Error loading image AND Authentication required (401)

dabernie · 2024-11-26T13:24:06.228Z

Hi, since two updates I get the popup "Authentication required (401)" when scrolling down in my timeline or uploading images in the WEB page. To explain the behavior: After logging in with either Authentik OAuth OR local users the timeline loads without an issue. But when scrolling down after apx. 100-200 previews I only get "Error loading image". Opening an image at the beginning works fine but when I get the error message, of course image opening is also no longer possible but creates an error popup "Authentication required (401)". Refreshing to the base URL gives me the login view again, from there I can login again via local or OAuth. Running v1.121.0 but it started happening with v1.119.0 I tried re downloading the compose file from https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml and do a fresh pull of the images, no change. On the hardware I already tried giving it more RAM but that doesn't seem to be the issue. I'm not sure if theres an issue in my config or a proper bug. Would be nice if you could guide me towards a solution, thanks a lot.

I

Immich•11/26/24, 1:24 PM

:wave: Hey @dabernie,

Thanks for reaching out to us. Please follow the recommended actions below; this will help us be more effective in our support effort and leave more time for building Immich :immich:.

References

Container Logs:
```
docker compose logs
```
```
docker compose logs
```
docs
Container Status:
```
docker compose ps
```
```
docker compose ps
```
docs
Reverse Proxy: https://immich.app/docs/administration/reverse-proxy

## Checklist

:ballot_box_with_check: I have verified I'm on the latest release(note that mobile app releases may take some time).
:ballot_box_with_check: I have read applicable release notes.
:ballot_box_with_check: I have reviewed the FAQs for known issues.
:ballot_box_with_check: I have reviewed Github for known issues.
:ballot_box_with_check: I have tried accessing Immich via local ip (without a custom reverse proxy).
:ballot_box_with_check: I have uploaded the relevant logs, docker compose, and .env files, making sure to use code formatting.
:ballot_box_with_check: I have tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

If this ticket can be closed you can use the

/close

/close

command, and re-open it later if needed.

Z

Zeus•11/26/24, 1:24 PM

Sounds like your oauth is logging you out / not storing the auth properly

D

dabernieOP•11/26/24, 1:25 PM

Yeah, thought that as well but it is the exact same when I use local immich users for the login.

D

dabernieOP•11/26/24, 1:28 PM

Currently I'm thinking about an nginx reverse proxy issue but I don't know the configs good enough to find the issue as it seems, will upload nginx config shortly.

Quickly tried it without reverse proxy and in the LAN directly seems to be working better.

Z

Zeus•11/26/24, 1:30 PM

Yeah, doesn’t seem like an immich issue either way

Z

Zeus•11/26/24, 1:30 PM

Maybe your proxy is stripping cookies somehow

D

dabernieOP•11/26/24, 1:30 PM

nginx config file


root@XXX:/etc/nginx/sites-available# cat immich.conf 
# Upstream where your immich server is hosted.
upstream immich {
    server 10.1.10.111:2283;
    # Improve performance by keeping some connections alive.
    keepalive 10;
}

map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

server {
    include /etc/nginx/sites-available/ssl_options.conf;
    server_name xxx.pictures;
    ssl_certificate /root/.acme.sh/xxx.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xxx.pictures_ecc/xxx.pictures.key;

    access_log /var/log/nginx/xxx.pictures.access.log;
    error_log /var/log/nginx/xxx.pictures.error.log;


#    proxy_buffers 8 16k;
#    proxy_buffer_size 32k;

    client_max_body_size 128m;

    location / {
        proxy_pass http://immich;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}

server {
 listen 80;
 listen [::]:80;
 server_name xxx.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}


root@XXX:/etc/nginx/sites-available# cat immich.conf 
# Upstream where your immich server is hosted.
upstream immich {
    server 10.1.10.111:2283;
    # Improve performance by keeping some connections alive.
    keepalive 10;
}

map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

server {
    include /etc/nginx/sites-available/ssl_options.conf;
    server_name xxx.pictures;
    ssl_certificate /root/.acme.sh/xxx.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xxx.pictures_ecc/xxx.pictures.key;

    access_log /var/log/nginx/xxx.pictures.access.log;
    error_log /var/log/nginx/xxx.pictures.error.log;


#    proxy_buffers 8 16k;
#    proxy_buffer_size 32k;

    client_max_body_size 128m;

    location / {
        proxy_pass http://immich;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}

server {
 listen 80;
 listen [::]:80;
 server_name xxx.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}


root@XXX:/etc/nginx/sites-available# cat immich.conf 
# Upstream where your immich server is hosted.
upstream immich {
    server 10.1.10.111:2283;
    # Improve performance by keeping some connections alive.
    keepalive 10;
}

map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

server {
    include /etc/nginx/sites-available/ssl_options.conf;
    server_name xxx.pictures;
    ssl_certificate /root/.acme.sh/xxx.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xxx.pictures_ecc/xxx.pictures.key;

    access_log /var/log/nginx/xxx.pictures.access.log;
    error_log /var/log/nginx/xxx.pictures.error.log;


#    proxy_buffers 8 16k;
#    proxy_buffer_size 32k;

    client_max_body_size 128m;

    location / {
        proxy_pass http://immich;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}

server {
 listen 80;
 listen [::]:80;
 server_name xxx.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}


root@XXX:/etc/nginx/sites-available# cat immich.conf 
# Upstream where your immich server is hosted.
upstream immich {
    server 10.1.10.111:2283;
    # Improve performance by keeping some connections alive.
    keepalive 10;
}

map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
}

server {
    include /etc/nginx/sites-available/ssl_options.conf;
    server_name xxx.pictures;
    ssl_certificate /root/.acme.sh/xxx.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xxx.pictures_ecc/xxx.pictures.key;

    access_log /var/log/nginx/xxx.pictures.access.log;
    error_log /var/log/nginx/xxx.pictures.error.log;


#    proxy_buffers 8 16k;
#    proxy_buffer_size 32k;

    client_max_body_size 128m;

    location / {
        proxy_pass http://immich;
        proxy_ssl_verify off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}

server {
 listen 80;
 listen [::]:80;
 server_name xxx.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}

Z

Zeus•11/26/24, 1:30 PM

I would remove the keepalive to start with

D

dabernieOP•11/26/24, 1:31 PM

will do

D

dabernieOP•11/26/24, 3:12 PM

Tried remove the keepalive 10 but it didn't fix the problem.

I

ImmichAPP•11/26/24, 3:30 PM

https://immich.app/docs/administration/reverse-proxy

Z

Zeus•11/26/24, 3:30 PM

Try to emulate our example exactly

D

dabernieOP•11/27/24, 9:37 AM

Just started a fresh nginx server config file from the template you shared.
I only added the my ssl options, certificates and log directives.
Unfortunately no change.


server {
    server_name xyz.pictures;

    # allow large file uploads
    client_max_body_size 50000M;

    # Set headers
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # enable websockets: http://nginx.org/en/docs/http/websocket.html
    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    # set timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://10.1.10.111:2283;
    }
    location = /.well-known/immich {
        proxy_pass http://10.1.10.111:2283;
    }
    include /etc/nginx/sites-available/ssl_options.conf;
    
    ssl_certificate /root/.acme.sh/xyz.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xyz.pictures_ecc/xyz.pictures.key;

    access_log /var/log/nginx/xyz.pictures.access.log;
    error_log /var/log/nginx/xyz.pictures.error.log;
}


server {
 listen 80;
 listen [::]:80;
 server_name xyz.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}


server {
    server_name xyz.pictures;

    # allow large file uploads
    client_max_body_size 50000M;

    # Set headers
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # enable websockets: http://nginx.org/en/docs/http/websocket.html
    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    # set timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://10.1.10.111:2283;
    }
    location = /.well-known/immich {
        proxy_pass http://10.1.10.111:2283;
    }
    include /etc/nginx/sites-available/ssl_options.conf;
    
    ssl_certificate /root/.acme.sh/xyz.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xyz.pictures_ecc/xyz.pictures.key;

    access_log /var/log/nginx/xyz.pictures.access.log;
    error_log /var/log/nginx/xyz.pictures.error.log;
}


server {
 listen 80;
 listen [::]:80;
 server_name xyz.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}


server {
    server_name xyz.pictures;

    # allow large file uploads
    client_max_body_size 50000M;

    # Set headers
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # enable websockets: http://nginx.org/en/docs/http/websocket.html
    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    # set timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://10.1.10.111:2283;
    }
    location = /.well-known/immich {
        proxy_pass http://10.1.10.111:2283;
    }
    include /etc/nginx/sites-available/ssl_options.conf;
    
    ssl_certificate /root/.acme.sh/xyz.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xyz.pictures_ecc/xyz.pictures.key;

    access_log /var/log/nginx/xyz.pictures.access.log;
    error_log /var/log/nginx/xyz.pictures.error.log;
}


server {
 listen 80;
 listen [::]:80;
 server_name xyz.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}


server {
    server_name xyz.pictures;

    # allow large file uploads
    client_max_body_size 50000M;

    # Set headers
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # enable websockets: http://nginx.org/en/docs/http/websocket.html
    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    # set timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://10.1.10.111:2283;
    }
    location = /.well-known/immich {
        proxy_pass http://10.1.10.111:2283;
    }
    include /etc/nginx/sites-available/ssl_options.conf;
    
    ssl_certificate /root/.acme.sh/xyz.pictures_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/xyz.pictures_ecc/xyz.pictures.key;

    access_log /var/log/nginx/xyz.pictures.access.log;
    error_log /var/log/nginx/xyz.pictures.error.log;
}


server {
 listen 80;
 listen [::]:80;
 server_name xyz.pictures;
 location / {
  return 302 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
  root /var/lespace/;
 }
}

Z

Zeus•11/27/24, 12:09 PM

What’s in ssl options.conf?

D

dabernieOP•11/27/24, 9:50 PM


cat ssl_options.conf 

listen *:443 ssl;
listen [2a03:cafe:cafe:cafe::cafe]:443 ssl;
http2 on;

# SSL options
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# SSL Stapling
ssl_stapling on;
ssl_stapling_verify on;

# sts
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# old apache config:
# Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
# Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
add_header Set-Cookie "HttpOnly; Secure";

# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header Expect-CT "max-age=43200, enforce" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Robots-Tag "noindex,nofollow" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header Referrer-Policy "strict-origin" always;

# robots.txt
location /robots.txt {
        alias /var/www/default/robots.txt;
}


cat ssl_options.conf 

listen *:443 ssl;
listen [2a03:cafe:cafe:cafe::cafe]:443 ssl;
http2 on;

# SSL options
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# SSL Stapling
ssl_stapling on;
ssl_stapling_verify on;

# sts
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# old apache config:
# Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
# Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
add_header Set-Cookie "HttpOnly; Secure";

# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header Expect-CT "max-age=43200, enforce" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Robots-Tag "noindex,nofollow" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header Referrer-Policy "strict-origin" always;

# robots.txt
location /robots.txt {
        alias /var/www/default/robots.txt;
}


cat ssl_options.conf 

listen *:443 ssl;
listen [2a03:cafe:cafe:cafe::cafe]:443 ssl;
http2 on;

# SSL options
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# SSL Stapling
ssl_stapling on;
ssl_stapling_verify on;

# sts
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# old apache config:
# Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
# Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
add_header Set-Cookie "HttpOnly; Secure";

# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header Expect-CT "max-age=43200, enforce" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Robots-Tag "noindex,nofollow" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header Referrer-Policy "strict-origin" always;

# robots.txt
location /robots.txt {
        alias /var/www/default/robots.txt;
}


cat ssl_options.conf 

listen *:443 ssl;
listen [2a03:cafe:cafe:cafe::cafe]:443 ssl;
http2 on;

# SSL options
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

# SSL Stapling
ssl_stapling on;
ssl_stapling_verify on;

# sts
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# old apache config:
# Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
# Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
add_header Set-Cookie "HttpOnly; Secure";

# security headers
add_header X-XSS-Protection "1; mode=block" always;
add_header Expect-CT "max-age=43200, enforce" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Robots-Tag "noindex,nofollow" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Content-Type-Options "nosniff" always;
#add_header Referrer-Policy "strict-origin" always;

# robots.txt
location /robots.txt {
        alias /var/www/default/robots.txt;
}

Z

Zeus•11/27/24, 9:51 PM

You have a lot of headers and some cookie stuff there

Z

Zeus•11/27/24, 9:51 PM

I’d cut it down the bare minimum per our docs

D

dabernieOP•11/27/24, 9:52 PM

Will do some trial and error tests with that tomorrow, thanks so far for all your help and pointers.

Error loading image AND Authentication required (401)

References

Similar Threads

Similar Threads

References

Similar Threads