Help with Caddy, Plex and Cloudflare

I’m a tinkerer just stepping into Cloudflare, Caddy, etc. I’ve been working on getting all my Plex apps working through Caddy and Cloudflare and finally succeeded. Now I’m working on getting my Plex server behind Cloudflare, but my issue is that it’s a completely separate computer from my webserver and Plex apps. I’m trying, so far without success, to figure out how to get Caddy to work with my external Plex server. I’ve seen people list their Plex server in the proxy tags, but again I can’t seem to identify how to get it to point to a different server. I’ve tried just the hostname, the IP, and using http:// as well as just //, and nothing seems to make it work.

I guess, distilled down, I just need to know, as a very early learner in this: is it possible to have Caddy serve up the web apps that are on the same server as itself as well as the traffic from a separate, physical server? Combining them onto the same server isn’t a big deal, but I’d like to keep them separate if possible.

For clarity, I’ll use generic names. I’ve also listed the default ports for the apps I use since I have custom ports I’ve configured. The headers are still being tweaked as well. I got an A+ score on io.headers but I know they still need work.

CPU1 = Plex server
CPU2 = Apps server (webserver, tautulli, sonarr, radarr, jackett, ombi)

Almost everything I’ve found assumes Plex running on the same server as the apps. I want to be able to disable remote access on Plex and have the Cloudflare CDN handle the traffic. Here’s my (modified) Caddyfile:

mydomain.com, www.mydomain.com, http://localhost {
  on startup /caddy/php/php-cgi -b 127.0.0.1:9000 -c /caddy/php/php.ini
  ext .html .htm .php
  root /caddy/www/
  gzip
  tls myemail@address.com {
    dns cloudflare
  }

  log /caddy/logs/access.log {    # Change path syntax for your OS or your preferred location!
    rotate_size 1                 # Rotate after 1 MB
    rotate_age  7                 # Keep log files for 7 days
    rotate_keep 2                 # Keep at most 2 log files
  }

  errors /caddy/logs/error.log {  # Change path syntax for your OS or your preferred location!
    rotate_size 1                 # Set max size 1 MB
    rotate_age  7                 # Keep log files for 7 days
    rotate_keep 2                 # Keep at most 2 log files
  }

  header / {
    Content-Security-Policy "default-src *"
    X-Frame-Options "DENY"
    X-Content-Type-Options "nosniff"
    X-XSS-Protection "1; mode=block"
    Strict-Transport-Security "max-age=31536000;"
    Referrer-Policy "same-origin"
    Feature-Policy "self"
  }

  proxy /tautulli :8181 {
    header_upstream X-Forwarded-Host {host}
    transparent
  }
  proxy /sonarr :8989 {
    transparent
  }
  proxy /radarr :7878 {
    transparent
  }
  proxy /jackett :9117 {
    transparent
  }
  proxy /ombi :5000 {
    transparent
  }

  fastcgi / 127.0.0.1:9000 php
}

Before I reformatted my server setup at home I had Caddy, sonarr, radarr, transmission, jackett, and tautulli running in Docker with Plex in a separate VM. The only thing I had to do was use a subdomain for Plex, as Plex does not work well when it’s dropped into a subdirectory.

plex.mydomain.com {
  gzip
  proxy / 192.168.1.1:32400/web/ {
    transparent
  }
}

When I get home I’ll post my Caddyfile, as I still have that from the previous setup.

Hi @thebadwolf79, welcome to the Caddy community!

Plex is indeed a notorious beast to proxy into a subfolder. It rears its ugly head occasionally around the Caddy forums - I use it myself, as well - but I’ve never personally managed to neatly partition it without just giving it a subdomain. I’m sure it’s possible…

@alexandzors has a great Caddyfile example.

I use an only slightly different version:

plex.example.com {
  redir {
    if {path} is /
    / /web/
  }
  proxy / plex:32400
}

But more generally speaking, I rely on https://app.plex.tv/.

plex.mydomain.net {
  gzip
  timeouts none
  proxy / 192.168.1.55:32400 {
    transparent
  }
}

This is what’s actually in my Caddyfile. You will need the timeouts none IF you have something like a Roku device that keeps timing out when buffering media.

Thank you very much! Everything seems to be working perfectly for that.

Now another question (that may require a new thread): I’m trying to do the same with the web UI of qBittorrent, which is on another machine. So far I’ve been able to get it to work all the way up to receiving a 401 Unauthorized error. Strangely, if I put the qbit directly next to the / then I get a page-cannot-be-found (I’m guessing since it’s not on the local machine like the other apps such as sonarr, radarr, etc.), but when I have it like this, I get the 401 Unauthorized page. This led me to Reverse Proxy With QBittorrent Web UI - #2 by Whitestrake, where I found the sample below that I modified for mine, but again it hasn’t really made it work. I’m toying with the idea that maybe there’s something I need to do on the qbit side, but thought I’d check in here and kill two birds with one stone. Any assistance is welcome.

proxy / qbit 10.0.0.6:8080 {
  header_upstream X-Forwarded-Host {host}:8080
  header_upstream -Origin
  header_upstream -Referer
}

I’m going to toy with this some and see what comes of it. I found the solution in another reply, but I’ve been poking my head around this community enough looking for answers that I often find in your replies, so you definitely have my attention with this. For immediacy I’ve got it working as posted below, but I’m all about high efficiency and will likely take some time next week (burning up PTO before the end of the year and took a week off) to mess around with different configs. I’m also going to look into seeing if I can get Cloudinary to serve my images while Cloudflare serves the rest of the content, but that’s a whole different level of stuff that will be the next hurdle after I get my whole setup playing nicely.

There are lots of ways this could be misconfigured, depending on exactly what kind of behaviour you want to achieve. Based on your other proxies in the original post, I’m guessing specifically that you want to proxy requests beginning with /qbit to your qBittorrent listener located at http://10.0.0.6:8080.

Putting aside the difficulty you’ll likely experience trying to “jail” qBittorrent to a subfolder, this part:

proxy / qbit 10.0.0.6:8080

probably doesn’t do what you’re expecting. The proxy directive’s format is proxy [from] [to...]. That means the above is proxying all requests received (based on the catch-all /), and it’s sending them to two different upstreams: qbit and 10.0.0.6:8080. To be unambiguous, Caddy treats those as http://qbit:80 and http://10.0.0.6:8080.

I’d expect the former to be popular in Docker environments, where DNS resolves container hosts by service name, and the latter in hand-configured private networking, but seeing the two together, along with the fact that I doubt you’re load-balancing qBittorrents, heavily implies that this is a misconfiguration.

Also, this part:

Also missed the logic outlaid in my post you linked:

You can see in the top example of that post that I used 443, and in the bottom example I used 4488 - as opposed to 9292 of the other OP’s qBittorrent listener.

So it looks like, instead of using the port your browser connects on, you’ve given the port that the qBittorrent listener is on. That’s not the role that the X-Forwarded-Host header serves; it’s meant to provide information about the first request, the one issued by the original client, not the final destination. If they don’t match up, qBittorrent has a conniption, because the developers are opinionated about that kind of thing.

This is all assuming that you don’t, in fact, as an end user of your system, browse to example.com:8080 to access your services.
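An added lint, not code from this thread or from Caddy, that reads `proxy` lines the way the reply above describes (`proxy [from] [to...]`, with bare upstreams becoming `http://host:80`) and flags a second upstream and an X-Forwarded-Host port that differs from the client-facing one; the two snippets are constructed from the post above and its corrections, and `client_port=443` is an assumption.

```python
import re
from urllib.parse import urlsplit

def normalize_upstream(to: str) -> str:
    """No scheme -> http://, no port -> :80 (:443 for https), as the reply above describes.
    An empty host (the OP's `:8181` style) is dialled on the local machine."""
    if "://" not in to:
        to = "http://" + to
    u = urlsplit(to)
    host = u.hostname or "localhost"
    port = u.port or (443 if u.scheme == "https" else 80)
    return f"{u.scheme}://{host}:{port}{u.path}"

def parse_proxy_line(line: str):
    """`proxy [from] [to...]` -> (from, [normalised upstreams]); a trailing `{` is ignored."""
    tokens = line.strip().rstrip("{").split()
    if len(tokens) < 3 or tokens[0] != "proxy":
        raise ValueError(f"not a proxy directive: {line!r}")
    return tokens[1], [normalize_upstream(t) for t in tokens[2:]]

def lint_proxy_block(block: str, client_port: int = 443) -> list:
    """Findings for one proxy block; client_port is what the browser connects on (assumed 443)."""
    findings = []
    for raw in block.splitlines():
        line = raw.strip()
        if line.startswith("proxy "):
            from_path, upstreams = parse_proxy_line(line)
            if len(upstreams) > 1:
                findings.append(f"proxy {from_path}: {len(upstreams)} upstreams will be load-balanced "
                                f"({', '.join(upstreams)}); a stray token is the usual cause")
        elif line.startswith("header_upstream X-Forwarded-Host"):
            m = re.fullmatch(r"\{host\}:(\d+)", line.split(None, 2)[2])
            if m and int(m.group(1)) != client_port:
                findings.append(f"X-Forwarded-Host carries port {m.group(1)} but the client connects "
                                f"on {client_port}; it must describe the client's request, not the upstream")
    return findings

# Constructed samples: the OP's snippet as posted, and one corrected per the reply above.
OP_SNIPPET = """proxy / qbit 10.0.0.6:8080 {
    header_upstream X-Forwarded-Host {host}:8080
    header_upstream -Origin
    header_upstream -Referer
}"""
CORRECTED = """proxy /qbit 10.0.0.6:8080 {
    header_upstream X-Forwarded-Host {host}:443
    header_upstream -Origin
    header_upstream -Referer
}"""
for name, block in (("as posted", OP_SNIPPET), ("corrected", CORRECTED)):
    print(name, "->", lint_proxy_block(block) or ["no findings"])
```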

In regards to https://app.plex.tv/ that you rely on, is that in place of the plex:32400 in the Caddyfile? Forgive the basic questions; I’ve only partially got the whole CDN, as it relates to Plex, figured out in my head. If I point to that web address in my Caddyfile, I would think that means that people who go to my site and are linked over to Plex from it would then be covered by the CDN. Is that correct?

https://app.plex.tv/web is hosted remotely via Plex.tv. It allows you to “indirectly” access your server without having to port forward 32400 to WAN or tunnel Plex through 443 via a reverse proxy. It’s basically a web client for your server hosted by Plex, though your media is still being streamed from your server.

Like @alexandzors says, I don’t actually bother proxying Plex myself. Plex in your browser is a web app which your server can deliver, but I just let Plex do it themselves. Once the Plex app is downloaded and open in the browser, it connects to any servers that you have logged in to your Plex account. It’ll do this over LAN if it’s accessible, or Plex itself will punch a hole in NAT to make it accessible for content streaming over the internet.