Security: Change default site URLs to HTTP and add HTTPS init target

Signed-off-by: Michael Mayer <michael@photoprism.app>
2022-10-20 16:19:28 +02:00 · 2022-10-20 16:19:28 +02:00 · a579620a2e
commit a579620a2e
parent 6e5187fd0c
44 changed files with 184 additions and 105 deletions
--- a/2
+++ b/2
@ -12,4 +12,4 @@ WORKDIR "/go/src/github.com/photoprism/photoprism"

 # Copy source to image.
 COPY . .
-COPY --chown=root:root /scripts/dist/* /scripts/
+COPY --chown=root:root /scripts/dist/ /scripts/
--- a/docker-compose.ci.yml
+++ b/docker-compose.ci.yml
@ -18,7 +18,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "photoprism" # initial "admin" password (minimum 8 characters)
      PHOTOPRISM_AUTH_MODE: "public"          # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: "Open-Source Photo Management"
      PHOTOPRISM_SITE_AUTHOR: "@photoprism_app"
--- a/docker-compose.postgres.yml
+++ b/docker-compose.postgres.yml
@ -27,7 +27,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "photoprism"        # initial "admin" password (minimum 8 characters)
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: "Open-Source Photo Management"
      PHOTOPRISM_SITE_AUTHOR: "@photoprism_app"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -27,6 +27,7 @@ services:
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.photoprism.loadbalancer.server.port=2342"
+      - "traefik.http.services.photoprism.loadbalancer.server.scheme=https"
      - "traefik.http.routers.photoprism.entrypoints=websecure"
      - "traefik.http.routers.photoprism.rule=Host(`localssl.dev`, `app.localssl.dev`)"
      - "traefik.http.routers.photoprism.tls.domains[0].main=localssl.dev"
@ -39,7 +40,7 @@ services:
      PHOTOPRISM_ADMIN_PASSWORD: "photoprism"        # initial "admin" password (minimum 8 characters)
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
      ## External development server URL incl http:// or https:// and /path, :port is optional
-      PHOTOPRISM_SITE_URL: "https://app.localssl.dev/"
+      PHOTOPRISM_SITE_URL: "https://photoprism.me:2342/"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: "Tags and finds pictures without getting in your way!"
      PHOTOPRISM_SITE_AUTHOR: "@photoprism_app"
@ -85,7 +86,7 @@ services:
      PHOTOPRISM_OIDC_CLIENT_ID: "photoprism-develop"
      PHOTOPRISM_OIDC_CLIENT_SECRET: "9d8351a0-ca01-4556-9c37-85eb634869b9"
      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      PHOTOPRISM_INIT: "https tensorflow"
      ## Hardware Video Transcoding (optional):
      # PHOTOPRISM_FFMPEG_ENCODER: "nvidia"          # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry", "vaapi") Intel: "intel" for Broadwell or later and "vaapi" for Haswell or earlier
      # PHOTOPRISM_FFMPEG_ENCODER: "intel"           # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry", "vaapi") Intel: "intel" for Broadwell or later and "vaapi" for Haswell or earlier`
--- a/docker/develop/armv7/Dockerfile
+++ b/docker/develop/armv7/Dockerfile
@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf

 # Update base image and add dependencies.
--- a/docker/develop/bookworm-slim/Dockerfile
+++ b/docker/develop/bookworm-slim/Dockerfile
@ -33,7 +33,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bookworm/sources.list /etc/apt/sources.list.d/bookworm.list

 # Update base image and add dependencies.
--- a/docker/develop/bookworm/Dockerfile
+++ b/docker/develop/bookworm/Dockerfile
@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bookworm/sources.list /etc/apt/sources.list.d/bookworm.list
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf

--- a/docker/develop/bullseye-slim/Dockerfile
+++ b/docker/develop/bullseye-slim/Dockerfile
@ -33,7 +33,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bullseye/sources.list /etc/apt/sources.list.d/bullseye.list

 # install additional distribution packages
--- a/docker/develop/bullseye/Dockerfile
+++ b/docker/develop/bullseye/Dockerfile
@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bullseye/sources.list /etc/apt/sources.list.d/bullseye.list
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf

--- a/docker/develop/buster/Dockerfile
+++ b/docker/develop/buster/Dockerfile
@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/buster/sources.list /etc/apt/sources.list.d/buster.list
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf

--- a/docker/develop/impish/Dockerfile
+++ b/docker/develop/impish/Dockerfile
@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf

 # update image and install build dependencies
--- a/docker/develop/jammy-slim/Dockerfile
+++ b/docker/develop/jammy-slim/Dockerfile
@ -33,7 +33,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/

 # Update base image and add dependencies.
 RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
@ -43,7 +43,7 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
    echo 'APT::Get::Fix-Missing "true";' > /etc/apt/apt.conf.d/80fixmissing && \
    apt-get update && apt-get -qq upgrade && \
    apt-get -qq install \
-        libc6 ca-certificates sudo bash tzdata \
+        libc6 ca-certificates sudo bash tzdata avahi-utils \
        gpg zip unzip wget curl rsync make nano \
        jq lsof lshw sqlite3 mariadb-client imagemagick \
        exiftool rawtherapee librsvg2-bin \
--- a/docker/develop/jammy/Dockerfile
+++ b/docker/develop/jammy/Dockerfile
@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"

 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf

 # Update base image and add dependencies.
@ -49,7 +49,7 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
    echo 'APT::Get::Fix-Missing "true";' > /etc/apt/apt.conf.d/80fixmissing && \
    apt-get update && apt-get -qq upgrade && \
    apt-get -qq install \
-        libc6 ca-certificates sudo bash tzdata \
+        libc6 ca-certificates sudo bash tzdata avahi-utils \
        gpg zip unzip wget curl rsync make nano \
        jq lsof lshw sqlite3 mariadb-client imagemagick \
        exiftool rawtherapee librsvg2-bin \
--- a/docker/examples/arm64/docker-compose.yml
+++ b/docker/examples/arm64/docker-compose.yml
@ -62,7 +62,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "none"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_WORKERS: 2                          # limits the number of indexing workers to reduce system load
--- a/docker/examples/armv7/docker-compose.yml
+++ b/docker/examples/armv7/docker-compose.yml
@ -57,7 +57,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "none"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_WORKERS: 1                          # Limits the number of indexing workers to reduce system load
--- a/docker/examples/docker-compose.yml
+++ b/docker/examples/docker-compose.yml
@ -54,7 +54,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@ -80,8 +80,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Hardware Video Transcoding (for sponsors only due to high maintenance and support costs):
      # PHOTOPRISM_FFMPEG_ENCODER: "software"        # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry")
      # PHOTOPRISM_FFMPEG_BITRATE: "32"              # FFmpeg encoding bitrate limit in Mbit/s (default: 50)
--- a/docker/examples/macos/docker-compose.yml
+++ b/docker/examples/macos/docker-compose.yml
@ -51,7 +51,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@ -76,8 +76,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
    ## Storage Folders: "~" is a shortcut for your home directory, "." for the current directory
    volumes:
      # "/host/folder:/photoprism/folder"                # Example
--- a/docker/examples/scheduler/docker-compose.yml
+++ b/docker/examples/scheduler/docker-compose.yml
@ -56,7 +56,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@ -82,8 +82,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
      # PHOTOPRISM_UID: 1000
      # PHOTOPRISM_GID: 1000
--- a/docker/examples/sqlite/docker-compose.yml
+++ b/docker/examples/sqlite/docker-compose.yml
@ -54,7 +54,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@ -75,8 +75,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
      # PHOTOPRISM_UID: 1000
      # PHOTOPRISM_GID: 1000
--- a/docker/examples/windows/docker-compose.yml
+++ b/docker/examples/windows/docker-compose.yml
@ -56,7 +56,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_DEBUG: "false"                      # run in debug mode, shows additional log messages
--- a/docker/photoprism/armv7/Dockerfile
+++ b/docker/photoprism/armv7/Dockerfile
@ -59,7 +59,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@ -93,7 +93,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \

 # Copy dist files, scripts, and debian backports sources list.
 COPY --from=build --chown=root:root --chmod=755 /opt/photoprism/ /opt/photoprism
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/

 # Update base image and add dependencies.
 RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
--- a/docker/photoprism/bookworm/Dockerfile
+++ b/docker/photoprism/bookworm/Dockerfile
@ -56,7 +56,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@ -89,7 +89,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_AUTO_IMPORT=300

 # Copy scripts.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/

 # Update pre-installed packages.
 RUN apt-get update && \
--- a/docker/photoprism/bullseye/Dockerfile
+++ b/docker/photoprism/bullseye/Dockerfile
@ -56,7 +56,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@ -89,7 +89,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_AUTO_IMPORT=300

 # Copy scripts.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/

 # Update pre-installed packages.
 RUN apt-get update && \
--- a/docker/photoprism/buster/Dockerfile
+++ b/docker/photoprism/buster/Dockerfile
@ -59,7 +59,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@ -93,7 +93,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \

 # Copy dist files, scripts, and debian backports sources list.
 COPY --from=build --chown=root:root --chmod=755 /opt/photoprism/ /opt/photoprism
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/buster/sources.list /etc/apt/sources.list.d/buster.list

 # Update base image and add dependencies.
--- a/docker/photoprism/impish/Dockerfile
+++ b/docker/photoprism/impish/Dockerfile
@ -59,7 +59,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@ -93,7 +93,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \

 # Copy dist files and scripts.
 COPY --from=build --chown=root:root --chmod=755 /opt/photoprism/ /opt/photoprism
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/

 # Update base image and add dependencies.
 RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
--- a/docker/photoprism/jammy/Dockerfile
+++ b/docker/photoprism/jammy/Dockerfile
@ -57,7 +57,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@ -90,7 +90,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_AUTO_IMPORT=300

 # Copy scripts.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/

 # Update pre-installed packages.
 RUN apt-get update && \
--- a/frontend/tests/unit/config.js
+++ b/frontend/tests/unit/config.js
@ -8,8 +8,8 @@ const clientConfig = {
  staticUri: "/static",
  apiUri: "/api/v1",
  contentUri: "/api/v1",
-  siteUrl: "https://photoprism.local:2342/",
-  sitePreview: "https://photoprism.local:2342/static/img/preview.jpg",
+  siteUrl: "http://photoprism.me:2342/",
+  sitePreview: "http://photoprism.me:2342/static/img/preview.jpg",
  siteTitle: "PhotoPrism",
  siteCaption: "AI-Powered Photos App",
  siteDescription: "Open-Source Photo Management",
--- a/frontend/tests/unit/model/link_test.js
+++ b/frontend/tests/unit/model/link_test.js
@ -19,11 +19,11 @@ describe("model/link", () => {
    const values = { UID: 5, Token: "1234hhtbbt", Slug: "friends", ShareUID: "family" };
    const link = new Link(values);
    const result = link.url();
-    assert.equal(result, "https://photoprism.local:2342/s/1234hhtbbt/friends");
+    assert.equal(result, "http://photoprism.me:2342/s/1234hhtbbt/friends");
    const values2 = { UID: 5, Token: "", ShareUID: "family" };
    const link2 = new Link(values2);
    const result2 = link2.url();
-    assert.equal(result2, "https://photoprism.local:2342/s/…/family");
+    assert.equal(result2, "http://photoprism.me:2342/s/…/family");
  });

  it("should get link caption", () => {
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -382,10 +382,10 @@ func (c *Config) StaticUri() string {
 	return c.CdnUrl(c.BaseUri(StaticUri))
 }

-// SiteUrl returns the public server URL (default is "https://photoprism.local:2342/").
+// SiteUrl returns the public server URL (default is "http://photoprism.me:2342/").
 func (c *Config) SiteUrl() string {
 	if c.options.SiteUrl == "" {
-		return "https://photoprism.local:2342/"
+		return "http://photoprism.me:2342/"
 	}

 	return strings.TrimRight(c.options.SiteUrl, "/") + "/"
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -433,7 +433,7 @@ func TestConfig_ContentUri(t *testing.T) {
 func TestConfig_SiteUrl(t *testing.T) {
 	c := NewConfig(CliTestContext())

-	assert.Equal(t, "https://photoprism.local:2342/", c.SiteUrl())
+	assert.Equal(t, "http://photoprism.me:2342/", c.SiteUrl())
 	c.options.SiteUrl = "http://superhost:2342/"
 	assert.Equal(t, "http://superhost:2342/", c.SiteUrl())
 	c.options.SiteUrl = "http://superhost"
@ -443,20 +443,20 @@ func TestConfig_SiteUrl(t *testing.T) {
 func TestConfig_SiteDomain(t *testing.T) {
 	c := NewConfig(CliTestContext())

-	assert.Equal(t, "photoprism.local", c.SiteDomain())
+	assert.Equal(t, "photoprism.me", c.SiteDomain())
 	c.options.SiteUrl = "https://foo.bar.com:2342/"
 	assert.Equal(t, "foo.bar.com", c.SiteDomain())
 	c.options.SiteUrl = ""
-	assert.Equal(t, "photoprism.local", c.SiteDomain())
+	assert.Equal(t, "photoprism.me", c.SiteDomain())
 }

 func TestConfig_SitePreview(t *testing.T) {
 	c := NewConfig(CliTestContext())
-	assert.Equal(t, "https://photoprism.local:2342/static/img/preview.jpg", c.SitePreview())
+	assert.Equal(t, "http://photoprism.me:2342/static/img/preview.jpg", c.SitePreview())
 	c.options.SitePreview = "http://preview.jpg"
 	assert.Equal(t, "http://preview.jpg", c.SitePreview())
 	c.options.SitePreview = "preview123.jpg"
-	assert.Equal(t, "https://photoprism.local:2342/preview123.jpg", c.SitePreview())
+	assert.Equal(t, "http://photoprism.me:2342/preview123.jpg", c.SitePreview())
 }

 func TestConfig_SiteTitle(t *testing.T) {
--- a/internal/config/config_tls.go
+++ b/internal/config/config_tls.go
@ -31,9 +31,11 @@ func (c *Config) TLSCert() string {
 		return certName
 	}

-	// Find and return public certificate.
+	// Try to find server certificate.
 	if fileName := filepath.Join(c.CertificatesPath(), certName); fs.FileExistsNotEmpty(fileName) {
 		return fileName
+	} else if fileName = filepath.Join("/etc/ssl/certs", certName); fs.FileExistsNotEmpty(fileName) {
+		return fileName
 	}

 	return ""
@ -49,9 +51,11 @@ func (c *Config) TLSKey() string {
 		return keyName
 	}

-	// Find and return private key.
+	// Try to find private key.
 	if fileName := filepath.Join(c.CertificatesPath(), keyName); fs.FileExistsNotEmpty(fileName) {
 		return fileName
+	} else if fileName = filepath.Join("/etc/ssl/private", keyName); fs.FileExistsNotEmpty(fileName) {
+		return fileName
 	}

 	return ""
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@ -360,7 +360,7 @@ var Flags = CliFlags{
 		Flag: cli.StringFlag{
 			Name:   "site-url, url",
 			Usage:  "public site `URL`",
-			Value:  "https://photoprism.local:2342/",
+			Value:  "http://photoprism.me:2342/",
 			EnvVar: "PHOTOPRISM_SITE_URL",
 		}}, {
 		Flag: cli.StringFlag{
--- a/scripts/dist/Makefile
+++ b/scripts/dist/Makefile
@ -18,6 +18,8 @@ clean:
 	/usr/bin/apt-get -y autoremove
 	/usr/bin/apt-get -y autoclean
 	/bin/rm -rf /var/lib/apt/lists/*
+https:
+	/scripts/install-https.sh
 gpu:
 	/scripts/install-gpu.sh
 tensorflow:
--- a/scripts/dist/create-users.sh
+++ b/scripts/dist/create-users.sh
@ -21,6 +21,8 @@ groupadd -f -r -g 109 renderd 1>&2
 echo "✅ added group renderd (109)"
 groupadd -f -r -g 115 render 1>&2
 echo "✅ added group render (115)"
+groupadd -f -r -g 116 ssl-cert 1>&2
+echo "✅ added group ssl-cert (116)"

 # create group 'videodriver'
 groupdel -f 937 >/dev/null 2>&1
@ -33,17 +35,17 @@ groupadd -f -g 1000 photoprism 1>&2
 echo "✅ added group photoprism (1000)"

 # add existing www-data user to groups
-usermod -a -G photoprism,video,davfs2,renderd,render,videodriver www-data
+usermod -a -G photoprism,video,davfs2,renderd,render,ssl-cert,videodriver www-data

 # create user 'videodriver'
 userdel -r -f videodriver >/dev/null 2>&1
-useradd -u 937 -r -N -g 937 -G photoprism,www-data,video,davfs2,renderd,render -s /bin/bash -m -d "/home/videodriver" videodriver
+useradd -u 937 -r -N -g 937 -G photoprism,www-data,video,davfs2,renderd,render,ssl-cert -s /bin/bash -m -d "/home/videodriver" videodriver
 echo "✅ added user videodriver (937)"

 # create user 'photoprism'
 userdel -r -f photoprism >/dev/null 2>&1
 userdel -r -f 1000 >/dev/null 2>&1
-useradd -u 1000 -N -g 1000 -G www-data,video,davfs2,renderd,render,videodriver -s /bin/bash -m -d "/home/photoprism" photoprism
+useradd -u 1000 -N -g 1000 -G www-data,video,davfs2,renderd,render,ssl-cert,videodriver -s /bin/bash -m -d "/home/photoprism" photoprism
 echo "✅ added user photoprism (1000)"

 add_user()
@ -51,7 +53,7 @@ add_user()
  userdel -r -f "user-$1" >/dev/null 2>&1
  groupdel -f "group-$1" >/dev/null 2>&1
  groupadd -f -g "$1" "group-$1"
-  useradd -u "$1" -g "$1" -G photoprism,www-data,video,davfs2,renderd,render,videodriver -s /bin/bash -m -d "/home/user-$1" "user-$1" 2>/dev/null
+  useradd -u "$1" -g "$1" -G photoprism,www-data,video,davfs2,renderd,render,ssl-cert,videodriver -s /bin/bash -m -d "/home/user-$1" "user-$1" 2>/dev/null
  printf "."
 }

--- a/scripts/dist/entrypoint-init.sh
+++ b/scripts/dist/entrypoint-init.sh
@ -26,6 +26,8 @@ case $DOCKER_ENV in
    INIT_SCRIPTS="/scripts"
    CHOWN_DIRS=("/photoprism" "/opt/photoprism" "/go" "/tmp/photoprism")
    CHMOD_DIRS=("/opt/photoprism" "/tmp/photoprism")
+    # Create test TLS certificates.
+    ./scripts/openssl/create-all.sh
    ;;

  *)
--- a/scripts/dist/install-https.sh
+++ b/scripts/dist/install-https.sh
@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+# Generates local HTTPS keys and certificates on Linux.
+# bash <(curl -s https://raw.githubusercontent.com/photoprism/photoprism/develop/scripts/dist/install-https.sh)
+
+PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/scripts:$PATH"
+
+# Abort if not executed as root.
+if [[ $(id -u) != "0" ]]; then
+  echo "Usage: run ${0##*/} as root" 1>&2
+  exit 1
+fi
+
+# shellcheck disable=SC2164
+CONF_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )/openssl"
+CERTS_PATH="/etc/ssl/certs"
+KEY_PATH="/etc/ssl/private"
+
+# Check if keys and certificates already exist.
+if [ -f "$CERTS_PATH/photoprism.local.issuer.crt" ] && [ -f "$KEY_PATH/photoprism.local.pfx" ] && [ -f "$KEY_PATH/photoprism.me.pfx" ]; then
+    echo "Keys and certificates for photoprism.local already exist in ${KEY_PATH} and ${CERTS_PATH}."
+    exit 0
+fi
+
+echo "Creating local HTTPS keys and certificates in ${KEY_PATH} and ${CERTS_PATH}."
+
+mkdir -p "${CERTS_PATH}" "${KEY_PATH}"
+groupadd -f -r -g 116 ssl-cert 1>&2
+
+# Generate issuer (CA) certificate.
+
+echo "Generating issuer (CA) certificate..."
+
+openssl genrsa -out "$KEY_PATH/photoprism.local.issuer.key" 4096
+
+openssl req -x509 -new -nodes -key "$KEY_PATH/photoprism.local.issuer.key" -sha256 -days 365 -out "$CERTS_PATH/photoprism.local.issuer.pem" -passin pass: -passout pass: -config "$CONF_PATH/ca.conf"
+
+openssl x509 -outform der -in "$CERTS_PATH/photoprism.local.issuer.pem" -out "$CERTS_PATH/photoprism.local.issuer.crt"
+
+# Generate server certificates.
+
+echo "Generating certificate for photoprism.local..."
+
+openssl genrsa -out "$KEY_PATH/photoprism.local.key" 4096
+
+openssl req -new -config "$CONF_PATH/local-csr.conf" -key "$KEY_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.csr"
+
+openssl x509 -req -in "$CERTS_PATH/photoprism.local.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$KEY_PATH/photoprism.local.issuer.key" -CAcreateserial \
+-out "$CERTS_PATH/photoprism.local.crt" -days 365 -sha256 -extfile "$CONF_PATH/local.conf"
+
+openssl pkcs12 -export -in "$CERTS_PATH/photoprism.local.crt" -inkey "$KEY_PATH/photoprism.local.key" -out "$KEY_PATH/photoprism.local.pfx" -passin pass: -passout pass:
+
+echo "Generating certificate for photoprism.me..."
+
+openssl genrsa -out "$KEY_PATH/photoprism.me.key" 4096
+
+openssl req -new -config "$CONF_PATH/me-csr.conf" -key "$KEY_PATH/photoprism.me.key" -out "$CERTS_PATH/photoprism.me.csr"
+
+openssl x509 -req -in "$CERTS_PATH/photoprism.me.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$KEY_PATH/photoprism.local.issuer.key" -CAcreateserial \
+-out "$CERTS_PATH/photoprism.me.crt" -days 365 -sha256 -extfile "$CONF_PATH/me.conf"
+
+openssl pkcs12 -export -in "$CERTS_PATH/photoprism.me.crt" -inkey "$KEY_PATH/photoprism.me.key" -out "$KEY_PATH/photoprism.me.pfx" -passin pass: -passout pass:
+
+# Change key permissions.
+
+echo "Updating permissions of keys in '$KEY_PATH'..."
+
+chown -R root:ssl-cert "$KEY_PATH"
+chmod -R u=rwX,g=rX,o-rwx "$KEY_PATH"
+
+# Run "update-ca-certificates".
+
+echo "Running 'update-ca-certificates'..."
+update-ca-certificates
+
+echo "Done."
--- a/scripts/dist/openssl/ca.conf
+++ b/scripts/dist/openssl/ca.conf
@ -8,6 +8,7 @@ prompt = no
 C = DE
 ST = Berlin
 L = Berlin
-O = Self-Signed
+O = Local HTTPS
+OU = Self-Hosted
 emailAddress = hello@photoprism.local
 CN = photoprism.local
--- a/scripts/dist/openssl/local-csr.conf
+++ b/scripts/dist/openssl/local-csr.conf
@ -10,7 +10,7 @@ C = DE
 ST = Berlin
 L = Berlin
 O = PhotoPrism
-OU = Local
+OU = Self-Hosted
 emailAddress = hello@photoprism.local
 CN = photoprism.local

--- a/scripts/dist/openssl/local.conf
+++ b/scripts/dist/openssl/local.conf
--- a/scripts/dist/openssl/me-csr.conf
+++ b/scripts/dist/openssl/me-csr.conf
@ -0,0 +1,25 @@
+[req]
+default_bits = 4096
+prompt = no
+default_md = sha256
+x509_extensions = v3_req
+distinguished_name = dn
+
+[dn]
+C = DE
+ST = Berlin
+L = Berlin
+O = PhotoPrism
+OU = Self-Hosted
+emailAddress = hello@photoprism.local
+CN = photoprism.me
+
+[v3_req]
+subjectAltName = @alt_names
+
+[SAN]
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.photoprism.me
+DNS.2 = photoprism.me
--- a/scripts/dist/openssl/me.conf
+++ b/scripts/dist/openssl/me.conf
@ -0,0 +1,8 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.photoprism.me
+DNS.2 = photoprism.me
--- a/scripts/openssl/create-all.sh
+++ b/scripts/openssl/create-all.sh
@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-
-SCRIPT_DIR=$(dirname "$0")
-
-"$SCRIPT_DIR/create-ca.sh"
-"$SCRIPT_DIR/create-certs.sh"
--- a/scripts/openssl/create-ca.sh
+++ b/scripts/openssl/create-ca.sh
@ -1,20 +0,0 @@
-#!/usr/bin/env bash
-
-# To add this certificate to your list of trusted issuers:
-# sudo cp storage/config/certificates/photoprism.local.issuer.crt /usr/local/share/ca-certificates/photoprism.local.issuer.crt
-# sudo update-ca-certificates
-
-# shellcheck disable=SC2164
-SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
-CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
-
-echo "OpenSSL Scripts: ${SCRIPT_PATH}"
-echo "HTTPS Cert Path: ${CERTS_PATH}"
-
-mkdir -p "${CERTS_PATH}"
-
-openssl genrsa -out "$CERTS_PATH/photoprism.local.issuer.key" 4096
-
-openssl req -x509 -new -nodes -key "$CERTS_PATH/photoprism.local.issuer.key" -sha256 -days 365 -out "$CERTS_PATH/photoprism.local.issuer.pem" -passin pass: -passout pass: -config "$SCRIPT_PATH/ca.conf"
-
-openssl x509 -outform der -in "$CERTS_PATH/photoprism.local.issuer.pem" -out "$CERTS_PATH/photoprism.local.issuer.crt"
--- a/scripts/openssl/create-certs.sh
+++ b/scripts/openssl/create-certs.sh
@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-# shellcheck disable=SC2164
-SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
-CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
-
-mkdir -p "${CERTS_PATH}"
-
-openssl genrsa -out "$CERTS_PATH/photoprism.local.key" 4096
-
-openssl req -new -config "$SCRIPT_PATH/openssl.conf" -key "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.csr"
-
-openssl x509 -req -in "$CERTS_PATH/photoprism.local.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$CERTS_PATH/photoprism.local.issuer.key" -CAcreateserial \
-out "$CERTS_PATH/photoprism.local.crt" -days 365 -sha256 -extfile "$SCRIPT_PATH/local.conf"
-
-openssl pkcs12 -export -in "$CERTS_PATH/photoprism.local.crt" -inkey "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.pfx" -passin pass: -passout pass: