DNS Rewrite Help
Trying to set up a DNS rewrite for when I am on my local network, but keep the domain name so it works remotely. I cannot get the app to login when on my local network.
https://photos.mydomain.com properly redirects to my home server, proxied through NPM to Immich and works fine.
Remotely, https://photos.mydomain.com/api logins on the app, no issues (other than slow speeds).
On my home server, AdGuard Home set to redirect photos.mydomain.com to my NPM IP.
In my browser on LAN, I can access photos.mydomain.com and I can see the rewrite happen properly in the AdGuard queries. But when I try to login with the app, it fails. AdGuard processes the rewrite...so not sure where the failure point is. Any thoughts?
Are you using the default compose setup? Specifically the nginx proxy running on 2283, and redirecting /api internally to the server?
using the default compose setup
So NPM is proxied to IP:2283 for everything
If you're using everything vanilla like that, it should just be a matter of dns. External => router => npm => immich and Internal => adguard => npm => immich.
npm runs on 443, right?
Right, but the app fails. In a browser I can do Internal -> Adguard -> NPM -> Immich
And get the website, but the login isn't working?
Correct, NPM is on 443, but there is no way to specify that in the rewrite?
Website works, mobile app on android fails
What do you mean by rewrite?
you mean dns => ip?
DNS rewrite in AdGuard - I have it as photos.mydomain.com and then localIPofNPM
AdGuard is functioning as a DNS server, right? So it's like an A record?
yup, works for all my other self-hosted apps. I have a wildcard DNS rewrite *.mydomain.com and all my apps are accessible, including Immich in a browser
only the app fails for some reason
Do you have any other self hosted app with mobile phones?
like either the /api doesn't pass through or there is a cert error somewhere
Can you open the dev tools in the web and look at the console for errors, and/or the network tab?
well the other apps I use (like Nzb360) have options for separate LAN and WAN domain/IPs. Something that has been requested for Immich but denied
What do you mean by that?
GitHub: [Feature]: Second server url for fallback / local ip to external do...
Feature detail: It would be nice to automatically switch between uploading from the local network connection when at home to viewing from any location when outside. example: when at home, we connect...
Several mobile apps I use that connect to self-hosted software use this fallback method
gotcha
But I get that Immich doesn't want to, just struggling to troubleshoot this DNS rewrite method
You're being forced to solve it with networking instead 😛
haha correct
how do I open dev tools?
F12
or right click inspect element
or ctrl + shift + i
or ctrl + shift + j
got it
There should be a network tab
do you see any errors in that tab or in the console tab? Might need to do a page refresh
Looks okay, but again this is in my browser. The issue I have is the mobile app will not login when my DNS rewrite is enabled
Is it only mobile app, I thought you mentioned a problem in the web as well.
nope, web works perfectly on LAN with the rewrite
Oh, I think I misinterpreted a "Correct" which was referring to something else.
Is your phone "pointing at" adguard?
Do you see queries for the domain come in when you use the app?
yeah - I can see the query in Adguard being rewritten from my phone
and it's going to the right ip?
oh I think I know the issue
It sounds like everything should be working. What's the actual error you are getting?
I use Authelia normally
but have an `auth_request off` for /api requests
but for some reason, the DNS rewrite is not allowing it to bypass Authelia
Is this where you have to login with authelia first, and then it redirects you back to immich?
correct, which for the browser works fine. Usually for mobile apps I have an exception for /api requests
this prevents Authelia from getting in the way
And you added one for immich?
yes
What is the server url you are setting in the mobile app? Does it end with /api?
yes
so I am not sure why NPM does not see the /api after the DNS rewrite
Do you see the whole url in adguard or just the hostname?
just the hostname
What's the error in the mobile app specifically?
"Error logging you in, check server URL, email, and password"
Not Authelia actually, I disabled it and same error
You have https I'm assuming?
mobile app will not work with DNS rewrite
yes on the domain I do, with SSL cert
It's not self-signed is it?
nope, it's through NPM Let's Encrypt
should be all good then.
Does the mobile app work on mobile data, without being on the local network?
yup works perfectly
It does? It just doesn't work when you switch to wifi?
Correct
Is the wifi on a different subnet?
nope, all same subnet 192.168.1.0/24
if I turn off DNS rewrite - then the app works on my LAN WiFi (but slowly obviously, since it goes out to WAN and back)
Can you send your (redacted) DNS rewrite settings?
Can you access immich directly by ip from the app?
and yes, if I put the Immich IP in my app then it works too
And that's the ip for npm?
yup
I feel like it's a security thing? My browser can load my domain using the DNS rewrite, but it makes me accept the insecure connection
since Immich only uses HTTP
Wait, I thought you said https + certificate?
yes NPM has that with my domain
but an internal DNS rewrite shows insecure
I know if you use https in the mobile app it requires valid certificates
So that could be it.
Does the mobile app not go through npm still? Shouldn't the certificate be valid?
does a DNS rewrite break the https chain? Since when I have DNS rewrite my browser says my domain is insecure. But when I turn off the rewrite and my domain goes through WAN, then it is secure
dns has to do with resolving hostnames to ips, and the ssl part is independent of that, but the hostname on the request needs to match the certificate.
I'm not familiar with "AdGuard rewrites", but I kind of assumed "answer with" means a DNS response. If it is actually terminating SSL and proxying a new connection to Immich it could be a problem.
yeah it certainly shouldn't be proxying any connection. I do wonder though if the IP that it answers with defaults to HTTP over port 80 instead of 443
does that make sense?
or should that not matter?
So you have dns to ip and separately you have the port of communication and separately you have the protocol.
got it
dns to ip is immich.domain to 192.168.x.x
That seems to be working fine
https://immich.domain.tld/api is using https (ssl) on the default port (443)
right, works in the browser, but loses SSL when "rewritten"
What is the actual certificate error you get?
In chrome you can click on the badge thing here and click on certificate to see some details
Or in the dev tools, there is a security tab
So it's a bit interesting and unclear what's happening, let me show you
And in more information
What about view certificate
And/or open the site in chrome if you have it installed and look at the security tab. That is usually clearer which part of the certificate is causing it to be "insecure".
oops will delete that after you look, didn't block my domain haha
Yeah, you can delete it
So what is the "security exception" that's been added? What about the connection is insecure?
when I click advanced it says this:
This server could not prove that it is photos.mydomain.net; its security certificate is from mydomain.net. This may be caused by a misconfiguration or an attacker intercepting your connection.
yeah, open the dev tools and go to the security tab
I do have a wildcard cert on the domain
Well that's it
but there is a cert there? and it's Let's Encrypt
Can you show me the cert details again (redacted)
and details
you have to click on individual items to see the details
The certificate error goes away when you turn off adguard though?
when I turn off DNS rewrite:
It's sending a different certificate
This one is issued by E1 as opposed to R3 or whatever?
oh true, yeah, weird
and that's the error on the first one: ERR_CERT_COMMON_NAME_INVALID
soooo where is this certificate coming from
one is using quic and one is using tls 1.3
One is issued by R3 and one is issued by E1
Do you have some things turned on in adguard that could be causing this? https filtering?
Not that I am aware of, only really use AdGuard to block ads
I'd guess the certificate is coming from adguard
Is there a place for whitelisting sites? Maybe add the immich one there
I think that's like the AdGuard browser plugin? separate from the DNS self-hosted server
AdGuard Home is just a DNS server
Well, something is fishy. You have two certificates issued by different intermediates. One is presumably coming from npm directly and another one must be coming from somewhere else.
yeah somehow NPM is issuing a different one when the DNS rewrite occurs
Is ad guard the only dns server on your network?
How does the web connect to npm when adguard is turned off? Or all queries go to adguard all the time, it's just the rewrite that you turn off?
yeah AdGuard is only DNS server (I have two instances running on separate servers for redundancy). My router tells clients the AdGuard IP for DNS queries
"turning the rewrite off" is just me deleting it from AdGuard and letting it use the normal DNS resolver
Yeah, I'm at a loss here. With it on/off the route to immich is taking two different paths, and tls is terminated two different places.
You could maybe try doing a wrong login on the web with the ad guard turned on and then off. In the server logs it should say "wrong login from {ip}" and maybe the ip would tell you what upstream server the request is coming from. Maybe they're different.
where can I see the server logs?
In Docker for the server container I see websocket connections, but no IPs listed
did you do a wrong login attempt on the web?
yeah
oh i see it
[Nest] 1 - 01/20/2023, 6:43:25 AM WARN [AuthService] Failed login attempt for user [email protected] from ip address ::ffff:172.21.0.8
same IP listed regardless of DNS rewrite, so weird
oh that's just the IP of the Immich proxy Docker
anyways - you've given more than enough time to troubleshooting this. I REALLY appreciate the effort and I learned a few things along the way. I'll keep working on it slowly as I have time, but for now I'll just have to deal with DNS rewrite off and slow Immich uploads
Sounds good. You could try enabling docker logs for the proxy
If you remove those two lines you should have logs in the immich_proxy container, which should show the original ips
kk will try
Heading to bed now. Gl!
thanks! goodnight!
@jrasm91 figured it out!
just wanted to let you know, since you helped so much last night
Sweet, what was the issue?
So when you use Cloudflare for your DNS provider and use their DNS proxy, they use their own SSL cert. That was the external one that was working. When I use the DNS Rewrite, since it was bypassing Cloudflare it was using the SSL cert by NPM. I never realized that I was using Cloudflare's the whole time through their DNS proxy.
My NPM SSL cert was not configured properly (only for my domain, not *.domain), so it wasn't a true wildcard cert. I never noticed though since it appeared to be working externally although that was never my cert - was always Cloudflare's.
Once I reconfigured NPM's cert to be a true wildcard, everything works now. There are still two different certs depending on external vs internal connection, but both are now valid.
Your troubleshooting helped me identify the root issue - noticing that there were different certs. I traced the certs back and that's how I found out about the Cloudflare proxy one vs. my NPM one
Awesome! Good find. So now all your services should work locally and remotely, right?
correct!