Immich Server Custom Domain with SSL
Complete instructions to set up your Immich server with a custom domain using Nginx as a reverse proxy and secure it with Let's Encrypt SSL certificate. This guide covers domain configuration, SSL automation, and troubleshooting.
Prerequisites
• Immich Server: Ensure your Immich server is running and accessible locally (e.g., at http://localhost:2283 or the internal IP of your server)
• Domain: You own the domain example.your-domain-name.com and have access to its DNS settings
• Server: You have a server with Nginx installed and root or sudo access
• DNS Setup: Point your domain example.your-domain-name.com to your server's public IP address by creating an A record in your DNS provider's control panel
Step 1: Configure Nginx for Your Custom Domain
We'll create an Nginx configuration to proxy requests from example.your-domain-name.com to your Immich server.
1. Create an Nginx Configuration File:
Open a terminal on your server and create a new Nginx configuration file:
sudo apt install nginxsudo nano /etc/nginx/sites-available/immich
2. Add the Nginx Configuration:
Based on the Immich documentation, use the following configuration. Replace <backend_url> with the internal address of your Immich server (e.g., localhost or your server's internal IP):
server {
server_name example.your-domain-name.com;
# Allow large file uploads
client_max_body_size 50000M;
# Set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Enable WebSockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
# Set timeout for long-running processes (e.g., Repair page)
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
# Proxy all requests to Immich
location / {
proxy_pass http://localhost:2283;
}
# Ensure Let's Encrypt compatibility for /.well-known/immich
location = /.well-known/immich {
proxy_pass http://localhost:2283;
}
}Notes: Replace http://localhost:2283 with the actual address of your Immich server if it's running on a different host or port. The location = /.well-known/immich block ensures compatibility with Immich's mobile clients.
3. Enable the Configuration:
Create a symbolic link to enable the site:
sudo ln -s /etc/nginx/sites-available/immich /etc/nginx/sites-enabled/
4. Test the Nginx Configuration:
Verify the configuration for syntax errors:
sudo nginx -t
5. Reload Nginx:
Apply the changes by reloading Nginx:
sudo systemctl reload nginx
6. Test Access:
Open a browser and navigate to http://example.your-domain-name.com. If your DNS is correctly set up and Immich is running, you should see the Immich web interface.
Step 2: Add SSL Certificate with Let's Encrypt
To secure your domain with HTTPS, we'll use Let's Encrypt with Certbot to obtain and install an SSL certificate.
1. Install Certbot:
On Ubuntu/Debian, install Certbot and the Nginx plugin:
sudo apt updatesudo apt install certbot python3-certbot-nginx
2. Obtain an SSL Certificate:
Run Certbot to automatically obtain and configure the SSL certificate for your domain:
sudo certbot --nginx -d example.your-domain-name.com
Follow the prompts: Provide an email address for renewal notifications, agree to the terms of service, and choose whether to redirect HTTP traffic to HTTPS (recommended: select the redirect option).
3. Automatic Nginx Configuration:
Certbot will modify your Nginx configuration to include SSL settings. Your updated Nginx configuration will look like this:
server {
server_name example.your-domain-name.com;
# Allow large file uploads
client_max_body_size 50000M;
# Set headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Enable WebSockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
# Set timeout for long-running processes
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
# Proxy all requests to Immich
location / {
proxy_pass http://localhost:2283;
}
# Ensure Let's Encrypt compatibility for /.well-known/immich
location = /.well-known/immich {
proxy_pass http://localhost:2283;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.your-domain-name.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.your-domain-name.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = example.your-domain-name.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name example.your-domain-name.com;
return 404; # managed by Certbot
}4. Test the Nginx Configuration:
Verify the updated configuration:
sudo nginx -t
5. Reload Nginx:
Apply the changes:
sudo systemctl reload nginx
6. Test HTTPS Access:
Visit https://example.your-domain-name.com in your browser. You should see the Immich web interface over a secure connection.
Troubleshooting
DNS Issues: Ensure example.your-domain-name.com resolves to your server's IP using dig example.your-domain-name.com or ping example.your-domain-name.com
Firewall: Allow ports 80 and 443:
sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPTsudo iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPTsudo apt-get updatesudo apt-get install iptables-persistent -ysudo netfilter-persistent savesudo netfilter-persistent reloadsudo ufw allow 80sudo ufw allow 443
Step 3: Verify Immich Compatibility
• Mobile Client Access: Ensure the /.well-known/immich path is correctly proxied. Test by accessing Immich from a mobile client to confirm you don't get the 'Your app major version is not compatible with the server' error
• Large File Uploads: The client_max_body_size 50000M setting allows uploads up to 50GB. Adjust if needed for your use case
• Timeouts: The 600-second timeouts should prevent issues with the Repair page or large uploads
Step 4: Automate Certificate Renewal
Let's Encrypt certificates expire every 90 days, but Certbot sets up automatic renewal.
1. Test Renewal:
Simulate a certificate renewal:
sudo certbot renew --dry-run
2. Verify Cron Job:
Certbot typically adds a cron job or systemd timer to renew certificates automatically. Check with:
sudo systemctl status certbot.timer
If not enabled, enable it:
sudo systemctl enable certbot.timersudo systemctl start certbot.timer
Troubleshooting
DNS Issues: Ensure example.your-domain-name.com resolves to your server's IP using dig example.your-domain-name.com or ping example.your-domain-name.com
Firewall: Allow ports 80 and 443:
sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPTsudo iptables -I INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPTsudo apt-get updatesudo apt-get install iptables-persistent -ysudo netfilter-persistent savesudo netfilter-persistent reloadsudo ufw allow 80sudo ufw allow 443
Immich Not Loading: Verify the Immich server is running (curl http://localhost:2283) and check Nginx access logs (/var/log/nginx/access.log)
SSL Errors: Ensure Certbot installed correctly and the certificate paths in the Nginx config are valid
Final Notes
• Your Immich instance is now accessible at https://example.your-domain-name.com with proper SSL termination
• The configuration adheres to Immich's requirements (root path, headers, timeouts, and /.well-known/immich compatibility)
• Regularly monitor your server and certificate status to ensure uninterrupted service
This setup ensures your Immich server is accessible via a custom domain with proper SSL security and mobile client compatibility.