Mobile photo downloads fail through nginx HTTPS

Hello!

I am having trouble getting file downloads to work on mobile (both Android and iOS) when I am connected to my Immich server through an HTTPS connection. If I switch to HTTP (i.e. change the listening port to 80 and comment out the ssl lines), downloads work as expected. HTTPS downloads work as expected in a web browser.

I think this is a client-side issue because I don't see any web requests in the nginx access logs when I tap the download button. However, I am struggling to find any errors in the client logs, only a pop up message saying "download failed".

The TLS certificate is a wildcard cert signed by my own internal CA which I also use on about a dozen other self-hosted services without issue. The internal CA is trusted by my devices, but I still had to enable the "Allow self-signed SSL certificates" within the app to get it to connect.

Clients:
Google Pixel 7a
Android 14
Immich 1.123.0 build.172

Apple iPhone 13 mini
iOS 18.1
Immich 1.123.0 build.186

Server:
Ubuntu 24.04.1
Immich v1.123.0 installed via Docker Compose
nginx/1.24.0 (Ubuntu)

nginx site config:

upstream primary {
    server localhost:2283;
}

server {
    listen 443;
    server_name photos.example.com;

    ssl on;
    ssl_certificate /etc/ssl/star_example_com_chain.crt;
    ssl_certificate_key /etc/ssl/private/star_example_com.key;

    client_max_body_size 50000M;

    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://primary;
    }
}

upstream primary {
    server localhost:2283;
}

server {
    listen 443;
    server_name photos.example.com;

    ssl on;
    ssl_certificate /etc/ssl/star_example_com_chain.crt;
    ssl_certificate_key /etc/ssl/private/star_example_com.key;

    client_max_body_size 50000M;

    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://primary;
    }
}

Immich•14mo ago•

13 replies

RhubarbBread

Mobile photo downloads fail through nginx HTTPS

upstream primary {
    server localhost:2283;
}

server {
    listen 443;
    server_name photos.example.com;

    ssl on;
    ssl_certificate /etc/ssl/star_example_com_chain.crt;
    ssl_certificate_key /etc/ssl/private/star_example_com.key;

    client_max_body_size 50000M;

    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://primary;
    }
}

upstream primary {
    server localhost:2283;
}

server {
    listen 443;
    server_name photos.example.com;

    ssl on;
    ssl_certificate /etc/ssl/star_example_com_chain.crt;
    ssl_certificate_key /etc/ssl/private/star_example_com.key;

    client_max_body_size 50000M;

    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://primary;
    }
}

Mobile photo downloads fail through nginx HTTPS

Similar Threads

Mobile photo downloads fail through nginx HTTPS

Similar Threads

Similar Threads

Similar Threads