Locally selfhosting photos, no internet (self-signed certificates)
I want to selfhost Ente Photos in my LAN and not expose it to the internet. It would be OK for me to just do everything over HTTP, as I use a VPN to connect to the Ente server when I'm away. But museum only accepts HTTPS traffic (see https://help.ente.io/self-hosting/administration/reverse-proxy).
OK, then I put a reverse proxy in front of it and serve museum over HTTPS with a self-signed certificate. This works on desktop in the browser once you trust the self-signed certificate in the system's truststore.
But the Ente app doesn't work this way. It doesn't accept the certificate even if it is added to the truststore. What can I do? I can't be the only one who doesn't want to expose Ente to the public internet if not needed.
How can I either:
- make the Ente app trust my self-signed certificate?
- connect to museum over http only?

13 Replies
Ente's server, Museum, requires HTTPS for incoming traffic for security reasons.
To configure a reverse proxy, which is recommended for making application services accessible, you'll also need to configure HTTPS through SSL certificate management. See the reverse proxy documentation at https://help.ente.io/self-hosting/administration/reverse-proxy for more information.
To verify the setup, the Ente Photos web app should be accessible at https://web.ente.yourdomain.tld and Museum at https://api.ente.yourdomain.tld.
If you're using reverse proxy servers like NGINX or Traefik, refer to their respective documentation for specific configurations. You can find more information on configuring the Ente Photos web app at https://help.ente.io/self-hosting/administration/reverse-proxy#for-ente-photos-web-app and Museum at https://help.ente.io/self-hosting/administration/reverse-proxy#for-museum.
> We highly recommend using HTTPS for Museum (Ente's server). For security reasons, Museum will not accept incoming HTTP traffic.
I don't think this is correct. I set up http localhost endpoints just fine.
I'm guessing you need to build the Ente client to use your certificate
It would be helpful to be able to select a certificate during custom service configuration. Certificate pinning also helps with security. Maybe you can add this as a feature request?
Apps can choose to not accept user-imported certificates, after all.
you could do everything over local ip not hostname
anywhere it says localhost type 0.0.0.0 or hardcode the IP
Will try that and report. Ty!
are you doing docker or manual
I'm using docker and tailscale as VPN.
Tried it and at least I could log in. Logging in was not working with self-signed certs.
But I can't upload anything and existing images are not loading. Do you think this is related? Or is this another problem I'm facing?

I have no errors in server logs
why not use cf proxy
I don't want to open my Ente instance to the internet. I'm the only user and it would increase my attack surface unnecessarily.
You don’t need signed certificates for local network setup.
See if this helps: https://discord.com/channels/948937918347608085/1422123057274818611