
This is what I currently have for Apache, and it works, but how can I make HTTP redirect to HTTPS for Plex?

<VirtualHost *:80>
    ServerName plex.mydomain.com

    # Reverse proxy only: ProxyRequests Off keeps Apache from acting as a forward proxy.
    ProxyRequests Off
    # Pass the client's original Host header through to the backend.
    ProxyPreserveHost On
    # Everything under / is forwarded to the service on localhost:32400.
    # NOTE(review): this vhost listens on port 80 only, so traffic between the client
    # and Apache is not protected by TLS.
    ProxyPass / http://localhost:32400/
    ProxyPassReverse / http://localhost:32400/

    # Send a bare "/" request to /web/ when the path is not already under /web and the
    # X-Plex-Device request header is empty or absent.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/web
    RewriteCond %{HTTP:X-Plex-Device} ^$
    # The pattern ^/$ has no capture group, so $1 expands to an empty string here.
    RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>

this is how it works for other subdomains, but this doesn't work for plex:

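<VirtualHost *:80>
    ServerName somesub.mydomain.com

    # Plain-HTTP vhost: its only job is to send clients to the HTTPS vhost.
    RewriteEngine on
    # Match the expected Host exactly (dots escaped, optional port, anchored at the end)
    # so that longer look-alike names that merely start with this hostname do not
    # satisfy the condition.
    RewriteCond %{HTTP_HOST} ^somesub\.mydomain\.com(:[0-9]+)?$
    # Redirect to a fixed hostname rather than %{SERVER_NAME}, which can reflect the
    # client-supplied Host header when UseCanonicalName is Off. %{REQUEST_URI} keeps the
    # requested path; mod_rewrite carries the query string over by default.
    RewriteRule ^ https://somesub.mydomain.com%{REQUEST_URI} [R,L]
</VirtualHost>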

<VirtualHost *:443>
    ServerName somesub.mydomain.com

    # NOTE(review): no SSLEngine or certificate directives are visible in this vhost;
    # presumably they were trimmed from the post or are set elsewhere. Confirm, because
    # nothing shown here enables TLS on port 443.

    # Reverse proxy only (no forward proxying); the client's Host header is passed on.
    ProxyRequests Off
    ProxyPreserveHost On
    # Everything under / is forwarded over plain HTTP to the service on localhost:5555.
    ProxyPass / http://localhost:5555/
    ProxyPassReverse / http://localhost:5555/
</VirtualHost>
user3521427

2 Answers


This is what I'm using now, and it works (Ubuntu 17.04, Apache 2.4):

<VirtualHost *:80>
  ServerName my.sub.domain.com
  # Permanent redirect of every path under / to the same path on the HTTPS site.
  # The target hostname is a fixed literal, so it does not depend on the request's
  # Host header.
  Redirect permanent / https://my.sub.domain.com/
</VirtualHost>

# TLS-terminating reverse proxy for the service on localhost:32400.
# The whole section is only read when mod_ssl is loaded.
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName my.sub.domain.com
    # NOTE(review): an empty ServerAlias; its purpose is not clear from this file.
    ServerAlias ""
    # Turn off server-side includes and CGI execution for this vhost.
    Options -Includes -ExecCGI

    # Answer 403 Forbidden to any request whose request line does not end in HTTP/1.1.
    # NOTE(review): the dot is unescaped, and this presumably also rejects HTTP/2
    # request lines if mod_http2 is enabled - confirm.
    RewriteEngine On
    RewriteCond %{THE_REQUEST} !HTTP/1.1$
    RewriteRule .* - [F]

    # Cap request bodies at 512000 bytes.
    LimitRequestBody 512000

    # Let's Encrypt certificate chain and private key for this hostname.
    SSLEngine              On
    SSLCertificateFile    /etc/letsencrypt/live/my.sub.domain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/my.sub.domain.com/privkey.pem
    SSLProtocol           +TLSv1.2

    # HSTS with a two-year max-age (63072000 s), covering subdomains of this host.
    # NOTE(review): browsers cache this policy for the full max-age, so every
    # subdomain must be reachable over HTTPS before this header is deployed.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    # Forbid rendering the site inside any frame (clickjacking defence).
    Header always set X-Frame-Options DENY
    FileETag None
    # Reject the HTTP TRACE method.
    TraceEnable off
    # NOTE(review): the disabled line below has no $1 backreference in its replacement,
    # so enabling it as written would overwrite each cookie instead of appending flags.
    #Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
    # NOTE(review): legacy header; major browsers have dropped the XSS filter it
    # controlled. Unlike the headers above it is set without "always".
    Header set X-XSS-Protection "1; mode=block"
    Timeout 60

    # Notifications WebSocket endpoint, proxied with the wss:// scheme to the same port
    # that the main ProxyPass below reaches over plain http://.
    # NOTE(review): wss:// makes Apache speak TLS to the backend (SSLProxyEngine On
    # below); no SSLProxyVerify or CA settings are shown, so whether the backend
    # certificate is verified cannot be told from here - confirm.
    <Location /:/websockets/notifications>
        ProxyPass wss://localhost:32400/:/websockets/notifications 
        ProxyPassReverse wss://localhost:32400/:/websockets/notifications
    </Location>

    # Allow every client to use the proxied mappings.
    # NOTE(review): Order/Allow is Apache 2.2 access-control syntax and needs
    # mod_access_compat on 2.4, where "Require all granted" is the native form.
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>

    # Reverse proxy only (no forward proxying); the client's Host header is passed on.
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    # Tell the backend that the client-facing connection used HTTPS.
    RequestHeader set Front-End-Https "On"

    # Everything else under / goes to the backend over plain HTTP on the loopback
    # interface.
    ProxyPass / http://localhost:32400/
    ProxyPassReverse / http://localhost:32400/

    # Send a bare "/" request to /web/ when the path is not already under /web, the
    # X-Plex-Device header is empty or absent, and the method is not OPTIONS.
    # RewriteEngine was already switched on earlier in this vhost.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/web
    RewriteCond %{HTTP:X-Plex-Device} ^$
    RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
    # The pattern ^/$ has no capture group, so $1 expands to an empty string here.
    RewriteRule ^/$ /web/$1 [R,L]

  </VirtualHost>
</IfModule>

You'll need to change localhost (probably not) and my.sub.domain.com to your own values, and generate the SSL certificates before restarting the Apache service (I used Let's Encrypt).

This vhost configuration is something I've adapted from numerous posts (some from here, some from the plex forum). It may not be complete or optimized, but it does work

For more details/alternatives, visit https://forums.plex.tv/

Alex Tartan

Alex's answer is good, but all you need in order to redirect traffic from 80 to 443 are these lines of code added into your plex.conf file:

<VirtualHost *:80>
    ServerName plex.mydomain.com
    DocumentRoot /var/www/html
    ServerAdmin admin@plex.mydomain.com
    # Plain-HTTP vhost whose only rewrite sends clients to HTTPS.
    RewriteEngine on
    # Lexical equality test: redirect only when the server name is exactly this host,
    # which also pins the %{SERVER_NAME} used in the redirect target below.
    RewriteCond %{SERVER_NAME} =plex.mydomain.com
    RewriteCond %{HTTPS} off
    # Permanent redirect that keeps the requested path; NE leaves the URI unescaped and
    # END stops all further rewrite processing.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

For reference, here is my plex apache2 conf file:

EDIT: Update as of 4/17/2019. You will need to be using Apache2 >= 2.4.11 to use this and several mods (proxy, ssl, proxy_wstunnel, http, dir, env, headers, proxy_balancer, proxy_http, rewrite I think is all of them):

# HTTP-to-HTTPS redirect plus a TLS-terminating reverse proxy for a Plex backend.
# The whole section is only read when mod_ssl is loaded.
<IfModule mod_ssl.c>
    # Backend address and port, and the public hostname, reused below as ${...}.
    # Despite its name, plex_url holds a bare host/IP, not a URL.
    DEFINE plex_url 192.168.1.22
    DEFINE plex_port 32400
    DEFINE serv_name plex.domain.com
    # Keep the Server response header to the product name only.
    ServerTokens Prod
    # Shared-memory caches for OCSP stapling responses and TLS sessions.
    SSLStaplingCache "shmcb:${APACHE_LOG_DIR}/stapling-cache(150000)"
    SSLSessionCache "shmcb:${APACHE_LOG_DIR}/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    # NOTE(review): presumably requires mod_pagespeed to be loaded, otherwise this
    # directive is unknown to Apache - confirm.
    ModPagespeed Off
# Port 80: redirect to HTTPS only.
<VirtualHost *:80>
    ServerName ${serv_name}
    DocumentRoot /var/www/html
    ServerAdmin aw@hell.no
    RewriteEngine On
    # Lexical equality test; it also pins the %{SERVER_NAME} used in the target below.
    RewriteCond %{SERVER_NAME} =${serv_name}
    RewriteCond %{HTTPS} Off
    # Permanent redirect that keeps the requested path; END stops further rewriting.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
    CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
</VirtualHost>
# Port 443: TLS termination and reverse proxy to the backend.
<VirtualHost *:443>
    ServerName ${serv_name}
    DocumentRoot /var/www/html
    ServerAdmin aw@hell.no
    ErrorLog ${APACHE_LOG_DIR}/${serv_name}.error.log
    CustomLog ${APACHE_LOG_DIR}/${serv_name}.access.log combined
### Let's Encrypt Section ###
    SSLCertificateFile /etc/letsencrypt/live/${serv_name}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${serv_name}/privkey.pem
    #Include /etc/letsencrypt/options-ssl-apache.conf
    # Turn off server-side includes and CGI execution for this vhost.
    Options -Includes -ExecCGI
### Deny http1.0 requests ###
    # Answer 403 Forbidden when the request protocol is exactly HTTP/1.0.
    RewriteEngine On
    RewriteCond %{SERVER_PROTOCOL} ^HTTP/1\.0$
    #RewriteCond %{REQUEST_URI} !^/404/$
    RewriteRule ^ - [F]
### Harden Security ###
    # Reverse proxy only (no forward proxying); the client's Host header is passed on.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyTimeout 600
    ProxyReceiveBufferSize 4096
    SSLProxyEngine On
    # Tell the backend that the client-facing connection used HTTPS.
    RequestHeader set Front-End-Https "On"
    ServerSignature Off
    # TLS compression off, OCSP stapling on, session tickets off.
    SSLCompression Off
    SSLUseStapling On
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors Off
    SSLSessionTickets Off
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
    # HSTS with max-age 15552000 s (180 days) and no includeSubDomains.
    # NOTE(review): the "preload" token alone does not make the host eligible for
    # browser preload lists, which also expect includeSubDomains and a max-age of at
    # least one year - confirm against the current submission requirements.
    Header always set Strict-Transport-Security "max-age=15552000; preload"
    Header always set X-Content-Type-Options nosniff
    Header always set X-Robots-Tag none
    # NOTE(review): legacy header; major browsers have dropped the XSS filter it
    # controlled.
    Header always set X-XSS-Protection "1; mode=block"
    # Allow framing by this origin only (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "same-origin"
    # NOTE(review): Feature-Policy has since been superseded by Permissions-Policy,
    # which uses a different syntax.
    Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none';"
    # NOTE(review): this policy is permissive in places - script-src allows
    # 'unsafe-inline', worker-src is *, and default-src/connect-src accept any https:
    # (and wss:) origin - so it gives limited protection against injected scripts.
    Header always set Content-Security-Policy "default-src 'self' https:; font-src 'self' data: ${plex_url} ${serv_name}; media-src 'self' blob: ${plex_url} ${serv_name}; script-src 'self' 'unsafe-inline' ${plex_url} ${serv_name} plex.tv www.gstatic.com; style-src 'self' ${plex_url} ${serv_name}; img-src 'self' data: blob: ${plex_url} ${serv_name} plex.tv *.plex.tv; worker-src *; frame-src 'none'; connect-src 'self' wss: https: ${plex_url} ${serv_name} plex.tv *.plex.direct *.plex.tv;"
    # NOTE(review): besides the GCM entries this list also admits AES256 CBC-mode
    # suites (e.g. ECDHE+RSA+AES256+SHA384); review it against current cipher guidance.
    SSLCipherSuite ECDHE+RSA+AES256+GCM+SHA512:DHE+RSA+AES256+GCM+SHA512:ECDHE+RSA+AES256+GCM+SHA384:DHE+RSA+AES256+GCM+SHA384:ECDHE+RSA+AES256+SHA384:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
    # Every supported protocol except SSLv2, SSLv3, TLSv1 and TLSv1.1.
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
### Plex Specific Section ###
    # Everything under / goes to the backend over plain HTTP.
    # NOTE(review): the hop from Apache to ${plex_url} is unencrypted; acceptable only
    # if that network segment is trusted.
    ProxyPass / http://${plex_url}:${plex_port}/
    ProxyPassReverse / http://${plex_url}:${plex_port}/
    # NOTE(review): Apache checks ProxyPass rules in configuration order and the first
    # match wins, so the "/" rule above presumably shadows the "/:/" rules below; the
    # ws:// and wss:// pairs also map the same path twice. Confirm which mapping is
    # actually in effect.
    ProxyPass /:/ ws://${plex_url}:${plex_port}/:/
    ProxyPassReverse /:/ ws://${plex_url}:${plex_port}/:/
    ProxyPass /:/ wss://${plex_url}:${plex_port}/:/
    ProxyPassReverse /:/ wss://${plex_url}:${plex_port}/:/
    # Cap request bodies at 512000 bytes.
    LimitRequestBody 512000
    FileETag None
    # Reject the HTTP TRACE method.
    TraceEnable off
    # NOTE(review): the disabled line below has no $1 backreference in its replacement,
    # so enabling it as written would overwrite each cookie instead of appending flags.
    #Header edit Set-Cookie ^(.*)$ ;HttpOnly;Secure
    Timeout 60
    # Notifications WebSocket endpoint, proxied with the wss:// scheme.
    # NOTE(review): wss:// makes Apache speak TLS to the backend (SSLProxyEngine On
    # above); no SSLProxyVerify or CA settings are shown, so whether the backend
    # certificate is verified cannot be told from here - confirm.
    <Location /:/websockets/notifications>
        ProxyPass wss://${plex_url}:${plex_port}/:/websockets/notifications
        ProxyPassReverse wss://${plex_url}:${plex_port}/:/websockets/notifications
    </Location>
    # Allow every client to use the proxied mappings.
    # NOTE(review): Order/Allow is Apache 2.2 access-control syntax and needs
    # mod_access_compat on 2.4, where "Require all granted" is the native form.
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    # Send a bare "/" request to /web/ when all of the following hold: the path is not
    # already under /web, the X-Plex-Device header is empty or absent, the method is
    # not OPTIONS, and the X-Plex-Device query parameter is either empty or missing.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/web
    RewriteCond %{HTTP:X-Plex-Device} ^$
    RewriteCond %{REQUEST_METHOD} !^(OPTIONS)$
    RewriteCond %{QUERY_STRING} (^|&)X-Plex-Device=(&|$) [OR]
    RewriteCond %{QUERY_STRING} !(^|&)X-Plex-Device=
    # The pattern ^/$ has no capture group, so $1 expands to an empty string here.
    RewriteRule ^/$ /web/$1 [R,L]
</VirtualHost>
</IfModule>
iamdoubz
  • You could source your answer... https://forums.plex.tv/t/working-apache-reverse-proxy-configuration-for-plex/129126/7 – Erwan Daniel Aug 22 '20 at 00:42
  • 1
    I could have sourced my answer to my answer on the Plex forums yes. Thank you for pointing that out. – iamdoubz Aug 24 '20 at 15:12