Accessing Immich remotely
Hey all!
Recently I decided to try to get my Immich running remotely. I have a domain that I have set up with Cloudflare. I set up an A record which goes through Cloudflare's proxy that points photos.mydomain.com to my home static IP. At home I have set up port 443 to go to 2283 and have opened port 80, but I am getting error 525 (SSL certificate) when I go to my website. My question is if Immich HAS to go through a reverse proxy for something like this to work? Feel free to ask follow-up questions!
27 Replies
:wave: Hey @Pando Porris,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local IP (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
525 is a Cloudflare error afaik
something with your cert and what they're expecting doesn't line up
I personally use Twingate - it's worked well for Homeassistant, 13ft ladder and now Immich
If you don't think you'll ever want to share Immich links to people then using some type of ZTNA app like Twingate or Cloudflare's is suitable
You should open port 80 and use that instead of 443, Cloudflare will handle that (unless you have an SSL certificate on server side, not CF)
So
photos.yourdomain.com => your_public_ip (port 80) => Reverse proxy with nginx on port 80 => your immich instance (e.g. 127.0.0.1:2283)
your advice is to have all traffic going to your house be unencrypted over port 80 ..?
Well Cloudflare actually handles the HTTPS part on their end. For example, when you use Flexible SSL, people like him still connect to Cloudflare over HTTPS, but CF itself connects to his home server via plain HTTP. That connection isn't exposed to the internet if he configures a firewall allowing only CF IPs, so it's not like serving anything unencrypted to the public.
If he wanted full encryption all the way through, he could install a Cloudflare Origin Certificate and switch to Full (Strict) mode, but in my opinion for now Flexible is totally fine for this setup. The traffic between him and CF is always encrypted.
I feel like you are mixing Cloudflare Tunnels into this, which operates over its own encrypted tunnel. Certainly it is not normal or advisable to serve content on port 80 from your home server even if only to Cloudflare IPs. Anyone in the network path can intercept and edit the data stream easily.
I got what you mean, then I do agree it’s better practice to use the Full (Strict) with an Origin Certificate for E2E encryption
he needs to get the Origin Certificate then
or Tailscale is simpler I guess, without a custom domain
Either that or use CF tunnels which will handle the backend connection
Yeah but you have a limit of 100 MB
Chunked uploads 😭
which is also the case with the proxy service? so nothing changes
No, only tunnels have the 100 MB limit
AFAIK
"Each user can only upload files with maximum size of 100MB at a time if your website is proxied by Cloudflare. If you do require your users to upload a file that is more than 100MB, unproxy the DNS record."
https://community.cloudflare.com/t/does-the-100-mb-limit-apllies-to-all-users-on-my-website/297261/6
oh i see
thanks for the clarification then
I probably should then unproxy the connection, as I often upload videos to that server.
That means I would absolutely need an SSL certificate
My only issue is I can't get my server to communicate that SSL certificate
No matter what I do, the certificate system doesn't work
I am using OMV and that supposedly has SSL certificate handling
But apparently that's only for the web admin panel
Even then it has openssl and that should work
I add my certificate to the correct directory and nothing
It seems I will need a reverse proxy and something different for certificate handling
What directory?
Immich doesn't have any SSL config so I'm curious as to where you're placing this
OMV comes with OpenSSL
I am supposedly placing it there
Why would that affect Immich? 🙂
Unless you're configuring OMV as proxy, which I don't think you can, the SSL config there has no effect on any of the apps you install with it
Ok so clearly I am the stupid one for thinking this will work
So will need a reverse proxy for this to work
Since Immich can't handle SSL
If you're willing to tinker a bit, you should be able to use the OMV Nginx as a proxy with the same SSL wildcard cert if you want immich on a subdomain @Pando Porris
One of my friends mentioned this and said it would be a little hardcore so I might go with Caddy since it's supposedly much easier
Caddy or NPM are indeed very straightforward
So Caddy would be the one handling SSL?
Yes
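An added example of the setup the replies converge on (not from the thread or the Immich project): Caddy terminates TLS for the subdomain and forwards plain HTTP to Immich on port 2283. It assumes the Cloudflare DNS record is unproxied (grey cloud) so Caddy can obtain its own publicly trusted certificate, that the router forwards ports 80 and 443 to the host running Caddy, and that photos.mydomain.com, 127.0.0.1:2283 and the certificate paths are placeholders.

```caddyfile
# Added example Caddyfile, not from the thread or Immich.
# Assumptions: photos.mydomain.com is unproxied at Cloudflare, the router
# forwards 80 and 443 to this host, and Immich listens on 127.0.0.1:2283.
photos.mydomain.com {
    # Automatic HTTPS: Caddy obtains and renews a Let's Encrypt certificate
    # itself (HTTP-01 on port 80 or TLS-ALPN-01 on port 443), so no
    # certificate files need to be placed anywhere by hand.

    # If the record stays proxied and Cloudflare is set to Full (Strict),
    # use the Cloudflare Origin Certificate instead of automatic HTTPS
    # (that certificate is only trusted by Cloudflare, not by browsers):
    # tls /etc/caddy/origin-cert.pem /etc/caddy/origin-key.pem

    # Caddy applies no request body limit unless one is configured with
    # request_body, so large video uploads are only capped (100 MB) while
    # the DNS record is proxied through Cloudflare.

    # Immich itself speaks plain HTTP; the hop stays on this host.
    reverse_proxy 127.0.0.1:2283
}
```

With the record unproxied, the home IP is visible in DNS, so the only services reachable from the internet should be Caddy's 80 and 443; the direct 443 to 2283 forward from the original post is no longer needed.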
Ok I see
I went without a reverse proxy because it was supposed to be easier, what an idiot I was
ignorance is not a sin
This thread has been closed.