I no longer use Apache as a reverse proxy and moved to NGINX. No further updates will be made to this configuration. It may or may not work in the future, no warranty or support will be provided.
This VirtualHost configuration has been tested with the minimum requirements of Plex Media Server Version 1.16.5.1488
and Web Version: 3.108.2
.
The TLS configuration only allows clients that support TLS 1.2+, this may cause issues for legacy clients. You may need to adjust this if specific clients have issues connecting. If however you are OK with having just TLS 1.2+ support, you can also enable the "Disable weak TLS versions" setting on your Plex server, given the reverse proxy will prevent a successful TLS negotiation for such clients anyway.
- Apache 2.4.17 and above (for SSL/h2 related configuration)
- The following modules enabled:
proxy
,ssl
,proxy_wstunnel
,http
,dir
,env
,headers
,proxy_balancer
,proxy_http
,rewrite
This VirtualHost template uses four variables for easier configuration:
plex_url
- IP/local DNS name of your Plex server in your LAN (Not the public domain)plex_port
- Local Plex Media Server port (usually 32400)public_url
- The public DNS name for reverse proxy access i.e. plex.yourdomain.comemail
- ServerAdmin email address displayed on errors from Apache for the configured domain.
You may come across debates around configuring Plex with a reverse proxy. Technically you don't need to, Plex has it's own remote access feature which will forward port TCP 32400 externally through either uPnP (consider disabling uPnP for security) or through a custom port forward rule you've setup. A couple of advantages of a reverse proxy is being able to run Plex over SSL/TLS TCP 443 and taking advantage of SNI (Server Name Indication). Rather than forwarding loads of random services on different ports, you can have something like Nginx or Apache listen on TCP 80 and 443 and serve different domains/subdomains under a single IP address. Then using SNI, automatically return the correct site/service. In addition you could also get really creative and could also using something like HAproxy to serve different services based on the request, which can be more useful when you are dealing with more than just web based requests.
If you use Cloudflare for DNS, you can proxy your public Plex reverse proxy domain through it and benefit from better peering through their CDN, compared to directly connecting to your origin, which on average may have worse performance and Cloudflare could provide a better connection. This however may not always be true, so it may come with trade offs.
Note: You should prevent Plex traffic from being cached as this is potentially in violation of the Cloudflare ToS and could get your domain suspended.
It is worth highlighting that Plex is not directly designed with reverse proxy usage however, so support for it will be likely limited to community/other users. It is also possible, that a reverse proxy configuration can be broken at any time by a Plex update, which has happened before and may require tweaks or changes without warning.
If you want to force secure connections, this reverse proxy setup by default will actually be broken by this because it is proxying plain HTTP. If you wanted to force secure connections everywhere, you need to update the existing ProxyPass
and ProxyPassReverse
lines to https://.
ProxyPass / https://${plex_url}:${plex_port}/
ProxyPassReverse / https://${plex_url}:${plex_port}/
However, without additional configuration, Apache will likely not be able to negotiate the TLS connection due to the default certificate from Plex not matching the public DNS name in your SSL certificate. You could configure a custom certificate on Plex to make this match however.
You'll likely see the following error from Apache (with debugging on) Cert does not match for name 'plex.example.com'
You can however disable this check with:
SSLProxyCheckPeerName off
This will reduce your TLS security slightly, however you do not need to disable all SSL checks entirely such as SSLProxyVerify
, as the default Plex certificate is valid and from a trusted CA (Digicert).
Alternatively. Don't force secure connections, use the "Preferred" setting and leave it as is.
10-01-2022:
- Move
KeepAlive
to main VirtualHost configuration - Amend note about proxying Plex as TLS.
09-01-2022:
- Add
keepalive
to HTTP ProxyPass directive.
07-01-2020:
- Forcing secure connection info
29-12-2020:
- Forked original gist
- Added
unsafe-inline
to the style-src CSP policy to fix a console error and a mysterious white box! - Added
Access-Control-Allow-Origin
header to prevent CORS errors when the public reverse proxy domain is called by app.plex.tv - Wrapped header statements with
IfModule
- A 401 Unauthorized request can be seen in developer console for the
/media/providers
path, it appears to be because theX-Plex-Token
query parameter is not present on the request, that it fails. Checking for Updates hangs and takes a very long time to complete through the reverse proxy, but doesn't through app.plex.tv.
Based off the original template from hazcod which is based off this post on the Plex Forums.
Is the remote bandwidth working for you on the dashboard? It's not showing up for me.