Secure Plex and Kodi Media Server using Let's Encrypt SSL | ComputingForGeeks

Media servers play an important role in the entertainment sector, they are used to store and access/stream digital content such as videos, LiveTV, photos, podcasts, and music over the internet. There are many media servers that include Plex, Kodi, Subsonic, Madsonic, Universal Media Server, LibreELEC, Emby, Gerbera e.t.c.

Plex and Kodi media servers are amongst the highly used media servers around the world. When installed, these media severs work without reverse proxy. This is not secure as credentials travel across the unprotected wire(HTTP). This guide aims to demonstrate how one can secure traffic using HTTPS.

Setup Pre-reqs

For this guide to be a success, you need the following:

• Kodi/Plex media server installed.
• A Fully Qualified Domain Name(FQDN)
• sudo access to the server

The Plex Media Server can be installed using the below guides:

Kodi can as well be installed using the aid from the below guide:

• Install Kodi Media Server on Fedora

For Kodi, you need to enable the web interface by installing the web interface add-on under the add-ons tab as below.

Under Settings->Services->Control, allow HTTP on port 8080 as below. Also, set a password for the username.

Now you will have the Kodi web interface running on port 8080.

$ sudo ss -plunt|grep 8080
tcp   LISTEN 0      128           0.0.0.0:8080       0.0.0.0:*    users:(("kodi.bin",pid=128662,fd=17))                                                                                                    
tcp   LISTEN 0      128              [::]:8080          [::]:*    users:(("kodi.bin",pid=128662,fd=16))                                                                         

Now proceed and secure Plex and Kodi Media Server using Let’s Encrypt SSL with the steps below

Install and Configure Apache Web server (Reverse Proxy)

To be able to secure Plex and Kodi Media Server using Let’s Encrypt SSL we need to have a reverse proxy set up. For this guide we will use the Apache web server that can be installed using the command:

##On Debian/Ubuntu
sudo apt install apache2

##On RHEL/CentOS/Rocky Linux/Alma Linux
sudo yum install httpd

Once installed, create a virtual hosts file for Plex/Kodi.

For Plex, the file will have the content below

<VirtualHost *:80>
   ServerName plex.computingforgeeks.com
   ErrorDocument 404 /404.html

   #HTTP proxy
   ProxyPreserveHost On
   ProxyPass / http://localhost:32400/
   ProxyPassReverse / http://localhost:32400/

   #Websocket proxy
   <Location /:/websockets/notifications>
        ProxyPass wss://localhost:32400/:/websockets/notifications
        ProxyPassReverse wss://localhost:32400/:/websockets/notifications
   </Location>
</VirtualHost>

For Kodi, the file will be:

<VirtualHost *:80>
   ServerName plex.computingforgeeks.com
   DocumentRoot /
   LogLevel emerg
   ErrorLog /var/log/apache2/kodiserver_error.log
   CustomLog /var/log/apache2/kodiserver_access.log "vhost_combined"
   ProxyPass / http://localhost:8080/ nocanon
   ProxyPassReverse / http://localhost:8080/
   <Directory "/">
     allow from all
     Options +Indexes
   </Directory>
   AllowEncodedSlashes On
</VirtualHost>

Remember to replace the ServerName and the error log path on Rhel-based systems to /httpd.

On Debian/Ubuntu, enable the created site and several modules:

sudo a2enmod proxy_http
sudo a2enmod rewrite

On Rhel-based systems, set SELinux disabled.

sudo setenforce 0

Restart Apache.

##On Debian/Ubuntu
sudo systemctl restart apache2

##On RHEL/CentOS/Rocky Linux/Alma Linux
sudo systemctl restart httpd

Allow HTTP through the firewall.

##For Firewalld
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload

##For UFW
sudo ufw allow http

At this point, you should be able to access the Kodi/Plex web interface via HTTP using the URL http://IP_address/web for Plex and http://IP_Address for Kodi.

Secure Plex and Kodi Media Server using Let’s Encrypt SSL

With the reverse proxy set up, proceed and secure the site. We will use Let’s Encrypt to issue free signed certificates for our FQDN.

Install the required package:

##On RHEL 8/CentOS/Rocky Linux 8/Fedora
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm 
sudo dnf install certbot python3-certbot-apache mod_ssl

##On Debian/Ubuntu
sudo apt updatesudo apt install certbot python3-certbot-apache

Proceed and issue certificates by executing:

sudo certbot --apache

Proceed as below.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): Enter a valid Email address here <email-address>         

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: plex.computingforgeeks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

Created an SSL vhost at /etc/apache2/sites-available/plex-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/plex-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/plex-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/plex.conf to ssl vhost in /etc/apache2/sites-available/plex-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://plex.computingforgeeks.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=plex.computingforgeeks.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
 ....

Now you have SSL certificates generated for the domain name in the virtual host. Now you should be able to access the site via HTTPS. Allow the service through the firewall.

##For Firewalld
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

##For UFW
sudo ufw allow https

Access Plex|Kodi Media Server via HTTPS

Proceed and access the site via HTTPS with the URL https://domain_name/web for Plex and https://domain_name for Kodi.

Now you have your Plex/Kodi Media Server secured using Let’s Encrypt SSL. At this point, the fear of information traveling across unprotected wire has been swept away. I hope this was significant to you.

Related posts: