Immich and In Transit Encryption
I'm new to Immich and I'm planning to use it soon, at the moment I'm just reading info around.
I will install it on my Raspberry to allow my family, when at home, to view photos, videos and so on.
Unfortunately, on my home network there are untrustworthy devices which are able to sniff Wi-Fi packets. I'm not the owner of those devices, so I can't really disconnect them.
But I do not want that something could intercept the traffic between our phones/laptops and my Raspberry.
Does Immich handle the encryption layer automatically, or do I need to manage it myself?
If that's the case: is there any "transparent" solution, something you just set up & forget about?
I know how to set up and use SSH tunnels and VPNs, but the others aren't as tech-savvy as me and I want to spare them the hassle of setting that up every single time.
10 Replies
:wave: Hey @Lax,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :blue_square: verified I'm on the latest release (note that mobile app releases may take some time).
2. :blue_square: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable.
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
You're looking for a reverse proxy with https
As far as I understand (please correct me if I'm wrong), setting up a reverse proxy with HTTPS requires purchasing a real domain name or, at the very least, setting up a local DNS server (which means I will have to change the DNS server on each device that has to use Immich).
And that also requires installing self-signed certificates on all the devices, which is inconvenient.
There's no simpler way?
No https without a domain name, unfortunately. At least none that just works out of the box with any device.
It's either a domain name, or local DNS with a self-signed cert.
The former is by far the easiest; you can get some domains for really cheap.
I guess there's no third way then
Thanks
A dynamic DNS service with a (possibly free) subdomain would be your alternate option
Thanks for the suggestion, I'll leave an update if I succeed
I'm gonna go in here, drop https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate, and then :peepoLeave:
(for your use case you should really use a domain, domains are super cheap)
Hey everybody, thanks for all the replies, I managed to find the ideal solution I was searching for.
I just installed Immich in a test environment on my laptop, and I can successfully connect to it from my phone using https.
It's free, there's no need to buy a domain, there's no port forwarding involved, and no device has to be configured manually (no self-signed certificates, no messing around with custom CAs, etc).
I'll just leave it here in case somebody gets stuck like I was until yesterday:
Step 0) I'll assume that Immich is installed on 192.168.1.123 and is listening on the default port, 2283.
Step 1) Use a DDNS like duckdns.org (free) to register a third-level domain, like example.duckdns.org, which must point to the local (yes, local) IP of the server where Immich is installed (as written above, in my case it was 192.168.1.123). Keep note of the token, it'll be required in the next step.
Step 2) You have to configure Let's Encrypt, thus Certbot and ACME, and then a reverse proxy, plus some more things. To do all this, I used Caddy (github.com/caddyserver/caddy), which does most of these things automatically or with just a few more lines of configuration (you can use nginx too, or whatever else).
Since DuckDNS support isn't built into Caddy by design, download it from the official site: caddyserver.com/download?package=dns.providers.duckdns (search for dns.providers.duckdns); alternatively, use xcaddy (github.com/caddyserver/xcaddy).
Now, time to configure Caddy. This is my /etc/Caddyfile:
Step 3) Run /path/to/downloaded/caddy run (wait from seconds to hours for the certificate to be issued and for the DNS challenge to be solved; if you see a bunch of "challenge failed" due to "timeout"s, as I did, do not worry, because you probably just need to wait some more time... until it suddenly just works).
Now, you should be able to access Immich on https://example.duckdns.org.
That's it.
Extra: do not forget to keep the local IP updated on DuckDNS, or it won't work anymore when the IP suddenly changes. A good and automated solution is to create a crontab script; DuckDNS itself offers a handy script, check it out: duckdns.org/install.jsp.
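As an added example (not the poster's own Caddyfile, which did not survive in the thread), here is a Caddyfile that implements the setup above: a DNS-01 challenge through the DuckDNS module, so no port forwarding is needed, and a reverse proxy to Immich. It assumes the hostname example.duckdns.org and the address 192.168.1.123:2283 from the post, and that the DuckDNS token is supplied through an environment variable named DUCKDNS_TOKEN (an assumed name) in the environment of the caddy process.

```caddyfile
# Added example, not from the original thread. Assumes the hostname
# example.duckdns.org and the Immich address 192.168.1.123:2283 from the
# post above, plus a DUCKDNS_TOKEN environment variable (assumed name) set
# for the caddy process, so the token never sits in this file.
example.duckdns.org {
    # DNS-01 challenge: Caddy publishes the ACME TXT record through the
    # DuckDNS API, so Let's Encrypt never has to reach the Raspberry Pi
    # itself. Nothing is forwarded on 80/443; the name resolves to a LAN IP.
    tls {
        dns duckdns {env.DUCKDNS_TOKEN}
    }

    # Plain HTTP only on the hop between Caddy and Immich. If Caddy runs on
    # the same host as Immich, 127.0.0.1:2283 keeps that hop off the Wi-Fi.
    reverse_proxy 192.168.1.123:2283
}
```

The token lets anyone who holds it rewrite the DNS record, so treat it as a credential and keep it out of shared compose files or chat logs. If the name does not resolve from inside the LAN, check whether the router's DNS rebinding protection is dropping public names that resolve to private addresses.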