NginX – Photoprism Configuration

Create a new file /etc/nginx/sites-enabled/photoprism.example.com and put the following content in it. Remember to change the domain name (it appears in multiple places!).

# PhotoPrism Nginx config with SSL, HTTP/2 and reverse proxy
# This file gives you an example of how to secure your PP instance with SSL

server {
    # listen 80; # If you really need HTTP (insecure), remove the "#" at the beginning. Not recommended!
    # listen [::]:80; # HTTP IPv6
    listen 443 ssl http2;      # Listen on port 443 and enable SSL and HTTP/2
    listen [::]:443 ssl http2; # Same for IPv6

    # Put your domain name in here.
    server_name  photoprism.example.com;

    # ---------------------
    # SSL security
    # ---------------------
    ssl_certificate          /etc/letsencrypt/live/photoprism.example.com/fullchain.pem;
    ssl_certificate_key      /etc/letsencrypt/live/photoprism.example.com/privkey.pem;

    # Since the PP API is also used on Android, we have to keep TLS 1.2 in here for a while.
    # A lot of the older Android devices do not support TLS 1.3 yet :/
    ssl_protocols            TLSv1.2 TLSv1.3;

    # Use good and strong ciphers, disable weak and old ciphers
    ssl_ciphers              HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

    # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
    # max-age is given in seconds; 172800 = 2 days
    add_header Strict-Transport-Security "max-age=172800; includeSubdomains";

    # This checks if the certificate has been revoked by the certificate authority.
    # You can remove this section if you use self-signed certificates...
    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/photoprism.example.com/fullchain.pem;

    # DNS servers to use for OCSP lookups
    resolver 8.8.8.8 1.1.1.1 9.9.9.9 valid=300s;
    resolver_timeout 5s;

    # ---------------------
    # Reverse Proxy
    # ---------------------
    proxy_redirect           off;
    proxy_set_header         X-Real-IP $remote_addr;                        # Let PP know the client's real IP
    proxy_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;    # Let PP know that a proxy forwarded this request
    proxy_set_header         Host $http_host;                               # Pass the original Host header on
    proxy_http_version 1.1;                                                 # Required for WebSocket connections
    proxy_set_header Upgrade $http_upgrade;                                 # Allow protocol switch to WebSocket
    proxy_set_header Connection "upgrade";                                  # Do the protocol switch
    proxy_set_header X-Forwarded-Proto $scheme;                             # Let PP know whether this connection used HTTP or HTTPS
    client_max_body_size 500M;                                              # Bump the max body size; you may want to upload huge files via the upload GUI
    proxy_buffering off;                                                    # Stream the upstream response straight to the client instead of buffering it in nginx

    location / {
            # Optional: additional protection with Basic Auth.
            # Note: This breaks WebDAV without additional configuration.
            #       You also have to create a .htpasswd file using the command:
            #       "htpasswd -c /etc/nginx/.pp_htpasswd my_secret_user"
            # ---
            # auth_basic           "PhotoPrism Pre Auth";
            # auth_basic_user_file /etc/nginx/.pp_htpasswd;

            # Pipes the traffic to PhotoPrism.
            # Change this to your PhotoPrism IP / DNS name
            proxy_pass http://docker.homenet:2342;
    }
}

Have a look at the individual comments in the configuration for a further description.

Tip

Don't forget to change the PhotoPrism IP / DNS name at the bottom of the config... 😉
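Because the domain appears in several places and the config is usually pasted from a web page, a small pre-flight check before running nginx -t catches the usual slips. This is an added example, not part of the original page or of PhotoPrism; the sample config embedded in it is constructed and deliberately leaves one certificate path on the old domain.

```python
import re

# Constructed sample (not the page's own file): the page's layout, but with one
# copy-paste slip - server_name was changed and one certificate path was not.
SAMPLE_CONFIG = """
server {
    listen 443 ssl http2;
    server_name  photos.example.org;
    ssl_certificate     /etc/letsencrypt/live/photos.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/photoprism.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=172800; includeSubdomains";
    location / { proxy_pass http://docker.homenet:2342; }
}
"""

def check_photoprism_config(text):
    """Return a list of findings for an nginx site config; empty means all checks passed."""
    findings = []
    # Typographic quotes pasted from a web page are not quote characters for nginx.
    if re.search("[\u201c\u201d]", text):
        findings.append("typographic quotes found; nginx -t will reject them")
    # The domain is used in server_name and in every certificate path; they must agree.
    names = set()
    for m in re.finditer(r"^\s*server_name\s+([^;]+);", text, re.M):
        names.update(m.group(1).split())
    cert_dirs = set(re.findall(r"/etc/letsencrypt/live/([^/]+)/", text))
    stray = cert_dirs - names
    if stray:
        findings.append("certificate paths use a domain not in server_name: " + ", ".join(sorted(stray)))
    # Only TLS 1.2 and 1.3 should be offered.
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", text, re.M)
    weak = [p for p in m.group(1).split() if p in ("SSLv3", "TLSv1", "TLSv1.1")] if m else []
    if weak:
        findings.append("obsolete protocols enabled: " + " ".join(weak))
    # An HTTPS listener should always send HSTS.
    if re.search(r"^\s*listen\s+\S*443", text, re.M) and "Strict-Transport-Security" not in text:
        findings.append("HTTPS listener without an HSTS header")
    # An uncommented plain-HTTP listener should at least redirect to HTTPS.
    if re.search(r"^\s*listen\s+(\[::\]:)?80\b", text, re.M) and "return 301" not in text:
        findings.append("plain-HTTP listener enabled without a redirect to https")
    return findings

if __name__ == "__main__":
    for finding in check_photoprism_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against your own file with check_photoprism_config(open("/etc/nginx/sites-enabled/photoprism.example.com").read()); it complements nginx -t, which only checks syntax.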
