[GH-ISSUE #210] Documentation about Outgoing Connections #39

Open
opened 2026-03-02 16:47:13 +03:00 by kerem · 1 comment
Owner

Originally created by @coolwanglu on GitHub (Oct 9, 2025).
Original GitHub issue: https://github.com/photoprism/photoprism-docs/issues/210

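firewall.md (https://github.com/photoprism/photoprism-docs/blob/develop/docs/getting-started/troubleshooting/firewall.md) lists a few hosts that should be allowed by the firewall. I think we should further specify "which firewall".

Here are my findings, not necessarily accurate: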

  • Server Setup
    • dl.photoprism.app
  • Running Server
    • my.photoprism.app
    • places.photoprism.app
  • Client (e.g. browser)
    • cdn.photoprism.app
    • maps.photoprism.app
  • Not Used (removed?)
    • places.photoprism.xyz
Author
Owner

@lastzero commented on GitHub (Dec 11, 2025):

In this context, "firewall" is meant in a fairly broad sense: anything that filters outgoing HTTP/HTTPS traffic — that can be a host firewall on the PhotoPrism server / container host, a corporate perimeter firewall, or an explicit HTTP/HTTPS proxy in between. That’s why the docs currently just say "if you have a firewall installed, allow requests to the following hosts".

The specific hosts that should be reachable are:

  • dl.photoprism.app – downloads for example configs, diagrams, and other assets.
  • my.photoprism.app – membership / license portal, only needed if you use Plus / Pro features.
  • cdn.photoprism.app – static assets (configs, diagrams, etc.), primarily from the browser / docs.
  • charts.photoprism.app – Helm charts, mainly relevant for Kubernetes installs.
  • maps.photoprism.app – vector map tiles used by the Maps & Places UI.
  • places.photoprism.app / places.photoprism.xyz – reverse geocoding API used when enriching location data.
  • Docker Hub endpoints – only need to be reachable from the Docker host / Kubernetes nodes, not from the browser.

From a firewall / proxy configuration point of view, the two important paths are:

  1. Outgoing connections from the machine (or cluster) where PhotoPrism runs to our services and Docker Hub.
  2. Outgoing connections from users’ browsers to our CDN and map endpoints, if those are filtered separately.

We could improve the docs by:

  • Explicitly saying "your PhotoPrism host or HTTP/HTTPS proxy must be allowed to reach the following hosts…"
  • Adding a short note that browsers may also need to reach cdn.photoprism.app and maps.photoprism.app if there is a separate outbound filter on the client side.
  • Keeping places.photoprism.xyz listed as it is still documented as a reverse geocoding endpoint.

Would this help?
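
The two filtering paths described in the comment above, as an added example that is not part of the original thread or of PhotoPrism's own code: it audits filter decisions per source role and reports documented hosts that are blocked and undocumented hosts that pass. The role-to-host split, the log line format and the sample lines are assumptions made for illustration.

```python
# Assumption: the role-to-host split below is read from this thread, not an
# official policy. Docker Hub endpoints are omitted; the thread names none.
ALLOW = {
    "server": {
        "dl.photoprism.app", "my.photoprism.app", "charts.photoprism.app",
        "places.photoprism.app", "places.photoprism.xyz",
    },
    "browser": {"cdn.photoprism.app", "maps.photoprism.app"},
}

def normalize(host):
    """Lower-case, drop an optional :port suffix and a trailing dot."""
    host = host.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def expected(role, host):
    """Exact match only: suffix or substring matching would also accept
    look-alikes such as dl.photoprism.app.example.net."""
    return normalize(host) in ALLOW.get(role, set())

def audit(lines):
    """Each line: '<role> <ALLOW|DENY> <host[:port]>' (constructed format).
    Returns (blocked_but_listed, passed_but_unlisted)."""
    blocked, unlisted = [], []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        role, action, host = parts
        ok = expected(role, host)
        if action == "DENY" and ok:
            blocked.append((role, normalize(host)))
        elif action == "ALLOW" and not ok:
            unlisted.append((role, normalize(host)))
    return blocked, unlisted

# Constructed sample decisions, not real firewall or proxy output.
SAMPLE = [
    "server ALLOW dl.photoprism.app:443",
    "server DENY places.photoprism.app:443",
    "browser DENY MAPS.photoprism.app.:443",
    "browser ALLOW cdn.photoprism.app:443",
    "server ALLOW dl.photoprism.app.example.net:443",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```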
