Plex over Caddy 2 Reverse Proxy... Help

1. The problem I’m having:

I am trying to make my Plex server accessible through Caddy 2. I can access the website without much hassle, but transcoding always dies with “A critical Shaka error occurred: s1001”, which, according to some Google searching, is a network connection problem.

2. Error messages and/or full log output:


3. Caddy version:

caddy v2.10.2

4. How I installed and ran Caddy:

Home Assistant Docker from GitHub - einschmidt/addon-caddy-2: Caddy 2 is a powerful, open source web server with automatic HTTPS

a. System environment:

HAOS on an Intel NUC 9th Gen inside Docker

b. Command:

plexmp.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy https://192.168.181.79:32400 {
		transport http {
			tls_insecure_skip_verify
		}
		header_up Host {host}
		header_up X-Real-IP {remote}
	}
}

c. Service/unit/compose file:

ARG BUILD_FROM
# hadolint ignore=DL3006
FROM $BUILD_FROM

# Use bash as the default shell
SHELL ["/bin/bash", "-c"]

RUN \
  set -eux \
  \
  && mkdir -p \
    /data/caddy \
  \
  && apk add --no-cache \
    nss-tools=3.114-r0

# https://github.com/caddyserver/caddy/releases
ENV CADDY_VERSION="v2.10.2"

# Install Caddy
ARG BUILD_ARCH=amd64
RUN \
  set -eux \
  \
  && BINARCH="${BUILD_ARCH}" \
  && if [ "${BUILD_ARCH}" = "armhf" ]; then BINARCH="armv6"; fi \
  && if [ "${BUILD_ARCH}" = "armv7" ]; then BINARCH="armv7"; fi \
  && if [ "${BUILD_ARCH}" = "aarch64" ]; then BINARCH="arm64"; fi \
  \
  && curl -J -L -o /tmp/caddy.tar.gz "https://github.com/caddyserver/caddy/releases/download/${CADDY_VERSION}/caddy_${CADDY_VERSION//v/}_linux_${BINARCH}.tar.gz" \
  && tar zxvf /tmp/caddy.tar.gz -C /usr/bin caddy \
  && chmod +x /usr/bin/caddy \
  && rm -rf /tmp/caddy \
  && caddy version

# Copy root filesystem
COPY rootfs /

# ensure that nsswitch.conf is set up for Go's "netgo" implementation
# - https://github.com/golang/go/blob/go1.19.3/src/net/conf.go#L227-L303
# - docker run --rm debian grep '^hosts:' /etc/nsswitch.conf
# Alpine 3.16 includes nsswitch.conf
RUN set -eux \
  \
	&& if [ -e /etc/nsswitch.conf ]; then \
		grep '^hosts: files dns' /etc/nsswitch.conf; \
	else \
		echo 'hosts: files dns' > /etc/nsswitch.conf; \
	fi

ENV XDG_CONFIG_HOME=/data
ENV XDG_DATA_HOME=/ssl

# Build arguments
ARG BUILD_ARCH
ARG BUILD_DATE
ARG BUILD_DESCRIPTION
ARG BUILD_NAME
ARG BUILD_REF
ARG BUILD_REPOSITORY
ARG BUILD_VERSION

# Labels
LABEL \
    io.hass.name="${BUILD_NAME}" \
    io.hass.description="${BUILD_DESCRIPTION}" \
    io.hass.arch="${BUILD_ARCH}" \
    io.hass.type="addon" \
    io.hass.version=${BUILD_VERSION} \
    maintainer="Einschmidt" \
    org.opencontainers.image.title="${BUILD_NAME}" \
    org.opencontainers.image.description="${BUILD_DESCRIPTION}" \
    org.opencontainers.image.vendor="Einschmidt" \
    org.opencontainers.image.authors="einschmidt" \
    org.opencontainers.image.licenses="MIT" \
    org.opencontainers.image.url="https://google.com" \
    org.opencontainers.image.source="https://github.com/${BUILD_REPOSITORY}" \
    org.opencontainers.image.documentation="https://github.com/${BUILD_REPOSITORY}/blob/main/README.md" \
    org.opencontainers.image.created=${BUILD_DATE} \
    org.opencontainers.image.revision=${BUILD_REF} \
    org.opencontainers.image.version=${BUILD_VERSION}

d. My complete Caddy config:

{
	email reimer.daniel@freenet.de
	auto_https disable_redirects
	acme_ca https://acme-v02.api.letsencrypt.org/directory
}

(common) {
	header / {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		Permissions-Policy "geolocation=(self), microphone=()"
		Content-Security-Policy "frame-ancestors dreimer.de *.dreimer.de"
		-Server
	}
}

fb.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy 192.168.181.254:80 {
		header_up Host {upstream_hostport}
	}
}
frigate.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy 192.168.181.42:8971 {
		header_up Host {upstream_hostport}
	}
}
ha.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy 192.168.181.42:8123 {
	}
}
jellyfin.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy https://192.168.181.79:8920 {
		transport http {
			tls_insecure_skip_verify
		}
		header_up Host {upstream_hostport}
	}
}
nas.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy https://192.168.181.168:5001 {
		transport http {
			tls_insecure_skip_verify
		}
		header_up Host {upstream_hostport}
	}
}
plexmp.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy https://192.168.181.79:32400 {
		transport http {
			tls_insecure_skip_verify
		}
		header_up Host {host}
		header_up X-Real-IP {remote}
	}
}
repeater.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy 192.168.181.201:80 {
		header_up Host {upstream_hostport}
	}
}
repeater2.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy 192.168.181.202:80 {
		header_up Host {upstream_hostport}
	}
}
repeater3.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy 192.168.181.203:80 {
		header_up Host {upstream_hostport}
	}
}
tautulli.dreimer.de {
	import common
	encode {
		zstd best gzip 9
	}
	log
	reverse_proxy 192.168.181.42:8181 {
		header_up Host {upstream_hostport}
	}
}

5. Links to relevant resources:

I am using this with Plex:

plex.mydom.com:443 {
	import main plex.mydom.com
	reverse_proxy 192.168.0.1:32400
}

I think you need to disable Plex’s own TLS since Caddy is doing it instead.

You may need to specify the external port Caddy is listening to in Plex settings.

Specify your external URL in “Settings->Network->Custom server access URLs”.

1 Like
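
An added example, not part of the thread and not Caddy's own tooling: a small Python audit that reports, for each `reverse_proxy` in a Caddyfile, whether the hop to the upstream is plaintext, verified TLS, or TLS with `tls_insecure_skip_verify`, covering the two shapes shown in the question and in the reply. The sample Caddyfile, its host names and its addresses are constructed, and the line-based parser assumes one directive per line as in the configs above.

```python
# Added example (not from the thread): classify each reverse_proxy hop in a Caddyfile.
# SAMPLE is constructed; host names and addresses are placeholders.
SAMPLE = """\
plexmp.example.test {
	reverse_proxy https://192.0.2.79:32400 {
		transport http {
			tls_insecure_skip_verify
		}
		header_up Host {host}
	}
}
plex.example.test:443 {
	reverse_proxy 192.0.2.1:32400
}
"""


def audit_upstreams(caddyfile):
    """Return one dict per reverse_proxy: site, upstreams, verdict."""
    findings, site, depth = [], None, 0
    proxy, proxy_depth = None, 0
    for raw in caddyfile.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if depth == 0 and tokens[-1] == "{":
            # Top-level block: a site address, a (snippet), or global options.
            site = tokens[0] if tokens[0] != "{" else "(global options)"
        if tokens[0] == "reverse_proxy":
            # Skip the block opener and any request matcher token.
            ups = [t for t in tokens[1:] if t != "{" and t[0] not in "/@*"]
            tls = any(u.startswith("https://") for u in ups)
            proxy = {"site": site, "upstreams": ups,
                     "verdict": "tls-verified" if tls else "plaintext"}
            proxy_depth = depth
            findings.append(proxy)
        elif proxy is not None and tokens[0] == "tls_insecure_skip_verify":
            proxy["verdict"] = "tls-unverified"
        # Only standalone braces open/close blocks; "{host}" is a placeholder.
        depth += tokens.count("{") - tokens.count("}")
        if proxy is not None and depth <= proxy_depth:
            proxy = None  # left the reverse_proxy block
    return findings


if __name__ == "__main__":
    for f in audit_upstreams(SAMPLE):
        print(f"{f['site']:24} {f['verdict']:15} {' '.join(f['upstreams'])}")
```

Run against the complete config in the question, this reports the Plex, Jellyfin and NAS sites as `tls-unverified`, since each of those blocks sets `tls_insecure_skip_verify`.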
