Immich Login Hangs/Freezes Behind Nginx Reverse Proxy - Cookie Directive Bug Fix

[Goluff]

Problem Description - Symptoms You May Experience

• Immich login page loads correctly through reverse proxy (https://yourdomain.com)
• Direct IP access works perfectly (http://127.0.0.1:2283 or http://server-ip:port)
• Login button becomes unresponsive - clicking login button causes infinite loading/hanging
• No error messages in browser console or Nginx error logs
• No 404, 301, or other HTTP errors in access logs
• Authentication appears successful in network debugging (POST /api/auth/login returns 201)
• WebSocket connections may fail to establish after login attempt
• Browser appears to freeze on login screen with spinning loader
• Cannot access Immich dashboard through reverse proxy domain
• SSL/HTTPS access broken while HTTP direct access works

Environment Details

• Immich Version: v1.134.0 (likely affects other versions)
• Setup: Rootless Podman containers with systemd quadlets
• Reverse Proxy: Nginx with SSL termination
• Issue: Nginx cookie directive causing malformed Set-Cookie headers

Root Cause Analysis

The issue is caused by Nginx proxy_cookie_path directive that duplicates cookie security flags, causing browsers to reject or mishandle authentication cookies.

What’s Happening Behind the Scenes

Normal Immich Cookie (working direct access):

Set-Cookie: immich_access_token=abc123; Max-Age=34560000; Path=/; HttpOnly; SameSite=Lax

Broken Cookie Through Nginx (with problematic directive):

Set-Cookie: immich_access_token=abc123; Max-Age=34560000; Path=/; HTTPOnly; Secure; HttpOnly; Secure; SameSite=Lax

Notice the duplicated HTTPOnly; Secure flags that break cookie parsing.

The Fix - Remove Problematic Nginx Directive

Locate the Problem Directive

Search your Nginx configuration files for this line:

proxy_cookie_path / "/; HTTPOnly; Secure";

Common locations:

• /etc/nginx/conf.d/ssl.conf
• /etc/nginx/snippets/ssl-params.conf
• /etc/nginx/sites-available/immich.conf
• /etc/nginx/conf/ssl_server.conf

Solution 1: Remove the Directive (Recommended)

Simply comment out or delete the problematic line:

# proxy_cookie_path / "/; HTTPOnly; Secure";  # COMMENTED OUT - CAUSES IMMICH LOGIN ISSUES

Solution 2: Fix the Directive (If You Need It)

If you specifically need to add cookie security flags:

# Only use if cookies don't already have security flags
proxy_cookie_path ~^/(.*)$ "/$1; HTTPOnly; Secure";

Apply the Fix

# Test Nginx configuration
sudo nginx -t

# Reload Nginx
sudo systemctl reload nginx

# Clear browser cookies for your Immich domain
# Then test login again

Why This Happens

1. Immich already sets proper cookie security flags (HttpOnly, Secure, SameSite)
2. Nginx directive adds duplicate flags on top of existing ones
3. Browser cookie parser gets confused by malformed Set-Cookie headers
4. Authentication cookies aren’t stored/sent properly
5. Login process hangs because session isn’t established

Debugging Steps That Led to Discovery

1. WebSocket Testing

# Test WebSocket connectivity (this worked fine)
websocat wss://immich.yourdomain.com/api/socket.io/\?EIO\=4\&transport\=websocket

2. Network Request Analysis

• Direct IP login: Clean cookie headers
• Reverse proxy login: Duplicated cookie flags in Set-Cookie headers

3. Created Test Application

Built simple Node.js + Socket.IO app to verify WebSocket functionality through reverse proxy (worked perfectly).

Related Issues and Solutions

If You’re Still Having Problems:

1. Check Content Security Policy headers - may block JavaScript execution

2. Verify IMMICH_TRUSTED_PROXIES includes your reverse proxy IP

3. Ensure WebSocket upgrade headers are properly configured:

   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection $connection_upgrade;

Complete Working Nginx Configuration Example

upstream immich {
    server 127.0.0.1:2283;
}

server {
    listen 443 ssl http2;
    server_name immich.yourdomain.com;
    
    # SSL configuration
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    
    # Essential proxy headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    
    # WebSocket support
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    
    # File upload support
    client_max_body_size 50000M;
    proxy_buffering off;
    proxy_request_buffering off;
    
    location / {
        proxy_pass http://immich;
    }
    
    # DO NOT INCLUDE THIS LINE - IT BREAKS IMMICH LOGIN:
    # proxy_cookie_path / "/; HTTPOnly; Secure";
}

Prevention for Other Applications

This issue can affect any web application that:

• Uses authentication cookies
• Runs behind Nginx reverse proxy
• Has the proxy_cookie_path directive with duplicated flags

Applications potentially affected:

• Nextcloud
• Bitwarden/Vaultwarden
• Photoprism
• Jellyfin
• Home Assistant
• Any Node.js/Express applications

Additional Keywords for Search Engines

nginx proxy_cookie_path duplicate flags, nginx set-cookie header malformed, reverse proxy authentication cookies broken, nginx ssl cookie httponly secure duplicate, immich docker nginx login problem, immich podman systemd nginx issue, immich rootless container reverse proxy, nginx cookie rewrite causes login failure, immich nginx ssl termination login bug, immich nginx reverse proxy login not working, immich login hangs https, immich authentication infinite loading, immich nginx ssl login broken, immich reverse proxy websocket failed, immich login button unresponsive, immich proxy cookie problem

---

Time spent debugging this issue: ~8+ hours including custom test application development
Root cause: Single Nginx directive duplicating existing cookie security flags
Fix complexity: Comment out one line
Prevention: Let applications handle their own cookie security flags

[longregen]

Thank you and your kind soul. Add 4 hours to the counter of time spent debugging this issue!