 8 A small update to my above post.I found that adjusting the HTTPS Service URL from myIP:444 to myIP:443 changed the error and got me to a point where it was complaining about TLS validation, which there was an option for in the services. If I enable that I no longer get any errors on the Cloudflare Tunnel logs, but I get a 400 Bad Request when attempting to connect.You hadn't mentioned anything about needing to make adjustments to the "No TLS Verify" option, so I think I might just be going down the wrong path here, but wanted to throw that out there if it helped understand where this might be breaking.Thanks again!Final update to this for anybody who might be having the same troubles.The issues were specifically with this part of the guide:4. Configure Cloudflare TunnelWhy: Cloudflare Tunnel hides your server’s IP while securely forwarding traffic to SWAG.From the Cloudflare Tunnel interface, set up an HTTPS service pointing to http://yourInternalIP:444/ .Configure the Origin Server Name and HTTP Host Header to http://plex.yourdomain.com/ .Alternatively, create a Cloudflare Tunnel with the following ingress rule:The Cloudflare Tunnel service needs to be pointed to the SWAG IP (or container name if they're on the same custom network) with 443 as the port. The Origin Server and HTTP Post Header don't need to be the full URL as stated in the guide, that causes TLS to freak out, so changing those to just subdomain.domain resolved these Bad Gateway errors that I was seeing. Here is how my config looks in Cloudflare after all is said and done.One last key thing that was left out of this guide that was necessary for this to work for me was:7. Finalizing Plex SettingsWhy: Tells Plex to advertise the correct public access URL to clients.In Plex, go to Settings > Remote Access and set your Custom Server Access URL to: https://plex.yourDomain.comIn Plex you will need to add the Custom Server URL as: https://plex.yourDomain.com:443 if this is not added with the port at the end, it will not work.Finally got this working, so I'm excited to do some testing now!@Sgine let me know if there is anything I'm not considering here as I am pretty new to all of this, but this was the only combo of configs that I could get to work for me. Edited September 8, 2025Sep 8 by Skarm0ry Update
September 30, 2025Sep 30 Author On 9/8/2025 at 4:21 AM, Skarm0ry said:A small update to my above post.I found that adjusting the HTTPS Service URL from myIP:444 to myIP:443 changed the error and got me to a point where it was complaining about TLS validation, which there was an option for in the services. If I enable that I no longer get any errors on the Cloudflare Tunnel logs, but I get a 400 Bad Request when attempting to connect.You hadn't mentioned anything about needing to make adjustments to the "No TLS Verify" option, so I think I might just be going down the wrong path here, but wanted to throw that out there if it helped understand where this might be breaking.Thanks again!Final update to this for anybody who might be having the same troubles.The issues were specifically with this part of the guide:The Cloudflare Tunnel service needs to be pointed to the SWAG IP (or container name if they're on the same custom network) with 443 as the port. The Origin Server and HTTP Post Header don't need to be the full URL as stated in the guide, that causes TLS to freak out, so changing those to just subdomain.domain resolved these Bad Gateway errors that I was seeing. Here is how my config looks in Cloudflare after all is said and done.One last key thing that was left out of this guide that was necessary for this to work for me was:In Plex you will need to add the Custom Server URL as: https://plex.yourDomain.com:443 if this is not added with the port at the end, it will not work.Finally got this working, so I'm excited to do some testing now!@Sgine let me know if there is anything I'm not considering here as I am pretty new to all of this, but this was the only combo of configs that I could get to work for me.Hey @SkarmOry, thanks a lot for pointing that out and sorry for the late reply! 😅You are absolutely right about the Cloudflare Tunnel part, I wrote it wrong in the guide. The correct setup is exactly as you described, so I’ll fix that to avoid any confusion.Regarding the “Custom server access URLs” in Plex: in my setup it worked even without :443, but you’re right, adding it is definitely the better approach to make sure all clients connect properly. I’ll update the guide with that!
October 21, 2025Oct 21 Thanks a lot for the guide.I do have a question, when steaming outside my network my stream shows as not secured in Tautulli, do you know if that’s something that can be ignored ?When changing the setting secured connections in plex to required I can no longer access Plex Media Server.I also disabled remote connections in the settings. Edited October 21, 2025Oct 21 by Hamilcar
October 24, 2025Oct 24 Author On 10/21/2025 at 9:02 PM, Hamilcar said:Thanks a lot for the guide.I do have a question, when steaming outside my network my stream shows as not secured in Tautulli, do you know if that’s something that can be ignored ?When changing the setting secured connections in plex to required I can no longer access Plex Media Server.I also disabled remote connections in the settings.I'm not using Tautulli so I do not know what kind of check it does, but if you are connecting through HTTPS it should be a secure connection. I think you can ignore it if you can see that only through Tautulli
November 8, 2025Nov 8 I love the write up and everything, but I'm not sure I can agree with your premise of "The goal is to enable Plex to operate at full bandwidth even from Apps without relying on Plex Relay (capped at maximum 2mbps), ensuring secure and efficient access to your media server without opening ports in your router. Plex Relay is used by default because, even with a subdomain configured for browser access at full bandwidth, apps could not utilize the subdomain effectively."I actually don't need the need for SWAG if you just setup your plex and cloudflare properly: https://mythofechelon.co.uk/blog/2024/1/7/how-to-set-up-free-secure-high-quality-remote-access-for-plexI got full remote access and full bandwidth from all my apps just by the setup described in the link above (unraid, plex, cloudflare tunnel, cloudflare configs, ext. domain).
December 21, 2025Dec 21 As previous posted said, no need for a reverse proxy. Just attached the Cloudflare docker container to whatever subnet you have Plex running it.
February 24Feb 24 You should be careful with this. I was also searching for a way to hide my IP and not exposing my Plex directly on the Internet, but according to many sources, it is not allowed to use their free services to stream video. You can look their terms and conditions and/or google about that.Here is the “interesting” part:Cloudflare’s content delivery network (the “CDN”) Service can be used to cache and serve web pages and websites. Unless you are an Enterprise customer, Cloudflare offers specific Paid Services (e.g., the Developer Platform, Images, and Stream) that you must use in order to serve video and other large files via the CDN. Cloudflare reserves the right to disable or limit your access to or use of the CDN, or to limit your End Users’ access to certain of your resources through the CDN, if you use or are suspected of using the CDN without such Paid Services to serve video or a disproportionate percentage of pictures, audio files, or other large files. We will use reasonable efforts to provide you with notice of such action.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.