
Background downloader does not take HTTP configuration into account causing asset downloads to fail for certain HTTP configurations #14945

Closed
1 of 3 tasks
sdebruyn opened this issue Dec 27, 2024 · 12 comments

Comments

@sdebruyn
Contributor

The bug

The user can configure certain HTTP-related features; in my case I came across this issue because I use client certificate validation (mutual TLS / mTLS).

Some features in Immich use the background_downloader package. E.g. when downloading an asset. The HTTP configuration is not passed to this background_downloader package, causing all HTTP requests to fail.

In my case this means I'm unable to download assets.

Code reference

The OS that Immich Server is running on

Cloudflare Tunnel

Version of Immich Server

1.123.0

Version of Immich Mobile App

1.123.0

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

irrelevant

Your .env content

irrelevant

Reproduction steps

  1. Configure Immich server with HTTP proxy or tunnel in front with mTLS
  2. Configure Immich to use mTLS
  3. Download an asset
  4. Result: downloads fail
    ...

Relevant log output

Nothing relevant in the logs

Additional information

No response

@DrieWielRr

DrieWielRr commented Jan 1, 2025

I have the exact same problem, ditched always-on VPN and started using mTLS a while ago and now the wifey started complaining that she's constantly unable to download pictures out of my shared album.
Testing her claim I was also unable to download cloud-only pictures to my phone (now running 1.123.0, updated from 1.121.0 to see if that fixed the problem but it didn't).
After switching the app to the local-LAN address downloads worked fine again; setting it back on the mTLS settings downloads were unavailable again with the error "Download failed" and absolutely zero logs about the failure.

Edit:
I'm running mTLS directly on my Fortigate firewall with my own private PKI.

Edit 2:
I know it's not related to this issue but just to get it out there once more I'd also really love to see a "download selected" option within the app.
Downloading multiple images is a PITA atm.

@EssGeeEich

EssGeeEich commented Jan 4, 2025

I think this is the issue I'm currently facing.

I have nginx as a reverse proxy in the middle with a custom PKI, and apparently cannot download any file from the app nor can I stream a video that I don't locally have.

The nginx logs don't see anything being accessed from the app at all, not during a video stream request, nor when I try to download a file.

Web app works fine.

P.S. It's enough to just run a custom PKI, configuring client certificate is not necessary to trigger the issue.

I currently attribute my issue to the "ignore custom certificate errors" flag not being passed through.

Reconfiguring the proxy to allow http fixes this issue for me... until the issue is closed.
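The reporters above describe an nginx (or firewall) reverse proxy that requires a client certificate from a private CA, and note that the app's failed downloads leave no trace in the logs. As an added example that is not from the issue or from Immich, this nginx server block assumes placeholder certificate paths, hostname and upstream port, and shows the mTLS setting together with a log format that records the verification result per request, so a request that arrives without a client certificate (as one sent by a downloader that ignores the app's HTTP configuration would) is rejected with an explicit 496 and shows up in the proxy's access log:

```nginx
# Added example (not from the issue or Immich): nginx reverse proxy that
# requires a client certificate issued by a private CA. All paths, the
# hostname and the upstream address are placeholders.
log_format mtls '$remote_addr "$request" $status '
                'client_verify=$ssl_client_verify dn="$ssl_client_s_dn"';

server {
    listen 443 ssl;
    server_name immich.example.internal;                  # placeholder

    ssl_certificate     /etc/nginx/certs/server.pem;      # placeholder
    ssl_certificate_key /etc/nginx/certs/server.key;      # placeholder

    # Private CA that issued the client certificates (mTLS).
    ssl_client_certificate /etc/nginx/certs/private-ca.pem;  # placeholder

    # 'optional' completes the handshake so the outcome is available in
    # $ssl_client_verify (SUCCESS, NONE or FAILED:<reason>) and is logged
    # with every request; the check in the location still rejects anything
    # that was not verified.
    ssl_verify_client optional;

    access_log /var/log/nginx/immich-mtls.log mtls;

    location / {
        # Reject requests that did not present a valid client certificate,
        # e.g. from a downloader that never received the app's mTLS config.
        if ($ssl_client_verify != SUCCESS) {
            return 496;   # nginx: "No required SSL certificate was sent"
        }
        proxy_pass http://127.0.0.1:2283;                 # placeholder upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

A failed download then appears in the access log as a 496 with `client_verify=NONE`, which distinguishes a missing client certificate from an unreachable server or an application error.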

@bo0tzz
Member

bo0tzz commented Jan 4, 2025

Reconfiguring the proxy to allow http

This seems like a bad idea. A better "workaround" would be using real WebPKI certificates.

@DrieWielRr

I currently attribute my issue to the "ignore custom certificate errors" flag not being passed through.

That could be the case, my PKI is private as well.
Not planning on going with public PKI because the cost of managing it is just too much for me, and LetsEncrypt is not an option for me because I have many IOT devices with certificates (because many browsers are annoying with their war on self-signed certs, so having your own CA that is trusted on every device within the LAN is great and it provides me the option of generating IOT useless-certificates with 50 year expiration dates just so browsers won't bug me when accessing the web interfaces).
My mTLS also runs based on that private CA and I have imported the CA into Android with the mTLS client certificate that is required for more services than Immich (like HASS).
In the Immich app I imported the certificate as well and selected the self-signed cert checkbox to get it to connect; other than not being able to download, it all works flawlessly.

@EssGeeEich

EssGeeEich commented Jan 4, 2025

Reconfiguring the proxy to allow http

This seems like a bad idea. A better "workaround" would be using real WebPKI certificates.

I already evaluated risk-benefit. Not gonna do that. My instance is not public anyways and is only accessed through LAN or VPN. I can survive with unencrypted traffic for a while. I don't have the resources nor willpower nor any plan to make it a public instance just to have letsencrypt serve me a certificate for a private server with a subdomain that's completely local to my LAN, just to work around an evident bug.

Edit: of course other people should do their evaluations. For public facing instances you certainly don't want to run HTTP mode.

@EssGeeEich

In the Immich app I imported the certificate as well and selected the self-signed cert checkbox to get it to connect; other than not being able to download, it all works flawlessly.

Yup, another issue with Immich is that you need to flag the "ignore self signed cert" or the instance doesn't work.

Technically the certificate is in fact NOT self-signed, it's just been signed by a CA that Immich does not recognize. Even if I install the root CA on my Android phone (which I did right as I configured my root CA...) Immich does not take that into account; au contraire, I have other apps that don't have this issue, e.g. Jellyfin, Nextcloud, NTFY...

@bo0tzz
Member

bo0tzz commented Jan 4, 2025

make it a public instance just to have letsencrypt serve me a certificate

You don't have to make something publicly accessible to get a Let's Encrypt cert. For example you can use a DNS-01 type challenge, which also lets you get a wildcard certificate if you like.

@DrieWielRr

make it a public instance just to have letsencrypt serve me a certificate

You don't have to make something publicly accessible to get a Let's Encrypt cert. For example you can use a DNS-01 type challenge, which also lets you get a wildcard certificate if you like.

Yes, but I can't generate certificates with years of lifetime for my private services that require certificates but not the ridiculous enterprise-grade expiration dates, so that means having to keep monitoring certificate expiration or my local services start failing if renewals didn't succeed.
I already have that job outside of my home as an IT administrator; I don't need that for my local infrastructure that's just "private".

@ckuyehar

I just created a guide documenting how to securely set up a TLS reverse proxy on the Internet for anywhere Immich mobile app use.

you can review these docs, https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/guides/remote-access.md and https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/administration/reverse-proxy-tls.md

Please note: this doesn't resolve the issue; it merely works around the existing capabilities of Immich today.

@mmomjian
Contributor

#15230

mmomjian closed this as not planned on Jan 10, 2025
@DrieWielRr

Closed as "Not planned"?
Does this mean mTLS stays broken for downloads?

@mmomjian
Contributor

As explained in #15230 the dev team does not plan to work on these experimental features but if someone is interested in writing a PR we will consider it.

6 participants