#Android app cant login via cloudflare tunnel, but works via chrome on the mobile.

I'm settings up a CF proxy and send external clients via CF tunnel to immich.
I have google auth and country then I "arrive" at the immich webpage and need to login again( which is fine for now I'm just using local accounts on immich will oidc later on )
everything works just fin via webbrowser on the mobile.
I have a domain immich.domain.com , and when I'm at home I directly connect to the immich server not to over load cloudflare and add unneccasary latency etc.
all works great via chrome on my mobile and laptop.
except the immich app! the app doesn't work via CF tunnel somehow.

locally works via chrome and app:
http://immich.domain.com/ (yes port 80 here) internal DNS -> 10.1.20.5:80 proxy -> 10.1.20.15:2283
http://immich.domain.com/api (yes port 80 here) internal DNS -> 10.1.20.5:80 proxy -> 10.1.20.15:2283

Externally chrome onm the mobile only works
http://immich.domain.com/ (yes port 80 here) external DNS -> CloudFlare proxy -> Google auth -> country verification -> CF tunnel -> 10.1.20.15:2283
This does not work app:
http://immich.domain.com/api (yes port 80 here) external DNS -> CloudFlare proxy -> Google auth -> country verification -> CF tunnel -> 10.1.20.15:2283
I can test essy by toggling WiFi on off, to test external access via LTE and internal access via WiFi/LAN with the same app settings. always works via LAN/WiFi but not via LTE on the same version as can be seem in the screenshots below:

:wave: Hey @hallow plinth,

Thanks for reaching out to us. Please follow the recommended actions below; this will help us be more effective in our support effort and leave more time for building Immich .

References

• Container Logs: docker compose logs docs
• Container Status: docker compose ps docs
• Reverse Proxy: https://immich.app/docs/administration/reverse-proxy

Checklist

1. :blue_square: I have verified I'm on the latest release(note that mobile app releases may take some time).
2. :blue_square: I have read applicable release notes.
3. :blue_square: I have reviewed the FAQs for known issues.
4. :blue_square: I have reviewed Github for known issues.
5. :blue_square: I have tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: I have uploaded the relevant logs, docker compose, and .env files, making sure to use code formatting.
7. :blue_square: I have tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

To recap, just using my mobile, I can via chrome login both externally via LTE and internally via WiFi.

On the app I can only login internally via WiFi, externally via Cloudflare tunnel

webb uses https://domin.com/ but the app uses http://domain.com/api , could the /api have anythin to do with the error?

This is the error message from the logs in the app:

#0 _ChunkedJsonParser.fail (dart:convert-patch/convert_patch.dart:1380) #1 _ChunkedJsonParser.parseNumber (dart:convert-patch/convert_patch.dart:1247) #2 _ChunkedJsonParser.parse (dart:convert-patch/convert_patch.dart:912) #3 _parseJson (dart:convert-patch/convert_patch.dart:35) #4 JsonDecoder.convert (dart:convert/json.dart:610) #5 JsonCodec.decode (dart:convert/json.dart:216) #6 ApiClient.deserialize.<anonymous closure> (package:openapi/api_client.dart:158) #7 compute.<anonymous closure> (package:flutter/src/foundation/_isolates_io.dart:19) #8 _RemoteRunner._run (dart:isolate:1090) #9 _RemoteRunner._remoteExecute (dart:isolate:1084) #10 _delayEntrypointInvocation.<anonymous closure> (dart:isolate-patch/isolate_patch.dart:300) #11 _RawReceivePort._handleMessage (dart:isolate-patch/isolate_patch.dart:184)

I don’t think this is supported. You need to use something like CloudFlare WARP to authenticate

Immich app doesn’t support the cloudflare login flow

Why do you use /api when log in from the app?

it says so in the example, and the error message is thes ame either way

I jsut tried it

in the light gray box where you enter the url, the example says with /api

a diagram to illustrate that the webbroser works, but no thte app

the app works when on WiFi

with the same URL

Its odd since its the local login with immich that doesnt work only

with browser it works just fine

hm ok the google auth is the issue with the app hm

I need to verify it

so perhaps if I remove cloudflare login google auth and just use OIDC login in immich

The issue is the same for everyone, especially now when there is a server cost, to share immich safely one needs to protect it

so This issue everyone got now

onless you publish immich via reverseproxy yourself

or use warp or tailscale etc

that require installation on the mobile unfortunately

but it seems that warp is the way to go then hm

with warp its not seamless

hm is there anythin that the app sends to immich server via CF that one could use for extra auth steps

FYI it was a bug or old config residue unseen that caused the issue in the mobile app!