Why I Needed a Better Photo Backup System
I've been running Synology Photos for years. My NAS holds thousands of family photos, and the built-in backup from my phone works fine when I'm home. But I wanted something more capable—better facial recognition, faster search, and a way to access everything remotely without exposing my entire NAS to the internet.
I also wanted to keep using Active Backup for Business to handle my laptop backups. The goal was to have Immich handle photos with its superior AI features while Synology continued doing what it does best: reliable file storage and system backups.
My Setup Before Starting
Here's what I was already running:
- Synology DS920+ with 16TB storage
- Synology Photos indexing photos stored in /photos shared folder
- Active Backup for Business backing up my Windows laptop and phone
- Intel NUC running Proxmox with several Docker containers
- SWAG reverse proxy handling SSL for my services
- Cloudflare DNS for external access
Photos were stored on the NAS, but I wanted Immich to access them directly rather than duplicating everything.
Setting Up Immich with External Storage
I installed Immich on my NUC using Docker Compose. The key decision was mounting my Synology photo library as an external library in Immich rather than uploading everything again.
First, I mounted the NAS share on my NUC:
sudo mount -t nfs 192.168.0.111:/volume1/photos /mnt/synology-photos
Then I modified the Immich docker-compose.yml to include this mount:
volumes: - /mnt/synology-photos:/external-library:ro
The :ro flag is important—it mounts the library as read-only. Immich can read and index the photos but won't modify the originals on the NAS.
In Immich's admin panel, I added this as an external library. The initial scan took about 6 hours for roughly 40,000 photos. Immich's facial recognition started running immediately.
What Worked
Immich's facial recognition is significantly better than Synology Photos. It found faces I didn't even know were in some photos. The machine learning runs locally on my NUC, which has a decent CPU but no GPU. Processing time was acceptable—about 2 days to analyze all faces.
The search is also much faster. I can type "beach sunset" and actually get relevant results. Synology Photos tries, but Immich's CLIP-based search is in a different league.
What Didn't Work Initially
The mobile app kept failing to upload new photos when I was away from home. The issue turned out to be Cloudflare's free plan limiting upload sizes to 100MB. Videos larger than that would fail with an HTTP 413 error.
I tried increasing client_max_body_size in my nginx config, but that didn't help because the limit was on Cloudflare's side, not mine.
My solution: I created a separate DNS entry (photos-local.mydomain.org) that resolves to my internal IP when I'm home. The Immich app can use this for uploads when on my WiFi, bypassing Cloudflare entirely. For external access, I just disabled proxying in Cloudflare for the Immich subdomain, which removes the upload limit but also removes some of Cloudflare's protection.
Integrating with Active Backup
Active Backup for Business continues backing up my laptop to a separate folder on the NAS. I didn't want Immich to index those backups—they contain screenshots and random images that aren't personal photos.
The separation is simple: Active Backup stores in /backup, photos live in /photos. Immich only sees the photos mount.
One thing I learned: Active Backup's "mobile backup" feature uploads to the PhotoBackup folder inside your user's home directory on the NAS. If you want Immich to see those photos, you need to either:
- Point Active Backup to save in your main /photos folder instead
- Add the PhotoBackup folder as a second external library in Immich
I went with the second option because I wanted to keep Active Backup's default settings for easy recovery if needed.
Facial Recognition Tagging
Immich's facial recognition runs automatically after the initial library scan. It creates "people" clusters that you can then name.
The workflow I followed:
- Let Immich finish the initial face detection (took about 48 hours for my library)
- Go to the "People" section in Immich
- Review each cluster and assign names
- Merge duplicate clusters when Immich splits one person into multiple groups
The accuracy is good but not perfect. It occasionally splits one person into two clusters, especially if there are photos from very different time periods (childhood vs. adult photos). Merging is easy—just select the clusters and click merge.
One limitation: Immich doesn't automatically sync these face tags back to Synology Photos. The facial recognition data lives only in Immich's database. If you're using both systems, you'll have separate face tags in each.
Performance Notes
Face detection is CPU-intensive. My NUC (i5-8259U) handled it fine but ran warm during the initial processing. Ongoing detection for new photos is much lighter—usually processes within minutes of upload.
I didn't set up GPU acceleration because my NUC doesn't have a discrete GPU, and Intel's integrated graphics aren't well-supported for this workload. If you have an NVIDIA GPU, Immich can use it to speed things up significantly.
Reverse Proxy Configuration
I'm using SWAG (Secure Web Application Gateway) as my reverse proxy. The configuration for Immich is straightforward:
server {
listen 443 ssl;
server_name immich.mydomain.org;
include /config/nginx/ssl.conf;
client_max_body_size 50000M;
location / {
proxy_pass http://192.168.0.50:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
}
}
The large client_max_body_size is necessary for video uploads. Even with this set, remember that Cloudflare's proxying will still enforce their limits unless you disable it.
Security Considerations
I'm not using Immich's built-in authentication alone. SWAG is configured with fail2ban to block repeated login attempts. I also enabled two-factor authentication in Immich itself.
For Synology Photos, I kept it on a separate subdomain (photos.mydomain.org) with MFA enforced through Synology's account security. I chose OTP-based MFA rather than Synology's Secure Sign-in because the latter requires exposing DSM's admin interface, which I want to avoid.
The NAS itself is only accessible internally. The only external exposure is through SWAG, which proxies to specific services on specific ports.
Current Workflow
Here's how everything works together now:
- New photos from my phone upload to Immich when I'm home (via local DNS) or away (via Cloudflare without proxying)
- Immich indexes and runs facial recognition automatically
- Original files are stored on the Synology NAS
- Active Backup continues handling laptop backups separately
- Synology Photos still works for family members who prefer it
- I can search and browse photos through Immich's superior interface
The external library approach means I'm not duplicating 200GB of photos. Everything lives in one place on the NAS, but Immich provides the smart features on top.
Key Takeaways
Immich's facial recognition is genuinely better than Synology Photos, but it requires patience during initial setup. The external library feature works well for avoiding duplication, but you need to think through mount points and permissions carefully.
Cloudflare's upload limits are a real constraint on the free plan. If you're uploading large videos regularly, either pay for Cloudflare or disable proxying for that subdomain.
Running both Synology Photos and Immich isn't redundant—they serve different purposes. Photos is reliable and integrated with the NAS ecosystem. Immich is powerful and modern. I use both, just for different things.
The biggest surprise was how much CPU time facial recognition actually takes. It's not a quick process, especially on older hardware. Plan for it to run for days on a large library.
