Immich, Authentik, Caddy with Docker
Hi, I have all three running and functioning in Docker containers. They're all able to communicate with each other. I also have dnsmasq set up to redirect traffic from Immich to Caddy. Caddy is then configured to redirect the traffic to Authentik.
Immich -> Caddy - HTTPS
Caddy -> Authentik - No HTTPS
Immich is configured to issuer URL:
https://authentik.local/application/o/immich/
Also, I have that Immich error I shared when clicking Login with OAuth, but docker-compose doesn't show me any updated logs after I click the button and get the error.
Containers are able to communicate with each other and via Caddy. The error I'm getting appears to be something to do with an HTTP or HTTPS protocol error, maybe?

:wave: Hey @Dudesss,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release(note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Oh you have self-signed certs?
I'm not 100% but I'm rather sure we don't support those
I'm not sure if the connection from immich to caddy is using self-signed or LetsEncrypt
Caddy to Authentik uses no https
Well you cannot possibly get a real cert for *.local
Ooh
What's the solution for local development?
Or LAN solutions?
For development there are pretty minimal identity providers and I wouldn't even use https for communication
For every other use case I would use a real cert 😅
Ok 🙂
All this Caddy work lol
Huh?
You can absolutely keep using caddy
Sweet 🙂
I'll change, https://authentik.local/application/o/immich/ to http://authentik.local/application/o/immich/ via the Immich OAuth config
And set up Caddy to receive communication via HTTP
You're only working in a dev environment?

Yeah
Just on my local desktop
What are you working on? 👀
I'd like to set up Authentik to create a portal to home apps
Including Immich and others
So it's not a dev environment?
Eventually no
Gotcha
I'm just at the beginning phase
Eventually I'll set up a domain, dynamic dns
Just please make sure you won't use http when exposing your home network
100%
Thanks though
Np :)
Exposing my home network scares me. I'd like to separate the network somehow.
There's a whole (very long by now) thread about it here, though it's obviously not an Immich specific topic
https://discord.com/channels/979116623879368755/1122615710846308484 this is the thread
Thank you!
I have some friends in ITSec
But also lots of resources out there
But will definitely check out that thread
Ah even better!
And don't use cloudflare proxy ;)
At least if you care about privacy
I won't
Trying to find EU alternative
Or EU-friendly
For what?
I don't know
dynamic dns
I personally use cloudflare for DNS only and it's great imo
And for the dynamic part you can just run some software on your host that frequently updates the entry if it has changed
Yeah, then connect to duckdns or some sort?
I'd say just get your own domain
And don't use duckdns
Aight
But you sound like you're willing to learn and are already more knowledgeable than many others here tbh 😅
I think you'll easily figure it out :D
Thanks dude
I don't want to ping you much more, but do you know if I should change this RS256 to something without encryption?

If I'm using HTTP
That's the signing algorithm of the oauth handshake, not the https part
So yes, you should leave that set per our docs
Oh, it's working now without https 😛
Do you need to expose it? Why not VPN?
I was originally planning on going down the reverse proxy route, but now use WireGuard + Caddy + dnsmasq so I can have custom domains. I decided the risk of internet exposure wasn’t worth it.
Ignore if not relevant 🙂
Would VPN be safer?
I feel like then I'm opening my network even more
A VPN is safer than a reverse proxy for sure.
Yes, and WireGuard is extremely fast.
You wouldn't be exposing more to the internet with a VPN. You would be opening a single port to the internet (e.g., 51280), and it requires specific "handshakes" from private keys on your devices (e.g., iPhone) paired to stored public keys on your server. Without those keys, the port on your server isn't accessible.
If you choose to open port 443/80 on your server for a reverse proxy instead, you are relying on your own server security setup (e.g., fail2ban + caddy + some cloudflare CDN), whatever authentication method you've implemented, and Immich's web security.
This is not a knock on the Immich devs (I love Immich :), but AFAIK the app wasn't primarily designed with security as the foremost priority. Any vulnerabilities in Immich could potentially be exploited by attackers.
You are potentially risking someone compromising all of your photos.
Of course, this is a low risk. But still a real one.
Unless you're 100% confident in your security configuration skills, I think VPN is the safer choice.
I definitely agree with that and a VPN is always safer, though I want to throw in one more aspect to consider:
We're generally pretty good at keeping our software updated (I'd say), so any "trivial" vulnerabilities are rather unlikely I think
I'd be scared of opening my whole home network to the VPN. Instead, I'd want to restrict it to a subsection separate from other devices.
But I also want to continue using my desktop like I normally do, so maybe I should run the Immich part of my desktop in a VM on a separate subnet or something
a VPN is a point to point connection between your server and your client. you are not opening anything
you can't run a vpn without either an open port at one end or a trusted party in the middle (i.e. tailscale)
an open UDP port is not the same as a TCP
Uh, I guess so, I don't see how you can say that you "aren't opening anything" though
you are opening a UDP port haha
Care to elaborate?
I assume they mean because they are harder to scan/probe because they just drop all unknown traffic
there's no handshake in UDP. if you don't send valid keys on the first connection, it gets dropped, no error, no response. so a point of attack is harder
whereas with TCP you can identify that the port is open. but it doesn't change that you have a hole into your network where a service is reading outside data
and given how many people use the default port for VPNs I don't think that's that much of a difference
You don't get any feedback that's fair
(it takes almost no time to scan the port space BTW so if your VPN does have a vulnerability regardless of what port it's on, scanning your UDP space is easy)
Oh, so like only access to my VM and nothing else in my network