Setup Immich via Docker Compose with WAF, CDN, DDoS protection, no port forwarding and automated image resizing
In this guide, we are using the docker compose setup that is recommended by the Immich team. Once everything is configured and running in your local network, we can expand on it.
The first recommended step is to use Cloudflare Tunnel to make your local instance globally available. This is free and you benefit from Cloudflare's native DDoS protection, WAF and CDN. The cloudflared daemon makes an outgoing connection to Cloudflare and exposes only the designated interfaces on the internet, without granting access to undesired parts of the network.
Start off by creating a Cloudflare account, going into the "Zero Trust" portion of the account and adding a new tunnel. Give it a name and choose a domain that you want your instance to be available on. You can use the "Access" components (SSO/VPN) to lock down the access, if you want. When you are asked to choose a local agent, select "Docker" and copy the token from the instructions. Add the following service to your docker-compose.yml and insert your valid tunnel token.
cloudflared:
  container_name: cloudflared
  image: cloudflare/cloudflared:latest
  depends_on:
    - immich-server
  restart: always
  command: 'tunnel --no-autoupdate run --token YOUR-TOKEN'
Use docker compose to start this container; the UI should now show your node as online.
Now switch to "Public hostname", add the desired subdomain for your Immich instance, leave the path empty and, for the service, configure HTTP with immich_proxy:8080 as destination.
Once saved, your cloudflared daemon will automatically update and your Immich instance is now available on the internet.
If you would like your pictures to be automatically resized - a feature which the Immich maintainers have declined - you can add the following service to your docker-compose.yml. Feel free to change the dimensions to the ones you are looking for.
upload-proxy:
  container_name: upload_proxy
  image: ghcr.io/jamescullum/multipart-upload-proxy:main
  environment:
    - IMG_MAX_WIDTH=1920
    - IMG_MAX_HEIGHT=1080
    - FORWARD_DESTINATION=http://immich-server:3001/api/assets
    - FILE_UPLOAD_FIELD=assetData
    - LISTEN_PATH=/api/assets
  restart: always
You need to route uploads to this container now, which is easy to do via Cloudflare tunnel.
Create a new public hostname, use api/asset/upload as path and direct it via HTTP to upload_proxy:6743.
Submit and move this public hostname above the previous one.
Now all file uploads will be proxied and images automatically resized before being uploaded to Immich.
Hello @JamesCullum thank you for the quick answer.
It might work smoothly, but that's because images are not being resized: as the new URL path for the uploads is /api/assets and not /api/asset/upload, the file uploads go against entry number 2 in the tunnel and don't get through the upload proxy. I've already played a little bit with the tunnel configuration, but it's quite impossible because the code itself does not distinguish a POST from a PUT or a DELETE, so everything gets treated the same way and, for example, the DELETE fails when the code tries to get a field from a request that does not have it.
I have a rough sketch in my mind on how we could get around this with a golang code snippet I found on how to make a simple requests forwarder.
Will keep you updated on the repo as you suggested and try to have a PR ready tomorrow.
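The failure described in the comment above (DELETE and PUT requests reaching multipart parsing because the tunnel matches on path only) can be avoided by dispatching on method and content type before anything reads a form field. The following Go forwarder is an added example, not code from multipart-upload-proxy or from either poster; the function names and the listen port 8088 are assumptions, while the two upstream addresses are the ones used in this guide.

```go
package main

import (
	"log"
	"mime"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// isUpload reports whether a request is a multipart POST (the only kind with a file field).
func isUpload(method, contentType string) bool {
	if method != http.MethodPost {
		return false
	}
	mt, _, err := mime.ParseMediaType(contentType)
	return err == nil && mt == "multipart/form-data"
}

// pickUpstream sends uploads to the resizer and everything else (GET, PUT,
// DELETE, JSON POSTs) straight to Immich, so those never reach multipart parsing.
func pickUpstream(r *http.Request, resizer, immich *url.URL) *url.URL {
	if isUpload(r.Method, r.Header.Get("Content-Type")) {
		return resizer
	}
	return immich
}

// newForwarder keeps the request path and swaps only scheme and host.
func newForwarder(resizer, immich *url.URL) http.Handler {
	return &httputil.ReverseProxy{Director: func(r *http.Request) {
		t := pickUpstream(r, resizer, immich)
		r.URL.Scheme, r.URL.Host = t.Scheme, t.Host
	}}
}

func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		log.Fatal(err)
	}
	return u
}

func main() {
	// Upstream hosts are the ones in this guide; listen port 8088 is an assumption.
	h := newForwarder(mustParse("http://upload_proxy:6743"), mustParse("http://immich-server:3001"))
	log.Fatal(http.ListenAndServe(":8088", h))
}
```

With a forwarder like this in front, a single tunnel hostname entry can cover the whole /api/assets path, because the method check happens behind the tunnel rather than in it.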