immich-app / immich

High performance self-hosted photo and video management solution.
https://immich.app
GNU Affero General Public License v3.0

IPV6 Connection issues since update to v1.102.0 #8931

Closed Morethanevil closed 4 months ago

Morethanevil commented 4 months ago

The bug

Since the latest update, the binding address is 127.0.0.1:3001. I used the new env "HOST" to connect via IPV6 as always via my reverse proxy.

I tried HOST="::1" but I can not connect via my reverse proxy

Log says: LOG [ImmichServer] Immich Server is listening on http://[::1]:3001/ [v1.102.0] [PRODUCTION]

Then I tried HOST="::" <- all interfaces including IPV6 - works

Log says exactly the same, but it works now:

LOG [ImmichServer] Immich Server is listening on http://[::1]:3001/ [v1.102.0] [PRODUCTION]

I use the static IPV6 "fd00:112::2" for immich, the reverse proxy is installed on the host, so I need static addresses. I tried HOST="fd00:112::2" and it works too, as expected, the log then says correctly:

LOG [ImmichServer] Immich Server is listening on http://[fd00:112::2]:3001/ [v1.102.0] [PRODUCTION]

I tried HOST="localhost" too, it does not work either for IPV6.

Log exactly the same :)

LOG [ImmichServer] Immich Server is listening on http://[::1]:3001/ [v1.102.0] [PRODUCTION]

The OS that Immich Server is running on

Fedora 39 KDE

Version of Immich Server

v1.102.0

Version of Immich Mobile App

v1.102.0

Platform with the issue

Your docker-compose.yml content

name: immich
services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:release
    command: [ "start.sh", "immich" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    depends_on:
      - redis
      - database
    restart: always
#   ports:
#     - 2283:3001
    networks:
      innendienst:
        ipv4_address: 172.20.0.2
        ipv6_address: fd00:112::2
      default:

  immich-microservices:
    image: ghcr.io/immich-app/immich-server:release
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities:
                - gpu
                - compute
                - video
    container_name: immich_microservices
    command: [ "start.sh", "microservices" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    depends_on:
      - redis
      - database
    restart: always
    networks:
      - default

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:release-cuda
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities:
                - gpu
                - compute
                - video
    volumes:
      - /docker/immich/modelcache:/cache
    env_file:
      - .env
    restart: always
    networks:
      - default

  redis:
    container_name: immich_redis
    image: redis:7.2-alpine
    restart: always
    networks:
      - default

  database:
    container_name: immich_postgres
    image: tensorchord/pgvecto-rs:pg16-v0.2.0
    env_file:
      - .env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - /docker/immich/db:/var/lib/postgresql/data
    restart: always
    networks:
      - default

networks:
  innendienst:
    external: true

Your .env content

# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables

###################################################################################
# The Immich version to use. You can pin this to a specific version like "v1.71.0"
###################################################################################

#IMMICH_VERSION=release
HOST="::"

###################################################################################
# Database
###################################################################################
DB_HOSTNAME=immich_postgres
DB_USERNAME=posti
DB_PASSWORD=redacted
DB_DATABASE_NAME=immichdb
# Optional Database settings:
DB_PORT=5432
###################################################################################
# Redis
###################################################################################

REDIS_HOSTNAME=immich_redis
# Optional Redis settings:

# Note: these parameters are not automatically passed to the Redis Container
# to do so, please edit the docker-compose.yml file as well. Redis is not configured
# via environment variables, only redis.conf or the command line

# REDIS_PORT=6379
# REDIS_DBINDEX=0
# REDIS_USERNAME=
# REDIS_PASSWORD=
# REDIS_SOCKET=

###################################################################################
# Upload File Location
#
# This is the location where uploaded files are stored.
###################################################################################
UPLOAD_LOCATION=/weiteres/immichpics

Reproduction steps

Edit .env with HOST envs as explained above

Relevant log output

[Nest] 7  - 04/19/2024, 9:41:50 PM     LOG [ImmichServer] Immich Server is listening on http://[::1]:3001 [v1.102.0] [PRODUCTION]

Additional information

No response

bo0tzz commented 4 months ago

I don't quite follow what the issue is - you say you found some configurations that work, right? Binding to localhost is never expected to work with external connections.

Morethanevil commented 4 months ago

The issue is that now the server listens on 127.0.0.1:3001. The reverse proxy connects via IPV6 into the immich server container and this does not work anymore, because Immich only listens on IPV4. localhost:3001 would be better. But when I set HOST="localhost" via ENV it does not work either, but server log shows binding on [::1]:3001.

Binding on [::1]:3001 via HOST="::1" does not work either, but [::]:3001 binds to [::1]:3001. IPV6 connections worked without issues before v1.102

I need to bind to :: which is like 0.0.0.0. The IPV6 localhost ::1 does not work like 127.0.0.1 in Immich.

Logs with HOST="::1"

[screenshot: 001]

Logs with HOST="localhost"

[screenshot: localhost]

Logs with HOST="::"

[screenshot: 00]

As you can see, only here is a connection possible and all three ways show the same listening. That is strange. The standard HOST="127.0.0.1" ignores all IPV6 traffic as expected.

miccico commented 4 months ago

I'm new to immich but I can confirm that the issue exists. If I don't set anything for HOST the server will listen on 127.0.0.1. If I put 0.0.0.0 there it will also listen on 127.0.0.1. If I put a static IP (10.214.xx.xx) it will claim to listen there but not answer requests. What I discovered when putting a "*" there is that I got a DNS resolution error which leads me to believe that the service is actually trying to resolve whatever was given before actually using it to bind.

MaZe3D commented 4 months ago

I can confirm that my setup broke, the host setting to HOST='::' fixed it for me

jrasm91 commented 4 months ago

Do we just need better documentation for this or do we need to revert the recent change where we add a dedicated host environment variable?

MaZe3D commented 4 months ago

Both would be acceptable. But would it be possible to get the old behavior if the variable is not set? If not, documentation about this would be great, I only discovered the new variable through this issue.

MaZe3D commented 4 months ago

I mean the host variable provides additional freedom for different setups, so I would appreciate if it would stay.

Is it possible to use the old behavior if the variable is not set? Otherwise documentation is appreciated. That's at least what I think. There are maybe different opinions. I am ok with almost anything as long as ipv6 works and I know how to set it up with a container if special configuration is necessary.

Morethanevil commented 4 months ago

The PR for this was made because of security reasons. Everyone on his network can access immich via IP. This could be fixed with pointing the reverse proxy directly into the container and commenting out the port in docker-compose.yml. I am doing exactly this, plus my container gets a static IP.

The HOST ENV is a good addition for those who need it. But why is ::1 not working? It is the same as 127.0.0.1 for IPV4 🤔 This problem stays at the moment.

I would revert to the old behavior and let those use the ENVs who need them. For security reasons it is better to read about docker networking and commenting out ports.

NGINX Proxy Manager is mostly used by beginners. They can point to the container name immich_server and port 3001.

miccico commented 4 months ago

I for instance run all of my containers via MACVLAN Adapters in order to be able to do a couple of things (Moving between Hosts, Mounting NFS, ...). The current behavior does not allow me to expose the port directly on the MACVLan interface as I cannot get it to stop from listening to local only. I personally would prefer the option to be available but in a working condition. Default behavior being 127.0.0.1 is completely ok and would also allow the "default" use cases like port exposure on the host or a builtin proxy.

jrasm91 commented 4 months ago

The default behavior of specifically binding to 127.0.0.1 is different from omitting the host argument entirely. The documentation clearly states it will bind to ipv6 by default if it is available when host is omitted. I don't see any reason to change that behavior.

https://nodejs.org/api/net.html#serverlistenport-host-backlog-callback
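
Added example, not part of the thread and not Immich code: a small audit helper that classifies the HOST values tried above and reports whether a listener bound to each would accept a connection dialed to the container address fd00:112::2 from the compose file. The function names are hypothetical, and dual-stack behaviour for "::" is assumed (the usual OS default).

```javascript
// Parse an IPv4 or IPv6 literal into numeric parts; null means "not a literal".
function parseIp(s) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (v4) {
    const o = v4.slice(1).map(Number);
    return o.every((n) => n <= 255) ? { family: 4, parts: o } : null;
  }
  const halves = s.split('::');
  if (!s.includes(':') || halves.length > 2) return null;
  const groups = (h) => (h === '' ? [] : h.split(':'));
  const head = groups(halves[0]);
  const tail = halves.length === 2 ? groups(halves[1]) : [];
  const all = [...head, ...tail];
  if (!all.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  const missing = 8 - all.length; // groups hidden behind "::"
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const zeros = Array(missing).fill('0');
  return { family: 6, parts: [...head, ...zeros, ...tail].map((g) => parseInt(g, 16)) };
}

// How wide is the listener? Names such as "localhost" are resolved before bind.
function bindScope(host) {
  const ip = parseIp(host);
  if (!ip) return 'hostname';
  if (ip.parts.every((p) => p === 0)) return 'wildcard'; // 0.0.0.0 or ::
  const loop4 = ip.family === 4 && ip.parts[0] === 127;
  const loop6 = ip.family === 6 && ip.parts[7] === 1 &&
    ip.parts.slice(0, 7).every((p) => p === 0);
  return loop4 || loop6 ? 'loopback' : 'specific';
}

// Would a socket bound to `host` accept a connection whose destination is `dest`?
// Returns null when `host` is a name and the answer depends on the resolver.
function accepts(host, dest, dualStack = true) {
  const b = parseIp(host);
  const d = parseIp(dest);
  if (!b || !d) return null;
  if (bindScope(host) === 'wildcard') {
    return b.family === d.family || (b.family === 6 && dualStack);
  }
  return b.family === d.family && b.parts.every((p, i) => p === d.parts[i]);
}

function audit(hosts, dest) {
  return hosts.map((h) => ({ host: h, scope: bindScope(h), reachable: accepts(h, dest) }));
}

// HOST values taken from the thread; destination is the container's static IPv6.
console.table(audit(['127.0.0.1', '::1', '::', 'fd00:112::2', 'localhost', '0.0.0.0'], 'fd00:112::2'));
```

A loopback bind inside a container only accepts connections that originate in that container's own network namespace, so a proxy on the host dialing fd00:112::2 is refused for both 127.0.0.1 and ::1.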