How to create a Let’s Encrypt SSL encrypted Reverse Proxy for Plex in OpenMediaVault
I’ve been messing around for a long time with creating reverse proxies for the applications I use with OpenMediaVault, and with a Let’s Encrypt SSL-encrypted reverse proxy for Plex in particular. In the last few days I finally managed to get it working. Today I’m going to share how to create an encrypted reverse proxy for Plex in OpenMediaVault 2.x using free Let’s Encrypt SSL certificates.
Initial Obstacles to Consider and Prerequisites
If you’ve followed my previous tutorial about reverse proxies for Radarr, Sonarr, Transmission and SABnzbd, you’re approaching these apps using a request URI such as /radarr or /sonarr. I’ve come to the conclusion that this isn’t going to work for Plex.
Because I approach OpenMediaVault at nas.mydomain.com/ and Plex doesn’t offer the option to modify the URL base, I’ve chosen to give Plex its own subdomain, e.g. plex.mydomain.com.
Plex is somewhat picky when it comes to the routes it uses for requests. I didn’t investigate it any further, but its URL base needs to be /web/index.html. E.g. /plex/web/index.html seems to be unacceptable for the app. I’ve tried it, and although its support forums are bloated with authors claiming they managed to make it work, I couldn’t.
This tutorial assumes that you’re familiar with creating subdomains and have updated your DNS-records with an A-record pointing towards the system serving Plex.
Since Let’s Encrypt doesn’t offer wildcard SSL certificates, you need to generate a separate certificate for the subdomain serving Plex, e.g. plex.mydomain.com (editor’s note: the V2 API does support wildcard certificates). If you’re wondering how to create a Let’s Encrypt SSL certificate in OMV, I suggest you read this tutorial.
How to create a Nginx Reverse Proxy for Plex in OMV
It’s quite simple to create a reverse proxy for Plex. Applications like SABnzbd and Sonarr offer the option to change the URL base, which means we only have to add a location block inside the existing server block to make the reverse proxy work. Plex needs its own server block, because we can’t modify the URL base.
Create a new file within /etc/nginx/sites-available/ using your favourite text editor, e.g.
nano /etc/nginx/sites-available/openmediavault-plex
Paste the following contents inside the new file:
# Redirect plain HTTP requests for the Plex subdomain to HTTPS.
server {
    listen [::]:80;
    server_name plex.mydomain.com;
    rewrite ^ https://$host$request_uri? permanent;
}

# TLS-terminating reverse proxy in front of Plex Media Server.
server {
    listen [::]:443 ssl;
    server_name plex.mydomain.com;

    error_log /var/log/nginx/openmediavault-plex_error.log error;
    access_log /var/log/nginx/openmediavault-plex_access.log combined;

    # These are the paths to your generated Let's Encrypt SSL certificates.
    ssl_certificate /etc/letsencrypt/live/plex.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plex.mydomain.com/privkey.pem;

    # To generate your dhparam.pem file, run `openssl dhparam -out /etc/nginx/dhparam.pem 2048` (without the quotes) in your terminal.
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:60m;

    location / {
        # IP address of Plex Media Server
        proxy_pass http://127.0.0.1:32400;
        proxy_buffering off;
        proxy_redirect off;

        # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket connections pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        proxy_cookie_path /web/ /;
        access_log off;
    }
}
Now we need to enable our newly created server block by creating a symlink in the /etc/nginx/sites-enabled/ directory:
ln -s /etc/nginx/sites-available/openmediavault-plex /etc/nginx/sites-enabled/openmediavault-plex
After this, all that’s left to do is to restart Nginx with service nginx restart and you’re done. Plex Media Server should be reachable from your browser at https://plex.mydomain.com.
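A small audit of the vhost file for the points this tutorial depends on, as an added example that is not part of the original tutorial: TLS enabled on the listen socket, the certificate and key taken from the Let’s Encrypt directory of the Plex subdomain rather than another host’s, and the proxy pointing at Plex with the WebSocket headers forwarded. The function names and the sample text are constructed for illustration, and the parser treats the file as a flat list of simple directives.

```python
import re

# Constructed sample modeled on the TLS server block from this tutorial.
SAMPLE = """
server {
    listen [::]:443 ssl;
    server_name plex.mydomain.com;
    ssl_certificate /etc/letsencrypt/live/plex.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plex.mydomain.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:32400;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
"""

def directives(conf):
    """Map each simple 'name args;' directive to the list of its argument strings."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    found = {}
    for name, args in re.findall(r"^\s*([a-z_]+)\s+([^;{}]+);", conf, re.M):
        found.setdefault(name, []).append(" ".join(args.split()))
    return found

def audit(conf, host):
    """Return a list of problems found in the vhost text for `host` (empty = OK)."""
    d, problems = directives(conf), []
    # Accept both 'listen ... ssl;' and the older 'ssl on;' form.
    tls = any("ssl" in l.split() for l in d.get("listen", [])) or "on" in d.get("ssl", [])
    if not tls:
        problems.append("no listen socket has TLS enabled")
    if host not in " ".join(d.get("server_name", [])).split():
        problems.append("server_name does not include " + host)
    live = "/etc/letsencrypt/live/" + host + "/"
    for key, pem in (("ssl_certificate", "fullchain.pem"), ("ssl_certificate_key", "privkey.pem")):
        if d.get(key) != [live + pem]:
            problems.append("%s is not %s%s" % (key, live, pem))
    if not any(re.search(r":32400/?$", p) for p in d.get("proxy_pass", [])):
        problems.append("no proxy_pass to the Plex port 32400")
    forwarded = {h.split()[0].lower() for h in d.get("proxy_set_header", [])}
    if not {"upgrade", "connection"} <= forwarded:
        problems.append("Upgrade/Connection headers are not forwarded")
    return problems

if __name__ == "__main__":
    wrong_cert = SAMPLE.replace("live/plex.", "live/nas.")  # certificate of another vhost
    print(audit(SAMPLE, "plex.mydomain.com"))
    print(audit(wrong_cert, "plex.mydomain.com"))
```

To check the real file, pass the contents of /etc/nginx/sites-available/openmediavault-plex to audit() instead of SAMPLE; nginx -t remains the authoritative syntax check.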
All that’s left to do now is alter your router and Plex configuration. You can now close port 32400 within your router’s configuration and disable ‘remote access’ within Plex.
For your Plex clients to ‘see’ Plex Media Server you need to add the URLs to Settings > Network within Plex Media Server. Within the field Custom Server Access URLs add http://plex.mydomain.com:80,https://plex.mydomain.com:443. Also make sure to change the Secure Connections setting to ‘Preferred’.
That’s it. Now your Plex Media Server is reachable through a fully SSL-encrypted Nginx reverse proxy. You’ve hardened your local network’s security by closing a port and implementing an SSL certificate for your connection.
The bandwidth statistics in “activity” is broken. It shows nothing when accessed from the outside.
Do you have a clue for that problem? The CPU statistics works fine.