Adding a custom Traefik reverse proxy (immich-proxy don't reach other immich containers)

Mr.Green Cake · 2023-06-11T08:48:23.710Z

Hello. I'm about to deploy Immich but i can't decide if i should completely replace the default Immich's reverse proxy or add another one (Traefik). I think it is more secure to add another one as the default one is properly configured out of the box and i would save myself some troubleshooting. My setup: - Traefik reverse proxy -> CrowdSec -> (Optional; Will definitely implement over time) Keycloak (Authentication via "Login with Google") -> Service (Immich) Experiences: - Already hosting 2 services on local domain and 1 service publicly via Traefik. - Didn't mess with headers yet so there would be some troubleshooting for sure. What do you suggest me as reverse proxy setup?

B

bo0tzz•6/11/23, 8:57 AM

I would keep immich_proxy, that way you don't have to worry about recreating its config

M

Mr.Green CakeOP•6/11/23, 9:00 AM

Yup, i thought the same. So theoretically, if i add labels to immich-proxy container section inside the docker-compose file like this:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich-local.rule=Host(`immich.local.example.eu`)"
      - "traefik.http.routers.immich-local.entrypoints=web, websecure"
      - "traefik.http.routers.immich-local.tls=true"
      - "traefik.http.routers.immich-local.tls.certresolver=cloudflare"
      - "traefik.http.routers.immich-local.tls.domains[0].main=local.example.eu"
      - "traefik.http.routers.immich-local.tls.domains[0].sans=*.local.example.eu"
      - "traefik.docker.network=proxy"

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich-local.rule=Host(`immich.local.example.eu`)"
      - "traefik.http.routers.immich-local.entrypoints=web, websecure"
      - "traefik.http.routers.immich-local.tls=true"
      - "traefik.http.routers.immich-local.tls.certresolver=cloudflare"
      - "traefik.http.routers.immich-local.tls.domains[0].main=local.example.eu"
      - "traefik.http.routers.immich-local.tls.domains[0].sans=*.local.example.eu"
      - "traefik.docker.network=proxy"

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich-local.rule=Host(`immich.local.example.eu`)"
      - "traefik.http.routers.immich-local.entrypoints=web, websecure"
      - "traefik.http.routers.immich-local.tls=true"
      - "traefik.http.routers.immich-local.tls.certresolver=cloudflare"
      - "traefik.http.routers.immich-local.tls.domains[0].main=local.example.eu"
      - "traefik.http.routers.immich-local.tls.domains[0].sans=*.local.example.eu"
      - "traefik.docker.network=proxy"

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich-local.rule=Host(`immich.local.example.eu`)"
      - "traefik.http.routers.immich-local.entrypoints=web, websecure"
      - "traefik.http.routers.immich-local.tls=true"
      - "traefik.http.routers.immich-local.tls.certresolver=cloudflare"
      - "traefik.http.routers.immich-local.tls.domains[0].main=local.example.eu"
      - "traefik.http.routers.immich-local.tls.domains[0].sans=*.local.example.eu"
      - "traefik.docker.network=proxy"

It should work correctly?

B

bo0tzz•6/11/23, 9:02 AM

I don't know traefik at all, but probably? :p

M

Mr.Green CakeOP•6/11/23, 9:03 AM

we'll see, lol. In case of trouble, should i create new topic or just write inside this one?

B

bo0tzz•6/11/23, 9:06 AM

If it's reverse proxy trouble, this one is fine

M

Mr.Green CakeOP•6/11/23, 10:59 AM

So, i deployed Immich (worked nicely) and then i did some casual edits to work with traefik reverse proxy. See

docker-compose.yml

docker-compose.yml

to see changes over original yml file.

.env file:

DB_HOSTNAME=immich_postgres
DB_USERNAME=postgresko
DB_PASSWORD=redacted
DB_DATABASE_NAME=immichko
REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=/mnt/redacted/immich
TYPESENSE_API_KEY=redacted
PUBLIC_LOGIN_PAGE_MESSAGE="It works!"
IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003

DB_HOSTNAME=immich_postgres
DB_USERNAME=postgresko
DB_PASSWORD=redacted
DB_DATABASE_NAME=immichko
REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=/mnt/redacted/immich
TYPESENSE_API_KEY=redacted
PUBLIC_LOGIN_PAGE_MESSAGE="It works!"
IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003

DB_HOSTNAME=immich_postgres
DB_USERNAME=postgresko
DB_PASSWORD=redacted
DB_DATABASE_NAME=immichko
REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=/mnt/redacted/immich
TYPESENSE_API_KEY=redacted
PUBLIC_LOGIN_PAGE_MESSAGE="It works!"
IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003

DB_HOSTNAME=immich_postgres
DB_USERNAME=postgresko
DB_PASSWORD=redacted
DB_DATABASE_NAME=immichko
REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=/mnt/redacted/immich
TYPESENSE_API_KEY=redacted
PUBLIC_LOGIN_PAGE_MESSAGE="It works!"
IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003

docker-compose.yml2.92KB

M

Mr.Green CakeOP•6/11/23, 11:01 AM

And now i'm getting errors in immich-proxy container:

2023/06/11 10:51:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
nginx: [emerg] host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-set-env-variables.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/06/11 10:52:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15

2023/06/11 10:51:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
nginx: [emerg] host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-set-env-variables.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/06/11 10:52:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15

2023/06/11 10:51:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
nginx: [emerg] host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-set-env-variables.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/06/11 10:52:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15

2023/06/11 10:51:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
nginx: [emerg] host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-set-env-variables.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/06/11 10:52:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15

M

Mr.Green CakeOP•6/11/23, 11:03 AM

The weird thing is that the "proxy" network doesn't contain the immich-proxy container:

M

Mr.Green CakeOP•6/11/23, 11:07 AM

if i open

immich.local.redacted.eu

immich.local.redacted.eu

immich.local.redacted.eu

immich.local.redacted.eu it will write

404 page not found

404 page not found

404 page not found

404 page not found and in traefik logs is basically the same

192.168.1.11 - - [11/Jun/2023:11:05:06 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 498 "-" "-" 0ms

192.168.1.11 - - [11/Jun/2023:11:05:06 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 498 "-" "-" 0ms

192.168.1.11 - - [11/Jun/2023:11:05:06 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 498 "-" "-" 0ms

192.168.1.11 - - [11/Jun/2023:11:05:06 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 498 "-" "-" 0ms

M

Mr.Green CakeOP•6/11/23, 11:10 AM

that's really weird. I just take a look into the docker compose file again and portainer / docker is somehow adding new line between

networks:

networks:

networks:

networks: and

-proxy

-proxy

-proxy

-proxy shown in the image:

M

Mr.Green CakeOP•6/11/23, 11:11 AM

Even if i stop the stack, remove the line and update the stack, it automatically throws the empty line back

M

Mr.Green CakeOP•6/11/23, 11:22 AM

.
.
.
.
.
.
.
.
.
.
SOLVED
I just needed to add every container in docker-compose.yml to it's netwrok (i called it

immich

immich

immich

immich) so instead of every container being in

immich-default

immich-default

immich-default

immich-default network generated automatically, it lives in defined network

immich

immich

immich

immich so the immich-proxy can reach every container and is in the

proxy

proxy

proxy

proxy network as well.

In case of someone having the same issue and don't know what to do, just mention me or write me a DM and i will help. Thank you @bo0tzz for guiding me and lettimg me fix my issue by myself. I learnt more this way and now it works perfectly!

A

Allram•6/11/23, 11:52 AM

Btw, you can use this plugin in Traefik, so that you don't need to have a separate bouncer for Crowdsec. It also have support for Redis caching

https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin

Crowdsec Bouncer Traefik Plugin

Middleware plugin which forwards the request IP to local Crowdsec agent, which can be used to allow/deny the request

M

Mr.Green CakeOP•6/11/23, 12:19 PM

Thank you!

Adding a custom Traefik reverse proxy (immich-proxy don't reach other immich containers)

Similar Threads

Similar Threads

Similar Threads