Is there an existing issue for this?
Current Behavior
Browsing albums in PlexAmp when using the Plex Subdomain config generates 401's in the Plex and NGINX logs for the path "GET /library/streams/xxxxx", leading to action from Fail2Ban.
Commenting out the pass request headers line of the Plex subdomain config file appears to resolve the issue.
location /library/streams/ {
set $upstream_app 10.0.0.245;
set $upstream_port 32400;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
Comment out this line > proxy_pass_request_headers off;
Expected Behavior
Standard browsing in the UI should not generate a 401 from the source app (Plex Media Server)
Steps To Reproduce
- Deploy Container
- Configure Fail2Ban per instructions https://www.linuxserver.io/blog/securing-swag
- Enable Plex subdomain config
- While not on LAN launch PlexAmp and browse albums / start playback multiple times
- Plex log / NGINX access log will document 401 Unathorized to /library/streams/xxxxx
- Fail2Ban will block source IP
Environment
- OS:Ubuntu 24.04
- How docker service was installed: Docker CE documentation for Ubuntu: https://docs.docker.com/engine/install/ubuntu/
- Plex Media Server 1.43.3.10793
- PlexAmp 4.12.4
CPU architecture
x86-64
Docker creation
---
services:
swag:
image: lscr.io/linuxserver/swag:latest
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=1000
- TZ=America/Los_Angeles
- URL=[mydomain].com
- VALIDATION=dns
- SUBDOMAINS=wildcard #optional
- CERTPROVIDER= #optional
- DNSPLUGIN=cloudflare #optional
- PROPAGATION=60 #optional
- EMAIL= #optional
- ONLY_SUBDOMAINS=false #optional
- EXTRA_DOMAINS= #optional
- STAGING=false #optional
- DISABLE_F2B= #optional
- SWAG_AUTORELOAD= #optional
- SWAG_AUTORELOAD_WATCHLIST= #optional
- DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind
- MAXMINDDB_LICENSE_KEY=[License Key]
- MAXMINDDB_USER_ID=[UID]
volumes:
- [Local/data/path]:/config
ports:
- 443:443
- 80:80 #optional
- 443:443/udp #optional
- 81:81 #swag dash
restart: unless-stopped
Container logs
[mod-init] Running Docker Modification Logic
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] Downloading linuxserver/mods:swag-dashboard from lscr.io
[mod-init] Installing linuxserver/mods:swag-dashboard
[mod-init] linuxserver/mods:swag-dashboard applied to container
[mod-init] Adding linuxserver/mods:swag-maxmind to container
[mod-init] Downloading linuxserver/mods:swag-maxmind from lscr.io
[mod-init] Installing linuxserver/mods:swag-maxmind
[mod-init] linuxserver/mods:swag-maxmind applied to container
[migrations] started
[migrations] 01-nginx-site-confs-default: executing...
[migrations] 01-nginx-site-confs-default: succeeded
[migrations] 02-swag-old-certbot-paths: executing...
[migrations] 02-swag-old-certbot-paths: succeeded
[migrations] done
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1000
User GID: 1000
───────────────────────────────────────
Linuxserver.io version: 5.6.0-ls467
Build-date: 2026-06-27T06:35:26+00:00
───────────────────────────────────────
Setting resolver to 127.0.0.11
Setting worker_processes to 12
generating self-signed keys in /config/keys, you can replace these with your own keys if required
[cert stuff]
Variables set:
PUID=1000
PGID=1000
TZ=America/Los_Angeles
URL=[mydomain].com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=
STAGING=false
Created .donoteditthisfile.conf
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for [mydomain].com will be requested
No e-mail address entered or address invalid
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /config/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for [mydomain].com and *.[mydomain].com
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Error determining zone_id: 9103 Error code: 403 - {'success': False, 'errors': [{'code': 9103, 'message': 'Unknown X-Auth-Key or X-Auth-Email'}], 'messages': [], 'result': None}. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /config/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
[mod-init] Running Docker Modification Logic
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] linuxserver/mods:swag-dashboard at sha256:9f9e09998071ba91bc6652366a02ebeba7c3d76e7f268e91ced25c4b412d47c6 has been previously applied skipping
[mod-init] Adding linuxserver/mods:swag-maxmind to container
[mod-init] linuxserver/mods:swag-maxmind at sha256:3310c2146849c483e15ce629422720d2fab0715685f526ccae5967c5f1ca5d66 has been previously applied skipping
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] 02-swag-old-certbot-paths: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1000
User GID: 1000
───────────────────────────────────────
Linuxserver.io version: 5.6.0-ls467
Build-date: 2026-06-27T06:35:26+00:00
───────────────────────────────────────
using keys found in /config/keys
Variables set:
PUID=1000
PGID=1000
TZ=America/Los_Angeles
URL=[mydomain].com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=
STAGING=false
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for [mydomain].com will be requested
No e-mail address entered or address invalid
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /config/log/letsencrypt/letsencrypt.log
Requesting a certificate for [mydomain].com and *.[mydomain].com
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Waiting 60 seconds for DNS changes to propagate
Successfully received certificate.
Certificate is saved at: /config/etc/letsencrypt/live/[mydomain].com/fullchain.pem
Key is saved at: /config/etc/letsencrypt/live/[mydomain].com/privkey.pem
This certificate expires on 2026-09-29.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New certificate generated; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
**** Applying the SWAG dashboard mod... ****
**** Adding goaccess to package install list ****
**** adding libmaxminddb to package install list ****
**** libmaxminddb already installed, skipping ****
**** Applied the SWAG dashboard mod ****
[pkg-install-init] **** Installing all mod packages ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.22/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.22/community/x86_64/APKINDEX.tar.gz
(1/2) Installing goaccess (1.9.4-r0)
(2/2) Installing libmaxminddb (1.9.1-r0)
Executing busybox-1.37.0-r20.trigger
OK: 190 MiB in 223 packages
Applying the maxmind mod...
Downloading GeoIP2 City database.
Applied the maxmind mod
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Server ready
[mod-init] Running Docker Modification Logic
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] linuxserver/mods:swag-dashboard at sha256:9f9e09998071ba91bc6652366a02ebeba7c3d76e7f268e91ced25c4b412d47c6 has been previously applied skipping
[mod-init] Adding linuxserver/mods:swag-maxmind to container
[mod-init] linuxserver/mods:swag-maxmind at sha256:3310c2146849c483e15ce629422720d2fab0715685f526ccae5967c5f1ca5d66 has been previously applied skipping
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] 02-swag-old-certbot-paths: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1000
User GID: 1000
───────────────────────────────────────
Linuxserver.io version: 5.6.0-ls467
Build-date: 2026-06-27T06:35:26+00:00
───────────────────────────────────────
using keys found in /config/keys
Variables set:
PUID=1000
PGID=1000
TZ=America/Los_Angeles
URL=[mydomain].com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=
STAGING=false
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for [mydomain].com will be requested
No e-mail address entered or address invalid
dns validation via [mydomain] plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
**** Applying the SWAG dashboard mod... ****
libmaxminddb
**** libmaxminddb already installed, skipping ****
**** goaccess already installed, skipping ****
**** libmaxminddb already installed, skipping ****
**** Applied the SWAG dashboard mod ****
Applying the maxmind mod...
Applied the maxmind mod
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Server ready
Is there an existing issue for this?
Current Behavior
Browsing albums in PlexAmp when using the Plex Subdomain config generates 401's in the Plex and NGINX logs for the path "GET /library/streams/xxxxx", leading to action from Fail2Ban.
Commenting out the pass request headers line of the Plex subdomain config file appears to resolve the issue.
location /library/streams/ {
set $upstream_app 10.0.0.245;
set $upstream_port 32400;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
Expected Behavior
Standard browsing in the UI should not generate a 401 from the source app (Plex Media Server)
Steps To Reproduce
Environment
CPU architecture
x86-64
Docker creation
--- services: swag: image: lscr.io/linuxserver/swag:latest container_name: swag cap_add: - NET_ADMIN environment: - PUID=1000 - PGID=1000 - TZ=America/Los_Angeles - URL=[mydomain].com - VALIDATION=dns - SUBDOMAINS=wildcard #optional - CERTPROVIDER= #optional - DNSPLUGIN=cloudflare #optional - PROPAGATION=60 #optional - EMAIL= #optional - ONLY_SUBDOMAINS=false #optional - EXTRA_DOMAINS= #optional - STAGING=false #optional - DISABLE_F2B= #optional - SWAG_AUTORELOAD= #optional - SWAG_AUTORELOAD_WATCHLIST= #optional - DOCKER_MODS=linuxserver/mods:swag-dashboard|linuxserver/mods:swag-maxmind - MAXMINDDB_LICENSE_KEY=[License Key] - MAXMINDDB_USER_ID=[UID] volumes: - [Local/data/path]:/config ports: - 443:443 - 80:80 #optional - 443:443/udp #optional - 81:81 #swag dash restart: unless-stoppedContainer logs