{"id":19712156,"url":"https://github.com/fmstrat/plex-ssl","last_synced_at":"2025-04-29T18:30:51.499Z","repository":{"id":20096116,"uuid":"23365557","full_name":"Fmstrat/plex-ssl","owner":"Fmstrat","description":"A guide to using NGINX to secure Plex via SSL","archived":false,"fork":false,"pushed_at":"2015-06-07T13:43:42.000Z","size":576,"stargazers_count":39,"open_issues_count":3,"forks_count":1,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-04-05T18:52:03.879Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Fmstrat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-08-26T20:22:46.000Z","updated_at":"2022-11-15T17:54:45.000Z","dependencies_parsed_at":"2022-07-17T15:00:37.104Z","dependency_job_id":null,"html_url":"https://github.com/Fmstrat/plex-ssl","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fmstrat%2Fplex-ssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fmstrat%2Fplex-ssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fmstrat%2Fplex-ssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Fmstrat%2Fplex-ssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Fmstrat","download_url":"https://codeload.github.com/Fmstrat/plex-ssl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251559752,"owners_count
":21609068,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-11T22:15:30.403Z","updated_at":"2025-04-29T18:30:51.215Z","avatar_url":"https://github.com/Fmstrat.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"#**plex-ssl**\n--------------\n\nA guide to using NGINX to secure Plex via SSL.\n\n**THIS IS CURRENTLY UNDER DEVELOPMENT BY JKIEL AND FMSTRAT. THIS IS EXPERIMENTAL AND HAS NOT YET BEEN TESTED THOUROUGHLY. THIS DISCLAIMER WILL BE REMOVED WHEN THE HOWTO AND CONFIGURATION FILES ARE UPDATED TO THEIR FINAL STATES AND TESTING IS COMPLETED.**\n\n**If you decide to use this MITM method, and stop using it, Plex.tv will continue to try to connect to HTTPS, causing failures. If you wish to stop using the MITM, change the configuration to use HTTP, reconnect Plex Media Server to Plex.tv, and THEN discontinue using the MITM.**\n\nThis guide is based on all the hard work by [jkiel](https://forums.plex.tv/index.php/user/91991-jkiel/) by tracing the HTTP/S requests between PMS, Plex.tv, and clients. His work, and this entire HOWTO, have been developed to overcome the security issue of the authorization token of Plex being passed unsecure over the internet, making it easy for anyone on a client's network to get full access to your server. 
We hope this is merely a temporary fix and that the Plex team will have a native solution relatively soon.\n\nThe post by [Fmstrat](https://forums.plex.tv/index.php/user/188868-fmstrat/) detailing this vulnerability and a proof of concept exploiting it can be viewed by any PlexPass member [in this thread](https://forums.plex.tv/index.php/topic/101886-proof-of-concept-token-exploit-please-fix-this-massive-security-hole/).\n\n![Before](https://raw.githubusercontent.com/Fmstrat/plex-ssl/master/images/mitm-before.png)\n  \n  \n![After](https://raw.githubusercontent.com/Fmstrat/plex-ssl/master/images/mitm-after.png)\n\nThis guide was developed for [**Ubuntu Server 14.04 LTS**](#ubuntu-server-1404-lts) and [**CentOS and RHEL variants**](#centos-and-rhel-variants).\n\nPlease have a look over the [Known Problems](#known-problems) before you decide to use this.\n\n\n#**Tested Clients**\n--------------\nAny Plex Web clients tested below were tested by going directly to the remote IP hostname, **not** to plex.tv.\n\nOS/Device|Client|Result|Notes\n----------------|----------------|----------------|--------------\nAndroid 4.x|Plex App|**Pass**|\niOS 7|Plex Web on Chrome|**Partial Pass**|Websockets do not work, breaking some features|\niOS 7|Plex App|Fail|Works, but transmits token insecurely over http\nOSX|Plex Web on Chrome|**Partial Pass**|Websockets do not work, breaking some features|\nRasPlex|PHT|**Pass**|\nWindows|PHT|**Pass**|\nWindows|Plex App|Fail|Works, but transmits token insecurely over http\nRoku 3|Plex App|Fail|Functions securely, but artwork fails, making browsing near impossible\nRoku 3|RarFlix|Fail|Functions securely, but artwork fails, making browsing near impossible\n\n\n#**Before you begin: Certificates**\n--------------\nThis method of securing Plex works by proxying connections between Plex Media Server and Plex.tv and between Plex Media Server and clients. 
It works by:\n- **Plex Media Server -\u003e Plex.tv:** Intercepting the call to Plex.tv that tells Plex.tv to inform clients of the machine's IP address, and instead supplying a hostname and the scheme of HTTPS. This way, Plex.tv tells clients to connect securely.\n- **Clients -\u003e Plex Media Server:** Proxying all traffic from the clients to Plex Media Server using SSL. A proxy is required because we need to supply a validated certificate for our host, not the general plex.tv certificate that is included with Plex Media Server.\n\nFor proxying between Plex Media Server and Plex.tv, we will create a self signed certificate, and add it to the trusted certificates for Plex Media Server.\n\nFor proxying between clients and Plex Media Server, we will require a \"trusted\" certificate in the form of a valid, purchased certificate from companies like RapidSSL, or a free certificate from companies like StartSSL. Free certificates do not generally work with all clients, but in testing, StartSSL certificates have been proven to function in the scenarios detailed in this guide. [StartSSL.com](https://www.startssl.com/) is the only CA known to have [free certificates](https://www.startssl.com/?app=1) that also have relatively broad browser support.\n\n\n*You must also own the domain name used to host your PMS. Free domain names from dyn.org, noip.com and the like will not work. Your email address won't be one of the administrative/authoritative ones listed in the WHOIS record for the domain.*\n\n#**Ubuntu Server 14.04 LTS**\n--------------\n\nThe Ubuntu configuration guide assumes the following:\n- You are running Ubuntu in a Virtual Machine (This is not required). If you are new to virtual machines, \u003ca href=\"https://help.ubuntu.com/community/KVM/Installation\"\u003eKVM\u003c/a\u003e is free, Open Source, and built into Ubuntu. 
\u003ca href=\"https://www.virtualbox.org/\" target=\"_blank\"\u003eVirtualBox\u003c/a\u003e is another free solution and \u003ca href=\"https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0\" target=\"_blank\"\u003eVMware Player 6.0.3\u003c/a\u003e is a free version of the commercial VMware solution. All are good places to start.\n- This is a fresh install of Ubuntu Server 14.04, with only the minimum packages installed\n- No other services have been installed on Ubuntu, except openssh-server\n\nOption 1: Use the configuration script\n--------------\n\n**The below script assumes you will be using StartSSL or similar provider.** If you already have a validated certificate, you will be asked during the script to use it or create a new one. If you wish to configure your system in a unique way beyond what the script handles, please follow the guide for [Option 2: Manual configuration](#option-2-manual-configuration) or follow the steps inside the configuration scripts manually.\n\nRun the script\n--------------\nThe configuration script supplied should do most of the hard work for you.  In an Ubuntu terminal/ssh session, enter these three lines, then carefully follow the instructions:\n\n```\n~# cd ~\n~# wget https://raw.githubusercontent.com/Fmstrat/plex-ssl/master/ubuntu/setup-ubuntu.sh\n~# sudo bash setup-ubuntu.sh\n```\n\nDuring configuration, you will be prompted for information used to generate a Certificate Signing Request (CSR).  It will ask for country, state, city, common name (your domain name), pass phrase, etc. Before filling this out, check with your [chosen Certificate Authority (CA)](http://www.sslshopper.com/certificate-authority-reviews.html), to see what they require.\n\nYou'll be asked to copy out a Certificate Signing Request (CSR) and paste it to your chosen CA.  After your CA approves and returns a Signed Certificate,  you will need to paste that Signed Certificate back to the script. 
\n\nAt the end, the script will return a self signed certificate that's used to proxy plex.tv. You can find the certs and keys used by the secure and mitm proxy on your Ubuntu proxy server in **/opt/plex-ssl/certs**.\n\n\nIntegrate proxy certificate into Plex Media Server(s)\n--------------\n\nAfter you've completed every step of this configuration, your PMS server will route all traffic destined for plex.tv through the NGINX proxy. This will not succeed until the self signed certificate is installed on the local PMS server(s) that you're securing.\n\nThis involves two steps: installing the certificate in PMS, and installing it as a trusted certificate in the operating system PMS is running on.\n\n#####Getting the certificate\n\nYou can copy the self signed certificate from the output of setup-ubuntu.sh and paste it into an empty file, or download the certificate from: \n```\nhttp://\u003cNGINX IP\u003e:8099/plex/certs/mitm.cer\n```\n\n#####Installing the certificate in PMS\n\nTo install the certificate in PMS, you will need to append the contents of the certificate to PMS's cacert.pem file. We recommend that you make a copy of this file before modification. Also note that you will need to repeat this step after updating PMS to a new version.\n\nThe location of the file varies depending on your operating system, and where you chose to install PMS. 
Here are some common locations:\n\nOperating System|File Location\n----------------|--------------\nWindows |C:\\Program Files (x86)\\Plex\\Plex Media Server\\Resources\\cacert.pem\nLinux |/usr/lib/plexmediaserver/Resources/cacert.pem\nOS X |/Applications/Plex Media Server/Resources/cacert.pem ??\nNAS |/usr/lib/plexmediaserver/Resources/cacert.pem ??\n\nYou will need administrative or root access to edit this file.\n\nOn Windows, you can right click *Notepad*, select *Run as Administrator*, then open the cacert.pem file from Notepad.\n(Hint: You'll need to change *Text Documents* to *All Files* in order to see cacert.pem)\n\nOn Ubuntu, you can run the below as root:\n```\n~# sudo cp /usr/lib/plexmediaserver/Resources/cacert.pem /usr/lib/plexmediaserver/Resources/cacert.pem.orig\n~# sudo cat mitm.cer \u003e\u003e /usr/lib/plexmediaserver/Resources/cacert.pem\n```\n\n#####Installing in PMS's host OS\n\nYou will need to complete this step if you would like to access plex.tv from your PMS server. If you do NOT wish to access https://plex.tv in browsers or commands (like wget) on the PMS system, this step is not necessary.\n\nUse \u003ca href=\"http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html\" target=\"_blank\"\u003eKerio's guide to installing trusted root certificates\u003c/a\u003e to install the self signed certificate on your PMS server's OS.\n\nEdit your hosts file\n--------------\n\nTo trick PMS into connecting to your NGINX proxy, so NGINX can instruct plex.tv to route all traffic from remote clients securely back to NGINX and then on to PMS, we must make your PMS server(s) believe that the NGINX proxy is plex.tv. 
To learn how to edit your hosts file, you can reference \u003ca href=\"http://www.rackspace.com/knowledge_center/article/how-do-i-modify-my-hosts-file\" target=\"_blank\"\u003ethis article\u003c/a\u003e.\n\nFor Ubuntu:\n\n```\n~# sudo vi /etc/hosts\n```\nAnd add:\n```\n192.168.3.207\tplex.tv\n```\n\n(Replacing 192.168.3.207 with your NGINX IP address)\n\n\nSetup your firewall\n--------------\n\nAt the end of the setup-ubuntu.sh script, you will see an output like:\n```\nTCP external:30443 TO \u003cNGINX IP\u003e:30443 (NGINX will forward to \u003cPMS IP\u003e:32400)\n```\nYou will see one line per PMS instance you have set up. These are the external port forwards you will need to create. If NGINX and PMS are installed on the same machine, the IPs will be the same, but you should forward from your router to the NGINX IP.\n\nFor instance, following the IP structure in this guide, use the following port forwarding options on your firewall:\n- External port 30443 -\u003e \u0026lt;NGINX HOST\u0026gt;:30443\n\nYou must close/remove/block any non HTTPS ports on your firewall and/or router that previously connected to your PMS server(s) over HTTP. \n\n\nSet up Plex\n--------------\n\nNow, configure Plex:\n- Visit: http://\u0026lt;PMS IP\u0026gt;:32400/web/index.html#!/settings/server\n- Go to **Connect**, sign in to Plex\n- Click **SHOW ADVANCED**\n- Check **Manually specify port**\n- Fill in 30443 (or whichever port was output by the script for each server)\n- Check **Require authentication on local networks**\n- Lastly, add media to your library\n\n\u003ca href=\"https://support.plex.tv/hc/en-us/articles/200890058-Server-Security-Local-network-authentication\" target=\"_blank\"\u003eEnabling Local Network Authentication\u003c/a\u003e in your PMS server is VERY IMPORTANT. 
The secure reverse proxy will make PMS think that all traffic from the proxy is local.\n\n \nOption 2: Manual configuration\n--------------\n\nYou can look through the detailed instructions for CentOS and RHEL below to get an idea of what you'll need to do.  Use 'sudo apt-get install nginx-extras' to install nginx with Lua.\n\n#**CentOS and RHEL variants**\n--------------\n\nFor the sake of this guide, the following settings are used:\n- Internal PMS hostname: *pms-vm*\n- Internal PMS IP: *192.168.3.207*\n- External hostname: *my.externalhost.com*\n- External port: *33443*\n\nIt is recommended you enable EPEL in CentOS. To do this, please visit this guide: http://www.tecmint.com/how-to-enable-epel-repository-for-rhel-centos-6-5/. \n\nUnfortunately, CentOS does not have a preconfigured nginx with Lua available, even in EPEL. To overcome this, we will use the openresty packages from http://openresty.org/. As a note, nginx could be installed on a separate machine, and is not required to be on the same machine as PMS.\n\n\nDownload and install Plex\n--------------\nUse the following commands to download and install Plex. 
You can get the URL for the latest version of Plex from https://plex.tv/downloads\n\n```\n[root@pms-vm ~]# wget http://downloads.plexapp.com/plex-media-server/0.9.9.14.531-7eef8c6/plexmediaserver-0.9.9.14.531-7eef8c6.x86_64.rpm\n[root@pms-vm ~]# rpm -Uvh plexmediaserver-0.9.9.14.531-7eef8c6.x86_64.rpm\n[root@pms-vm ~]# service plexmediaserver start\n[root@pms-vm ~]# chkconfig plexmediaserver on\n```\n\nNow, configure Plex:\n- Visit: http://pms-vm:32400/web/index.html#!/settings/server\n- Go to **Connect**, sign in to Plex\n- Click **SHOW ADVANCED**\n- Check **Manually specify port**\n- Fill in 33443\n- Check **Require authentication on local networks**\n- Lastly, add media to your library\n\n[Enabling Local Network Authentication](https://support.plex.tv/hc/en-us/articles/200890058-Server-Security-Local-network-authentication) in your PMS server is VERY IMPORTANT.  The secure reverse proxy will make PMS think that all traffic from the proxy is local if you do not.\n\nEdit your hosts file\n--------------\n\nTo trick PMS into connecting to your NGINX proxy, so NGINX can instruct plex.tv to route all traffic from remote clients securely back to NGINX and then on to PMS, we must make your PMS server(s) believe that the NGINX proxy is plex.tv. To learn how to edit your hosts file, you can reference \u003ca href=\"http://www.rackspace.com/knowledge_center/article/how-do-i-modify-my-hosts-file\" target=\"_blank\"\u003ethis article\u003c/a\u003e.\n\nFor CentOS:\n```\n[root@pms-vm ~]# vi /etc/hosts\n```\nAnd add:\n```\n192.168.3.207\tplex.tv\n```\n\nSet up your certificates\n--------------\n\nWe will need two sets of certificates, one that is used as a Man In The Middle (MITM) certificate that PMS will use when connecting to the \"fake\" plex.tv host, and another, trusted certificate to use when external hosts connect to your system. 
The free certs from http://StartSSL.com have been verified to work on Android and Plex Web so far.\n\n#####Creating the self signed certificate\n\nFirst, create your MITM certificate:\n```\n[root@pms-vm ~]# mkdir -p /etc/pki/tls/certs/mitm\n[root@pms-vm ~]# cd /etc/pki/tls/certs/mitm\n[root@pms-vm mitm]# openssl genrsa -out MITM_CA.key 2048\n```\nWhich should return:\n```\nGenerating RSA private key, 2048 bit long modulus\n..............................+++\n..........+++\ne is 65537 (0x10001)\n```\nAnd then run:\n```\n[root@pms-vm mitm]# openssl req -x509 -new -nodes -key MITM_CA.key -days 1024 -out MITM_CA.pem\n```\nAnd use the following values. Be sure to enter **plex.tv** as the **Common Name**.\n```\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [XX]:US\nState or Province Name (full name) []:\nLocality Name (eg, city) [Default City]:\nOrganization Name (eg, company) [Default Company Ltd]:\nOrganizational Unit Name (eg, section) []:\nCommon Name (eg, your name or your server's hostname) []:plex.tv\nEmail Address []:\n```\n\n#####Installing the certificate into PMS\n\nTo install the certificate in PMS, you will need to append the contents of the certificate to PMS's cacert.pem file. We recommend that you make a copy of this file before modification. Also note that you will need to repeat this step after updating PMS to a new version.\n\nThe location of the file varies depending on your operating system, and where you chose to install PMS. 
Here are some common locations:\n\nOperating System|File Location\n----------------|--------------\nWindows |C:\\Program Files (x86)\\Plex\\Plex Media Server\\Resources\\cacert.pem\nLinux |/usr/lib/plexmediaserver/Resources/cacert.pem\nOS X |/Applications/Plex Media Server/Resources/cacert.pem ??\nNAS |/usr/lib/plexmediaserver/Resources/cacert.pem ??\n\nYou will need administrative or root access to edit this file.\n\nOn Windows, you can right click *Notepad*, select *Run as Administrator*, then open the cacert.pem file from Notepad.\n(Hint: You'll need to change *Text Documents* to *All Files* in order to see cacert.pem)\n\nIn CentOS, set permissions and integrate into PMS:\n```\n[root@pms-vm mitm]# chmod 600 *\n[root@pms-vm mitm]# cp /usr/lib/plexmediaserver/Resources/cacert.pem /usr/lib/plexmediaserver/Resources/cacert.pem.orig\n[root@pms-vm mitm]# echo \"\" \u003e\u003e /usr/lib/plexmediaserver/Resources/cacert.pem\n[root@pms-vm mitm]# echo \"MITM\" \u003e\u003e /usr/lib/plexmediaserver/Resources/cacert.pem\n[root@pms-vm mitm]# echo \"=========================\" \u003e\u003e /usr/lib/plexmediaserver/Resources/cacert.pem\n[root@pms-vm mitm]# cat MITM_CA.pem \u003e\u003e /usr/lib/plexmediaserver/Resources/cacert.pem\n```\n\n#####Installing in PMS's host OS\n\nYou will need to complete this step if you would like to access plex.tv from your PMS server. 
If you do NOT wish to access https://plex.tv in browsers or commands (like wget) on the PMS system, this step is not necessary.\n\nUse \u003ca href=\"http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html\" target=\"_blank\"\u003eKerio's guide to installing trusted root certificates\u003c/a\u003e to install the self signed certificate on your PMS server's OS.\n\n#####Set up your external certificate\n\nNow we need to set up our external, valid certificate:\n```\n[root@pms-vm mitm]# mkdir -p /etc/pki/tls/certs/external\n[root@pms-vm mitm]# cd /etc/pki/tls/certs/external\n```\nAt this point, you should place your external, valid certificate and key here. We will call these **external.cer** and **external.key** from here on. If you are using a lower priced certificate, you will likely also have a Certificate Authority file, which we will call **CA.cer**. You should combine this and your external certificate into one file at this point, and set permissions:\n```\n[root@pms-vm external]# cat CA.cer \u003e external.bundle.cer\n[root@pms-vm external]# cat external.cer \u003e\u003e external.bundle.cer\n[root@pms-vm external]# chmod 600 *\n```\n**NOTE:** If you wish to access https://plex.tv from the machine that PMS is installed on, you must add the self signed certificate to [the trusted certificates for your PMS server's OS](http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html), and any browser that doesn't use the OS's trusted certificates list. Failure to do this will result in SSL errors in the browser due to running through the nginx proxy. 
If you do NOT wish to access https://plex.tv in browsers or commands on the PMS system, this step is not necessary.\n\nInstall nginx\n--------------\n\nIn Ubuntu, this is as easy as installing the nginx and nginx-lua packages, but CentOS does not have a preconfigured nginx with Lua available, even in EPEL. To overcome this, we will use the openresty packages from http://openresty.org/\n\n```\n[root@pms-vm external]# yum install gcc pcre-devel openssl-devel\n[root@pms-vm external]# mkdir -p /opt/ngx\n[root@pms-vm external]# cd /opt/ngx\n[root@pms-vm ngx]# wget http://openresty.org/download/ngx_openresty-1.7.0.1.tar.gz\n[root@pms-vm ngx]# tar xvfz ngx_openresty-1.7.0.1.tar.gz\n[root@pms-vm ngx]# cd ngx_openresty-1.7.0.1\n[root@pms-vm ngx_openresty-1.7.0.1]# ./configure --with-luajit\n[root@pms-vm ngx_openresty-1.7.0.1]# gmake\n[root@pms-vm ngx_openresty-1.7.0.1]# gmake install\n```\n\nNow we need to configure nginx. First, back up the original configuration and edit the file:\n```\n[root@pms-vm ngx_openresty-1.7.0.1]# cd\n[root@pms-vm ~]# cd /usr/local/openresty/nginx/conf/\n[root@pms-vm conf]# mv nginx.conf nginx.conf.orig\n[root@pms-vm conf]# wget https://raw.githubusercontent.com/Fmstrat/plex-ssl/master/centos/conf/nginx.conf\n[root@pms-vm conf]# vi nginx.conf\n```\nMake sure you replace the external hostname and two occurrences of your internal IP.\n\nTest the configuration with:\n```\n[root@pms-vm ~]# /usr/local/openresty/nginx/sbin/nginx -t\n```\n\nAnd if everything is OK, start up nginx and restart PMS:\n```\n[root@pms-vm ~]# /usr/local/openresty/nginx/sbin/nginx\n[root@pms-vm ~]# service plexmediaserver restart\n```\n\nYou can then follow the log files in */usr/local/openresty/nginx/logs* to make sure everything is functioning properly.\n\nSetup your firewall\n--------------\n\nUse the following port forwarding options on your firewall.\n- External port 33443 -\u003e pms-vm:33443\n\nYou must close/remove/block any non HTTPS ports on your firewall and/or router 
that previously connected to your PMS server(s) over HTTP. \n\n#**Known problems**\n--------------\n\nThe following is a list of known issues thus far:\n\n1. Due to Plex Web's forced use of insecure Web Sockets (ws:), instead of secure Web Sockets (wss:), Plex Web will still attempt to communicate via HTTP.  If accessed via plex.tv, this could be a security issue since the Plex Web delivered by plex.tv is on http, not https, allowing the insecure web socket to attempt connection. If Plex Web is used by directly accessing your secure domain, the connection will be https, and the insecure websocket connection attempts will be blocked by the browser.  Lack of web sockets impedes the functionality of Plex Web.\n2. JavaScript on plex.tv will try to validate that a server is online or offline by requesting an image from the PMS server.  Unfortunately, it requests that image over http instead of https.  To get around this, the secure proxy will detect the improper http request to an https port and forward it to an https request, but this has the side effect of potentially opening up the security issue pointed out in issue #1.  A token could be exposed.\n3. Plex Media Server detects if a client is local or not by checking the client's IP address.  When using the secure reverse proxy, PMS will see the reverse proxy's IP address and assume the connection is local.  **You must turn on \"Local network authentication\" in PMS, else remote users could log in without authentication.**  Hopefully PMS will be updated to detect proxy use by looking at the request header for the client, and then mark any connection via proxy as non-local, but until then, BE CAREFUL!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffmstrat%2Fplex-ssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffmstrat%2Fplex-ssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffmstrat%2Fplex-ssl/lists"}