-
-
Save hazcod/3ef10a15f52c171a7839 to your computer and use it in GitHub Desktop.
| This current configuration is based of at least Server Version 1.16.5.1488 and Web Version: 3.108.2. | |
| This updated config file allows the playing of trailers and TV Show theme music where as the previous one did not. | |
| ## Requirements | |
| 1. Apache version > 2.4 | |
| 2. A bunch of mod's enabled (proxy, ssl, proxy_wstunnel, http, dir, env, headers, proxy_balancer, proxy_http, rewrite) | |
| 3. Protocols h2 http/1.1 needs apachectl -V 2.4.17 and higher... | |
| ## Apache .conf file | |
| ``` | |
| DEFINE plex_url 127.0.0.1 | |
| DEFINE plex_port 32400 | |
| DEFINE public_url subdomain.plex.tv | |
| DEFINE email [email protected] | |
| ServerTokens Prod | |
| SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)" | |
| SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)" | |
| SSLSessionCacheTimeout 300 | |
| ### If you have Google's Mod PageSpeed, disable it | |
| #ModPagespeed Off | |
| <VirtualHost *:80> | |
| ServerName ${public_url} | |
| DocumentRoot /var/www/offline | |
| ServerAdmin ${email} | |
| RewriteEngine on | |
| RewriteCond %{SERVER_NAME} =${public_url} | |
| RewriteCond %{HTTPS} off | |
| RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] | |
| </VirtualHost> | |
| <VirtualHost *:443> | |
| ServerName ${public_url} | |
| DocumentRoot /var/www/offline | |
| ServerAdmin ${email} | |
| ErrorLog ${APACHE_LOG_DIR}/${public_url}.error.log | |
| CustomLog ${APACHE_LOG_DIR}/${public_url}.access.log combined | |
| SSLEngine On | |
| SSLCertificateFile /etc/letsencrypt/live/${public_url}/fullchain.pem | |
| SSLCertificateKeyFile /etc/letsencrypt/live/${public_url}/privkey.pem | |
| #Include /etc/letsencrypt/options-ssl-apache.conf | |
| ### Forbid the http1.0 protocol ### | |
| Protocols h2 http/1.1 | |
| #Options -Includes -ExecCGI | |
| #LimitRequestBody 512000 | |
| #FileETag None | |
| #TraceEnable off | |
| Timeout 360 | |
| ProxyRequests Off | |
| ProxyPreserveHost On | |
| ProxyTimeout 600 | |
| ProxyReceiveBufferSize 4096 | |
| SSLProxyEngine On | |
| RequestHeader set Front-End-Https "On" | |
| ServerSignature Off | |
| SSLCompression Off | |
| SSLUseStapling On | |
| SSLStaplingResponderTimeout 5 | |
| SSLStaplingReturnResponderErrors Off | |
| SSLSessionTickets Off | |
| RequestHeader set X-Forwarded-Proto 'https' env=HTTPS | |
| Header always set Strict-Transport-Security "max-age=15552000; preload" | |
| Header always set X-Content-Type-Options nosniff | |
| Header always set X-Robots-Tag none | |
| Header always set X-XSS-Protection "1; mode=block" | |
| Header always set X-Frame-Options "SAMEORIGIN" | |
| Header always set Referrer-Policy "strict-origin-when-cross-origin" | |
| Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct 'unsafe-inline'; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;" | |
| Header always set Feature-Policy "geolocation 'self'; midi 'self'; sync-xhr 'self'; microphone 'self'; camera 'self'; magnetometer 'self'; gyroscope 'self'; speaker 'self'; fullscreen 'self'; payment 'self'" | |
| ### Use next two for very secure connections ### | |
| SSLHonorCipherOrder On | |
| SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH | |
| SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
| ### Use next two for secure connections and supports more endpoints ### | |
| #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 | |
| #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | |
| ### Actually proxy the traffic and really the only important part ### | |
| ProxyPassMatch ^/.well-known ! | |
| ProxyPass / http://${plex_url}:${plex_port}/ | |
| ProxyPassReverse / http://${plex_url}:${plex_port}/ | |
| ProxyPass /:/ ws://${plex_url}:${plex_port}/:/ | |
| ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/ | |
| ProxyPass /:/ wss://${plex_url}:${plex_port}/:/ | |
| ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/ | |
| LimitRequestBody 512000 | |
| FileETag None | |
| TraceEnable off | |
| #Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure | |
| Timeout 60 | |
| <Location /:/websockets/notifications> | |
| ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications | |
| ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications | |
| </Location> | |
| <Proxy *> | |
| Require all granted | |
| </Proxy> | |
| RewriteEngine on | |
| RewriteCond %{REQUEST_URI} !^/web | |
| RewriteCond %{HTTP:X-Plex-Device} ^$ | |
| RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$ | |
| RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR] | |
| RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device= | |
| RewriteRule ^/$ /web/$1 [R,L] | |
| </VirtualHost> | |
| ``` |
You need add
unsafe-inlineto the style-src of the current CSP policy provided by this config.
@jamesmacwhite Thanks! That worked 100%. The box is gone after making that addition.
I've adapted the gist to include style-src: unsafe-inline.
Is there a current guide for the proper way to generate Letsencrypt certs for the server? This and most other guides assume you already have your certificates generated and ready to use, and I haven't been able to find anything that mentions the process for generating these certs in the first place.
Obviously the usual certbot approach doesn't work for a custom setup like this, which is why I'm confused.
Update: Success! To use certbot, I set up my virtualhost to simply point to a directory where certbot could write its verification files. Once I had the certificates generated, I used the above virtualhost config and everything seems to be working properly.
One final question - how will renewal work with certbot? Doesn't it need to perform another http verification when renewing the certificates?
Certbot should automatically have installed cronjob to regularly check for when the certificate needs to be renewed. This VirtualHost template actually handles being able to perform HTTP verification by bypassing the typical .well-known pathl, to avoid the request being sent to your Plex server, instead it should be processed by your web server and allow certbot to verify.
To be honest, I'm not sure why the template uses DocumentRoot /var/www/offline, it would be better to use the typical default of /var/www/html
Another update. I was working on a nginx conf for Plex.
UPDATE: This code that was here.... wasn't very good.
@iamdoubz You might want to review this configuration. It caused a few regressions with my reverse proxy setup. Remote streams worked but they were not picked up in the Now playing status even though I could see remote stream traffic and watch status i.e. watched and unwatched was broken amongst other things like resuming was not working. Reverting the Location and ProxyPass/ProxyPassReverse parts allows things to work again fine. Local clients were not affected.
I'd advise others to use the previous configuration due to the above. I'm thinking in particularly it's the proxying parts.
Anyone still using this? It seems stopped working(old and new version) last few days without any changes on the my setup.
There are lots of /:/websockets/notifications error in the logs too.
Client player cant fastforward / timeout/ unepected error on remote stream.
Don't use the Apache "Location" version. It was bad and I removed it from my previous post. My plex config still seems to be working with web version 4.62.1 and server version 1.24.2.4973.
Anyone still using this? It seems stopped working(old and new version) last few days without any changes on the my setup.
There are lots of /:/websockets/notifications error in the logs too.Client player cant fastforward / timeout/ unepected error on remote stream.
What version of Plex do you have?
For Plex version 4.62.1 (version server 1.24.2.4973) - works, but I had to edit "Header always set Content-Security-Policy"
If you connect directly to Plex: http://ip.ad.re.ss:32400/web, do you experience these weird timeouts and/or transcoding problems?
If you connect directly to Plex: http://ip.ad.re.ss:32400/web, do you experience these weird timeouts and/or transcoding problems?
no issue when open port directly to plex(even via cloudflare. Issue only when i go thru apache proxy.
UPDATE: Found the root cause to be traffic proxy to plex docker seems to causing the timeout.
Reviewing my reverse proxy the CSP change needed is to do with img-src now, it seems images are now being served from a path of:
https://ip.hash.plex.direct, the rule of *.plex.direct no longer matches, because of the hash, subdomain of subdomain, you can probably get away with just allowing https: for img-src to avoid having to add loads of specific rules.
Otherwise, it works fine and can play content through the web and mobile app, no changes other than CSP.
For my configuration, a proxy server - it was enough to add the *.plex.direct:32400 for img-src
@Tipz Ah thanks, yes that's a better rule if you want to be selective. You could still use https: generally to avoid having all of the conditions, some of them might not be valid anymore.
@hazcod The header 'Feature-Policy' can be renamed to 'Permissions-Policy' due to the specification change, it may need reformatting as the specification changed.
Does anyone know how to fix the errors regarding /:/websockets/notifications? I am constantly getting the videos freezing and the logs showing Error during SSL Handshake with remote server returned by /:/websockets/notifications.
@simao-silva That would suggest the WebSocket requests are not being properly proxied. Do any console errors show up related to WebSocket issues when browsing your reverse proxy domain?
As a debugging step you could try applying the following:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
However, be mindful this basically disables any SSL/TLS validation, so don't leave enabled but for testing purposes.
Does your reverse proxy have a valid SSL certificate?
After long battle with freezing video. I fixed it with few changes. I am not sure which one really fixed it.
On plex ensure the certificate.pfx is set to my to domain generated. U need to put full path from root
Custom certificate location: /var/lib/plexmediaserver/certificate.pfx
Debug and restart plex make sure the cert is used. clear the cert cache if needed(i forgot how)
https instead of http.
ProxyPass / https://${plex_url}:${plex_port}/
ProxyPassReverse / https://${plex_url}:${plex_port}/
Keep alive on. I got random proxy timeout without this. Seems there is too much thread opened. Thus keepalive on to prevent that.
KeepAlive on
I dont have error after make these setting.
Server version: Apache/2.4.51 (Debian)
@tyjtyj Interesting, thanks for sharing. Adding keepalive to the ProxyPass might be something to add to the main config.
It is worth pointing out if you change the ProxyPass/ProxyPassReverse to https, you must configure a valid SSL certificate. I believe this means configuring a custom one your Plex instance, otherwise you will get "Error during SSL Handshake" errors. This will be because of a common name mismatch. The configuration detailed here, typically focuses on providing a valid SSL certificate for the proxy, but not for the traffic between the proxy, which is why it's using plain http.
You can technically change the proxy to https:// without doing this but you'll have to disable one or more SSL checks, which is not recommended due to higher risk of MITM, however if the traffic is being proxied locally, then it's not as bad.
Below is a "test" config for using Plex as a subdirectory. It needs an additional apache2 mod called proxy_html and assumes a subdirectory of "plex":
### Plex subdirectory test
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/plex/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
RewriteRule ^/$ /plex/web/$1 [R,L]
<Location /web>
ProxyPass http://192.168.1.109:32400/web retry=0
ProxyPassReverse http://192.168.1.109:32400/web
SetOutputFilter proxy-html
ProxyHTMLURLMap http://192.168.1.109:32400/web
</Location>
RewriteRule ^/web$ /plex/web/ [R]
<Location /media>
ProxyPass http://192.168.1.109:32400/media retry=0
ProxyPassReverse http://192.168.1.109:32400/media
SetOutputFilter proxy-html
ProxyHTMLURLMap http://192.168.1.109:32400/media
</Location>
RewriteRule ^/media$ /plex/media/ [R]
<Location /plex/:>
ProxyPass wss://192.168.1.109:32400/:
ProxyPassReverse wss://192.168.1.109:32400/:
</Location>
RewriteRule ^/plex/:$ /plex/:/ [R]
<Location /plex>
ProxyPass http://192.168.1.109:32400 retry=0
ProxyPassReverse http://192.168.1.109:32400
SetOutputFilter proxy-html
ProxyHTMLURLMap http://192.168.1.109:32400
</Location>
RewriteRule ^/plex$ /plex/ [R]
In my testing, it appears to be working. Tested playing some music and hearing the TV Show theme music play. Make sure you change the 192.168.1.109:32400 to the IP and port of your Plex server.
Very cool of you to share the config.
I tried it but I cannot get it to work.
If I set it up with the modifications needed for my system I only get a 404 page not found.
When I modify the http to https here:
ProxyPass / https://${plex_url}:${plex_port}/
ProxyPassReverse / https://${plex_url}:${plex_port}/
I get Error during SSL Handshake with remote server
If I then add these lines:
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
I get again the 404.
Any Idea where I'm doing something wrong?
Thanks Chris
@chrihuc Is this proxying a subdomain or sub directory? Check that you can access the path being proxied outside of Apache first. 404 suggests it's hitting something, but maybe not what you think.
The SSL handshake error is expected without additional configuration not covered here, as the SSL certificate you provide for a custom domain is not going to match the Plex domain that is proxied. For simplicity, just proxy HTTP, but you'll have to keep Plex secure connections as "preferred" and not set it to "forced". Also be aware disabling all those SSL directives is a security risk. You actually only need SSLProxyCheckPeerName off to avoid the 502 error.
I'm proxying a subdomain, doing this already for Grafana.
Anyway I was about to look into it again right now, and guess what, it works... I have not changed anything. Not sure if I had still a bad route in my laptop.
Thanks all the same!
btw. I had the SSL directives only shortly active, just for testing. Deactivated them directly after they did not improve the situation.
I was using this and it was working fine for all plex apps except for infuse: it was very slow within the infuse app. Adding
SSLProxyCheckPeerName off
to the SSL section solved this issue ...
Error I was seeing in the logs was:
Internal error (specific information not available): AH01084: pass request body failed to 172.20.1.2:32400 (172.20.1.2)
Error during SSL Handshake with remote server returned by /:/websockets/notifications
"Plex subdirectory test"
Unfortunately I am not getting this to work. No matter what I do Plex likes to respond from https://domain.com/web instead of https://domain.com/plex/web, however https://domain.com/plex actually forwards me to https://domain.com/web
Any ideas? I did use the provided configuration just by changing the Plex server IP address and each http:// to https://
Ubuntu 22.04.2 LTS
Apache 2.4.52
Plex Media Server 4.100.1
Thank you for this vhost configuration! After applying this configuration, I constantly got an error in /var/log/apache2/error.log containing these two lines:
"AH00898: Error during SSL Handshake with remote server returned by /:/websockets/notifications"
"AH01097: pass request body failed to <Local Plex Server IP Address>"
In the browser console it said that it could not connect to "wss://plex.<domain>.<tld>/:/websockets/notifications?X-Plex-Token=<token>" as well.
I then figured out what to change in the configuration to fix it. These errors made me unable to see new content popping up on the dashboard after scanning libraries. I had to refresh the page to see the new content. Context menus would also stop working randomly. Here are the changes I did to fix this:
The configuration below now contains "ws" instead of "wss":
Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${public_url}; media-src 'self' blob: data: https: ${plex_url} ${public_url} *.plex.direct *.plex.tv plex.tv; script-src 'self' 'unsafe-inline' 'unsafe-eval' ${plex_url} ${public_url} plex.tv *.plex.tv gstatic.com *.gstatic.com *.plex.direct; style-src 'self' ${plex_url} ${public_url} *.plex.direct 'unsafe-inline'; img-src 'self' data: blob: ${plex_url} ${public_url} plex.tv *.plex.tv *.plex.direct; worker-src *; frame-src 'none'; connect-src 'self' ws: https: ${plex_url} ${public_url} plex.tv *.plex.direct *.plex.tv;"
I have commented out these lines since I don't think they are necessary. It does not affect the problem, though:
#ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
#ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
The two lines inside the Location directive now contains ws instead of wss:
<Location /:/websockets/notifications>
ProxyPass ws://${plex_url}:${plex_port}/:/websockets/notifications
ProxyPassReverse ws://${plex_url}:${plex_port}/:/websockets/notifications
</Location>
Restart Apache, and the errors should no longer appear, at least for systems with similar setup and configuration described below. Maybe someone finds this helpful.
Setup:
Debian 12
Apache 2.4.57
Plex Media Server 4.108.0
My setup uses no SSL certificate for Plex itself, only for Apache with reverse proxy.
I'm having a strange problem with my reverse proxy... If I use a web browser on my local network, the cover art doesn't show up in Plex... If I use a browser from outside my network, the cover art displays fine. If I'm on the local network and bypass the reverse proxy and go directly to the plex server, the cover art displays. And if I use app.plex.tv from inside or outside my network, the cover art is displayed... If I use the Plex app itself, both inside and outside my local network, the cover art is displayed fine (although I had to logoff and relogin to get it to get it to display on the Shield's Plex App). Does anyone happen to have any ideas what might be going on? I've been trying to figure this out for days ... Bottom line, I'm not getting cover art on plex when using a web browser within my local network when going through the reverse proxy.
I'm having a strange problem with my reverse proxy... If I use a web browser on my local network, the cover art doesn't show up in Plex... If I use a browser from outside my network, the cover art displays fine. If I'm on the local network and bypass the reverse proxy and go directly to the plex server, the cover art displays. And if I use app.plex.tv from inside or outside my network, the cover art is displayed... If I use the Plex app itself, both inside and outside my local network, the cover art is displayed fine (although I had to logoff and relogin to get it to get it to display on the Shield's Plex App). Does anyone happen to have any ideas what might be going on? I've been trying to figure this out for days ... Bottom line, I'm not getting cover art on plex when using a web browser within my local network when going through the reverse proxy.
I had similar issues. Not anymore.
Here's what I have as my Apache2 config for Plex.
Put under root domain e.g. felmey.net config. Plex is then accessible via felmey.net/plex.
Plex server IP in this config is 10.50.0.10
# Plex (Media Server)
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/plex
RewriteCond %{REQUEST_URI} !^/plex/web
RewriteCond %{HTTP:X-Plex-Device} ^$
RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
RewriteRule ^/$ /plex/web/$1 [R,L]
<Location /web>
ProxyPass https://10.50.0.10:32400/web retry=0
ProxyPassReverse https://10.50.0.10:32400/web
SetOutputFilter proxy-html
ProxyHTMLURLMap https://10.50.0.10:32400/web
</Location>
RewriteRule ^/web$ /plex/web/ [R]
RewriteRule ^/web/(.*)$ /plex/web/$1 [R,L]
<Location /media>
ProxyPass https://10.50.0.10:32400/media retry=0
ProxyPassReverse https://10.50.0.10:32400/media
SetOutputFilter proxy-html
ProxyHTMLURLMap https://10.50.0.10:32400/media
</Location>
RewriteRule ^/media$ /plex/media/ [R]
<Location /plex/:>
ProxyPass wss://10.50.0.10:32400/:
ProxyPassReverse wss://10.50.0.10:32400/:
</Location>
RewriteRule ^/plex:$ /plex/:/ [R]
<Location /plex>
ProxyPass https://10.50.0.10:32400 retry=0
ProxyPassReverse https://10.50.0.10:32400
SetOutputFilter proxy-html
ProxyHTMLURLMap https://10.50.0.10:32400
</Location>
RewriteRule ^/plex$ /plex/ [R]
RewriteRule ^/plex/$ /plex/web/ [R]
With this config I haven't had any issues.
@felmey I've seen the white box as well, but it's since gone away. I hadn't realised I've accidentally fixed this until your post. It is due to the CSP policy. You need add
unsafe-inlineto the style-src of the current CSP policy provided by this config. In my previous post, I was analysing some of the errors in console under the reverse proxy compared to app.plex.tv and I hadn't realised the white box and the CSP policy were connected until you pointed it out.