How to Make Your Plex Server More Secure Using a Simple Domain Name


Plex is the dominant software used to self-host a media library on Windows, Mac, and Linux. With it, you can access your movies, shows, and music from any device, anywhere. But thousands of users make a mistake that leaves their servers and networks vulnerable to hackers.

So what’s the problem with running Plex this way, and how do you fix it? In short: how do you make your Plex server more secure?


Is your Plex server really secure?

The principle of Plex is simple. You keep a large media library at home, whether on a desktop PC, Raspberry Pi, or NAS, and with the Plex server software you can use dedicated apps or a browser to gobble up media at your leisure. If you pay for extras like the Plex Pass, you can even watch and record live TV shows and sync progress across devices.

You do this by directing devices in your home to access port 32400 on the host machine. If you want to consume media on the go, while traveling on the train, relaxing or working in a cafe, or at a friend’s house, for example, you need to open port 32400 on your router and forward traffic to that same port on your PC. You can access your Plex media server from anywhere with your.public.ip.address:32400. So far, so simple.


By default, traffic sent straight to an IP address and port like this is not encrypted. And that can be a major problem.

Why is it dangerous to run Plex on an unencrypted connection?

By using an unencrypted connection, your traffic is vulnerable to a Man-in-the-Middle (MITM) attack. This means an attacker can spy on your network traffic, inject unwanted code into your traffic, and even intercept usernames and passwords.

The situation is exacerbated by Plex’s security vulnerabilities. These are regularly patched by the Plex security team, and once patched their details become public knowledge. Unfortunately, not all Plex users keep their Plex software up to date, and some users may not have updated in years. Server versions prior to 1.18.2, for example, have vulnerabilities through which an attacker can take control of your entire host system.


Criminals and other interested parties have access to open source tools, such as Robert David Graham’s MASSCAN, which can scan the entire Internet in five minutes. This makes it easier to identify IP addresses where port 32400 is open.

Why should you access Plex through a domain name with TLS

Most servers on the Internet are reachable through two standard ports: 80 for unencrypted HTTP traffic and 443 for encrypted HTTPS traffic (the extra “S” stands for “Secure”), which uses Transport Layer Security (TLS) to defeat MITM attacks. If your Plex server sits behind one of these ports, a mass port scan no longer reveals it as a Plex server, although obviously HTTPS on 443 is the one you want.

Domain names are cheap or even free if you choose a provider like Freenom. And you can set up a reverse proxy so that web traffic to your Plex server goes through port 443 and port 32400 is never exposed.

One way to do this is to buy a cheap $10 Raspberry Pi Zero W to act as a middleman.

How to Use a Raspberry Pi to Protect Your Plex Server

The first thing to do is visit your registrar’s Advanced DNS settings page. Delete all existing records and create a new A record. Set the host to “@”, the value to your public IP address, and the TTL as low as possible.

Now log in to your router admin panel. Open ports 80 and 443 and forward both to the local IP address of your Raspberry Pi Zero. Close port 32400.

After installing Raspberry Pi OS, use the secure shell (SSH) to connect to your Raspberry Pi.

ssh pi@your.pi.local.ip

Update and upgrade all installed packages:

sudo apt update
sudo apt upgrade

Install the Apache server:

sudo apt install apache2
sudo systemctl start apache2
sudo systemctl enable apache2

Install Certbot, a tool that retrieves and manages certificates and keys from Let’s Encrypt, a certificate authority that issues free TLS certificates. Both Certbot and its Apache plugin are in the Raspberry Pi OS repositories (the old Ubuntu Certbot PPA is deprecated and does not apply to Raspberry Pi OS):

sudo apt update
sudo apt install certbot python3-certbot-apache

Change to Apache’s sites-available directory (a2ensite only looks there) and use the nano text editor to create a new Apache configuration file that forwards all requests for your new domain name to the machine hosting the Plex server:

cd /etc/apache2/sites-available
sudo nano plex.conf

A blank text file will be presented to you. Paste the following, replacing your-domain-name.tld with your domain and your.plex.server.ip with the LAN address of the Plex host:

<VirtualHost *:80>
    ServerName your-domain-name.tld
    ProxyPreserveHost On
    # Plex clients use WebSocket upgrades for live status; proxy those first
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://your.plex.server.ip:32400/$1" [P,L]
    # Everything else is plain HTTP to the Plex host on your LAN
    ProxyPass / http://your.plex.server.ip:32400/
    ProxyPassReverse / http://your.plex.server.ip:32400/
</VirtualHost>

Save and exit nano with CTRL+O then CTRL+X.

Enable the proxy and rewrite modules the configuration relies on, activate the site and restart Apache:

sudo a2enmod proxy proxy_http proxy_wstunnel rewrite
sudo a2ensite plex.conf
sudo systemctl restart apache2

Run Certbot with its Apache plugin to retrieve Let’s Encrypt TLS certificates and keys and add the HTTPS virtual host for you:

sudo certbot --apache

Enter your email address when prompted and accept the terms and conditions, then select your domain name from a list and press return.

Certbot will retrieve and deploy the Let’s Encrypt certificate and key. Restart Apache one more time.

Disconnect from your Raspberry Pi Zero:

exit

Your Plex server is now hidden from the world!

By following these instructions, you’ve closed port 32400 and hidden the existence of your Plex server from port scanners, while ensuring that you can still access it using your custom domain name. All traffic to your Plex server will be encrypted and protected with TLS, meaning you can relax and enjoy the latest episodes of House of the Dragon without having to worry about who’s trying to break into your network.
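A quick way to confirm that the setup actually delivered those properties. This is an added check script, not part of the article or of Plex; it assumes Plex’s unauthenticated /identity endpoint answers with XML of the form <MediaContainer machineIdentifier="..." version="..."/>, and it reuses the article’s 1.18.2 cut-off to flag an outdated server.

```python
#!/usr/bin/env python3
# Added verification script (not from the article). Run it from OUTSIDE your
# home network as: python3 check_plex.py your-domain-name.tld your.public.ip
import socket
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

PLEX_PORT = 32400
MIN_SAFE_VERSION = (1, 18, 2)  # the article's cut-off for host-takeover bugs

def port_is_closed(host, port, timeout=3.0):
    """True when a TCP connect to host:port is refused or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True

def fetch_identity(domain):
    """GET https://domain/identity; the default context verifies chain + hostname."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(f"https://{domain}/identity", timeout=10, context=ctx) as r:
        return r.read()

def parse_identity(body):
    """Extract machineIdentifier and version; raise if this is not Plex's reply.
    Assumed response shape: <MediaContainer machineIdentifier=".." version=".."/>"""
    root = ET.fromstring(body)
    if root.tag != "MediaContainer" or "machineIdentifier" not in root.attrib:
        raise ValueError("response is not a Plex /identity document")
    return {"id": root.attrib["machineIdentifier"], "version": root.attrib.get("version", "0")}

def version_is_outdated(version, minimum=MIN_SAFE_VERSION):
    """Compare the leading numeric parts of a Plex version (e.g. 1.40.2.8395-abc) to minimum."""
    parts = version.split("-")[0].split(".")
    nums = tuple(int(p) for p in parts[:len(minimum)] if p.isdigit())
    return nums < minimum  # a short or unparseable version counts as outdated

def run_checks(domain, public_ip):
    ok = port_is_closed(public_ip, PLEX_PORT)
    print(f"[{'ok' if ok else 'FAIL'}] {public_ip}:{PLEX_PORT} closed from outside")
    ident = parse_identity(fetch_identity(domain))  # TLS/cert errors raise here
    print(f"[ok] https://{domain}/ reached Plex {ident['id']} (version {ident['version']})")
    if version_is_outdated(ident["version"]):
        ok = False
        print(f"[FAIL] Plex {ident['version']} is older than 1.18.2; update it")
    return ok

if __name__ == "__main__":
    sys.exit(0 if run_checks(sys.argv[1], sys.argv[2]) else 1)
```

A certificate that does not match the domain, or one issued by an untrusted CA, makes fetch_identity raise an ssl error, which is the failure you want to see before trusting the proxy from a café.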
