You will also need an Http header to advertise your server’s support for http/3
ShellScript
add_headerAlt-Svc'h3=":443"; ma=2592000';
This will go in your Vhost file, as above. For Nginx, it will either go in the Server block or the Location block if you are running a reverse proxy. You need to verify that this header is there, or you have to add it yourself.
3) You will need a domain name and a valid, not self-signed, SSL certificate
4) You will need to use TLS 1.3. It’s sometimes a good idea to force TLS 1.3 as in the first example, adding ssl_protocols TLSv1.3. This is very appropriate, especially if only your own clients will be connecting to the instance, as opposed to a general website.
4) In your firewall, you need to open both TCP and UDP protocols for port 443
HTTP/3 uses UDP, unlike the previous versions of HTTP, which only used TCP. You will need to open TCP and UDP.
5) A modern web browser that supports Http/3 which is nearly all of them.
Also, TLS 1.3 has been available since 1998. I do not even try to support older hardware. Requiring TLS 1.3 enhances security at the expense of a few older clients. If you do not explicitly require TLS 1.3, the client can then downgrade to HTTP/2 or HTTP/0.9, which may allow hackers to take advantage of the vulnerabilities in these older protocols.
If you’ve ever experienced frustration when attempting to configure a reverse proxy, CloudPanel will simplify your life. CloudPanel is a free, no-frills hosting panel that is surprisingly robust and satisfying to use. It uses the Nginx server, ready for HTTP/3.
The self-hosting movement is in full swing, and CloudPanel is a perfect remedy for those of us who prefer a GUI hosting panel rather than using only the CLI. It excels at reverse proxies, even if—especially if—your project is Dockerized.
The best thing about CloudPanel is its built-in reverse proxy feature. CloudPanel will even add an SSL (Let’s Encrypt) certificate automatically, or you may import your own cert.
CloudPanel is so easy, in fact, I’m only going to post a few screenshots to explain everything you need to know.
You are halfway there!
Finished!
One final thing, you may want to turn on HTTP/3. Check out my blog post on how to use HTTP/3 in CloudPanel and Nginx.
So, you have installed Immich and are now realizing that it needs a reverse proxy or another method to add some security to your instance. OpenLiteSpeed to the rescue! This tutorial will help you configure OpenLiteSpeed (OLS) with your Immich app.
Immich is a fantastic Google Photos alternative if you are willing to self-host. While LightSpeed is “drop-in replacement for Apache,” OLS is not. OLS is from Mars; Apache is from Venus.
You may be wondering, if OLS is so quirky, then why use it at all? The answer is simple: speed, plus the fact that it is free. OLS supports HTTP/3, which will speed up our Immich instance immensely. For the record, Nginx also supports HTTP/3. Apache reportedly has an HTTP/3 module in development, but I can’t find the beta version anywhere at the time of writing.
Another reason to use OLS is because CyberPanel, a companion web hosting panel, is free (with frustrating adverts). It’s excellent for hosting a few websites free of charge. Not only will you get the speed of HTTP/3, but also a free SSL certificate, which is required for HTTP/3.
To make things a bit easier, you can create your website’s config files (vhost) using your hosting panel and install the corresponding SSL certificate using your (sub)domain. This way, we don’t have to create the website’s vhost configuration file from scratch.
We have two methods to configure OLS: the OLS admin control panel or by editing the config files directly. OLS has a dedicated admin panel, which you will find hidden on port 7080, i.e., https://myserver.mydomain.com:7080. The username should be admin. If you have forgotten your password, SSH into your server and issue
OLS forgotten password
ShellSession
/usr/local/lsws/admin/misc/admpass.sh
After you log in, click on Virtual Hosts. If you are starting from scratch, click on the + sign to create a new vhost. Otherwise, find and click on the website that you have already created for your Immich app.
Under the Basic tab, select NO to Enable Scripts/ExtApps, and then select YES to Restrained.
Next, select External App and select Web Server
Add 127.0.0.1:2283 for the web server address and provide your web server a name. You can use the information listed below. Click save.
Click on Context, then create a new Proxy —click on Next
Enter / for the URL,
Upgrade: $http_upgrade Connection: upgrade
For the Header operations. Click save.
Click on Listeners, then add your virtual host to each listener type.
Our Immich virtual host would need to be added to all three listener types in the above example.
Finally, you need to restart the OpenLiteSpeed server. Look for the big green button at the top and restart OLS. That’s it!
Another word about listeners. If you’re a keen observer, you’ve likely noticed that my configuration lacks the IPV6 listener for the default port. If your system doesn’t have IPV6, then you probably only have two listeners. If you are using IPV6, you should generally have 4 listeners. Even your mail servers need IPV6. We can see here that CyberPanel seemed to forget my IPV6 for the default port. Is it a bug or a feature? I had to add this manually.
Here is the final vhost config for OLS. I assume that you can simply use this config instead of going through all of the above steps with the OLS admin panel… but I don’t know for sure. Please let me know in the comments what you think!
This is a lot of work for a simple reverse proxy. CloudPanel has a built-in reverse proxy, and so does AApanel, my favorite open-source hosting panel. For the record, I have given up on CyberPanel. The project appears to be all but abandoned, and there are too many adverts on the admin panel to make it usable or any bit enjoyable.
