I HAVE FIXED IT

basically the issue was thaty router doesn’t support NAT loopback, and as such when a request for the routers external IP comes from the inside, the router throws it out. This can be fixed by editing your computer’s host file to redirect the domain to the local IP of the server, or by setting up a dnsmasq proxy to make any requests redirect to the internal IP of the server.!!!

=======================================================

so, i have immich set up behind an nginx reverse proxy, here is the configuration:

server {
    server_name [my domain];
    # https://github.com/immich-app/immich/blob/main/nginx/templates/default.conf.template#L28
    client_max_body_size 50000M;

       location / {
        proxy_pass http://192.168.0.69:2283;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # http://nginx.org/en/docs/http/websocket.html
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_redirect off;
}

    listen 80;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/[my domain]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/[my domain]/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
#server {
#    if ($host = [my domain]) {
#        return 301 https://$host$request_uri;
#     } # managed by Certbot


#    server_name [my domain]
#    listen 443 ssl
    # https://github.com/immich-app/immich/blob/main/nginx/templates/default.conf.template#L28
#    client_max_body_size 50000M;
#    listen 80;
#    return 404; # managed by Certbot
#}


http works at all times, (when connecting thru domain) and https ONLY WORKS if i am not on the local network (the sever is an old laptop) i i am using a vpn (or in another building) it works fine, and DNS requests from inside the same network resolve to the public IP, as expected.

I am stumped.

ps: the connection times out when connecting to it on the same network (with domain) and tcpdump and access.log dont pick up anything

Edit: formatting Edit2: the pinging works from the router (it has a debugging feature), but not from my pc (with https)

Edit3: i had wireshark open while curling the domain, and it pings my home ip (the good one) but receives no reply

  • theit8514@lemmy.world
    link
    fedilink
    English
    arrow-up
    4
    ·
    10 months ago

    Based on your edit about getting the public IP: Most firewall/routers are not configured to do this operation by default (called Hairpinning). If you request your firewall/router’s external IP address from the internal network you won’t get a response unless Hairpinning is enabled and some devices don’t allow you to do that. If you have an internal dns server, you should override the internal dns to return the private ip address so it goes to your nginx reverse proxy instead of the firewall/router.

    • BlisterexeOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      I did not have an internal DNS server, but I fixed it by making one, thank you!

    • BlisterexeOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      if i am unsure if i have an internal dns how would i check?

      • __ghost__@lemmy.ml
        link
        fedilink
        English
        arrow-up
        2
        ·
        10 months ago

        Most routers have an option to point at a custom DNS first with a fall through for external DNS providers. Best bet is to log into your router and poke around

  • Taleya@aussie.zone
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    10 months ago

    Internally the domain is resolving to your public IP. Check your modem isn’t trying to redirect the https request to itself

    • BlisterexeOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      the domain is (correctly, i think) resolving to my home ip, check the edit

      • Taleya@aussie.zone
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        yup.

        I had a similar driving me fcking nuts issue - it turned out that even though I had explicitly set the modem to run on a nonstandard port, to reject all http/https requests from the external interface and set it to point all http/https to my web server, every time I ran traffic internally from 192.168.0.1 to mydomain.com it went out, hit the the DNS, came back to my public IP and then for some reason I still cannot work the fuck out the modem then takes it and goes “oh that’s someone in my network talking to MEEEEEEEEEEE” and then I’d get a https bad request. Using a VPN negates this as it routes differently.

        • BlisterexeOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          did you find a way to fix it? (i am at my wits end)

          • Taleya@aussie.zone
            link
            fedilink
            English
            arrow-up
            1
            ·
            10 months ago

            internally? On my main rig I just edited my host file to hard direct all traffic for that domain to the box’s internal IP. Not sure if that will work for you. Externally, well…there’s no issue.

            • BlisterexeOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              10 months ago

              I was actually hoping I could fix it for everyone on the network, but fair enough

              • Taleya@aussie.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                10 months ago

                Could try tweaking your modem settings, but that’s extremely equipment specific as to what will/won’t work. If you run your own dns or can define hosts higher on the hierarchy, hardcoding there would also work

                • BlisterexeOP
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  10 months ago

                  Well, thanks for the help, I’ll just try to fuck around until I fix smth

            • BlisterexeOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              10 months ago

              What exactly did you put in your host file that fixed the issue?

              • Taleya@aussie.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                10 months ago

                main rig is a win system, so I modified C:\Windows\System32\drivers\etc\hosts. NOTE: Always make a copy of your existing config (eg: hosts.old)

                add the following line

                internal IP domain

                so eg:

                192.168.0.10 MyDomain.com

                then save and go.

    • BlisterexeOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      How do I do that (sorry if that’s a dumb question)

  • lemmyreader@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    10 months ago

    You are not using a http to https redirect. Is that turned off for debugging ?

    Try using the openssl command line to connect with the advantage of not having to think about app or web browser caches :

    s_client can be used to debug SSL servers. To connect to an SSL HTTP server the command:

    openssl s_client -connect servername:443

    would typically be used (https uses port 443). If the connection succeeds then an HTTP command can be given such as “GET /” to retrieve a web page.

    • BlisterexeOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      openssl s_client -connect servername:443

      that times out, it doesnt give any information, thanks anyways though!

        • BlisterexeOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          10 months ago

          Turns out the issue is that my router does not support NAT loopback, and I’ve found a fix for that, thank you for the help tho

      • __ghost__@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        10 months ago

        I’ve been looking for a photo viewing solution for a nextcloud instance and immich seems really nice. Basically looking for something with similar features as iPhotos (stretch goal)

        Have you had any bad experiences with bugs or features not working correctly?

        • BlisterexeOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          10 months ago

          no it all works great, you can try it at demo.immich.app