Add the following to the http in /etc/nginx/nginx.conf. This tells nginx where the actually IP is coming from instead of showing as cloudflare.

# CF set real ip
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

# use any of the following two
real_ip_header CF-Connecting-IP;
#real_ip_header X-Forwarded-For;

This is the reverse proxy file /etc/nginx/sites-available/plex.domain.com. This is symlinked to
/etc/nginx/sites-enabled/plex.domain.com.

ln -s /etc/nginx/sites-available/plex.domain.com /etc/nginx/sites-enabled/

The contents of the file are below. You have to make sure to set the base URL on programs to match the base URL in nginx config. This site is for all of the tools.

server {
        listen 443;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
        add_header X-Frame-Options "SAMEORIGIN";
        server_name sub.domain.com;
        ssl_certificate           /path/to/cert/sub.domain.com/crt;
        ssl_certificate_key       /path/to/cert/sub.domain.com/key;
        ssl on;
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        access_log              /path/to/log/sub.domain.com/access.log;
        error_log               /path/to/log/sub.domain.com/error.log;
        root                    /usr/share/nginx/html/sub.domain.com;
        index index.html;

        gzip off;

#Buffering off send to the client as soon as the data is received from Plex.
        proxy_redirect off;
        proxy_buffering off;

        client_max_body_size 100M;

location /ll {
    proxy_pass http://localhost:5299/ll/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /nzbget {
        proxy_pass http://localhost:1234/nzbget;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }

location /plexpy {
        proxy_pass http://localhost:1478/plexpy;
        # Standard proxying headers
        proxy_set_header    Host                $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-Host    $server_name;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        # SSL proxying headers
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    X-Forwarded-Ssl     on;
 }


location /sonarr {
        proxy_pass http://localhost:3698/sonarr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /radarr {
        proxy_pass http://localhost:1598/radarr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /bazarr {
        proxy_pass http://localhost:6167/bazarr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location /lidarr {
        proxy_pass http://localhost:4567/lidarr;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}


location /grafana/ {
        proxy_pass http://localhost:3099/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }

}

This site is for actually plex

server {
        listen 443 ssl;
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;";
        add_header X-Frame-Options "SAMEORIGIN";
        server_name plex.domain.com;
        ssl_certificate           /etc/nginx/ssl/plex.domain.com/crt;
        ssl_certificate_key       /etc/nginx/ssl/plex.domain.com/key;
        ssl on;
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        access_log              /ssd/log/nginx/plex.domain.com/access.log;
        error_log               /ssd/log/nginx/plex.domain.com/error.log;
        root                    /usr/share/nginx/html/plex.domain.com;
        index index.html;

#Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. (Haven't encountered any yet)
        gzip on;
        gzip_vary on;
        gzip_min_length 1000;
        gzip_proxied any;
        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript;
        gzip_disable "MSIE [1-6]\.";

#Buffering off send to the client as soon as the data is received from Plex.
        proxy_redirect off;
        proxy_buffering off;

location / {
        proxy_pass  https://localhost:32400/;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        ## Required for Websockets
        proxy_http_version 1.1;
        proxy_set_header        Upgrade         $http_upgrade;
        proxy_set_header        Connection      "upgrade";
        proxy_read_timeout      36000s;  ## Timeout after 10 hours
   }
location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; }

}

Make changes to the files as you need since your port numbers are going to be different. Next check nginx config for issues

nginx -t

If this comes back good then reload nginx

systemctl reload nginx

Now we are going to want to block plex from communicating out to the world only to localhost. These will be wipes upon restart. There are numerous ways you can use to keep it persistent.

iptables -A INPUT -p tcp -s localhost --dport 32400 -j ACCEPT
iptables -A INPUT -p tcp --dport 32400 -j DROP

Next we will go into plex and disable remote connections and then set the domain URL in the network config.

NETWORK option
https://plex.domain.com:443