I'm currently using the built-in TLS for Plex and it's working fine.
But having a reverse proxy is comfortable, like running Plex on port 443 for remote connections. You can also add tools like Overseerr to your domains with a reverse proxy server. These tools don't have built-in TLS, so you have to use a reverse proxy for remote sharing anyway.
Also, renewing certificates automatically is easier with a reverse proxy than doing it for Plex only, imo.
Some people say using a reverse proxy is safer, because you are hiding port 32400 (Plex exclusive). But more people are scanning on port 443 for weaknesses. So being "safer" is very controversial...
Edit: spelling
Plex auto-applies SSL if you use the custom URL option in Networking (http://IP:port). Plex will make a plex.direct domain with a Let's Encrypt cert automatically on any port. Just another option if you don't want to use the default remote setup.
Is there an ELI5 for those of us who want to set something like this up, but don't speak networking? No one else really uses my server except me on my own network, but I don't really have anything set up protection-wise.
But more people are scanning on port 443 for weaknesses. So being "safer" is very controversial...
Because there will be fewer exploits found on an open source, time tested, single function proxy server used by hundreds of millions of people than a closed source project that gets weekly updates like Plex.
There seems to be a lot of confusion surrounding security and what people are expecting in terms of security.
TLS is session security, in terms of making it difficult to determine the contents of the communication session - http in this case.
Cloudflare security is mainly the protection against DDoS attacks.
TLS and Cloudflare will not protect against any Plex server vulnerabilities. That said, to date, aside from Plex being used as a vector for reflection/amplification attacks last year, the security posture of the Plex media server has been stellar.
It should also be added that using Cloudflare for plex streaming is against their Terms of Service (Section 2.8) and they will terminate any accounts found to be performing such activity.
https://www.cloudflare.com/terms/
So, back to your original question: I have been running my Plex server on TCP 32400 for more than six years now, I am on a Gigabit fibre connection, and I have not noticed any sort of issues at all.
I have regular monitoring and alerting in place using Netdata and Nagios. In the past six years, the only issue I have observed is Philips Hue misbehaving, which was quite easy to solve with my Pi-hole.
There's at least one benefit: traffic will go through the standard HTTPS port 443, and not the custom 32400. Some hotels, Airbnbs, venues or other places may block non-standard port destinations. So Plex to your server in such places won't work with port 32400. But the standard HTTPS port 443 with your reverse proxy will work just fine.
If I run Plex behind an nginx proxy server on a subdomain (like plex.mymediadomain.com) can I close port 32400 and just advertise 443?
You can forward any external port you want directly to your PMS
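For the setup asked about above (Plex on a subdomain behind nginx, only 443 exposed), here is an added example nginx server block; it is not from the thread or from Plex, and the certificate paths and the upstream address are assumptions for your own host:

```nginx
# Assumed: Plex Media Server listens on 127.0.0.1:32400 on the same host,
# port 32400 is NOT forwarded on the router, and the certificate for
# plex.mymediadomain.com comes from your own Let's Encrypt renewal job.
server {
    listen 443 ssl;
    server_name plex.mymediadomain.com;

    # Placeholder paths: point these at your real certificate and key.
    ssl_certificate     /etc/letsencrypt/live/plex.mymediadomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plex.mymediadomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward to Plex on the loopback address only; nothing else
        # needs to reach 32400 from outside the box.
        proxy_pass http://127.0.0.1:32400;

        # Plex clients use WebSockets; HTTP/1.1 plus these two headers
        # are required for the upgrade to pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Let Plex see the original host, client IP and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Streams are long-lived; do not buffer them in nginx.
        proxy_buffering off;
    }
}
```

In Plex, set Settings > Network > "Custom server access URLs" to https://plex.mymediadomain.com:443 and turn off the built-in Remote Access port mapping, so clients are handed the 443 URL and the 32400 port is never published; a quick `nmap -p 32400,443 plex.mymediadomain.com` from outside should then show only 443 open.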