This is my Plex Nginx configuration file.
Works exceptionally well, only port 80 and 443 are allowed on the router.
The caveat is that “Remote Access” will always show as unavailable, but this will still work. Make sure to add “yourdomain.com:443” to Custom server access URLs in Plex network settings.
upstream plex_backend {
server <IP ADDRESS>:32400;
keepalive 32;
}map $http_upgrade $connection_upgrade {
default upgrade;
” close;
}server {
if ($host = plexserver.domain.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name plexserver.domain.com;
return 301 plexserver.domain.com$request_uri;
}error_log /var/log/nginx/plexserver.domain.com.error.log;
access_log /var/log/nginx/plexserver.domain.com.access.log;server {
listen 443 ssl http2; #http2 can provide a substantial improvement for streaming: https://blog.cloudflare.com/introducing-http2/
server_name plexserver.domain.com;send_timeout 100m; #Some players don’t reopen a socket and playback stops totally instead of resuming after an extended pause (e.g. Chrome)
#Faster resolving, improves stapling time. Timeout and nameservers may need to be adjusted for your location Google’s have been used here.
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 5s;#Use letsencrypt.org to get a free and trusted ssl certificate
ssl_certificate /etc/letsencrypt/live/plexserver.domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/plexserver.domain.com/privkey.pem; # managed by Certbotssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
ssl_ciphers ‘ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kE$#Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
ssl_stapling on;
ssl_stapling_verify on;
#For letsencrypt.org you can get your chain like this: https://esham.io/2016/01/ocsp-stapling
ssl_trusted_certificate /etc/letsencrypt/live/plexserver.domain.com/chain.pem;#Reuse ssl sessions, avoids unnecessary handshakes
#Turning this on will increase performance, but at the cost of security. Read below before making a choice.
#https://github.com/mozilla/server-side-tls/issues/135
#https://wiki.mozilla.org/Security/Server_Side_TLS#TLS_tickets_.28RFC_5077.29
#ssl_session_tickets on;
ssl_session_tickets off;#Use: openssl dhparam -out dhparam.pem 2048 – 4096 is better but for overhead reasons 2048 is enough for Plex.
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
#ssl_ecdh_curve secp384r1;#Will ensure https is always used by supported browsers which prevents any server-side http > https redirects, as the browser will internally correct any request to https.
#Recommended to submit to your domain to https://hstspreload.org as well.
#!WARNING! Only enable this if you intend to only serve Plex over https, until this rule expires in your browser it WONT BE POSSIBLE to access Plex via http, remove ‘includeSubDomains$
#This is disabled by default as it could cause issues with some playback devices it’s advisable to test it with a small max-age and only enable if you don’t encounter issues. (Haven’t$#add_header Strict-Transport-Security “max-age=63072000; includeSubDomains; preload” always;
add_header Strict-Transport-Security “max-age=120; includeSubDomains; preload” always;#Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. (Haven’t encountered any yet)
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
gzip_disable “MSIE [1-6]\.”;#Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
#Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
client_max_body_size 200M;#Forward real ip and host to Plex
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Plex headers
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;proxy_set_header Host $server_addr;
proxy_set_header Referer $server_addr;
proxy_set_header Origin $server_addr;#Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;#Disables compression between Plex and Nginx, required if using sub_filter below.
#May also improve loading time by a very marginal amount, as nginx will compress anyway.
proxy_set_header Accept-Encoding “”;#Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off;
proxy_buffering off;location / {
#Example of using sub_filter to alter what Plex displays, this disables Plex News.
#sub_filter ‘,news,’ ‘,’;
#sub_filter_once on;
#sub_filter_types text/xml;
proxy_pass http://plex_backend;
}
}