Force Plex Media Server (PMS) to use squid proxy

To be clear, not related to using plex behind a reverse proxy such as nginx. This is related to forcing plex to use a proxy server (such as squid) for its metadata, thumbnail, subtitles, other downloads and plex.tv communications.

May be helpful for enterprise environments / university campus where everything must support the proxy and nothing can go direct. Or if you run a proxy server at home for data efficiency/logging.

ENV:
Plex Media Server (Currently : v1.19) on CentOS 8.1.1911. Running as a LXC Container on Proxmox (PVE) VE 6.1.
Squid Cache v3.5.20 on Centos 7.7 same LXC env.

TL;DR for the following:
On centos add the following to the service file for PMS: /lib/systemd/system/plexmediaserver.service in the [Service] section

#!/bin/null /lib/systemd/system/plexmediaserver.service

Environment=http_proxy=http://<proxy-server>:3128/
Environment=https_proxy=http://<proxy-server>:3128/
Environment=no_proxy=127.0.0.1,localhost,<server-IP>,<HDHomerunIPs>,.plex.direct,<public-hostnames-of-your-PMS-server>
Environment=NO_PROXY=<same-entries-as-previous>

After that run a
systemctl daemon-reload
and restart the PMS service
PMS should now be using your squid proxy for all outbound web requests.

Background:
After a couple of attempts trying to find a way of forcing plex media server (PMS) to send all its outbound requests via a proxy server. Mainly looking at the following two forum posts on the plex site.
https://forums.plex.tv/t/how-to-make-plex-media-server-use-a-proxy/43006/9
https://forums.plex.tv/t/using-an-http-proxy-for-fetching-metadata/162215

A comment from ChuckPa (a rather arrogant Team Member at plex) stuck with me:

“Yes, PMS will honor whatever the host is configured for because it’s built into the host-OS networking layer.” https://forums.plex.tv/t/using-an-http-proxy-for-fetching-metadata/162215/4

ChuckPa, Plex.tv Team Member

Long Version: Using this I spent about 90 minutes learning all about the networking layer of my prefered linux OS, Centos, and how the system proxy setting gets passed through to apps as they start.

In Centos you set the system proxy in the /etc/profile.d/proxy.sh file and most services will receive this script as a part of the chain of files received from the system upon service start and honor it.

PMS likley does recieve this file and has some ENVars set but then runs a env_reset (Same as the one in sudoers) clearing the specified system proxy before making a single request.

Lucky this can be overridden in PMS’s .service file and as a workaround you can re-add the proxy env variables and plex will honor them from here.

Full /lib/systemd/system/plexmediaserver.service file, filtered

[Unit]
Description=Plex Media Server
After=network.target network-online.target

[Service]
Environment="PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR=/var/lib/plexmediaserver/Library/Application Support"
Environment=PLEX_MEDIA_SERVER_HOME=/usr/lib/plexmediaserver
Environment=PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS=6
Environment=PLEX_MEDIA_SERVER_TMPDIR=/tmp
Environment=LC_ALL=en_US.UTF-8
Environment=LANG=en_US.UTF-8
Environment=http_proxy=http://proxy.<domain>:3128/
Environment=https_proxy=http://proxy.<domain>:3128/
Environment=no_proxy=127.0.0.1,<pms-server-IP>,<HD-Homerun-IP>,.plex.direct,localhost,<public-server-hostname-1>,<public-server-hostname-1>:443,<public-server-hostname-2>
Environment=NO_PROXY=127.0.0.1,<pms-server-IP>,<HD-Homerun-IP>,.plex.direct,localhost,<public-server-hostname-1>,<public-server-hostname-1>:443,<public-server-hostname-2>
ExecStartPre=/bin/sh -c '/usr/bin/test -d "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}" || /bin/mkdir -p "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}"'
ExecStart=/bin/sh -c '\
PLEX_MEDIA_SERVER_INFO_VENDOR="$(grep ^NAME= /etc/os-release | awk -F= "{print \$2}" | tr -d \" )" \
PLEX_MEDIA_SERVER_INFO_DEVICE="PC" \
PLEX_MEDIA_SERVER_INFO_MODEL="$(uname -m)" \
PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION="$(grep ^VERSION= /etc/os-release | awk -F= "{print \$2}" | tr -d \" )" \
LD_LIBRARY_PATH=/usr/lib/plexmediaserver/lib \
"/usr/lib/plexmediaserver/Plex Media Server"'
Type=simple
User=plex
Group=plex
Restart=on-failure
RestartSec=5
StartLimitInterval=60s
StartLimitBurst=3

[Install]
WantedBy=multi-user.target

no_proxy items added for the following reasons:
127.0.0.1 – plex tried to talk to it self
<pms-server-ip> – again talking to it self
<HDHomerun-IP> – TV Recording were going across the squid proxy
.plex.direct – again talking to itself, eq to *.plex.direct
localhost – same
Public IPs* – again talking to it self.

After that run:
systemctl daemon-reload
to re-init the services file
and a:
systemctl restart plexmediaserver
then check your squid log file and see the traffic.

Filtered squid access log Example at library refresh

1586479264.215 0 TCP_MEM_HIT/200 8052 GET http://image.tmdb.org/t/p/w154/6vaqTxkRefvwjeLqyZbVuVR7Snv.jpg - HIER_NONE/- image/jpeg
1586479264.218 0 TCP_MEM_HIT/200 7790 GET http://image.tmdb.org/t/p/w154/jlHL2BH1esdApGiLnNQLQgdjMFd.jpg - HIER_NONE/- image/jpeg
1586479264.221 0 TCP_MEM_HIT/200 5992 GET http://image.tmdb.org/t/p/w154/w0HVTWoRsrYyhgCHFSFw5XfwPvw.jpg - HIER_NONE/- image/jpeg
1586479264.225 0 TCP_MEM_HIT/200 7474 GET http://image.tmdb.org/t/p/w154/lfOymv4rfpPhgfrztoW1zPr5wiV.jpg - HIER_NONE/- image/jpeg
1586479264.292 59 TCP_TUNNEL/200 9315 CONNECT meta.plex.tv:443 - HIER_DIRECT/104.18.157.41 -
1586479264.321 24 TCP_TUNNEL/200 6599 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479280.635 2657 TCP_TUNNEL/200 3686 CONNECT podnapisi.net:443 - HIER_DIRECT/91.185.207.128 -
1586479280.637 1335 TCP_TUNNEL/200 4907 CONNECT www.podnapisi.net:443 - HIER_DIRECT/91.185.203.249 -
1586479324.739 5614 TCP_TUNNEL/200 5396 CONNECT podnapisi.net:443 - HIER_DIRECT/91.185.207.128 -
1586479324.739 4293 TCP_TUNNEL/200 16785 CONNECT www.podnapisi.net:443 - HIER_DIRECT/91.185.203.249 -
1586479324.875 22 TCP_TUNNEL/200 3995 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479326.906 25 TCP_TUNNEL/200 6192 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479328.940 28 TCP_TUNNEL/200 4107 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479330.972 27 TCP_TUNNEL/200 9114 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479332.983 0 TCP_MEM_HIT/200 12132 GET http://image.tmdb.org/t/p/w300/q9XrQXC6rtfuO9H9IIG0wYyxqF9.jpg - HIER_NONE/- image/jpeg
1586479332.988 0 TCP_MEM_HIT/200 9054 GET http://image.tmdb.org/t/p/w300/6hTovH15GsjdhtrSBDJK1muq7Gl.jpg - HIER_NONE/- image/jpeg
1586479332.991 0 TCP_MEM_HIT/200 9762 GET http://image.tmdb.org/t/p/w300/blt0WllH3rtjkZEf31PabaELYwk.jpg - HIER_NONE/- image/jpeg
1586479332.995 0 TCP_MEM_HIT/200 12090 GET http://image.tmdb.org/t/p/w300/4e6SKFfR3fyuhZkJJxQjcd42ao7.jpg - HIER_NONE/- image/jpeg
1586479332.998 0 TCP_MEM_HIT/200 12249 GET http://image.tmdb.org/t/p/w300/36thzL1YC9o5pjjygQfA3EvVfDhq.jpg - HIER_NONE/- image/jpeg
1586479333.002 0 TCP_MEM_HIT/200 11387 GET http://image.tmdb.org/t/p/w300/3STQp5BJ9CsBWfrt1Evic7SFU6jC.jpg - HIER_NONE/- image/jpeg
1586479333.007 0 TCP_MEM_HIT/200 11636 GET http://image.tmdb.org/t/p/w300/bfZLuJflVoJK1Jx6FTikGcLYqlIe0.jpg - HIER_NONE/- image/jpeg
1586479333.014 0 TCP_MEM_HIT/200 9853 GET http://image.tmdb.org/t/p/w154/mRTPU9IcQGn3KRop5632C1HGPAPJ.jpg - HIER_NONE/- image/jpeg
1586479333.018 0 TCP_MEM_HIT/200 10445 GET http://image.tmdb.org/t/p/w154/vJPq5lyawTxSioft3orwQT3DHMGF.jpg - HIER_NONE/- image/jpeg
1586479333.021 0 TCP_MEM_HIT/200 13500 GET http://image.tmdb.org/t/p/w154/nxoaOLTAQNF4rtfh5LpofJIXu6ZV.jpg - HIER_NONE/- image/jpeg
1586479333.024 0 TCP_MEM_HIT/200 7374 GET http://image.tmdb.org/t/p/w154/iPZgLbfE9Ksn6uygeagOOPovP9fi.jpg - HIER_NONE/- image/jpeg
1586479333.331 299 TCP_TUNNEL/200 4242 CONNECT meta.plex.tv:443 - HIER_DIRECT/104.18.157.41 -
1586479341.433 1541 TCP_TUNNEL/200 7207 CONNECT plex.tv:443 - HIER_DIRECT/99.80.242.242 -
1586479342.518 37 TCP_TUNNEL/200 9102 CONNECT image.tmdb.org:443 - HIER_DIRECT/104.16.59.155 -
1586479264.215 0 TCP_MEM_HIT/200 8052 GET http://image.tmdb.org/t/p/w154/6vaqTud5noGwjeLqyZbVuVR7Snv.jpg - HIER_NONE/- image/jpeg
1586479264.218 0 TCP_MEM_HIT/200 7790 GET http://image.tmdb.org/t/p/w154/jlHL2BH1thyApGiLnNQLQgdjMFd.jpg - HIER_NONE/- image/jpeg
1586479264.221 0 TCP_MEM_HIT/200 5992 GET http://image.tmdb.org/t/p/w154/w0HVTWoRsrYkesCHFSFw5XfwPvw.jpg - HIER_NONE/- image/jpeg
1586479264.225 0 TCP_MEM_HIT/200 7474 GET http://image.tmdb.org/t/p/w154/lfOymv4rfpPhnitqeoW1zPr5wiV.jpg - HIER_NONE/- image/jpeg
1586479264.292 59 TCP_TUNNEL/200 9315 CONNECT meta.plex.tv:443 - HIER_DIRECT/104.18.157.41 -
1586479264.321 24 TCP_TUNNEL/200 6599 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479280.635 2657 TCP_TUNNEL/200 3686 CONNECT podnapisi.net:443 - HIER_DIRECT/91.185.207.128 -
1586479280.637 1335 TCP_TUNNEL/200 4907 CONNECT www.podnapisi.net:443 - HIER_DIRECT/91.185.203.249 -
1586479324.739 5614 TCP_TUNNEL/200 5396 CONNECT podnapisi.net:443 - HIER_DIRECT/91.185.207.128 -
1586479324.739 4293 TCP_TUNNEL/200 16785 CONNECT www.podnapisi.net:443 - HIER_DIRECT/91.185.203.249 -
1586479324.875 22 TCP_TUNNEL/200 3995 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479326.906 25 TCP_TUNNEL/200 6192 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479328.940 28 TCP_TUNNEL/200 4107 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479330.972 27 TCP_TUNNEL/200 9114 CONNECT api.tmdb.org:443 - HIER_DIRECT/104.16.60.155 -
1586479332.983 0 TCP_MEM_HIT/200 12132 GET http://image.tmdb.org/t/p/w300/q9XrQXC61rzuO9H9IIG0wYyxqF9.jpg - HIER_NONE/- image/jpeg
1586479332.988 0 TCP_MEM_HIT/200 9054 GET http://image.tmdb.org/t/p/w300/6hTovH15GsjdADLSBDJK1muq7Gl.jpg - HIER_NONE/- image/jpeg
1586479332.991 0 TCP_MEM_HIT/200 9762 GET http://image.tmdb.org/t/p/w300/blt0WllH3YlxZEf31PabaELYwk.jpg - HIER_NONE/- image/jpeg
1586479332.995 0 TCP_MEM_HIT/200 12090 GET http://image.tmdb.org/t/p/w300/4e6SKFfR3fHr3ZkJJxQjcd42ao7.jpg - HIER_NONE/- image/jpeg
1586479332.998 0 TCP_MEM_HIT/200 12249 GET http://image.tmdb.org/t/p/w300/36thzL1YC9o5pCKBQfA3EvVfDhq.jpg - HIER_NONE/- image/jpeg
1586479333.002 0 TCP_MEM_HIT/200 11387 GET http://image.tmdb.org/t/p/w300/3STQp5BJ9CsBWwX1Evic7SFU6jC.jpg - HIER_NONE/- image/jpeg
1586479333.007 0 TCP_MEM_HIT/200 11636 GET http://image.tmdb.org/t/p/w300/bfZLuJflVoJK1Jx6DZGcLYqlIe0.jpg - HIER_NONE/- image/jpeg
1586479333.014 0 TCP_MEM_HIT/200 9853 GET http://image.tmdb.org/t/p/w154/mRTPU9IcQGn3KRopyvaC1HGPAPJ.jpg - HIER_NONE/- image/jpeg
1586479333.018 0 TCP_MEM_HIT/200 10445 GET http://image.tmdb.org/t/p/w154/vJPq5lyawTxSEEw3orwQT3DHMGF.jpg - HIER_NONE/- image/jpeg
1586479333.021 0 TCP_MEM_HIT/200 13500 GET http://image.tmdb.org/t/p/w154/nxoaOLTAQNF4BiS5LpofJIXu6ZV.jpg - HIER_NONE/- image/jpeg
1586479333.024 0 TCP_MEM_HIT/200 7374 GET http://image.tmdb.org/t/p/w154/iPZgLbfE9Ksn6oVKagOOPovP9fi.jpg - HIER_NONE/- image/jpeg
1586479333.331 299 TCP_TUNNEL/200 4242 CONNECT meta.plex.tv:443 - HIER_DIRECT/104.18.157.41 -
1586479341.433 1541 TCP_TUNNEL/200 7207 CONNECT plex.tv:443 - HIER_DIRECT/99.80.242.242 -
1586479342.518 37 TCP_TUNNEL/200 9102 CONNECT image.tmdb.org:443 - HIER_DIRECT/104.16.59.155 -

Footnote:
I haven’t checked if plex is still sending some connections direct. This could be tested by configuring as per above and then firewall blocking all outbound connections from your plex server to the internet..

Cheers,
moon

  2 comments for “Force Plex Media Server (PMS) to use squid proxy

  1. Eduardo
    January 14, 2021 at 8:31 pm

    This is the first post I find with an actual solution. Thanks!

    In my case this is working for CentOS Linux release 8.3.2011

    Create a
    /etc/profile.d/proxy.sh

    # set proxy config via profie.d – should apply for all users
    #
    PROXY_URL=”http://10.10.1.10:8080/”

    export http_proxy=”$PROXY_URL”
    export https_proxy=”$PROXY_URL”
    export ftp_proxy=”$PROXY_URL”
    export no_proxy=”127.0.0.1,localhost”

    # For curl
    export HTTP_PROXY=”$PROXY_URL”
    export HTTPS_PROXY=”$PROXY_URL”
    export FTP_PROXY=”$PROXY_URL”
    export NO_PROXY=”127.0.0.1,localhost”

    source /etc/profile
    ——————————————————————————————————–
    Now I can see the traffic tunneled in squid.
    HTTP pro..
    2021-01-14 11:23:29
    171062 10.10.10.3 TCP_TUNNEL/200 5110 CONNECT webshows.provider.plex.tv:443 – HIER_DIRECT/104.17.67.195 –
    HTTP pro..
    2021-01-14 11:23:29
    171059 10.10.10.3 TCP_TUNNEL/200 5121 CONNECT podcasts.provider.plex.tv:443 – HIER_DIRECT/104.17.68.195 –
    HTTP pro..
    2021-01-14 11:23:29
    171063 10.10.10.3 TCP_TUNNEL/200 5191 CONNECT news.provider.plex.tv:443 – HIER_DIRECT/104.17.68.195 –
    HTTP pro..
    2021-01-14 11:23:29
    171068 10.10.10.3 TCP_TUNNEL/200 5088 CONNECT vod.provider.plex.tv:443 – HIER_DIRECT/104.17.67.195 –
    HTTP pro..
    2021-01-14 11:23:29
    171063 10.10.10.3 TCP_TUNNEL/200 5099 CONNECT epg.provider.plex.tv:443 – HIER_DIRECT/104.17.67.195 –
    HTTP pro..
    2021-01-14 11:23:33
    175423 10.10.10.3 TCP_TUNNEL/200 4592 CONNECT analytics.plex.tv:443 – HIER_DIRECT/130.211.32.175 –
    HTTP pro..
    2021-01-14 11:23:33
    174995 10.10.10.3 TCP_TUNNEL/200 3990 CONNECT together.plex.tv:443 – HIER_DIRECT/18.210.168.241

Leave a Reply

Your email address will not be published. Required fields are marked *