CloudFlare with nginx and plex
Add the following inside the http block in /etc/nginx/nginx.conf. It tells nginx which upstream addresses to trust, so the client IP it logs and uses is the visitor's real address instead of the Cloudflare edge address.
# CF set real ip
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# use either one of the following two headers
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;
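The part that matters for security here is that nginx only honours the header when the TCP connection itself comes from one of the set_real_ip_from ranges; a request that hits the origin directly keeps its own peer address, so a client cannot pick its logged IP just by sending CF-Connecting-IP. The script below is an added example (mine, not from the original post): it models that decision in Python and adds an access-log check that shows whether the directives are actually taking effect. The address ranges are the ones listed above; the log lines are constructed samples, not real traffic.

```python
"""Added example, not part of the original post: a Python model of the decision
nginx's realip module makes with the set_real_ip_from / real_ip_header
directives above, plus an access-log check that shows whether it is taking
effect. The address ranges are the ones listed in the post; the log lines are
constructed samples, not real traffic."""
import ipaddress
import re

# Same ranges as the set_real_ip_from directives above (Cloudflare publishes
# the current list at https://www.cloudflare.com/ips/; keep both in sync).
CLOUDFLARE_RANGES = [ipaddress.ip_network(cidr) for cidr in """
103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/12 108.162.192.0/18
131.0.72.0/22 141.101.64.0/18 162.158.0.0/15 172.64.0.0/13 173.245.48.0/20
188.114.96.0/20 190.93.240.0/20 197.234.240.0/22 198.41.128.0/17
2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
2c0f:f248::/32 2a06:98c0::/29
""".split()]


def is_trusted_proxy(addr: str) -> bool:
    """True if the TCP peer address falls inside a set_real_ip_from range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def effective_client_ip(remote_addr: str, headers: dict,
                        real_ip_header: str = "CF-Connecting-IP") -> str:
    """Address nginx will log as the client (non-recursive realip behaviour).

    The header is honoured only when the connection really comes from a
    trusted range; a direct hit on the origin keeps its own peer address, so a
    client cannot forge its logged IP just by sending the header itself."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    value = headers.get(real_ip_header, "")
    # X-Forwarded-For can carry a list; without real_ip_recursive nginx takes
    # the last (rightmost) entry, which is the one the trusted proxy appended.
    candidate = value.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:          # missing or malformed header: keep peer address
        return remote_addr
    return candidate


# First field of nginx's default 'combined' log format is $remote_addr.
LOG_RE = re.compile(r"^(\S+) - \S+ \[[^\]]+\] ")


def find_unresolved_cloudflare_hits(log_lines):
    """Log entries whose logged address is still a Cloudflare edge address.

    After the realip directives are in place and nginx has been reloaded,
    such lines should no longer appear; if they do, the ranges are out of date
    or the real_ip_header value does not match what the edge sends."""
    return [line for line in log_lines
            if (m := LOG_RE.match(line)) and is_trusted_proxy(m.group(1))]


# Constructed sample lines in 'combined' format (documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /web/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '172.64.1.9 - - [01/Jan/2024:10:00:01 +0000] "GET /sonarr HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '2606:4700:10::1 - - [01/Jan/2024:10:00:02 +0000] "GET /plexpy HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(effective_client_ip("172.64.1.9", {"CF-Connecting-IP": "203.0.113.7"}))
    for line in find_unresolved_cloudflare_hits(SAMPLE_ACCESS_LOG):
        print("realip not applied:", line.split()[0])
```

Run find_unresolved_cloudflare_hits over a slice of your real access.log after reloading nginx; any hit means the trusted-range list or the header name is wrong. Note that set_real_ip_from only fixes what gets logged: it does not stop anyone from reaching the origin directly and bypassing Cloudflare, which needs a firewall rule or Cloudflare's authenticated origin pulls on port 443.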
This is the reverse proxy file /etc/nginx/sites-available/plex.domain.com. It is symlinked to /etc/nginx/sites-enabled/plex.domain.com:
ln -s /etc/nginx/sites-available/plex.domain.com /etc/nginx/sites-enabled/
The contents of the file are below. Make sure the base URL configured in each program matches the location path in the nginx config. This first server block is for all of the tools.
server {
listen 443 ssl;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
add_header X-Frame-Options "SAMEORIGIN";
server_name sub.domain.com;
ssl_certificate /path/to/cert/sub.domain.com/crt;
ssl_certificate_key /path/to/cert/sub.domain.com/key;
# "ssl on;" is deprecated since nginx 1.15.0; the ssl parameter on listen above replaces it
#ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless an old client really needs them
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
access_log /path/to/log/sub.domain.com/access.log;
error_log /path/to/log/sub.domain.com/error.log;
root /usr/share/nginx/html/sub.domain.com;
index index.html;
gzip off;
# Buffering off: send data to the client as soon as it is received from the upstream.
proxy_redirect off;
proxy_buffering off;
client_max_body_size 100M;
location /ll {
proxy_pass http://localhost:5299/ll/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /nzbget {
proxy_pass http://localhost:1234/nzbget;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /plexpy {
proxy_pass http://localhost:1478/plexpy;
# Standard proxying headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# SSL proxying headers
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl on;
}
location /sonarr {
proxy_pass http://localhost:3698/sonarr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /radarr {
proxy_pass http://localhost:1598/radarr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /bazarr {
proxy_pass http://localhost:6167/bazarr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /lidarr {
proxy_pass http://localhost:4567/lidarr;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /grafana/ {
proxy_pass http://localhost:3099/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }
}
This second server block is for Plex itself.
server {
listen 443 ssl;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
add_header X-Frame-Options "SAMEORIGIN";
server_name plex.domain.com;
ssl_certificate /etc/nginx/ssl/plex.domain.com/crt;
ssl_certificate_key /etc/nginx/ssl/plex.domain.com/key;
# "ssl on;" is deprecated since nginx 1.15.0; the ssl parameter on listen above replaces it
#ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless an old client really needs them
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
access_log /ssd/log/nginx/plex.domain.com/access.log;
error_log /ssd/log/nginx/plex.domain.com/error.log;
root /usr/share/nginx/html/plex.domain.com;
index index.html;
# Plex serves a lot of JavaScript, XML and HTML, so gzip helps a lot; turn it off if it causes playback issues with any device (none encountered so far).
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript;
gzip_disable "MSIE [1-6]\.";
# Buffering off: send data to the client as soon as it is received from Plex.
proxy_redirect off;
proxy_buffering off;
location / {
proxy_pass https://localhost:32400/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
## Required for Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 36000s; ## Timeout after 10 hours
}
location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }
}
Adjust the files as needed, since your port numbers will differ. Next, check the nginx config for issues:
nginx -t
If this comes back clean, reload nginx:
systemctl reload nginx
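nginx -t only validates syntax; it will happily accept the deprecated ssl directive, a certificate on a listener without the ssl parameter, or TLS 1.0 in ssl_protocols. The script below is an added example (mine, not part of the original post) that parses server blocks with a minimal nginx-syntax tokenizer and reports those settings, plus a missing Strict-Transport-Security header on a TLS vhost. SAMPLE_CONFIG is a constructed excerpt in the shape of the two vhosts above, with example.com names and placeholder paths.

```python
"""Added example, not part of the original post: `nginx -t` only validates
syntax, so this script parses server blocks with a minimal nginx-syntax
tokenizer and reports settings that nginx accepts silently but that a TLS
review would flag. SAMPLE_CONFIG is a constructed excerpt in the shape of the
two vhosts above (example.com names, placeholder paths)."""
import re

# Comments, quoted strings, structural characters, and bare words.
TOKEN_RE = re.compile(r'''#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')

# Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or long dead.
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_nginx(text):
    """Return [(directive, args, children_or_None), ...] for nginx config text."""
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            stmt = []
            while tokens[pos] not in ("{", ";"):
                stmt.append(tokens[pos].strip("\"'"))
                pos += 1
            if not stmt:                      # empty statement: skip the separator
                pos += 1
                continue
            if tokens[pos] == "{":
                pos += 1
                children = block()
                pos += 1                      # consume the closing '}'
                items.append((stmt[0], stmt[1:], children))
            else:
                pos += 1                      # consume ';'
                items.append((stmt[0], stmt[1:], None))
        return items

    return block()


def audit_server(children):
    """Findings (strings) for one parsed server block."""
    directives = {}
    for name, args, _ in children:
        directives.setdefault(name, []).append(args)
    host = " ".join(directives.get("server_name", [["(no server_name)"]])[0])
    listens = directives.get("listen", [])
    tls_listen = any("ssl" in args for args in listens)
    ssl_on = any(args[:1] == ["on"] for args in directives.get("ssl", []))
    findings = []
    if ssl_on:
        findings.append(f"{host}: 'ssl on' is deprecated; use 'listen 443 ssl' instead")
    if "ssl_certificate" in directives and not tls_listen:
        findings.append(f"{host}: certificate configured but no 'listen ... ssl'")
    for protos in directives.get("ssl_protocols", []):
        weak = sorted(DEPRECATED_TLS & set(protos))
        if weak:
            findings.append(f"{host}: ssl_protocols enables deprecated {', '.join(weak)}")
    hsts = any(args[:1] == ["Strict-Transport-Security"]
               for args in directives.get("add_header", []))
    if (tls_listen or ssl_on) and not hsts:
        findings.append(f"{host}: no Strict-Transport-Security header")
    return findings


def audit_config(text):
    """Run audit_server over every top-level server block in the text."""
    return [finding
            for name, _args, children in parse_nginx(text)
            if name == "server" and children is not None
            for finding in audit_server(children)]


# Constructed excerpt; names and paths are placeholders.
SAMPLE_CONFIG = r"""
server {
    listen 443;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
    add_header X-Frame-Options "SAMEORIGIN";
    server_name sub.example.com;
    ssl_certificate /etc/nginx/ssl/sub.example.com/crt;
    ssl_certificate_key /etc/nginx/ssl/sub.example.com/key;
    ssl on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }
}
server {
    listen 443 ssl;
    server_name plex.example.com;
    ssl_certificate /etc/nginx/ssl/plex.example.com/crt;
    ssl_certificate_key /etc/nginx/ssl/plex.example.com/key;
    ssl_protocols TLSv1.2 TLSv1.3;   # corrected setting: current versions only
    location / { proxy_pass https://localhost:32400/; }
}
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Point audit_config at the text of your sites-enabled files after nginx -t passes. The first sample block produces three findings (ssl on, no ssl on the listener, TLSv1/TLSv1.1 enabled); the second produces only the missing-HSTS note, which matches the commented-out header in the Plex vhost above and is there for you to decide on, not an error.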
Now restrict Plex's port so that only localhost (that is, nginx) can reach it and everything else has to come through the proxy. These rules are wiped on restart; there are several ways to make them persistent. Note that -A appends, so an earlier ACCEPT rule for port 32400 in the INPUT chain would still take precedence.
iptables -A INPUT -p tcp -s localhost --dport 32400 -j ACCEPT
iptables -A INPUT -p tcp --dport 32400 -j DROP
Next, go into Plex, disable remote connections, and set the domain URL in the network configuration (the NETWORK option in the settings).