Proxy Plex through Apache on Debian

I have used Plex on and off for a while. After spending some time away from home I decided to get the software set up again. Plex makes it easy for less technical people, but it feels like some control is removed from advanced users. My first pet peeve was that there is not a great way to change the port or URL. You are stuck with something that looks like http://127.0.0.1:32400/web/. Second, to enable TLS they recommend you configure Remote Access. Remote Access will allow you to log into their protected website and it will direct you to the server. It is magic, but you lose the ability to use your own domain name.

I have been using Apache proxies at work for a few projects and wanted to set up the same thing for Plex. It turns out Matt Coneybeare decided to do this in 2013. Matt’s walkthrough is really good and you can find it here. I wanted to take it a step further and configure HTTPS and redirection.

The Basics

Here is a really quick overview of the initial setup. This guide focuses on the proxy piece, but if you have any questions about these items, be sure to post them in the comments.

  1. Install Debian Jessie 8.4
    • Install open-vm-tools (my setup is virtual)
    • Configure a static IP address
  2. Connect Debian to shares – I accomplished this with an arguably insecure method using cifs-utils and the /etc/fstab file. The problem with this method is fstab can be read by anyone and it could expose the password. However, I am the only one with server access and it is a read-only user.

    #/etc/fstab

    //nasip/folder /media/folder cifs username=plex,password=password01,iocharset=utf8,sec=ntlm  0  0

    mount -a     #should not return any errors if the syntax and access works

  3. Install Plex. I used the “Ubuntu” deb file

    dpkg -i plexmediaserver_*_amd64.deb

  4. Set up NAT and open firewall rules externally for 80 and 443
  5. Request a certificate from your provider. You can also use Let’s Encrypt to get a free certificate!
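
Step 2 leaves the share password in /etc/fstab, which every local user can read. mount.cifs also accepts a credentials= option that points at a separate file, so the password can live in a root-only file instead. The following is an added example, not part of the original post: it rewrites a cifs line to use such a file and creates the file with mode 600. The credentials file path is an assumption, and the demo runs on a constructed copy of the fstab line from step 2.

```shell
#!/bin/sh
# Added example: move inline CIFS credentials out of world-readable /etc/fstab.
# Assumes every cifs entry uses the same account; demo paths are temporary.

split_cifs_creds() {  # split_cifs_creds FSTAB CREDFILE -> rewritten fstab on stdout
    ( umask 077; : > "$2" ) && chmod 600 "$2"   # credentials file is owner-only
    awk -v cred="$2" '
        $3 == "cifs" && $4 ~ /(^|,)password=/ {
            n = split($4, opt, ","); out = "credentials=" cred
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^(username|password)=/) print opt[i] >> cred
                else out = out "," opt[i]
            }
            $4 = out                            # fields are re-joined with single spaces
        }
        { print }' "$1"
}

demo() {  # constructed copy of the fstab line from step 2
    d=$(mktemp -d)
    printf '%s\n' '//nasip/folder /media/folder cifs username=plex,password=password01,iocharset=utf8,sec=ntlm  0  0' > "$d/fstab"
    split_cifs_creds "$d/fstab" "$d/smbcredentials"   # prints the rewritten line
    ls -l "$d/smbcredentials" | cut -c1-10            # prints the file mode
    rm -rf "$d"
}
demo
```

On a real system, point CREDFILE at a root-owned location, review the rewritten line before replacing /etc/fstab, and confirm with mount -a.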

Apache

apt-get install apache2
apt-get install openssl

a2enmod rewrite
a2enmod ssl
a2enmod headers     #needed for the Strict-Transport-Security header below
a2enmod proxy
a2enmod proxy_http

/etc/apache2/sites-enabled/000-default.conf

<VirtualHost *:80>

    #Redirects any request on http to https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

</VirtualHost>

/etc/apache2/sites-enabled/001-plex.conf

<VirtualHost *:443>

    #Requires mod_headers (a2enmod headers)
    Header add Strict-Transport-Security "max-age=15768000"

    ServerName plex.domainname.com

    #Cert requested from my provider
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ssl.key
    SSLCertificateChainFile /etc/apache2/ssl/bundle.crt

    <Proxy *>
        #Apache 2.4 form of "Order deny,allow" / "Allow from all"
        Require all granted
    </Proxy>

    #Reverse proxy only; Apache must not act as a forward proxy
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:32400/
    ProxyPassReverse / http://127.0.0.1:32400/

    #Code from Matt’s blog: send browser requests for / to the web app
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/web
    RewriteCond %{HTTP:X-Plex-Device} ^$
    RewriteRule ^/$ /web/$1 [R,L]

</VirtualHost>

systemctl restart apache2

Security

I used ufw to apply a basic firewall configuration:

apt-get install -y ufw

ufw allow from 192.168.0.0/24 to any port 22     #Allows ssh access from only the internal network
ufw allow http     #This allows apache redirection to port 443
ufw allow https

ufw enable
ufw status

SSL Labs

The Debian repository includes an Apache version that has a pretty good default configuration. There were only two changes I made to my configuration files to up my grade on the SSL Labs test. I have talked about this in a previous blog post here.

The first change enabled HTTP Strict Transport Security and was added to the top of my main configuration file:

<VirtualHost *:443>
    Header add Strict-Transport-Security "max-age=15768000"

</VirtualHost>

The second change allows the server to use Forward Secrecy. Uncomment the line "SSLHonorCipherOrder on" near the bottom of the ssl.conf file located in /etc/apache2/mods-enabled/.

After making those changes I restarted Apache and tested the server.

systemctl restart apache2

Plex Security

After setting up the server I was talking to a friend and discovered that he could see my libraries and activity. On Matt’s blog I had overlooked that he had set up Apache authentication using Basic HTTP Auth to present a password prompt to him and his wife. I did not consider that using ProxyPass basically makes the internet look like the local network to Plex: every request reaches Plex from 127.0.0.1.

A quick search found this article to require authentication for local network access. It was quick and easy to set up a PIN on the primary account. The best thing is you can share your libraries with friends without managing a local password file manually.

The green lock indicates a PIN is set! My friend was immediately locked out after making this change.
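
To confirm the lock-out, the redirect and the HSTS header from outside the network instead of waiting for a friend to notice, the responses can be graded with a few shell functions. This is an added example, not part of the original post: the /library/sections path and the use of 401/403 as the "refused" result are assumptions about Plex that do not appear in the post, and the SAMPLE_* responses are constructed.

```shell
#!/bin/sh
# Added example: grade `curl -si` responses from the proxy.
# The SAMPLE_* responses are constructed, not captured from a real server.

status_of() {  # status code from the first response line
    printf '%s\n' "$1" | awk 'NR == 1 { print $2 }'
}

header_of() {  # header_of RESPONSE NAME -> header value (name is case-insensitive)
    printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" -F': *' '
        NR > 1 && $0 == "" { exit }                 # end of the header block
        NR > 1 && tolower($1) == tolower(n) { sub(/^[^:]*: */, ""); print; exit }'
}

check_redirect() {  # port 80 must answer with a redirect to https://
    case "$(status_of "$1")" in 301|302|307|308) ;; *) echo FAIL; return ;; esac
    case "$(header_of "$1" Location)" in https://*) echo PASS ;; *) echo FAIL ;; esac
}

check_hsts() {  # port 443 must send Strict-Transport-Security with a max-age
    case "$(header_of "$1" Strict-Transport-Security)" in
        *max-age=[1-9]*) echo PASS ;; *) echo FAIL ;; esac
}

check_auth() {  # a request without a Plex token must be refused
    case "$(status_of "$1")" in 401|403) echo PASS ;; *) echo FAIL ;; esac
}

audit() {  # audit HOST: run from outside your LAN against your own server
    echo "redirect: $(check_redirect "$(curl -si -m 10 "http://$1/")")"
    echo "hsts:     $(check_hsts "$(curl -si -m 10 "https://$1/web/")")"
    echo "auth:     $(check_auth "$(curl -si -m 10 "https://$1/library/sections")")"
}

SAMPLE_EXPOSED='HTTP/1.1 200 OK
Content-Type: text/xml;charset=utf-8

<MediaContainer size="2">'
SAMPLE_LOCKED='HTTP/1.1 401 Unauthorized
Content-Type: text/html
'
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://plex.domainname.com/
'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000
'
echo "before PIN: $(check_auth "$SAMPLE_EXPOSED"), after PIN: $(check_auth "$SAMPLE_LOCKED")"
```

Calling audit plex.domainname.com from a machine outside the LAN runs the same three checks live; an auth result of FAIL means the proxy is still serving library data without a login.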

Conclusion

This setup has been working well for me so far. It allows me to use my custom cert and domain name without exposing the entire Plex application to the internet.
