Security: Change default site URLs to HTTP and add HTTPS init target

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-12 00:34:13 +01:00 · 2022-10-20 16:19:28 +02:00
parent 6e5187fd0c
commit a579620a2e
44 changed files with 184 additions and 105 deletions
--- a/2
+++ b/2
@@ -12,4 +12,4 @@ WORKDIR "/go/src/github.com/photoprism/photoprism"
 # Copy source to image.
 COPY . .
-COPY --chown=root:root /scripts/dist/* /scripts/
+COPY --chown=root:root /scripts/dist/ /scripts/
--- a/docker-compose.ci.yml
+++ b/docker-compose.ci.yml
@@ -18,7 +18,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "photoprism" # initial "admin" password (minimum 8 characters)
      PHOTOPRISM_AUTH_MODE: "public"          # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: "Open-Source Photo Management"
      PHOTOPRISM_SITE_AUTHOR: "@photoprism_app"
--- a/docker-compose.postgres.yml
+++ b/docker-compose.postgres.yml
@@ -27,7 +27,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "photoprism"        # initial "admin" password (minimum 8 characters)
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: "Open-Source Photo Management"
      PHOTOPRISM_SITE_AUTHOR: "@photoprism_app"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,6 +27,7 @@ services:
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.photoprism.loadbalancer.server.port=2342"
      - "traefik.http.services.photoprism.loadbalancer.server.scheme=https"
      - "traefik.http.routers.photoprism.entrypoints=websecure"
      - "traefik.http.routers.photoprism.rule=Host(`localssl.dev`, `app.localssl.dev`)"
      - "traefik.http.routers.photoprism.tls.domains[0].main=localssl.dev"
@@ -39,7 +40,7 @@ services:
      PHOTOPRISM_ADMIN_PASSWORD: "photoprism"        # initial "admin" password (minimum 8 characters)
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
      ## External development server URL incl http:// or https:// and /path, :port is optional
-      PHOTOPRISM_SITE_URL: "https://app.localssl.dev/"
+      PHOTOPRISM_SITE_URL: "https://photoprism.me:2342/"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: "Tags and finds pictures without getting in your way!"
      PHOTOPRISM_SITE_AUTHOR: "@photoprism_app"
@@ -85,7 +86,7 @@ services:
      PHOTOPRISM_OIDC_CLIENT_ID: "photoprism-develop"
      PHOTOPRISM_OIDC_CLIENT_SECRET: "9d8351a0-ca01-4556-9c37-85eb634869b9"
      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      PHOTOPRISM_INIT: "https tensorflow"
      ## Hardware Video Transcoding (optional):
      # PHOTOPRISM_FFMPEG_ENCODER: "nvidia"          # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry", "vaapi") Intel: "intel" for Broadwell or later and "vaapi" for Haswell or earlier
      # PHOTOPRISM_FFMPEG_ENCODER: "intel"           # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry", "vaapi") Intel: "intel" for Broadwell or later and "vaapi" for Haswell or earlier`
--- a/docker/develop/armv7/Dockerfile
+++ b/docker/develop/armv7/Dockerfile
@@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf
 # Update base image and add dependencies.
--- a/docker/develop/bookworm-slim/Dockerfile
+++ b/docker/develop/bookworm-slim/Dockerfile
@@ -33,7 +33,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bookworm/sources.list /etc/apt/sources.list.d/bookworm.list
 # Update base image and add dependencies.
--- a/docker/develop/bookworm/Dockerfile
+++ b/docker/develop/bookworm/Dockerfile
@@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bookworm/sources.list /etc/apt/sources.list.d/bookworm.list
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf
--- a/docker/develop/bullseye-slim/Dockerfile
+++ b/docker/develop/bullseye-slim/Dockerfile
@@ -33,7 +33,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bullseye/sources.list /etc/apt/sources.list.d/bullseye.list
 # install additional distribution packages
--- a/docker/develop/bullseye/Dockerfile
+++ b/docker/develop/bullseye/Dockerfile
@@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/bullseye/sources.list /etc/apt/sources.list.d/bullseye.list
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf
--- a/docker/develop/buster/Dockerfile
+++ b/docker/develop/buster/Dockerfile
@@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/buster/sources.list /etc/apt/sources.list.d/buster.list
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf
--- a/docker/develop/impish/Dockerfile
+++ b/docker/develop/impish/Dockerfile
@@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # copy scripts and debian backports sources list
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf
 # update image and install build dependencies
--- a/docker/develop/jammy-slim/Dockerfile
+++ b/docker/develop/jammy-slim/Dockerfile
@@ -33,7 +33,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 # Update base image and add dependencies.
 RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
@@ -43,7 +43,7 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
    echo 'APT::Get::Fix-Missing "true";' > /etc/apt/apt.conf.d/80fixmissing && \
    apt-get update && apt-get -qq upgrade && \
    apt-get -qq install \
-        libc6 ca-certificates sudo bash tzdata \
+        libc6 ca-certificates sudo bash tzdata avahi-utils \
        gpg zip unzip wget curl rsync make nano \
        jq lsof lshw sqlite3 mariadb-client imagemagick \
        exiftool rawtherapee librsvg2-bin \
--- a/docker/develop/jammy/Dockerfile
+++ b/docker/develop/jammy/Dockerfile
@@ -38,7 +38,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PROG="photoprism"
 # Copy scripts and package sources config.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /.my.cnf /etc/my.cnf
 # Update base image and add dependencies.
@@ -49,7 +49,7 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
    echo 'APT::Get::Fix-Missing "true";' > /etc/apt/apt.conf.d/80fixmissing && \
    apt-get update && apt-get -qq upgrade && \
    apt-get -qq install \
-        libc6 ca-certificates sudo bash tzdata \
+        libc6 ca-certificates sudo bash tzdata avahi-utils \
        gpg zip unzip wget curl rsync make nano \
        jq lsof lshw sqlite3 mariadb-client imagemagick \
        exiftool rawtherapee librsvg2-bin \
--- a/docker/examples/arm64/docker-compose.yml
+++ b/docker/examples/arm64/docker-compose.yml
@@ -62,7 +62,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "none"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_WORKERS: 2                          # limits the number of indexing workers to reduce system load
--- a/docker/examples/armv7/docker-compose.yml
+++ b/docker/examples/armv7/docker-compose.yml
@@ -57,7 +57,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "none"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_WORKERS: 1                          # Limits the number of indexing workers to reduce system load
--- a/docker/examples/docker-compose.yml
+++ b/docker/examples/docker-compose.yml
@@ -54,7 +54,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@@ -80,8 +80,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Hardware Video Transcoding (for sponsors only due to high maintenance and support costs):
      # PHOTOPRISM_FFMPEG_ENCODER: "software"        # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry")
      # PHOTOPRISM_FFMPEG_BITRATE: "32"              # FFmpeg encoding bitrate limit in Mbit/s (default: 50)
--- a/docker/examples/macos/docker-compose.yml
+++ b/docker/examples/macos/docker-compose.yml
@@ -51,7 +51,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@@ -76,8 +76,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
    ## Storage Folders: "~" is a shortcut for your home directory, "." for the current directory
    volumes:
      # "/host/folder:/photoprism/folder"                # Example
--- a/docker/examples/scheduler/docker-compose.yml
+++ b/docker/examples/scheduler/docker-compose.yml
@@ -56,7 +56,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@@ -82,8 +82,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
      # PHOTOPRISM_UID: 1000
      # PHOTOPRISM_GID: 1000
--- a/docker/examples/sqlite/docker-compose.yml
+++ b/docker/examples/sqlite/docker-compose.yml
@@ -54,7 +54,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_LOG_LEVEL: "info"                   # log level: trace, debug, info, warning, error, fatal, or panic
@@ -75,8 +75,8 @@ services:
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: ""                # meta site description
      PHOTOPRISM_SITE_AUTHOR: ""                     # meta site author
-      ## Run/install on first startup (options: update gpu tensorflow davfs clitools clean):
+      ## Run/install on first startup (options: update https gpu tensorflow davfs clitools clean):
-      # PHOTOPRISM_INIT: "gpu tensorflow"
+      # PHOTOPRISM_INIT: "https gpu tensorflow"
      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
      # PHOTOPRISM_UID: 1000
      # PHOTOPRISM_GID: 1000
--- a/docker/examples/windows/docker-compose.yml
+++ b/docker/examples/windows/docker-compose.yml
@@ -56,7 +56,7 @@ services:
    environment:
      PHOTOPRISM_ADMIN_PASSWORD: "insecure"          # INITIAL PASSWORD FOR "admin" USER, MINIMUM 8 CHARACTERS
      PHOTOPRISM_AUTH_MODE: "password"               # authentication mode (public, password)
-      PHOTOPRISM_SITE_URL: "https://photoprism.local:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
+      PHOTOPRISM_SITE_URL: "http://photoprism.me:2342/"  # public server URL incl http:// or https:// and /path, :port is optional
      PHOTOPRISM_ORIGINALS_LIMIT: 5000               # file size limit for originals in MB (increase for high-res video)
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"            # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_DEBUG: "false"                      # run in debug mode, shows additional log messages
--- a/docker/photoprism/armv7/Dockerfile
+++ b/docker/photoprism/armv7/Dockerfile
@@ -59,7 +59,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@@ -93,7 +93,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
 # Copy dist files, scripts, and debian backports sources list.
 COPY --from=build --chown=root:root --chmod=755 /opt/photoprism/ /opt/photoprism
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 # Update base image and add dependencies.
 RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
--- a/docker/photoprism/bookworm/Dockerfile
+++ b/docker/photoprism/bookworm/Dockerfile
@@ -56,7 +56,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@@ -89,7 +89,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_AUTO_IMPORT=300
 # Copy scripts.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 # Update pre-installed packages.
 RUN apt-get update && \
--- a/docker/photoprism/bullseye/Dockerfile
+++ b/docker/photoprism/bullseye/Dockerfile
@@ -56,7 +56,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@@ -89,7 +89,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_AUTO_IMPORT=300
 # Copy scripts.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 # Update pre-installed packages.
 RUN apt-get update && \
--- a/docker/photoprism/buster/Dockerfile
+++ b/docker/photoprism/buster/Dockerfile
@@ -59,7 +59,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@@ -93,7 +93,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
 # Copy dist files, scripts, and debian backports sources list.
 COPY --from=build --chown=root:root --chmod=755 /opt/photoprism/ /opt/photoprism
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 COPY --chown=root:root --chmod=644 /docker/develop/buster/sources.list /etc/apt/sources.list.d/buster.list
 # Update base image and add dependencies.
--- a/docker/photoprism/impish/Dockerfile
+++ b/docker/photoprism/impish/Dockerfile
@@ -59,7 +59,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@@ -93,7 +93,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
 # Copy dist files and scripts.
 COPY --from=build --chown=root:root --chmod=755 /opt/photoprism/ /opt/photoprism
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 # Update base image and add dependencies.
 RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
--- a/docker/photoprism/jammy/Dockerfile
+++ b/docker/photoprism/jammy/Dockerfile
@@ -57,7 +57,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_UPLOAD_NSFW="true" \
    PHOTOPRISM_DETECT_NSFW="false" \
    PHOTOPRISM_EXPERIMENTAL="false" \
-    PHOTOPRISM_SITE_URL="https://photoprism.local:2342/" \
+    PHOTOPRISM_SITE_URL="http://photoprism.me:2342/" \
    PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App" \
    PHOTOPRISM_SITE_DESCRIPTION="" \
    PHOTOPRISM_SITE_AUTHOR="" \
@@ -90,7 +90,7 @@ ENV PHOTOPRISM_ARCH=$TARGETARCH \
    PHOTOPRISM_AUTO_IMPORT=300
 # Copy scripts.
-COPY --chown=root:root --chmod=755 /scripts/dist/* /scripts/
+COPY --chown=root:root --chmod=755 /scripts/dist/ /scripts/
 # Update pre-installed packages.
 RUN apt-get update && \
--- a/frontend/tests/unit/config.js
+++ b/frontend/tests/unit/config.js
@@ -8,8 +8,8 @@ const clientConfig = {
  staticUri: "/static",
  apiUri: "/api/v1",
  contentUri: "/api/v1",
-  siteUrl: "https://photoprism.local:2342/",
+  siteUrl: "http://photoprism.me:2342/",
-  sitePreview: "https://photoprism.local:2342/static/img/preview.jpg",
+  sitePreview: "http://photoprism.me:2342/static/img/preview.jpg",
  siteTitle: "PhotoPrism",
  siteCaption: "AI-Powered Photos App",
  siteDescription: "Open-Source Photo Management",
--- a/frontend/tests/unit/model/link_test.js
+++ b/frontend/tests/unit/model/link_test.js
@@ -19,11 +19,11 @@ describe("model/link", () => {
    const values = { UID: 5, Token: "1234hhtbbt", Slug: "friends", ShareUID: "family" };
    const link = new Link(values);
    const result = link.url();
-    assert.equal(result, "https://photoprism.local:2342/s/1234hhtbbt/friends");
+    assert.equal(result, "http://photoprism.me:2342/s/1234hhtbbt/friends");
    const values2 = { UID: 5, Token: "", ShareUID: "family" };
    const link2 = new Link(values2);
    const result2 = link2.url();
-    assert.equal(result2, "https://photoprism.local:2342/s/…/family");
+    assert.equal(result2, "http://photoprism.me:2342/s/…/family");
  });
  it("should get link caption", () => {
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -382,10 +382,10 @@ func (c *Config) StaticUri() string {
 	return c.CdnUrl(c.BaseUri(StaticUri))
 }
-// SiteUrl returns the public server URL (default is "https://photoprism.local:2342/").
+// SiteUrl returns the public server URL (default is "http://photoprism.me:2342/").
 func (c *Config) SiteUrl() string {
 	if c.options.SiteUrl == "" {
-		return "https://photoprism.local:2342/"
+		return "http://photoprism.me:2342/"
 	}
 	return strings.TrimRight(c.options.SiteUrl, "/") + "/"
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -433,7 +433,7 @@ func TestConfig_ContentUri(t *testing.T) {
 func TestConfig_SiteUrl(t *testing.T) {
 	c := NewConfig(CliTestContext())
-	assert.Equal(t, "https://photoprism.local:2342/", c.SiteUrl())
+	assert.Equal(t, "http://photoprism.me:2342/", c.SiteUrl())
 	c.options.SiteUrl = "http://superhost:2342/"
 	assert.Equal(t, "http://superhost:2342/", c.SiteUrl())
 	c.options.SiteUrl = "http://superhost"
@@ -443,20 +443,20 @@ func TestConfig_SiteUrl(t *testing.T) {
 func TestConfig_SiteDomain(t *testing.T) {
 	c := NewConfig(CliTestContext())
-	assert.Equal(t, "photoprism.local", c.SiteDomain())
+	assert.Equal(t, "photoprism.me", c.SiteDomain())
 	c.options.SiteUrl = "https://foo.bar.com:2342/"
 	assert.Equal(t, "foo.bar.com", c.SiteDomain())
 	c.options.SiteUrl = ""
-	assert.Equal(t, "photoprism.local", c.SiteDomain())
+	assert.Equal(t, "photoprism.me", c.SiteDomain())
 }
 func TestConfig_SitePreview(t *testing.T) {
 	c := NewConfig(CliTestContext())
-	assert.Equal(t, "https://photoprism.local:2342/static/img/preview.jpg", c.SitePreview())
+	assert.Equal(t, "http://photoprism.me:2342/static/img/preview.jpg", c.SitePreview())
 	c.options.SitePreview = "http://preview.jpg"
 	assert.Equal(t, "http://preview.jpg", c.SitePreview())
 	c.options.SitePreview = "preview123.jpg"
-	assert.Equal(t, "https://photoprism.local:2342/preview123.jpg", c.SitePreview())
+	assert.Equal(t, "http://photoprism.me:2342/preview123.jpg", c.SitePreview())
 }
 func TestConfig_SiteTitle(t *testing.T) {
--- a/internal/config/config_tls.go
+++ b/internal/config/config_tls.go
@@ -31,9 +31,11 @@ func (c *Config) TLSCert() string {
 		return certName
 	}
-	// Find and return public certificate.
+	// Try to find server certificate.
 	if fileName := filepath.Join(c.CertificatesPath(), certName); fs.FileExistsNotEmpty(fileName) {
 		return fileName
 	} else if fileName = filepath.Join("/etc/ssl/certs", certName); fs.FileExistsNotEmpty(fileName) {
 		return fileName
 	}
 	return ""
@@ -49,9 +51,11 @@ func (c *Config) TLSKey() string {
 		return keyName
 	}
-	// Find and return private key.
+	// Try to find private key.
 	if fileName := filepath.Join(c.CertificatesPath(), keyName); fs.FileExistsNotEmpty(fileName) {
 		return fileName
 	} else if fileName = filepath.Join("/etc/ssl/private", keyName); fs.FileExistsNotEmpty(fileName) {
 		return fileName
 	}
 	return ""
--- a/internal/config/flags.go
+++ b/internal/config/flags.go
@@ -360,7 +360,7 @@ var Flags = CliFlags{
 		Flag: cli.StringFlag{
 			Name:   "site-url, url",
 			Usage:  "public site `URL`",
-			Value:  "https://photoprism.local:2342/",
+			Value:  "http://photoprism.me:2342/",
 			EnvVar: "PHOTOPRISM_SITE_URL",
 		}}, {
 		Flag: cli.StringFlag{
--- a/scripts/dist/Makefile
+++ b/scripts/dist/Makefile
@@ -18,6 +18,8 @@ clean:
 	/usr/bin/apt-get -y autoremove
 	/usr/bin/apt-get -y autoclean
 	/bin/rm -rf /var/lib/apt/lists/*
 https:
 	/scripts/install-https.sh
 gpu:
 	/scripts/install-gpu.sh
 tensorflow:
--- a/scripts/dist/create-users.sh
+++ b/scripts/dist/create-users.sh
@@ -21,6 +21,8 @@ groupadd -f -r -g 109 renderd 1>&2
 echo "✅ added group renderd (109)"
 groupadd -f -r -g 115 render 1>&2
 echo "✅ added group render (115)"
 groupadd -f -r -g 116 ssl-cert 1>&2
 echo "✅ added group ssl-cert (116)"
 # create group 'videodriver'
 groupdel -f 937 >/dev/null 2>&1
@@ -33,17 +35,17 @@ groupadd -f -g 1000 photoprism 1>&2
 echo "✅ added group photoprism (1000)"
 # add existing www-data user to groups
-usermod -a -G photoprism,video,davfs2,renderd,render,videodriver www-data
+usermod -a -G photoprism,video,davfs2,renderd,render,ssl-cert,videodriver www-data
 # create user 'videodriver'
 userdel -r -f videodriver >/dev/null 2>&1
-useradd -u 937 -r -N -g 937 -G photoprism,www-data,video,davfs2,renderd,render -s /bin/bash -m -d "/home/videodriver" videodriver
+useradd -u 937 -r -N -g 937 -G photoprism,www-data,video,davfs2,renderd,render,ssl-cert -s /bin/bash -m -d "/home/videodriver" videodriver
 echo "✅ added user videodriver (937)"
 # create user 'photoprism'
 userdel -r -f photoprism >/dev/null 2>&1
 userdel -r -f 1000 >/dev/null 2>&1
-useradd -u 1000 -N -g 1000 -G www-data,video,davfs2,renderd,render,videodriver -s /bin/bash -m -d "/home/photoprism" photoprism
+useradd -u 1000 -N -g 1000 -G www-data,video,davfs2,renderd,render,ssl-cert,videodriver -s /bin/bash -m -d "/home/photoprism" photoprism
 echo "✅ added user photoprism (1000)"
 add_user()
@@ -51,7 +53,7 @@ add_user()
  userdel -r -f "user-$1" >/dev/null 2>&1
  groupdel -f "group-$1" >/dev/null 2>&1
  groupadd -f -g "$1" "group-$1"
-  useradd -u "$1" -g "$1" -G photoprism,www-data,video,davfs2,renderd,render,videodriver -s /bin/bash -m -d "/home/user-$1" "user-$1" 2>/dev/null
+  useradd -u "$1" -g "$1" -G photoprism,www-data,video,davfs2,renderd,render,ssl-cert,videodriver -s /bin/bash -m -d "/home/user-$1" "user-$1" 2>/dev/null
  printf "."
 }
--- a/scripts/dist/entrypoint-init.sh
+++ b/scripts/dist/entrypoint-init.sh
@@ -26,6 +26,8 @@ case $DOCKER_ENV in
    INIT_SCRIPTS="/scripts"
    CHOWN_DIRS=("/photoprism" "/opt/photoprism" "/go" "/tmp/photoprism")
    CHMOD_DIRS=("/opt/photoprism" "/tmp/photoprism")
    # Create test TLS certificates.
    ./scripts/openssl/create-all.sh
    ;;
  *)
--- a/scripts/dist/install-https.sh
+++ b/scripts/dist/install-https.sh
@@ -0,0 +1,76 @@
 #!/usr/bin/env bash
 # Generates local HTTPS keys and certificates on Linux.
 # bash <(curl -s https://raw.githubusercontent.com/photoprism/photoprism/develop/scripts/dist/install-https.sh)
 PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/scripts:$PATH"
 # Abort if not executed as root.
 if [[ $(id -u) != "0" ]]; then
  echo "Usage: run ${0##*/} as root" 1>&2
  exit 1
 fi
 # shellcheck disable=SC2164
 CONF_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )/openssl"
 CERTS_PATH="/etc/ssl/certs"
 KEY_PATH="/etc/ssl/private"
 # Check if keys and certificates already exist.
 if [ -f "$CERTS_PATH/photoprism.local.issuer.crt" ] && [ -f "$KEY_PATH/photoprism.local.pfx" ] && [ -f "$KEY_PATH/photoprism.me.pfx" ]; then
    echo "Keys and certificates for photoprism.local already exist in ${KEY_PATH} and ${CERTS_PATH}."
    exit 0
 fi
 echo "Creating local HTTPS keys and certificates in ${KEY_PATH} and ${CERTS_PATH}."
 mkdir -p "${CERTS_PATH}" "${KEY_PATH}"
 groupadd -f -r -g 116 ssl-cert 1>&2
 # Generate issuer (CA) certificate.
 echo "Generating issuer (CA) certificate..."
 openssl genrsa -out "$KEY_PATH/photoprism.local.issuer.key" 4096
 openssl req -x509 -new -nodes -key "$KEY_PATH/photoprism.local.issuer.key" -sha256 -days 365 -out "$CERTS_PATH/photoprism.local.issuer.pem" -passin pass: -passout pass: -config "$CONF_PATH/ca.conf"
 openssl x509 -outform der -in "$CERTS_PATH/photoprism.local.issuer.pem" -out "$CERTS_PATH/photoprism.local.issuer.crt"
 # Generate server certificates.
 echo "Generating certificate for photoprism.local..."
 openssl genrsa -out "$KEY_PATH/photoprism.local.key" 4096
 openssl req -new -config "$CONF_PATH/local-csr.conf" -key "$KEY_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.csr"
 openssl x509 -req -in "$CERTS_PATH/photoprism.local.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$KEY_PATH/photoprism.local.issuer.key" -CAcreateserial \
 -out "$CERTS_PATH/photoprism.local.crt" -days 365 -sha256 -extfile "$CONF_PATH/local.conf"
 openssl pkcs12 -export -in "$CERTS_PATH/photoprism.local.crt" -inkey "$KEY_PATH/photoprism.local.key" -out "$KEY_PATH/photoprism.local.pfx" -passin pass: -passout pass:
 echo "Generating certificate for photoprism.me..."
 openssl genrsa -out "$KEY_PATH/photoprism.me.key" 4096
 openssl req -new -config "$CONF_PATH/me-csr.conf" -key "$KEY_PATH/photoprism.me.key" -out "$CERTS_PATH/photoprism.me.csr"
 openssl x509 -req -in "$CERTS_PATH/photoprism.me.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$KEY_PATH/photoprism.local.issuer.key" -CAcreateserial \
 -out "$CERTS_PATH/photoprism.me.crt" -days 365 -sha256 -extfile "$CONF_PATH/me.conf"
 openssl pkcs12 -export -in "$CERTS_PATH/photoprism.me.crt" -inkey "$KEY_PATH/photoprism.me.key" -out "$KEY_PATH/photoprism.me.pfx" -passin pass: -passout pass:
 # Change key permissions.
 echo "Updating permissions of keys in '$KEY_PATH'..."
 chown -R root:ssl-cert "$KEY_PATH"
 chmod -R u=rwX,g=rX,o-rwx "$KEY_PATH"
 # Run "update-ca-certificates".
 echo "Running 'update-ca-certificates'..."
 update-ca-certificates
 echo "Done."
--- a/scripts/dist/openssl/ca.conf
+++ b/scripts/dist/openssl/ca.conf
@@ -8,6 +8,7 @@ prompt = no
 C = DE
 ST = Berlin
 L = Berlin
-O = Self-Signed
+O = Local HTTPS
 OU = Self-Hosted
 emailAddress = hello@photoprism.local
 CN = photoprism.local
--- a/scripts/dist/openssl/local-csr.conf
+++ b/scripts/dist/openssl/local-csr.conf
@@ -10,7 +10,7 @@ C = DE
 ST = Berlin
 L = Berlin
 O = PhotoPrism
-OU = Local
+OU = Self-Hosted
 emailAddress = hello@photoprism.local
 CN = photoprism.local
--- a/scripts/dist/openssl/local.conf
+++ b/scripts/dist/openssl/local.conf
--- a/scripts/dist/openssl/me-csr.conf
+++ b/scripts/dist/openssl/me-csr.conf
@@ -0,0 +1,25 @@
 [req]
 default_bits = 4096
 prompt = no
 default_md = sha256
 x509_extensions = v3_req
 distinguished_name = dn
 [dn]
 C = DE
 ST = Berlin
 L = Berlin
 O = PhotoPrism
 OU = Self-Hosted
 emailAddress = hello@photoprism.local
 CN = photoprism.me
 [v3_req]
 subjectAltName = @alt_names
 [SAN]
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = *.photoprism.me
 DNS.2 = photoprism.me
--- a/scripts/dist/openssl/me.conf
+++ b/scripts/dist/openssl/me.conf
@@ -0,0 +1,8 @@
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = *.photoprism.me
 DNS.2 = photoprism.me
--- a/scripts/openssl/create-all.sh
+++ b/scripts/openssl/create-all.sh
@@ -1,6 +0,0 @@
 #!/usr/bin/env bash
 SCRIPT_DIR=$(dirname "$0")
 "$SCRIPT_DIR/create-ca.sh"
 "$SCRIPT_DIR/create-certs.sh"
--- a/scripts/openssl/create-ca.sh
+++ b/scripts/openssl/create-ca.sh
@@ -1,20 +0,0 @@
 #!/usr/bin/env bash
 # To add this certificate to your list of trusted issuers:
 # sudo cp storage/config/certificates/photoprism.local.issuer.crt /usr/local/share/ca-certificates/photoprism.local.issuer.crt
 # sudo update-ca-certificates
 # shellcheck disable=SC2164
 SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
 echo "OpenSSL Scripts: ${SCRIPT_PATH}"
 echo "HTTPS Cert Path: ${CERTS_PATH}"
 mkdir -p "${CERTS_PATH}"
 openssl genrsa -out "$CERTS_PATH/photoprism.local.issuer.key" 4096
 openssl req -x509 -new -nodes -key "$CERTS_PATH/photoprism.local.issuer.key" -sha256 -days 365 -out "$CERTS_PATH/photoprism.local.issuer.pem" -passin pass: -passout pass: -config "$SCRIPT_PATH/ca.conf"
 openssl x509 -outform der -in "$CERTS_PATH/photoprism.local.issuer.pem" -out "$CERTS_PATH/photoprism.local.issuer.crt"
--- a/scripts/openssl/create-certs.sh
+++ b/scripts/openssl/create-certs.sh
@@ -1,16 +0,0 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC2164
 SCRIPT_PATH="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
 CERTS_PATH="${SCRIPT_PATH}/../../storage/config/certificates"
 mkdir -p "${CERTS_PATH}"
 openssl genrsa -out "$CERTS_PATH/photoprism.local.key" 4096
 openssl req -new -config "$SCRIPT_PATH/openssl.conf" -key "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.csr"
 openssl x509 -req -in "$CERTS_PATH/photoprism.local.csr" -CA "$CERTS_PATH/photoprism.local.issuer.pem" -CAkey "$CERTS_PATH/photoprism.local.issuer.key" -CAcreateserial \
 -out "$CERTS_PATH/photoprism.local.crt" -days 365 -sha256 -extfile "$SCRIPT_PATH/local.conf"
 openssl pkcs12 -export -in "$CERTS_PATH/photoprism.local.crt" -inkey "$CERTS_PATH/photoprism.local.key" -out "$CERTS_PATH/photoprism.local.pfx" -passin pass: -passout pass: