blue-ox.nl From coffee-fueled fruity tech to fast runs—think different, let’s run them.

Immich behind reverse proxy


Wow, this took a while; ultimately I found the cause of all the trouble myself. But all the basic information I needed I gathered over the internet and via claude.ai.

Upfront

The main reason why it took me multiple days was: the immich.domain.com I used within Cloudflare, and with that the immich.domain.com I entered in Nginx, caused problems and didn’t work, whatever I tried. When I tried another subdomain, photo.domain.com, used in both Cloudflare and Nginx, it worked with the following setup/configuration.

Using the word “Immich” in your (sub)domain might/will cause problems because Immich possibly uses the domain name (with Immich in it) internally for certain routing or validation. These kinds of issues with specific subdomains sometimes occur in applications that have certain expectations about URL structures.

Mind you: the cache of Cloudflare and/or Nginx could also cause problems when trying something (with the right subdomain, but changing details that don’t work). I ended up creating a final subdomain and didn’t change anything anymore. You could solve this with:

Purge cache in Cloudflare:

  • Go to Cloudflare dashboard
  • Select your domain
  • Go to Caching > Configuration
  • Click on “Purge Everything” or purge your Immich URLs specifically

Or adjust your caching rules in Cloudflare:

  • Go to Rules > Cache Rules
  • Create a rule for your Immich subdomains
  • Set the cache-control headers

In Nginx Proxy Manager (NPM) you can also clear the cache:

docker restart nginx-proxy-manager

In Cloudflare you can also turn on Development Mode (temporarily) while testing things. This disables the cache for about 3 hours.

Setup / configuration that works for me

Nginx proxy host > Details tab

Scheme: http
Forward Hostname / IP: <IP address> of your Immich RPi
Forward Port: Port of your Immich RPi installation (default: 2283)
Block Common Exploits: ON
Websockets Support: ON

Nginx proxy host > SSL tab

Force SSL: ON
HTTP/2 Support: ON

Nginx proxy host > Advanced tab > Custom Nginx Configuration

client_max_body_size 50000M;

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    proxy_http_version 1.1;
    proxy_pass http://<IP-RPi>:2283;
    proxy_buffering off;
}

.ENV

# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables

# The location where your uploaded files are stored
UPLOAD_LOCATION=/immich
# The location where your database files are stored
DB_DATA_LOCATION=./postgres

# Immich server configuration
IMMICH_SERVER_URL=https://<Public domain pointing to your Immich RPi>

# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_d>
TZ=Europe/Amsterdam

TYPESENSE_API_KEY=<API key>

# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release

# Connection secret for postgres. You should change it to a random password
# Please use only the characters `A-Za-z0-9`, without special characters or spaces
DB_PASSWORD=<PASSWORD>

# The values below this line do not need to be changed
###################################################################################
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

docker-compose.yml

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    environment:
      - PUBLIC_DOMAIN_NAME=https://<public domain pointing to your Immich RPi>
    volumes:
      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the >
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
      - /immich:/immich:rw
    env_file:
      - .env
    ports:
      - '2283:2283'
    depends_on:
      - redis
      - database
    restart: always
    healthcheck:
      disable: false

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where >
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: always
    healthcheck:
      disable: false

  redis:
    container_name: immich_redis
    image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always

  database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in >
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    healthcheck:
      test: >-
        pg_isready --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" || exit 1;
        Chksum="$$(psql --dbname="$${POSTGRES_DB}" --username="$${POSTGRES_USER}" --tuples-only --no-align
        --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')";
        echo "checksum failure count is $$Chksum";
        [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command: >-
      postgres
      -c shared_preload_libraries=vectors.so
      -c 'search_path="$$user", public, vectors'
      -c logging_collector=on
      -c max_wal_size=2GB
      -c shared_buffers=512MB
      -c wal_compression=on
    restart: always

volumes:
  model-cache:

For completeness, check if these are all consistent:

  1. Your IMMICH_SERVER_URL in .env
  2. Your PUBLIC_DOMAIN_NAME in docker-compose.yml
  3. Your domain name in NPM
  4. Your DNS record in Cloudflare

They should all use e.g. photo.domain.com.
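
The check for items 1 and 2 of this list can be scripted. The following is an added example, not from the original post or the Immich project: it reads the hostnames out of .env and docker-compose.yml and compares them with the hostname entered in NPM and Cloudflare. The function names, the sample file contents and photo.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample file contents and photo.example.com are constructed.

# url_host URL: print the lower-cased host, without scheme, port, path or quotes.
url_host() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*$//' \
        -e 's/^["'\'']//' -e 's/["'\'']$//' \
        -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#[/:].*$##' | tr 'A-Z' 'a-z'
}

# conf_value KEY FILE: value of "KEY=value" (.env) or "- KEY=value" (compose
# list form, as used on this page). Comment lines are skipped; first match wins.
conf_value() {
    sed -n -e '/^[[:space:]]*#/d' \
        -e "s/^[[:space:]]*-\{0,1\}[[:space:]]*$1=\(.*\)$/\1/p" "$2" | head -n 1
}

# check_consistency EXPECTED_HOST ENV_FILE COMPOSE_FILE
# EXPECTED_HOST is the name entered in NPM and in the Cloudflare DNS record.
# Returns non-zero if a setting is missing or points at another host.
check_consistency() {
    expected=$(url_host "$1"); rc=0
    for pair in "IMMICH_SERVER_URL:$2" "PUBLIC_DOMAIN_NAME:$3"; do
        key=${pair%%:*}; file=${pair#*:}
        raw=$(conf_value "$key" "$file"); host=$(url_host "$raw")
        if [ -z "$raw" ]; then
            echo "MISSING  $key in $file"; rc=1
        elif [ "$host" != "$expected" ]; then
            echo "MISMATCH $key=$host (expected $expected)"; rc=1
        else
            echo "OK       $key=$host"
        fi
    done
    return "$rc"
}

# make_sample DIR: write constructed sample files that disagree on the host.
make_sample() {
    printf '%s\n' '# constructed sample' \
        'IMMICH_SERVER_URL=https://photo.example.com' > "$1/.env"
    printf '%s\n' 'services:' '  immich-server:' '    environment:' \
        '      - PUBLIC_DOMAIN_NAME=https://immich.example.com' \
        > "$1/docker-compose.yml"
}

tmp=$(mktemp -d); make_sample "$tmp"
check_consistency photo.example.com "$tmp/.env" "$tmp/docker-compose.yml" \
    || echo "Fix the settings flagged above, then re-run."
rm -rf "$tmp"
```

Against a real installation, call check_consistency with your own hostname and the paths of your .env and docker-compose.yml.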

Sources (references) & credits

Basically all input/information came from the websites below. So credits and thanks to those content creators and subject matter experts. The only reason I mainly copy/paste their content is to guarantee I have a backup for myself and because multiple times I had to change and adapt. So archiving the “scripts” as I executed them successfully is important for me.

https://claude.ai
https://immich.app/docs/administration/reverse-proxy/

By Erik