SageTV Community  

  #1  
Old 07-03-2015, 12:15 AM
reggie14
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
pfSense and Plex HTTPS Problem

I finally got around to installing the new version of Plex with HTTPS support. But, it took me a while to get it working. And I had to do strange enough things that really makes me wonder whether I did it correctly. I know there are some Plex and pfSense users here, so I thought one of you may be able to provide some insight.

After I first installed the update, attempting to log in to my server via the web gave me a warning that "We're sorry, but we can't reach the server securely..."

I use the unbound resolver with my pfSense router, and saw the note on the Plex site about how to bypass DNS Rebinding Attack checks on plex.direct. But, adding that to my router config didn't help.

Then I saw a note on the forum (thanks Google cache) about adding a host override in unbound for plex.direct. That still didn't work. I noticed I could browse to my server by entering plex.direct as the hostname, but I was getting certificate warnings because the name in the certificate didn't match. I also noticed the DNS name embedded in the certificate (*.<hashvalue>.plex.direct) wasn't resolving, which I guessed was the cause of my problem.

I ended up creating a wildcard DNS entry in my unbound configuration, which resolves every *.plex.direct request to the internal IP address of my Plex server. Here's what I added to the "advanced" box in the "DNS Resolver" settings.

Code:
server:
local-zone: "plex.direct" redirect
local-data: "plex.direct 3600 IN A <internal-ip>"

This seems overly complex. Can anyone think of why I had to do this? I don't think I ever got NAT reflection working properly on my pfSense server. Any attempt to ask for help about that on the pfSense forums typically results in people yelling at you to use split DNS instead. Do you think that's why it didn't work for me initially, but it (apparently) works for other people?
  #2  
Old 07-05-2015, 03:25 PM
reggie14
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Well, my problem appears to be unique, but I'll add to my thread in case someone stumbles upon it.

The fix I described above would likely break any attempts to access external Plex servers. While I will probably never do that, I'd rather not break it.

As I suspected, I made this far more complicated than I needed to. I'm pretty sure unbound on my pfSense box was initially blocking the proper DNS responses from plex.direct due to DNS rebinding attack checks. I thought I disabled those checks for plex.direct, but I missed a step.

Instead of what I previously added to my unbound advanced config, I just needed to add this line:
Code:
server:
private-domain: "plex.direct"

Last edited by reggie14; 07-06-2015 at 07:22 AM.
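To make the difference between the two fixes in this thread concrete, here is a small model of the resolver behaviour involved (added illustration, not code from the posts or from unbound itself). It assumes unbound's usual private-address ranges and a made-up hashed plex.direct name.

```python
import ipaddress

# Ranges unbound's rebinding protection treats as private on a typical pfSense
# install (assumption; match these to the private-address lines configured locally).
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def under_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone itself or any name beneath it."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def resolve(qname, upstream_answers, private_domains=(), redirect_zones=None):
    """Addresses a client would receive, or None if every record was dropped.

    redirect_zones: {zone: address} modelling 'local-zone ... redirect' plus
                    'local-data' (the first fix in this thread).
    private_domains: names listed with 'private-domain' (the second fix).
    """
    # A redirect zone answers every name under it from local data and never
    # consults the upstream, which is why it also breaks external Plex servers.
    for zone, addr in (redirect_zones or {}).items():
        if under_zone(qname, zone):
            return [addr]
    # Rebinding protection: private addresses in an upstream answer are
    # discarded unless the name falls under a private-domain entry.
    if any(under_zone(qname, d) for d in private_domains):
        kept = list(upstream_answers)
    else:
        kept = [a for a in upstream_answers if not is_private(a)]
    return kept or None


# Constructed sample: the hashed wildcard name Plex hands out for a LAN server.
PLEX_NAME = "192-168-1-10.0123456789abcdef.plex.direct"   # hash is invented
LAN_IP = "192.168.1.10"

if __name__ == "__main__":
    print(resolve(PLEX_NAME, [LAN_IP]))                                   # None
    print(resolve(PLEX_NAME, [LAN_IP], private_domains=["plex.direct"]))  # LAN IP
    print(resolve("x.ffff.plex.direct", ["203.0.113.5"],
                  redirect_zones={"plex.direct": LAN_IP}))                # LAN IP (wrong)
```

The last call shows the drawback noted in post #2: with the redirect zone, a name belonging to someone else's Plex server is also answered with the internal address.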
  #3  
Old 07-06-2015, 01:18 AM
Fuzzy
SageTVaholic
 
Join Date: Sep 2005
Location: Jurupa Valley, CA
Posts: 9,957
I use Plex through my pfSense all the time - but I've simply never cared about securing my Plex stream.
__________________
Buy Fuzzy a beer! (Fuzzy likes beer)

unRAID Server: i7-6700, 32GB RAM, Dual 128GB SSD cache and 13TB pool, with SageTVv9, openDCT, Logitech Media Server and Plex Media Server each in Dockers.
Sources: HDHR Prime with Charter CableCard. HDHR-US for OTA.
Primary Client: HD-300 through XBoxOne in Living Room, Samsung HLT-6189S
Other Clients: Mi Box in Master Bedroom, HD-200 in kids room
  #4  
Old 07-06-2015, 07:27 AM
reggie14
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
Fair enough. It wasn't a feature I was desperate to see. But, I'm going to disable security features if I can avoid it.

The Plex folks did some clever things to get it working. While nothing should have required significant changes on the clients, I imagine getting their plex.direct infrastructure worked out, and working with DigiCert for the CA, probably took a fair bit of the developers cycles. It seemed like development slowed down leading up to the HTTPS release. Maybe we'll see faster development cycles again.
  #5  
Old 08-06-2015, 05:03 PM
derringer
Sage User
 
Join Date: Sep 2007
Posts: 67
pfsense

Technically, you shouldn't expose those services directly to the internet anyway. I'd make use of OpenVPN to make a tunnel and then do whatever like you would locally. There's many ways to make an OpenVPN tunnel first, and then you lock down all access from the internet to only allow OpenVPN. This security model is super safe, super accessible (OpenVPN clients exist for almost every entry O/S or client), and it's a high security model in this age of security concerns from all directions.

So.. as long as you have local services running, even insecure, you can know that none will be on your local network but your machines (I assume you've also locked down wireless or worked to make it more secure.) It is so much simpler to secure the entry tunnel and then leave things open once you're in.

I can expound if needed, but I recommend you consider the concept..

p.s. I think I misunderstood your question and you're referring to just local access? I suppose I will leave my response above, in case it has some value.. I suppose I wouldn't worry too much about using HTTPS on a local, trusted network, because of what I've said above. I would try to get it working, but if it gave me problems, I'd just leave it HTTP... if someone is on my local network listening and swiping my packets, I've got bigger issues...

Last edited by derringer; 08-06-2015 at 05:07 PM.
  #6  
Old 08-06-2015, 08:51 PM
reggie14
SageTVaholic
 
Join Date: Aug 2003
Location: Maryland
Posts: 2,760
@derringer

In general I agree with you, but I've made an exception for Plex. I use OpenVPN to access most network resources remotely, but it's particularly convenient to access Plex without a VPN. Why? Mostly two reasons: 1) I sometimes bring a Roku on travel with me to access my Plex server, and there's no OpenVPN client for that, and 2) I can't use my work VPN and OpenVPN at the same time. A third reason is that it would complicate my connection to the Plex server. I'd either have to access the Plex server by internal IP or I'd have to set up my VPN clients to only use my local DNS server running on pfSense (which wouldn't be a problem if I routed all traffic over the VPN, but that frequently kills network performance).

If I hear of some vulnerability in Plex I'd change my tune very, very quickly, but for now I think it's relatively safe to keep Plex remotely accessible.

And, FWIW, you're right that the original issue I had was probably unique to accessing my Plex server locally. But again, as a general rule I really don't like the idea of disabling crypto. If I really had to I would have disabled it, but I didn't want it to come to that.