Hey folks,
I'm moving from NGINX to traefik and I love it, but I have odd issue - my plex shows traefik IP as a client instead of real ip on my lan.
here is my compose:
traefik:
image: traefik:v3.3
container_name: traefik
security_opt:
- no-new-privileges:true
environment:
CF_DNS_API_TOKEN: $CF_DNS_API_TOKEN
TRAEFIK_DASHBOARD_CREDENTIALS: $TRAEFIK_DASHBOARD_CREDENTIALS
ports:
- 80:80
- 443:443
volumes:
- /etc/localtime:/etc/localtime:ro
- $APP_DATA/traefik/traefik.yml:/traefik.yml:ro
- $APP_DATA/traefik/acme.json:/acme.json
- $APP_DATA/traefik/dynamic:/dynamic:ro
- $APP_DATA/traefik/logs:/logs
networks:
reverse-proxy:
aliases:
- auth.$DOMAIN_NAME
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.entrypoints=http"
- "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.${DOMAIN_NAME}`)"
- "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
- "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
- "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
- "traefik.http.routers.traefik-secure.entrypoints=https"
- "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.${DOMAIN_NAME}`)"
- "traefik.http.routers.traefik-secure.tls=true"
- "traefik.http.routers.traefik-secure.service=api@internal"
- "traefik.http.routers.traefik-secure.middlewares=crowdsec@file,authelia@docker"
depends_on:
dockersocket:
condition: service_started
authelia:
condition: service_started
crowdsec:
condition: service_started
plex:
extends:
image: lscr.io/linuxserver/plex
container_name: plex
environment:
VERSION: docker
PLEX_CLAIM: $PLEX_CLAIM
ADVERTISE_IP: https://plex.$DOMAIN_NAME:443
volumes:
- $APP_DATA/plex:/config
- $DATA/media:/data/media
- $TRANSCODE_DATA/plex:/transcode
ports:
- 32400:32400
devices:
- /dev/dri:/dev/dri
labels:
- "traefik.enable=true"
- "traefik.http.routers.plex.rule=Host(`plex.${DOMAIN_NAME}`)"
- "traefik.http.routers.plex.entrypoints=https"
- "traefik.http.routers.plex.tls=true"
- "traefik.http.services.plex.loadbalancer.server.scheme=https"
- "traefik.http.services.plex.loadbalancer.server.port=32400"
networks:
reverse-proxy:
driver: bridge
name: reverse-proxy
ipam:
driver: default
config:
- subnet: 172.23.0.0/16
gateway: 172.23.0.1
traefik config:
api:
dashboard: true
debug: false
log:
level: INFO
accessLog:
filePath: "/logs/traefik.log"
format: json
filters:
statusCodes:
- "200-299" # log successful http requests
- "400-599" # log failed http requests
fields:
headers:
defaultMode: drop # drop all headers per default
names:
User-Agent: keep # log user agent strings
# crowdsec bouncer
experimental:
plugins:
bouncer:
moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
version: v1.4.2
entryPoints:
http:
address: ":80"
proxyProtocol:
trustedIPs:
- "172.23.0.0/16"
- "10.10.179.0/24"
forwardedHeaders:
trustedIPs: &trusted-ips
- "10.10.179.0/24"
- "10.13.13.0/24"
- "172.23.0.0/16"
transport:
respondingTimeouts:
readTimeout: 600s
idleTimeout: 600s
writeTimeout: 600s
http:
redirections:
entryPoint:
to: https
scheme: https
https:
address: ":443"
forwardedHeaders:
trustedIPs: *trusted-ips
proxyProtocol:
trustedIPs:
- "10.13.13.1/32"
- "10.10.179.0/24"
- "172.23.0.0/16"
serversTransport:
insecureSkipVerify: true
providers:
docker:
endpoint: "tcp://dockersocket:2375"
exposedByDefault: false
network: reverse-proxy
file:
directory: dynamic
watch: true
certificatesResolvers:
cloudflare:
acme:
email: admin@$DOMAIN_NAME
storage: acme.json
caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
# caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
dnsChallenge:
provider: cloudflare
#disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disables the need to wait for the propagation of the TXT record to all authoritative name servers.
#delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempted
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
and plex Custom Server URL:
https://plex.$DOMAIN_NAME:443
so my lan is 10.10.179.0/24 I can see from traefik access logs that my lan ip is captured but on plex it is Traefik ip 172.23.x.x
{"ClientAddr":"10.10.179.79:58277","ClientHost":"10.10.179.79","ClientPort":"58277","ClientUsername":"-","DownstreamContentSize":5807,"DownstreamStatus":200,"Duration":27561961,"OriginContentSize":5807,"OriginDuration":27412897,"OriginStatus":200,"Overhead":149064,"RequestAddr":"plex.$DOMAIN_NAME:443","RequestContentSize":0,"RequestCount":378,"RequestHost":"plex.$DOMAIN_NAME","RequestMethod":"GET","RequestPath":"/media/providers","RequestPort":"443","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"plex@docker","ServiceAddr":"172.23.0.19:32400","ServiceName":"plex@docker","ServiceURL":"https://172.23.0.19:32400","SpanId":"0000000000000000","StartLocal":"2025-04-27T16:28:58.713591463+01:00","StartUTC":"2025-04-27T15:28:58.713591463Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","TraceId":"00000000000000000000000000000000","entryPointName":"https","level":"info","msg":"","request_User-Agent":"Plex/1037 CFNetwork/3826.500.111.2.2 Darwin/24.4.0","time":"2025-04-27T16:28:58+01:00"}