Set up a CDN for Plex with CloudFlare & NGINX


#43

Is there a way to change the button on the QuickBox dashboard to go to the URL instead of ip:port, which doesn't seem to work after doing this? (I'm guessing it's the part about blocking ports and changing the access URL.)


#44

Thanks a bunch for this guide, Liza. It worked perfectly on my first attempt and my peering is SO SO much better/quicker.


#45

Hi Liza,

I followed the guide and everything works until I attempt to access Plex via https://plex.yourdomain.com. I set up my keys correctly and that test command to make sure everything works reported the test successful. When I enter https://plex.yourdomain.com on my browser, I get a “Connection Refused” error. When I go to plex.yourdomain.com it shows a “It Works!” Apache page. Any idea on what could be the problem?


#46

I followed the guide and everything seems to work for Plex, except that when I now go to the Quickbox home page at my domain I get the privacy error “Your connection is not private”. If I proceed and open ruTorrent I get a lot of errors:
[02.04.2017 19:55:46] WebUI started.
[02.04.2017 19:55:58] Bad response from server: (0 [error,portcheck])
[02.04.2017 19:55:59] Bad response from server: (0 [error,getintervals])
[02.04.2017 19:55:59] Bad response from server: (0 [error,setuisettings])
[02.04.2017 19:56:01] Bad response from server: (0 [error,setuisettings])
[02.04.2017 19:56:01] Bad response from server: (0 [error,gettotal])

I tried following the steps in the install Let's Encrypt thread and everything seems OK, but I still get "connection not secure" and the errors.

Also when I run sudo nginx -t I get this message “nginx: [warn] duplicate MIME type “text/html” in /etc/nginx/sites-enabled/plex.conf:58” But the test is successful.

If I remove iptables -A INPUT -p tcp --dport 32400 -j DROP I can see the server on my Samsung JS TV; however, when I reboot the rule comes back.


#47

Could be a potentially incorrectly setup plex.conf but it could also be an issue through CloudFlare – did you make sure to change the SSL type in your CF panel to at least full or full (strict)?

Nothing should be affected at all in the apache configuration; all we do is change the IP we bind to, nothing else. The “Connection is not Private” error is in relation to a self-signed certificate or a certificate for a domain that is assigned to another domain than the one in use.

That warning message is just a warning and wouldn’t affect anything in your setup.

The Samsung TV is a known issue with CloudFlare proxy (see the note in the top paragraphs). In order to remove the rule permanently, edit the file /etc/iptables/rule.v4 to prevent the rule from being applied at start up.


#48

Yep my apologies. Forgot to enter my actual domain name when producing the SSL certificate. All is well now!

One quick question: I noticed this does not work on my PS4 console. Is this a limitation due to using CF? If I wanted to use my PS4 to stream my media, what would be the process?

Thanks :slight_smile:


#49

There is a newer version of the conf on GitHub which leaves port 80 default as http. If you remove the file /etc/nginx/sites-enabled/default and allow the server to connect to plex on port 80, it will start to work – you’ll also need to add http://plex.yourdomain.com:80 to the custom access urls. However, once enabled, it will allow these clients to connect via unsecure connections.


#50

Thank you for your reply.

Is there any possibility of you walking me through it by chance? I can pay you for your time and effort if you’d like. This is just honestly way over my head and had to re-do the tutorial several times. Just don’t want to mess it up again :slight_smile:

Thanks


#51

The first thing to do is check whether or not your plex.conf contains a forward block so that all traffic to port 80 is redirected to port 443.

The old version of the conf has this block:

server {
 	listen IP.OF.FAIL.OVER:80;
 	server_name plex.EXAMPLE.COM;
 
 	#See notes below (SSLLabs likes this on http as well as https)
 	#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 
 	return 301 https://$host$request_uri;
}

If your file has this, we want to move the listen parameter in this block to the next (main) server block then remove this server block.

Cut

 	listen IP.OF.FAIL.OVER:80;

And paste it right above the line

	listen IP.OF.FAIL.OVER:443 ssl http2;

Then remove the old server block entirely:

server {
 	server_name plex.EXAMPLE.COM;
 
 	#See notes below (SSLLabs likes this on http as well as https)
 	#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 
 	return 301 https://$host$request_uri;
}

Save the changes and exit.

Remove the file /etc/nginx/sites-enabled/default.

rm /etc/nginx/sites-enabled/default

Restart nginx

systemctl restart nginx

Finally in plex, add a second custom access url

http://plex.yourdomain.com:80

Make sure in network connections in Plex that SSL connections are not set to required.

This should allow clients to access plex via http rather than https and will let clients such as Samsung SmartTVs and PS4s connect to the proxy (albeit insecurely).

I’m hesitant to add this to the main tutorial because I’m unsure of how this will affect future renewals of letsencrypt because we are effectively removing the webroot by deleting the default conf.

If this is too confusing, feel free to PM me and we can discuss options.
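
An added example, not part of the post above or of the guide's own files: a small Python audit that reads an nginx site file and lists server blocks that answer on a non-SSL listen without a "return ... https://" redirect, which is the state the merged block is left in. The sample configs and the proxy_pass target are constructed for illustration.

```python
import re

# Constructed samples (not the real plex.conf): old two-block layout, then the merged one.
BEFORE = """
server {
    listen IP.OF.FAIL.OVER:80;
    server_name plex.EXAMPLE.COM;
    return 301 https://$host$request_uri;
}
server { listen IP.OF.FAIL.OVER:443 ssl http2; server_name plex.EXAMPLE.COM; }
"""
AFTER = """
server {
    listen IP.OF.FAIL.OVER:80;
    listen IP.OF.FAIL.OVER:443 ssl http2;
    server_name plex.EXAMPLE.COM;
    location / { proxy_pass http://127.0.0.1:32400; }
}
"""

def server_directives(conf):
    """Yield the server-level directives of each server block as token lists."""
    conf = re.sub(r"#[^\n]*", "", conf)  # naive: assumes no '#' inside quoted values
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, out = 1, []
        for ch in conf[m.end():]:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth == 0:
                    break  # end of this server block
                if depth == 1:
                    out.append(";")  # a nested block (location etc.) ends here
            elif depth == 1:
                out.append(ch)  # keep only text at server level
        yield [d.split() for d in "".join(out).split(";") if d.strip()]

def plain_http_servers(conf):
    """Return (server_name, [listen addresses]) for blocks that serve plain HTTP."""
    findings = []
    for directives in server_directives(conf):
        plain = [d[1] for d in directives
                 if d[0] == "listen" and len(d) > 1 and "ssl" not in d[2:]]
        redirect = any(d[0] == "return" and d[-1].startswith("https://") for d in directives)
        name = next((d[1] for d in directives if d[0] == "server_name" and len(d) > 1), "_")
        if plain and not redirect:
            findings.append((name, plain))
    return findings
```

Running plain_http_servers() over the contents of each file in sites-enabled after a change like this shows which hostnames still accept unencrypted connections.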


#52

So I got this working but didn't do letsencrypt for my original domain. I have the IP forwarded and can access quickbox from the other subdomain and plex from the plex subdomain, but can’t get a certificate for the quickbox subdomain now following the other guide's instructions?


#53

There are definitely some issues running LE after you set up a couple of IPs and use them to bind to different web servers. I think the fix for the time being is to just stop nginx from running while trying to grab the certificate using the -apache flag for Let's Encrypt.

You may need to make certain LE didn’t mess with any of your bind options if nginx fails to restart after using Let’s Encrypt to grab a cert for apache.


#54

I ended up getting it to work by using acme.sh with the cloudflare dns option, then editing the default-ssl.conf for apache to point to these certs. Now I'm certified for both my quickbox subdomain and plex subdomain :slight_smile:


#55

I was successful with all the steps until this:
“Now your Plex should be accessible via https://plex.yourdomain.com”

I can connect to my site https://plex.mysite.com and 443 but not 80. None of this is going to the plex manage page though.

I’ve continued through the rest of the steps but plex.tv not able to find my server.

I’ve gone back to the steps about installing nginx and installing letsencrypt.

I saw that @cackai2 encountered a similar issue but he was able to fix it by creating the proper SSL cert, because he forgot to put his domain name. I had done this step correctly in the first place.

I’d appreciate some help.

Update: (Fixed) *resolved:
Fixed it by doing the ssl cert properly.

Now we can use Let’s Encrypt to grab an SSL certificate. Make sure your DNS is pointing at your failover (and not through cloudflare)

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d plex.yourdomain.com

My plex.yourwebsite.com was activated on cloudflare already prior to me initiating those steps. I had turned the cloud to grey (DNS mode only) and redid this step.

Update/Problem 2:
Now I am able to go to http://plex.yourdomain.com and get to plex. When I try plex.tv, able to find my server sporadically.
When I turn on cloudflare, it doesn’t find it anymore within plex. Any idea?

Update 3: Figured it out. It was because for some reason the cloudflare SSL type was not set to FULL. On PC Chrome I can see it as FULL from the moment I signed up for an account, but I decided to check on my phone’s browser and saw it was set to “flexible”. Changed it on the phone to “FULL” and now it’s working.


#56

I can access from my subdomain but how do I access it from my iPhone or other apps since I can’t type in a url on those apps?


#57

On my iPhone I use the plex app and find my server fine using this method…


#58

Well, it works on my subdomain but CloudFlare didn’t really help peering all that much, if at all. So I just deleted the firewall rule and let it all go through 32400 again.


#59

You set it on the server and then it pushes that upstream to plex.tv - you log in normally with the iPhone app and plex.tv tells your phone where to go.


#60

Just wondering, but how’d you get Plexpy to work? I keep getting “Failed to access uri endpoint /:/prefs with error timed out” error. Not sure how to fix this =/


#61

@liza
Any way around this?
It's rather annoying,
but I don't wanna break it trying to change it XD


#62

Are you using Safari? I see this happening on Safari, but not on Chrome.

I’m having problems resuming playback after the video is paused for more than 3-4 minutes. Only if the video is transcoded or direct streamed, if direct played it resumes fine. Does anyone experience this problem?