[BUG] Cannot access Immich behind HTTPS reverse proxy from Android app on Caddy with self-signed CA #340

Closed
opened 2026-02-04 19:49:42 +03:00 by OVERLORD · 29 comments

Originally created by @FileGo on GitHub (Sep 30, 2022).

Describe the bug
I run my own CA and have its root certificate installed in the trusted store of all of my devices. The reverse proxy (Caddy) obtains a certificate from the CA for every subdomain, and this works great for all services on all of my devices.

I can access Immich via HTTPS from my phone's browser without any security warnings, but when I try to access it via app, I get the "Error logging you in, check server url, email and password" error message.

Task List

Please complete the task list below. We need this information to help us reproduce the bug or point out problems in your setup. Not providing enough info may delay our effort to help you.

  • I have read thoroughly the README setup and installation instructions.
  • I have included my docker-compose file.
  • I have included my redacted .env file.
  • I have included information on my machine, and environment.

To Reproduce
Steps to reproduce the behavior:

  1. Have an HTTPS reverse proxy with trusted root certificate installed on the Android device, which points to Immich instance.
  2. Enter email and password.
  3. Set Server Endpoint URL as "https://immich.domain.tld/api".
  4. Click Login.

Expected behavior
The app should be able to login normally to Immich server, just as it does when accessing the instance directly (without reverse proxy).

Screenshots
If applicable, add screenshots to help explain your problem.

System

  • Android 12
  • Server Version: v1.30.0
  • Mobile App Version: 1.30.0 build.46

Additional context

docker-compose.yaml:

version: "3.7"

services:
  immich-server:
    image: altran1502/immich-server:release
    entrypoint: ["/bin/sh", "./start-server.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    environment:
      - NODE_ENV=production
    restart: always

  immich-microservices:
    image: altran1502/immich-server:release
    entrypoint: ["/bin/sh", "./start-microservices.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    environment:
      - NODE_ENV=production
    restart: always

  immich-machine-learning:
    image: altran1502/immich-machine-learning:release
    entrypoint: ["/bin/sh", "./entrypoint.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - .env
    environment:
      - NODE_ENV=production
    restart: always

  immich-web:
    image: altran1502/immich-web:release
    entrypoint: ["/bin/sh", "./entrypoint.sh"]
    env_file:
      - .env
    restart: always

  immich-proxy:
    container_name: immich_proxy
    image: altran1502/immich-proxy:release
    ports:
      - 2283:8080
    logging:
      driver: none
    depends_on:
      - immich-server
    restart: always

.env:

DB_HOSTNAME=db.domain.tld
DB_USERNAME=immich
DB_PASSWORD=pass...
DB_DATABASE_NAME=immich

REDIS_HOSTNAME=redis.domain.tld

UPLOAD_LOCATION=/data/immich

LOG_LEVEL=simple

JWT_SECRET=hU3...

PUBLIC_LOGIN_PAGE_MESSAGE=

ENABLE_MAPBOX=false

@alextran1502 commented on GitHub (Sep 30, 2022):

I also use Caddy as a reverse proxy but with its own auto managed certificate and I am able to access the site just fine.

Besides checking your email/password and the server URL, I don't have any suggestion at the moment since this is very specific to your setup 🤔.


@FileGo commented on GitHub (Oct 1, 2022):

That's because Caddy by default obtains a certificate from Let's Encrypt, whose root CA is trusted by pretty much every modern device connected to the internet.

I think this might be connected to this issue: https://github.com/flutter/flutter/issues/41781


@JaxTheWolf commented on GitHub (Nov 8, 2022):

I'm experiencing the exact same issue; I let Caddy handle my internal network SSL certs with my own root cert.
Perhaps a switch could be added to the login screen, explicitly telling the HTTP/S library in use in the mobile apps to ignore any certificate validation issues? Just shooting ideas here, as I have no idea how it's actually implemented.


@sirdeniel commented on GitHub (Nov 17, 2022):

I also use Caddy as a reverse proxy but with its own auto managed certificate and I am able to access the site just fine.

Besides checking your email/password and the server URL, I don't have any suggestion at the moment since this is very specific to your setup 🤔.

Hi, would you mind sharing your compose.yaml and .env to reproduce? I'm having trouble setting mine with the default Caddy. I think I got the proxy part working but the web server response is:

Error code 500
Internal Error
Verbose

{"message":"Internal Error"}

Many thanks for considering my request.
Deniel


@alextran1502 commented on GitHub (Nov 17, 2022):

I also use Caddy as a reverse proxy but with its own auto managed certificate and I am able to access the site just fine.
Besides checking your email/password and the server URL, I don't have any suggestion at the moment since this is very specific to your setup 🤔.

Hi, would you mind sharing your compose.yaml and .env to reproduce? I'm having trouble setting mine with the default Caddy. I think I got the proxy part working but the web server response is:

Error code 500
Internal Error
Verbose

{"message":"Internal Error"}

Many thanks for considering my request. Deniel

@sirdeniel Can you share your Caddy setting. I used Caddy myself, here is the config

immich.mydomain.com {

  handle {
    reverse_proxy immich-internal-ip:2283
  }

}

@sirdeniel commented on GitHub (Nov 17, 2022):

@sirdeniel Can you share your Caddy setting...

@alextran1502 My Caddyfile has this:

immich.mydomain.com {
    reverse_proxy immich-web:3000
}

I'm on Caddy v2, prior to 2.6
My compose.yml, with commented default proxy part:

immich-compose.yml

version: "3.8"

networks:
  default:
    name: internal

services:
  immich-server:
    image: altran1502/immich-server:release
    container_name: immich-server
    entrypoint: ["/bin/sh", "./start-server.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - stack.env
    environment:
      - NODE_ENV=production
    depends_on:
      - redis
      - database
    restart: always

  immich-microservices:
    image: altran1502/immich-server:release
    container_name: immich-microservices
    entrypoint: ["/bin/sh", "./start-microservices.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - stack.env
    environment:
      - NODE_ENV=production
    depends_on:
      - redis
      - database
    restart: always

  immich-machine-learning:
    image: altran1502/immich-machine-learning:release
    container_name: immich-machine-learning
    entrypoint: ["/bin/sh", "./entrypoint.sh"]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - stack.env
    environment:
      - NODE_ENV=production
    depends_on:
      - database
    restart: always

  immich-web:
    image: altran1502/immich-web:release
    container_name: immich-web
    entrypoint: ["/bin/sh", "./entrypoint.sh"]
    env_file:
      - stack.env
    environment:
      # Rename these values for svelte public interface
      - PUBLIC_IMMICH_SERVER_URL=${IMMICH_SERVER_URL}
    restart: always

  redis:
    container_name: immich_redis
    image: redis:6.2
    restart: always

  database:
    container_name: immich_postgres
    image: postgres:14
    env_file:
      - stack.env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      PG_DATA: /var/lib/postgresql/data
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

#  immich-proxy:
#    container_name: immich_proxy
#    image: altran1502/immich-proxy:release
#    environment:
#      # Make sure these values get passed through from the env file
#      - IMMICH_SERVER_URL
#      - IMMICH_WEB_URL
#    ports:
#      - 2283:8080
#    logging:
#      driver: none
#    depends_on:
#      - immich-server
#    restart: always

volumes:
  pgdata:


I manually set the container_name to match with Caddy immich-web.

My .env file:

DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_PASSWORD=postgres
DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis
UPLOAD_LOCATION=/home/ubuntu/zcontainers/immich
LOG_LEVEL=simple
JWT_SECRET=185...
PUBLIC_LOGIN_PAGE_MESSAGE="Hosted by Deniel!"

@alextran1502 commented on GitHub (Nov 17, 2022):

It would be best if you did not uncomment the immich-proxy because it is used for the internal routing of the app.


@sirdeniel commented on GitHub (Nov 17, 2022):

I see, I thought it would conflict with Caddy since that is what I use as a proxy. Caddy uses container names to reverse proxy. Uncommenting immich-proxy would require IMMICH_WEB_URL, IMMICH_SERVER_URL, and IMMICH_MACHINE_LEARNING_URL with their respective ports. Should I also reverse proxy them too?


@alextran1502 commented on GitHub (Nov 17, 2022):

I see, I thought it would conflict with Caddy since that is what I use as a proxy. Caddy uses container names to reverse proxy. Uncommenting immich-proxy would require IMMICH_WEB_URL, IMMICH_SERVER_URL, and IMMICH_MACHINE_LEARNING_URL with their respective ports. Should I also reverse proxy them too?

They are not required, you can see those values are commented out as optional


@d-sko commented on GitHub (Nov 21, 2022):

Hi, I have the same issue with Immich behind a traefik reverse proxy with certificates from my internal CA, which is trusted by my Phone (Android 13).


@sirdeniel commented on GitHub (Nov 23, 2022):

TLDR:
I got it! Mapping nginx.conf to a Caddyfile produces the following:

yourdomain.com {
    handle_path /api/* {
        reverse_proxy immich-server:3001
    }
    handle {
        reverse_proxy immich-web:3000
    }
}

Explanation

  • handle_path takes /api/* and does the same as the line rewrite /api/(.*) /$1 break; in the nginx.conf file. The intention is to map all /api/* requests to /*, e.g. yourdomain.com/api/something -> yourdomain.com/something, thus translating the request to immich-server:3001/something
  • handle with no arguments takes the parent yourdomain.com to apply the reverse_proxy, e.g. yourdomain.com/myphotos ends up at immich-web:3000/myphotos/

I setup Caddy and Immich in Docker where they see each other inside an internal network with no internet access rendering Immich more secure. Only Caddy connects to another network with internet access to serve as a proxy.
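The routing that the Caddyfile above performs, reproduced as an added example in Go so the two rules can be exercised offline. This is not code from Immich, Caddy or anyone in this thread: a small reverse proxy that strips the /api prefix for the API upstream (the handle_path rule, equivalent to the nginx rewrite) and leaves every other path alone (the catch-all handle). The upstreams are in-process fakes standing in for immich-server:3001 and immich-web:3000, and their echo strings and the request paths are constructed for the demo.

```go
package main

// Added example, not code from Immich or from anyone in this thread: a
// minimal Go reverse proxy reproducing the two Caddyfile rules above.
// handle_path /api/* strips the /api prefix before forwarding to the API
// upstream (nginx's `rewrite /api/(.*) /$1 break;`); the catch-all handle
// forwards everything else with the path untouched. The upstreams here
// are in-process fakes (httptest) standing in for immich-server:3001 and
// immich-web:3000; the echo text they return is constructed for the demo.

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// RouteRequest returns which upstream ("server" or "web") a request path
// goes to and the path that upstream will see. Only paths under /api/ are
// treated as API calls, so /apiary is not an API request.
func RouteRequest(path string) (upstream, rewritten string) {
	if strings.HasPrefix(path, "/api/") {
		return "server", strings.TrimPrefix(path, "/api")
	}
	return "web", path
}

// NewProxy builds the handler: apply RouteRequest, then hand the request
// to the single-host reverse proxy for the chosen upstream.
func NewProxy(server, web *url.URL) http.Handler {
	serverProxy := httputil.NewSingleHostReverseProxy(server)
	webProxy := httputil.NewSingleHostReverseProxy(web)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target, rewritten := RouteRequest(r.URL.Path)
		r.URL.Path = rewritten
		r.URL.RawPath = "" // make Path authoritative after the rewrite
		if target == "server" {
			serverProxy.ServeHTTP(w, r)
			return
		}
		webProxy.ServeHTTP(w, r)
	})
}

// Demo starts two fake upstreams that echo their name and the path they
// received, puts the proxy in front of them, sends one GET through the
// proxy and returns the upstream's echo line.
func Demo(requestPath string) (string, error) {
	echo := func(name string) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintf(w, "%s saw %s", name, r.URL.Path)
		})
	}
	apiUpstream := httptest.NewServer(echo("immich-server"))
	defer apiUpstream.Close()
	webUpstream := httptest.NewServer(echo("immich-web"))
	defer webUpstream.Close()

	apiURL, err := url.Parse(apiUpstream.URL)
	if err != nil {
		return "", err
	}
	webURL, err := url.Parse(webUpstream.URL)
	if err != nil {
		return "", err
	}
	proxy := httptest.NewServer(NewProxy(apiURL, webURL))
	defer proxy.Close()

	resp, err := http.Get(proxy.URL + requestPath)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

func main() {
	for _, p := range []string{"/api/server-info/ping", "/photos", "/apiary"} {
		out, err := Demo(p)
		if err != nil {
			fmt.Println(p, "->", err)
			continue
		}
		fmt.Println(p, "->", out)
	}
}
```

Running it shows the API upstream receiving /server-info/ping for a request to /api/server-info/ping, while /photos and /apiary reach the web upstream unchanged; the last case is the reason the matcher needs the trailing slash. The same prefix check is what a request to https://immich.domain.tld/api relies on when the mobile app is pointed at the proxy.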


@d-sko commented on GitHub (Nov 23, 2022):

I've also fiddled around a bit and noticed that https://<url>/api returns a 404 if I only forward from traefik to the immich-proxy-container.

With the hint from @sirdeniel about the /api-route I changed the traefik config like here: https://github.com/immich-app/immich/discussions/437#discussioncomment-3609797 but still no login from the app. Also the OIDC-login-button does not appear. Web UI works though.


@d-sko commented on GitHub (Nov 28, 2022):

Small update: I enabled access logging in Traefik and while I can access Immich via browser on my phone without problems, I don't even get an entry in the access log when trying to use the app. It only says "Error logging you in, check server url, email and password". But when I try to connect with http instead of https I get entries in the access log.


@sirdeniel commented on GitHub (Dec 1, 2022):

I've also fiddled around a bit and noticed that https://<url>/api returns a 404 if I only forward from traefik to the immich-proxy-container.

My guess is you are trying to run both proxies, the immich-proxy and your traefik one. They may interfere with each other, that's why I comment out the immich-proxy section in my Docker compose immich-compose.yml shared above.


@d-sko commented on GitHub (Dec 1, 2022):

@sirdeniel yes that's right, I had both proxies running then. But that's not the case anymore, as I wrote in the same message. I also have the immich-proxy section commented out and use only traefik. My current problem is that Immich is working in the browser on all my devices including my Android phone. I can log in via OIDC (with Authentik as IdP), I can view and upload images, everything works. But if I try to use the app I don't even get an entry in traefik's access log. As if the app doesn't even try to connect. And that's very confusing to me. If I enter the URL with http instead of https I get entries in the access log.


@kriskbx commented on GitHub (Jan 18, 2023):

I experience the exact same problem. I have my own root CA and self-signed certificates. Running immich behind a traefik proxy. I have a few devices lying around, and can confirm that it's definitely related to Android. It works with the iOS app and it works on web.


@kriskbx commented on GitHub (Jan 20, 2023):

Here's a possible fix for all that are struggling with an immich instance in a local network and self-signed certificates: Use a real domain that you actually own and request a wildcard certificate using certbot and e.g. the DNS method (then you don't even need to spin up a server or something, you can do it from your local machine). Use that certificate with your local traefik proxy. If your router supports it, or you're using some kind of local DNS resolver like pihole, you can point a chosen subdomain to your immich instance easily by setting an A record. It's a little bit of work and doesn't solve the issue itself, but it's cheap as you only need some kind of domain and I guess most of us have a spare domain lying around, right? Edit: And don't forget to put a reminder in your calendar to renew the certificate ;D


@greglook commented on GitHub (Jun 3, 2023):

How was this completed? As far as I can tell, this is still an issue and affected my recent setup of Immich. The underlying root issue in dart-lang is still open: https://github.com/dart-lang/sdk/issues/50435

I ultimately just allowed insecure HTTP traffic to the Immich server, which is obviously not a great end result.


@r01k commented on GitHub (Jun 9, 2023):

Same situation. Most likely the problem is that the Immich app is not trusting user-installed certificates. My solution will be to just get a publicly-trusted cert, which I was going to do anyways down the road.

Update:
Even with a publicly trusted cert the problem persists. In my case the error I get is "TLS/SSL communication failed: POST /oauth/config" when clicking Next on the endpoint screen. The same on all tested Android devices. On iOS it does work.

Update:
My problem was due to my certificate chain. See https://github.com/immich-app/immich/issues/2711
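Two distinct failures are mixed together in this thread: a chain the server does not send completely (the certificate chain problem in the update above) and a client whose trust store does not contain the private root (the original report, and what the linked dart-lang issue concerns). As an added example, not code from Immich or from anyone in the thread, the following Go program builds a throwaway private CA in memory and shows how a strict TLS client treats each case; the hostname immich.example.test and the CA names are made up. A browser may hide the first case by fetching the missing intermediate on its own, which is one reason the same certificate can work in a browser and fail in an app.

```go
package main

// Added example, not code from Immich or from anyone in this thread. It
// builds a private CA (root -> intermediate -> server leaf) in memory and
// runs Go's X.509 chain verification as a TLS client would, for the
// situations described above: the server presents only the leaf (the
// incomplete-chain case), the server presents leaf + intermediate, and a
// client whose trust store lacks the private root (how an app that ignores
// the user-installed CA store behaves). Hostname and CA names are made up.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is the constructed hierarchy used by the demo.
type PKI struct{ Root, Intermediate, Leaf *x509.Certificate }

// issue generates a key for tmpl and signs it with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI creates the root, an intermediate signed by it, and a server leaf for host.
func BuildPKI(host string) (*PKI, error) {
	now := time.Now()
	tmpl := func(serial int64, cn string, isCA bool) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		}
		if isCA {
			c.KeyUsage = x509.KeyUsageCertSign
		} else { // server certificate: bound to the hostname, usable for TLS server auth only
			c.DNSNames = []string{cn}
			c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		}
		return c
	}
	root, rootKey, err := issue(tmpl(1, "Home Lab Root CA", true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(tmpl(2, "Home Lab Intermediate CA", true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(tmpl(3, host, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify plays the TLS client. sendIntermediate: the server included the
// intermediate after the leaf in its handshake. trustRoot: the client's
// root store contains the private root. Returns nil when the leaf chains
// to a trusted root and is valid for host.
func Verify(pki *PKI, sendIntermediate, trustRoot bool, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if sendIntermediate {
		inters.AddCert(pki.Intermediate)
	}
	if trustRoot {
		roots.AddCert(pki.Root)
	}
	_, err := pki.Leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports the "no path to a trusted root" failure that
// both an incomplete chain and a missing private root produce.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	host := "immich.example.test"
	pki, err := BuildPKI(host)
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name                        string
		sendIntermediate, trustRoot bool
	}{
		{"leaf only, root trusted (incomplete chain)", false, true},
		{"leaf + intermediate, root trusted", true, true},
		{"leaf + intermediate, private root not trusted", true, false},
	} {
		err := Verify(pki, c.sendIntermediate, c.trustRoot, host)
		fmt.Printf("%-46s ok=%-5v unknownAuthority=%v\n", c.name, err == nil, IsUnknownAuthority(err))
	}
}
```

Only the second scenario verifies; the other two fail with the same "unknown authority" class of error, which is why an incomplete chain and a missing private root look identical from the app's side. To see which one a live deployment has, run openssl s_client -connect immich.domain.tld:443 -servername immich.domain.tld -showcerts against the proxy and check that the intermediate is actually sent after the leaf; if it is, the remaining difference is the trust store the app consults.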


@Pheggas commented on GitHub (Jun 11, 2023):

Hello, @d-sko . I would have some questions about your setup as mine is really similar, could I get some contact info on you so we can chat about it? (maybe Discord / matrix / reddit)?


@d-sko commented on GitHub (Jun 12, 2023):

@Pheggas sorry, I've given up on Immich, never got it to work with my internal CA, don't have it running anymore.


@Pheggas commented on GitHub (Jun 12, 2023):

It's alright. I've already solved my issue just now. Thank you for reply anyway.


@ioogithub commented on GitHub (Jul 23, 2023):

It's alright. I've already solved my issue just now. Thank you for reply anyway.

Hi @Pheggas How did you end up fixing the problem?


@Pheggas commented on GitHub (Jul 24, 2023):

It's alright. I've already solved my issue just now. Thank you for reply anyway.

Hi @Pheggas How did you end up fixing the problem?

I had wrongly set DNS on the server. Just browse my issues - I've noted my journey in one of those.


@sjayanna01 commented on GitHub (Apr 12, 2024):

I have setup Caddy and Tailscale on synology NAS. Portainer and Tesmate are working fine over Tailscale HTTPS. But Grafana and Immich aren't working on similar grounds.

Immich is currently returning 404 in the Caddy logs with a white screen in the UI. Can anybody please share your working Caddy setups for Immich, along with the docker compose details? Thank you!


@z1haze commented on GitHub (Jun 21, 2024):

Running into this issue on the latest Android app and latest Immich server using traefik with the Cloudflare DNS challenge. Sadly, more than 2 years later this is still unresolved.


@mrspy87 commented on GitHub (Jun 25, 2024):

Same issue, please solve it.


@akostadinov commented on GitHub (Sep 8, 2024):

Can this be related in any way to IMMICH_TRUSTED_PROXIES? I can't find any documentation about it. But it might play a role.

Although it sounds like a specific device issue, in case maybe if it doesn't trust the proxy headers, it doesn't set secure cookies or something and some browsers consider this insecure, idk

PS I saw this env variable in https://immich.app/docs/install/environment-variables/


@da-wilky commented on GitHub (Apr 12, 2025):

Looks like a problem since 3 years.
Still no real fix for that. I also have a caddy setup in a local network and my root certificate installed on my android device.
I can access it via the browser (and ofc. https) but I can't set the URL in the Immich app - the connection will fail that way. Inside the app it's only possible for me on the 2283 port of the Immich server, which I now need to expose instead of proxying it through Caddy.
Pretty sad the app is not accepting the certificate added to Android, even though the browsers do.

Reference: immich-app/immich#340