Using Caddy 1 as Reverse Proxy

Legacy Software

Caddy 1 reached end-of-life and only receives critical fixes. Consider upgrading to Caddy 2 whenever possible. If you continue to run Caddy 1, the Caddy community—not PhotoPrism—must be your primary support channel.

Caddy 1 can still proxy WebSocket and HTTP/2 traffic for PhotoPrism. Enable the websocket and transparent options so request headers reach the app unchanged.

Set the public Site URL to your external https:// address. If Caddy reaches PhotoPrism from an address outside Docker’s default internal range, add the proxy IP or CIDR to PHOTOPRISM_TRUSTED_PROXY so forwarded client and protocol headers are accepted:

example.com {
    gzip
    tls you@example.com

    proxy / photoprism:2342 {
        websocket
        transparent
        header_upstream X-Forwarded-Proto {scheme}
    }
}

The tls directive requests and renews certificates from Let’s Encrypt automatically. Use tls internal if you prefer to run your own CA, or tls /path/fullchain.pem /path/privkey.pem when supplying files manually.

Refer to the Caddy 1 documentation for additional directives and migration tips.

Why Use a Proxy?

If you install PhotoPrism on a public server outside your home network, always run it behind a secure HTTPS reverse proxy. Your files and passwords will otherwise be transmitted in clear text and can be intercepted by anyone, including your provider, hackers, and governments. Backup tools and file sync apps may refuse to connect as well.

Help improve these docs! You can contribute by clicking to send a pull request with your changes.