Hi there! First off want to thank the devs for creating such a great product! I’ve been using Caddy reverse proxy with Crowdsec and Authelia to host various sites and it’s been working perfectly! I’m just having trouble with the Immich app working with Authelia with Caddy as the reverse-proxy
1. The problem I’m having:
I’m using Caddy reverse proxy to host Immich with Authelia for authentication. It works perfectly on a web browser. However, using the app throws errors in the Caddy logs.
2. Error messages and/or full log output:
{"level":"error","ts":1709057882.656811,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"108.162.241.78","remote_port":"64374","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api","headers":{"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"],"User-Agent":["Dart/3.2 (dart:io)"],"Cf-Connecting-Ip":["38.85.165.230"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"Cf-Ray":["85c26d960a3a54a9-YYZ"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.003330541,"size":115,"status":401,"resp_headers":{"X-Frame-Options":["SAMEORIGIN"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi&rm=GET"],"Date":["Tue, 27 Feb 2024 18:18:02 GMT"],"Content-Type":["text/html; charset=utf-8"],"Permissions-Policy":["interest-cohort=()"],"X-Content-Type-Options":["nosniff"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Set-Cookie":[],"Content-Length":["115"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Xss-Protection":["1; mode=block"],"Server":["Caddy"]}}
{"level":"error","ts":1709057882.8636556,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"108.162.241.117","remote_port":"42772","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/.well-known/immich","headers":{"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"Cf-Ray":["85c26d9749df5437-YYZ"],"X-Forwarded-Proto":["https"],"User-Agent":["Dart/3.2 (dart:io)"],"Accept":["application/json"],"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Connecting-Ip":["38.85.165.230"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.000533741,"size":138,"status":401,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Set-Cookie":[],"Permissions-Policy":["interest-cohort=()"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2F.well-known%2Fimmich&rm=GET"],"Date":["Tue, 27 Feb 2024 18:18:02 GMT"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["138"]}}
{"level":"error","ts":1709057883.0426967,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.34","remote_port":"9716","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/server-info/version","headers":{"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26d987b7636db-YYZ"],"Cf-Connecting-Ip":["38.85.165.230"],"User-Agent":["Dart/3.2 (dart:io)"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001520894,"size":139,"status":401,"resp_headers":{"Referrer-Policy":["strict-origin-when-cross-origin"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Fserver-info%2Fversion&rm=GET"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["139"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Frame-Options":["SAMEORIGIN"],"X-Content-Type-Options":["nosniff"],"Permissions-Policy":["interest-cohort=()"],"X-Xss-Protection":["1; mode=block"],"Set-Cookie":[],"Date":["Tue, 27 Feb 2024 18:18:02 GMT"],"Server":["Caddy"]}}
{"level":"error","ts":1709057883.1072989,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.34","remote_port":"9716","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/server-info/features","headers":{"Cf-Ray":["85c26d994ca736db-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"X-Forwarded-Proto":["https"],"Cf-Connecting-Ip":["38.85.165.230"],"Cf-Ipcountry":["CA"],"X-Forwarded-For":["38.85.165.230"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001529564,"size":140,"status":401,"resp_headers":{"Server":["Caddy"],"Date":["Tue, 27 Feb 2024 18:18:03 GMT"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"X-Xss-Protection":["1; mode=block"],"Set-Cookie":[],"Permissions-Policy":["interest-cohort=()"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["140"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Fserver-info%2Ffeatures&rm=GET"]}}
{"level":"error","ts":1709057883.176247,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.34","remote_port":"9716","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/server-info/config","headers":{"Cdn-Loop":["cloudflare"],"Cf-Ipcountry":["CA"],"X-Forwarded-Proto":["https"],"Cf-Connecting-Ip":["38.85.165.230"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26d99ad5b36db-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001400052,"size":138,"status":401,"resp_headers":{"Permissions-Policy":["interest-cohort=()"],"X-Frame-Options":["SAMEORIGIN"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Fserver-info%2Fconfig&rm=GET"],"Set-Cookie":[],"Content-Type":["text/html; charset=utf-8"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Length":["138"],"Referrer-Policy":["strict-origin-when-cross-origin"],"X-Xss-Protection":["1; mode=block"],"X-Content-Type-Options":["nosniff"],"Date":["Tue, 27 Feb 2024 18:18:03 GMT"]}}
{"level":"error","ts":1709057905.3008428,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.242","remote_port":"14996","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api","headers":{"Cdn-Loop":["cloudflare"],"X-Forwarded-For":["38.85.165.230"],"X-Forwarded-Proto":["https"],"Cf-Connecting-Ip":["38.85.165.230"],"Cf-Ipcountry":["CA"],"Accept-Encoding":["gzip"],"Cf-Ray":["85c26e239da536d8-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.001637642,"size":115,"status":401,"resp_headers":{"X-Content-Type-Options":["nosniff"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Server":["Caddy"],"Permissions-Policy":["interest-cohort=()"],"X-Xss-Protection":["1; mode=block"],"Date":["Tue, 27 Feb 2024 18:18:25 GMT"],"Content-Type":["text/html; charset=utf-8"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi&rm=GET"],"Set-Cookie":[],"Content-Length":["115"],"X-Frame-Options":["SAMEORIGIN"]}}
{"level":"error","ts":1709057905.4867058,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.68","remote_port":"11466","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"GET","host":"immich.mason.dad","uri":"/api/.well-known/immich","headers":{"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Dart/3.2 (dart:io)"],"Accept":["application/json"],"Cf-Ipcountry":["CA"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26e24d8bc3a04-YYZ"],"Cf-Connecting-Ip":["38.85.165.230"],"Cdn-Loop":["cloudflare"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.00161921,"size":138,"status":401,"resp_headers":{"X-Xss-Protection":["1; mode=block"],"Content-Length":["138"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2F.well-known%2Fimmich&rm=GET"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"Set-Cookie":[],"Date":["Tue, 27 Feb 2024 18:18:25 GMT"],"Content-Type":["text/html; charset=utf-8"],"Server":["Caddy"]}}
{"level":"error","ts":1709057905.6700306,"logger":"http.log.access.immich","msg":"handled request","request":{"remote_ip":"172.69.214.105","remote_port":"47890","client_ip":"38.85.165.230","proto":"HTTP/2.0","method":"POST","host":"immich.mason.dad","uri":"/api/oauth/authorize","headers":{"Cdn-Loop":["cloudflare"],"Cf-Ipcountry":["CA"],"Content-Length":["30"],"X-Forwarded-Proto":["https"],"User-Agent":["Dart/3.2 (dart:io)"],"Cf-Connecting-Ip":["38.85.165.230"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["38.85.165.230"],"Cf-Ray":["85c26e25fc3936ff-YYZ"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Content-Type":["application/json; charset=utf-8"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mason.dad"}},"bytes_read":0,"user_id":"","duration":0.00153216,"size":136,"status":401,"resp_headers":{"Set-Cookie":[],"Server":["Caddy"],"Content-Length":["136"],"Referrer-Policy":["strict-origin-when-cross-origin"],"Permissions-Policy":["interest-cohort=()"],"Location":["https://auth.mason.dad/?rd=https%3A%2F%2Fimmich.mason.dad%2Fapi%2Foauth%2Fauthorize&rm=POST"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["SAMEORIGIN"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Date":["Tue, 27 Feb 2024 18:18:25 GMT"],"Content-Type":["text/html; charset=utf-8"],"X-Xss-Protection":["1; mode=block"]}}
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
Installed using Docker with multiple Caddy modules
‘’‘’
xcaddy build
–with GitHub - WeidiDeng/caddy-cloudflare-ip
–with GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare
–with GitHub - mholt/caddy-dynamicdns: Caddy app that keeps your DNS records (A/AAAA) pointed at itself.
–with GitHub - hslatman/caddy-crowdsec-bouncer: A Caddy module that blocks malicious traffic based on decisions made by CrowdSec.
“”“”
a. System environment:
Ubuntu 22.04 with Docker
b. Command:
N/A
c. Service/unit/compose file:
Caddy compose file
version: '3.8'
services:
caddy:
image: caddy:2
container_name: caddy
restart: always
ports:
- 60080:80
- 60443:443
- 60443:443/udp
- 2019:2019
volumes:
- ./caddy:/usr/bin/caddy:ro
- caddy-data:/data
- caddy-config:/config
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy-logs:/var/log/caddy
environment:
- CLOUDFLARE_API_TOKEN=MY_CLOUDFLARE_TOKEN
networks:
default:
ipv4_address: 172.50.0.4
security_opt:
- no-new-privileges=true
cap_add:
- NET_ADMIN
volumes:
caddy-data:
caddy-config:
caddy-logs:
networks:
default:
name: caddy-network
ipam:
driver: default
Authelia Compose file
version: '3'
services:
authelia:
image: authelia/authelia
container_name: authelia
volumes:
- ./config:/config
- authelia-logs:/var/log/authelia
- /myDrive/docker-volumes/authelia/auth-data:/data
networks:
caddy-network:
ipv4_address: 172.50.0.8
restart: always
environment:
- TZ=America/Toronto
networks:
caddy-network:
external: true
volumes:
authelia-logs:
d. My complete Caddy config:
{
email {$EMAIL}
acme_dns cloudflare {$CLOUDFLARE_API_TOKEN}
admin :2019
log {
include http.log.access.immich http.log.access.auth
level DEBUG
output file /var/log/caddy/access.log {
roll_size 50MB
roll_keep 50
}
}
order crowdsec first
crowdsec {
api_url http://172.50.0.6:8080
api_key {$CROWDSEC_API_KEY}
}
dynamic_dns {
provider cloudflare {$CLOUDFLARE_API_TOKEN}
domains {
mason.dad @ immich authelia
}
ip_source simple_http https://api64.ipify.org
ip_source simple_http https://ifconfig.me
ip_source simple_http https://icanhazip.com
check_interval 30m
versions ipv4
}
servers {
trusted_proxies cloudflare {
interval 6h
timeout 30s
}
}
}
immich.mason.dad {
forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.mason.dad/
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
crowdsec
reverse_proxy 10.10.10.10:2283
log immich
}
auth.mason.dad {
crowdsec
reverse_proxy authelia:9091
log auth
}