Ntouchable Posted March 19, 2019 Share Posted March 19, 2019 (edited) I have recently set up UnRaid mostly following "SpaceInvader One's" youtube videos. In particular this one - I struggled a lot to get it set up initially until I eventually realise that I could not port forward to WAN due to Carrier Grade NAT. I managed to get in contact with my ISP who were able to sort me out with a static IP. I have since managed to get https and my domain name working with LetsEncrypt and Nextcloud. However, I cannot seem to get Plex working with https and my domain name. It have managed to set it up behind the reverse proxy like so: And if I open up Plex I it is shows the green tick for Remote Access and I can connect remotely with my phone, etc. However, the last piece of the puzzle I have struggled with over the last month is: HTTPS - How to get https working using Let's Encrypt? Domain Name - How to set up Plex such that I can access it by simply going to "plex.mydomainname.com" in my browser? (I have pfSense running on my router with port 32400 forward to my UnRaid server). I assume I am probably missing something relatively obvious... Edited March 19, 2019 by Ntouchable Wrong Picture Quote Link to comment
Ntouchable Posted March 26, 2019 Author Share Posted March 26, 2019 I managed to fix this eventually in the following way: Mounted Let'sEncypt config files to inside the Plex docker config in the following manner: /letsencrypt = /mnt/user/data/letsencrypt/ Plex settings in browser > Network > Custom certificate location = /letsencrypt/keys/letsencrypt/privkey.pfx Custom certificate encryption key = /letsencrypt/keys/letsencrypt/privkey.pem Custom certificate domain = plex.XXXXXX.com Custom server access URLs = https://plex.XXXXXX.com:443 In the file in /mnt/appdata/letsencrypt/nginx/proxy-confs/plex.domain.conf > change the line "proxy_pass https://$upstream_plex:32400" to proxy_pass https://UnRaidServerIP:32400 Optional - 301 redirect so that it forces https - Go to /mnt/appdata/letsencrypt/nginx/site-confs/default > remove the "#" signs next to the code: server { listen 80; server_name _; return 301 https://$host$request_uri; } Optional - Plex UI in browser > Network > Secure connections = Required. Hope this helps someone out there. 1 2 Quote Link to comment
lewispm Posted May 7, 2019 Share Posted May 7, 2019 (edited) Thanks for the info, this is exactly what I am trying to do. I have a question about your solution for Plex. Quote 3. In the file in /mnt/appdata/letsencrypt/nginx/proxy-confs/plex.domain.conf > change the line "proxy_pass https://$upstream_plex:32400" to proxy_pass https://UnRaidServerIP:32400 Doesn't this bypass the nginx proxy and just go to the plex instance on the unraid server? I got emby to work with the following nginx proxy conf: # make sure that your dns has a cname set for emby, if emby is running in bridge mode, the below config should work as is, although, # the container name is expected to be "emby", if not, replace the line "set $upstream_emby emby;" with "set $upstream_emby <containername>;" # for host mode, replace the line "proxy_pass http://$upstream_emby:8096;" with "proxy_pass http://HOSTIP:8096;" HOSTIP being the IP address of emby # in emby settings, under "Advanced" change the public https port to 443, leave the local ports as is, set the "external domain" to your url, # and set the "Secure connection mode" to "Handled by reverse proxy" # to enable password access, uncomment the two auth_basic lines server { listen 443 ssl; server_name emby.*; include /config/nginx/ssl.conf; client_max_body_size 0; location / { auth_basic "Restricted"; auth_basic_user_file /config/nginx/.htpasswd; include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_emby binhex-emby; proxy_pass http://$upstream_emby:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } I'm trying to do the same with plex, but when I do, it doesn't remotely connect. Edited May 7, 2019 by lewispm Added emby conf Quote Link to comment
lewispm Posted May 7, 2019 Share Posted May 7, 2019 Ok, just tried it again, and actually read the subdomain conf comments at the top and I figured it out. Here's what I did, in case you want to do the same: 1. under the config for the letsencrypt docker, add plex as a subdomain. Apply, then check the logs that it accepted it, and says "server ready" at the bottom. 2. config for plex docker, select proxynet as network. ( I think you already have this) 3. edit /appdata/letsencrypt/nginx/proxy-confs/plex.subdomain.conf.sample # make sure that your dns has a cname set for plex, if plex is running in bridge mode, the below config should work as is, for host mode, # replace the line "proxy_pass https://$upstream_plex:32400;" with "proxy_pass https://HOSTIP:32400;" HOSTIP being the IP address of plex # in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443") server { listen 443 ssl; listen [::]:443 ssl; server_name plex.*; include /config/nginx/ssl.conf; client_max_body_size 0; proxy_redirect off; proxy_buffering off; # enable for ldap auth, fill in ldap details in ldap.conf #include /config/nginx/ldap.conf; location / { # enable the next two lines for http auth #auth_basic "Restricted"; #auth_basic_user_file /config/nginx/.htpasswd; # enable the next two lines for ldap auth #auth_request /auth; #error_page 401 =200 /login; include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_plex plex; proxy_pass http://$upstream_plex:32400; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; proxy_set_header X-Plex-Device $http_x_plex_device; proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; proxy_set_header X-Plex-Platform $http_x_plex_platform; proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; proxy_set_header X-Plex-Product $http_x_plex_product; proxy_set_header X-Plex-Token $http_x_plex_token; proxy_set_header X-Plex-Version $http_x_plex_version; proxy_set_header X-Plex-Nocache $http_x_plex_nocache; proxy_set_header X-Plex-Provides $http_x_plex_provides; proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; proxy_set_header X-Plex-Model $http_x_plex_model; } } I didn't have to change this file, but if your plex docker is different than "plex" (i.e. binhex-plex) you'll have to edit that under "set $upstream_plex" 4. Save this file BUT REMOVE THE .sample from the file name. 5. As per the last line in the comments of this file - go into plex settings and : # in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443") Then I navigated to plex.mydomain.com and it worked. Hope it helps! Quote Link to comment
TheMannequin Posted September 11, 2019 Share Posted September 11, 2019 (edited) Hi, I followed the same videos from SpaceInvaderOne... but only for Nextcloud. I do have my own domain, and the LetsEncrypt docker is configured for all my subdomains. Now, when trying to change my Plex Docker to work via LetsEncrypt, when changing the docker network from custom:br0 (I configured a static IP) to proxynet, it doesn't assign a IP to the docker (actually ANY other network setting doesn't provide an IP) and when trying to start it on 'proxynet', show 'server error' Putting it back to the br0 network, with a static IP, and just changing the Letsencrypt plex.subdomain.conf file, I get '502 Bad Gateway'. With this method, I changed the 'proxy_pass' setting to $upstream_plex and the static IP of the docker, but still same error. (and yes, restarting letsencrypt for changes to take effect) I would prefer to keep my static IP....but if no other way, I will change. Any ideas? or am I missing something small?? Edited September 11, 2019 by TheMannequin more info added Quote Link to comment
Pure Posted September 21, 2019 Share Posted September 21, 2019 On 9/11/2019 at 11:22 AM, TheMannequin said: Hi, I followed the same videos from SpaceInvaderOne... but only for Nextcloud. I do have my own domain, and the LetsEncrypt docker is configured for all my subdomains. Now, when trying to change my Plex Docker to work via LetsEncrypt, when changing the docker network from custom:br0 (I configured a static IP) to proxynet, it doesn't assign a IP to the docker (actually ANY other network setting doesn't provide an IP) and when trying to start it on 'proxynet', show 'server error' Putting it back to the br0 network, with a static IP, and just changing the Letsencrypt plex.subdomain.conf file, I get '502 Bad Gateway'. With this method, I changed the 'proxy_pass' setting to $upstream_plex and the static IP of the docker, but still same error. (and yes, restarting letsencrypt for changes to take effect) I would prefer to keep my static IP....but if no other way, I will change. Any ideas? or am I missing something small?? Hi Did you manage to come right, getting exactly the same issue, bad gateway Running the plex official docker. and with the following setting in plexsubdomain config include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_plex PlexMediaServer; proxy_pass http://192.168.0.21:32400; Quote Link to comment
TheMannequin Posted September 25, 2019 Share Posted September 25, 2019 Hi, I got it working....but not with the official container... I changed my docker to the linuxserver one. I installed the Trakt.tv plug-in on (old) Plex, synced my watched up to Trakt.tv, installed the new linuxserver docker, installed trakt.tv and synced it down to my server again. Now I can add it to the custom network (proxynet) or normal and it works fine! Not the best way, but that's how I got round the problem. On 9/21/2019 at 5:54 PM, Pure said: Hi Did you manage to come right, getting exactly the same issue, bad gateway Running the plex official docker. and with the following setting in plexsubdomain config include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_plex PlexMediaServer; proxy_pass http://192.168.0.21:32400; Quote Link to comment
Spies Posted January 8, 2020 Share Posted January 8, 2020 Is it required that you add the letencrypt certificates to plex? Quote Link to comment
jpowell8672 Posted February 18, 2020 Share Posted February 18, 2020 Directly Accessing and adding a SSL cert to Plex on Unraid. https://www.target-bravo.com/blog/2018/7/10/blog-headline-1-6y3tj-49m5s-7tbal-gc7z3 Quote Link to comment
jlficken Posted April 29, 2020 Share Posted April 29, 2020 On 3/26/2019 at 1:43 PM, Ntouchable said: I managed to fix this eventually in the following way: Mounted Let'sEncypt config files to inside the Plex docker config in the following manner: /letsencrypt = /mnt/user/data/letsencrypt/ Plex settings in browser > Network > Custom certificate location = /letsencrypt/keys/letsencrypt/privkey.pfx Custom certificate encryption key = /letsencrypt/keys/letsencrypt/privkey.pem Custom certificate domain = plex.XXXXXX.com Custom server access URLs = https://plex.XXXXXX.com:443 In the file in /mnt/appdata/letsencrypt/nginx/proxy-confs/plex.domain.conf > change the line "proxy_pass https://$upstream_plex:32400" to proxy_pass https://UnRaidServerIP:32400 Optional - 301 redirect so that it forces https - Go to /mnt/appdata/letsencrypt/nginx/site-confs/default > remove the "#" signs next to the code: server { listen 80; server_name _; return 301 https://$host$request_uri; } Optional - Plex UI in browser > Network > Secure connections = Required. Hope this helps someone out there. Thank you for this!!!!! 1 Quote Link to comment
ytddewqf Posted July 25, 2020 Share Posted July 25, 2020 On 3/26/2019 at 6:43 PM, Ntouchable said: I managed to fix this eventually in the following way: Mounted Let'sEncypt config files to inside the Plex docker config in the following manner: /letsencrypt = /mnt/user/data/letsencrypt/ Plex settings in browser > Network > Custom certificate location = /letsencrypt/keys/letsencrypt/privkey.pfx Custom certificate encryption key = /letsencrypt/keys/letsencrypt/privkey.pem Custom certificate domain = plex.XXXXXX.com Custom server access URLs = https://plex.XXXXXX.com:443 In the file in /mnt/appdata/letsencrypt/nginx/proxy-confs/plex.domain.conf > change the line "proxy_pass https://$upstream_plex:32400" to proxy_pass https://UnRaidServerIP:32400 Optional - 301 redirect so that it forces https - Go to /mnt/appdata/letsencrypt/nginx/site-confs/default > remove the "#" signs next to the code: server { listen 80; server_name _; return 301 https://$host$request_uri; } Optional - Plex UI in browser > Network > Secure connections = Required. Hope this helps someone out there. This has just fixed what two days searching the Internet could not. THANK YOU!! 1 Quote Link to comment
Dent_ Posted October 20, 2020 Share Posted October 20, 2020 After setting up plex behind the reverse proxy does the Remote Access always show the Red ! and say not avaliable outside your network? Or does it mean I still have a problem to sort out? Quote Link to comment
Dent_ Posted October 20, 2020 Share Posted October 20, 2020 NVM, found out that remote access check does not work when using custom URLS on the plex forum. Quote Link to comment
Ptolemyiv Posted May 24, 2021 Share Posted May 24, 2021 On 3/26/2019 at 6:43 PM, Ntouchable said: I managed to fix this eventually in the following way: Mounted Let'sEncypt config files to inside the Plex docker config in the following manner: /letsencrypt = /mnt/user/data/letsencrypt/ Plex settings in browser > Network > Custom certificate location = /letsencrypt/keys/letsencrypt/privkey.pfx Custom certificate encryption key = /letsencrypt/keys/letsencrypt/privkey.pem Custom certificate domain = plex.XXXXXX.com Custom server access URLs = https://plex.XXXXXX.com:443 In the file in /mnt/appdata/letsencrypt/nginx/proxy-confs/plex.domain.conf > change the line "proxy_pass https://$upstream_plex:32400" to proxy_pass https://UnRaidServerIP:32400 Optional - 301 redirect so that it forces https - Go to /mnt/appdata/letsencrypt/nginx/site-confs/default > remove the "#" signs next to the code: server { listen 80; server_name _; return 301 https://$host$request_uri; } Optional - Plex UI in browser > Network > Secure connections = Required. Hope this helps someone out there. This worked a treat for me as well using Nginx proxy manager - only tweaks were to update the docker config path which I specifically limited to read-only on the certificate folder for the plex certificate for a little extra security. I also didn't need to do step 3 either and Plex is now working remotely via my own domain (including via web + android / tv apps). My main question (part out of curiosity, part to ensure no gaping security risk) is what is the above actually implementing? Is it that we effectively have SSL encryption from REMOTE DEVICE<->NGINX SERVER which is then reverse proxied but encrypted again between NGINX SERVER<->PLEX SERVER? (i.e. there is in essence one superfluous extra encryption running on the plex server in contrast to a typically https->http reverse proxy) Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.