Cloudflare Tunnel
Hi,
I am running Immich on my server at home and I am using the Cloudflare Zero Trust tunnel to access it remotely from my phone. I have a tunnel set up with which I can reach Immich at the tunnel.domain.com address from outside my network. From the app, however, it says that I used the wrong password/username/domain.
I can, however, connect from my local network over the IP of the proxy container. I set the tunnel up so that it points the immich.domain.com address to the proxy container.
Is there something I am missing? I tried so many things, but nothing worked.
53 Replies
Did you add /api to the address when entering it in the app?
Yes. When I am on my phone and I go to immich.domain.com/api/server-info/ping it returns "pong", but the app will not connect.
Maybe it has something to do with the IMMICH_API_URL_EXTERNAL variable? It doesn't seem to affect anything. I currently have it set to "http://immich-server:3001". I tried immich.domain.com, but without luck.
Maybe it could be some sort of SSL verification problem on the client side?
Unless you have a non-default setup, you shouldn't need to set any of those URL variables.
It could be SSL. Do you have a valid certificate?
Cloudflare takes care of the certificates AFAIK.

I also run Nextcloud in the same fashion and there are no certificate issues in their app.
Also, browsers never complain about certificate issues.
Can you show your redacted .env file?
Is this related?
https://github.com/immich-app/immich/issues/1305
[Feature]: Ability to pass custom headers via mobile apps · Issue #...
I don't think so. I don't want Cloudflare to handle authentication. I just use it to connect a service to a public hostname. Usually no headers are required.
Ah, got it. Does it work on a mobile network (data, no local WAN)?
When you connect in the browser, do you get a warning about an insecure connection?
It does work on a mobile connection and I get no warning in the mobile browser. I also tried it in a different browser from the one I normally use, in a private tab.
I mean, does login to the app work on mobile data? Or does login always not work?
Ah, sorry. Yes, login also works.
So it only doesn't work on your local network via hostname.
But you can see the website locally via hostname?
I can log into the app with the local IP. I cannot over the public hostname (regardless of local or mobile connection).
I can log into the website in any case.
Ok, that seems like it would indicate an SSL issue, maybe.
How would I investigate that? The app does not show any relevant logs.
Similar issue over here:
https://discord.com/channels/979116623879368755/1065861485798096936/1065872957689303080
I'd double check it shows everything is good for the certificate on chrome.

Man, everything looks good.
¯\_(ツ)_/¯
I am very clueless
Do you self-sign the SSL certificate?
Perhaps related to this: https://github.com/immich-app/immich/issues/765
[BUG] Cannot access Immich behind HTTPS reverse proxy from Android ...
I assume you are using Android.
Yes, using Android.
How is your certificate handled? Self-signed?
I am not aware of self-signing any certificates. The cloudflared service is doing all the HTTPS stuff.
Got it.
I am just telling Cloudflare the local IP of the service, in my case http://localhost:2283, and it makes it available at immich.domain.com.
Have you tried with an actual IP, not localhost?
It also works if I tell it my local IP (http://192.168.1.87:2283).
Could the problem be that Cloudflare creates a wildcard certificate for the domain, like *.domain.com?

I am not sure. Can we edit/remove the wildcard domain to test?
AHHHH.
I tried a different domain I had lying around. If I use just the base domain, no subdomain, it works and I can log into it from the app.
This is super weird.
Hmm.
So, like domain.com?
Yes.
That is weird.
Interestingly, it is also a wildcard certificate.

But they are from different trust sources.
Left is also a .com domain and on the right is my throwaway .win domain.
If I use a subdomain on the .win domain, it also works. So it might be a problem with the Google Trust Services certificate?
Yeah, since it is the only difference.
The last TLD (.xyz) I own also works from the app.

I am hosting it now from a different domain and everything is fine now. Thanks for the help. I appreciate your work and the support!
Should I create a ticket on that matter?
I don't see the need yet, as this is not related to Immich; you can post in the show-and-tell discussion thread on GitHub.
Maybe it's some sort of problem for the Android app?
I think it might be related to how Android handles certificates.
https://discord.com/channels/979116623879368755/1065861485798096936
This might solve your problem
Here's how I do it:
1) In the Zero Trust app I made a policy that people with the WARP app can bypass Cloudflare's authentication.
2) Then I set a WARP login policy that uses CF's typical way of login.
3) After doing this I go to advanced settings in my WARP and log in using Zero Trust and enter all the details; after that all my domains are accessible without having to log in for each one.
4) Then on my phone I just enter the public domain which is tunneled, which I think OP has set up properly, followed by the auth username and password.
5) That's it; the rest of the app works fine as long as the VPN created by WARP is kept online.
This way people with Zero Trust login can access the app; for getting access to Zero Trust they need to be in the approved email list, which is a policy that you can set on their page.
Will using Immich with a CF tunnel not be a violation of their TOS?
What term would be violated?
They have some condition with a bandwidth limit for media. Some accounts got banned while using Plex/Emby through a CF tunnel. I assume the photo and video uploads/downloads via the tunnel will also be under the same category.
Good to know.
I guess photos aren't hitting as hard as videos do, IMO; that's why I haven't received any emails about my Immich causing problems.
@Alex Tran, one more question related to Cloudflare: does Immich have support for those custom headers? As in "service auth tokens" under Cloudflare Zero Trust.
Like the app LunaSea does for its modules.
I think what might be happening here is the WAF/anti-bot/DDoS protection of Cloudflare kicking in.
Try disabling DDoS protection if you can.
https://support.cloudflare.com/hc/en-us/articles/218411427-Is-there-a-tutorial-for-PageRules-
Check the cloudflare firewall logs first.
?