Prompt

```
Immich is running locally on my TrueNAS 24. How do I set up a reverse proxy so my family can access Immich outside my local network?

Immich ports:
tcp://0.0.0.0:30041:30041
tcp://:::30041:30041

TrueNAS local IP: //192.168.1.233/
TrueNAS MAC address: b4:96:91:45:c3:f1
ATT router IP: http://192.168.1.254/
Nginx IP: http://192.168.1.233:30020/

TrueNAS 24 uses Docker containers for apps. I don't think my ISP changes my public IP. I own a domain we can use (ethanyoung.dev, and we can use subdomains like photos.ethanyoung.dev), and my host makes it easy to get HTTPS/SSL cert. I have no experience setting up a reverse proxy on TrueNAS or port forwarding on my router. Domain registrar/DNS provider is Porkbun.
```

[[VPN vs Reverse Proxy vs Port Forwarding]]

---

## Complete Setup Guide for Remote Immich Access

### Step 1: Install Nginx Proxy Manager on TrueNAS SCALE

Nginx Proxy Manager is available in the TrueNAS community apps catalog and requires TrueNAS 24.10.2.2 or newer.

1. Go to **Apps** → **Discover Apps**
2. Search for "**Nginx Proxy Manager**"
3. Verify it's from the Community train
4. Click **Install** and configure:
   - **Web Port**: Leave default (typically 30021 or similar high port)
   - **Storage Configuration**:
     - Create datasets for data and certs (use Generic preset)
     - Select "Host Path" and point to your datasets
5. Click **Install** and wait for it to deploy

### Step 2: Access and Configure Nginx Proxy Manager

1. Once running, click on the app and then **Web Portal**
2. Default login credentials are: username `[email protected]` and password `changeme`
3. You'll be forced to change the password on first login

### Step 3: Configure Port Forwarding on AT&T Router

Access your AT&T router at `http://192.168.1.254/` and navigate to the Firewall section, then NAT/Gaming:

1. Log into your router at `http://192.168.1.254/`
2. Go to **Firewall** → Enter Device Access Code (found on router) → **NAT/Gaming**
3. Create two port forwarding rules:
   - **HTTP Rule**:
     - Service Name: "Nginx HTTP"
     - Protocol: TCP
     - External Port: 80
     - Internal IP: 192.168.1.233
     - Internal Port: [Your Nginx Proxy Manager HTTP port]
   - **HTTPS Rule**:
     - Service Name: "Nginx HTTPS"
     - Protocol: TCP
     - External Port: 443
     - Internal IP: 192.168.1.233
     - Internal Port: [Your Nginx Proxy Manager HTTPS port]
4. Save and apply the rules

### Step 4: Configure DNS at Porkbun

To create an A record for your subdomain at Porkbun, log into your account and navigate to Domain Management:

1. First, find your public IP: Visit `whatismyip.com`
2. Log into Porkbun → **Account** → **Domain Management**
3. Find `ethanyoung.dev` and click **Details**
4. Click the edit icon next to **DNS Records**
5. Add an A record:
   - Type: **A - Address record**
   - Host: `photos` (for photos.ethanyoung.dev)
   - Answer: Your public IP address
   - TTL: 600
   - Click **Add**

### Step 5: Create SSL Certificate in Nginx Proxy Manager

1. In Nginx Proxy Manager, go to **SSL Certificates**
2. Click **Add SSL Certificate** → **Let's Encrypt**
3. Enter:
   - Domain Names: `photos.ethanyoung.dev`
   - Email: Your email for Let's Encrypt notifications
   - Check "I Agree to the Let's Encrypt Terms"
4. Click **Save**

### Step 6: Configure Proxy Host for Immich

This is the critical step with Immich-specific requirements.

1. In Nginx Proxy Manager, go to **Proxy Hosts** → **Add Proxy Host**
2. **Details** tab:
   - Domain Names: `photos.ethanyoung.dev`
   - Scheme: `http`
   - Forward Hostname/IP: `192.168.1.233`
   - Forward Port: `30041`
   - Enable **Websockets Support** (critical for Immich!)
   - Enable **Block Common Exploits**
3. **SSL** tab:
   - SSL Certificate: Select the one you created
   - Enable **Force SSL**
   - Enable **HTTP/2 Support**
4. **Advanced** tab - Add this custom Nginx configuration. Immich requires specific nginx configuration, including a large `client_max_body_size` for photo/video uploads and proper websocket headers:

   ```nginx
   client_max_body_size 50000M;

   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;

   # Websocket support
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "upgrade";
   proxy_redirect off;

   # Timeouts for large file uploads
   proxy_read_timeout 600s;
   proxy_send_timeout 600s;
   send_timeout 600s;
   ```

5. Click **Save**

### Step 7: Test and Verify

1. Wait 5-10 minutes for DNS propagation
2. Test from outside your network (use mobile data)
3. Navigate to `https://photos.ethanyoung.dev`
4. You should see Immich with a valid SSL certificate

### Important Security Recommendations

Since you're exposing Immich to the internet, security is crucial:

1. **In Immich settings**:
   - Disable public user registration immediately
   - Ensure all accounts use strong, unique passwords
   - Consider enabling 2FA for all users
2. **Keep everything updated**:
   - Regularly update TrueNAS SCALE
   - Keep Immich app updated
   - Update Nginx Proxy Manager
3. **Monitor access**:
   - Check Nginx Proxy Manager logs regularly
   - Monitor Immich user activity

### Alternative: Cloudflare Tunnel (More Secure)

If you want additional security without exposing your home IP, consider Cloudflare Tunnel instead:

- No port forwarding required
- Hides your home IP address
- Free tier is sufficient
- Can be installed as a Docker container on TrueNAS

### Troubleshooting Tips

- **Port verification**: Use `canyouseeme.org` to verify ports 80/443 are open
- **DNS propagation**: Check `dnschecker.org` to verify DNS has propagated
- **413 errors**: If uploads fail with 413 errors, ensure `client_max_body_size` is set correctly in the nginx configuration
- **AT&T CGNAT**: If your public IP starts with 100.x.x.x, contact AT&T for a public IP

Would you like me to elaborate on any of these steps or help you with the Cloudflare Tunnel alternative if you prefer that approach?

---

Dive deeper into Cloudflare Tunnel alternative.

I added custom services at these ports:

![[Pasted image 20250829122412.png]]

The list of devices (connecting app to port) was insane, so I inspected the HTML to find that "truenas" was connected to a MAC address, and that MAC address was connected to this id (so stupid):

```html
<option value="b4:96:91:45:c3:f1">unknownb4969145c3f1</option>
```

Then I added them as entry points into applications:

![[Pasted image 20250829122403.png]]

Successfully set up the port forwarding rules on the AT&T router.

```
NAT/Gaming > Hosted Applications: Service, Ports, Device
Nginx-HTTP, TCP: 80, truenas
Nginx-HTTPS, TCP: 443, truenas
```

Added a new DNS record (Porkbun): Type A, host photos.ethanyoung.dev, answer 23.121.240.228 (public IP), TTL 600

Changed Nginx listening ports in TrueNAS app settings:

- HTTP: 30021 → 80
- HTTPS: 30022 → 443

Error: "The port is being used by following services: 1) "0.0.0.0:443" used by WebUI Service"

So I'm changing the ports around to match the Nginx listening config: Global Port range stays at 80 and 443 but Host Port is now 30021 and 30022.
![[Pasted image 20250829131339.png]]

Next, I created an Nginx proxy for Immich (192.168.1.233:30041) and applied for SSL.

I visited photos.ethanyoung.dev and I get ERR timeout.

Oops. Forgot to add the services to the applications (I deleted to edit the services). I fixed that. Now I get (instantly): ERR_SSL_UNRECOGNIZED_NAME_ALERT

Oddly, the "device" for applications changed from truenas → Intel corporate.

https://dnschecker.org/ indicates photos.ethanyoung.dev is fully resolved.

https://www.yougetsignal.com/tools/open-ports/ indicates ports 80 and 443 are open on 23.121.240.228.

http://192.168.1.233:30021/ says:

```
# Congratulations!
You've successfully started the Nginx Proxy Manager.
If you're seeing this site then you're trying to access a host that isn't set up yet.
Log in to the Admin panel to get started.
```

http://192.168.1.233:30022/ says:

```
# 400 Bad Request
The plain HTTP request was sent to HTTPS port
---
openresty
```

I can access Immich locally at http://192.168.1.233:30041/auth/login.

Recreating the proxy host. Deleted the proxy. Created a SSL cert BEFORE creating the proxy host this time. Then selected the existing SSL cert. Port 80.

Now photos.ethanyoung.dev says:

```
# 500 Internal Server Error
---
openresty
```

So I tried entering the custom code in the advanced tab, and then the proxy went offline. Removed the code, it went back online. Back to 500 err.

http://192.168.1.233:30041/auth/login IS WORKING

Just testing proxy settings:

```
Forward Hostname / IP - 192.168.1.233
Forward Port - 80
```

Now photos.ethanyoung.dev loads my TrueNAS login page....

Realized I did the form wrong... correcting for port 30041... BOOM 😤

![[Pasted image 20250829135942.png]]

---

Next: cinema.ethanyoung.dev, notes.ethanyoung.dev

I did all the steps for Plex, and it's working.

[[Reverse Proxy Setup]]
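The guide above recommends checking Nginx Proxy Manager's logs regularly, and its troubleshooting tips point at 413 errors when `client_max_body_size` is too small. Here is an added Python example (mine, not from the page, from Nginx Proxy Manager or from Immich) that scans a proxy-host access log for repeated failed Immich logins per client IP and for uploads that nginx rejected with 413. The log layout, the sample lines, and the `/api/auth/login` and `/api/assets` paths are assumptions; check them against your own `proxy-host-*_access.log` before relying on the script.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic) in the layout Nginx Proxy Manager's
# per-proxy-host access logs use (assumed; compare with your own proxy-host-*_access.log).
SAMPLE_LOG = """\
[29/Aug/2025:14:02:11 -0500] - 401 401 - POST https photos.ethanyoung.dev "/api/auth/login" [Client 203.0.113.7] [Length 58] [Gzip -] [Sent-to 192.168.1.233] "curl/8.0" "-"
[29/Aug/2025:14:02:12 -0500] - 401 401 - POST https photos.ethanyoung.dev "/api/auth/login" [Client 203.0.113.7] [Length 58] [Gzip -] [Sent-to 192.168.1.233] "curl/8.0" "-"
[29/Aug/2025:14:02:13 -0500] - 401 401 - POST https photos.ethanyoung.dev "/api/auth/login" [Client 203.0.113.7] [Length 58] [Gzip -] [Sent-to 192.168.1.233] "curl/8.0" "-"
[29/Aug/2025:14:02:14 -0500] - 401 401 - POST https photos.ethanyoung.dev "/api/auth/login" [Client 203.0.113.7] [Length 58] [Gzip -] [Sent-to 192.168.1.233] "curl/8.0" "-"
[29/Aug/2025:14:02:15 -0500] - 401 401 - POST https photos.ethanyoung.dev "/api/auth/login" [Client 203.0.113.7] [Length 58] [Gzip -] [Sent-to 192.168.1.233] "curl/8.0" "-"
[29/Aug/2025:14:05:40 -0500] - 200 200 - POST https photos.ethanyoung.dev "/api/auth/login" [Client 198.51.100.4] [Length 412] [Gzip -] [Sent-to 192.168.1.233] "Mozilla/5.0" "-"
[29/Aug/2025:14:07:30 -0500] - - 413 - POST https photos.ethanyoung.dev "/api/assets" [Client 198.51.100.4] [Length 176] [Gzip -] [Sent-to 192.168.1.233] "Immich_Android" "-"
"""

# Field order: [$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] ...
LINE_RE = re.compile(r'^\[[^\]]+\] \S+ \S+ (?P<status>\d{3}) - (?P<method>\S+) \S+ \S+ '
                     r'"(?P<path>[^"]*)" \[Client (?P<client>[^\]]+)\]')
LOGIN_PATH = "/api/auth/login"  # Immich's password login endpoint (assumed path)


def parse_line(line):
    """Return status, method, path and client IP of one line, or None if it does not match."""
    m = LINE_RE.match(line)
    return None if m is None else {**m.groupdict(), "status": int(m["status"])}


def analyze(log_text, login_threshold=5):
    """Count 401s on the login endpoint per client IP and collect 413 upload rejections."""
    failed_logins, oversized = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] == LOGIN_PATH and rec["status"] == 401:
            failed_logins[rec["client"]] += 1
        elif rec["status"] == 413:  # rejected by nginx itself, never reached Immich
            oversized.append((rec["client"], rec["path"]))
    suspects = sorted(ip for ip, n in failed_logins.items() if n >= login_threshold)
    return {"failed_logins": dict(failed_logins), "suspects": suspects, "oversized": oversized}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip in report["suspects"]:
        print(f"{ip}: {report['failed_logins'][ip]} failed logins; candidate for an NPM Access List deny rule")
    for ip, path in report["oversized"]:
        print(f"413 for {ip} on {path}: check client_max_body_size in the proxy host's Advanced tab")
```

Run it against a real log with `analyze(open(path).read())`; a client that trips the threshold is a candidate for an NPM Access List deny entry and a reminder to turn on 2FA as the guide suggests.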