Unable to ReverseProxy to PhotoPrism for external access on NCP instance, 500 error

Hi all,

I’m a first-time self-hoster looking to configure PhotoPrism to work alongside my functional, internet-facing NCP instance. I have been beating my head against the wall trying to get this to work and want to make sure that what I’m trying to achieve is possible and not prevented because of some default NCP settings for privacy.

I have my NCP instance facing the internet using duckdns.org. This works great, and I’m very pleased! Incredible work from the nextcloud team and nachoparker for making nextcloud accessible for people like me.

I have PhotoPrism working on my local network on the default 2342 port. PhotoPrism works awesome locally, and I have it set up to use my Nextcloud Photos folder as the originals folder. I would like to be able to access PhotoPrism from the internet using my mysubdomain.duckdns.org if possible.

After some digging, I suspect that I will need to set up a reverse proxy to take a request and point it to my local PhotoPrism instance. To this end, I have tried to set up a reverse proxy using both mysubdomain.duckdns.org/photos and photos.mysubdomain.duckdns.org (duckdns by default allows wildcard sub-subdomains, so this should work too). I haven’t been able to get either of these to work.

I think I have gotten close (using the photos.mysubdomain.duckdns.org strategy), with the following photoprism.conf I have added to my /etc/apache2/sites-available/ directory and enabled with sudo a2ensite photoprism.conf. I additionally was able to get an SSL certificate for photos.mysubdomain.duckdns.org. Now, when I navigate to photos.mysubdomain.duckdns.org, I get a 500 internal server error. I do not know much about this, but I have 2 theories for why this may be happening.

  1. In my photoprism.conf, I am redirecting traffic on port 443 to a http://localhost:2342 domain, which may cause issues.

  2. There are NCP settings built into a local firewall (maybe iptables?) that prevent this kind of forwarding using the same duckdns subdomain I used for mysubdomain.duckdns.org (which directs traffic to my NCP instance). In this case, I am out of my depth and would need help.

Can anyone help me out with getting my PhotoPrism instance to face the internet alongside an NCP installation? I am posting here instead of at PhotoPrism first because I think the default iptables settings may be the issue. If this isn’t preventing me from having my PhotoPrism instance from facing the internet, I’ll move on and ask for help elsewhere.

Thank you.

ncp-config
https://pastebin.com/rDxnC7H4

photoprism.conf
https://pastebin.com/zDHuWKvG

Hi
I just managed to set up PhotoPrism with docker compose on my PC and used nginx on a VM to reverse proxy;
worked pretty much out of the box following NGINX - PhotoPrism

Thank you for the link. I have tried this, but, because I used NextCloudPi, the apache2 server that comes with NCP is already bound to ports 80 and 443. I can’t set up nginx alongside apache2 with the defaults. I don’t know enough about setting up either apache2 or nginx to confidently set them up side-by-side, so I was trying to use the already configured apache2 to reverse proxy to PhotoPrism.

I know, for example, that you cannot access the NCPi web-panel on port 4443 from your internet-facing DDNS server (like duckdns in my case) so I thought there may be some default setting in NCPi that prevents me from forwarding to PhotoPrism.

You are welcome

Could run Nginx on alternate ports or use docker and expose an alternate port (-p 3443:443 for example)

This is for security reasons; it is safer to use ssh and ncp-config, but it is set in /etc/apache/sites-enabled/ncp.conf in the section

<RequireAny>
Require host localhost
Require local
Require ip 192.168
Require ip 172
Require ip 10
</RequireAny>

You can add a line with the IP of any device from which you want to be able to access 4443; the port needs to be forwarded in your router also, of course.

BTW, what hardware are you on? PhotoPrism takes plenty of time, CPU and RAM for the initial indexing on my NUCi7 if, like me, you have tons of pictures to scan :wink:

I am using an RPi4 8GB. I don’t have many pictures, but they have already been indexed by PhotoPrism. PhotoPrism works very nicely locally for me. PhotoPrism is set up using docker-compose in my case as well. I don’t have many photos, so this seems to be working well for me at the moment. If I figure out how to get PhotoPrism to face the internet I would start thinking about a future upgrade. As of now, I’m still floundering about whether I have enough know-how to set that up.

I have just thought of something else that could potentially be causing an issue. I have 3 things set up on my RPi at the moment, Nextcloud, PhotoPrism and Wireguard. I have set up a Wireguard VPN tunnel that does allow me to access PhotoPrism on the local network when I turn it on. This is good, but I would like to be able to share links to my albums to friends using PhotoPrism. I set up some iptables rules when I set up Wireguard. I’m sorry to bug you, but do you think the following could be my issue? I have been blindly following directions with my new Pi and don’t understand every change I’ve made.

Address = 10.6.0.1/24
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o et$
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $#

Thank you for your insights about the NCPi configurations. I didn’t understand the purpose of that rule, but it makes sense! I was hoping the same limitation on accessing 4443 would be involved in reaching my PhotoPrism instance, but unfortunately, that doesn’t seem to be the case.

Could run Nginx on alternate ports or use docker and expose an alternate port (-p 3443:443 for example)

So to do what you are suggesting, I think I would need to listen for my photos.mysubdomain.duckdns.org on a completely different port (3443 in your example) to then forward it along to my PhotoPrism docker instance. I am not sure how to make it so photos.mysubdomain.duckdns.org would not use the default 443 for SSL traffic when I go to that site.

I also feel like I’m missing something regardless, I’m not convinced that I would be able to access the PhotoPrism even if I did use nginx because of the internal server error I’m getting when I try to use my current photos.mysubdomain.duckdns.org.

Not a good idea, unless it’s in a test environment.

Also, my knowledge of iptables is very limited; I use ufw to manage the rules for me.
Same goes for setting up proxy, I followed steps in docu-links above.
It is possible to set up a proxy using apache2 also; I have never tried it. Nginx is what I’m used to for proxy. Either way, Nginx or Apache2, you need to create a Virtual Host to expose the https_domain:port and forward it to the PhotoPrism http_internal_IP:port.
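As an added example (not code from the original thread, nor from the NextcloudPi or PhotoPrism projects), here is what such an Apache virtual host looks like when it sits next to NCP's own ncp.conf on the same port 443 and forwards to a PhotoPrism container published on the host's port 2342. It assumes photos.mysubdomain.duckdns.org resolves to the Pi, that a certificate for that name exists at the Let's Encrypt paths shown (hypothetical paths), and that PhotoPrism is started with PHOTOPRISM_SITE_URL set to the public https URL so the links it generates match the proxy. One common reason such a setup answers 500 instead of proxying is having mod_proxy enabled without mod_proxy_http; Apache then accepts the configuration but logs "No protocol handler was valid for the URL" in error.log for every request.

```apache
# /etc/apache2/sites-available/photoprism.conf  (added example, not NCP's own file)
#
# Modules this vhost depends on; enable once and reload apache2:
#   sudo a2enmod proxy proxy_http proxy_wstunnel headers ssl
#   sudo apachectl configtest && sudo systemctl reload apache2
#
# Assumptions: the container was started with "-p 2342:2342" (or the
# docker-compose equivalent) so 127.0.0.1:2342 on the host reaches it,
# and PHOTOPRISM_SITE_URL=https://photos.mysubdomain.duckdns.org/ is set
# in the container's environment.

<VirtualHost *:80>
    ServerName photos.mysubdomain.duckdns.org
    # Never serve the app over plain HTTP; send clients to TLS.
    Redirect permanent / https://photos.mysubdomain.duckdns.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName photos.mysubdomain.duckdns.org

    SSLEngine on
    # Hypothetical certificate paths; adjust to wherever your cert lives.
    SSLCertificateFile    /etc/letsencrypt/live/photos.mysubdomain.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/photos.mysubdomain.duckdns.org/privkey.pem

    # Pass the public Host header through unchanged and tell the backend
    # the client arrived over HTTPS, so PhotoPrism builds https:// links.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # PhotoPrism's web UI opens a WebSocket on /api/v1/ws. That path must
    # be matched first and handed to mod_proxy_wstunnel; otherwise the
    # generic HTTP rule below swallows it and the UI never updates live.
    ProxyPass /api/v1/ws ws://127.0.0.1:2342/api/v1/ws

    # Everything else is ordinary HTTP to the container on the host.
    ProxyPass        / http://127.0.0.1:2342/
    ProxyPassReverse / http://127.0.0.1:2342/

    # Uploads and first-time indexing can hold a request open for a while.
    ProxyTimeout 300

    ErrorLog  ${APACHE_LOG_DIR}/photoprism-error.log
    CustomLog ${APACHE_LOG_DIR}/photoprism-access.log combined
</VirtualHost>
```

Enable it with `sudo a2ensite photoprism.conf`, run `sudo apachectl configtest`, and reload. When a request still returns 500, the per-site ErrorLog above is the first place to look: Apache records the exact proxy failure there (unloaded handler module, connection refused on 127.0.0.1:2342, or a timeout), which distinguishes an Apache problem from a firewall one. Note that nothing in this vhost touches iptables; the WireGuard PostUp rules only add FORWARD and NAT entries for the wg interface, and NCP's RequireAny block applies to the 4443 admin panel, not to a separate vhost, so neither blocks a reverse proxy on 443 by itself.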

Thanks again, you have been very generous with your time and expertise for this.

It’s probably best for me to not expose any ports to the internet besides the WireGuard server for now. You have reminded me that I have probably been too laissez-faire with exposing my current setup to the internet.

I’ll look into more about configuring my ReverseProxy using apache2. It may be best for me to start a fresh NextCloud instance on a different computer as a test environment (using snap or docker as opposed to NCP) and tinker with configuring nginx for the setup. In the meantime, my ability to use WireGuard to VPN into my local network works for my needs.

Have a great day, thanks again.