May 18, 20251 yr My current setup is Traefik as a reverse proxy with a .com domain name and lets encrypt certs. I have a bunch apps I access through subdomain.mydomain.com. I've converted everything over to SSO with Authentik. My last app to solve is Immich. Immich uses Oauth2/OIDC for SSO. Right now standard username/password works. OIDC even works BUT only if Immich is configured to use the internal IP and port instead of auth.mydomain.com. I've tried trouble shooting the network issues but I'm not coming up with anything. All the containers are on the same custom docker network. Traefik is just using container names to connect on the back end with everything. Searching for troubleshooting steps people suggested ping, traceroute and curl. I've tried to run ping and traceroute against mydomain.com. They both show my external IP. If I try to curl -X POST https://immich.mydomain.com I just get a timeout. Curl for something like google.com works as expected for me. Has anyone else gotten Authentik and Immich to work with OIDC on their server with public domain name? Should curl work from my server to a it's public domain name or does that create some weird routing problem? I followed Ibracorp's guides for Traefik and Authentik but he only covers standard user/pw login. I'm using his templates from the app store and have a docker compose setup for Immich. Not sure what else to try here?
May 19, 20251 yr Community Expert possible yes, imich has other header that are needed adn documented in immich docs.. May need to use nginx revers proxy to add a 2fa before/after... I believe immich has support for oath 2fa... https://github.com/immich-app/immich/discussions/8175 ... yeah immich oath exisit in admin setting of immich...
May 19, 20251 yr Community Expert immich needs addition data in the header... review and see: https://immich.app/docs/administration/reverse-proxy/ not sure of Traefik as a reverse proxy but can confirm this works with nginx proxy manger and tailscale...
May 21, 20251 yr Author Solution On 5/19/2025 at 12:13 AM, bmartino1 said:immich needs addition data in the header... review and see:https://immich.app/docs/administration/reverse-proxy/ not sure of Traefik as a reverse proxy but can confirm this works with nginx proxy manger and tailscale...I don’t know if I fixed so much as I got a hack that works. First up I do have the headers. I’m going to stick with the docker compose over the CA store template because my pictures are more important than Oauth and that’s the method immich supports. Their docs already warn updates could blow up your data so I’ll take the most stable setup I can get. I did a bunch more searching and found mostly people failing but someone suggested to use host network but I still couldn’t curl 1 container from another using the public domain names. So I gave up on that.I remembered that oauth worked when I used my authentik IP address instead of public domain name. I found out it was possible to change unraid dashboard ports and moved my reverse proxy(traefik) over to 80 and 443. I’m using Technitium for a DNS server, added a record for authentik.mydomain.com to point to the local IP address and now it all works.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.