I’ve been using Immich on my home server for a while now. My family and I use the phone app to back up our photos, which works great on Android and iOS. The only problem was that you couldn’t access the photos from outside your local home network. This was quite an annoyance because even if all the photos exist locally on your device you can’t use the helpful Immich features like face recognition or image search because the database sits on the home server.

Tailscale

Tailscale is a service that allows you to VPN into local networks from outside to access local devices. So instead of using a VPN, for example, to get a french IP address to circumvent local media restrictions you VPN into your home internet. And when you are on your home network, you will be able to access your Immich data. They even mention this as a method for remote access in their documentation here.

I like that the Tailscale client application is open source but the control server sadly isn’t. There is an open source control server which I host on my server called Headscale which works without issues until now. If you don’t want to go through the hassle of setting up the server on your own there is a free tier for Tailscale which should be enough for your use case.

But one of the problems with Tailscale is that it does not use the same IP address for your server as when you are on your local home network. Tailscale will use an IP address in the range of 100.x.y.z while your server uses a local address like 192.168.0.34 for example. So when you want to use Immich from outside you will have to use the address given by tailscale which means you have two different addresses for the same service.

Reverse Proxy

There is an option in the app to automatically switch URLs of the Immich server based on if you are at home or not. This means that when you are on your home network it will use the local IP address of your home server and as soon as you exit this network it switches to a public IP address.

My problem with this solution is that you need a server with a public facing IP address. The problem with this is that I don’t want to make my server visible to the open internet because there may be a chance it gets hacked. And secondly I would also like to be able to type a URL into the browser to access Immich instead of an IP address. For this reason I decided to use an approach using a local DNS server, reverse proxy and Tailscale’s magic DNS.

Local DNS Server

Setting up a local DNS server is simpler than it may seem. I will be using dnsmasq. You have to first install it and then enable it via your init system (most probably systemd).

Then you have to go into the settings of your homes router and change the DNS address to the one of your server. If possible leave a second fallback DNS. This means that when you enter a URL in your browser at home the DNS server on your home server will look if it has the IP address of the site you are looking up, if not then it sends the request to another DNS.

Now you can add some of your own links. It’s as simple as editing the /etc/hosts file on your server. It should look something like this:

192.168.0.34    my-home-server.local

First the IP address and then the domain you want to use to access it. You can set whichever domain you want, including ones that are active. Just remember that you will not be able to visit this site anymore because it will always direct you to your own server first.

Nginx Reverse Proxy

Setting up a reverse proxy in Nginx is not that hard if you were already able to set up an Immich instance. If you want to use another web server like Apache feel free to do so.

First you need to create a file in /etc/nginx/sites-available/, The file can be named however you want. Then you can paste this into it:

server {
    server_name <public_url>;

    # allow large file uploads
    client_max_body_size 50000M;

    # disable buffering uploads to prevent OOM on reverse proxy server and make uploads twice as fast (no pause)
    proxy_request_buffering off;

    # increase body buffer to avoid limiting upload speed
    client_body_buffer_size 1024k;

    # Set headers
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # enable websockets: http://nginx.org/en/docs/http/websocket.html
    proxy_http_version 1.1;
    proxy_redirect     off;

    # set timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://<backend_url>:2283;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }

}

Change <public_url> with the domain you want to use, just make sure the domain points to your server. You can also use a subdomain like immich.my-home-server.local. The <backend_url> is just localhost so put 127.0.0.1 there. You can read more about the nginx file as it may change here.

Then you have to link the file to the /sites-enabled directory

ln -s /etc/nginx/sites-available/immich /etc/nginx/sites-enabled

And then you have to reload nginx

systemctl reload nginx

You should see it working now.

I have not yet added an ssl certificate so this will only run on http but I am working on a way to get https.

Tailscale Magic DNS

While using a Tailscale connection you are automatically using a Tailscale Magic DNS server. It gives you the option of setting a domain which points to individual devices on your home network, in this case your home server for example.

If you are using headscale you can follow the guide here. Add this to your /etc/headscale/config.yaml file:

  extra_records:
      - name: "immich.my-home-server.local"
        type: "A"
        value: "100.64.0.2"

Switch the value field with the Tailscale IP address of your home server. Add the same domain as before and it should work.

Now you just have to change the address in the immich app and that’s it. With this setup you can keep using the same domain, whether you’re home or out.