Web Server Protection and Plex

I am running Plex on CentOS7 and originally did the quick and dirty port forward of Plex's port 32400 to the world.

 

I thought that I would try and harden that cowboy method by using WAF.

 

This is what I did:

Protect --> Web Server --> Add

Name: Plex

Host: My CentOS Box

Port: 32400

Keep Alive: On

Timeout: 300

Disable backend connection pooling: Off

 

Protection Policies:

Add

Name: Plex Port

Pass Outlook Anywhere: Off

Mode: Reject

Cookie signing: off

Static URL hardening: on to /web (as Plex is http://server:32400/web)

Form Hardening: Off

Antivirus: On | Mode: Sophos | Direction: Downloads | Block unscannable content: Off | Limit scan size: Off

Block clients with bad reputation: On | Skip remote lookups for clients with bad reputation: On

Common threat filter: On

Rigid filtering: Off

Skip Filter rules: Blank

Everything else: Ticked on

 

Firewall Rule: Business App Rule --> WAF

Hosted Address: Port2

Listening Port: 32400

HTTPS: uncheck

domains: plex.mydomain.com

Web Server: Plex

Allowed client networks: Any IPv4

Advanced:

Protection: Plex Port

IPS: Off (Tried it on too)

Traffic shaping: None

Disable compression support, rewrite HTML and pass host header: unchecked

 

When doing this, Plex reports an indirect connection and uses a relay, which in turn ruins streaming quality.

If I do the quick and dirty port forward, it works great.

I then read at https://forums.plex.tv/t/only-have-indirect-connection-to-my-plex-server-on-my-local-network/206836/7 that this can happen if DNS rebinding protection is in place in your router.

 

I need somebody who understands WAF to assist me in resolving this issue.

 

Thanks



  • Hi 

    This is an interesting output. But I'd like to mention the difference of a connection when it goes through a DNAT vs WAF rule.

    When it goes through a DNAT, XG simply changes the Destination IP address keeping the source port number the same and forwards the connection to a real web-server.

    But when it goes through a WAF, XG will hold the connection, make a new one from XG to a real web-server, and forward the response to the actual request.

    So can you confirm with Plex if they allow this kind of traffic from Plex servers?

  • Jaydeep said:
    difference of a connection when it goes through a DNAT vs WAF rule

     

    Sorry, I wrote DNAT in my original post, but it is a WAF rule.

     

  • I assumed that. My question was if the Plex server configuration allows filtered traffic or not, but I found that it does from a different community post here. Now I have two suggestions:

    1. Try disabling Static URL hardening and see if that helps?
    2. Since you have configured an FQDN, can you change it to an IP address (for testing only) and see if that helps? Test this with the changes suggested in the first step and without them as well. I'm not sure if you can configure an IP address directly in your Plex app to access it from outside.
     

  • Jaydeep said:
    I assumed that.

     

    haha Thank you for knowing what I meant!

     

    Well, I did step one and I am getting no message outlining "Indirect" so I believe the URL hardening was the key!

     

    If I am wrong, I will try step two and report back.

     

    Thank you

  • You're welcome!

    And thanks for trying this so quick. It seems to me that it was indeed URL hardening. Since the other post I referred to, the issue got resolved after turning off request route and forwarding all paths to the Plex server. Glad that we have found a solution to this.

  • Jaydeep said:
    And thanks for trying this so quick.

    Likewise! 

     

    Yes, I think you definitely have it sorted with having URL hardening off.

     

    Thank you
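
Added example, not part of the thread and not Sophos code: a simplified Python model of static URL hardening with /web as the only entry URL, showing why a client that requests other paths directly, without a link the WAF has signed, gets rejected. The HMAC scheme, the `sig` parameter name, the exact-match entry rule and the sample paths are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"   # assumption: secret held only by the WAF
ENTRY_URLS = {"/web"}              # entry URL from the policy in the thread
SIG_PARAM = "sig"                  # hypothetical query parameter name


def sign(path: str) -> str:
    """Signature the WAF attaches to links it has seen in backend responses."""
    return hmac.new(SECRET, path.encode(), hashlib.sha256).hexdigest()[:16]


def harden_link(path: str) -> str:
    """Rewrite a link found in a response so the client can request it next."""
    return f"{path}?{SIG_PARAM}={sign(path)}"


def waf_decision(url: str) -> str:
    """Return 'pass' or 'reject' for a request URL (policy mode: Reject)."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    if path in ENTRY_URLS:                      # entry URLs need no signature
        return "pass"
    sig = parse_qs(parts.query).get(SIG_PARAM, [""])[0]
    if sig and hmac.compare_digest(sig, sign(path)):
        return "pass"                           # link was issued by the WAF
    return "reject"                             # unknown or tampered URL


def evaluate(requests):
    """Apply the decision to (client, url) pairs and keep the verdicts."""
    return [(who, url, waf_decision(url)) for who, url in requests]


# Constructed sample requests; the non-/web paths are illustrative only.
SAMPLE = [
    ("browser", "/web"),
    ("browser", harden_link("/web/index.html")),
    ("browser", "/web/index.html?sig=0000000000000000"),
    ("native app", "/identity"),
    ("native app", "/library/sections"),
]

if __name__ == "__main__":
    for who, url, verdict in evaluate(SAMPLE):
        print(f"{verdict:6}  {who:10}  {url}")
```

In this model only the browser flow that starts at /web survives, so a health or reachability check made against any other path fails at the WAF even though the backend is up.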