HTTPS impossible on MacOS?
I'm trying to setup HTTPS also with Cloudflare, but I can't follow the instructions on this page: https://immich-distribution.nsg.cc/configuration/https/
because I must run this on a Mac (for various reasons), and I don't have the "snap" command that this seems to imply that I need.
:wave: Hey @iRedMC,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs
- Container Status: docker ps -a
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :blue_square: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed GitHub for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
The thing I was using before, called HFS, the newer version has a pretty much one click button for generating this stuff and turning on HTTPS. Is this planned for Immich? I don't know how I'm supposed to do any of this, but I know I need to.
One of the problems is that Immich is on port 2283, which is what it said it needed to be on when I was setting it up I think, so I'm afraid to change that to anything else
Also hosting on port 80 is a REALLY bad idea in this house, because sometimes it'll just load into the router interface, which I'm assuming is extremely dangerous.
Immich will not include built in HTTPS/web service
The link you posted is not from immich but from a third party immich installer/binary
You will want to research into reverse proxy setup if you want to expose immich on port 80(HTTP) and 443(HTTPS)
I do not want to expose on either of those ports
For the reason I mentioned, and because I might in the future want something else there.
I did see that there's something called nginx or whatever, but I'm really trying not to have to run additional things that break
there is no way to access immich remotely without any additional tool (proxy, VPN, etc)
That doesn't seem right - I port forwarded it and it worked fine.
it's just not HTTPS
Ok, yeah that’s technically possible but you should never do that because it’s not https as you mentioned
Precisely why I'm doing this
So you need an additional tool
Then I'd need someone to literally step by step tell me what to do, because all of the resources available assume I'm some kind of Linux dev, of which I am very much not, and I don't want to break it like last time
You might want to look at something like Tailscale VPN. Pretty easy setup
We don't offer step by step setup for non immich networking stuff
a VPN is a lil too much - I'd probably have to connect to it on my phone, and I'd have to teach my ex how to do th- it's just a bad idea for my setup.
I'm using Cloudflare... isn't there a way I can just... idk do something easily with that?
Fair enough but idk where else I'd go.
To be honest you don’t have the body of knowledge that I would recommend you just host services exposed at your home
This requires actual reading/understanding what’s going on. It’s not a 123 step thing
If someone gave me the instructions, I'd be able to understand and contextualize what's going on
There’s heaps of videos and guides online. Nginx is a good starting point
use a cloudflare tunnel
yea that's why I'm trying to setup Cloudflare
cloudflare tunnel limitation is 100mb I think, that's the only problem. But it's secure though
I saw someone talk about that too, but they were trying to move away from it - Probably because it requires some app to be running to connect to it on client?
well my up isn't faster than 20Mbps soooo I doubt I'd ever hit that limit outside the house anyway XD
that limitation is not speed
Oh that's a total transfer limit?
but the file size maximum
the fuck-
oh
Well that's completely out
I'm regularly sharing IMAGES larger than that
let alone videos
Because you can port forward and have cloudflare I recommend doing a reverse proxy
with crowdsec
for security
The limit is only on uploads FYI
I'm just looking to setup HTTPS through Cloudflare - one step at a time lol
I saw many talking about reverse proxies
you won't have any limitations on speed (except based on your home network speed) and can directly access it
dude, there are two ways, TUNNELS or Reverse Proxies
or VPN, but you don't want it
without any of these it's not possible
Sadly it would still be out because someone uses my server that never comes inside the local network, and that's far too hard a limit - wouldn't matter for me since I'm almost always inside, but y-
I can help with the reverse proxy if you are new to it
do the vpn then
it's easy
tailscale is secure and can login with your own google account
extremely fast as well
Would I have to connect to a VPN every time on clients?
if so that's out
you can, it's optional
oh
hmmmm
on windows devices, android or ios you have to or can leave it on the whole time
for linux it's just automated
as long as I don't need to do that, and there's no limit, and it's free, I think it'll work
oh
wait
If I have to have everyone connect to a VPN at all it's completely out
then reverse proxy it
These 3 are the only ways
Sounds like the best option
it says I can just use Cloudflare
on this page https://immich.app/docs/guides/remote-access/#option-3-reverse-proxy
Is this true?
you can experiment with any reverse proxy, but caddy is supposed to be the easiest one
ya but with limitation of 100mb
Well if I can just use CF, I'd much rather- oh
in uploads
balls
It mentions cloudflare because you can use a reverse proxy to connect your cloudflare domain to it
I have a Cloudflare domain as of like 20 mins ago
and then access your immich instance using cloudflare domain and security
then just use it as you can also reverse proxy it
Yea that's what I'm trying to figure out how to do lol
Caddy tutorial
or for best performance I suggest Nginx
that includes instructions for cloudflare?
wait what
huh?
search up a tutorial
for caddy
I did
with immich
oh
So that's a yes
DemonWarriorTech
YouTube
How to Setup Caddy with a Custom Domain (Beginner Friendly)
this guy also has an immich video
but if you want nginx I can provide my config
this seems to be another "provider" - Which I mentioned I already have one - Cloudflare, I'm paying for a domain, would I still have the limit even though I have a domain and everything?
Unless you are on CloudFlare business plan you do
I think
Even on the business plan it still has 500mb limit upload
At least the last time I checked it
you know what I'll deal with the limit, thanks for the other options, but this seems to be the best sweetspot for my situation - How would I go about setting this up for Cloudflare? I've tried searching it up, but I haven't really found much useful info somehow
Go to CloudFlare zerotrust
huh it seems to be taking me to a different dashboard for that
Then networks I think
Yes
You only have the limit with cloudflare if they proxy your traffic via your domain. If it's just doing resolution, there's no limit. Just as an fyi
I think I do have it set to do that
so yea
alrighty
Public hostname?
SpaceRex
YouTube
EASY Remote Access: How to setup CloudFlare Tunnels
one more thing - Is this going to allow me to do the same thing that I do now: Give anyone a link to a page they can view no matter what they're on
like they don't need to have anything running on their stuff to be able to view the page (in my case, it's usually an Immich album)
Yes
thank god
Yes, they only need internet
good
He seems to be tailoring this specifically for DSM on a NAS but I'm assuming most of the surrounding stuff I can follow.
I hope so anyway, since I'm not doing the Docker thing
It doesn't appear to be letting me use my domain for this
or the subdomain I created for it

He didn't have this problem
Also he said to disable TLS verification, which I think is... not what I'm trying to do, since the entire point of this is HTTPS
so yea I'd need to somehow stumble upon other resources..
it's also telling me I can't use my external IP.. so maybe it's looking for the internal one for my machine, since it's running a service on it?
nope doesn't work
yea I can't do what the guy did - It just says "service URL is not valid"
This video is for a specific purpose, and the info that it gives me can't be used for my case
Delete the existing record and tunnel and connect again
ok I got it to stop telling me my IP is invalid.. somehow - but now I just see this when I go to the "site"

Yes
What are your CloudFlare tunnel settings
For the public hostnames section?
The place where you enter the address
Is immich hosted on your Linux server or where?
I don't have a Linux server. It's a Mac mini on my local network.
So it's on docker?
Well ok screenshot coming up
yea
Run as a service on macOS · Cloudflare Zero Trust docs https://share.google/tTUX9R4MnK8bmXZcJ
Did you install the tunnel on the Mac mini

I installed the cloudflared thing
It's http
if that's the "tunnel", then yes
For the local network
Https after tunnel, http local
I didn't think it was running, either, so I typed "cloudflared" in Terminal afterwards as well
The service type should be http
alright so https://im.iredredux.net/ should work?
oh
that's not what he did
I guess that's one of the differences
ok
It works
oh my god it works
Seems pretty fast on my side
not secure though - that was what I was trying to fix
How do I turn on HTTPS with this?
Or is this.... basically an "alternative"
so I wouldn't need it or something
Https is turned on
oh?
oh damn
ok
LOL
When you access the domain now it's https
Lol
Http is local
Ok so I should have a limit of 100MB upload PER FILE, not in total?
Remove the portforward from your network
just to be very carefully clear
Yes
ok
excellent!
Thanks so much
Setup immich network settings
wait one more thing
can I turn off port forwarding (through router) for 2283 and have this still work?
So it automatically switches to uploading on local network while at home so you don't have the limit when connected to home wifi
Yes it should
BRUUUG
awesome
If the IP in CloudFlare tunnel is set to 127.0.0.1:2283
I did notice that
oh
balls
hmmm
How would I check that? Something in Terminal?
127.0.0.1 is localhost
Here the url
I'm aware
oh so the service
the service URL*
Change the IP from portforward to this
I have it pointing to my external IP
The external IP should not be proxied out without security or reverse proxy
It's unsafe
I'm not quite understanding - should I put the internal IP for that Mac mini in there instead?
Sure that works too
No but is that what I should be doing
I just said the localhost ip because when you change your network or something you have to change your device local ip again
Oh ok yes it does appear to work still
Make sure to setup CloudFlare google oauth
Basically google oauth in CloudFlare and then CloudFlare oauth in immich
The account I made was through that
does that mean I've already-
I'm guessing this is something else
Because when opening your website it asked for email and password of immich
ye
This method might be unsafe
Oh
So make sure to secure it
With oauth setup
I mean there's no other options on the page
Such as this
Go to administration settings on immich
OH
The first option should be about logging in
OAuth Authentication | Immich https://share.google/ZwySdWo0NllMgHRuU
Here is the official immich guide for oauth
With google directly
Honestly this seems extra. I might try someday, but for now, as long as someone can't read my password out as plain text from an HTTP request or some shit, I've had my quota for the day XD
Thanks so much for your help
🙂
It's people like you who give me the highest faith in the open source community
Thanks man