Dual reverse proxy

[Pheggas]

Hello. Lately i've been deploying Immich with Traefik on top of it and Keycloak for authentication. I solved all issues until now. The problem here is the dual proxy setup. As Immich docs tells me, i can add custom reverse proxy on top of immich's nginx proxy. There was no issue with it until i want to implement Keycloak to this setup.

I quickly set up new realm and client in Keycloak, filled up all the required fields on both sides (Keycloak and Immich) and it turned into this error inside immich-server container:

[Nest] 1  - 06/11/2023, 2:19:46 PM   ERROR [ExceptionsHandler] getaddrinfo ENOTFOUND keycloak.local.dashrave.eu
Error: getaddrinfo ENOTFOUND keycloak.local.dashrave.eu
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:107:26)

It looks like Immich server can't resolve keycloak.local.dashrave.eu domain. On keycloak's end there isn't any mark of any action so immich server clearly can't get to the keycloak. And here's the issue with double proxy setup. If i directly connect immich-server container to the proxy network (made by Traefik) keycloak hostname with it's port can be resolved by Immich.

Did someone have issue like this? If so, how did you solve it? I might need to edit the nginx immich proxy in order to make it work. Btw, i found @PixelJonas having the same setup. At least he do have Keycloak as authentication for Immich.

PS: In case of need to see any configuration, i will provide of course.
PS2: I did a more detailed description of the issue here

[jrasm91]

Are you using oauth to integrate with keycloak? If so, the domain you use needs to be reachable from the mobile app, web app and from the immich-server container. This doesn't really have anything to do with the immich-proxy container or proxies in general. This is just good old networking and DNS resolution.

[Pheggas]

`Yup. As immich supports OIDC, i can set up Keycloak (or any authentication service like Authentik or Authelia) to log in with it rather than immich's login form. Honestly, i don't trust it so much i would open immich to the world and sleep peacefully. Keycloak is focused exactly to authentication and it's from RedHat so i think i can trust it more. Also, i'm planning to login only by identity provider so no name / password or 2FA authentication. Identity provider way is easy, fast, reliable and secure in my honest opinion.

To your reply, i didn't try mobile app as i don't have my local DNS server configured on phone yet. I'd like to change default DNS servers on my router but that is tied up with my ISP which is charing some money to do changes in the router and my admin account doesn't have permission to change DNS settings on the router. It is sad but it is what it is. Anyway, i configured my local DNS server on my computer so i can reach my custom local dns enteries and it works perfectly.

I tried to attach immich-server container to the proxy docker network and yup, you're right. Even there the domain isn't resolved. That means DNS isn't specified inside the proxy docker network. Do you think that if i specify DNS IP it would work?

UPDATE: So i attached pihole as my local DNS server to proxy docker network and set it's hostname to "pihole". Then i did

dns:
  - pihole
  - 8.8.8.8

To set the DNS on traefik container but that still doesn't work. The reason i set the first DNS "pihole" is that it is it's hostname and as IPs changes everytime the container is running, i think entering hostname is better option.

Any thoughts on this?

[PixelJonas]

As already discussed in private chat - this looks like a DNS issue.
Try:

1. exposing the pihole DNS on the host machine (so you get a static IP)
2. use that static IP for your DNS settings in the docker-compose (and not the hostname)

I think the proxies are not in the way of you authenticating via SSO but the DNS
If you have your SSO exposed to the network via a full domain name (e.g. sso.acme.com ) if so, try using that for your configuration in Immich
In the end the Name/IP configuration you are doing for SSO should be the same for the server - immich - as the client - your PC - as Immich will forward the client to the SSO the DNS Name should be the same and be resolvable for client and server alike.

[Pheggas]

From the DMs,

1. i have exposed PiHole to my LAN
2. I did try to define local DNS server by entering the same IP i set on my PC but when i try to ping some DNS records, it just doesn't work and those domains are unreachable anyway.

Yup. I'm trying to configure it that way so the same keycloak.local.dashrave.eu is resolved on my PC and in every docker container on the server. But i'm not able to.
I was only able to resolve the local domains if i add PiHole to the proxy docker network made by Traefik and then specify for every docker container the DNS settings like

dns:
   - 192.168.96.8
   - 8.8.8.8

Where 192.168.96.8 is the IP of PiHole INSIDE the proxy docker network (not the public IP on LAN).

PS: For anyone who will be solving same issue, i made topic on docker's discord server...let's see if someone reply there

[Pheggas]

The issue is most likely caused by stopping and disabling systemd-resolved through systemctl on host. I did such mistake after reading reddit post about PiHole won't start cause port 53 is already in use. Well, yes, it is already in use because of systemd-resolved. How do you handle such thing? Like, having local dns but also with systemd-resolved running?

EDIT: I found this discussion about making macvlan in docker. I never did such thing. Can someone approve such way?

[Pheggas]

It has been fixed. Turned out I just needed to keep systemd-resolved disabled and stopped and just edit /etc/resolv.conf such a way that the nameserver 127.0.0.88 line get changed to local loopback so nameserver 127.0.0.1 (or any IP that's your PiHole DNS server on). This is due to docker copies this file to every container as it's DNS list. So as i had the wrong IP, the local domain didn't have a chance to get resolved.

[PixelJonas]

glad you got it fixed and thank you for providing the solution for your environment

[Pheggas]

Thank you for contributing on my fix :)