iBaa / PlexConnect

Plex @ aTV - think different...

Setting up PlexConnect when you're already using Apache #441

Closed jbiatek closed 6 years ago

jbiatek commented 8 years ago

It took me a little while to figure this all out, so I thought I'd write out how I did it. Some of this is alluded to in the wiki, but some critical pieces are missing. Maybe this could be turned into a page in the wiki?

One thing I'm not 100% sure of is why localhost doesn't work for the reverse proxy configuration. It seems like it should.

PlexConnect and an existing web server

If you're already running a web server on the computer you want to run PlexConnect on, there's some work that has to be done. The problem is that while PlexConnect can trick your Apple TV into thinking that your machine is trailers.apple.com, it can't trick the Apple TV into requesting data from a different port. Some configuration has to be done to have PlexConnect and your web server both share port 80 (and port 443 for SSL).

This information is for the system Apache installation on OS X. Similar principles can probably be applied to other servers and OSes.

Enable SSL

First, you will need SSL support turned on if it isn't already. Enable httpd-ssl.conf in httpd.conf. You'll also need to follow the instructions found in httpd-ssl.conf; on my machine this also meant enabling socache_shmcb_module and ssl_module.

At this point, if you try to run Apache again it will probably complain that it doesn't have SSL certificates for your existing site(s). Go into httpd-ssl.conf and turn SSLEngine off to disable SSL for the default web server.

Configure PlexConnect

In the PlexConnect Settings.conf, you need to change 2 things:

  1. Apache needs to use port 80, so change the PlexConnect port to something else. I used 8081.
  2. Apache needs to be the one to handle SSL, so disable SSL in PlexConnect.

Follow the regular guide for PlexConnect to generate certificates and optionally install as a daemon. Copy trailers.pem and trailers.key into /etc/apache2 for the next step.

PlexConnect virtual host

You will also need a virtual host for PlexConnect if you don't have any already. Find the line about vhosts in httpd.conf and uncomment it. Then go into httpd-vhosts.conf, delete or comment out the existing stuff, and replace it with something like this:

<VirtualHost *:443>
    ServerName trailers.apple.com

    # Apache terminates SSL using the certificate generated for PlexConnect
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile "/etc/apache2/trailers.pem"
    SSLCertificateKeyFile "/etc/apache2/trailers.key"

    # Only clients on the local network may use the proxy
    <Proxy *>
        Require ip LOCAL_IP_ADDRESSES
    </Proxy>

    RequestHeader set User-Agent AppleTV
    ProxyRequests Off
    # Forward everything to PlexConnect on its non-SSL port
    ProxyPass / http://YOUR_INTERNAL_IP_ADDRESS:8081/ nocanon
    ProxyPassReverse / http://YOUR_INTERNAL_IP_ADDRESS:8081/
</VirtualHost>

<VirtualHost *:80>
    ServerName trailers.apple.com
    SSLEngine off

    # Only clients on the local network may use the proxy
    <Proxy *>
        Require ip LOCAL_IP_ADDRESSES
    </Proxy>

    RequestHeader set User-Agent AppleTV
    ProxyRequests Off
    ProxyPass / http://YOUR_INTERNAL_IP_ADDRESS:8081/ nocanon
    ProxyPassReverse / http://YOUR_INTERNAL_IP_ADDRESS:8081/
</VirtualHost>

The high level description is as follows:

Edited to add: Shortly after I posted this, I realized that this proxy was actually public: if someone outside your network opens a connection to your web server with the host set to trailers.apple.com, Apache would dutifully proxy the request. That'd never happen accidentally, of course, but an attacker could in theory use it to gain access to your Plex server outside of your network.

I added a restriction to LOCAL_IP_ADDRESSES only. Apache accepts "partial" IP addresses, like 192.168.1 to mean 192.168.1.*, so if that's the prefix that your local network uses, any client on your home network will be allowed to talk to the PlexConnect server, but nothing else will.
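
An added example, not part of the original post or the PlexConnect project: a small Python audit for the exposure described in the edit note above. It lists proxying virtual hosts that carry no `Require ip` line, and shows that Apache's partial-address form matches whole octets, so `192.168.1` does not cover `192.168.10.x`. The sample config, the `192.168.1` prefix, the backend address and the function names are constructed for illustration; only the partial IPv4 form is handled, not CIDR or netmask forms.

```python
import re

# Constructed sample: one vhost without the restriction, one with it.
# 192.168.1 stands in for LOCAL_IP_ADDRESSES (an assumption, not from the post).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName trailers.apple.com
    ProxyRequests Off
    ProxyPass / http://192.168.1.10:8081/ nocanon
</VirtualHost>
<VirtualHost *:443>
    ServerName trailers.apple.com
    <Proxy *>
        Require ip 192.168.1
    </Proxy>
    ProxyPass / http://192.168.1.10:8081/ nocanon
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
REQUIRE_RE = re.compile(r"^\s*Require\s+ip\s+(.+)$", re.M | re.I)


def audit_vhosts(conf):
    """Return (listen_address, [Require ip specs]) for each vhost that proxies."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        body = re.sub(r"^\s*#.*$", "", body, flags=re.M)  # ignore commented lines
        if not re.search(r"^\s*ProxyPass\s", body, re.M | re.I):
            continue  # this vhost does not forward requests
        specs = [s for line in REQUIRE_RE.findall(body) for s in line.split()]
        findings.append((addr.strip(), specs))
    return findings


def open_proxies(conf):
    """Listen addresses of proxying vhosts with no Require ip restriction."""
    return [addr for addr, specs in audit_vhosts(conf) if not specs]


def partial_ip_allows(spec, client_ip):
    """Match a partial IPv4 spec octet by octet, not as a string prefix."""
    want = spec.rstrip(".").split(".")
    have = client_ip.split(".")
    return len(have) == 4 and len(want) <= 4 and have[:len(want)] == want


if __name__ == "__main__":
    print("unrestricted proxy vhosts:", open_proxies(SAMPLE_CONF))
    for ip in ("192.168.1.42", "192.168.10.42", "203.0.113.7"):
        print(ip, "allowed" if partial_ip_allows("192.168.1", ip) else "denied")
```
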

Rycochet commented 8 years ago

I did the same thing for https://github.com/Rycochet/PlexConnect-QNAP - but hadn't thought to disable ssl on PlexConnect so I guess an optimisation is required ;-)

Add to the wiki?

Aireezz commented 7 years ago

I can't find the httpd.conf, where is it normally located?

jbiatek commented 7 years ago

On my Mac it is in /etc/apache2/. The ancillary config files are under extra/ in the same directory.

vin047 commented 7 years ago

@jbiatek thanks for this! Your notes helped me figure out how to get something similar set up using Caddy server.

For future reference in case anyone else is looking for a similar solution, here's what I did:

  1. Follow PlexConnect certificate generation guide, keep all 3 (.pem, .cer, .key) files.
  2. Continue setup of PlexConnect as usual.
  3. Once all set up (installed the certificate, confirmed PlexConnect is working, etc.), stop PlexConnect.
  4. In Settings.cfg, set enable_webserver_ssl = False.
  5. In Settings.cfg, set port_webserver = whatever port number you wish that is available.
  6. Start up PlexConnect.
  7. Use the following as your Caddyfile, substituting values accordingly, and start up the server after.
  8. If your Caddy server is on the same machine as PlexConnect, do not use localhost as the IP (thanks again to @jbiatek for his tip about this right at the beginning of this PR). I used the local LAN address of my Plex server (192.168.1.x). Not sure if 127.0.0.1 would work.

Caddyfile:


trailers.apple.com:80, trailers.apple.com:443 {
    proxy / http://PLEX_CONNECT_IP:PLEX_CONNECT_PORT_CHOSEN_BEFORE {
        websocket
        transparent
        header_downstream Host {host}
        header_downstream X-Real-IP {remote}
        header_downstream X-Forwarded-For {remote}
        header_downstream X-Forwarded-Proto {scheme}
        header_downstream Connection {>Connection}
        header_downstream Upgrade {>Upgrade}
    }
    tls LOCATION_OF_CERTS/trailers.pem LOCATION_OF_CERTS/trailers.key
}

moodyblue commented 6 years ago

Thanks for your proposed examples.

Wiki has been updated with apache and nginx examples.

awb1015 commented 3 years ago

Hi @vin047, any chance you're still running Caddy with PlexConnect? I've tried to get it to run as I also am self-hosting a few web services, but I can't seem to get it to play nice with PlexConnect. Are you able to post your Caddyfile for Caddy2?

vin047 commented 3 years ago

Hi @awb1015, sorry for my late response. I'm still running PlexConnect with caddy successfully, but it's with the original version of caddy. My caddy file is as per my post above. I've yet to upgrade to caddy 2, so the syntax might be different for that. Sorry I can't be of much help, but good luck. If you do/have figured it out, do post here as it'll surely be helpful for myself and others in future!