Newbie setting up Caddy with immich using existing certs

1. The problem I’m having:

Trying to setup a reverse proxy for immich using existing wildcard certs.

2. Error messages and/or full log output:

2024-09-08 16:53:59 {"level":"error","ts":1725832439.52594,"logger":"http.log.error","msg":"dial tcp 127.0.0.1:8283: connect: connection refused","request":{"remote_ip":"172.18.0.1","remote_port":"40138","client_ip":"172.18.0.1","proto":"HTTP/2.0","method":"GET","host":"immich.mydomain.com:4430","uri":"/photos","headers":{"Sec-Fetch-Dest":["document"],"Accept-Language":["en-US,en;q=0.9"],"Cookie":["REDACTED"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"Sec-Fetch-Mode":["navigate"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=0, i"],"Sec-Ch-Ua":["\"Chromium\";v=\"128\", \"Not;A=Brand\";v=\"24\", \"Google Chrome\";v=\"128\""],"Sec-Fetch-Site":["none"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mydomain.com"}},"duration":0.001480589,"status":502,"err_id":"yrd0qxb6i","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

3. Caddy version:

v2.8.4

4. How I installed and ran Caddy:

docker compose pull && docker compose up -d

a. System environment:

Windows Home - Docker Compose

b. Command:

N/A

c. Service/unit/compose file:

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    volumes:
      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 8283:3001
    depends_on:
      - redis
      - database
    restart: always
    healthcheck:
      disable: false

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: always
    healthcheck:
      disable: false

  redis:
    container_name: immich_redis
    image: docker.io/redis:6.2-alpine@sha256:e3b17ba9479deec4b7d1eeec1548a253acc5374d68d3b27937fcfe4df8d18c7e
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always

  database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    healthcheck:
      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command: ["postgres", "-c", "shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
    restart: always

  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - "8000:8000"
      - "4430:4430"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./certs/privkey.pem:/etc/caddy/privkey.pem
      - ./certs/cert.pem:/etc/caddy/cert.pem
    depends_on:
      - immich-server


volumes:
  model-cache:

d. My complete Caddy config:

## General Options
{
  ## Adjust ports to your needs
  http_port 8000
  https_port 4430
}

## Your wildcard domain
*.mydomain.com {
  
  ## Your wildcard certificate and its key
  tls /etc/caddy/cert.pem /etc/caddy/privkey.pem
  
  ## Immich Container
  @immich host immich.mydomain.com
  handle @immich {
    ## one of these two lines, depending on how you run your containers (adjust to your needs)
    reverse_proxy 127.0.0.1:8283
    #reverse_proxy immich_server:8283
  }

  ## Fallback for otherwise unhandled domains
  handle {
    abort
  }
}

5. Links to relevant resources:

Howdy @Cheeseball, welcome to the Caddy community.

Caddy tried to connect to the upstream server you specified and was rejected.

Since you have Caddy in a container in a standard Compose network, pointing at 127.0.0.1 is very unlikely to be correct.

I suspect the alternative line in your config (pointing to immich_server:8283) would have been correct.


I have tried both lines that are there; neither works. Here is the output/error from when I ran that version:

2024-09-09 07:20:21 {"level":"error","ts":1725884421.1324267,"logger":"http.log.error","msg":"dial tcp 172.18.0.6:8283: connect: connection refused","request":{"remote_ip":"172.18.0.1","remote_port":"39478","client_ip":"172.18.0.1","proto":"HTTP/2.0","method":"GET","host":"immich.mydomain.com:4430","uri":"/photos","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"128\", \"Not;A=Brand\";v=\"24\", \"Google Chrome\";v=\"128\""],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Cookie":["REDACTED"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["none"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-User":["?1"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["u=0, i"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"immich.mydomain.com"}},"duration":0.00346405,"status":502,"err_id":"i4wt5qze4","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

I ended up changing the Caddyfile to specify the local 10. IP address, and that seems to work. The initial connection is really slow, but I was able to verify that it works from outside my home network.

Ohh! Because the upstream isn’t actually listening on 8283:

It’s listening on 3001 and relying on Docker to expose 8283 on the host. (Why? I don’t understand the logic behind that, but oh well.)

Either way, I think the correct upstream to keep traffic within the Compose network would be: immich-server:3001

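The reply above is the whole fix: a Compose `ports:` entry such as `8283:3001` publishes container port 3001 as host port 8283, so from inside the Compose network the service only answers on 3001, and `127.0.0.1` inside the caddy container is the caddy container itself, not the host. The small POSIX shell script below is an added example (not part of the thread or of Caddy/Immich) that derives the correct in-network upstream from a `ports:` mapping and flags loopback upstreams; the function names are mine, and the sample mapping is the one from the posted compose file.

```shell
#!/bin/sh
# Added example, not code from the thread. Helpers for reading Compose "ports:"
# entries the way Docker does:
#   "8283:3001"            -> host port 8283 forwards to container port 3001
#   "127.0.0.1:8283:3001"  -> same, but published on the host's loopback only
#   "3001"                 -> ephemeral host port forwards to container port 3001
# Inside the Compose network a service listens only on the CONTAINER port, so
# another container (Caddy) must dial SERVICE:CONTAINER_PORT, never the host port.
# Port ranges ("8000-8010:8000-8010") are not handled here.

# container_port MAPPING -> prints the container-side port ("/tcp"/"/udp" stripped)
container_port() {
    printf '%s\n' "$1" | awk -F: '{ sub(/\/.*$/, "", $NF); print $NF }'
}

# host_port MAPPING -> prints the published host port, or nothing if ephemeral
host_port() {
    printf '%s\n' "$1" | awk -F: 'NF == 1 { print ""; next } { print $(NF-1) }'
}

# upstream SERVICE MAPPING -> the address Caddy should dial from inside the
# Compose network (Compose resolves the service name on the shared network)
upstream() {
    printf '%s:%s\n' "$1" "$(container_port "$2")"
}

# check_upstream UPSTREAM -> returns 0 unless the host part is a loopback
# address, which from inside the caddy container is caddy itself (the 502 in
# the thread's first log line).
check_upstream() {
    case "$1" in
        127.*|localhost:*|\[::1\]:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Walk through the thread's case: immich-server publishes "8283:3001".
mapping="8283:3001"
echo "in-network upstream: $(upstream immich-server "$mapping")"   # immich-server:3001
echo "published on host:   $(host_port "$mapping")"                 # 8283
check_upstream 127.0.0.1:8283 \
    || echo "127.0.0.1:8283 is a loopback upstream: wrong from inside a container"
```

Two practical follow-ups. To confirm the upstream from where Caddy actually dials, run a request from inside the caddy container (the official image is Alpine-based, so BusyBox `wget` is available): `docker compose exec caddy wget -qO- http://immich-server:3001/`. And once Caddy is the only intended entry point, the `8283:3001` entry on `immich-server` is no longer needed; Docker publishes it on every host interface by default, which leaves Immich reachable over plain HTTP without going through the TLS listener, so either delete it or bind it to loopback (`127.0.0.1:8283:3001`).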
