Immich and Synology – Photos – Part 2/4

Background and recap

In the first post we set up all the infrastructure. In this post we will focus on Synology Photos and make sure it works remotely. In the next post we will compare Photos with Immich and set that up as well. If you have a Synology NAS you get Photos for free. It was called Photo Station at first, became Moments and is now Photos. Some of the official Synology apps like Videos or Music do not impress me much, but Photos works quite nicely. Most of us also already have our photos stored on the NAS, so it is just a matter of a few clicks to get this up and running. That is, locally. There are some quite confusing methods of enabling external access, such as:

  • Quick connect
  • External access with router configuration
  • NAT

With all of the methods above you will run into some issues, such as:

  • Certificate errors
  • Playback issues
  • Security breaches / bad security
  • Blocked domain / Unable to access for external users
  • Sharing links being wrong
  • Exposing DSM instead of Photos

If you ask Synology they will tell you how to fix this the Synology way. In most cases this is not good enough, and there is also a chance that you will expose more than you want. Some people have also mentioned that you could run all the containers on your NAS. That is correct; most models can. However, I find it better to use my Intel NUC. Only file services run on my NAS.

Synology also has its own reverse proxy. It lives in the Login Portal, which we will configure later. I have chosen to use Swag in order to make things more flexible.

Setting up the site

To enable sites in Swag we add configuration files in /srv/docker/swag/config/nginx/site-confs. The path depends on where you have saved your Docker container files. In site-confs create a file called photos.conf. We will be using the domain photos.mydomain.org. See the example below.

# Map the client's Upgrade header to the Connection header nginx sends upstream,
# so that websocket upgrade requests (if the app makes them) survive the proxy.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # TLS is terminated here; the certificate settings come from Swag's ssl.conf.
    listen       443 ssl;
    listen [::]:443 ssl;
    server_name  photos.mydomain.org;
    include /config/nginx/ssl.conf;

    # No upload size limit and no buffering, so large photo/video backups stream through.
    client_max_body_size 0;
    proxy_buffering off;

    # GeoIP filtering (needs the Maxmind setup in Swag); left disabled here.
#    if ($lan-ip = yes) { set $geo-whitelist yes; }
#    if ($geo-whitelist = no) { return 404; }

    location / {
        # Plain HTTP to the NAS on the LAN, on the port we give Photos in the Login Portal.
        proxy_pass http://192.168.0.111:5080;
        resolver 127.0.0.1 valid=30s;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Pass the Upgrade/Connection pair through using the map defined above.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Notice that two lines are commented out. If you are using Maxmind (GeoIP blocking in Swag), enable them. I would also like to mention that there are others far better than me at configuring nginx conf files. I have used trial and error and found something that works for me. There are many templates in the folder “config/nginx/proxy-confs”, so it might be a good idea to use them.

The way a reverse proxy works is that it listens on one port, in this case 443. If the requested domain matches, the traffic is routed to the internal IP. In this case it does not matter that the internal communication is plain HTTP: the SSL certificate and the encrypted connection are between the client browser and Swag, while the hop from Swag to the NAS stays on the LAN.

So why are we using port 5080? Is this really the port that Synology Photos is using? You can have a look at the official Synology ports page.

But wait. It tells me it is using port 5000/5001, the same ports as DSM? (DSM is the Synology main dashboard, for those of you who do not know.) So it might be tempting to forward to port 5000. However, that would make our whole NAS public. It might work, but if you do so you would really want to add some extra layers of security.

This is not the only thing that would cause issues. So let's open up DSM via the NAS internal IP and then open Photos. The URL looks something like this:

http://192.168.0.111:5000/?launchApp=SYNO.Foto.AppInstance

So again we can see that it is using port 5000. So how can we solve this? The trick is in the Login Portal.
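As an added example (my own code, not from this post and not part of Swag or Synology), here is a small Python lint for a site-conf that checks the points made in the config section and in the port discussion above: every listener is TLS, server_name carries the public subdomain, ssl.conf is included, X-Forwarded-For is passed on, and the proxy_pass target is a LAN address that is not DSM's own port 5000/5001. The embedded config is a constructed copy of the photos.conf shown above; the DSM_PORTS set and the regex-based directive matching are assumptions of this example, not nginx's parser.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ports on which DSM itself listens (assumption taken from the text above);
# proxying to them exposes the whole management UI rather than just Photos.
DSM_PORTS = {5000, 5001}

# Constructed copy of the photos.conf from this page, used as sample input.
SAMPLE_CONF = """\
map $http_upgrade $connection_upgrade {
   default upgrade;
   ''      close;
}
server {
    listen       443 ssl;
    listen [::]:443 ssl;
    server_name  photos.mydomain.org;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    proxy_buffering off;
#    if ($lan-ip = yes) { set $geo-whitelist yes; }
#    if ($geo-whitelist = no) { return 404; }
    location / {
        proxy_pass http://192.168.0.111:5080;
        resolver 127.0.0.1 valid=30s ;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
"""


def audit_site_conf(conf: str, public_host: str) -> list:
    """Return findings ("warn: ..." or "info: ...") for one Swag site-conf.

    This is a lint over the directives, not a real nginx parser; commented
    lines are ignored, except to notice the disabled geo-whitelist lines.
    """
    findings = []
    active = "\n".join(
        ln for ln in conf.splitlines() if not ln.lstrip().startswith("#")
    )

    # 1. Every listener must be TLS: the browser-to-Swag leg carries the login.
    for m in re.finditer(r"^\s*listen\s+([^;]+);", active, re.M):
        if "ssl" not in m.group(1).split():
            findings.append(f"warn: plaintext listener 'listen {m.group(1).strip()}'")

    # 2. server_name must carry the public subdomain used in share links.
    m = re.search(r"^\s*server_name\s+([^;]+);", active, re.M)
    if not m or public_host not in m.group(1).split():
        findings.append(f"warn: server_name does not include {public_host}")

    # 3. Swag's shared TLS settings must be included.
    if not re.search(r"^\s*include\s+\S*/ssl\.conf;", active, re.M):
        findings.append("warn: /config/nginx/ssl.conf is not included")

    # 4. The backend must be a LAN address and must not be DSM's own port.
    for m in re.finditer(r"^\s*proxy_pass\s+(\S+);", active, re.M):
        target = urlsplit(m.group(1))
        port = target.port or (443 if target.scheme == "https" else 80)
        try:
            if not ipaddress.ip_address(target.hostname).is_private:
                findings.append(f"warn: backend {target.hostname} is not a private address")
        except ValueError:
            pass  # a hostname rather than an IP literal; nothing to check here
        if port in DSM_PORTS:
            findings.append(
                f"warn: backend port {port} is DSM itself; proxy to the Photos port set in Login Portal"
            )

    # 5. Without X-Forwarded-For the NAS only ever sees Swag's address in its logs.
    if "X-Forwarded-For" not in active:
        findings.append("warn: X-Forwarded-For is not forwarded to the NAS")

    # 6. Point out the GeoIP lines that ship commented out.
    if re.search(r"^\s*#\s*if\s*\(\$geo-whitelist", conf, re.M):
        findings.append("info: geo-whitelist lines are commented out (enable them if you use Maxmind)")

    return findings


if __name__ == "__main__":
    for finding in audit_site_conf(SAMPLE_CONF, "photos.mydomain.org"):
        print(finding)
```

Run it against your own photos.conf before restarting the container; a `warn:` line about port 5000 or 5001 means the config would publish DSM rather than Photos.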

Synology settings

There are some settings we would like to change. Open up the settings and the Login Portal. Edit Synology Photos.

Now make some changes. Change the port as shown below so it matches the port in photos.conf. Add your customized domain, and if you want, change the login screen at the top. Also use the alias photo or anything else you want. Save.

It might be a good idea to add some other security settings later as well. I have also used a name like dsm.mydomain.org internally or for testing. You can set this in the Login Portal under the main settings for DSM.

Now restart your Swag container as shown below. Then test in a browser by going to photos.mydomain.org.

sudo docker-compose up -d

So it works. At least it should, and if everything is set up right you should see this.

Adding users

Now add a test user via DSM. Just press next, and on the screen below tick Synology Photos.

Go to photos.mydomain.org again and you will see the login page. Try to log in with the user you just created.

You will see this. Why? Because there are settings in the shared space that have to be configured. Open up Photos as admin, press your profile picture and then Settings. Press Shared Space as shown below.

Press Set Access Permissions. In my case I want everyone to see everything. I know that access permissions are a source of frustration for some, as it is difficult to grant access to just some folders within other folders. But this is also one of many things that makes me want to use Immich.

Choose the permissions you want and save. Now you should see some photos.

Configure Photos

I did another post about Photos digging into some AI capabilities as well as some general thoughts, here. Some parts of that old post are covered in this one. You might want to read about the memory expansion and tagging. Also try to share a conditional album now. As you will notice, the share link will be photos.mydomain.org/something. If we had set this up another way, the share links could include the 5001 port. My old sharing via a duckdns domain would also get the site blocked for many users, as it was considered unsafe, for good reason.

Warning 1 ⚠️. I noticed that if you are using Cloudflare and your site is set to proxied you will get an error. This happens when using the Photos app on your phone for photo backup with large files: you may get an HTTP error 413. Usually this is solved by editing the max upload size (client_max_body_size) in nginx.conf. In this case, however, it is a limit on Cloudflare's free plan, so if you upload a large video it will fail. If you disable proxied it works. To solve this you could:

  • Pay for Cloudflare
  • Create a local dns name for photos to backup files when you are home
  • Disable proxied
  • Toggle proxied sometimes and let your large files be backed up.

Warning 2 ⚠️. I have posted about this before, but photos and videos are uploaded to the DCIM folder. Videos too, which is a little confusing as the app is called Photos. There is another folder on your NAS called videos. It used to be for Video Station. Files in this folder will not be shown in Photos, so you could create a folder in photos called video. And here is the catch: some older formats may be converted to H.264/H.265, which creates duplicates and takes up space. Be careful what videos you put here.

Enabling MFA

But what about MFA? Do you really want to expose all your photos to the public? My goal is to integrate Authelia into Swag, but that will be in another post. In the meantime I would recommend enabling the Synology MFA. There are some things you should know.

Press the settings in “Enforce 2-factor authentication for the following users” and add your new user here. Now open photos.mydomain.org again and refresh the page. As MFA is now enforced, you will be required to set it up. Make sure you choose Verification code (OTP). Use your favorite authenticator app to add the code.

But why did we choose OTP and not Secure SignIn? Secure SignIn is Synology's own MFA app and works quite nicely. If you open up the internal IP of your Synology and log in with your test user, you should be logged in to DSM. This is because the user is able to access DSM, as set in Settings -> Application privileges. You will just see a few things, like Photos. Press your avatar (Personal account icon) in the top right corner. Choose the Security tab. Enter your password again. Try to add Secure SignIn as a method for MFA. You will see something like the image below.

But it shows dsm.mydomain.org:5001? As you have probably figured out, this means we would have to open DSM to the public, and we do not want to do that. So this is the reason we are using OTP. Maybe you do not want to enforce MFA. One option would be to enable Account Protection in the security settings of your Synology. In this case MFA would only be triggered if there is something strange going on.

So to summarize this post:

  • Photos works with a subdomain
  • You can access it externally
  • MFA is activated via OTP
  • We have not exposed DSM and port 5000/5001
  • You have added more users to Photos