Adding a custom Traefik reverse proxy (immich-proxy doesn't reach other Immich containers)

Hello. I'm about to deploy Immich but I can't decide if I should completely replace Immich's default reverse proxy or add another one (Traefik). I think it is more secure to add another one, as the default one is properly configured out of the box and I would save myself some troubleshooting.

My setup:
- Traefik reverse proxy -> CrowdSec -> (Optional; will definitely implement over time) Keycloak (authentication via "Login with Google") -> Service (Immich)

Experiences:
- Already hosting 2 services on a local domain and 1 service publicly via Traefik.
- Didn't mess with headers yet, so there would be some troubleshooting for sure.

What do you suggest as a reverse proxy setup?
13 Replies
bo0tzz•2y ago
I would keep immich_proxy, that way you don't have to worry about recreating its config
Mr.Green CakeOP•2y ago
Yup, I thought the same. So theoretically, if I add labels to the immich-proxy container section inside the docker-compose file like this:
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.immich-local.rule=Host(`immich.local.example.eu`)"
  - "traefik.http.routers.immich-local.entrypoints=web, websecure"
  - "traefik.http.routers.immich-local.tls=true"
  - "traefik.http.routers.immich-local.tls.certresolver=cloudflare"
  - "traefik.http.routers.immich-local.tls.domains[0].main=local.example.eu"
  - "traefik.http.routers.immich-local.tls.domains[0].sans=*.local.example.eu"
  - "traefik.docker.network=proxy"
It should work correctly?
bo0tzz•2y ago
I don't know traefik at all, but probably? :p
Mr.Green CakeOP•2y ago
We'll see, lol. In case of trouble, should I create a new topic or just write inside this one?
bo0tzz•2y ago
If it's reverse proxy trouble, this one is fine
Mr.Green CakeOP•2y ago
So, I deployed Immich (worked nicely) and then I did some casual edits to work with the Traefik reverse proxy. See docker-compose.yml to see changes over the original yml file.
.env file:
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgresko
DB_PASSWORD=redacted
DB_DATABASE_NAME=immichko
REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=/mnt/redacted/immich
TYPESENSE_API_KEY=redacted
PUBLIC_LOGIN_PAGE_MESSAGE="It works!"
IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003
Mr.Green CakeOP•2y ago
And now I'm getting errors in the immich-proxy container:
2023/06/11 10:51:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
nginx: [emerg] host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-set-env-variables.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
20-envsubst-on-templates.sh: Running envsubst on /etc/nginx/templates/default.conf.template to /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/06/11 10:52:43 [emerg] 1#1: host not found in upstream "immich-server:3001" in /etc/nginx/conf.d/default.conf:15
Mr.Green CakeOP•2y ago
The weird thing is that the "proxy" network doesn't contain the immich-proxy container:
Mr.Green CakeOP•2y ago
If I open immich.local.redacted.eu it shows 404 page not found, and the Traefik logs show basically the same:
192.168.1.11 - - [11/Jun/2023:11:05:06 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 498 "-" "-" 0ms
Mr.Green CakeOP•2y ago
That's really weird. I just took a look at the docker compose file again, and Portainer / Docker is somehow adding a new line between networks: and -proxy, as shown in the image:
Mr.Green CakeOP•2y ago
Even if I stop the stack, remove the line and update the stack, it automatically throws the empty line back.

SOLVED

I just needed to add every container in docker-compose.yml to its network (I called it immich), so instead of every container being in the automatically generated immich-default network, it lives in the defined network immich, so that immich-proxy can reach every container and is in the proxy network as well.

In case someone has the same issue and doesn't know what to do, just mention me or write me a DM and I will help. Thank you @bo0tzz for guiding me and letting me fix my issue by myself. I learnt more this way and now it works perfectly!
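The fix described in the post above, sketched as a Compose override fragment. This is an added example, not the poster's actual file: the service list is abbreviated, and it assumes the `proxy` network is created outside this stack by the Traefik deployment.

```yaml
# docker-compose.override.yml (constructed example; merged on top of the
# stock Immich docker-compose.yml, so image/env/volume keys are not repeated)
services:
  # A service that lists "networks:" explicitly is no longer attached to the
  # stack's automatically generated default network. Once immich-proxy gets
  # "networks: [proxy]", it can only resolve "immich-server" if the backends
  # share another network with it.
  immich-server:
    networks:
      - immich
  immich-web:
    networks:
      - immich
  immich-machine-learning:
    networks:
      - immich
  # Assumption: every remaining service in the stack (database, Redis and
  # so on) gets the same "networks: [immich]" entry.

  immich-proxy:
    networks:
      - immich   # lets nginx resolve immich-server / immich-web by name
      - proxy    # the only Immich container attached to Traefik's network
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.immich-local.rule=Host(`immich.local.example.eu`)"
      # With two networks attached, tell Traefik which one to route over.
      - "traefik.docker.network=proxy"

networks:
  immich: {}       # private network for this stack only
  proxy:
    external: true # assumption: pre-existing network shared with Traefik
```

Keeping the backend services off `proxy` means Traefik and anything else on that shared network can reach Immich only through immich-proxy.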
Allram•2y ago
Btw, you can use this plugin in Traefik, so that you don't need to have a separate bouncer for Crowdsec. It also has support for Redis caching 👌 https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin
Crowdsec Bouncer Traefik Plugin
Middleware plugin which forwards the request IP to local Crowdsec agent, which can be used to allow/deny the request
Mr.Green CakeOP•2y ago
Thank you!
