
[Feature]: Running Immich behind a Reverse-Proxy configured with a Self-signed-certificate

Open spammads opened this issue 1 year ago • 19 comments

Feature detail

I run a standard Nginx-Reverse-Proxy with a self-signed-certificate, so I can access the service with a subdomain like https://immich.example.local. If I set VITE_SERVER_ENDPOINT=https://immich.example.local/api, the Web-Container complains that it can't reach the resource because of the self-signed-certificate. If I set VITE_SERVER_ENDPOINT=http://immich-proxy:2283/api, I get messages in the developer-console saying: Blocked loading mixed active content "http://immich-proxy:2283/api/asset".

Would be great if Immich could be run behind a custom reverse-proxy. Running latest docker on Ubuntu 20.04. And thanks for the great work on this one! Seems that Immich could be the missing piece in the selfhosting photo-puzzle.

Platform

Web

spammads avatar Jul 13 '22 14:07 spammads
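Added example, not part of the original thread or the Immich code base: a simplified model of the browser's mixed-content decision, applied to the two `VITE_SERVER_ENDPOINT` values from the post above. The function names, the page URL and the loopback case are assumptions made for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https", "wss"}


def is_potentially_trustworthy(url):
    """Simplified form of the browser's 'potentially trustworthy URL' test."""
    parts = urlsplit(url)
    if parts.scheme in SECURE_SCHEMES:
        return True
    host = (parts.hostname or "").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ip_address(host).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False  # an ordinary hostname reached over plain http/ws


def classify_fetch(page_url, endpoint):
    """How a browser treats fetch()/XHR from page_url to endpoint.

    Simplification: a page counts as a secure context only when served over https.
    """
    if urlsplit(page_url).scheme != "https":
        return "allowed"  # no mixed-content check for a plain-http page
    if not is_potentially_trustworthy(endpoint):
        return "blocked-mixed-active-content"
    if urlsplit(endpoint).scheme in SECURE_SCHEMES:
        return "needs-trusted-certificate"  # TLS handshake must still validate
    return "allowed"  # loopback endpoint


if __name__ == "__main__":
    page = "https://immich.example.local/photos"  # constructed page URL
    for endpoint in (
        "http://immich-proxy:2283/api",      # value from the post
        "https://immich.example.local/api",  # value from the post
        "http://127.0.0.1:2283/api",         # constructed loopback case
    ):
        print(f"{endpoint:35} -> {classify_fetch(page, endpoint)}")
```

The `needs-trusted-certificate` result is why a self-signed certificate only works once the client making the request trusts it; plain HTTP to a container hostname is refused before any request is sent.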

Hi @CKranebitter we were discussing your problem internally. We decided to remove all API-calls between the web and server containers and call the auth endpoint directly from the browser. This would probably solve your problem as you could use VITE_SERVER_ENDPOINT=https://... without any problem, as long as your browser supports your certificate.

We will probably change this within a few days. Thank you for the suggestion.

matthinc avatar Jul 13 '22 15:07 matthinc

Sounds great. And thanks for letting me know this quickly. Looking forward to this PR. And the OIDC one. Best.

spammads avatar Jul 13 '22 15:07 spammads

I just deployed immich a few hours ago for the first time and also set up a reverse proxy. I use nginx proxy manager (npm). I am able to access the web interface and upload photos, and I am able to run the android app and see those photos, but when I start backup it spins forever... Is there something special needed to get configured on the reverse proxy?

In the env file I have like https://mydomain/api and the reverse proxy just forwards https://mydomain to http://ip:2328

MrColumbo avatar Jul 16 '22 09:07 MrColumbo

Shouldn't nginx forward to localhost?

bertmelis avatar Jul 16 '22 10:07 bertmelis

Depends. Basically the Reverseproxy of the user needs to point to the Proxycontainer (or Server) of Immich. When using docker, container- and service-names can be used inside Nginx.

spammads avatar Jul 16 '22 11:07 spammads

I looked at the reverse proxy logs ... does this

there are some warning lines

2022/07/16 12:20:11 [warn] 13996#13996: *427960 a client request body is buffered to a temporary file /tmp/nginx/body/4/57/0000028574, client: ###.###.###.###, server: immich#############.duckdns.org, request: "POST /api/asset/upload HTTP/1.1", host: "immich#############.duckdns.org"
2022/07/16 12:20:13 [warn] 13996#13996: *427964 a client request body is buffered to a temporary file /tmp/nginx/body/5/57/0000028575, client: ###.###.###.###, server: immich#############.duckdns.org, request: "POST /api/asset/upload HTTP/1.1", host: "immich#############.duckdns.org"
2022/07/16 12:20:14 [warn] 13996#13996: *427966 a client request body is buffered to a temporary file /tmp/nginx/body/6/57/0000028576, client: ###.###.###.###, server: immich#############.duckdns.org, request: "POST /api/asset/upload HTTP/1.1", host: "immich#############.duckdns.org"
2022/07/16 12:20:20 [warn] 13996#13996: *427973 a client request body is buffered to a temporary file /tmp/nginx/body/7/57/0000028577, client: ###.###.###.###, server: immich#############.duckdns.org, request: "POST /api/asset/upload HTTP/1.1", host: "immich#############.duckdns.org"
2022/07/16 12:20:22 [warn] 13996#13996: *427977 a client request body is buffered to a temporary file /tmp/nginx/body/8/57/0000028578, client: ###.###.###.###, server: immich#############.duckdns.org, request: "POST /api/asset/upload HTTP/1.1", host: "immich#############.duckdns.org"
2022/07/16 12:20:23 [warn] 13996#13996: *427980 a client request body is buffered to a temporary file /tmp/nginx/body/9/57/0000028579, client: ###.###.###.###, server: immich#############.duckdns.org, request: "POST /api/asset/upload HTTP/1.1", host: "immich#############.duckdns.org"

the access log looks like this

[16/Jul/2022:12:20:10 +0000] - 200 200 - GET https immich#############.duckdns.org "/api/asset/c1c7fca51b2a237ab9cfe131b7b7b8db0b89ba2a6677703c658d415960559ff2" [Client ###.###.###.###] [Length 2] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:11 +0000] - 304 304 - GET https immich#############.duckdns.org "/api/server-info/ping" [Client ###.###.###.###] [Length 0] [Gzip -] [Sent-to 192.168.178.132] "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" "https://immich#############.duckdns.org/photos"
[16/Jul/2022:12:20:11 +0000] - 200 200 - GET https immich#############.duckdns.org "/api/server-info" [Client ###.###.###.###] [Length 179] [Gzip -] [Sent-to 192.168.178.132] "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" "https://immich#############.duckdns.org/photos"
[16/Jul/2022:12:20:12 +0000] - 400 400 - POST https immich#############.duckdns.org "/api/asset/upload" [Client ###.###.###.###] [Length 69] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:13 +0000] - 400 400 - POST https immich#############.duckdns.org "/api/asset/upload" [Client ###.###.###.###] [Length 69] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:16 +0000] - 400 400 - POST https immich#############.duckdns.org "/api/asset/upload" [Client ###.###.###.###] [Length 69] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:20 +0000] - 200 200 - GET https immich#############.duckdns.org "/api/server-info" [Client ###.###.###.###] [Length 179] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:20 +0000] - 200 200 - GET https immich#############.duckdns.org "/api/asset/c1c7fca51b2a237ab9cfe131b7b7b8db0b89ba2a6677703c658d415960559ff2" [Client ###.###.###.###] [Length 2] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:21 +0000] - 400 400 - POST https immich#############.duckdns.org "/api/asset/upload" [Client ###.###.###.###] [Length 69] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:21 +0000] - 304 304 - GET https immich#############.duckdns.org "/api/server-info/ping" [Client ###.###.###.###] [Length 0] [Gzip -] [Sent-to 192.168.178.132] "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" "https://immich#############.duckdns.org/photos"
[16/Jul/2022:12:20:21 +0000] - 200 200 - GET https immich#############.duckdns.org "/api/server-info" [Client ###.###.###.###] [Length 179] [Gzip -] [Sent-to 192.168.178.132] "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" "https://immich#############.duckdns.org/photos"
[16/Jul/2022:12:20:22 +0000] - 400 400 - POST https immich#############.duckdns.org "/api/asset/upload" [Client ###.###.###.###] [Length 69] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"
[16/Jul/2022:12:20:24 +0000] - 400 400 - POST https immich#############.duckdns.org "/api/asset/upload" [Client ###.###.###.###] [Length 69] [Gzip -] [Sent-to 192.168.178.132] "Dart/2.17 (dart:io)" "-"

@bertmelis localhost only if the reverse proxy is on the same host as immich, but in my case it is not.

The android app even shows the percentage for each photo going up to 100%, but it stays spinning.

By the way, I am using a letsencrypt certificate and not a self-signed one.

I will try to change the env file and validate that it is working directly. I never tried it with the android app since backing up pictures is mostly important during vacation, so I thought I'd use the reverse proxy from the very beginning, which besides backing up photos works fine.

This is what I see in immich (cli)

immich_redis | 1:M 16 Jul 2022 12:19:03.494 * 100 changes in 300 seconds. Saving...
immich_redis | 1:M 16 Jul 2022 12:19:03.494 * Background saving started by pid 30
immich_redis | 30:C 16 Jul 2022 12:19:03.518 * DB saved on disk
immich_redis | 30:C 16 Jul 2022 12:19:03.519 * RDB: 0 MB of memory used by copy-on-write
immich_redis | 1:M 16 Jul 2022 12:19:03.594 * Background saving terminated with success
immich-server_1 | [Nest] 8 - 07/16/2022, 12:19:59 PM LOG [WebsocketConnectionEvent] New websocket connection: z53ryBpMZa_FtYgrAAAX
immich-server_1 | [Nest] 8 - 07/16/2022, 12:20:03 PM LOG [WebsocketConnectionEvent] New websocket connection: qYMY5uygIq9azGJJAAAa
immich-server_1 | [Nest] 8 - 07/16/2022, 12:20:03 PM LOG [WebsocketConnectionEvent] New websocket connection: RAGEasHPkAwFGVWcAAAb
immich-server_1 | [Nest] 8 - 07/16/2022, 12:20:48 PM LOG [WebsocketConnectionEvent] Client RAGEasHPkAwFGVWcAAAb disconnected from Websocket
immich-server_1 | [Nest] 8 - 07/16/2022, 12:21:13 PM LOG [WebsocketConnectionEvent] Client qYMY5uygIq9azGJJAAAa disconnected from Websocket
immich-server_1 | [Nest] 8 - 07/16/2022, 12:21:34 PM LOG [WebsocketConnectionEvent] Client z53ryBpMZa_FtYgrAAAX disconnected from Websocket
immich_redis | 1:M 16 Jul 2022 12:35:34.015 * 100 changes in 300 seconds. Saving...
immich_redis | 1:M 16 Jul 2022 12:35:34.015 * Background saving started by pid 31
immich_redis | 31:C 16 Jul 2022 12:35:34.073 * DB saved on disk
immich_redis | 31:C 16 Jul 2022 12:35:34.073 * RDB: 0 MB of memory used by copy-on-write
immich_redis | 1:M 16 Jul 2022 12:35:34.115 * Background saving terminated with success

By the way, I am testing it with 3 photos which I like to back up.

MrColumbo avatar Jul 16 '22 12:07 MrColumbo

Sorry... I noticed that somehow in my environment the backup from the android client does not even work when I do not use a reverse proxy. Sorry, somehow I was assuming that this is probably related to the reverse proxy, but it turns out I was wrong.

MrColumbo avatar Jul 16 '22 12:07 MrColumbo

@MrColumbo If you have problems with using the app, please open a new issue and provide the required info. I will take a look at your setup.

alextran1502 avatar Jul 16 '22 13:07 alextran1502

I believe with the latest release, this should now be resolved.

bo0tzz avatar Aug 10 '22 07:08 bo0tzz

I don't know if it's just me. Mobile works. But web does not authenticate me. If I log in with my credentials I get logged in as undefined. Configuration-wise I deleted the vite-server-endpoint-directive in the env-file. The rest is as before.

spammads avatar Aug 17 '22 08:08 spammads

@CKranebitter did you perform docker-compose pull to update the containers?

alextran1502 avatar Aug 17 '22 12:08 alextran1502

I am using docker swarm. Therefore I removed all immich-services and deployed via a rerun of my stack file. I assume that’s basically the same as with docker-compose pull as new images get pulled.

spammads avatar Aug 17 '22 17:08 spammads

I just did a fresh install so that it is available at https://immich.domain.tld which works happily on the browser, but not in the ios app.

I have the HAProxy connect to port 2283 and expose the subdomain on port 443 and no mention of the api url. Is that necessary?

The only error given by the app is "Error logging you in, check server url, email and password"

If I add api with https://immich.domain.tld/api it still does not work...

Is there something else I should do?

Thanks

2600box avatar Aug 21 '22 12:08 2600box

Are you on the latest version of the app and server? If you go to https://immich.domain.tld/api/server-info, what result do you get? (I would expect the api to be fine since the web app apparently works, but just to be sure)

bo0tzz avatar Aug 21 '22 12:08 bo0tzz

> Are you on the latest version of the app and server? If you go to https://immich.domain.tld/api/server-info, what result do you get? (I would expect the api to be fine since the web app apparently works, but just to be sure)

This is the api response through the browser

{"diskAvailable":"475.0GB","diskSize":"499.9GB","diskUse":"24.8GB","diskAvailableRaw":510185046016,"diskSizeRaw":536870912000,"diskUseRaw":26685865984,"diskUsagePercentage":4.97}

and I am using the default docker-compose with altran1502/immich-server:release and doing a docker compose pull says Skipped - Image is already present locally

For the app version, I am using the one from app store 1.24.0 - I could not find a testflight. Do I need to build from source with xcode?

Edit: I think I must have made a typo somewhere. It is working now. Cheers

2600box avatar Aug 21 '22 12:08 2600box

@2600box if it works on the browser then there should be no problem working on the phone. Can you make sure you have entered the url and the username, password correctly?

alextran1502 avatar Aug 21 '22 14:08 alextran1502

> @2600box if it works on the browser then there should be no problem working on the phone. Can you make sure you have entered the url and the username, password correctly?

Yeah, I think it must have been a typo on my part. App connects now.

Though I think I can't use it because I have my photo storage optimised with icloud.

2600box avatar Aug 21 '22 15:08 2600box

Still getting 500 status codes when I log in:

[Screenshot 2022-08-22 at 10 13 44]

I guess this is because – as mentioned before – I use docker swarm. Hence my immich-server-container has the docker-hostname: immich_server_ck. In the Web-Server-Container the Server-Container-Address is hardcoded in web/src/api/api.ts:

[Screenshot 2022-08-22 at 11 28 08]

So I would need a possibility to set this via env-file-variable or something. Sorry for my derivative setup. Would be really great if there was a way to solve this

spammads avatar Aug 22 '22 09:08 spammads

I think this was a bit of collateral damage when removing VITE_SERVER_ENDPOINT for the frontend. I agree that address should not be hardcoded.

bo0tzz avatar Aug 22 '22 11:08 bo0tzz

I created a Docker Container from immich and put it behind HAProxy

I configured these 2 ACLs:

acl path_is_immich url_beg /immich
acl path_is__app url_beg /_app
use_backend immich if path_is_immich
use_backend immich if path_is__app

And it results in this error:

image

immich is great, thanks for help.

nando2301 avatar Nov 08 '22 02:11 nando2301

With the possibility to set the Dns of the services via Environment I can again access Immich. Thanks for the great work guys. Closing this one.

spammads avatar Nov 16 '22 08:11 spammads

Hi people!

If anybody could help me, I would appreciate it.

I have set up docker in Windows 10 and installed Immich with default parameters for testing. Nginx is installed also.

On localhost:2283, everything is working fine, even on the phone side with the app.

Then, outside the "home" network, I cannot access both. I have opened ports on my router just in case, ports 3000 to 3002 and 2283. I added a DDNS in my domain setup with "home.mydomain.pt". Then in Nginx I have set up a Host with source: "home.mydomain.pt" and Destination as: 192.168.x.x:2283.

Result: nothing works outside the home network, so over the internet I cannot access either Immich Web or the App.

Can anyone help me figure this out? I've been at this Immich thing for about a week... Because I would like to have it for my personal use...

herculespt avatar Jan 27 '23 00:01 herculespt

I am assuming home.mydomain.pt points to 192.168.x.x:2283? If that is the case, you are pointing it to the wrong IP. 192.* is reserved for private IPs. You first need to check if you actually get a public IP; if so, point it to that public IP. But if you are behind NAT, you need to use wireguard / tailscale etc.

blmhemu avatar Jan 27 '23 06:01 blmhemu
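Added example, not part of the original thread: a check for the situation described in the last two posts, where a DDNS record or the router's WAN address falls in a range that is not reachable from the internet. The function names and all addresses are constructed; 203.0.113.0/24 is a documentation range standing in for a real public IP.

```python
from ipaddress import ip_address, ip_network

# IPv4 ranges that cannot be reached from the public internet.
NON_ROUTABLE = {
    "rfc1918-private": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "cgnat-shared": ("100.64.0.0/10",),  # RFC 6598, carrier-grade NAT
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
}


def classify(addr):
    """Return the non-routable range an address belongs to, or 'public'."""
    ip = ip_address(addr)
    for label, cidrs in NON_ROUTABLE.items():
        if any(ip in ip_network(cidr) for cidr in cidrs):
            return label
    return "public"


def diagnose(dns_answer, router_wan):
    """dns_answer: what the DDNS name resolves to; router_wan: the router's WAN address."""
    findings = []
    record, wan = classify(dns_answer), classify(router_wan)
    if record != "public":
        # The name points at a LAN address, so outside clients can never connect.
        findings.append(f"record-not-routable:{record}")
    if wan != "public":
        # The ISP performs NAT upstream; port forwarding on the home router
        # is not enough and a VPN or tunnel is required.
        findings.append(f"wan-behind-nat:{wan}")
    elif record == "public" and ip_address(dns_answer) != ip_address(router_wan):
        findings.append("record-stale")  # DDNS client has not updated the record
    return findings


if __name__ == "__main__":
    cases = [  # constructed (DNS answer, router WAN address) pairs
        ("192.168.1.50", "203.0.113.7"),
        ("203.0.113.7", "100.72.3.9"),
        ("203.0.113.8", "203.0.113.7"),
        ("203.0.113.7", "203.0.113.7"),
    ]
    for dns_answer, wan in cases:
        print(dns_answer, wan, diagnose(dns_answer, wan) or "ok")
```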