Immich is a self-hosted photo and video backup solution that, by default, runs on http://[your-server-ip]:2283. That works fine on your local network, but it leaves you with no SSL encryption and no way to reach your photos when you are away from home — unless you are using a VPN like Tailscale. Putting Immich behind a reverse proxy with a proper domain name and a free SSL certificate from Let’s Encrypt solves all of that. You get a clean URL like https://photos.yourdomain.com, HTTPS encryption, and a mobile app that works from anywhere in the world.
What You Need Before You Start
Before touching any config files, make sure you have the following in place:
- A running Immich instance accessible at http://[server-ip]:2283 on your local network
- A domain name you control (e.g. yourdomain.com)
- A subdomain A record pointing to your public IP address (e.g. photos.yourdomain.com → your.public.ip)
- Ports 80 and 443 forwarded on your router to the machine running Nginx
- Nginx installed on the machine that will act as the reverse proxy (this can be the same server running Immich, or a separate one)
- Certbot installed for obtaining Let’s Encrypt certificates
If you have a dynamic IP address from your ISP, consider using a dynamic DNS service (such as DuckDNS or Cloudflare’s free DNS) to keep your A record up to date automatically.
How the Traffic Flows
It helps to understand what you are building before writing a single line of config. The path a request takes looks like this:
Internet → Your Router (port 443) → Nginx → Immich (port 2283)
Your router receives the incoming HTTPS request and forwards it to Nginx on your server. Nginx handles the SSL certificate, decrypts the traffic, and passes the request on to Immich running locally. Immich never needs to know anything about SSL — that is entirely Nginx’s job. The response comes back through the same chain in reverse.
The Nginx Configuration
Create a new Nginx server block for your Immich subdomain. On most systems this lives in /etc/nginx/sites-available/. The official Immich documentation provides a recommended configuration that covers several important requirements — large file uploads, WebSocket connections for real-time features, and the /.well-known/immich path that both Let’s Encrypt and the mobile app depend on.
server {
    listen 80;
    server_name photos.yourdomain.com;

    # Redirect all HTTP traffic to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name photos.yourdomain.com;

    # SSL certificate paths (filled in by Certbot)
    ssl_certificate /etc/letsencrypt/live/photos.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/photos.yourdomain.com/privkey.pem;

    # Allow large photo and video uploads
    client_max_body_size 50000M;

    location / {
        proxy_pass http://127.0.0.1:2283;

        # Required for correct Immich operation
        proxy_buffering off;
        proxy_request_buffering off;

        # WebSocket support (needed for live features)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward correct headers to Immich
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    # Required for Let's Encrypt verification and the mobile app
    location /.well-known/immich {
        proxy_pass http://127.0.0.1:2283;
    }
}

Replace photos.yourdomain.com with your actual subdomain throughout, and adjust 127.0.0.1:2283 if Immich is running on a different machine on your network. If Nginx is on a separate server, use the LAN IP of your Immich host (e.g. 192.168.1.100:2283).
Why These Settings Matter
client_max_body_size 50000M — Immich handles large RAW files and videos. Without this, Nginx will reject any upload over its default 1MB limit with a 413 error.
proxy_buffering off and proxy_request_buffering off — These are specifically required by the Immich project. Without them, you may experience issues with uploads stalling or connections behaving incorrectly.
WebSocket headers — Immich uses WebSockets for real-time updates in the web interface. The Upgrade and Connection headers, along with proxy_http_version 1.1, ensure these connections are passed through correctly rather than being dropped by Nginx.
/.well-known/immich — This location block must route to Immich. It is used by the mobile app for server discovery and is also the path that Let’s Encrypt uses to verify domain ownership during certificate issuance.
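The upload-limit, buffering and WebSocket settings above can be checked mechanically before a reload. This Python sketch is an added example, not code from this guide or the Immich project; `parse`, `effective`, `audit` and the `WEAK` sample are names constructed for illustration. It also models one Nginx inheritance rule: a location that sets any proxy_set_header of its own no longer inherits the ones set at server level.

```python
import re

def parse(text):
    """Parse nginx config text into nested (name, args, children) tuples."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments (assumes no '#' in quotes)
    tokens = iter(re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text))
    def block():
        nodes, words = [], []
        for tok in tokens:
            if tok == "}":
                break
            if tok in (";", "{"):
                nodes.append((words[0], words[1:], block() if tok == "{" else []))
                words = []
            else:
                words.append(tok.strip('"'))
        return nodes
    return block()

def effective(server, location):
    """Directives in force inside a location, following nginx inheritance."""
    eff = {n: a for n, a, _ in server + location if n != "proxy_set_header"}
    # proxy_set_header is inherited only when the location sets none of its own
    own = [a for n, a, _ in location if n == "proxy_set_header"]
    inherited = [a for n, a, _ in server if n == "proxy_set_header"]
    eff["headers"] = {a[0].lower(): a[1].lower() for a in own or inherited}
    return eff

def audit(text):
    """Return failed checks for `location /` of each server listening on 443."""
    failed = []
    for name, _, body in parse(text):
        if name != "server" or not any(n == "listen" and "443" in a[0] for n, a, _ in body):
            continue
        root = next((c for n, a, c in body if n == "location" and a == ["/"]), [])
        eff = effective(body, root)
        if "client_max_body_size" not in eff:  # unset means nginx's 1m default
            failed.append("client_max_body_size")
        failed += [d for d in ("proxy_buffering", "proxy_request_buffering") if eff.get(d) != ["off"]]
        ws = (eff.get("proxy_http_version"), eff["headers"].get("upgrade"), eff["headers"].get("connection"))
        if ws != (["1.1"], "$http_upgrade", "upgrade"):
            failed.append("websocket")
    return failed

# Constructed sample: the location's own Host header discards the server-level
# Upgrade/Connection headers; upload limit and buffering are left at defaults.
WEAK = """server { listen 443 ssl; proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";
  location / { proxy_pass http://127.0.0.1:2283; proxy_set_header Host $host; } }"""
```

Run against the configuration shown in this guide, `audit` returns an empty list; against `WEAK` it reports all four checks.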
Enable the Site
Once the config file is saved, enable it and check the syntax before reloading:
sudo ln -s /etc/nginx/sites-available/immich /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

If nginx -t reports any errors, fix them before proceeding. A common mistake is a missing semicolon or a typo in the server name.
Obtaining Your SSL Certificate with Certbot
With Nginx running and your DNS A record pointing to your public IP, you can now obtain a free SSL certificate from Let’s Encrypt using Certbot. If you have not already installed Certbot, install it along with the Nginx plugin:
sudo apt install certbot python3-certbot-nginx

Then run Certbot, pointing it at your subdomain:

sudo certbot --nginx -d photos.yourdomain.com

Certbot will verify that you control the domain (using the /.well-known/ path over port 80), issue the certificate, and automatically update your Nginx config with the correct SSL certificate paths. It will also set up automatic renewal, so you never need to think about expiry.
Once complete, reload Nginx one more time:
sudo systemctl reload nginx

Testing Your Setup
Open a browser and navigate to https://photos.yourdomain.com. You should see the Immich login page with a valid SSL padlock in the address bar. A few things to verify:
- The padlock is present and the certificate is valid (issued by Let’s Encrypt)
- Visiting http://photos.yourdomain.com redirects to HTTPS automatically
- You can log in and browse your library without errors
- Try uploading a file to confirm the client_max_body_size setting is working
If anything is not working, check the Nginx error log at /var/log/nginx/error.log for clues. Common issues include the Immich container not being accessible on the expected port, or a firewall rule blocking port 443 on the server itself.
Pointing the Mobile App at Your New URL
Open the Immich mobile app on your phone. If you previously had it configured with the local IP address, go to Settings → Account → Server URL and update it to https://photos.yourdomain.com. The app will verify the connection — this is where the /.well-known/immich location block is used. Once saved, the app will work on both your home Wi-Fi and over mobile data.
Alternative: Nginx Proxy Manager
If editing config files manually is not your preference, Nginx Proxy Manager (NPM) provides a web-based GUI for managing reverse proxies. You deploy it as a Docker container alongside Immich, then add a proxy host through the interface. NPM handles Let’s Encrypt certificate requests with a single toggle. It is a solid choice for beginners or anyone who prefers a visual interface over hand-crafted config files. The same core requirements apply — you still need ports 80 and 443 forwarded and a valid DNS record.
If you would rather avoid opening any ports on your router entirely, Cloudflare Tunnel is worth investigating. It creates an outbound tunnel from your server to Cloudflare’s edge, meaning no inbound ports need to be exposed. That is a larger topic covered separately, but it is a genuinely useful option if your ISP blocks incoming connections or you want an extra layer of security.