Subdomain for Immich using Tailscale and Nginx
so my registrar is squarespace; i added
photos.mydomain.com -> hostname.tailnet.ts.net (can't expose this computer without tailscale atm)
then on the computer i ran tailscale funnel --https=443 localhost:80
and in nginx
if i visit hostname.tailnet.ts.net, it takes me to immich and works properly
if i visit photos.mydomain.com, it says connection closed
if i visit http://hostname.tailnet.ts.net:80, it redirects me to photos.mydomain.com
curl -v http://photos.mydomain.com seems to pass okay, curl -v https://photos.mydomain.com says this
so chatgpt is telling me that to fix this i would either have to use cloudflare/a VPS or suck it up basically
is there any way y'all can think of that would let me use multiple subdomains on my domain to access Immich and the tools just with Squarespace, Nginx, Tailscale, and maybe making a cert? or is it just not possible
:wave: Hey @💜Clari,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs
- Container Status: docker ps -a
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :blue_square: verified I'm on the latest release (note that mobile app releases may take some time).
2. :blue_square: read applicable release notes.
3. :blue_square: reviewed the FAQs for known issues.
4. :blue_square: reviewed Github for known issues.
5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
for the record setting
photos to the 100. IP from tailscale takes me to immich though it says not secure
presumably because i don't have an ssl cert for photos.mydomain.com?
@Damon both
i am logged in to tailscale rn or this wouldn't work
Ahh funnel is a different tech.
but ideally i want it to work for computers that are not logged in to tailscale
hence this setup
with the cname rec to the funnel URL
Ahh ok
Do you have a static external IP?
You can not have a custom domains for Tailscale funnels
not for the computer
I mean from your internet service provider.
all signs seem to be pointing to "get a cheap vps, configure nginx to forward photos.domain -> 100.x then configure nginx on the computer to get the service"
no
Do you know if you’re behind a CGNAT? If that means anything to you.
google oh that's an isp thing
no idea
it's eh
it's on my uni's network lmao
The plot thickens
yeahhh
hence why i'm kinda locked in to very limited methods of getting outside traffic to the computer
Yeah I was behind a CGNAT for ages so I was kinda in the same situation.
I’m pretty sure a cloudflare tunnel would work for you but it has privacy implications. As in cloud flare could see all the data you send through it if they wanted.
You could use a Tailscale funnel I think but you would have to use the URL it provides you. Which will not be memorable
i mean i remember it lmao
i just wanna make it easier for my less savvy team members
and also make it look more official by using our domain rather than ts.net
IMO a Cloudflare tunnel is the easiest solution. Might be worth looking into Pangolin but I haven’t used it.
huh
it really does seem like cloudflare is the..yeah
assuming this is correct

cloudflare is the only free option, at least
Caveat with cloudflare is it has a size limit to uploads
oh that's good to know, do you know what it is off the top of your head?
i would think i can still directly use my tailscale url to bypass the upload limit if it becomes an issue for a big file but for just photos i shouldn't think it's an issue
videos maybe
google says 100mb, that's about what i assumed
Yep that's correct
Also, given cloudflare is a reverse proxy they can see all your traffic in plain text. Not ideal either
right
so the only free option is cloudflare and the only "secure" option is a vps?
Sorry I haven't read the whole thread; what's the issue with tailscale (funnel) again?
i can't make subdomains and SSL gets mad if i try to CNAME directly to my ts.net url from squarespace because the tailscale cert is only valid for ts.net and not for photos.mydomain.com
none of my research has said that making a cert for photos.mydomain would help (probably because i can't uhhh tell tailscale to use that cert or whatever..idk the terminology for configuring certs)
Yeah that sounds very much correct
Maybe you can? https://tailscale.com/kb/1153/enabling-https#using-other-tls-certificates
Hm no doesn't look like it. You can just get other certs for your tailnet domain
hmm
i'm not super understanding what it's saying..yeah that was all i was getting
and you can't reuse certs across domains, right? that's not how certs work
You can make certs for multiple domains
It wouldn't be pretty
lmao
But you could do it lol
so make a cert that works for both my ts.net and my photos.mydomain?
intriguing
i was wondering why my ts.net url still works even though it's funneling 80 and not 2283, so i moved power-tools to the top of my nginx conf file
then went to ts.net and it tried to access power tools
so it's just because it's the first result, i guess - even though the subdomain doesn't actually match
i mean sounds jank as hell but like
The issue is kind of that I don't really know how you'd tell the cert auth that you are allowed to have a cert for the ts domain. Like, usually when you're using something like a DNS-01 challenge it'll make an api call and edit a DNS record at your domain registrar for those domains
hmm sure
well how does tailscale let us give alternate certs?
"When Caddy gets an HTTPS request for a *.ts.net site, it gets the HTTPS certificate from the machine's local Tailscale daemon"
Apparently caddy at least doesn't create a new one but only uses the tailscale one
oh
huh
why is it necessary then...
Honestly a VPS might be the simplest option...
God knows lol
yeah that's what i'm thinking
at least if i don't want to deal with the upload limit or have cloudflare watching my traffic
Yea
*might be the simplest non-cloudflare option
:)
right
this idea came from https://canary.discord.com/channels/979116623879368755/994044917355663450/1388407845648859237 this long conversation btw
i was trying to make my own path but it doesn't seem like there are too many paths to get this result lol
How are they getting certs? 👀
suppose that's a good question
presumably on the vps..? and the normal way, since it's just registrar dns -> public vps ip for the first hop
Oh they also use a VPS? 👀
yeah
Another simple idea is a Tailscale funnel with a 301 redirect from your domain to the funnel url.
Why even tailscale funnel then lol
cuz it's free
I don't follow
mm
can't do multiple domains that way though
You'd just have that http-only?
believe he's suggesting i literally just have the path change from photos.mydomain to ts.net
assuming i understand redirects, would work fine for photos.mydomain.com but power-tools.mydomain.com would also redirect to the same ts.net and just get me immich again
No. Tailscale funnel creates a URL and a cert. You can’t have custom domains for funnels though. So you would go to photos.xxx.com and it would just bounce you to the funnel URL which is HTTPS
Yeah exactly, photos.xxx.com would be http-only though?
it wouldn't need a separate cert if it's just a redirect i believe? registrar should handle it?
If you're replying with a 301 you need a http server that sends that
Thus a cert
Depends on your provider. Cloudflare can generate a cert for it.
Oh right you could serve that from a CDN
Fair
ah i see what you mean
The other thing that kind of sucks about this approach is that you cannot use your actual domain for non-web clients. E.g., the Immich app doesn't follow 301's
Neither does our cli or immich-go afaik
My apps front page domain used to 301 to the GitHub repo and it was https.
Generally anything that isn't a web browser doesn't like following 301's
believe i would be doing it here because squarespace

Yeah. It’s not ideal by any means.
Yeah that'd be similar

that's a 301
Yep
i mean
this page is for configuring 301s
so that would be the easy way
as an alias
but again only works for one domain
Yeah, that'd allow you to at least enter your actual URL in a web browser
yea
Not necessarily?
unless i'm sorely mistaken i guess
You can have foo.mydomain.com redirect to a different URL
that's not what i mean
i have multiple services running on the same host
i'm using the example of immich and power tools, but if i get something working it would be expanded to other sites in the future
but since it's on the same host i only get one ts.net url
Hold on
I think I'm just dumb
nginx would handle sorting the subdomains into their proper services, but i get blocked by the ssl step because the tailscale cert isn't valid for photos.mydomain
You can use a CNAME
I do remember you being able to have multiple funnel ports for different paths
aw what

oh?
If you have a CNAME point at your ts.net domain and that links to a local reverse proxy, that local reverse proxy can get certs for that record
That doesn’t work with funnels.
:HUH:
I thought the only issue was certs?
do tell
i mean kinda
local reverse proxy like nginx or caddy?
Yes
i think tailscale catches it before it reaches nginx though
Oh that'd destroy it
:monkaHmm:
precisely
I tried using a CNAME to a funnel before I got a static IP. I couldn’t get it to work. And the funnel docs said I can’t assign a domain to funnel.
Oh but I guess that's how they get certs in the first place 😅
I ended up bullying my ISP into giving me a static IP. Life is better now.
I mean static IP isn't even really necessary tbh
Just no CGNAT
I was CGNAT…
Or in this case UNAT (university NAT) I guess :D
LMAO yeah
I’m going to hit the hay. I’d recommend a 301 or Cloudflare tunnel (boo hiss). Hope you find a solution that works for you.
haha
thanks
:peepoSlam:
VPS
:peepoSlam:
i still wanna know what you were saying about funnelling multiple ports though..
yeah as i thought, if i set 301s for photos. and power-tools. they both redirect to ts.net and i just get immich either way
I think it was
--set-path then use a reverse proxy to redirect. I can’t remember. Eyes. Slowly. Closing.
haha all good i'll look up set-path
Or look into a VPS so @Daniel stops spanking me
at first glance set-path looks like it does the same as what i was trying to do with nginx
/photos, will keep researching though
broke my chrome dns or something lmao
my other server is uhhh well if i go to .ts.net on the profile i want, it redirects to .ts.net/immich/
but if i go to .ts.net in guest mode it works fine
there we are; inspect -> Networks -> Disable cache button fixed it
intriguing
it is the same thing, but it's very smooth, less faff than nginx (although nginx wasn't too bad either other than trailing slashes lmao)
anyways it doesn't work for immich so
holy fkn shit
so uh
on a whim i tried
not only does that work just fine (since /power-tools isn't recognized by immich, there's no reason not to hijack it)
it also fixed power tools???
well kinda
before it said this

now i get this

and if i go to like "rewind 2024" it just goes to .ts.net/rewind
so maybe i need a subdomain for power tools too
so i'm back where i started which is fine lol
....
okay so...when i go to my ts.net url, i successfully connect to immich, but i can't upload at least videos - console says 413 request entity too large
when i go to photos.mydomain.com, which i created as an A record pointing to the internal 100. tailscale url, it lets me upload the video... never mind, it's failing to connect to the websocket
i'm using
tailscale funnel --https=443 localhost:80, and nginx is handling the subdomain but i think i might need to just go back to funneling 2283 directly lol
and that doesn't explain why it can't connect to the websocket - unless it has to do with http vs https
You need to specifically enable websocket for nginx
Have you followed our nginx docs?
ahh
no
i look
haha i didn't know y'all explicitly put this in

yeh i found it
We got too many people help desk threads and issues lol
cough
whoops
You understand at least, that makes it a whole lot different lol
i like to think that even when i ask a billion questions i'm not super annoying because i either understand the answer or i know how to ask a followup so that i understand the answer later
for the most part
and i try lol
so anyways does it matter if the proxy headers are set in location or in server block?
I can confirm that :D
I don't do nginx lol
Idk
fair
i got my start config from chatgpt tbh, i was just curious because chatgpt had
but immich docs say
i'll match immich's though
Oh I see. Yeah I'd probably also rather trust whoever wrote it for us than chatgpt lmao
Quite possibly both just work though tbf
much improved (man, that "uploading" text is awful...)

that's my guess
:HUH: