Add Custom Proxy Header Support for Cloudflare Zero Trust & Pangolin Tunnels

[radh21301]

It would be great if we could add custom headers (like CF-Access-Client-Id and CF-Access-Client-Secret) during login. This would enable integration with Cloudflare Zero Trust or Pangolin tunnels (P-Access-Token-Id, and P-Access-Token) for authentication. The config screen could have an option to add these headers, and the app would use them for all API requests.

This would allow secure use of Immich Frame when VPNs aren’t an option (e.g., on older Frameo devices) and add a strong layer of authentication using services like Cloudflare and Pangolin.

I found this feature request in Immich app where a similar feature was introduced. Maybe that explain it better:
immich-app/immich#1305

The immich mobile apps have this option under advanced section. user can add multiple custom headers.

[JW-CH]

This is related to #326, right

[radh21301]

Not really.

They are asking for paths that immich frame uses, that need to be bypassed from authentication for it to work. I suppose they plan to bypass the auth from pangolin or cloudflare and rely on the authsecret from immich frame.

Pangolin tunnels, and clouudflare have an option to bypass their respective authentication when the path matches a certain pattern OR they originate from a certain IP etc.
like: if path end with /api/*, then bypass auth.

This is useful for some apps that dont support proxy headers or oauth etc. but that is still a security risk I suppose, when you bypass certain paths.

[JW-CH]

I tried pangolin for myself and really like it. I need to play around a bit more to see how those headers will work, but I think we'll likely implement this.

This is only an issue when using the (android) app, right? When using immichFrame in the browser, you are able to log in to pangolin, correct?

[radh21301]

That is correct. When you use a broser, you are first presented with the login page for pangolin. And once you login, you are sent to the immich-frame page, and it works just fine.

I am not really sure about the normal android app - that can work with webview. I dont have one to test. The issue is applicable to frameo that does not have a recent version of webview, so need to disable that.

[3rob3]

I would be interested to see if this works in WebView. For non-WebView, we are already adding headers (for authentication secret), so adding more wouldn't be difficult. I think the bigger task is making this work for both versions, without it being confusing for users.

[radh21301]

I tried this on a friend’s Fire HD 8 tablet with WebView enabled and Pangolin auth enabled. As soon as I hit "save" after editing the config, it asks me to pick a browser and opens the login page there (Chrome, etc). Immich Frame itself doesn’t render the Pangolin login page.

Same device — when I disabled pangolin auth temporarily, Immich Frame loaded fine and showed the photos.

Maybe when auth is enabled, it causes some kind of redirect, and that’s why the app opens an external browser. I’m guessing if we could set custom auth headers directly, it might bypass that redirect and just load normally in the app.

Not totally sure how all of it works, but happy to test anything if it helps.

[3rob3]

I can change that redirect opening in browser. It is not needed anymore (we used have a landing page with links we wanted to open in a browser.

[radh21301]

Ah, that makes sense! If the redirect to browser isn’t needed anymore, then yeah — maybe adding custom headers could just work for WebView as well?

That way, users could probably log in through their provider directly in the app too — at least for WebView. Just something to keep in mind: those sessions might expire, so folks would need to plan for that (this would be applicable for auth headers as well - based on your settings). Let me know if you want me to test anything.

[JW-CH]

I just tried to pass the custom headers into the web view - what a pain. The problem is that the website we request (your immichframe instance) does its own requests. (get images, get metadata, etc.) We store the auth secret in local storage and the client uses that to request stuff with authentication.

If we disable opening a new browser window on clicking a link, pangolin will open normally (in web view) and a user can authenticate. - so this should not be an issue.

On the android client, we do the calls to the API ourselves - this is not an issue like @3rob3 said - adding more headers is easy.

My suggestion: turn the 'open in new browser' thing off and add auth headers for the native android app (frameo)

[3rob3]

I missed this somehow. If we remove the "open in browser" thing, then the new image info feature with link to open in Immich would open immich in the webview. Not sure we want that.

Side note, I am working on adding custom headers to Android app (agree.....what a pain). I think this should address your original need, correct?

[radh21301]

Not sure if that question was directed at me, but yes—that does address my original request!

[3rob3]

Not sure if that question was directed at me, but yes—that does address my original request!

Kind of, but more to the other devs. I can do this but we have since implemented a more info view with an open in immich link. If I remove this it will open that in the webview which isn’t ideal.

[synologyy]

is there any updates for pangolin? how can i bypass immich frame for appletv when pangolin sso is activated