commit 215b0b6593655936e236f63b858569aac7b8925d Author: hhf Date: Mon Oct 7 13:20:56 2024 +0530 Add README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..30ca924 --- /dev/null +++ b/README.md 
@@ -0,0 +1,77 @@ +I've just set this up using Cloudflare Tunnels and a SaaS app for Immich. This assumes you've already set up an Auth Provider in Cloudflare Zero Trust Settings/Authentication. An example setup for Google can be found [here](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/set-up-warp/). + +## Cloudflare Zero Trust / Networks Configuration + +1. **Setup a Public Hostname** + Create a public hostname in `Networks/Tunnels` for your tunnel (e.g., `immich.yourdomain.com`) with no access control. + +2. **Create a SaaS Application** + In Cloudflare Access, set up a SaaS application called **Immich**. + +3. **OAuth Setup** + Follow the OAuth setup for Immich as detailed [here](https://developers.cloudflare.com/cloudflare-one/setup/). + +4. **Redirect URIs Configuration** + In Cloudflare, configure the redirect URIs for Mobile, Local IP, and Hostname (the "public hostname" set in step 1): + - `https://immich.yourdomain.com/api/oauth/mobile-redirect` + - `http://local_IP:2283/auth/login` + - `http://local_IP:2283/user-settings` + - `https://immich.yourdomain.com/auth/login` + - `https://immich.yourdomain.com/user-settings` + + **Note:** Replace `local_IP` with the local LAN IP address for the Immich server, and `immich.yourdomain.com` with your public domain. + +5. **OpenID Connect (OIDC) Configuration** + - Choose **OpenID Connect (OIDC)**. + - Set **Scopes** to `openid email profile`. + - Ensure you have at least the following Redirect URIs/Origins configured: + - `https://immich.yourdomain.com/api/oauth/mobile-redirect` + - `http://local_IP:2283/auth/login` + - `http://local_IP:2283/user-settings` + - `https://immich.yourdomain.com/auth/login` + - `https://immich.yourdomain.com/user-settings` + +6. **Disable PKCE** + Disable **Proof Key for Code Exchange (PKCE)**. + +7. **App Launcher URL** + Set your App Launcher URL to your public hostname: `https://immich.yourdomain.com/`. + +8. 
**Custom Icon Link** + Add a custom icon link. + +## Policy Setup + +Under **Policies**, add a policy: +- **Policy Name:** email +- **Action:** Allow +- **Create Additional Rules:** Include Login Methods: Your Auth Provider + +Under Authentication, set it to whichever Identity Providers you want to support. + +## Immich Configuration + +1. Navigate to **Administration/Settings/OAuth Authentication**. +2. Input the values provided by Cloudflare Access for: + - Issuer (Issuer URL) + - Client ID + - Client Secret +3. Click **Save**. + +### Final Steps in Immich + +Once tested and confirmed working, you can do the following: +- Enable **Auto Launch** to streamline the process. +- Under **Password Authentication**, disable it (this will force users to use OAuth). + +This setup is working perfectly for me and integrates seamlessly with the app! + +Citations: +[1] https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/set-up-warp/ +[2] https://developers.cloudflare.com/cloudflare-one/setup/ +[3] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/cloudflared/ +[4] https://developers.cloudflare.com/learning-paths/secure-internet-traffic/initial-setup/create-zero-trust-org/ +[5] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/private-net/ +[6] https://www.youtube.com/watch?v=XYWJcS31PwI +[7] https://developers.cloudflare.com/cloudflare-one/policies/gateway/initial-setup/ +[8] https://community.cloudflare.com/t/how-do-i-set-up-zero-trust-step-by-step/658465 \ No newline at end of file
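Review bot: Step 6 ("Disable **Proof Key for Code Exchange (PKCE)**") gives no reason for turning PKCE off; the README should state why the Immich OAuth client needs it disabled (or link the Immich documentation that says so) so a reader knows to re-enable it once that constraint goes away, because PKCE is what binds the authorization code returned to the redirect URIs in steps 4 and 5 to the client that requested it. That matters here because those steps register plain-HTTP redirects (`http://local_IP:2283/auth/login`, `http://local_IP:2283/user-settings`), so on the LAN path the authorization code is delivered unencrypted; one sentence saying these entries are for LAN-only access and can be removed once the public hostname is in use would help. Step 1 also creates the public hostname "with no access control", and the rule under **Policy Setup** applies to the SaaS application (the login), not to the hostname, so the Immich web and API endpoints stay reachable before authentication; the README should say this is intentional (for example because the mobile app needs `/api/oauth/mobile-redirect`) rather than leave it implicit. Minor: the step 3 link and the Google example link point at the generic Cloudflare One setup and WARP pages rather than the Immich OAuth and Google identity provider docs, and citations [3] to [8] are not referenced anywhere in the text.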