Immich 5mo ago
lpares12

Exposing locally and remotely

I'm sure this has been asked before. But I was planning to expose my immich instance through either an nginx reverse proxy on a VPS or a cloudflared tunnel. So for both these services I'd be using https and setting the HTTPS termination on the cloudflared tunnel/VPS. Then I'd rely on WireGuard/Tailscale/whatever Cloudflare uses to route it to my HTTP immich server on my local network. I don't really mind anyone sniffing my local network (but I wouldn't be against setting https on it either).

The problem is that the APP only allows for 1 server URL, so it would be either immich.mydomain.com or 192.168.1.100:2283. This means that the APP wouldn't be useful once I'm on my local network, since the local address would be http://192.168.1.100:2283 instead of httpS://immich.mydomain.com, unless I set the address to immich.mydomain.com, but then that would require Internet connection on my local network, and all the traffic would get routed through the VPS/Cloudflare instead of going directly through my local network.

I know for example, Home Assistant app allows to set a local SSID and IP so the app will use that instead of the remote address when it detects that wifi SSID.

Anyways, I'd just want to discuss how to avoid this issue with the app. My router does not allow split-horizon, and I can't even change the DNS settings on my router to point to my machines. I can only disable a thing called "Safe DNS" that I don't even know what it does. The router I have is the Sercomm FG824CD.
8 Replies
Mraedis 5mo ago
What you want is a split DNS: a DNS server that returns the local address when coming from inside the network, as opposed to the IP address.
Home Assistant has the AdGuard add-on for instance; this does ad blocking and can be used for DNS rewrites.
lpares12 (OP) 5mo ago
But as I understand the split dns should be in the router, no? In my case, this is not possible since my ISP router doesn't support it (and I can't replace it). Also, it wouldn't fix the issue of accessing with http vs https, since the termination is done in the VPS/Cloudflare tunnel not in the local.
Mraedis 5mo ago
Split DNS is however you want it to be.
What you are thinking of is pinhole NAT.
What split DNS does is, coming from the inside:
1. ask local resolver what IP address is for xyz
2. local resolver tells you it's 192.168.xyz

Coming from outside the network, you don't ask the local resolver and it gives your external IP address.
emielregis 5mo ago
Right, but OP says that over LAN, the immich API endpoint is exposed through http, but over the interwebs it's exposed through https. It might be possible to set up an nginx proxy locally with a self-signed cert and use split DNS, but I don't think it's as simple as just setting up split DNS in the router. I've never attempted to set up split DNS and only have a theoretical understanding, so I might be completely wrong on this.

I think the root problem is that you need to specify if the app should use http or https when setting up the API endpoint during initial setup. The app does not have the ability to use https when available and fall back to http locally.

This feature dropped in v1.22, 30 minutes after I typed this out lmao.
Alex Tran 5mo ago
=)) jinx
lpares12 (OP) 5mo ago
That's what I meant yeah, but my router doesn't even allow to change the DNS servers, so I think I'm cooked for that. Even with the http fallback changes, I don't have any way to tell my devices how to find my immich.mydomain.com when I'm on my network and Internet is down.
emielregis 5mo ago
If your internet is down, there would be no point in being able to resolve immich.mydomain.com because you can't reach Cloudflare's edge server anyway. But with this update, your app switches to your local IP when you're connected to your home WiFi, so it should work without internet just fine.
