I’ve recently moved from tailscale to wg-easy and port forward the port of the WireGuard vpn. I have allowed IPs set to only the local IP of the machine that is running my Immich and Nextcloud instances so that all other traffic doesn’t go through my home network. Is this fine from a security perspective? + WireGuard clients set to connect on demand on all networks other than the home network.
#Exposing Immich to the internet
sure, you don't even expose your immich and use a secure vpn...
Is wg running on the same machine as the Immich and next cloud instances?
Yes…
I mean I don't port forward any of the Immich stuff and to add clients it requires a config/qrcode per client
No dashboards exposed through a port, just the vpn
Yes, I understood that
Oh, I think there was a misunderstanding. Were you saying it was okay?
I'd probably just put the wg-easy in the same docker network so you don't have to worry about whitelisting IPs
Yes
I reverse proxy immich atm so I can send links to friends and family, but when they don't use it that often, I would also stick to vpn.
i use my reverse proxy for other things anyhow so I just expose immich as well...
though I don't use immich with all its features yet because there are a few things I am missing still 🙂
need to be able to move my wife away from google photos
I am able to upload 1GB+ from mobile with no problem using a free cloudflare tunnel account; the problem you mention should occur if you use the upload through the browser interface.
Yeah with mobile it works
But not with web and I need it so friends can add their assets
ohh? was chunked upload added to the mobile app?
ok, so no but it still works now 😛
never noticed cause I mostly use an external library for now and just expose my reverse proxy
A great strategy is to expose Immich running in docker compose using traefik reverse proxy and protecting it with authelia. then to use the mobile app you can enroll your devices into tailscale and access the immich instance directly using the tailscale IP address or DNS name, bypassing the traefik and authelia layer for the public
not really, you still expose authelia that way... it is probably just as likely to have a bug
Yes but of course everything can have bugs - which just ends up being the only answer to "Exposing Immich to the Internet" just be "no" and "no" and "no"
I think it is fine at one point to have some convenience and "I trust it enough" to expose immich and some other self-hosted software on the internet.
Personally for me, Nextcloud AIO and Caddy is what I trust most exposing to internet, and whatever else, less and less. Won't stop me exposing them though.
don't get me wrong, I expose plenty, including immich and a lot of other software people would be shocked to know to be exposed to the internet...
I completely agree to this "at one point to have some convenience and "I trust it enough" to expose immich and some other self-hosted software on the internet."
All I am saying is that yes, there is a risk... that risk is still there if you put authelia in front of it (most software had bugs which allow things like complete bypass or root access at one point).
You need to be aware, not be stupid, do some research to set up your environment to some best practices, keep software up to date and watch out for high risk CVEs on software you use.
Having the low hanging fruit removed for drive-by hacks, it is more than unlikely for something like a homelab to be "hacked", threat actors invest their resources into high value targets or large groups which combined offer a high value... they will not spend the time to bother to access the photos of some family to extort a few k$
I tend to agree to VPN only access for those that don't even need more than that, have little deep technical knowledge and don't enjoy spending the time to secure your setup just for the fun of it though.
@hidden lagoon basically what I meant is that: No, I don't think it is a great strategy to expose immich with traefik and authelia (authelia being "in front of it" and therefore not even the login via app is possible) and use a vpn for all other access...
I think in that case you might as well just expose immich and use authelia as Oauth source for 2FA
I see what you mean. Yea, might as well just use that as OAuth instead of going the long way for nothing. Agree.
I personally use Authentik and hw security keys for log in. Technically I am trying to only expose service that I both need, and also can take advantage of Oauth.
I also use Authentik, I never tried authelia.
I expose services I need (which includes a remote desktop for emails and access to files, etc., it has read-only access to my data) and stuff I am just trying out or deliberately only want accessed inside the network, I only allow my network to access it and don't use a public dns entry.
I also restrict access from countries I know I have no contact with (and therefore do not need to be sharing files with), knowing this does not protect me from anything but it keeps my access logs a bit more sane.
I also log scanning or exploitation attempts and put those IPs on a permanent block list (kind of like fail2ban or crowdsec but a bit more professional)
I don't really see a huge risk in exposing those services, there is a risk and I do tell everyone that there is a risk and people need to evaluate it for themselves.
I do see a big risk in people setting it up for the first time, not knowing how to properly configure it... misconfigurations leading to larger security risks (e.g. misconfiguring the reverse proxy or port forwarding everything to the host running the reverse proxy which then runs ssh and other containers you are not aware of to be exposed).
For me the reason I trust tailscale slightly more is due to its auto update feature. If a CVE pops up in tailscale a rapid update usually can be pushed without much user intervention to fix it. In Immich's case you can't auto update it due to risks of breaking it as it's in alpha/beta
although I suppose the flipside is if one of tailscale's control servers gets pwned they could push a malicious client update, which would be bad since tailscale on linux usually requires root
although compromising updates kinda is an equal threat regardless of client (immich rogue update = photos compromised, ubuntu rogue update = photos compromised) going back to your trust argument
auto-updates might patch a bug but they would still be happening... either way, it is unlikely someone will bother to "hack" your tailscale...
if immich or anything else... for "private" people, targeted attacks are unlikely, drive-by attacks maybe but then if you update(e.g. update notifier and then manual update) your containers regularly and do some basic protection, you will be pretty safe...
you will never be 100% safe
This. I use crowdsec on top of my nginx. And set certain restrictions on my services or websites, like amount of requests. But you are never truly safe, so I keep most of my applications local only and use tailscale to access it.
I have a domain, use Cloudflare to expose it. Instead of nginx, I use Cosmos Cloud which is much much easier. Also has authentication if I want to add it, but it doesn't work well with Immich so I just expose Immich directly. Cloudflare has a firewall mechanism where you can block countries, bots and such, it's pretty good
yea, I heard cloudflare is a nice option for homelabs to add some security...
I personally don't use it
I don't know Cosmos Cloud but if it just proxies immich, that will not work for the app... if you use Oauth (apparently cosmos cloud supports this), you might be able to use that instead to get 2FA
are there any security concerns with exposing to the internet? Right now I have it all accessible via my internal network, then any device I use is connected via tailscale... but then I can't create shared links sharable to anyone. Is it ok to expose to the world?
that is your decision, there are security concerns with any application but you have to weigh the risks yourself
just read a bit in this thread here
Just my 2 cents, I'm using netbird (very similar to tailscale in terms of functionality) and I love to have the possibility to give friends quick access to some of my services via enabling their device through netbird/tailscale gui
Makes it nice and easy to let them share their photos of a trip or whatever to my albums
that's nice and easy for you? that others need to install another app? 😛
must have good friends
I have to use 5-6 messaging applications because I can't get all my friends to use the same one
the messenger apps with like one person on it get neglected and I tend to not even see their messages
e.g. signal keeps changing security stuff so I would have to adjust things on my firewall... I simply don't notice and don't care and then don't receive any messages 😄
that's why ideally everyone uses it 😄
but I also understand...
hence why I have a bunch
I only use WhatsApp, too few people use the rest
Easier than asking them to give me a USB stick with all photos, yes :)
I mean, I'm traveling with them, so I would assume they are good friends
All of them huge IT nerds like me, so installing an app for that kind of stuff is easier ahah
Hey. How do you manage exposing immich if you want it to attach to domain but doesn't have ability to open ports? I'm currently using cloudflare tunnel but it's painfully slow and oftentimes it just disconnects and the server isn't available for several seconds.
why wouldn't you have the ability to open ports?
but yea, basically you cannot, only with something like cloudflare tunnels which seem to be unreliable for you (most likely a problem on your side)
I have IPv6 from my provider and so it doesn't provide a way to open ports
cloudflare tunnels were fine for long time (like a year) and then suddenly it started disconnecting and just being slow
no changes were made whatsoever
So i blame cloudflare bottlenecking their services on free tier
What?
And? How does that prevent you from opening a port?
when I open the port, can't connect to it
"opening a port" means updating your firewall rules
Port mapping which you have to use for ipv4 doesn't apply and generally isn't the thing that's preventing others from accessing stuff
IPv6 supports port forwarding. The DNS records which point to the IP address just need to have the IPv6 value. Then, as Daniel notes, port forward 443 on the router/firewall.
With v6 it's quite likely your devices have public ips though
At which point port forwarding is somewhat irrelevant
That is a fair point.
even if I somehow could do that, ipv4 client can't connect to ipv6 so it's useless for most of the clients on the internet anyway
Most of the clients nowadays use ipv6 tbh
none of the "clients" - mostly family members - have ipv6
Ok, alternatively you could proxy the traffic through a cheap VM somewhere
yeah. I mentioned I want it to be free
even the cheap VMs from hetzner are like 2€/m with pretty limited bandwidth
Oracle has free VMs
Oracle offers free VPSes in some regions. I have 4 free VPS in the US.
with unlimited bandwidth?
Sufficient for sure
The bandwidth is generous. I don't recall the exact value.
10TB?
Might not be the exact issue you have. But this reddit post helps me figure out the solution. It has been rock solid for the past year. Absolutely no disconnects.
https://www.reddit.com/r/CloudFlare/s/xLt5usGhct
The solution:
You can add a new environment variable to your docker compose:
TUNNEL_TRANSPORT_PROTOCOL and set it to http2.
I've gone with a cloudflare setup, with caddy running on a Raspberry Pi Zero w2 which assists with the reverse proxy.
It was fairly easy to setup and super low power. I could have caddy on the same server as Immich but I use reverse proxy for other devices and having that always up and independent is for peace of mind
👍 how do you use cloudflare if you use a reverse proxy already?
Thank you for helpful thread. However, i wasn't able to fix it that way. I added the env variable to the Cloudflared container and re-ran it but unfortunately, nothing really changed.
and it keeps spamming these messages. Alex told me it's not an important message and I can ignore it
after it lags and begins to be unresponsive, I just simply reload the page and the logs look like this:
so it definitely disconnects and reconnects the session
after scrolling the timeline a bit, it lags again:
after a while, the thumbnails finally load and if I want to watch the video, it plays after the loading
note that if I load it locally via IP and port, it runs buttery smooth without any trouble whatsoever. Maybe bad domain settings?
it would be awesome to find someone who runs exactly the same setup (via cloudflare tunnel) as me
@shadow hill
I have a cloudflare tunnel set up.
How are you deploying your tunnel?
I have best results deploying a dedicated micro PC such as PI or small gigabyte machine at every site. I deploy my VPN and Cloudflare tunnel services on it. I've found that running a VM can work. But is not always the best. Depending on NIC assigned to VM of course. If you have dedicated ports I would use those in case of VM for tunnel. I have much better tunnel performance and VPN performance this way. My whole network above the immich server is currently limited to 5 Mbps up on a good day.
My photos load in an acceptable rate. Videos have no issues loading ahead of the play head and seeking works decently well.
Immich server details:
Immich version v1.99.0. Deployed with docker using docker-compose
6G memory
6 Cores
proxmox VM
VM is responsible for other loads in addition to immich.
Tunnel Server:
dedicated micro pc for cloudflare tunnel. I've used many but my preferred is a PI with a POE hat on a POE switch with management. 🙂
It also goes without saying a good old restart on your tunnel deployment is often helpful. Sometimes I forget to manage my tunnel instances.
I don't believe the issue lies here. Cloudflare's free tier works perfectly fine for me. In my lab setup, I'm running 17 services through a single tunnel. One of these services can handle multiple 1080p streams and various other tasks. My main challenge seems to be with the upload speed provided by my ISP rather than the tunnel itself. When the lab was deployed with a 1 Gbps upload speed, I encountered no issues. However, with the current 5 Mbps upload speed, I sometimes experience buffering with 1080p streams, though the service remains remarkably stable.
In the past, I've relied heavily on Cloudflare tunnels while traveling with a mobile lab across the country. Dealing with varied internet connections, including CGNAT, unsecured networks, Wi-Fi, etc., Cloudflare tunnels proved to be invaluable. My setup consisted of a travel router at the forefront, with a Raspberry Pi running the Cloudflare tunnel, VPN services, and a media stack, connected to three HDDs via USB. Despite its makeshift nature, this setup allowed me to efficiently produce and host media for multiple users with minimal issues, all while utilizing Cloudflare's free domain connection.
It's worth mentioning that the above experiences don't apply to "immich" server, which performs exceptionally well on the 5 Mbps upload speed. I've never tested it on a better connection. Personally, I use Photoprism for my drone footage and Immich for my phone and camera footage, both of which deliver good performance even on unreliable internet connections.
Regarding your Cloudflare tunnel setup, I'm curious to know how you're hosting it and when was the last time you updated it. If you're encountering significant issues, it might be worth considering starting afresh by deploying a new Cloudflare instance, as they are relatively easy to set up.
Friendly reminder that streaming video over Cloudflare tunnels is against their terms of service and can get your account disabled.
Thank you for your share. Honestly, I don't have space to run another dedicated PC for such job. I decided to go with EC2 instance in AWS cloud and netmaker. I'm currently troubleshooting exposing the services beside netmaker on the instance and then it should be finally done.
That is one way to do it. Sounds like you got it in hand. Good luck.
Interesting experience. I can approve it as I didn't have any issues whatsoever for long time. However at some point of time (I can't remember exact time frame), it just started to have these issues I described. I can't recall if it was caused by change in setup as my parents changed ISP back and forth multiple times for multiple reasons (which I've been mad about but that's a different story). I'm not exactly friends with cloudflare as no one knows if CF can or can't read your traffic (so your private photos / videos in terms of Immich) so that's something I've been insecure about for long time. So that's another reason I wanted to ditch cloudflare. I wouldn't mind if the issue would be solvable really easily and quickly but I don't want to dig deep into the issue, troubleshoot it all the way from the source to the destination along the route.
I just use rathole without any port forwarding to get my port on the internet and then I use caddy to connect the port to my domain
As far as I know, they changed the TOS so now it's somehow allowed if you disable caching:
But it doesn't seem 100% clear
I am using traefik with no problem for all my services but I cannot get it to work with immich.
Can someone give me some light on how to troubleshoot this problem?
I get this error, log from traefik container
I was using the wrong port number, sorry for the spam
For those not using a VPN how do you secure your instance when exposing to net
Also how do you guys deal with critical security fixes
Under /api only expose endpoints that are actually needed. I disable image delete endpoint, admin, and user add/remove, and creating API keys
For the web UI I had it to require client certificates (I since took it down since nobody in my family uses the web UI)
Put it all behind some firewall, proxy.
mine is public and exposed but i use oauth to authentik
mine is public as well
I try to harden the system, harden the nginx reverse proxy, harden docker a bit, separate networks, use a firewall with ips and zeroday protection and I block anyone scanning, trying exploits or doing suspicious stuff
you do that via the reverse proxy? which urls do you have to block for that?
I might do that conditionally if accessed from a public IP
Doesn't that make immich only available with mobile apps?
And block web ui
https://immich.app/docs/api/create-user-admin
You can look at the API endpoints on this page
Yep nobody in my family uses the Web UI
Ah
Mhh, I use the web-ui to share stuff
you could use it in a manner that only allows /share/ path & /api/ path through and block the rest
that way api for mobile still work
and sharing still work
but everything else gets blocked off
i am not sure the value though the webui is just a UI
the attacks are going to be against the api
if I knew how I would block creating API keys and accessing immich as an admin from remote locations, but the rest only really matters if a password was brute-forced or bypassed
in case of a bug/vulnerability, it likely won't matter as the interest will likely be to enter the system somehow
what's the reverse proxy you are using?
there's probably docs on how to paths
then you can use refer to docs to see what path to block
yea I know how to block the paths, I just am not sure if I can block the entire /api/admin or if that would cause issues and how I could deny creating an api key without denying other apikey activities
maybe we need a community hardening guide for immich 😄
I use an nginx based reverse proxy btw (swag by linuxserver.io)
Block this https://immich.app/docs/api/create-api-key for creating API keys
You can probably block /admin/ and it’ll be fine.
Does swag run as root like a lot of other Linuxserver.io containers?
mhh? the docker daemon runs as the user you configure afaik, for most instances it will be root
inside the container, you can specify user ids (like in all linuxserver.io containers I know)
they however do not support their containers if you are running your docker daemon rootless afaik
Is there any good reason to prefer Cloudflare over a local reverse proxy?
I just moved from a local nginx instance to Cloudflare expecting to use zero trust functionality to lock access down to trusted devices. But all interesting features seem to be paywalled. I feel like it was a wasted effort.
use zero trust functionality to lock access down to trusted devices
did that part not work out?
I think you should have been able to access your services without opening it to the web if you used tunnels
(not the same as slapping an auth wall infront of a service)
personally I would want cf to protect my origin residential ip
currently using free domains so cf is a no go
but I haven't looked into tunnels
I am using the tunnel, not exposing my personal IP is a bonus but I consider that security through obscurity.
I haven't been able to lock the tunnel further down in a reasonable way. IP based filtering won't work due to dynamic IPs. I've tried the WARP client with whitelisted device serials. Wasn't able to get that working.
The extra AUTH layer on the tunnel was promising but breaks the mobile Immich app
well, you have some basic protection added with cf
but I prefer to run it via a local reverse proxy
my setup uses a local nginx with basic auth and a very aggressive fail2ban policy. And the rest of the server is also hardened. And of course the login to immich is again different from the basic-auth login.
Plus I expose sharing to the Internet but that does not work with nginx and basic-auth (too many locations are needed). I have another webserver that is serving the share but under the same domain, I'm just redirecting the /share location to the webserver and I have a script running that will automatically populate the webserver with all current shares but with a custom image gallery.
huh? lol
wtf? whats so funny about that?
Sorry I meant to continue to write.
It was an expression of confusion.
I don’t get what you are doing with the script/ second webserver
I'd like to share my images but didn't want to expose immich in any sort, neither open my network for an internal installation or open up nginx to trust immich alone for security (which I don't). And because I have another webserver that's really just a webspace with ssh access, I'm creating a copy of all shares on this webspace, putting a single-file-image-gallery in each share directory (while not allowing directory listings) and call it a day
ok, so an image gallery that's not related with immich, just plain file drop and you would need the filename to be able to access the pictures?
so you share them one by one?
you can share as many pictures as you like and use the share link provided by immich. But you need the link to access a particular share, yes.
immich is behind an auth-wall? what do you mean by that? just basic-auth?
Obviously they mean the great wall of china /s
😄
as I have written in the post you replied initially to, yes basic auth. simple but effective, especially in conjunction with fail2ban (and thanks to https it's also encrypted so it's even safe to use over unsafe connections)
the only issue with basic auth and immich is, that you have to inject the credentials into the URL when using the mobile app, so the credentials are therefore not stored in an encrypted manner
if ssl decryption is used anywhere, someone could see the basic auth
the URI should be encrypted in a TLS session though
I am not a big fan of fail2ban, nowadays brute-force would be done from a diverse set of IPs
if ssl decryption is used, then the entire concept of SSL is useless.
fail2ban still helps, as it increases the cost for such attacks by a great deal. I've set it to block after 3 attempts and release after one hour. You need quite a lot of nodes to perform a useful attack, and that's not worth it for a small V-server.
yea, fail2ban sure helps and yes, either way, attacks would not really be worth it
you can't configure fail2ban to block on unsuccessful immich login attempts instead of basic-auth?
or you don't trust immich security here at all?
I don't trust it at all as there are hundreds of possible attack vectors that one cannot control and you would have a hard time to configure fail2ban to detect all possible entry points (that's close to a perfect vulnerability scan one has to perform).
NGINX + Basic auth is a single point of entry, which is pretty deep into development from lots of developers and therefore its likely to assume that there are only a few vulnerabilities and if there is there will be a quick fix as millions of servers rely on nginx.
immich on the other hand is a complex software solution in the early stages of development. It is open source which is good and bad at the same time (some attacker could just analyse the code and find possible attack vectors without creating a bug-report), but its mainly the huge amount of possible attack vectors against a software like immich, thus rendering direct exposure to the internet unsafe.
that's the basic principle most software-stacks nowadays are adhering to. At work we use a k8s cluster with multiple network layers and gateways that just perform authentication and load-balancing and safe routing between network zones, so that the micro-services inside the cluster are only exposed through some thorough security checks and therefore minimizing the attack vectors greatly and easing up the development and deployment of the micro-services. We have even separated the authentication and the IAM services, which run as separate clusters on their own.
For those using tailscale how fast is DERP relay speeds?
I've max seen 4Mbps aka (0.5 MB/s)
do you have a list of these endpoints?
Closest I could get to this is blocking:
/user-settings
/admin
and maybe /auth (idk how much doing this would break immich)
I gave up on whitelisting specific endpoints as there are quite many (depending on the apps you are using) and the endpoints are changing quite frequently in this early stage of development.
I was thinking about doing the opposite and blacklisting specific endpoints
to minimize breakage
for example theoretically you could block /auth and if you try to access the /photos endpoint you would be kicked to /auth which would be blocked
Problem with security is the general threats when exposing to the net
like if most attacks are automated (and how smart is the automation)
Exactly. For me, I just exposed immich to the internet. My firewall only has port 80, 443 exposed and only allows ICMPv6 protocol. NGINX proxy manager is my middleware between a client and immich docker
On an unrelated note it would be nice once immich goes stable if they had a LTS like cycle
so you could throw a watchtower container at it without worrying it will blow up
Then again idk how much effort it would take to do that
blacklisting is never a good way when exposing something, as there are way too many unknown points of entry. Blacklisting only works for the other direction, to block specific ip ranges (like fail2ban does)
once its LTS this should work as by definition an LTS should not introduce breaking changes
I thought blacklisting to help reduce automated attacks (on top of using oauth)
as another layer
if your immich domain by default had a 404 not found when going to directly (photos.example.com) and only say /photos and /api were open
it won't really help with human attackers though
but compare that to my approach. In my case there is only one way to enter the app and this is a well documented way and it was easy to setup. In your case there are thousands of possibilities you don't know of (and also others not, except for the attacker).
true
I'll just wait for LTS
and use tailscale for now
(although that has its own set of problems)
I can't really portforward on my network and tailscale can't do direct connections for me (heavily reliant on DERP)
also tailscale on linux requires root to run
even when it's LTS you cannot trust it. That's the zero-trust approach. Always use a highly refined auth and authorization solution including an API-gateway that will make sure that only the wanted traffic reaches your software in the first place.
aside from wireguard (or any other vpn) aren't you sol
the mobile apps require /api to be exposed
and there isn't any option say for bearer token authorization
What's the best way to integrate Cloudflare currently? I'm switching from PhotoPrism, there I just used an access group. If not in it, you couldn't log in. But that was janky since two logins (Cloudflare and the app). I see the general guide on using OAuth, but can't quite work out if that exposes Immich's login page to the net.
it does
I want to expose immich, but only for sharing photos to external people, not for adding users. I want to understand if I've set up something very badly or if it makes sense. Everything is set up on unraid with immich installed via docker compose. Currently my immich users (all on the lan or tailscale) need to log in with Authentik, where they log in using the local URL of the authentik outpost (which is also accessible via tailscale when not on our LAN). Then I have disabled the password login, so that OAuth is the only way for users to log in to immich. Then I have immich tunneled through a Cloudflared tunnel. This way the external links can be accessed through my domain, but only through the cloudflare tunnel. Then this is connected to Nginx Proxy Manager and reverse proxied to the immich container, with CF SSL certs running in NPM.
So far I have seen that when I share a link from immich to a non-user, they can see the photos that are shared, but if they click the immich icon on the top left, it will send them to the login page, where as expected the only option is OAuth. And because the OAuth URL is the local LAN address, it cannot be accessed in any way off the LAN (without tailscale connected of course).
To me this seemed at first like a way to be able to share without allowing the opportunity to even try to login to the immich instance for external people, while still allowing me and local users to backup assets while not at home through tailscale.
First, is this actually an acceptable way to set this up? Or is this a risk somehow because it shows in the link on the OAuth button where it is trying to go, but cannot. Am I needlessly exposing more attack surface than I need to for basic sharing? In the end, I have zero plans to add users not in my house. Only to share assets with other family and friends.
Second, I am not sure what is the better way to use authentik in this type of setup. Is it "more secure" to set up as a forward auth in NPM? Thanks!
yea, I am not even sure I understand the whole setup but it does sound overcomplicated...
what are you using authentik for right now? nginx proxy manager reverse proxies to authentik reverse proxy which proxies to immich?
how are users accessing shares? you configured subpaths to be accessible without authentication?
Authentik is like Authelia, not a reverse proxy but an authentication service. They would be using it as the OIDC provider for Immich.
Using Authentik for immich and nextcloud right now, and also for SSO for a few other containers but only locally. And it is a bit complicated, but I started with only NPM, then added Cloudflared to that haha. And in the end I like to have everything behind a reverse proxy, so if I need to ditch the CF tunnel I can without too much effort.
Users access their account through tailscale, so through that they have "direct" access to the server where immich is hosted.
And Authentik is not used as a proxy but as an authentication provider. So here I have it set up an the OIDC provider for immich.
@zinc merlin you're right. I used this guide:
https://github.com/immich-app/immich/discussions/8299
I have password login disabled in Immich, is there anything else I should do for security? I guess I wonder if I should expose that page at this stage of Immich's development, but this app is so perfect for my family's use case that it's almost impossible not to.
I want to get rid of Cloudflare. I want to implement a reverse proxy + authentication locally. I'm considering the following 2 options:
- Traefik
- Caddy + Authelia
Any recommendations? I'm looking for a smooth experience with as little setup time as possible.
Would you use authelia with either? Otherwise that list does not make sense to me.
As I understood Caddy doesn't offer authentication by itself, whereas Traefik is a proxy + auth service
The traefik you're referring to is most definitely not an auth service
Traefik reverse proxy is just that - a reverse proxy
Right! I see. Thx.
I've read a lot of good things about Caddy, ease of use wise, so guess I'll look into this first
Caddy is definitely simpler, but a little less powerful.
Well actually, if stuff gets more complex imo traefik becomes easier than caddy
anyone ever try using tailscale with a custom derp server?
I'm curious if there could be any noticeable speed improvements compared to using their stock derp servers
I use Authentik myself, you can deploy it in a way that it will actually act as a proxy, though I have it deployed in forward auth mode.
thats your choice...
what I can say is:
I expose immich as well, even without OAuth
It is very unlikely someone will target you specifically or any specific immich instance for that matter
OAuth adds MFA but immich could still be susceptible to the same bugs with or without it
Any software can and does have bugs, especially as a private user, you are often fine as long as you update regularly
you can always add more security even while still exposing immich!
but if you dont have the need to expose it, a vpn is fine.
I use Swag and Authentik
Much appreciated. I'd love not to expose the actual login page, but if you're doing less and have not been ransomed, hopefully this is fine 😄
I'll just watch this thread to see what folks are doing.
I did not say I am doing less 😇
I am doing more but that is really for fun
I would probably expose immich just like that as long as I have backups (which I do)
I do have backups of everything though
I hardened the OS, nginx, I decrypt the traffic to be analyzed by IPS as well and I block every IP doing something suspicious/unexpected (like scanning, testing vulnerabilities, etc.)
Noted! This is a big area to learn for me, but probably out of scope for this thread.
🤷‍♂️ I guess this thread is for anything related to exposing immich, if it gets out of scope, you can also open a new discussion always
Based on that I guess I'll ask: in general, if using Google OAuth / Cloudflare with those whitelisted users, but still exposing the Immich login page to the web, should I do anything else to harden that?
via cloudflare... it doesnt go directly to your server then so not much more you can do as control is in cloudflare
you could use fail2ban with cloudflare as well if you like (though i doubt it necessary)
many things are done just because...
single immich users would not be a valuable target and even if immich could be accessed with admin rights, it would only bring money if it would be ransomed and for that, pictures would need to be encrypted.... highly unlikely
I had a pretty complicated setup before, but recently simplified it. For my own use (and my wife) I have Wireguard setup on my home router, and use Wireguard client on phones and laptop to connect to home network when we are not at home. Works well, and does not require exposing Immich publicly.
👍
For public sharing, I have DNS for my subdomain pointed to my public home ip address. I have a single non-standard port opened in the router which forwards to an NGINX reverse proxy. The reverse proxy verifies from the headers that site was requested from subdomain, not IP address, and forwards request to Immich.
Then I have crowdsec installed on my server (which has the nginx reverse proxy, and the immich server) to look for suspicious activity and block ip addresses
FWIW obfuscating the port doesn't help anything and the reverse proxy cannot verify that site did indeed get accessed through the subdomain. You can always just pass the respective header and access using the IP
varying opinion on obfuscating port, I will agree the difference is negligible, but I still feel better knowing that someone scanning ports 80,443, will not see anything when targeting my home network. I see a MASSIVE reduction in traffic in my logs when using an obfuscated port. That alone is worth using an obfuscated port in my opinion.
Yeah that's fair
As far as reverse proxy not being able to verify that site did indeed get accessed through the subdomain, I'm not sure what you mean. My nginx config checks the host header and verifies it was from my subdomain.
Yeah, nothing hinders me from just sending that header while accessing using the ip address
yes, but how would you do that if you didn't know the subdomain? And if you know the subdomain, then it doesn't matter anyway. 🙂
That's true lol
you should verify the IP is from intranet if your nginx handles both internal and external things
i have 2 domains pointed to my caddy
public domain(points to my router ip) and a private domain(points to 192.)
someone could curl public domain and -H Host: private domain to access internal services if you dont check for external ips
it's kind of like obfuscating a port. Does it really help? Maybe a small amount, maybe not. But it doesn't hurt, and it's one line of code in my nginx config, and most attackers will probably be trying to access my network via IP address.
and people who know me, and receive a share link, will access from the subdomain.
my nginx does not handle internal, I access internal directly. So anytime I am home, or "home via WG", it bypasses the proxy.
the proxy only handles traffic to my super secret obfuscated port! 😉
Let me guess.. 4242? :P
i see.. it tripped me and some of my friends when we weren't aware of the Host header thing
though it's not straightforward since you need to guess the internal service domain to begin with
dang it! Now I need to change it again.
lmao
the only reason I even expose Immich publicly, is so I can send photos to friends and family. I don't have friends and family (other than wife) with accounts.
i made mine hang up if you access it directly(without proper domain)
but i am not concerned about ip scanners
hmm...any reason for that? If somebody already has access to your internal network, you are hosed anyway.
that's public and internal
because i dont use direct IP internally
it's the same but i am NOT showing my public ip lol
oh, gotcha, you meant direct via IP. I thought you meant direct to Immich without a RP.
i access even my internal services(immich, tubearchivist etc) through a domain that points to local ip
(because most services dont like being mounted to a path)
gotcha, yeah, I don't access anything "publicly" for my use. I am just used to accessing things via static IPs that I have set up and used for years. That, and I don't have to modify host files to direct traffic internally instead of using public dns lookup, to find itself where it originated.
Anybody else using crowdsec as a tool for detecting and neutralizing attacks?
I just started using it a little over a week ago, so still learning a lot about it, but it seems to be a pretty powerful tool.
Yep, that makes sense. I made the mistake of asking a friend with 30 years experience in financial infrastructure-type stuff who is a full-stack developer and he said "I would not expose ANYTHING on a commercial NAS." But that's not practical for me 🙂
I'll end up learning way more so I can make my own judgement, but for now this is getting put into use. It is too good.
you probably still will... whats your IP? 😄
commercial NAS systems should not be exposed, that is correct...
an up to date NAS running docker and you are exposing a container... thats different
My NAS completely died on me a few weeks ago. I wasn't running Immich on it anyway, but it was a pain having a NAS used for file storage and some services, and also a linux machine running some other services. I used that NAS crash as an excuse to consolidate everything on a fresh server, using an external multi-drive box running software RAID on Arch (I use Arch btw). It is much simpler. Now my RP, all my services, and all my storage run on the same server hardware.
I have automated nightly backups of Immich db, and also automated nightly backup of my storage to the cloud.
I sleep better at night with a simpler setup and nightly backups.
Oh, neat. Thanks!
if it comes to exposing stuff to the internet... i am not too shy... I even expose a VDI secured by authentik so I can access my home stuff from any browser anywhere
what would the best way to use tailscale or wireguard using this setup?
tailscale can't form a direct connection to my mac running ubuntu while away
would it be better to run a wireguard server on oracle and have the client (android phone) and mac server connect to it
or would it be better to run a wireguard server on the mac directly and forward the port to oracle (say using a ssh reverse tunnel)
i dont know your entire setup but I would probably run it on the oracle VPS
that being said, because I dont know your exact setup, your mileage may vary and in the end its your choice
you can also have your mac be both client (to the vps) and server (to the clients)...
but that is even out of scope for this channel as it has nothing to do with exposing immich to the internet 😛
I am running immich on my mac
well, analyze your traffic flow and decide for yourself...
take traffic flow into consideration as well as ease of setup
if you trust all your wireguard clients and the oracle vps is your reverse proxy, then you can run wireguard as server on your mac for those clients and still have it connect to the oracle vps as a client to avoid traffic from the vps while your mac is not online
you can also just have the mac as server for all for ease of setup
that decision is up to you though
I can't speak to Tailscale, never used it, but I did something very similar to your drawing using Wireguard. I created a VPS, with WG on it, that was connected to my home lan. Clients would then connect to the VPS, which had nginx setup as a reverse proxy to connect to my home network via the WG tunnel. I have since reconfigured my setup and now run the reverse proxy inside my home network instead of the VPS. This slightly reduces latency, and saves money. If you are using Wireguard, and you aren't trying to give friends and family access, you probably don't even need the RP, you can just use WG to direct connect to your home network.
I love how this thread just refuses to die
i thought threads in focus discussion are supposed to be long lived to discuss a certain topic?
They are, or at least that's how they are supposed to be used I believe.
I dont get what u mean. U had a VPS in the cloud directly wireguard tunneled into ur LAN environment? Sounds more dangerous than self hosting nginx on ur server.
How is that more dangerous? At a minimum it hides your actual IP and only tunnels the ports you want
Hey guys, a pretty naive question but I have an immich instance running behind a Tailscale. Is there any way to share images on that instance publicly (i.e. a share link) without making the whole immich service public?
Not really, no. You can block some endpoints with a reverse proxy but it's a bit hacky
Cool, i suspected so too but thank you!
That's indeed true. I do expose it atm. So i can share links with people. I've got crowdsec running on my nginx container.
But its true, my wordpress website that i host gets a huge amount of bot requests on known old breaches which usually my crowdsec blocks.
My immich subdomain gets nothing yet though.
A lot is also monitoring urself.
I use cloudflare proxy to hide my ip
is that unadvisable? i checked a test with devtools and i dont see a lot of stuff going on with the sharing view
sharing API frontend paths
/favicon.ico
/_app/immutable/*
/api/shared-links/me
/api/timeline/buckets
/api/timeline/bucket
/api/server-info/features
/api/server-info/config
/api/assets/*
downloads
/api/download/info
/api/download/archive
uploads
/api/server-info/media-types
/api/albums/*
You can give it a try. Don’t be surprised if things break 😅
personally not that concerned, just curious
i guess it will definitely be broken by refactor and so on
like https://github.com/immich-app/immich/pull/10677
I use swag for reverse proxy so I can access my immich instance at photos.mydomain.com and login is handled via OAuth with Authelia
Thoughts on using proxy headers as a second layer of auth?
Basically set caddy (or similar reverse proxy) to allow connections with a specific auth header
interesting proposal
but it will break web
(if you intend to create publicly sharable links)
it would certainly be very hard for scanners to figure out that a weird header and value is needed before the service responds properly
You could add a browser extension to clients to inject 💉 a custom header
hmm ok good point but still if you wanted to share an album to someone who is not a user of your instance
Alternatively you could just rely on another auth service like authelia, authentik etc
that will be out of window
Yeah unfortunately no solution to that
I know this goes against the spirit of the project but for me when sharing photos to another I just use a cloud service like Google photos
i dont think so
everyone has their own usecases here
and somehow it fits under the umbrella of what immich does offer
some would happily make it a private only instance if they dont have a reason to share links
My current set up is I have a Mac mini with ubuntu running immich and a few other services
They are relayed via wireguard to oracle vms
The oracle vms have unattended upgrades and auto reboot to stay up to date and they also barely have anything installed
Idea being you don't need to really trust if immich will have a zero day due to rapid updates
But that does conflict with sharing
I think Louis Rossmann mentioned his instance was fully disconnected from the net
that's a neat way if you dont need external access
probably the most secure, even if inapplicable in most times
you cant pwn it if you cant connect to it
i dont have a vpn setup but i think that's a nice balance
darn, it still wouldnt work on sharing to guest i guess
this is what i do as well, using a cloud flare ip.. is this really not enough for the standard user?
for a personal server?
hi guys what are your thoughts on cloudflare tunnels?
do you trust it?
and also would backing up large amounts of media over it be a violation of terms?
Max file size of 100 MB, I think they disallow video streaming.
Personally I don't really trust it since it's a MITM 🙂
fair
My current setup is having a wireguard server on oracle connected to my immich server and any clients
the immich server also runs caddy to avoid mitm from oracle
Yeah, that's a great way to bypass CGNAT while keeping privacy
I am curious what happens if you upload more than 100mb?
they'll get refused, HTTP errors
grey area I think
Is it really necessary?
it's not like these are high traffic servers
?
Wdym
what is the point of tunneling if the server isn't a target, isn't a CloudFlare domain and nginx enough
If you can't port forward and don't want to pay for a vps
Fair enough
Oracle free VPS 🙂
I do use oracle vps currently
I was checking all options
Gotcha. I prefer the oracle method, because no MITM
I use a wireguard vpn to it with a docker caddy instance on my host for extra privacy
Well it depends how it's setup
This is private
Indeed, you can’t run the proxy on the VPS
Just for tunneling purpose
Only downside is higher latency at home, can be fixed with split DNS tho
I do wonder how long they will keep the free tier
10 tb bandwidth, 200gb persistent disk, 24gb memory, 4 core
Free
Welp enjoy it till it lasts
MITM is my main issue with Cloudflare as well. I'm quite surprised how prevalent the advice to use their tunnel is.
Video streaming used to be on the list of disallowed activities, but they took that clause off the webpage a while ago.
I also found a forum post from two years ago where a "Cloudflare Team" person said that the only limitations to Tunnels are here: (https://developers.cloudflare.com/cloudflare-one/account-limits/) and doesn't include a 100MB max size limit.
I do think it used to be there, but they have since removed it as a limitation. It is also still a MITM, can't do much about that :D
All that to say I've been running Immich through a tunnel for months now with no problems that aren't my ISP's fault.
There is definitely still an upload limit. We get tickets on it every week here. On mobile app, we do something to sort of cheat it that sort of allows files around 800-900MB to fit through. Try uploading a 2-3 GB file using CF tunnels, I can all but promise you it will not work
Ah. Guess I'm just not making big enough videos then.
How is that more dangerous? The VPS hides my home ip, and all data transferred between the VPS is completely locked down to a single allowed source IP, requiring a public/private key, and this allows me to disable port forwarding completely on my home router. It was relatively easy to setup and worked flawlessly. The nginx server on the VPS also restricted allowed paths so pretty much only publicly shared urls worked. For personal use, I didn't use the VPS/WG tunnel, I used WG directly to my home router. The only reason for the VPS was to publicly share images and albums with friends and family members. My current setup does not use the VPS at all anymore. I found a simpler setup that offered the same level of protection.
I think what kees meant was in the rare event your vps is compromised wireguard out of the box will expose LAN to intrusion.
Although that can potentially be mitigated with a few firewall rules to limit what is accessible via wireguard
On my mac mini with ubuntu I have UFW to limit what ports is available to my oracle VPS
I also selectively bind docker ports (since docker doesn't respect UFW) to only allow bare min to be available
ok i get it. Just figured you enter another middleman that could be vulnerable. But if you're completely secure and sure about that VPS, it's prolly much safer. I use cloudflare proxy and otherwise have authentik, crowdsec running on top of my apps. but that still doesnt cover it all. APIs etc, are still open sometimes. The only thing i do is sometimes check the logs. I might even create daily reports to see if any weird requests were made to my subdomains.
Hey folks, trying to expose a service for the first time and would love to get some advice 🙏
I have a single Proxmox server with one VM serving Immich. I don't intend to expose any other services at any time.
With proxmox firewall (didn't use pfsense since just 1 service to isolate), I set up rules so that the container cannot access the rest of my LAN, and only accepts incoming connections on tcp port 2283 (immich). Now, if I port forward from my router to the IP of the container on 2283, I can access Immich using my no-ip ddns address. Of course, this seems a little unsafe since Immich is under active development.
- Would a reverse proxy help here? It seems like that's really only needed for more than 1 service since I'd have to open 1 port anyway
- Would another authentication layer before getting to Immich login be more useful? Something like Authelia or Authentik?
Thank you in advance
At a minimum you need a reverse proxy to provide HTTPS. DO NOT forward 2283. It’s unencrypted
Past that you can do whatever. I’m comfortable with just a proxy but others are not
I see -- and https encryption is for preventing man in the middle attacks?
Not just MITM. Without HTTPS anyone along the path can read your data
What do you think about using cloudflare tunnel instead of a reverse proxy?
It’s fine if you’re ok with not being able to upload files > 100MB
I’m not a fan because cloudflare can see all your data. (MITM)
silly question does anyone know how likely public networks are to block these types of domains
example 687678.xyz
Somewhat likely. For example on corporate wifi I've seen mine get blocked. I have one as a backup to my primary domain. I wouldn't use it as my only domain if you're often on corp wifi. I think it's a great option for people who are currently using a self signed cert internally, though
wait "every year" too
last time i had a .xyz but it's only .99 for first year so i gave up holding to it
as for how likely to be filtered
i think it will be filtered to hell
xyz is already known for being "cheap domain"
not free like .tk but cheap enough for a motivated attacker
i think it depends on what kind of wifi you are talking about
random coffee shop wifi is probably not gonna care..
if it was school/corporate definitely
but at the extreme end IT admin could set it to filter everything except allowed, or well known sites
then no matter the TLD it would be filtered because your site is not popular enough
Public wifi like Costco
They block dynamic dns and even github.com
if they even block things like github i think it's lost cause anyways
You're right
Funny side note guess what's not blocked
"newly registered" that might mean any newly registered domain would be blocked under same rule
part of it was the new domain the other part was the root of my new domain didn't have any content on it
Palo Alto occasionally crawls new domains to classify them
if it's unknown, firewalls will just block access
as a pseudo experiment I tried to take the root of my xyz domain and put a github pages demo page
(I wasn't using the root or www for anything anyway)
though it will probably take a month to figure out if that works
Hi all, I've seen a lot of discussion about Traefik + Authentik in here but not sure if it applies to my use case.
I followed this guide (https://www.smarthomebeginner.com/google-oauth-traefik-forward-auth-2024/) to get Traefik + Google OAuth set up, but can't seem to get Immich to work via the app when it's proxied to Google OAuth before actually reaching Immich.
Basic flow from what I understand: remote device -> cloudflare -> public ip exposed via 443 -> traefik -> google oauth -> immich (here you can use immich's OAuth directly, but I am trying to use it before Immich itself)
Does anyone have a similar flow working with Immich behind OAuth instead of using the OAuth settings inside Immich itself? If this isn't possible I could just bypass my Google OAuth (chain-no-auth in the guide linked) and only allow OAuth, but ideally I would want what I'm trying to do currently.
Traefik forward authentication with Google OAuth 2 provides a convenient yet strong multi-factor authentication for your Docker or non-Docker apps. This is a step-by-step guide to accomplish that.
Why do you use forward auth? Immich supports OIDC/Oauth2 natively.
maybe if they dont trust immich to secure it
like paranoid mode so it has to go through auth first
One can always use OAuth login with Keycloak or what I use/demonstrated with Authentik here in combination with some form of reverse proxy and registered domain name (mine is with Cloudflare):
Authentik - Installation - Docker (Compose) | Kubernetes (Helm): https://youtu.be/owk1a_1xYe4
In this video, a couple of methods are used to demonstrate setting up applications within Authentik
This video was made in collaboration with: Authentik Security Inc.
Resources:
Authentik Integrations/Applications: https://goauthentik.io/integ...
Basically what Thunder said. If I can make it so that unauthorized users can’t even get to the domain that would be nice, but from what I’ve tried, I can’t access it with that forward auth up when using the app.
I can’t access it with that forward auth up when using the app.
what do you get when you try to access the app with that setup?
i am not familiar with traefik so i cant be of help too much here
much less the google oauth stuff
i assume traefik is acting as reverse proxy here
from the site
```yaml
middlewares-oauth:
  forwardAuth:
```
if the names can be trusted this seems like it's doing what you want?
a forward auth check at the reverse proxy level first
via the app, i just get Error logging you in, check server URL, email and password
what is your app login setting? is it email+pw, oauth etc?
if it's oauth you still need to set oauth on immich itself
and yes, traefik is doing what i want by doing traefik -> forward auth (google oauth) -> show immich , but for the app, im not sure it can handle the forward auth portion as it typically redirects to the google login page
right now it's email + pw and also oauth configured via immich itself
when i click oauth on the app as a login method, it'll say OAuth feature is not available on this server, which i presume is because we aren't able to get to the server at all with the forward auth up
because you will have to login twice
first you login to traefik's forward auth
then you get to see immich UI
finally you login to immich's auth
yea exactly
i can disable email+pw and also forward auth as a working solution to only have oauth via immich itself, but i was curious to see if it was possible to use the forward auth instead
i dont have a double auth setup so i cant comment
but i dont really see why this wouldnt work
you will login twice but SSO is SSO, user is already logged in so they will authenticate instantly
i dont think immich has "trust headers" that specifies user's account, because it was not built for forward auth
(or at least when i was setting up)
but if you setup oauth on immich too
the user experience shouldnt be much different
user access domain
traefik redirects to oauth
user sees immich login page
immich redirects to oauth again
user sees their account
if you have auto launch, there's no extra clicks for the user's part
i also dont see why immich behind forward auth cannot use oauth
It does work behind forward auth for browsers, my only issue has been with trying to connect via the app
oh yeah not sure about that
you might be able to leave an escape hatch with the "custom proxy headers" setting
if the client sends a certain special custom header, make traefik drop the forward auth
it's not going to be as secure but i dont see other ways out of this
After putting a random github landing page my domain was reclassified as low risk (including sub domains not linked to github landing page)
Similar to this https://ycl6.github.io/GitHub-Pages-Demo/
Forked the repo and linked my domain to it
The newly registered domain category is there but in a month that should go away
i think at that point i might as well just remove the forward auth all together for immich and stick with the immich oauth implementation. It'd be too much to ask of my family to add custom headers to their app lol
thanks for the input 🙂
probably...
it aint that hard tho
but it adds more friction for non technically inclined users
You can use a browser extension to inject the header
from the iphone app?
Ah forgot about ios.......
Immich app yes
Browser no
Read context and yeah it would work for ios app
Header for ios app
And traffic login for web
(I haven't really used traffic much)
not exactly sure what you mean about how it would work for the immich ios app, but it would defeat the purpose if i needed to install something else to get past the forward auth
Does traffic have its own auth portal?
Built in?
You could add a policy to allow connections if a specific header and key value is present
(Sry for ping)
Accident
It's kinda like if the app had a password to allow access through the reverse proxy
yeah thats what thunder said before, to us it isnt much to add that same header as thunder posted above, but for my family members it is an extra step that would be annoying
Yeah that's a convenience vs security trade off unfortunately
the built in oauth with user/pw disabled is probably enough
That's what I am doing
i mean for app it is just 4 buttons
you can have it like this
forward auth IF NO secret header
then oauth to login
browsers get hit with forward auth
app uses the secret header as escape hatch
@shrewd thicket how many family members are you planning to make accounts for?
Just curious
planning for 8 but i doubt theyll all use it 🙂
Will you be setting the app up for them?
If you're setting up the app then the header method per device wouldn't be too cumbersome, one and done
^
If it's more your family are remote and you're trying to set up though I can see the barrier
yeah they arent in the same household so it'd be me telling them how to do it, not that difficult, but more annoying than i would want
Makes sense
i guess stuff like fancy vpning is also out of question then
Do you use wireguard or tailscale?
Or something else?
no
No vpn?
trying to think of alternatives for them but i dont think that would work
Ah
if they have to get non technically inclined users onboard
i think the built in oauth is the best choice at this point
How often does wireguard get updated?
I'm curious with a oracle vm with only wireguard exposed how often updates (and reboots are needed)
is anyone using client certificates on a webserver/proxy to prevent clients without the right certificate even handshaking? Seems like it's one way to stop anything connecting to the site without the client cert installed? bit of hassle but another option vs vpn/tunnels?
You mean mtls?
I read about it one point 🫠
You can set up mtls for web ui and header auth for mobile apps
Only downside to mtls is it's probably going to ask you for the cert every time you access immich web
And the app probably doesn't support it hence the header auth work around
Ie you could replace caddy/ngnix with it?
Do you know if authentik can authorize reverse proxy before immich connection?
In cloudflare access you can set up a access policy to login to cloudflare first before you are given access to immich
And for the app there is service token via header
Trying to emulate that with authentik and say caddy
by the nature of reverse proxy, it should be hit first...then route to your internal services
OR, you can just use the transparent proxy built into authentik (its rudimentary for literally just routing traffic through)
Does this support header auth?
Also does the transparent proxy allow policies to only allow specific paths?
yes
all this can be done by editing the provider and if necessary creating policies
One last question can authentik be made to authorize both the transparent proxy and immich via oauth
For more details or further help regarding authentik, I recommend joining the authentik discord...
So when you login authentik auto allows access to immich login ui which routes to authentik via oauth and logs in to immich
Will do (also handy for rare security event notifications)
Thanks for the help
is it possible to use tailscale to route requests based on server name? e.g. I have several subdomains pointing to a public vps with tailscale. tailscale then acts as a reverse proxy and forwards the connection to the respective server?
basically can I use tailscale as a reverse proxy or will I need to run nginx with multiple tailscale connections
(I haven't used tailscale before)
I don’t understand the setup. Would the VPS be publicly accessible or via tailscale only?
Are you using headscale (self hosted)?
my bad! so I have several services running on a homelab (including immich). I want to make them publicly available without port forwarding on my own network. I want to create a publicly available vps which acts as a proxy for my home network
I think I can use tailscale to create a VPN connection from the homelab to the VPS. yeah?
And what’s the goal of using a VPS here? Do you not have an ipv4 address?
Yes you can do that
I don't have a static IP and port forwarding is always a headache. Also having a vps reverse proxy lets me have greater control and I can do some cool things with that in the future
Port forwarding is less of a headache than a VPS proxy haha. IPs are easy to update. But yes, you can do that.
So just install nginx on the VPS then proxy_pass to the backend host:port for each service
In your case they would all be the same tailscale host presumably
wdym by tailscale host
oh so for each connection to tailscale, it will have its own IP address which I can redirect traffic to
kinda like docker then?
Mhm
ah that's so cool! i used to selfhost quite a lot but had to stop because I was moving house quite a lot. I wish this was around when I was hosting
I used to do this when I was behind double NAT but if you’re not I don’t think it’s worth it. I just use dynamic IP and port fwd now
Assuming you have a vps why not just use wireguard directly?
to forward
I'm assuming your setup is local host (at home ) ----> vps via wireguard --> vps to web (reverse proxy either running on the vps or reverse proxy running on your home host)
I'm pretty sure tailscale is just a fancy VPN
it is just a more fancy wireguard wrapper
its main benefit is it does some hole punching wizardry to avoid opening ports
and it has a backup derp relay
but if you're using a vps to expose to net then the wizardry kinda is pointless
you're most likely going to have to open a port on the vps else tailscale is gonna use derp (which is very slow)
pretty much all ports are going to be open on the vps
its essentially going to be a bastion server
when I was setting up my vps (on oracle) they only opened port 22 by default
for incoming
I guess what I'm trying to say is if you're going to connect directly to the vps (and not use derp as a fallback) tailscale is kinda extra bloat
since the tailscale config on your reverse proxy and wireguard are most likely going to be identical
how much overhead could it possibly have? ive never tried it before but ive heard good things
little slower https://tailscale.com/blog/throughput-improvements
though to be fair day to day I doubt you'd see much of a difference
wireguard though has few lines of code and addons making it less likely to get borked
it also doesn't need to rely on another control server
for me the main benefit I see with tailscale is if you're using it with client apps vpn
since it can seamlessly switch between a direct connection (udp) and slower derp (tcp)
hmm yeah
Like for example in my setup I used to route my immich local host to oracle via wireguard and then had tailscale installed on oracle on top
normally tailscale can't form a direct connection to my local host and uses slow derp
but in this case tailscale tries to establish a wireguard udp connection to oracle (which relays it back to local host) for a faster connection (faster than derp anyway)
if that fails derp kicks in which usually works on most firewalls at the cost of speed (since the wireguard tunnel is being funnelled over https)
thats my two cents anyway
is this from experience or just how tailscale works?
my experience with trying to get immich to work on Costco wifi
ah perfect
the one wifi network that tends to be strict (they even blocked github)
I use it for testing (what if) on potentially strict networks
ohh! yeah I'm understanding now
because I have a public IP/vps, I'm kinda not using tailscale for the right reasons
one last fun thing: you're gonna need to decide where you want to run your reverse proxy
you can run it on your local machine and route all traffic from your vps to your home machine (which would be most private) but port 80,443 on the vps will be exclusively locked to your local machine and you can't really host any other apps on your vps that use those ports
I have a domain name so I'm planning on routing the traffic at the vps
only downside to routing on vps is you sorta need to trust the vps to not snoop on traffic
since https will terminate at vps (decrypt) and then be re-encrypted back to your host
though the upside is the vps can kinda shield your instance if you want (ie you can set it to only route to immich mobile apps if a specific header is present and also you can block access to the front end)
kinda like a selfhosted version of cloudflare tunnels
yeah
my thoughts exactly
also it just seems like a fun way to structure a network
there are definitely smarter and cheaper ways to do this
but they won't be as cool and I've done it before
Hi Guys! I solved using immich from outside using wireguard, but i was wondering if it's possible to implement a strategy only to "get" photos from outside using the immich app, so i can delete all my photos on the local phone. The authentication can be the problem, but if it's possible to recognize where the connection to the immich server starts (everything but outside the LAN) the "write" operation could be avoided.
if you have a reverse proxy you can do some things that blocks the delete endpoints
you will need a reverse proxy
the reverse proxy can have normal rules for LAN
and a blocking rule for WAN, restricting access to certain destructive endpoints
here's the api endpoint list https://immich.app/docs/api/
also note that api endpoints may change after updates!
The reasons I did not go with Tailscale are, one - they have 3 users limit and I am already with 5 users
second being, all my (and my users') traffic goes through them, so I did not like that and also, I have scenarios where a user needs to upload huge files to my file server so I had no idea how Tailscale will limit me in this regard (which is also the reason I can not use Immich with CF tunnels).
I ended up setting up Headscale - which is an open source Tailscale-like controller that the Tailscale clients (which are open source) can use.
So no users limit and no upload limit.
For me my main use case for tailscale is the derp backup on public or corporate networks
At least it was anyway
Currently I just use plain old wireguard
Side note do you selfhost derp or do you use tailscale derp
If I recall headscale despite being selfhosted by default uses tailscale derp
But you run into the same speed limitations as tailscale directly
@clever cairn mentioned speed concerns
I think the suggestion was about upload limits, which isn't exactly speed, refers to size like cloudflare (not sure if this is an actual limit)
True, I was referring to upload size limits.
I'm a software engineer doing this as a hobby, What is derp? 😅
Does anyone use immich on ios with wireguard?
If you use a domain how do you handle home and away ip resolution?
me
How do you handle dns?
I've struggled a lot I've written something here "how to do"
i use duckdns and nginx proxy manager
How do you handle home and away ip
i can get the mysiteimmich.duckdns.org
Aren't your lan and wg ip different?
split dns, public dns record plus something like pihole for internal dns resolution
this kinda works; the problem I sometimes run into is if a wifi network has rebind protection it can cause issues
mhh?
DNS should be over the wireguard tunnel, so wifi outside of your home should be fine?
and at home, simply disable it?
if you cant, you would need to configure nat on wireguard and route your public IP over the wireguard tunnel
Kinda silly question on open cve changed for caddy (and similar http proxies)
NVD-CWE-noinfo
Is that anything to be worried about assuming latest version of go and caddy is used?
depends on your setup. it's a DoS attack. if you are running immich for just you, it's highly unlikely that someone will go out of their way to attack you
caddy 2.7.5 and above is secure per this issue
I am running it behind wireguard
My phone and macmini (hosting immich) connect to oracle wireguard vps
Caddy is there just to make sure data is encrypted en route between oracle
they just added a link to the page. it's just a method for classifying common weaknesses
Ah thanks for clarification
I decided on wrapping a simple auth layer around the immich server. In the app, I can enter https://username:password@... and it works, and the browser just prompts for the credentials when visiting the URL. This is a bit annoying as one also has to login using immich, but I feel safer that way.
I use authentik for the webui and header authentication for the mobile apps
router/firewall
proxmox:proxy:domain:vm:immich
is there a way to configure 2-way auth via the immich app, when using nginx (aka client certs)?
I'm trying to configure it using the provided Nginx example, but I'm having problems as port 80 is already used by my Nextcloud container. How can I have two "websites" on the same computer? Am a noob at everything Nginx-related lol
Ohhhh okay. So I'll assign Nginx those two ports, and then assign other "random" ports for Nextcloud, which will then make it so requests are forwarded to the Nextcloud server from Nginx?
Well you’ll need to configure all of this in nginx, but yes
if you are already using containers
anychance you are using docker compose?
you could use docker network for the other containers
and the nginx will act as the reverse proxy with host network
I use a separate bridge between every container and the reverse proxy and only add a separate network for outgoing traffic if that is needed
that's personally how i do it
every docker compose is in their own network
if they need to, they join the gateway network which is where reverse proxy is
yea, mine is a bit more extreme i guess...
e.g. if a main container needs access to a database, i have a network just for that and another for maybe a worker image, then i have a reverse proxy network per compose project, some i share if they access to similar data (in total I have more than a dozen reverse proxy networks)
then i have one shared network which is just for outgoing internet connectivity where containers cannot talk to each other (firewalled)
then i have one where there might be direct connectivity needed that can be accessed from outside that network as well (e.g. dhcp,dns)
and then i have a separate network just for the reverse proxy for incoming traffic.
all that is separate from my actual client networks
That is also how I handle networking in Docker.
interesting to see ways to take it up a step
i am just happy with each compose file(which counts as a "project")
having their own isolated network
e.g. several exploits end up running certain commands to then load actual malware or malicious scripts from the internet....
if your container only has a network to the reverse proxy but no internet access, those exploits get much harder to use.... and for a private network it's doubtful that the effort will be put into it
I think the security is worth the complexity.
🤷♂️ I think it adds a lot of security but might never be used...
just add layers of security...
just doing that and neglecting the rest would make that useless though 😄
question how do you do the docker container with no internet?
is it just
networks:
  no-internet:
    driver: bridge
    internal: true
internal: true does not allow exposing ports to the internal network.
ah
yea, that should stop outside connectivity
I like no-internet 😊
more like not external network access...
it wont communicate outside of the docker network(s)
disabling icc does the exact opposite, creating a bridge that allows external access but not between containers (unless some device outside of the network sends it back into it)
cant forget that default behavior of bridges is that they route between different networks... so it could happen that it passes a container and gets forwarded.... for that you can disable ip forwarding on the bridge
if you dont want the bridge to be internal but also dont want it to be natted to your host IP, you can disable ip masquerading on the bridge... if you make sure not to nat that ip range on your edge device, it would have access to external networks but not have internet access still
there are plenty of network options :[
I did it
Tried Nginx, but the IQ at hand wasn't sufficient.
Caddy worked really good with Immich and Nextcloud, after I reinstalled Nextcloud without the pre-made proxy-aimed installation rules. Works flawlessly now!
Just tell me off if that's a stupid way to do it for some reason. I am a noob at all this. But it's at least TLS now which I'm happy with
🤷♂️ guess any proxy will do...
i use swag, an nginx based reverse proxy with a bunch of templates
nice
Hey Guys, just looking to secure my Immich setup before i expose it to the world. The Caddy solution looks to be a good setup! How many are using this? I was going to look at Nginx but Caddy looks easy to setup and manage
🤷♂️ my guess would be that more people are using an nginx based reverse proxy but from what I have heard, caddy is easier to get going with
from what I could see, its not simpler when it comes to tightening security, modifying headers, etc.
I never tried Caddy and use an nginx based reverse proxy with a large community and templates for commonly self hosted applications called SWAG
i use caddy and don't have issues with it
you can rewrite headers with caddy too
something easy to manage means you actually know what you are doing and there's less chance of just relying on and hoping that someone passed the correct information to you
but i dont see the differences in terms of securing it, just use the tool you are most comfortable with
I didnt mean to say it was complicated to e.g. change headers in Caddy, but from reading about it I think it is not easier than with nginx
Getting started to proxy anything at all seems easier with Caddy though
I ended up testing out Nginx Proxy Manager, seems to do the job
is it weird that immich resolves 404? i have crowdsec and nginx setup so immich resolving 404 errors circumvents my nginx logs and in turn can't be analyzed by crowdsec. The expected behavior should be routing 404s to nginx. Should i submit an issue on github?
gonna also post this on help desk just saw that section
Yes it does for me, I’ve written some docs in GitHub. I can share photo or video hiding the rest of routes
rest of routes?
I like nginx... I guess cause I had to work so much with it to get the exact results I want
I currently have cloudflare tunnel set up for immich with access through google for web and through service auth for app. I am trying to allow public access to any shared url however struggling
Anyone done this successfully and can help 👏
Nginx proxy manager with cloudflare reverse proxy
Got it for 5 dollars a year super recent
Cloudflare?
Hello guys, in your opinion, if I use OAuth and expose immich to the internet, is it safe?
define safe
using OAuth with 2FA makes it safer in general (assuming your OAuth Provider itself is "safe"), yes
if you expose it, it also depends on how you expose it (how well you did your config)
if you do everything well, you may consider it safe enough for yourself
I consider my install safe enough, but its never 100% safe from all imaginable threats (neither is any other public service)
yes, at the moment i'm using wireguard on ios... but it's really tricky to activate wireguard and then open immich..
I'm looking for a shortcut on ios... so i don't have to click 2 apps
it's always a tradeoff between convenience and security
pick whatever compromise you feel most comfortable with
the fact is that I'm moving from google photos and I still use google photos for simplicity in searching photos and no wireguard access. I want to do the same with immich so I can move definitely from google photos
thank you 🙂
just know, nothing you expose will be as "safe" as using wireguard
the risk will always be greater
but you can minimize the risks and attack surface...
and maybe keep in mind that this is a software that is usually used by single persons or families to host their photos, it is extremely unlikely someone would be focusing on you specifically... so unless there is a bug that would allow someone to circumvent all restrictions, it is probable that nothing will happen
my personal opinion is, that I am safe as long as I keep backups, verify the backups sometimes and even have backups not connected to the same machine
e.g. thus far I have not heard of anyone with any "security incident" with immich ^^
even those that simply publicly expose immich without any further actions
but like thunder said, you need to pick whatever you feel most comfortable with
Thank you very much, yes i'm using duplicati as backup and a 3-2-1 backup strategy
by the way...
while some of my services like nextcloud get scanned all the time
I have not yet observed a single illegitimate attempt to access my immich instance
it will happen at one point the same way it happened for my other services... I end up at some open WLAN or I travel with foreign mobile network services and they sniff out the sites I access and start probing them
Did you have to add a redirect rule in your oauth? For eg: https://immich.domain.com/oauth/mobile-redirect to app.immich:/
I am getting 404 if I just do the redirect override and adding it to cloudflare oauth
Now I am wondering if I need to put nginx reverse proxy so that oauth maps to nginx which then redirects to app.immich:/
Hello @zinc merlin , very interesting security layer.
Could you please share an example of your configuration please? As I am interested in applying something similar 🙏
Thanks so much in advance
Also how do you harden your docker compose config ? The hardening tip in immich faq seems very soft to me. As the cap_drop only focuses on network calls, and also doesn't touch on postgres hardening.
From a production hardening standpoint, a container that can be used with a non-root user shouldn't need any capabilities. But if any is absolutely necessary (this should be avoidable ?), we do a cap_add and add them back.
@alex.tran1502 @nocturne vessel Could the immich team please possibly share the needed capabilities for each container ? Much appreciated 🙏
I don't harden my compose config, you can run it rootless which improves security but not all containers support this and running docker rootless is system-wide
I personally dont run it rootless (using a non-root user inside the container and using a UID that is not root on the underlying system is not the same).
sharing an example is a bit difficult, it depends on how your network looks and cannot just be copied
but basically you just use different bridges.
most users only have one real network (one subnet and no router), so you would have your proxy connected to the "outside" as well as one bridge per container that needs to be proxied.
and each "project", I either create one shared network for the whole project or e.g. one network for the connection between immich and database, one between immich and the proxy, etc.
as an example, let me try to share an example immich compose file here:
https://dpaste.com/6428MRY5Q
@obsidian compass does that help?
PS: the network named "proxy" would be a different one for each service connecting via reverse proxy, so it would be e.g. proxy1-20
I know a little bit my way around networks (not docker specifically) I would know how to adapt
if you run separate subnets, you can use them with macvlans for example
I'm specifically interested in:
- containers talking only through a proxy outside the bridge.
- containers banned from external and internal networks other than the external reverse proxy
you kinda have to do something like this... i do it mostly for fun 😛
containers banned from external and internal networks other than the external reverse proxy
-> this would be with the simple proxy network only that i showed in the example
I just saw your example. Let's take a look 😄
containers talking only through a proxy outside the bridge.
-> I assume this would be the "internet" network in the example I provided
though it allows all external connectivity, not specified to a specific proxy
Regarding the hardening though. I am not considering the rootless docker use-case. Namespaces were not intended for this, unlike common opinion, and they do present vulnerabilities, many security experts talk about that
For non-root user. You still have to control the capabilities (calls to the socket)
not sure I completely understood what you were trying to say
Simply put, I consider that a rootful docker daemon + containers with non-root users (plus some hardening) is a superior (but harder to implement) design choice than rootless docker
So I, like you, use non-root users
understood now 😄 sorry takes me a while to understand things sometimes 😄
😆
guess I didnt quite understand what you were referring to with the namespaces and what each of the rest was actually referring to...
but your simplified version I understood 👼
did the example I created help, was that what you were looking for?
networking and security is the only thing I can really help out with here, thats my day job, just like MrAedis is the linux master 😄
Very helpful, many thanks,
So the “enable_ip_masquerade: false” + “enable_icc” bridge options in my use case would help me force everything to go to the reverse proxy (on another host close to the firewall) only, as there is no nat and no inter container communication.
If I put one network per container with these options: eg. Isolate1, isolate2... Then I can make them communicate through the ("external") reverse-proxy.
I just need to block outgoing traffic to internet for these ranges on my edge firewall. And configure static routes from the reverse-proxy to these ranges on the router ( I assume these ranges would be different from the host IP)
I also need to understand how to block communication from the containers to the host IPs via the host firewall. I wonder if it’s not blocked by default ? as I never disabled nat in a docker bridge before.
Then how about the port publishing? How does it work with enable_ip_masquerade: false?
(I also wonder what does “gateway_mode_ipv4: routed” do in conjunction to enable_ip_masquerade: false ? The doc says it’s for direct routing but I am not sure I understand)
(All this seems fun indeed)
No, proxy would be what connects to an internal proxy
An external proxy makes little sense usually
Internet would provide general external connectivity but no connectivity between containers
Gotta go, I’ll be back in 1-2h and respond then
Thanks man 🙏
I actually confused "enable_icc" with "enable_ip_masquerade"
I edited my previous post to clarify my thoughts and questions.
So the “enable_ip_masquerade: false” + “enable_icc” bridge options in my use case would help me force everything to go to the reverse proxy (on another host close to the firewall) only, as there is no nat and no inter container communication.
-> no, it would only force it to leave the bridge network, if you disable masquerading, this would probably have some undesired effects. you would send the traffic with the original ip out the bridge network with no way to route it back
If I put one network per container with these options: eg. Isolate1, isolate2... Then I can make them communicate through the ("external") reverse-proxy.
-> its possible and depends on your network but I would just run some proxy inside your container networks instead
I just need to block outgoing traffic to internet for these ranges on my edge firewall. And configure static routes from the reverse-proxy to these ranges on the router ( I assume these ranges would be different from the host IP)
-> which router exactly?
I also need to understand how to block communication from the containers to the host IPs via the host firewall. I wonder if it’s not blocked by default ? as I never disabled nat in a docker bridge before.
-> not sure I understand but yes you can use the host firewall iptables or nftables to do this
Then how about the port publishing? How does it work with enable_ip_masquerade: false?
-> there is no port publishing with networks, you do not share the IP with the host, you get your own IP on each network
(I also wonder what does “gateway_mode_ipv4: routed” do in conjunction to enable_ip_masquerade: false ? The doc says it’s for direct routing but I am not sure I understand)
-> I don't use this, would probably just be the same as disabling masquerading if you set this to routed... though maybe you might need this if you want to route... I never used the docker network to actually do any routing though so I cannot assist on how to get routing working here
but it looks like on your specific use case, routed mode might be what you want
the docker host "should" then route it back to the respective bridge
but I haven't used this myself
That would be ideal indeed. Will test it soon.
I need the external reverse proxy as my https/tls terminations are configured on it. + WAF and IDS (more effective this way)
(Regarding your question on the router. The router is my Distribution+edge router that connects my different lan subnets and my DMZ)
(Regarding your question on the router. The router is my Distribution+edge router that connects my different lan subnets and my DMZ)
-> if this ^^
-> then that below is incorrect:
And configure static routes from the reverse-proxy to these ranges on the router
-> but I assume you know your way around networking to do the part necessary in your network
That would be ideal indeed. Will test it soon.
-> great, let us know if it works, in theory your host needs to have routing enabled and should then route it to bridges it knows of on its own
I myself run the proxy as a container as well but have the router/firewall outside as a physical device
so I only either provide internet access with no container connectivity or just internal container communication
the reverse proxy has one bridge to each container service that needs proxying and a macvlan for incoming connectivity
everything that goes through the firewall to the reverse proxy is decrypted and inspected
Thanks you sir
Come to think of it: taking off NAT is unnecessary; as the containers, when NATed, don't see the host network. All I have said is redundant.
Your method is enough indeed !
(I didn't think straight sorry hhh)
All I need now is to figure out the capabilities needed by each container and it will be ready for production I think
no, taking off nat would be the right way to go...
otherwise you might have unexpected behavior if outgoing traffic is NATed to the hosts IP
disabling NAT completely and having your edge router handle NAT if necessary would be better
Needs some small LABing to test the difference
I dont use bridges for external connectivity, which is why I dont bother to take off NAT
as for the example internet one I gave you, that is fine if you just want internet connectivity through the host... but maybe not in your use-case
Indeed it's not
so routed mode might work out for you there but I have never used docker to route
so try it out and report 🙂
there is always a solution though 😄
so far I just didnt doubt whatever your plans were and just tried to answer questions...
if this doesn't work out, I'd need to know more about the network to better judge which solution might make more sense/work
either way, know that this is usually all considered overkill...
I do this for entertainment and knowledge gain mostly, the added security is a bonus 😄
The best mindset.
And Docker without proper hardening is not production-ready, so it's more justified.
(A better runtime like gVisor, good permission management, limited capabilities, firewalling tightening... + good network micro segmentation + proper auth/authorization management. And finally a good security layer (IPS, waf, api security, http headers control ...))
And of course the more we learn, the more new things we need to harden hahaha
My gripe with the different projects (not specific to immich) is that the burden of security is always on the user. We don't know how the containers communicate between them (in order to limit/control network communication), what capabilities they need, what cpu/memory lower bounds they need (to avoid starvation)...
(And I don't think opening your family photos library to the internet is a subject to take lightly from a security stand point)
meh, thats where I take a completely different view...
They are the most precious to ME... no one else really... no one would bother to make an extra effort to view my family photos
someone might want to extort money by holding the photos hostage but for that case I try to keep a good backup strategy
in general, I love security but working with it also brings you down to earth on what is possible and what is likely...
that being said, I am sure my security is still in the upper 1% here
out of curiosity, which WAF/proxy/IPS are you using?
Coraza, caddy, Suricata + Crowdsec
on an appliance?
Baremetal yes
that comes like in a bundle or you just decided to run that together on there?
Opnsense + plugins + hardening
ok, so you are using an opnsense appliance with plugins which include coraza,caddy,suricata and crowdsec, yes?
Yes
got it 🙂
this has probably been asked many times but what do you think is the most secure way to have immich exposed to the internet so that the app can connect to it without the need of a vpn? I mean probably with a reverse proxy but anything else such as Cloudflare?
I remember reading that when setting up Cloudflare the app struggled to connect to the server so that's why I'm asking
If you use cloudflare you’ll be limited to 100MB uploads FYI
hmmm that's a big no for me, do you know of any other alternatives?
Just host it yourself with a reverse proxy
is that secure enough?
I'm asking because the documentation has this as a pro:
so I assume if I don't set something similar to Cloudflare my instance would be vulnerable to zero-day vulnerabilities
and also this:
if I expose it, should I expose the web interface and the API, or not necessarily both?
CF + Zero Trust Tunnel + client certificate in CF and you're good
the web interface requires the API to function otherwise it's just a pretty looking site and nothing more
if you are concerned do something that does not rely on immich guarding the gate
most of my apps are behind CF Zero Trust with a tunnel
vpn(you cant access immich without it, cf, tailscale etc)
SSO wall(you cant access immich without authing against a secured SSO)
certs(you cant access immich if you dont have the client cert)
are a few ways you could do it, there's probably others
personally i just set mine up to be accessible from the web and i am not worried about it
i am making a trade of security for convenience of access
can you upload files bigger than 100MB by doing it this way?
No. Due to the limitations of CF but I mainly have photos which are less than 100 MB.
I do have a fallback VPN if needed.
The VPN or the client cert?
CF + Zero Trust Tunnel + client certificate in CF
it's my first time doing this so any guidance would be highly appreciated
what I did was: Create a CloudFlare tunnel (https://one.dash.cloudflare.com/) for the 'public host name' to Immich (e.g. immich.foo.com). In the settings for the 'public hostname' disable the L7 Access security. This is needed so you don't get the login prompt. After that's working I created the certificate under SSL/TLS settings in the Cloudflare dashboard and entered the public hostname (immich.foo.com) in the field "Choose which host(s) you wish to enable mTLS" https://dash.cloudflare.com -> your domain -> SSL/TLS -> Client Certificates
thank you! one more question though - can Cloudflare access Immich data (photos) in any way? I mean if it would be possible for them to do it
The final step is to create a WAF-rule: Security -> WAF -> Custom rules -> (http.host wildcard "DOMAINNAMEHERE" and not cf.tls_client_auth.cert_verified)
Yes they can because the traffic is passing through their servers
isn't it encrypted
they decrypt the traffic to impose certain rules
it's really unlikely they keep it right?
I dont think they will
they might cache images though since thats part of what they do
You can disable caching
I see, thanks. What are the main benefits of doing this instead of just the remote proxy setup?
I don't have to own a server :P
I mean you can do a remote proxy and enable client certificates with no issues but you have to run a remote server, or expose a server from your own network.
I mean more in terms of security
They offer a free limited WAF which is nice, and other options to allow who can connect without having to roll your own. I like that
some applications are hidden behind Zero Trust Access, others are exposed for my home country without having other forms of authentication. If I weren't using CF I would need to figure that out on my own
the biggest downside is that CF is basically a man-in-the-middle
what does exactly Zero Trust Access accomplish?
I've followed your instructions and created the CloudFlare tunnel. I can access immich now however videos cannot be played. Do I need to create the certificate and the WAF-rule for videos to work?
nevermind it was my browser that had autoplay blocked
videos seem to load pretty slow though
If you were accessing local before, now you’re limited by your internet upload speed
well for some reason some videos won't load on firefox nor chromium, but do on the mobile app
they also won't load locally
I've been thinking about hosting Immich for a while, and the way I think I want to do it is host it locally at home on a local NAS and server, and tunnel the connection to a VPS using a WireGuard setup, that way the VPS has a static IP for me to pin a domain onto, and it's secured by only tunneling the one application (Immich Docker) to the VPS. Thoughts?
That works. However you can also just use your dynamic dns address as a CNAME record or update it automatically at the registrar
I’m not sure if it’s that much safer than hosting locally
Hosting locally requires that you set up a firewall directly at your home server and exposes your home IP to anyone performing a lookup of your DNS records.
Port forwarding is also done by port rather than by application, while tunneling a Docker container's ports only tunnels that one container, and it's the VPS that's exposed rather than my home network.
Obviously my home server will still have a firewall, just that it would be the only line of defense.
hosting locally and exposing a port is not much different than port forwarding through a tunnel from a VPS (unless that runs a proxy, which you could do in your home network as well)
I would prefer exposing one port directly over exposing it still via a VPS where others have or can have control of the VPS which gives access to my home LAN via a tunnel I terminate there...
This. And if you run the proxy on the VPS, the VPS technically can see all your images and data.
Use SWAG integrated with cloudflare zero trust authentication works like a charm.
i use swag as well... cloudflare zero trust is OAuth or yet another proxy in front of your proxy?
has anyone hosting on gigabit capable hardware and networking seen speed/performance issues with cloudflare's tunnels?
Specifically today?
Cloudflare had some network issues in Frankfurt, Germany around noon
in general. I sometimes see drops to ~10mb/s and I don't think it's related to my network's speed, though better testing is needed. Just wanted to figure out if others have had a similar experience
and this doesn't happen without cloudflare tunnel?
i have seen quite a few running cloudflare tunnels and none of them had network speed issues caused by cloudflare tunnels, only because of other network issues
direct connection got me ~115 mb/s upload
cloudflare tunnel doesn't seem to want to go above ~20
But again, I've done very very little testing, I don't want to put blame on anything yet
direct connection meaning from inside your LAN or exposed to the internet without cloudflare tunnel?
if you know your speed with and without cloudflare tunnel from the same location its easier to compare
lan, direct ip
yea, i would assume that's an ISP issue rather than cloudflare but feel free to try a "direct" exposed connection to the internet
in the unlikely case its not your ISP, you could try to talk with cloudflare support
it's very likely not isp, I'll send a full demo video briefly
second video is briefly after the first one also on direct ip connection
first case is:
cloudflare dns -> cloudflare tunnel -> immich container
second:
local dns resolution to local ip -> immich container
The upload goes straight to an nvme raid
Connection is 1gbit symmetric (it's actually a 2.5 gb down to the server, but for the purposes of wifi and phone to server it's a gigabit symmetric)
try exposing your immich for a few minutes to check to make sure it is not something on your end, if you get good speeds then try cloudflare support
that's actually a very good test idea, will do
Is a reverse proxy enough?
is that the complete question or are you referring to a previous conversation?
complete question
yes
your question is not very clear though... but a reverse proxy is enough to be able to expose services (assuming you did port forward to the reverse proxy)
I have device "192.168.69.2" which is on my home network. I have that wireguarding to a VPS, let's just say "123.123.123.123". On the VPS I have a reverse proxy exposing "192.168.69.2:2283" (with HTTPS of course 🙂 )
why?
that sucks ^^
agreed
I'm in Australia and the NBN in my area is even worse though
i'm talking dropouts every few days bad
how do you wireguard to it then? IPv6 only?
the Wireguard server is on the VPS
192.168.69.2 is the Wireguard IP of the local device running Immich
it's actually "192.168.0.122" on the real LAN
either way, the server needs to send packets back to the client... so you are connecting via IPv6?
what?
i don't know, it works though
i was more wondering about security
once the client handshakes, the NAT tables are populated
so it routes the traffic back properly
No reason your reverse proxy can't have login
does that work if I have other people also connecting?
wireguard is udp but no matter, go on, ask your questions
i was wondering if once I'm using HTTPS, is Immich safe to just let loose?
that depends on your definitions
As safe as any site with a login page 😄
you should set your reverse proxy up properly
what's considered "properly"?
and there will always be measures you can take to make it "more secure"
```nginx
server {
    listen 2283 ssl;
    server_name immich;

    location / {
        proxy_pass http://192.168.69.2:2283;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
        client_max_body_size 50000M;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        send_timeout 600s;
    }
}
```
this is what it currently is
```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:MD5;
```
ssl stuff in the global config
Why are you still supporting TLSv1/1.1 ?
I could understand 1.2 but 1 and 1.1 have no business there
best practices...
i copied it from a tutorial
only TLS 1.2 and above, best to adjust ciphers even... that would be security against eavesdropping or someone seeing the traffic
security headers
TIL that exists 👀
Thanks! :)
It's super useful
should i use http2?
yes, though that's not security
you can e.g. set a default config to not expose your real certificate when they browse your IP or use a fake SNI header for probing
how do I do that?
I'm using nginx reverse proxy
are you familiar with it?
you know the config to catch default or not configured services?
just set it up to deliver a self-signed certificate
i can set up the certificates, how do i set up the config for default services?
```nginx
# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    location / {
        return 301 https://$host$request_uri;
    }
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    return 444;
    ssl_reject_handshake on;
    server_name _ "";
}
```
am i meant to set server_name to something proper in the actual immich server?
currently it's just immich
yes, that would likely not work for you
actually this won't work, I have plex on port 443
i put it behind the reverse proxy
then its all good, no?
so set server_name to my server's DNS record?
yes
and then have those lines before the sites-enabled import?
mhh?
ok
you can also set additional headers, change/remove server response tokens
there is always more to further tighten security
i could auto-redirect to rick roll?
yes you could
when using IP instead of DNS record?
but you would still need to serve a certificate on https
self-sign some random cert?
if you have *.crushedasian255.ddns.net served, they can then probe subdomains
yes
i don't have any subdomains
but that's just obfuscation...
i should probably get a real DNS record instead of noip
domain name* not dns record
whatever you like but you should be able to use subdomains of it as well
then serve a specific cert or get a domain
did you use the return 444 that I have in it?
remove that return 444 part, then it will work
i chose to specifically do that, you also don't need the reject handshake one
the ssl_ciphers config also allows you to restrict the usage of ciphers, e.g. to allow only the most secure ones
you can also configure headers for xss protection, referrer policy, etc.
there are some hardening guides out there for nginx if you are interested in reading up on them
thanks for the tutorials
👍
I'm going to go experiment with some stuff
enjoy, i think its fun 🙂
plex broke 😦
lol
it works fine just not for iOS
so, apparently plex for iOS does not support HTTP/2
disabling that fixed it
🤷♂️
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name plex.*;
    include /config/nginx/whitelist.conf;
    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    proxy_http_version 1.1;
is that your config?
i have no idea then lol
all i know is disabling http2 fixes it
and re-enabling it breaks it again
so I'm gonna keep it off
once you are done you can think about something like crowdsec or even some kind of waf... it ends up being entertainment only though at some point
I've been using immich for about 8 months now and have not had an illegitimate access attempt yet
one more thing, there are public records of every public certificate that was created, the instant you create a certificate with immich.yourdomain.com, it will be known
so for obfuscation a wildcard is better but if the cert gets lost then it could affect all subdomains
personally i use a wildcard
I'm on an unconventional port as well so I'm not expecting too much traffic
the port does not really matter, the reverse proxy will distinguish according to the SNI
would going ipv6 only also help
I'm using the same subdomain for everything
so if the SNI does not match your immich config, then it will not be forwarded (providing you set up your default config to serve self signed certs)
no need, that's why you have a reverse proxy
one ip, unlimited subdomains all on the same port
that's the end goal, once i get a proper DNS registrar
yours does not support subdomains?
e.g. with duckdns, any subdomain of your subdomain will return the same IP
Oh this thing is amazing
I have immich currently exposed through a cloudflare tunnel, and behind NPM as a reverse proxy. When I use my external access through the CF tunnel, I get the typical "Server Offline" message I see lots of people get. I have enabled websockets in NPM, but I still get this error. Is it a problem with CF tunnels, or is there a way to fix this?
I got a cloudflare tunnel working for myself and it was so slow I was not able to use the app. I need to look into it more but at first glance it works very poorly.
of course there could be issues with cloudflare tunnels, though I would guess it's rare that permanent issues come up...
though you can try to figure that out with them on cloudflare support
try with a directly exposed proxy, if that is fast, then contact cloudflare support
There are alternatives to cloudflare tunnels. I’m going to try frp myself. Will host it on oracle free tier… list here https://github.com/anderspitman/awesome-tunneling
before I would invest time in that, I would probably spend the time on just securing my reverse proxy enough to feel comfortable enough to expose it 😄
I kinda gave up and just rely on wireguard
Paranoid in keeping up with security
I use caddy + authentik + wireguard
authentik was more since I am relaying wireguard through oracle
though authentik has had a few CVEs lately
authentik has had many CVEs, not just lately... but at least those get discovered and fixed 😛
I use authentik as well
relaying wireguard through oracle? what do you mean?
my wireguard server is on oracle, my immich server is at home
my mac (immich server) connects to oracle wireguard server and my phone connects to oracle
and you expose immich via wireguard on oracle?
more or less oracle acts as a middle man
Oracle vm has ports open and both phone and server connect to the middle man
so you leave complete access to your home network on a public cloud server instead of exposing it directly?
my immich server is the only one connecting
but yeah down the line planning to move away from oracle
it really isn't tbh
it isn't, yea
I was too lazy to set up port forwarding
true
in terms of privacy though I have an SSL connection through the wireguard
time is better invested in properly setting up a reverse proxy
I have a reverse proxy and wireguard
and what would the advantage of that be?
in the rare case that oracle snoops, data would be encrypted from my mac to phone
additional overhead, more processing power and slower connection? 😛
I have caddy set up to require a bearer token
more private not more efficient 🫠
if they have access, they can still snoop, if they dont, it is already protected by the wireguard tunnel
to a degree they can but assuming the reverse proxy is running on the immich server and not oracle the client phone and mac could establish a secure connection inside the wireguard tunnel
even though oracle could see inside the tunnel they can't see inside ssl
I doubt they are really going to though
it's just an extra layer
... but then they still have access to your immich 😛
true
i am guessing you have the wireguard tunnel on the host that is running immich and not inside the actual immich container
though caddy I have it require a bearer token before immich login shows up
for mobile and authentik for web ui
so in that case they would have access to your network as well unless you set up firewall rules to block this