Immich Reverse Proxy: A Guide to Configuration and Best Practices
Immich is a self-hosted, open-source platform for managing and sharing personal media libraries. To ensure secure and efficient access to Immich, especially in a self-hosted environment, a reverse proxy is often used. This guide explores the role of a reverse proxy, how to configure it for Immich, and best practices for optimal performance.
What is a Reverse Proxy?
A reverse proxy acts as an intermediary between clients (e.g., browsers or apps) and the backend server (Immich in this case). It forwards client requests to the appropriate server and returns the server's response to the client.
Benefits of Using a Reverse Proxy with Immich
- Security: Protects the backend server by masking its IP address and providing SSL/TLS encryption.
- Load Balancing: Distributes traffic across multiple servers to enhance performance.
- Caching: Improves response times by caching frequently accessed resources.
- Simplified Configuration: Provides a single entry point for multiple services or domains.
Popular Reverse Proxy Options
- Nginx: Lightweight and highly customizable, ideal for most use cases.
- Apache: Robust and widely used, with extensive module support.
- Traefik: Designed for modern containerized environments like Docker.
- Caddy: Simple to configure and automatically manages SSL certificates.
Configuring a Reverse Proxy for Immich
Prerequisites
- An instance of Immich running on your server.
- A domain name pointed to your server's IP address.
- Installed and configured reverse proxy software (e.g., Nginx).
Example Configuration for Nginx
- Install Nginx:
    sudo apt update
    sudo apt install nginx
- Create a Configuration File:
Create a new file for your Immich configuration (e.g., /etc/nginx/sites-available/immich).
- Add Reverse Proxy Settings:
    server {
        listen 80;
        server_name your-domain.com;

        location / {
            proxy_pass http://127.0.0.1:3000; # Replace with Immich backend address
            proxy_http_version 1.1;
            # Forward WebSocket upgrade requests to the backend
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            # Preserve the hostname the client requested
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        # Let's Encrypt HTTP-01 challenge path used by Certbot
        location /.well-known/acme-challenge/ {
            allow all;
        }
    }
- Enable the Configuration:
    sudo ln -s /etc/nginx/sites-available/immich /etc/nginx/sites-enabled/
    sudo nginx -t
    sudo systemctl reload nginx
- Enable SSL (Optional but Recommended):
Use Certbot to install and configure a free SSL certificate:
    sudo apt install certbot python3-certbot-nginx
    sudo certbot --nginx -d your-domain.com
Example Configuration for Docker with Traefik
If you're running Immich in Docker, Traefik simplifies reverse proxy management.
- Configure Traefik:
Ensure Traefik is set up to manage SSL and route traffic to Immich.
- Add Traefik to Your Docker Compose:
Update your docker-compose.yml file:
    version: '3.7'
    services:
      immich:
        image: ghcr.io/immich-app/immich:latest
        container_name: immich
        labels:
          # Opt this container in to Traefik routing
          - "traefik.enable=true"
          - "traefik.http.routers.immich.rule=Host(`your-domain.com`)"
          # Accept traffic only on the HTTPS entrypoint
          - "traefik.http.routers.immich.entrypoints=websecure"
          - "traefik.http.routers.immich.tls.certresolver=myresolver"
    networks:
      default:
        # Join the existing network shared with Traefik
        name: my-network
        external: true
- Deploy Your Stack:
    docker-compose up -d
Best Practices for Using a Reverse Proxy with Immich
- Enable HTTPS:
Always use SSL/TLS to secure communication between clients and your server.
- Use a Firewall:
Restrict direct access to the Immich backend server. Only allow traffic from the reverse proxy.
- Monitor Traffic:
Use tools like Nginx logs or Traefik’s dashboard to monitor requests and identify potential issues.
- Optimize Caching:
Configure your reverse proxy to cache static resources for faster load times.
- Regular Updates:
Keep your reverse proxy software up-to-date to patch security vulnerabilities.
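The Enable HTTPS practice applied to the guide's Nginx block, with the backend kept on loopback so only the proxy can reach it. This is an added example, not configuration from the original guide. It assumes Certbot's default certificate paths, a /var/www/html webroot for challenges, and the guide's placeholder domain and backend address; the HSTS header, forwarded-client headers and upload size limit are additions the guide does not mention.

```nginx
# Added example (not from the original guide). your-domain.com and
# 127.0.0.1:3000 are the guide's placeholders.

# Port 80 answers ACME challenges and redirects everything else to HTTPS.
server {
    listen 80;
    server_name your-domain.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html;   # assumed webroot for HTTP-01 challenges
    }
    location / {
        # Fixed hostname, so a forged Host header is never reflected.
        return 301 https://your-domain.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name your-domain.com;

    # Certbot's default layout under /etc/letsencrypt/live/<domain>/
    ssl_certificate     /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to stay on HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Nginx rejects bodies over 1 MB by default; the value here is an assumption.
    client_max_body_size 50000M;

    location / {
        # Loopback only: the backend should not listen on a public interface.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;

        # WebSocket upgrade, as in the guide's block.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Pass the real client address and scheme to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```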
Troubleshooting Common Issues
1. Reverse Proxy Not Forwarding Requests
- Solution: Check the proxy settings, especially the proxy_pass URL.
2. SSL Certificate Errors
- Solution: Ensure the domain is correctly configured and DNS records point to the correct IP address.
3. Slow Performance
- Solution: Enable caching in the reverse proxy and verify server resource usage.
4. Connection Errors
- Solution: Verify that the Immich backend is running and accessible from the proxy server.
Conclusion
Using a reverse proxy with Immich enhances security, performance, and scalability. Whether you choose Nginx, Traefik, or another tool, the configuration examples and best practices outlined here will help you set up a reliable and secure environment for managing your media library. With proper setup and monitoring, you can ensure a seamless user experience.