#SSL via Nginx reverse proxy.
If you're using a reverse proxy then you should not be using the port in the URL
@sonic escarp Thanks mate for the reply. I did that because the server is behind a firewall with only one public IP and 443 is already used for something else. I'll try to temporarily assign 443 to immich and see if it will fix the issue... thanks again.
Again, web browser works fine (no port, just https) but not with the phone app.
What sort of certificate are you using?
Just FYI you should be using 443 for your reverse proxy and then sort it out through subdomains 😛
It's not mandatory to be clear, it's just how everyone else does it
I am using a legit wildcard SSL certificate from GoDaddy.
What is 443 used for..? Very confusing setup
Try adding /api at the end of the url in the app
Also, if it's an iPhone, ensure local network access is enabled
Using the web browser it works inside and outside of the local network. https://immich.xxxxx.com from inside and outside works fine, but not via the app. https://192.168.2.131 from inside using the browser also works fine, but not the app.
Why are there no ports in your example urls here ..?
Also please try connecting the app to http://localip:2283 without any proxy in between
http://fqdn:2283 works fine. I tried port forwarding 2283 to 443 of the server running the container and nginx proxy server. Works fine with a browser but not with the app.
Are you using any kind of split DNS in your home setup
Why don't you share here or DM one of us your server URL. We can check the headers and SSL cert
Because something seems very broken here
Don't know what split DNS is, but what I have here is a cache-only DNS serving only the local network so I can resolve local IP addresses within.
That sounds like split dns
😄
Split DNS is exactly that yes, a local DNS that resolves to local addresses, and a global NS that resolves to your public IP outside the local network
Then split DNS it is 😅
Hang on... I was making too many changes... let me set it up the way I had it before.
Here are the iptables rules on the public-facing Linux fw:
$IPT -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 2283 -m state --state NEW,ESTABLISHED -j DNAT --to $DMTDOCKER:443
Your SSL cert is invalid
On the server running docker and nginx proxy server I set it up as per the Immich docs
? I get a valid wildcard one
curl -v https://immich.dmtserv.com:2283 | less
*   Trying 72.12.171.218:2283...
* Connected to immich.dmtserv.com (72.12.171.218) port 2283 (#0)
* ALPN: offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1948 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Something funky is going on
nmap -p 2283 --script ssl-cert immich.dmtserv.com
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-25 13:50 EST
Nmap scan report for immich.dmtserv.com (72.12.171.218)
Host is up (0.041s latency).
PORT     STATE SERVICE
2283/tcp open  lnvstatus
| ssl-cert: Subject: commonName=*.dmtserv.com
| Subject Alternative Name: DNS:*.dmtserv.com, DNS:dmtserv.com
| Issuer: commonName=Go Daddy Secure Certificate Authority - G2/organizationName=GoDaddy.com, Inc./stateOrProvinceName=Arizona/countryName=US
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-02-03T11:15:23
| Not valid after: 2025-03-06T11:15:23
| MD5: f9310fc66b2446fa6f25f298eedb6862
|_SHA-1: 00eb50eab897cd2ec410d09505b740c0dd3f1591
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
This is from a remote PC.
Tried again from an Oracle Cloud VPS, curl gives the same SSL error
It does work in browser
I wonder if this godaddy cert isn't fully trusted in all root stores, which would surprise me
The only way I could access it from outside securely is to connect to our VPN and then do http://192.168.2.131:2283 from the app.
Why use godaddy at all anyways? Let's Encrypt is free lol
(that's just a tangent, the cert should work afaik)
Can you dump the logs from the mobile app?
does it work for you?
The browser works fine for me; multiple Linux systems using curl and wget get a no-valid-cert error
different OS / physical locations
I have to find out how to get a dump from the mobile app unless you know it.
Aha
I think the reverse proxy isn't sending the full cert chain
The app doesn't like that
And neither does curl
but browsers are fine with it
I just started using immich. I think it's a fantastic replacement for Google Photos. I am setting this up at my work for now since we already have a valid wildcard SSL cert and static IP addresses. I thought I would try it here first before I move it home, then I can use Let's Encrypt eventually.
Seems like some cursed knowledge to me
How did you set up your Nginx proxy server?
idk, I always use tools that just do the right thing by default so I have no idea how to configure them to do the right thing ;)
I use Nginx Proxy Manager, which is available in a container @wintry fox
any 80/443 -> NPM
Well, at least I can go on from here... it was just bizarre that it works in the browser but not from the app.... thanks @sonic escarp @tender olive @small kite
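The diagnosis the thread arrives at (the proxy sends only the leaf certificate, so curl, wget and the mobile app cannot build a path to a trusted root, while browsers fill in the missing intermediate from their cache or by AIA fetching) can be reproduced offline. The script below is an added example and is not code from the thread, from Immich or from Nginx Proxy Manager. It builds a throwaway root, intermediate and leaf with made-up names, then uses `openssl verify` to emulate a strict client against a leaf-only bundle and against the leaf+intermediate bundle that nginx's `ssl_certificate` (the certificate field in Nginx Proxy Manager) must contain. The hostname `immich.example.test` in the final comment is an assumed placeholder.

```sh
#!/bin/sh
# Added example (not code from the thread, Immich or Nginx Proxy Manager).
# Reproduces the symptom offline: a proxy that serves only its leaf certificate
# looks fine in a browser but fails strict clients such as curl, wget and mobile
# apps with "unable to get local issuer certificate".
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway PKI (all names made up): root CA -> intermediate CA -> leaf.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test,DNS:example.test\n' > "$WORK/leaf.ext"
openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# What nginx's ssl_certificate must point at: the leaf first, then every
# intermediate. The leaf alone is the misconfiguration seen in the thread.
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"

# Number of certificates in a PEM bundle. A server that sends exactly one is
# almost always missing its intermediate (unless a root signed the leaf directly).
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Emulate a strict TLS client: the first certificate in $1 is the server
# certificate, the rest of $1 are the untrusted intermediates the server sent,
# and $2 is the client's root store. openssl verify uses only the first
# certificate of its last argument as the target, which matches what a client
# sees. Returns 0 when a path to a trusted root can be built, non-zero otherwise.
serves_complete_chain() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

report() {
  if serves_complete_chain "$1" "$2"; then r=ok; else r='FAIL (no path to a trusted root)'; fi
  echo "$3: $(cert_count "$1") cert(s) sent, verify: $r"
}
report "$WORK/leaf.crt"      "$WORK/root.crt" "leaf only        "
report "$WORK/fullchain.pem" "$WORK/root.crt" "leaf+intermediate"

# The same check against a live proxy (needs network, so not run here;
# immich.example.test is a placeholder):
#   openssl s_client -connect immich.example.test:443 -servername immich.example.test \
#       -showcerts </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
# A count of 1 for a publicly signed certificate means the proxy serves only the
# leaf; the fix is to install the full chain (leaf followed by the intermediates).
```

The leaf-only case reports one certificate and a failed verification, the leaf+intermediate case reports two and succeeds. With a commercial certificate the intermediate is the CA's bundle file shipped alongside the leaf; with Let's Encrypt it is the `fullchain.pem` that the client already writes, which is why setups using it rarely hit this.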