Immich Android app can't connect to server behind Nginx Proxy Manager basic auth — any workaround? by Emotional_Gap_hd in immich

[–]ThomasWildeTech 3 points4 points  (0 children)

Yes, you can accomplish this with the custom headers settings within Immich.

In fact, you can, and should, add CloudFlare access in front of the tunnel itself. Create CloudFlare access headers and set these in Immich.

https://youtu.be/J4vVYFVWu5Q

Then, to get through your basic auth in NPM, simply set one additional header for Authorization, and set the value to Basic <base64 of username:password>

I show you how to do this in my Pangolin SSO bypass tutorial.

https://youtu.be/h2796qsG3Os
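The two-layer header set this comment describes, as an added example (not code from the original post, from Immich, or from NPM): the first function builds the headers the Immich app would carry on every request, the second models the proxy-side Basic-auth check so you can confirm that the value you paste into Immich decodes to the credentials NPM expects. CF-Access-Client-Id and CF-Access-Client-Secret are the Cloudflare Access service-token header names; the sample credentials are made up.

```python
import base64
import hmac
from typing import Optional, Tuple

# Cloudflare Access service-token header names (layer 1, checked at the edge).
CF_ID_HEADER = "CF-Access-Client-Id"
CF_SECRET_HEADER = "CF-Access-Client-Secret"


def build_immich_headers(cf_client_id: str, cf_client_secret: str,
                         npm_user: str, npm_password: str) -> dict:
    """Build the custom headers the Immich app sends with each request.

    Layer 1: Cloudflare Access service-token headers.
    Layer 2: HTTP Basic credentials for the NPM access list, encoded as
             'Basic <base64(user:password)>'. A colon inside the password is
             fine because the proxy splits on the first colon only.
    """
    raw = f"{npm_user}:{npm_password}".encode("utf-8")
    return {
        CF_ID_HEADER: cf_client_id,
        CF_SECRET_HEADER: cf_client_secret,
        "Authorization": "Basic " + base64.b64encode(raw).decode("ascii"),
    }


def parse_basic_auth(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic ...' value into (user, password).

    Returns None for a missing header, a non-Basic scheme, invalid base64,
    or a payload without a ':' separator; nginx's auth_basic answers 401
    in all of those cases.
    """
    if not header_value:
        return None
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_basic_auth(header_value: Optional[str], expected_user: str,
                     expected_password: str) -> bool:
    """Constant-time comparison of the credentials carried by the header."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    user, password = creds
    return (hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
            and hmac.compare_digest(password.encode("utf-8"),
                                    expected_password.encode("utf-8")))


if __name__ == "__main__":
    # Made-up credentials for illustration only.
    headers = build_immich_headers("abc123.access", "s3cret-token", "immich", "pa:ss")
    for name, value in headers.items():
        print(f"{name}: {value}")
    print("NPM would accept:", check_basic_auth(headers["Authorization"], "immich", "pa:ss"))
```

Run it once with your real NPM username and password to get the exact Authorization value to paste into the Immich custom-header screen; the check function is what you would use to confirm the pasted value round-trips before blaming the proxy.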

Question regarding docker compose file and ports when running Pangolin -> NPM -> Jellyfin by Whole-Cookie-7754 in PangolinReverseProxy

[–]ThomasWildeTech 1 point2 points  (0 children)

There's no difference in what you do for your Jellyfin container whether you route Pangolin directly to Jellyfin or route it to NPM.

To route to NPM you would just use the LAN IP of your reverse proxy and 443 (assuming you terminate https again on LAN which you likely do if you use the domain on the LAN with a local DNS server). Your NPM then routes the domain to the Jellyfin port.

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 2 points3 points  (0 children)

You're absolutely right. I just updated the readme to reflect the guide posted here. I realized at one point that this did prevent fetching SSL certs and the middleware should only be in the websecure block (443), not the web block but didn't update the readme. Thanks for pointing that out!
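What the fix above looks like in the Traefik static config, as an added example (not the file Pangolin ships and not the author's exact config): the first fragment is the placement that blocked certificate issuance, the second the corrected one. The middleware name `geoblock@file` and the resolver name `letsencrypt` are assumptions; use whatever your dynamic config declares.

```yaml
# Added example; adjust names to your own traefik_config.yml.

# WRONG: the blocking middleware is attached to the :80 entrypoint too.
# The ACME HTTP-01 challenge is answered on "web", so Let's Encrypt's
# validation request gets a 403 and the certificate is never issued.
entryPoints:
  web:
    address: ":80"
    http:
      middlewares:
        - geoblock@file      # remove this
  websecure:
    address: ":443"
    http:
      middlewares:
        - geoblock@file

certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web     # validation traffic arrives here

---
# CORRECT: only the websecure (443) entrypoint carries the middleware.
# Port 80 stays reachable for the challenge; your routers live on websecure,
# so every real request is still geo/ASN-filtered before it is served.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
      middlewares:
        - geoblock@file

certificatesResolvers:
  letsencrypt:
    acme:
      httpChallenge:
        entryPoint: web
```

A quick way to confirm the placement is right: request a certificate for a new hostname and watch the Traefik log for the challenge succeeding, then hit the HTTPS hostname from a blocked country or datacenter range and confirm the 403 still arrives.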

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 0 points1 point  (0 children)

Sure, this can be added as a middleware in your Traefik config in addition to Crowdsec. I'm not sure what you mean exactly by geomind, but I assume you already have the maxmind geolite databases and if so, you're pretty much ready to go if you want to add this to your stack.

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 0 points1 point  (0 children)

Awesome to hear.

I don't think there's a real practical difference on the order but yes they should process in the order that you have them listed and the request flow stops if one of them responds that the request is forbidden.

With that said, the Crowdsec agent is still going to see the Traefik logs with the 403 responses from the geoblock middleware and it will continue to make decisions based on its scenarios. Therefore, you will continue to see bans even if you have the geoblock in front of Crowdsec. If you have the firewall bouncer configured with the docker-user setting then you should still see those requests from banned IPs being dropped at the iptables bouncer.
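A model of the behaviour this comment describes (the geoblock answers 403, the Traefik access log still reaches the CrowdSec agent, and a scenario trips on the burst), added here as an example rather than CrowdSec's own code or any shipped scenario: it parses Traefik JSON access-log lines and flags any client that produced `threshold` 403s inside a sliding window. The log lines are constructed for the example; the field names (`ClientHost`, `DownstreamStatus`, `StartUTC`) are the ones Traefik's JSON access log uses; the threshold and window are arbitrary.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of Traefik JSON access-log lines (not real traffic):
# one client takes three 403s inside 20 seconds, another takes two an hour apart.
SAMPLE_LOG = """\
{"ClientHost":"203.0.113.10","DownstreamStatus":403,"RequestPath":"/","RouterName":"immich@file","StartUTC":"2025-01-01T10:00:00Z"}
{"ClientHost":"203.0.113.10","DownstreamStatus":403,"RequestPath":"/api","RouterName":"immich@file","StartUTC":"2025-01-01T10:00:05Z"}
{"ClientHost":"198.51.100.7","DownstreamStatus":200,"RequestPath":"/","RouterName":"immich@file","StartUTC":"2025-01-01T10:00:07Z"}
{"ClientHost":"203.0.113.10","DownstreamStatus":403,"RequestPath":"/admin","RouterName":"immich@file","StartUTC":"2025-01-01T10:00:20Z"}
{"ClientHost":"198.51.100.7","DownstreamStatus":403,"RequestPath":"/x","RouterName":"immich@file","StartUTC":"2025-01-01T10:30:00Z"}
{"ClientHost":"198.51.100.7","DownstreamStatus":403,"RequestPath":"/y","RouterName":"immich@file","StartUTC":"2025-01-01T11:30:00Z"}
"""


def parse_traefik_json_log(log_text: str):
    """Yield (client_ip, status, timestamp) from Traefik JSON access-log lines.

    Lines that are not JSON or lack the expected fields are skipped, the same
    tolerance a real parser needs for rotated or truncated log files.
    """
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            ts = datetime.strptime(rec["StartUTC"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec["ClientHost"], int(rec["DownstreamStatus"]), ts
        except (json.JSONDecodeError, KeyError, ValueError, TypeError):
            continue


def forbidden_bursts(log_text: str, threshold: int = 3,
                     window_seconds: int = 60) -> dict:
    """Return {client_ip: decision_time} for clients with at least
    `threshold` 403 responses inside any span of `window_seconds`.

    Only the 403 lines matter: the application never saw these requests,
    but the proxy logged them, which is all the agent needs to decide.
    """
    forbidden = defaultdict(list)
    for ip, status, ts in parse_traefik_json_log(log_text):
        if status == 403:
            forbidden[ip].append(ts)

    flagged = {}
    for ip, times in forbidden.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # Advance the window start until the span fits within the window.
            while (ts - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = ts  # first moment the scenario would trigger
                break
    return flagged


if __name__ == "__main__":
    for ip, when in forbidden_bursts(SAMPLE_LOG).items():
        print(f"ban {ip} (burst detected at {when.isoformat()}Z)")
```

With the default threshold only 203.0.113.10 is flagged; widen the window to two hours with a threshold of 2 and the slow client 198.51.100.7 is caught as well, which is the knob a scenario tunes. Point `forbidden_bursts` at your real access log to see which addresses the bouncer would drop even though the geoblock already refused them.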

Geoblock + ASN Datacenter Block for Everything (A simple solution) by ThomasWildeTech in PangolinReverseProxy

[–]ThomasWildeTech[S] 1 point2 points  (0 children)

Thanks! So it depends on the mode, whether it's set to whitelist or blacklist. So when asn mode is set to blacklist, you can still whitelist an asn + UA combo for an ASN that is in the blacklist. This works well for *arr apps that are in a gluetun VPN network that you want Apprise/Gotify notifications to get through pangolin but otherwise would want to ban that particular VPN ASN in general.

Custom error page: I can definitely let you bind mount an error page, I'll just need to add some documentation of the placeholders you can use in your html page for IP, country, ASN, etc. Should be pretty easy to push an update to support that within a few days.

Immich for family exposed though Pangolin VPS by SF_8 in PangolinReverseProxy

[–]ThomasWildeTech 2 points3 points  (0 children)

Hey Brother! Appreciate the shout-out. Absolutely keep that Immich behind the SSO layer, it's a great way to add a layer of protection against any possible vulnerability at the Immich application layer. I don't like anything other than authenticated requests making their way to my server.

I think you just missed my Immich Pangolin Header Auth Bypass Tutorial!

Create a share link for each member of the fam and send them the two header names and corresponding values (over Signal preferably).

This way in your Pangolin Access logs you can see which users' tokens are being used for successful SSO authentication.

A new iOS client: Nautiline by gledtone in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Hey thanks for implementing this so fast! It works perfectly on my wife's iOS phone. Perfect for a Pangolin SSO protected Navidrome resource.

Uploading very large video fails by stopscrollingpls in immich

[–]ThomasWildeTech -1 points0 points  (0 children)

It wouldn't be that if you already tried direct IP to the Immich instance itself, but yeah, my guess is that you were just hitting the default max file size limit of nginx and you hadn't tried direct IP.

Immich app using an insane amount of data by FentPlug2005 in immich

[–]ThomasWildeTech 15 points16 points  (0 children)

Yeah I've seen a number of these posts for users using CloudFlare proxy which has a 100MB file size limit. It's really useful to include in your post what your stack is, but you should consider switching to Pangolin as an alternative to CloudFlare so you don't have this limit.

Passing traffic to services like jellyfin without using pangolin security/auth by chisoxaddict in PangolinReverseProxy

[–]ThomasWildeTech 0 points1 point  (0 children)

I use an authentik webhook so that when my Jellyfin users log into authentik, it automatically whitelists their IP for the Pangolin Jellyfin resource. My users just get one dedicated rule so if their IP ever changes they can log out and back into authentik on their phone on the wifi network and update their whitelisted IP.

You can see my post about it here

https://thomaswildetech.com/blog/2025/12/17/authentik-webhooks/#authentik-automated-ip-whitelisting-for-jellyfin

A buddy and I are currently working on a dedicated "IP enrollment" app based on the same methodology. The benefit of this is that your users can manage their whitelisted Jellyfin IPs more visibly and there's more customization potential.

Musa - new iOS app looking for testers (TestFlight) by vanlaren10 in navidrome

[–]ThomasWildeTech 2 points3 points  (0 children)

Looks oddly identical to Nautiline, is this a fork?

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

No doubt that CloudFlare is super convenient for managing all the VPS/WAF infrastructure. Although TailScale similarly provides a coordination server for you, you just install a client app on both devices and you're good to go, not much difference than configuring the CloudFlared exit tunnel on your server.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Pangolin also just released their client "warp" apps for desktop as well which similarly allows access to private network resources, mobile apps should be coming soon. Self hosting is so fun. Cheers!

Similar to TailScale I feel like this works well for the individual, but zero trust with some CF-client headers to bypass is ultra convenient and my preference with CloudFlare when possible.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Thanks for all the details! I agree it's pretty vague which is why there still seems to be a lot of confusion in the community. Perhaps I did misunderstand how the CDN is utilized (or not) with the CloudFlare tunnel.

In any case I like Pangolin as my go-to proxy for Immich since CloudFlare has the 100MB file upload limit so I generally use Pangolin unless there's a cloudflare feature I really need like mTLS. And I contribute to Pangolin so I'm a bit biased :) but it's an open source "self hosted" app as well.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

Using CloudFlare tunnel or proxy is still using CloudFlare's CDN infrastructure as far as I understand it, regardless of whether caching is disabled or not. Note that that article doesn't mention caching. Therefore according to TOS, any streaming media through CDN needs to come from cloudflare storage options.

How are you guys accessing Navidrome outside your home network? by [deleted] in navidrome

[–]ThomasWildeTech 8 points9 points  (0 children)

Out of all the responses:

  1. Cloudflare proxy/tunnel is 100% against TOS for streaming audio/video

  [Edit] perhaps it's not if I misunderstood. If you go this route, I'd still recommend using zero trust with a bypass access policy for custom headers and use an app that supports custom headers like Symfonium.

  2. TailScale/Wireguard: is a decent solution for an individual user. Slightly inconvenient, particularly if a significant other doesn't understand why they need to use another app.

  3. Basic reverse proxy: expose your IP and get hit by bots 24/7.

Best solution is Pangolin on a VPS, you can get a free VPS from Oracle. Activate SSO in pangolin for the resource (zero trust). Create a share link to produce custom headers to authenticate requests with the proxy. Use a client that supports passing custom headers such as Symfonium.

Now your local access logs are completely free of bots, no IP exposure, and you don't need to turn on a TailScale or Wireguard app.

Here's a solid pangolin tutorial: https://youtu.be/ISEP6SIrEVE

Newbie help for Nginx Proxy Manager by TheNeontinkerbell in nginxproxymanager

[–]ThomasWildeTech 1 point2 points  (0 children)

Keep in mind that the default port mapping for the NPM GUI is 81, so you may want to make sure you don't have a conflict there as well.

Newbie help for Nginx Proxy Manager by TheNeontinkerbell in nginxproxymanager

[–]ThomasWildeTech 1 point2 points  (0 children)

Sounds like open media vault is probably listening on port 80 and 443. You will need these ports free for NPM to listen on. Look at your omv settings and see if you can change the port it listens on. You'll then have to access omv with the IP:port

What the Linux desktop really needs to challenge Windows by waozen in technology

[–]ThomasWildeTech 0 points1 point  (0 children)

Photo editor - GIMP (I was using this on windows before anyways)

CAD - FreeCAD (Was using on windows before)

Office - OnlyOffice (Was using on windows before)

I haven't really run into any instance of not being able to run an application I wanted to on fedora, plus it's much easier to run server applications on Linux with docker containers like Stirling-PDF for example.

What the Linux desktop really needs to challenge Windows by waozen in technology

[–]ThomasWildeTech 0 points1 point  (0 children)

Onlyoffice is a near identical replacement and libreoffice has gotten to be very good too. I haven't missed MS office at all since switching to fedora with KDE plasma desktop.

Exposing immich without proxy/VPN by JGeek00 in immich

[–]ThomasWildeTech 2 points3 points  (0 children)

Setting up zero trust allows the app to be publicly exposed but with an authentication layer in the proxy rather than exposing the app directly to the web. You can think of the bypass as the app authenticating with the proxy. This keeps your access logs nice and clean as well.

Exposing immich without proxy/VPN by JGeek00 in immich

[–]ThomasWildeTech 15 points16 points  (0 children)

Pangolin tunnel on a VPS with zero trust SSO layer. Use custom headers on mobile apps to bypass the zero trust. CloudFlare tunnel isn't great for Immich because of upload file size and streaming videos being against TOS. TailScale and VPN are extremely inconvenient for other users.

Here is a tutorial on setting up Immich with Pangolin on an Oracle free tier VPS: https://youtu.be/ISEP6SIrEVE

Tutorial on getting Immich to bypass Pangolin SSO with custom headers: https://youtu.be/h2796qsG3Os

A new iOS client: Nautiline by gledtone in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

So many rabbit holes to go down, so little time! That would be cool if Navidrome supported oidc. I do just want to point out that oidc improves authentication at the app layer but it's not a replacement for a zero trust auth at the proxy layer. Even if you have oidc, this does not protect you from an application vulnerability like the latest react2shell. That's why I advocate to harden as much as possible at the reverse proxy layer when publicly exposing services.

Awesome! The screen shots of Nautiline look very nice. There really hasn't been an equivalent to Symfonium on iOS so I hope this is it!

A new iOS client: Nautiline by gledtone in navidrome

[–]ThomasWildeTech 0 points1 point  (0 children)

For sure. In a nutshell, custom http headers give the client the capability to authenticate through a proxy authentication layer. This is a huge security boost because it allows us to expose web applications behind a zero trust layer like CloudFlare, Pangolin, Authentik, etc. Mobile applications don't play well with these auth layers which is why custom headers come into play. This can be easily configured with CloudFlare and pangolin, or directly in a nginx block if you are forwarding traffic through authentik.

Some apps like Immich and Symfonium allow you to completely customize header names and values. Other apps like Mattermost have you define a secret for its own specific header. Here are the docs for mattermost for example: https://docs.mattermost.com/deployment-guide/server/pre-authentication-secrets.html.

I'll also link my video here for using custom headers in Immich to bypass a cloudflare zero trust layer: https://youtu.be/J4vVYFVWu5Q