Post

Immich: A Free Self-hosted Google Photos Backup Replacement

A free photo backup solution that is free and you can do self-hosted at home. Combining with Cloudflare Access, you can sync from anywhere.

Immich: A Free Self-hosted Google Photos Backup Replacement

Self-Hosting Immich with Cloudflare Access: Sync Photos Securely from Anywhere

If you’re looking for a powerful self-hosted photo and video management platform that offers real-time syncing, AI-powered tagging, and mobile app support and for free, Immich is the best choice in 2025. But what makes it even better? Combine it with Cloudflare Tunnels and Zero Trust Access to securely sync photos from anywhere—without opening a single port on your router.

In this post, I’ll walk you through setting up Immich on Docker, mounting an external photo drive, and enabling secure remote access using Cloudflare.


Immich

Immich is an open-source, high-performance self-hosted alternative to Google Photos. It supports:

  • Auto-upload from Android/iOS devices
  • AI-powered image tagging and facial recognition
  • Sharing, albums, and search
  • GPU-based image processing
  • External storage support

It’s built using NestJS, PostgreSQL, Redis, and Next.js—and runs beautifully in Docker.



System Requirements & Apple Silicon Limitations

  • Immich heavily benefits from GPU acceleration (video transcoding, image processing).
  • On Apple Silicon, Docker does not have access to native GPU resources, which means video transcoding and other GPU-heavy features fall back to CPU.
  • For best performance:
    • Use a dedicated GPU on x86_64 Linux (NVIDIA recommended).
    • If you’re using an M1/M2/M3 Mac for self-hosting, expect longer processing times.

Setting Up Immich with Docker Compose

Here’s a quick minimal docker-compose.yml setup:

Pre-requisite: Docker and Docker Compose must be installed and configured.

1
2
3
4
5
6
7
cd immich-app

#starting immich
dockercompose up -d

#stopping immich
docker compose down

Immich Docker Setup


Mounting an External Photo Drive

To keep your main photo library on an external SSD/HDD:

  1. Plug in your external drive (e.g., /Volumes/Photos)
  2. Edit your docker-compose.yml to mount the drive: ```yaml volumes:
    • /Volumes/Photos:/mnt/photos # Replace with your actual mounted path ```
  3. Set the upload location in your .env file:
    UPLOAD_LOCATION=/Volumes/Photos/uploads
    

💡 Make sure the /uploads folder exists on your drive. If you change drives later, update both .env and volume paths. You may also need to re-scan your library using the Immich CLI.

⚠️ If you change the drive location later, move your entire folder and update both .env and Docker volumes. A re-scan may be required using Immich CLI.


Access Immich Locally

Once running, visit:
http://127.0.0.1:2283

  • Set up your admin account.

Immich Setup

  • Go to Profile → Administration → External Libraries
  • Add a new library and set the import path as defined in your volume (e.g., /mnt/photos).

External Library Setup


Sync with Mobile App

Download the Immich mobile app from your app store and start syncing.
Note: Large libraries may take several hours to process.

Immich Mobile Setup


Set Up Cloudflare Tunnel (Secure Remote Access)

Pre-requisite: A Cloudflare tunnel must be created and running.

  1. Edit Cloudflare config.yml:
    1
    2
    3
    4
    5
    
    tunnel: immich-tunnel
    ingress:
      - hostname: photos.example.com
     service: http://localhost:2283
      - service: http_status:404
    
  2. Add a CNAME record for photos.example.com in your Cloudflare DNS settings.

Protect Immich with Cloudflare Access as a SaaS App

  1. Go to Cloudflare Zero Trust > Access > Applications
  2. Add a new SaaS app:
    • Name: Immich
    • Domain: photos.example.com

Cloudflare SaaS Setup

  1. Add an Access policy to add admin and user access.

Add OIDC Redirect URLs

1
2
3
4
5
6
http://192.168.1.184:2283/auth/login
http://192.168.1.184:2283/user-settings
http://192.168.1.184:2283/api/oauth/mobile-redirect
https://immich.uniqueslug.win/auth/login
https://immich.uniqueslug.win/user-settings
https://immich.uniqueslug.win/api/oauth/mobile-redirect

Cloudflare OIDC Setup

Get OIDC credentials:

Copy your:

  • Issuer URL
  • Client ID
  • Client Secret

Cloudflare OIDC Setup

Configure OAuth in Immich:

In Immich:

  • Go to Administration → Settings → Authentication Settings → OAuth
  • Enter the OIDC details
  • Set the Mobile Redirect URI to:
    https://photos.example.com/api/oauth/mobile-redirect

Keep password login enabled until you confirm OAuth is working.

Cloudflare OIDC Setup

Cloudflare OIDC Setup

Cloudflare OIDC Setup


Setting up automatic URL switching

To automatically switch between local and remote access on the mobile app:

  1. Open the app
  2. Go to Settings → Networking
  3. Configure local and public domains

Immich Mobile Setup


Cloudflare Limitation: Upload Size

When using Cloudflare Tunnel for external access, there’s an upload limit of 100MB per file. This can affect large video syncs or high-res image bursts from mobile devices.

Workarounds:

  • Use local network upload to sync large files
  • Compress videos before upload
  • Use a VPN for full remote access without tunneling limitations
This post is licensed under CC BY 4.0 by the author.