Understanding required headers to show real client ip in immich logs
Hello,
I have Immich set up behind a Traefik reverse proxy which is running in a VPS and proxying back to Immich via Tailscale. So it receives requests without any other proxies being involved. I would like to enable brute force detection with CrowdSec parsing my Immich log. I'm noticing when testing this that the failed auths are attributed to the Tailscale IP address of the VPS rather than the real client IP.
Reading the Immich documentation I see that the headers Host, X-Real-Ip, X-Forwarded-Proto, and X-Forwarded-For are required. Looking at Traefik's documentation it seems like they will set either X-Forwarded-For or X-Real-Ip but not both, and additionally will set X-Forwarded-Host instead of just Host. My own Traefik access logs seem to back this up.
So I guess my question is, for Immich to correctly attribute the client IP do the proxy headers need to be set exactly as it says in the documentation, or is there anything I can do to have it work with what I'm getting from Traefik by default?
Thanks
https://immich.app/docs/administration/reverse-proxy
We need these 4 headers. I find it shocking that traefik wouldn’t support that but if so that’s a question for their team
Otherwise you could do trial and error by removing some and see if it still works
Got it. Best I've been able to tell they don't set XFF where traefik is the only proxy. They will only preserve it if set by a trusted proxy ahead of traefik.
I'll see if there's a way to manually set it.
FWIW can confirm that our docs work with nginx and fail2ban. So it does process the headers if correctly set
For anyone who finds this post in the future I did find a Traefik plugin that can manually construct the X-Forwarded-For header. It can set the value of one header as the value of another, but at the time of writing that only works for their concatenation function. So you have to first set the empty XFF header, then concat in the client ip with whitespace as the separator, then remove the whitespace, then concat in the proxy host ip. Extremely hacky but it does work with a config like the following
After getting this working my immich server was still not showing the correct ip, until I found a thread talking about the IMMICH_TRUSTED_PROXIES environment variable, added that, and now my setup is working 🙃 . So I have no idea if any of this header rewrite stuff was necessary or not but I figured I'd share for entertainment purposes if nothing else.
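The thread ends on a trusted-proxy list fixing the logged address. As an added example (not part of the thread, and not Immich's or Traefik's code), this sketch shows how a backend commonly resolves the client address from X-Forwarded-For once it knows which peers are trusted proxies, and why the proxy's own address is logged when that list is empty. The function names, the IPv4-only matching and every address are assumptions constructed for illustration.

```javascript
// Added illustration: not Immich's or Traefik's code. IPv4 only.
// All addresses below are constructed samples.

// Dotted-quad IPv4 -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip is inside "a.b.c.d/len"; a bare address is treated as /32.
function inCidr(ip, cidr) {
  const [base, len = '32'] = cidr.split('/');
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null) return false;
  const size = 2 ** (32 - Number(len));
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Start at the TCP peer and walk X-Forwarded-For from right to left,
// stepping over trusted proxies. The first untrusted address is the client.
function resolveClientIp(peerIp, xff, trustedProxies) {
  const isTrusted = (ip) => trustedProxies.some((c) => inCidr(ip, c));
  const chain = (xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  let current = peerIp;
  while (isTrusted(current) && chain.length > 0) {
    const next = chain.pop();
    if (ipv4ToInt(next) === null) break; // malformed entry: stop here
    current = next;
  }
  return current;
}

const PROXY = '100.64.0.5';  // constructed: the proxy's tailnet address
const CLIENT = '203.0.113.7'; // constructed: the real client
const cases = [
  ['no trusted proxies', CLIENT, []],
  ['proxy trusted', CLIENT, [PROXY]],
  ['forged left-most entry', `198.51.100.99, ${CLIENT}`, [PROXY]],
];
for (const [label, xff, trusted] of cases) {
  console.log(label.padEnd(24), resolveClientIp(PROXY, xff, trusted));
}
```

Only the entry appended by the trusted proxy is believed, so a header value supplied by the client itself cannot move a brute-force ban onto another address.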