Why Use Encryption?
If you install PhotoPrism on a shared server so that it is reachable from hosts other than localhost, always secure the connection using HTTPS. Your files and passwords will otherwise be transmitted in clear text and can be intercepted by anyone on the path, including your provider, hackers, and governments. Backup tools and file synchronization apps may also refuse to connect over plain HTTP.
How To Enable HTTPS
HTTPS uses Transport Layer Security (TLS) for encryption. TLS is a network protocol that establishes an encrypted connection to an authenticated peer over an untrusted network. You have the following options to enable HTTPS for your own domain:
- Disable TLS in PhotoPrism by setting `PHOTOPRISM_DISABLE_TLS` to `"true"` in your `docker-compose.yml` configuration and use an existing HTTPS reverse proxy like Traefik. If you are running multiple services and already have a proxy set up, this may be the best option.
- Set specific TLS certificate (`*.crt`) and private key (`*.key`) files within the `storage/config/certificates` folder using the `PHOTOPRISM_TLS_CERT` and `PHOTOPRISM_TLS_KEY` environment variables in your `docker-compose.yml`, or use the corresponding command flags.
- Store a TLS certificate and a private key in the `storage/config/certificates` folder using the filenames `host.example.com.crt` and `host.example.com.key`, where you replace "host.example.com" with the actual server domain.
Note that after adding or updating certificates, you must restart PhotoPrism for the changes to take effect.
You can get valid certificates from a commercial certification authority (CA) or for free from Let's Encrypt.
Obtaining Certificates From Let’s Encrypt
We recommend using a Let's Encrypt client like LEGO to create free TLS certificates that you can use with PhotoPrism. The main verification methods are the HTTP-01 challenge, which requires your server to be reachable on port 80 from the public Internet, and the DNS-01 challenge, which requires a supported DNS provider so that the challenge records can be created automatically.
Wildcard Certificate with DNS Challenge
Creating an HTTPS wildcard certificate with LEGO requires a supported DNS provider to verify your domain ownership, for example DigitalOcean. If you are using Docker, the full command looks like this (change the domain and email as needed):
```bash
docker run --rm -e DO_AUTH_TOKEN -v "/opt/photoprism/storage/config/certificates:/data/" \
  goacme/lego -a --path=/data \
  --email="tls@example.com" --dns=digitalocean --dns-timeout=180 -d "example.com" \
  -d "*.example.com" run
```
Before running the command to request a certificate, also make sure that your secret API token is available to LEGO in the environment variable `DO_AUTH_TOKEN` (you can create one in the DigitalOcean customer dashboard); when LEGO runs in Docker, the variable has to be passed into the container, for example with `-e DO_AUTH_TOKEN`. For other providers the configuration is different, so you need to check the LEGO documentation for the provider you use.
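Whichever way you obtain the files, it is worth checking them before pointing `PHOTOPRISM_TLS_CERT` / `PHOTOPRISM_TLS_KEY` at them or copying them to `host.example.com.crt` / `host.example.com.key`: a key that belongs to a different certificate, a certificate whose subjectAltName list does not cover the server's domain, a wildcard that only covers `*.example.com` while the server is called `example.com`, or a world-readable key file are the usual reasons for a server that starts but fails the TLS handshake or leaks its key to other local users. The script below is an added example, not PhotoPrism or LEGO code; it assumes `openssl` 1.1.1 or newer is installed and takes the certificate path, key path and server domain as arguments. Note that LEGO stores its output under a `certificates/` subdirectory of the directory given with `--path`, named after the first `-d` domain, so for the command above the files end up as `certificates/example.com.crt` and `certificates/example.com.key` inside the mounted folder.

```bash
#!/bin/sh
# Added example (not PhotoPrism or LEGO code): sanity-check a certificate/key pair
# before handing it to PhotoPrism. Assumes `openssl` (1.1.1+) is on the PATH.
#
# Usage: check_tls_pair <cert.crt> <key.key> <host.example.com>
# Returns 0 when every check passes, 1 otherwise, and prints one line per finding.
check_tls_pair() {
  cert="$1"; key="$2"; host="$3"; rc=0

  [ -r "$cert" ] || { echo "FAIL: cannot read certificate $cert"; return 1; }
  [ -r "$key" ]  || { echo "FAIL: cannot read private key $key";  return 1; }

  # 1. The private key must belong to the certificate. Comparing the public key
  #    derived from each side works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then
    echo "ok:   private key matches certificate"
  else
    echo "FAIL: private key does not match certificate"; rc=1
  fi

  # 2. The certificate must stay valid for at least 30 more days (2592000 s);
  #    Let's Encrypt certificates last 90 days, so renewal should run well before.
  if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "ok:   certificate valid for at least 30 more days"
  else
    echo "FAIL: certificate expires within 30 days (or has already expired)"; rc=1
  fi

  # 3. The subjectAltName list must cover the server's domain, either exactly or
  #    through a wildcard entry for the parent domain (host.example.com is covered
  #    by *.example.com; example.com itself is not).
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,[:space:]]*' || true)
  parent="${host#*.}"
  if echo "$sans" | grep -qx "DNS:$host" || echo "$sans" | grep -qx "DNS:\*.$parent"; then
    echo "ok:   certificate covers $host"
  else
    echo "FAIL: certificate does not cover $host (SANs: $(echo "$sans" | tr '\n' ' '))"; rc=1
  fi

  # 4. The key must not be readable by other users on the host (GNU stat first,
  #    BSD/macOS stat as fallback). This is a warning, not a hard failure.
  perms=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$perms" in
    *[1-7]) echo "WARN: $key is readable by other users (mode $perms); chmod 600 recommended" ;;
    *)      echo "ok:   $key is not readable by other users" ;;
  esac

  [ "$rc" -eq 0 ] && echo "all checks passed; restart PhotoPrism so it picks up the files"
  return "$rc"
}

# Example invocation for the file layout used in this guide (adjust the paths):
# check_tls_pair /opt/photoprism/storage/config/certificates/host.example.com.crt \
#                /opt/photoprism/storage/config/certificates/host.example.com.key \
#                host.example.com
```

Run it after every certificate renewal, before the PhotoPrism restart; a non-zero exit status from the function is a good gate for a renewal cron job, so that a broken pair is never installed over a working one.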