Custom Headers not working on Automatic URL Switching External Server
So I've got a fully working setup, in general, using Cloudflare fronting everything and requiring Cloudflare Access HTTP Service Auth headers, and using the "Custom Headers" in the iOS Mobile app.
I was excited to try the new "Automatic URL switching" so that I could use a LAN address on home WiFi. It seems like the perfect option so that the app doesn't always have to go out through Cloudflare when at home.
However, I can't use it because I'm 99% sure that the way the settings page works in the iOS mobile app is when you enter the "External Network" endpoint, it looks like it tries to connect to the server to verify it works before saving the setting.
It appears that this server check must not be using the Custom Headers w/ my Cloudflare Service Auth headers, so it fails the check and won't save the external network server URL.
And thus, the whole point of Custom Headers to use Cloudflare Service Auth on WAN can't seemingly play nice with automatic URL switching, sadly.
Unless I'm missing something...?
Any help would be greatly appreciated!
Thank you,
16 Replies
:wave: Hey @tomservo,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
Not fixing your issue (that actually sounds like a bug), but you're aware of the cloudflare security implications?
I am probably not aware of what specific thing you are thinking of
Cloudflare is able to access all your traffic, unencrypted
That's what you get when relying on someone else's proxy
Ah, yes, in that sense I'm fully aware of the trust required at that level using cloudflared tunnel
Thank you for being security-minded first though, always a good thing 🙂
K then it's good :)
Re: the bug I was talking about, I was just poking through the mobile code and it looks like, I think, the first network request it would make when entering this external server URL is the api service pingServer() function which (if I'm right) is getting a 403 from cloudflare and throws an ex, and blows up the whole thing
Regarding your actual issue I think it makes sense to open an issue on Github. You sound knowledgeable enough to me to assume it's not user error ;)
We've been doing that ping before as well though
But yeah, most likely a bug
Since I have your attention for a moment, if you could point me at how the custom headers are applied to the http client (in general) I am more than happy to dig a bit from there and open a GH issue and maybe a PR to fix it if I can
Uhm sorry but I'm not a mobile dev, so I have no idea where that is either 😅
Ah no problem, I'll just do what I usually do (work backwards from the rendered text on a given page) 🙂
appreciate the time, thank you
Sounds great!
If you have any dev questions you can always ask in #contributing as well :D
We're always happy for new contributors and there currently aren't this many new ones haha
I tried to a while ago for the mobile app but dart/flutter is fairly esoteric to me, I did get it all running and compiling though, so I can see if I can fix this bug 😉
Have a nice afternoon!
You too! :)
For anyone that may run across this thread in the future, I confirmed this was a real bug and a fix is in PR https://github.com/immich-app/immich/pull/14708