Today we are going to look at how to set up an SSL certificate for Plex using Nginx Proxy Manager.
This tutorial will be for people who are looking to expose Plex to the outside internet. If you’re interested in setting up an SSL certificate internally, your best bet is to create a self-signed SSL certificate. We will not be going over that in this tutorial.
My preferred approach when exposing services to the internet is to use a reverse proxy. There are various reasons why reverse proxies are great, but the most important one to me is that you can expose multiple services and only open ports 80 and 443 to the internet. I don’t want to get too far off-topic as this is a Plex SSL certificate tutorial, but you can find a simplified explanation of how a reverse proxy works below.
This tutorial will show how you can expose Plex to the internet using Nginx Proxy Manager. There are tons of other proxy managers, but I find Nginx Proxy Manager to be the easiest to use. If you haven’t set up Nginx Proxy Manager, I created a tutorial on how you can set it up on a Raspberry Pi. Please keep in mind that you will need some sort of domain name for this. If you don’t have a purchased domain, something like DuckDNS will work as well.
1. Open Nginx Proxy Manager and log in. Select Proxy Hosts.
2. Select Add Proxy Host.
3. Enter the Domain Name, Forward Hostname/IP, and Forward Port. By default, the forward port will be 32400. Save the record. NOTE: Leave the scheme as http.
4. Plex is now linked to Nginx Proxy Manager.
5. Edit the record.
6. Select SSL, then under SSL Certificate, select Request a new SSL Certificate. Enable Force SSL and HTTP/2 Support, then add your Email Address and agree to the terms of service. Select Save.
7. When you save the record, Nginx Proxy Manager will automatically fetch the SSL certificate and enable it on your domain. You can then click the domain name and you’ll see that you have an SSL certificate assigned to your domain. NOTE: All traffic will be sent through port 443 by default. If you’re asked to add the port anywhere in your setup, use port 443.
If you go to Plex’s settings and Remote Access, it will appear as if remote access is not configured. This is because we’re using a reverse proxy. You will be able to access your Plex resources using the domain name you configured above, but it will appear (to Plex) like it cannot be accessed outside of your network.
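To confirm from outside your network that steps 6 and 7 took effect, the script below (an added example, not part of the original tutorial) checks that the certificate validates for your domain, that HTTP/2 is negotiated, that port 80 redirects to HTTPS on the same host, and whether Plex's default port 32400 is reachable directly. The hostname you pass on the command line is your own domain; nothing here is specific to Nginx Proxy Manager's internals.

```python
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

def days_left(cert, now=None):
    """Days until expiry; cert is the dict returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def redirect_ok(status, location, host):
    """Force SSL: port 80 must redirect to https:// on exactly the same host."""
    to = urlsplit(location or "")
    return status in (301, 302, 307, 308) and (to.scheme, to.hostname) == ("https", host.lower())

def fetch_cert(host, timeout=5):
    """Handshake on 443 with chain and hostname verification (raises on failure)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # offer HTTP/2 first
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.selected_alpn_protocol()

def http_redirect(host, timeout=5):
    # Plain-HTTP request on port 80; returns (status, Location header or None).
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def port_open(host, port, timeout=3):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(host):
    cert, alpn = fetch_cert(host)
    return {"cert_days_left": days_left(cert), "http2": alpn == "h2",
            "force_ssl": redirect_ok(*http_redirect(host), host),
            "plex_port_open": port_open(host, 32400)}  # 32400 = Plex default port

if __name__ == "__main__" and len(sys.argv) == 2:
    for check, result in audit(sys.argv[1]).items():
        print(f"{check}: {result}")
```

If only ports 80 and 443 are forwarded, `plex_port_open` should be `False`; a `True` result means port 32400 is reachable without going through the proxy.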
Conclusion – Plex SSL Certificate
If I’m being honest, this is not the traditional way of assigning an SSL certificate to Plex. However, if you’re exposing multiple services to the internet, the benefits of a reverse proxy are immense.
Thank you for reading the tutorial and if you have any questions, please leave them in the comments!
This Post Has 16 Comments
I have my own wildcard certificate and when I use only http without a certificate, it works, but when I tried to add an SSL certificate, everything goes wrong -> connection failed
Even with Let’s Encrypt -> internal error
I tried to change the settings but no way.
Do you have any idea?
Are you using HTTPS as the internal port? Basically, you want the external traffic to be HTTPS and the internal traffic to be HTTP as HTTPS isn’t always configured, and if it is, it could be configured for a different port. Are you trying to set this up for Plex? If so, you might have to enable HTTPS before it will work.
Let me know and we can continue troubleshooting!
In manually specified public port I added my domain name instead of port number. My Plex server then got connected to mothership.
@roy where is the Manually specified public port in NPM?
Very good tutorial. I have a doubt… if I have a wildcard SSL cert from another provider, like cloudns? How and where do I have to install it?
Hopefully, this tutorial from Reddit will be able to help! https://www.reddit.com/r/unRAID/comments/kniuok/howto_add_a_wildcard_certificate_in_nginx_proxy/
You can have both. SSL and a valid remote access. You only need to add a “Stream” to Nginx Proxy Manager on TCP Port 32400.
By that the following happens:
https://plex.wundertech.net/ returns the encrypted Plex WebUI (valid SSL certificate from Nginx Proxy Manager)
If you play a movie (check this by the browser’s developer tools):
https://blabla.plex.direct:32400/ returns the encrypted video stream (valid SSL certificate from Plex Inc.)
As far as I know the mobile clients use the plex.direct domain to communicate with your Plex server, so everything should be SSL protected, too.
The only downside of “Stream” is that every domain points to the target port. So let’s say you added https://nextcloud.wundertech.net as a Proxy Host as well, https://nextcloud.wundertech.net:32400/ will open Plex, too.
Great input, thanks so much for sharing!
I’m trying to do this on a VPS while PMS is running on my own PC. But I can’t figure out how that would work if I would disable remote access. Is the only option then to keep ‘Remote Access’ enabled and make a firewall rule to block all communication from that port except communication coming from the VPS IP?
I don’t have your exact set up so it’s hard for me to say, but the reverse proxy method should allow you to keep “Remote Access” disabled. You should have traffic going through port 443 as opposed to port 32400.
Is there any way to add to Nginx Proxy Manager, more than one port to the same server?
For example, I want to leave only port 443 open in my router, but want to have nginx internally forward port 21, 80 and 32400 to the same plex server through plex.mydomain.com.
Can you clarify what you mean as the same destination? Meaning that the same local device, just different ports? If so, yes, you can – you will just have to use different domain names for each service.
I used NGINX as well. Except I used cloudflared’s free DNS service with a domain purchased through NameCheap (~5.00 annually). To maintain encrypted remote access, I set my plex client to require secure connections. Then, set the NGINX proxy host to https scheme. After that I configured the PMS setting Network>Custom Server Access URLs with the hostname registered within NGINX and Cloudflared. After this was done I enabled remote access and set Remote Access>Manually specify public port to port 443. The internal checks for remote connectivity might fail, but it works flawlessly. Additionally, I am doing this with several LXC PMS servers on a proxmox host with a free LE wildcard certificate.
This is awesome feedback. I’m glad you were able to get it working and thank you for sharing!
Thank you very much for all your tutorials.
I have followed the Nginx Proxy Manager Synology NAS Setup Instructions and managed to make it work thanks to my second PIC IP address.
So now, I’m running NPM but I’m unable to create an SSL certificate: Internal Error
Or if I try to open my proxy url, I got DNS_PROBE_FINISHED_NXDOMAIN
The status of my Plex proxy is Online.
Where can I find the log to try to sort this out?
Just to confirm, did you port forward 80/443 to the macvlan IP address?