# Exposing Immich to the internet
down the line I'll probably just toss oracle and authentik and port-forward wireguard
better spend that time on something that's well documented and gives you usable knowledge after as well
because, let's be honest... I don't know anyone who would take the effort to "hack" into anyone's immich instance
Fair
unless you are a super hot hollywood star and they are horny hackers ^^
to be fair apple and google aren't going to do much better
I think a few Hollywood stars had iCloud/Google Photos leaks
though that's mostly due to weak passwords
https://immich.jenniferlawrence.com might actually be a target
immich.deemo.com or immich.questionario.com are likely not 😛
fair
yea... stupid ^^ bet none of them used a password manager and all had simple and reused passwords
never seen that game
Regarding WireGuard, do you install via Docker or outside of Docker?
I like to install everything in a docker but I have not found a proper maintained image with pure wireguard and without management which I prefer
there is one from linuxserver with "automatic" creation of the files and there is wg-easy with web-ui...
if you find a pure wireguard docker that is maintained, let me know
however I understand that there isn't because wireguard is in the kernel and is basically already there
either way I use wireguard but I don't use it for immich, I use it only for actual VPN connections to family
just create your own, go for a blank alpine or debian image and install wireguard
I think that's not the question. Many attackers or groups are scanning the whole internet with masscan or tools like shodan.io, censys or just using Google search.
Many attacks or footholds are automatic. I see daily people who try to use log4shell against everything... so they don't know if you are a hospital, snoop dogg or john doe, they just attack and try to make money...
When you search on shodan for public SMB, sonarr, radarr etc. you can see a bunch of hacked instances xd
besides that there are many scriptkiddies with too much time on their hands.
So the better question is: do you really need to expose immich? It contains a lot of sensitive data. (my instance has many child o pics and so on...)
I would never do this, not even for money. If you do:
- have a firewall with good rules and monitoring, for example block IPs from China or Russia, implement a WAF etc.
- separate your homelab into a couple of networks like DMZ, server network and client networks
- have a good backup concept
- use MFA, for example with authentik or keycloak
- use SSL and a reverse proxy, optionally things like fail2ban or crowdsec to prevent bruteforce (keep in mind to use a separate proxy for internal things and exposed stuff!)
- more monitoring and alerting, you want to know if someone logs in from a weird location or tries to bruteforce you
not a really good search but to get a feeling, look into it
can also be used to search for your own IP
when a CVE comes out you can automatically extract all IPs from the search and attack, you can't patch that fast xd
too lazy, I just use the lsio one that is based on alpine and use it with manual configurations
I think that's not the question. Many attackers or groups are scanning the whole internet with masscan or tools like shodan.io, censys or just using Google search.
exactly what I have always been writing here: those are legal and official instances that mass scan and keep all the information in a database that can be purchased, of course officially by security researchers for legal purposes (for which it does get used a lot!) but this gets used by hackers as well.
What I had been trying to say is that those groups or even highly skilled individuals are extremely unlikely to target a specific person.
If there is a CVE that could compromise a large group of users in a way that could be used for financial gain, then that is a likely scenario to happen for all known instances.
That is also the reason I keep telling people who create their own reverse proxy to create a default config with an unrelated certificate which does not leak any information, which gets presented if the proxy is accessed via IP or any unknown/not configured SNI. This does help immensely in not appearing on those auto-scanned lists.
Many attacks or footholds are automatic. I see daily people who try to use log4shell against everything... so they don't know if you are a hospital, snoop dogg or john doe, they just attack and try to make money...
Yes, again my point... it gets tried against everything, mass scanned IPs and known domains (e.g. if you use ssllabs and choose not to hide the results...)
what I said before was related to targeted attacks, it is unlikely someone will be trying to access a random person's homelab as they could use the time to do something that earns them money.
When you search on shodan for public SMB, sonarr, radarr etc. you can see a bunch of hacked instances xd besides that there are many scriptkiddies with too much time on their hands.
all true! 🙂
So the better question is: do you really need to expose immich? It contains a lot of sensitive data. (my instance has many child o pics and so on...)
yes, that is a question for everyone... but not just immich, the same would apply for putting the same data on dropbox or google photos, etc.
I would never do this, not even for money. If you do:
you mean if you don't, right?
have a firewall with good rules and monitoring, for example block IPs from China or Russia, implement a WAF etc.
yes, keep in mind though that geoblocking is good for smaller logs but attacks from those countries will still happen from other countries and often even from IPs that are local to you, so from the same country. It is good to geoblock countries that should never be accessing any of your data anyhow and where you have neither friends, family, acquaintances nor vacation plans
separate your homelab into a couple of networks like DMZ, server network and client networks
agree, separation with security devices in between helps contain possible breaches
have a good backup concept
always!!! that is THE most important... if a "private entity" gets attacked, it usually is ransoming your data... so if you have backups and no data that would be embarrassing if it leaked... there is not much they can use to extort money from you
use MFA, for example with authentik or keycloak
always good and should be done wherever possible/useful
use SSL and a reverse proxy, optionally things like fail2ban or crowdsec to prevent bruteforce
definitely also a good thing to make it a bit harder and therefore make you a less attractive target
(keep in mind to use a separate proxy for internal things and exposed stuff!)
makes sense only if you have your network segmented, which most do not... this is one point where I would say yes but it is unlikely that something would happen for private entities
more monitoring and alerting, you want to know if someone logs in from a weird location or tries to bruteforce you
yes but mostly an unreasonable thing to ask of private entities... that is more for enthusiasts trying to learn or for companies... is it good practice though? yes, it is
no, that is a good search... one of many reconnaissance possibilities that if elaborated on here, would scare the shit out of many people...
it is less scary than it seems though, but the fact is that information about exposed things gets known eventually and it will be saved and accessible by people who know how to access this kind of data for any purpose
- the alternative is to put it behind wireguard or openvpn because when these services have a critical CVE we have another big problem haha
- sure
- of course geo blocking is not good, I'm a fan of whitelisting but this is much work and I don't want to go too deep xd. tldr: IP addresses are the easiest things to change besides hashes
- ah, kinda. They can leak/publish your data, hurts anyway, but yes, when you're a private person it's not as interesting as a leak from Apple. What's also important: backups can be deleted or encrypted by an attacker too
sure sure, I'm coming from an IT sec background doing forensics/DFIR and pentests as a job so maybe I'm a little paranoid and have another view on these things
but yes you are right, so that's why I put all these things behind my wireguard or open it for 1-2 hours if needed
the only things that I have public are wireguard and ssh as backup (only key login)
same here, I work in Cyber Security as well
I would argue that exposed ssh is less secure than most other things
even with key only
with hardening, yea
but for the average person....
I use this only as backup if wg is down or something like this
alternative you can use port knocking xd
with ssh you are a step closer than just having an exploit on some webservice
true
lol... security through obscurity... never been a fan but realistically in real life very secure 🙂
anyhow, i gotta go now... be back later
see ya
Hey guys before I throw in the towel trying to set up the WireGuard server, could someone check what I'm doing wrong. I've been trying to connect the app to the server either publicIP:51820, 192.168.1.123:2283, but can't connect.
Disabled firewall (For the time-being)
Port-forwarded 51820 on the router
Public IP: 75.123.75.123
Local IP: 192.168.1.123
Server config:
[Interface]
PrivateKey = 123
Address = 10.0.0.1/24
ListenPort = 51820
[Peer]
PublicKey = 321
AllowedIPs = 10.0.0.2/32
Client config:
[Interface]
PrivateKey = 789
Address = 10.0.0.2/32
[Peer]
PublicKey = 456
Endpoint = 75.123.75.123:51820
AllowedIPs = 10.0.0.0/24, 192.168.1.123/32
what is 192.168.1.123:2283?
and btw, please use at least real private IPs in examples, nothing is going to happen if anyone knows your private IP but many mistakes can happen here that are not obvious when you change those or the other way around
@vast briar
@zinc merlin That is my local IP. Using 192.168.1.123:2283 on my browser brings up the login page
well, that's the basic config... you can use post and pre up scripts, adjust MTU, add DNS and some other stuff, but the tunnel should come up and you should see traffic sent and received
I see that the handshake between the server and client, but can't connect to the internet on the client side. For now, I'm trying to connect to the internet using my Wireguard server, and figure out how to connect to Immich later.
Steps I've done:
Intel MacOS running Docker
Wireguard image from linuxserver.io
Forward 51820 on the router
Disable firewall
Traceroute shows only one line/IP?
Added pass in proto udp from any to any port 51820 in pf.conf
Immich compose and .env are untouched
Server config
[Interface]
PrivateKey = [redacted]
Address = 10.13.13.1/24
ListenPort = 51820
[Peer]
PublicKey = [redacted]
AllowedIPs = 0.0.0.0/0
Client config:
[Interface]
PrivateKey = [redacted]
Address = 10.13.13.2/32
[Peer]
PublicKey = [redacted]
Endpoint = 77.123.77.123:51820
AllowedIPs = 0.0.0.0/0
Upon searching, looks like my issue is with linuxserver.io's image.
https://github.com/linuxserver/docker-wireguard/issues/355
Would switching to wg-easy or wireguard-tools help me in this case?
I recommend checking the wireguard docs and doing some basic network troubleshooting
your tunnel seems to be established with your first peer, have you tried pinging the wireguard IP of the server? and from the server to the client?
once that works, next step... (decide if you want to NAT or route and check either NAT or routing (in your case you would likely want NAT so make sure your iptables are set up for it), etc.) and check connectivity
but try to get help in wireguard related forums, a self-hosted photo software discord is not the ideal place for that as your request has no direct relation to it
PS: I won't respond here to this anymore as I will be gone for two weeks now
Do people directly forward their reverse proxy ports to their router for remote access? Right now I use WireGuard but want to give access to family and setting up a vpn is not feasible for everyone.
I just read some of the messages in this thread and seems like not?
Yes, if you have a reverse proxy setup you would forward 80 + 443
Ya. But is that what people are doing? Straight to their home routers? Are y'all using a VPS or Cloudflare to proxy? Or are people mostly just using VPN
I see some people are using Cloudflare. But I'd rather stay away from them
That’s what I do. Ask 100 people and you’ll get 101 answers
straight to the router
You can set up fail2ban and crowdsec for monitoring / blocking
This is very true lol
I expose mine but through a firewall, my reverse proxy is "hardened" to at least avoid scanning and my firewall blocks some of the more well-known public legal scanners (by blocking their publicly listed IP ranges) in order to avoid appearing on a publicly available list with all the software I am running, so anyone could abuse a zero-day
at a minimum if you publicly expose it, try to block access if only the IP is accessed directly without a SNI and do not serve your certificate containing your domain name on it
this is just to minimize scanning, it generally is not really an issue if a "person" knows your public IP or the URL to your immich instance
IMO a wildcard cert is a better way to avoid subdomain leaking
subdomain leaking, a little bit maybe
but if you just serve a self signed snake oil certificate as the default site (anything that is not configured), that is even better (in my opinion)
i am doing it straight from router
duckdns subdomain -> my router -> my caddy reverse proxy -> immich
this is after evaluating my risk and convenience factor, I decided this is the best compromise for me
(edit best way everyone should find their own way)
Ok y’all lost me with these last two comments. I’m not as advanced with networking and reverse proxies.
Right now my domain is literally my name. My subdomains are all local and use traefik. I use DNS challenge with my domain provider and let’s encrypt to issue certificates. All of them have been whitelisted for local ips only even though I haven’t forwarded the port yet. When I forward the port, I’ll setup authentik and crowdsec (looking into that rn actually) and allow other ips for Immich only.
If I understand y'all's discussion, you're saying make it a self-signed certificate and not the Let's Encrypt certificate?
better to even avoid "domain leaking" and therefore subdomain probing
wildcard certs are good against subdomain leaking because there are public records on all issued certificates, so if you issue one for a subdomain, that becomes public knowledge
nono, self-signed is a hassle to configure for everyone else unless it's just you or you're an IT admin of a company
everyone else will see red warnings about how this site is insecure
That’s what I thought. Also the app doesn’t like self signed certs
i personally see it as a pointless act
i do use wildcard domains but i do not try to obscure it
just immich.mything.duckdns.org
no, lets encrypt is perfect...
but serving a self-signed one as the default server avoids someone knowing your domain by just probing your IP
I’d also like to learn about this hardening. I live with my parents and use their router and stuff.
serving a self-signed one as the default server
or you could drop connections to the plain IP (without Host: header = reject it)
doing that protects you from scanners only which is often plenty
or that, but that sometimes gets circumvented at least enough to get the cert
I do both, I return 444 and only serve a self-signed snake oil cert on the default server
hmm that's out of my depth to that end
mine is caddy based so I think certs are bound to domain blocks
its a rabbit hole....
you can spend a lot of time reading up on it
reading up on it is the only way you will learn about it
These are all interesting ideas. I’m going to start researching and then maybe ask some more questions here. I like the idea of snake oil cert but seems complicated for me
Lol yep. Gonna start now
Thank you all
google is your friend finding documentation
once you did that, you could read up on
https://www.cisecurity.org/benchmark/nginx
but don't do that without having the knowledge prior, blindly configuring options will just lead to issues
since you are using traefik as your proxy you should read up more about it
can't help you directly with that one
but at the end of the day remember everything is a tradeoff between security and convenience
it is up to you to decide where the sweet spot is
you could have the most secure wireguard setup but that would make it a pain to access by yourself
and probably a hassle for everyone, so they decide maybe they don't want to use it anymore
there's a compromise btw, you could keep it LAN only
it's lower effort but it still provides "good enough security", provided we stand on top of some other assumptions, like that our AP is secure
the tradeoff being unable to access it remotely instead of "having to do a lot of complicated VPN setup"
for my setup I have two blocks of hosted services
one is LAN (only 192.xxx can access) and one is WAN (anyone can access if they know my service subdomain)
when I am lazy enough to secure it I host it on my LAN-only subdomain (it's functionally identical EXCEPT my subdomains point to a 192.168.0.xxx)
for some, wireguard access is all they need without real loss of convenience (mostly if they are the only user)
I definitely recommend those happy with wireguard, to stay with wireguard... if that is all you need!
it's only an issue if you want to share access
yea
I am not convincing my parents if they have to have a VPN thing running 24/7
also personally I used adguard for my VPN sooo yeah
Oh, I see what you mean. Any guide on how to set this up?
but those that dont need to, I recommend to stay with wireguard...
self-hosting is often for fun and requires a lot of time to do correctly
just using wireguard saves you from a lot of trouble of reading documentation
And/or how to configure nginx to completely ignore these requests?
completely ignore, I don't think that can be done, but hold on
You said block access if accessed without the SNI maybe that’s the same thing
I assumed this would do it for caddy
:443 {
abort
}
Prevents any response to the client by immediately aborting the HTTP handler chain and closing the connection. Any concurrent, active HTTP streams on the same connection are interrupted.
I don't know caddy that well
since :443 is the fallback "if nothing else matches" https port, yeet that connection out
First, generate a self-signed certificate. Use the following command to create the private key and certificate:
openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/snakeoil.key -out /etc/ssl/certs/snakeoil.crt -days 3650 -nodes
(read up on further config options, e.g. I like to configure some messages into it, e.g. for the CN... e.g. "GET LOST")
Next, configure your NGINX server to use this certificate for the default server. In your NGINX configuration (usually /etc/nginx/nginx.conf or /etc/nginx/sites-available/default), set up a default server block to handle requests to any unconfigured domain or IP. This block should look like this:
server {
    # catch-all for any IP access or unknown/unconfigured SNI
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    # the snake oil cert generated with the openssl command above
    ssl_certificate /etc/ssl/certs/snakeoil.crt;
    ssl_certificate_key /etc/ssl/private/snakeoil.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    location / {
        # 444 is nginx-specific: close the connection without sending a response
        return 444;
    }
}
To enhance SSL security (not necessarily needed in this case but best practice), generate Diffie-Hellman parameters by running the following command:
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This adds extra security during the SSL handshake. Once you’ve made these changes, restart NGINX
Now, any request that doesn’t match a specific server block will receive the self-signed certificate and immediately be disconnected with a 444 status, ensuring no domain information is leaked.
You can verify this behavior by making a request to an unconfigured domain (e.g. by pointing this domain manually on your host to that IP) or by accessing the IP directly.
This should show the self-signed certificate and close the connection without any response.
there are lots of best practices regarding hardening...
e.g. it is best practice to remove the Server header, X-Powered-By and X-Provided-By...
I replace the Server header with a different one (lighttpd instead of nginx) which stops scanners from trying to find out the hidden server with other probing...
all sites! you dont really need it for the default one but I do it anyways as I have it for all others
Both of you are using caddy?
if you are interested in this level of detail you should use nginx IMO
most other proxies are focused on simple setup and may lack some of these features
Makes sense
that hides only the Server header, not the others...
that is already good!
I instead decided not to remove it but to replace it with a fake header, automatic tools believe in this right away and dont try to find out the Server software a different way
yes, I use an nginx based proxy
afaik, Caddy can configure at least the ones I mentioned now, just differently
cant help with that though as I dont use Caddy
gotta go for a bit now, son needs some taking care of 😄
Works perfectly ty 🙂
no problem
and if anyone wants to go down that rabbit hole, knowingly investing more time than it's worth... I will be happy to point anyone in the right direction (not do it for you but give pointers) as far as my knowledge goes (which is far from the end of that road)
I will defs take you up on that offer soon! Are you ok with being DM'd
I’ll use your header config if it’s easy to paste here 🙂
No, we should do that here so others who stay quiet lurkers can benefit. If you have some private config, that’s different
That’s a good point
443/tcp open ssl/http nginx
| ssl-cert: Subject: organizationName=
| Not valid before: 2024-12-01T20:37:22
|_Not valid after: 2124-11-07T20:37:22
🙂
Aaand I locked out my VPS from my home since crowdsec didn't like the nmap. I guess that's a good confirmation
i still need to do crowdsec...
I guess having a VPN as a backup policy might be an interesting way
I have one small issue with exposing services to the internet. If somebody requests the one port I forward to my nginx server via http (not https) they get a 400 bad request error, "The plain HTTP request was sent to the HTTPS port". I would like to return a 444 instead of the 400, but I can't figure out a way to configure this with nginx.
I am checking for the hostname in the virtual server and rejecting requests that don't match the server name, but somehow IP address requests made to the listening port return a 400 instead of 444. It seems that this happens before my check for the hostname. Is there a way to have my virtual server listen on a port and reject http requests with a 444 instead of the 400 bad request?
Use the error_page directive for that, so error_page 444
but wouldn't I have to set up a 444 error page for that? I don't want the server to send a response.
Is it no response or 444 response
well, the error code I want to throw is 444, but the body should have no response. I got it figured out.
error_page 497 =444 /444.html
Turns out internally nginx throws a 497, but in its response it throws a 400, so you must set 497 =444, not 400 =444. You don't even have to create a 444.html, it is ignored and not served.
Thanks for pointing me in the right direction.
Glad you got it figured out
Anybody have thoughts on using the crowdsec bouncer at the Linux firewall level via cs-firewall-bouncer vs. at the nginx level using the nginx bouncer?
would highly recommend the iptables (ipset) bouncer based on my personal experience
nginx bouncer will not catch as much traffic and will take more network resources, also can put other ports at risk
good to know, thanks! Setting up the nginx bouncer has proven to be a major pain since I don't use a common Linux distro like Ubuntu. If it works better at the firewall level anyway, and is easier to set up, that sounds ideal.
Well ofc you will have to see if they package the firewall for you
I used this section after installing: https://docs.crowdsec.net/u/bouncers/firewall/#ipset
I don't have a firewall setup at all, but I can easily set that up with iptables or one of the other supported firewalls.
make sure you install iptables-persistent and ipset-persistent and then run netfilter-persistent save once you have the rules so they persist across reboots
I also made a DROP rule for FORWARD and DOCKER_USER in addition to INPUT
not sure if that's needed
I just did this like this past weekend lol
fresh in your mind then. 🙂 I have no experience with Linux firewalls, I use my router to block everything except a single port, and a somewhat hardened nginx config to keep out the riffraff, never saw a need for a specific software firewall in between those two.
but for Crowdsec, I will make an exception 🙂
I just had like the default debian iptables running
I never had anything configured on it before, router like you said
444 gives no page, it disconnects
I run a pretty lean/un-opinionated distro so no default network management, firewall, or anything like that. I can't imagine iptables being too difficult to setup
Yes, that is what I wanted.
in nginx you just "return 444"
you installed crowdsec for nginx?
I run crowdsec in docker and mount the various logs into the container
Sshd, nginx , etc
My problem was nginx was returning a 400 bad request for a non-secure http request made to a port listening with SSL. So I couldn't return 444, it was happening at a level before I could do that.
🤷♂️ never tried it on non-ssl
yeah, essentially, I am trying to make it so that any request made to my IP address and a specific port returns 444. It worked fine with https, my virtual host returns 444 if the hostname is not the server name. But in the case of http, before it would check the hostname, it was detecting a non-http request on a listening port with SSL enabled...and so before it would check the config in the virtual server, it was responding with the 400 bad request error. The error_page seems a little awkward, but works fine and just drops the connection (does not try to return an error page)
Thanks i stole your solution
When you say don't serve a certificate with the domain name on it, what do you mean?
I use Let's Encrypt with DNS challenge with my domain provider. I didn't read about any options like that in the docs when I set up my certs
Where does it become public knowledge? Can I go to Let's Encrypt and ask to see all valid signed certs?
did you read all I wrote above? It's all explained in detail, it's not a public certificate and has nothing to do with letsencrypt
all signed public certs have a record, you can see 10 year old entries even
"research data" like this or things like "who runs node.js version X and below?" are also sold for "analysis" and completely legal
Ya I saw your posts and saved them. Especially the one where you showed how to generate the cert and then put it in the config. Maybe I'm just still confused. I'll read up more
Ok wow. I just found them all online. That’s crazy
it becomes public knowledge the moment the cert is created
look up your own domain on crt.sh
Good reason to use wildcard certs
yep mine is wildcarded but idk i think caddy makes it sorta a pain to do it that way
i have one *.my.duckdns.org server block
then I regex out the subdomains (actually I think it's just host matching, only one service gets the regex treatment so I can have different virtual "profiles")
Obfuscation, great to do on top of good security
DNS records aren’t exactly secret either though
They aren’t? They are AFAIK
Perhaps secret isn’t the correct word but they are private unless otherwise known / shared
There is a site that you can view DNS record requests. I think someone linked it in #off-topic at one point.
I think the site you’re referring to collects subdomains from the SSL cert
I don’t know how a third party would track DNS requests
^^ they are based on certs
see https://crt.sh and key in your own apex domain to see if anything got picked up
personally I don't bother much other than wildcarding
my service names are pretty sensible after all
it's like immich.my-domain.duckdns.org
Mhm, nothing unexpected there
so if you have a long enough list of stuff maybe you will find it all and i think i am fine with that
you can defo ratelimit attempts to access an invalid host but I cba, shrugs
since *.my-domain.duckdns.org -> 123.456.789
your IP would receive Host: A., Host: B. enumeration requests attempting to bruteforce for a service
you can probably make your server log invalid subdomain somewhere and have fail2ban or something that can pick it up
DNS is not encrypted most of the time, that data is sometimes collected and sold.
They are also crawled by public or non official crawlers for common ones
Some devices send telemetry data including all dns or urls
E.g. In kali you can use subfinder, there are many tools to aggregate infos and find dns records…
If you use immich for example, that name is on wordlists and easily found, same with photos, fotos or other words
This is the site! Thank you
Good thing I don’t use any of those 😉
First time hearing about subfinder...I just used it...blew my mind. I am making some changes!
lol
no real need to
it's a rabbit hole that is not worth going into, info about you will be found
do a little bit with little effort only
ahhh...but I find obscurity is very helpful. Of course obscurity isn't even close to a replacement for security, but I have found obscurity to make so very few people/crawlers ever even make it to my front-door
but too much isnt worth it
The people that are fooled by obscurity aren't the ones you need to worry about, and the ones you need to worry about don't bother with obscurity
- obscurity is so easy to setup when it comes to domain lists and a wildcard cert, so why wouldn’t you bother
- eliminating a lot of the chatter / “noise” makes it much easier to focus on the actual threats
It’s a common misconception to say “why bother” but this isn’t accurate from a systems engineering or alarm fatigue perspective
doing a little bit with little effort is usually worth it but like Mraedis said, after that its worth investing more in actual security
Yeah I don't mean just don't bother at all 😄
oh for sure...I am making changes to both.
just dont mistake obscurity for security
i mean it's good to know and be aware of it so you can make an informed decision
(which doing absolutely nothing is also an equally valid choice)
obscurity isn't really necessary when it comes to fully public facing services on the internet, but when the services are partially public, meaning only meant for friends and family, I think it makes sense to at least spend the time to make your service not easily visible through free services like crt.sh and subfinder.
Bet you do ssh port knocking
What do you have that you consider overboard?
absolutely this at the end of the day
obscurity just makes it harder to unlock the door(break into your things)
but if the lock(security) is shit, it amounts to nothing at the end of the day
I think of obscurity as making hard to find the front door, and security being the locks on the door.
I do not...
but I do inbound ssl decryption to actually analyze the traffic for "zero days"
How/with what?
my plan now is to start using only wildcard cert, and change all my subdomains to ones never used before to get a cert, and use sub-names that are obfuscated and unlikely to show up in a curated list
wildcard cert, yes
obfuscated subdomains? not worth it imo
why is that? Wouldn't that make it less likely that somebody could determine subdomains through a tool like subfinder, essentially meaning somebody would have to "brute-force" to find my subdomains?
i mean not worth it to do something like skjdhfkjhsh.mydomain.com
when jjphotos.mydomain.com works as well
and no one will use a tool like subfinder on you
ok...yeah...I'm with you there. I don't plan on making it so hard that I have to look it up every time 🙂
sometimes people think they would be hunted 😛
your subdomains will be found out easier by telemetry data from e.g. an airport 😛
already not exposing a service through IP goes a long way... if you don't get into the net of automated scanners...
Yeah, I understand that it is unlikely that I would be directly targeted by a hacker, but I still don't want some crawler script looking for common subdomains like "photos" or "immich" and trying to exploit a zero day or something like...but yeah, I get it...we are talking 1/100,000,000 odds there.
it doesnt go that far with crawlers
Are you thinking of connecting to airport wifi and then browsing to ones domain?
yea... or a cafe, any other place or even some small ISP?
whoever decides to look at your traffic, encrypted or not will see it
not such a big issue though... just be aware that such things are not secrets
Wanted to make sure you didn't have something else in mind. 😊
you mean me?
the analyzing for zero days?
I use a Firewall for that with ATP
I got Crowdsec set up and working with iptables last night. Found out there is a crowdsec collection for immich that detects brute force attacks and bans IPs.
brute force... not likely 😛
Sure, but 3 minutes to add it for an additional layer of security is good enough for me. 🙂
yea
I don't do any oauth, or fail2ban, or anything like that, so something like that works with crowdsec which is already set up is kind of ideal for me. I'm holding out on hope that one day the Immich devs change their mind about 2fa with TOTP built-in to Immich.
It doesn’t work lol. Pretty sure it’s a GPT invented plugin because the LOG_FILE env var does not exist
huh...good to know...I was planning on actually testing if it worked tonight after work.
maybe I'll take a stab at making it work and publishing it.
if you want to go down that route take a look at modsec owasp
I've been down that route. 🙂
did you drown or did you implement it? 😄
the first one...lol
I can't actually remember why...I started looking into it at a weird time, where I think a major change was happening...like change of ownership, or moving to open source, or some major change where it seemed like things were in flux.
and you are telling me to not go overkill? 😉
Probably doable with journalctl logging (that’s how I do fail2ban)
Lmk what you find
I was thinking I'd parse the immich logs directly.
…how/what files? 🙂
with obscurity 😛
i said i went overboard with security 😄
I don't rightly know. Never looked into it. I assumed immich logs requests...???
you mean reverse proxy access logs?
I didn't mean that...but now I do. 🙂
😛
yeah...I just looked at the immich_server container logs...nothing helpful looking in there
crowdsec just looks for invalid login attempts / brute force on any app and puts those on a crowd curated list for everyone to use, is it?
I don't think it is so simple. It depends on what bouncers and configurations you have set up. I don't think it automatically looks for invalid login attempts/brute force on any app by default. It will block requests on those lists though, but I think you have to configure it explicitly to look for invalid/brute force attacks on a specific service.
There are pretty generic rules you can put in place though that would filter out and block a lot of traffic based on the speed of the requests, location, repeatedly attempting the same path, etc...
but if you want to actually take action based on a particular behavior, you have to use a log parser and create rules for those logs. I don't really plan on going very far down that rabbit hole, I just wanted the general protection and blocklists.
Immich_server will log failed logins to stdout which appear in docker logs
The insane thing is you can’t configure docker to log a container to a flat file. So I use journalctl for fail2ban
Immich logging could be greatly improved. Maybe I’ll look at that someday
@green dome you happen to know how to use whois to query for all ip ranges with a certain organization?
nop
Even with wildcard dns, the obfuscation is very little right? Because the certs are all available and u can find all the signed subdomain online?
Actually maybe I see the point for local services that aren’t issued certs
The certs don’t contain the subdomains if you’re using wildcard. That’s what we’re talking about
Ohh. Then I’m doing something wrong. Nice this is good. I thought I was using wildcard but I can see the subdomain. So I must not be
You can check the subdomains like this: echo '' | openssl s_client -connect domain.tld:443 | openssl x509 -noout -text
Awesome thank you!
I got the wildcard cert working this evening. crt.sh shows just the wildcard domain *.mydomain.com. Subfinder does not see the new subdomains I created and am now using.
It actually will be easier going forward to renew my wildcard cert now too instead of my multi-sub-domain cert. I was having to open ports in my firewall just for certbot every time to renew, but since the wildcard cert is using dns for verification, I no longer have to do this. Although I now realize I probably could have just been using dns validation before as well, I just didn't realize that until now.
honestly, I don't think exposing immich is a problem
have backups just in case but you will be fine
blocklists, geoblocking, etc. all help keep logs cleaner though
information about you can be found quickly either way 😄
Indeed. Immich isn't the only service I expose. There is also the hassle of restoring everything, I've been ransomwared before, and it is a yucky feeling knowing somebody has been in your stuff. The data itself isn't that important as my backup system is robust.
but you have been ransomwared by being tricked into downloading something malicious and then executing it, right?
having a robust backup system is the best protection there is 😄
PS: I had been ransomwared before as well, wasn't an issue as I just nuked the machine and restored from backups...
just showed me you always need to watch out and cannot blindly trust even people you know 😄
Nope. I am suspicious of everything, have never been tricked like that. It is even more embarrassing than that. I had a NAS with a firmware that was over a year out of date, and the FW had a critical vulnerability that was exploited. Some crawler found my site, probed for services, detected my NAS and exploited a vulnerability. This was years ago, and at the time I had backups, but not automated 3-2-1 backups, so I ended up losing some stuff, and spent a couple days getting everything back up and running fully. Lost some data, but nothing critical. I no longer have a NAS, and run DAS on a Linux server instead. I also have local and remote backups now.
I honestly don't remember what my network setup was back then (I've learned a lot since then), but it is likely I was just port forwarding 443 directly to my NAS login page, so the ransomware attack probably didn't really have to probe for services to detect my NAS. But, if I can make it so the vast majority of people never even see my front door through obscurity, it cuts down on the chance that somebody can even start attacking my security. I have been spending a lot of time working on security as well, via iptables and crowdsec.
ok yea... NEVER expose a NAS to the internet, those things barely get patched
and yes, now you have it set up well!
sufficient
just don't expect jjphotos.yourdomain.com to not be found 😄
lol...yeah...I needed to know that about 4 years ago.
yea, it's a shame... ransomwared NAS are quite common
I only expose 2 things…. Nginx running as non root docker (80&443) and ssh in a VM on a non standard port with very locked down settings, no root login and only public keys
non root docker?
you run docker engine in rootless mode?
No, the container runs as a user
As far as I know the benefits are similar. Using the user: ####:#### in docker compose
mhh, afaik quite a difference still
rootless is a whole different story and brings problems along with the added security (as usual)
the problem afaik is that it is too difficult to run some containers rootless and those that need to as root
but i am no expert here, Mraedis could probably shed more light into that
Perhaps I will move nginx to its own docker daemon if there’s a big difference. I don’t want to deal with rootless docker daemon for all my containers
I considered an unprivileged LXC but would prefer not to share a kernel on bare metal with my main ingress
most containers are set up in a way that if you get access to it, you can also gain root access
if not you would need a privilege escalation
in rootless it is completely isolated afaik
nginx is only the proxy...
let's say you run... plex (randomly chosen) and you have plex reachable through nginx, you can gain access to the plex container without affecting the nginx container
Yes most of my containers also run as a user
I’m not sure how that’s exploited, but I know that when running a container in user mode certain syscalls like setuid are blocked
I’m sure there’s still vectors but it reduces it
i think running two different engines on a single host is difficult, though i haven't tried
definitely
Yes I would probably have to make another VM just for that which wouldn’t be a bad idea anyway
too much effort :[ but for fun, yes
Hi all! I'm kinda new to immich. I want to expose my server to only 2 devices that can go remote, my phone and my SO's phone. I was thinking about 2 filtering rules on 2 IPv6 address, but the content is still HTTP and so still vulnerable to MITM. What solution would you consider?
an https proxy
Okay, so something like nginx on my server with certbot/letsencrypt?
any pros or cons of one over the other?
GUI = web interface
oh they have a web interface, nice
You can also use just nginx with config files
yea, i use swag which is basically just config files, maybe good to customize things
I’ve started learning more about nginx.
If I understand right, by this comment and your snake hole cert, anyone who tries to go to ur IP in a web browser will not be able to find your domain because the snake hole cert doesn’t have any info. Am I understanding properly?
yes
Nice
Thank you to all of you! Especially questionario and zues.
I managed to move to nginx as my reverse proxy and learnt so much more in the process. I was also able to do the snake hole cert and it’s funny and cool!!
Has anybody successfully set up crowdsec to work using the crowdsec-firewall-bouncer with Immich? I was feeling really good about myself a couple days ago getting it all set up and it appeared to be working fine with Immich. However, with the release of 1.122.0, I upgraded and was not able to successfully restart the immich_server docker container. I was getting an error related to iptables and Docker, so not something specific to Immich, but rather, my crowdsec implementation with crowdsec-firewall-bouncer was breaking docker. I had to disable crowdsec and iptables in order to get the container to start.
it is usually recommended to not touch iptables with docker as it becomes quite complicated sometimes because docker uses it...
requires some reading into how docker does it and how to avoid your changes affecting docker
btw, i called it snake oil, not snake hole 😄
i personally don't use crowdsec (it's just a crowd powered fail2ban for me) but maybe someone else can chime in
i would like to use modsec someday though 😄
if i find the time 😉
Hi all, Is there anyone using Immich on a Windows laptop who also has access to the Internet for family and friends?
I have done the installation with Docker, and Immich is working,
but I'm not sure how to access this Immich app from anywhere which is totally secure.
OR if this is any good option at all.
Can someone help please?
windows? you might not have issues now... maybe later 😉
totally secure? never ^^
you can read this thread, there has been a LOT of discussion on how to do this...
read and when you have a question, search if it has been asked here and if you still have questions then ask them here, referring to which part is still unclear
otherwise I'd start explaining from Adam and Eve 😉
Thank you for the reply.
My goal is to organize photos and have access from anywhere.
Which is replacing Google photos in a way because I want it local and have no issues with storage.
I don't want to start buying a NAS etc. so thought I will try first on my laptop only and then if needed will set up a NAS.
But please tell me one thing, if I keep using Immich in my laptop at home network then it's not a problem right?
The data is secure?
if you dont make it accessible from the internet it's fine
i think you can probably run it on windows and be fine (i mean some servers ARE indeed Windows)
but most community resources expect unix based systems...
i think only enterprise stuff hosts services on win server
also i would personally prefer if my workstation and my service is on a different hardware
if your laptop is not used for working you could reformat into a unix os
OR you could get a new disk to dualboot off of
it is perfectly fine to host things on Windows Server
That is definitely not a problem.
However, Docker Engine is for linux, if it runs on Windows, it's always a form of emulation or virtualization.
For Docker containers it is best to run them on Linux
Also if you keep immich on your laptop in your home network... is it 100% secure?
- That depends what you are talking about, in a sense of secure from "hackers" then yes and no. if you don't expose it, it is obviously safe from external threats. However, if you use the laptop for surfing, you can just as well get ransomware malware a different way. Obviously, the less you make it accessible, the more secure it is.
- One thing you always need to think about is data security in a sense of having backups. Immich itself is not a backup system, it is one copy of that data, for something as precious as photos, you should make sure to have sufficient backups
I use a cheap hetzner vps and have a reverse proxy setup there. So all the traffic to my home server is routed through hetzner first
Was already using that VPS for other things so I am not paying anything extra like I would have to with cloudflare to be able to forward connections from ports other than 443 or 80
for what reason?
if it's a reverse proxy, it will take a longer path but will end up on your end services anyhow, or does hetzner offer additional security options?
Prevents your home ip from being directly exposed to the internet as well as ddos protection.
Also, a second advantage is if you are connected to your home wifi, you can't actually reach your public ip.
Who wants to tell them about hairpin nat 😉
lol
Interesting. I guess that's an option too.
proxying via vps does not add security on its own...
if the provider offers ddos protection, then yes, you have added ddos protection on the vps IP (assuming someone is actually ever going to target your homelab with a ddos attack...)
if they do, they will likely find your "home ip" anyhow
not saying it is bad to use a vps to proxy...
just making you aware that if you think it adds security, then... well only if the provider actually also gives you additional protection (which would usually be paid or very limited)
You can't ddos a closed port. One detail I forgot to mention is traffic in is whitelisted to only be allowed from my hetzner vps.
if you use a vps
your vps needs to be responsible of mitigating it(ratelimiting, banning ip etc)
OTHERWISE everything just gets forwarded back to your homelab
No one is gonna DDOS your homelab and if they do who cares lol
otherwise i dont see issues with that, it does add an extra hop but it also allows you to do some nice stuff
Anyways, how would an attacker find my home ip anyways?
Yes, bc CF only works on port 80/443 unless you pay up a hefty sum
the size limit too which immich runs into
(some other app chunks files for this reason)
well, do you know that they do that or do you assume?
unless it would affect them, they are likely to do nothing
??
again, not such a big issue for people to know your home IP
i did not make an assumption i am making a conditional statement
IF they are not mitigating on the vps then all the ddos traffic will simply be forwarded back, making it pointless
only they know what they did, that i do not know hence i made a conditional statement
It kind of is. At the very least it's a privacy concern.
If you know someone's home ip, you know their approximate geolocation. You can port scan their home ip to see what applications they are running (since most people keep the default ports).
Due to Universal Plug and Play people may also have ports they never knew were open, open
Then, if there is a vulnerability in the device/app the port is forwarded to you can exploit that
those ports get scanned either way and those are made publicly available
the approximate geolocation for my IP for example is within 35km
OK, but the difference is if someone knows this domain belongs to you (very very feasible situation), and this domain leads to your home ip, they can associate that ip with you.
For example, I host immich at photos.mydomain.com
If someone knows i own mydomain.com
It is trivial to find the subdomains associated with it
And find the ips behind those subdomains
i dont see the relevance here?
isn't that the same if you host at a vps?
only difference is one is your home ip, the other is not
Besides, that is actually the reason even my open ports are whitelisted to my vps only
also, unless you are a person of interest... who would bother? 😄
The difference is hosted VPS ips are secured by the provider. And don't create an attack vector for your personal home network.
Which can be a serious privacy concern.
I mean if I was happy with "someone is probably not gonna target me" i'd be using google photos 😂
That's the point of apps like immich. Your data. Your hands.
ok, the nation-state hackers attacking your domain will get directed to your hosted applications via your reverse proxy anyways
Besides one day I'm gonna conquer the world
nope, that is something COMPLETELY different
yep, in that case you better suit up and increase your security!
a vps as reverse proxy isn't going to cut it then though
OK, but then the attack vector is limited to JUST vulnerability in immich which is containerized in docker.
no, like you just said, scanners will find other subdomains and the attack vector just opened up to all your hosted applications
And again, hetzner filters some of the malicious traffic. They do provide ddos protection.
Thats the advantage of cloud hosting. They are better at filtering malicious traffic in general.
yes, that little ddos protection you have... at least if it's not application based but traffic based 😄
they do not filter malicious traffic though
If you get ddos, there are patterns that can be identified to segment malicious traffic from legit so they do
Or at least claim to.
OVH, is probably better for this particular purpose though.
ok, to get back to the point i made...
But exposing your public ip is a totally legit and valid concern
a reverse proxy on a VPS on its own, does not increase the security of your applications
They add ddos protection to your application. But security of the specific application as I told you isn't the primary concern here
sure, if your goal is to hide your public IP from (against whom again? those nation-state hackers that would find out either way?) others, then yes...
The main thing is I don't want my public ip exposed.
I actually used to work somewhere I was a person of interest.
Not from state actors
But from private individuals
(Since you don't need state level resources to do some naughty things with someone's ip)
then definitely up your security!
but not through a VPS, get proper security hardening
Hmm. Like what?
you do not, I was exaggerating to make my point come across
you need resources and those don't get wasted unless there is profit somehow
Why would a VPS not be sufficient for my purpose?
i think that does it
vps would serve to require a detour before your service can be accessed
IMO it wouldn't help ddos unless you or your provider does extra work of mitigation
IMO it wouldn't make your application more secure, it's not a WAF, it will not block someone exploiting vulnerabilities
i do not see the point of needing to explain yourself if you want to hide your home IP...
even as an exercise there's nothing wrong with doing that
like hardening? e.g. reverse proxy hardening, your OS hardening, docker hardening
network security hardening
adding an IPS, firewall, zero day protection, etc.
You have to realize I'm already hosting this VPS for running a mail server on the cloud. There is no additional cost to me to use it as a reverse proxy
And it adds added security.
You cannot argue it doesn't increase security
It does.
You can argue "you can do more"
i didn't say there is something wrong with it
everyone is free to hide their IP if they want to for whatever reason
I was only stating, that reverse proxying through a VPS alone is not going to make your application more secure
I respectfully disagree.
if you want to hide your IP just because, then that is a fully valid reason to do so
If you are doing a good job of hiding your home ip, that's added security
Just in and of itself
i guess this is simply a disagreement of how both view "security"
and it is ok for you to disagree
I am not telling you to have to agree with me 🙂
you add obscurity and many people like to do so... that is completely fine
A lot of people think that this adds security to their applications on its own
And of course it adds ddos protection. You can argue "but no one is gonna ddos you!" But that's not the point.
nope, I agree...
the added ddos protection is a valid point
(totally unrelated side note but I just want to give a kudos to y'all for having a respectful, on-topic discussion. On the Internet that's not to be expected these days 😅)
they offer a firewall as well, also added security
personally i think the ddos protection is conditional...(your provider or you)
BUT shouldn't be too much work if you just have basic iptables ratelimiting rules on your VPS, it beats nothing
(i think it's not good to just assume protections exist for you from thin air)
So then you agree it's an invalid statement to say reverse proxies through a cloud vps aren't gonna make an application more secure. Because being harder to ddos is by definition, "more secure".
you are twisting my words, I said the reverse proxy functionality on a VPS alone is not going to make your application more secure
Ok true. For example if your dns exposes your home IP then that defeats half the point.
if they add other security features, like Cloudflare does or Hetzner with ddos and firewall, then THAT is additional security
its debatable on how effective that would be... BUT it is added security
Then there is also the aspect a reverse proxy is an alternative to "hairpin nat".
Which tbh I didn't know i could do but good to know
I disagree 😄
it is a different way to achieve what you wanted but it is not an alternative to hairpin nat
with hairpin nat you have the full speed of your internal network, with a reverse proxy you are limited to your outside connectivity speed
Yep thats what I meant.
@cinder adder The reason I say this so specifically is because there have been several occasions here where individuals create a reverse proxy on a VPS and for some reason think that they are almost fully protected because the provider itself is secure and attackers would have to go through the vps provider first... which is why I pick apart the reverse proxy functionality and the added offered security features to make those with a setup like this aware!
There is absolutely nothing wrong with using a vps but people need to be aware of what it really means.
just by the way, there is also nothing wrong with using a vps as reverse proxy or even a reverse proxy on your home network and calling it a day...
it is plenty enough for many and always your own decision and so far I have not heard of anyone who used a reverse proxy to expose immich having had any sort of break-in that way (which does not mean it didn't happen)
Y u no use VPS as encrypted TCP tunnel 
Technically I already do with dem self signed https certs transmitting data over tcp (vps to home server; public internet to vps is legit https cert) 🤓
Yeah but your VPS provider can see all your data 👀👀
Semantics
Thats the beauty: they cant
Its end-to-end encrypted
Maybe i don’t understand your setup here
How do you change certs in the VPS without exposing plaintext?
Public internet --> VPS: Encrypted with SSL using LetsEncrypt
VPS --> Home server: Encrypted with SSL using a self signed certificate.
Yes…. So in the VPS the data is all visible when it gets exchanged certs yes?
^
You’re running nginx or something right?
Yeah.
So yeah your data is in plaintext in the VPS at least somewhere
Can argue this is a very low likelihood attack vector, but it’s there
It's more like end-to-man-in-the-middle encrypted
(And has been done for high profile targets)
Hmm i guess it is possible to capture the certificate exchange.
the raw data is in RAM
if you use iptables you can tunnel the direct TCP packets over WireGuard
Whatever it is it’s def not E2EE😝
Wait hold up.
With my setup the data is still encrypted on the vps
Only my home server knows how to decrypt the data with its self signed cert
At least thats what i thought?
Yes, but who encrypts the data with that self signed cert lol
I feel like you’re not understanding how certs work
Enlighten me sir
Where is the private key located for your public SSL cert? Is it on the VPS?
Ok well where is the private key for your self signed cert..?
There are 2 ssl certs
The data is encrypted twice
Ok I just realized the flaw in my logic
I see what you are saying
From vps to home server the data is encrypted.
But in this case my vps is the client and it can and does decrypt the data once it reaches there
Yep
Then the data is reencrypted from vps to public internet client.
Yeah idk i wasnt thinking
You are right
Anyway the risk is low but if you want you can tunnel the raw packets over iptables
Con is you lose IP source info for each client, and slightly worse latency / caching options
Which would be annoying to do with letsencrypt given I don't want to open any ports on my home router to the public internet
Internet traffic is only allowed in through the cloud vps rn
You can just use DNS challenge
Yeah i was about to say
I already do that actually for most of my setup.
Interesting I'll look into it.
Just for the learning experience if not anything else
even if you can't do DNS challenge automatically you can make the TXT record yourself
@cinder adder I had a setup a while back where I used a public facing VPS with a reverse proxy over an encrypted WireGuard tunnel. With a setup like this you don’t even have to open a port on your home firewall.
It doesn’t really solve any of the issues listed above with your current setup, but if your biggest worry is an attack on your home IP, this at least makes it so any direct attack will not find an open port/app to attack. Your attack vector through the VPS remains the same though.
I'm reading what you wrote here and I'm wondering because I'm thinking of switching from cloudflare tunnel to relaying wireguard through oracle together with cloudflare proxy dns.
That is, the VPS has no access to decrypt the information because it is only a relay between my server at home and the outside world, and decoding the encrypted information is done on the server at home and on the phone that sent the information via SSL
Lmk if you need help. I have one setup though I rarely use it now
Do you think this way is better/equal to in terms of security than using the Cloudflare tunnel? That is, from the aspect of privacy it is definitely better.
It hides your IP equally well
You lose the WAF features, but fail2ban and crowdsec let me sleep
If you’re raw dogging NPM with no monitoring or responsive firewall, it’s not as safe
However you do lose source IP information in this case
So monitoring only really tells you about volume of requests not source IP
If this matters to you you can run the reverse proxy in the cloud, ofc in theory the VPS provider can inspect your ram but this is magnitudes less likely than cloudflare IMO
I actually find that in most cases, if you are not behind CGNAT, exposing your own ports is the safest way because you have 1) no risk of MITM / packet inspection and 2) retain knowledge of the origin IP of each request. That is if you know what you’re doing
If only it was easy to get a static IP address in my country... Actually I know Proton VPN allows port forwarding but I'm not sure if it will work/how safe it is at all. Right now what I did was set up a VPS and create a wireguard tunnel to connect to Immich remotely. I still haven't implemented HTTPS and configured a strong firewall, so for now I don't activate it. (It requires time which I don't have that much of) If you have settings that could help for the firewall/general guide it could help :)
Define static
I think you mean public, static ip means it does not change, this is not needed for homelab
For monitoring I use fail2ban (there is a good link in our community projects for setup) with iptables
Otherwise nginx is pretty good with SSL cert
Do you think these iptables rules are good enough for what's needed?
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.66.66.2:443
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.66.66.2:80
sudo iptables -A FORWARD -i ens3 -o wg0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i ens3 -o wg0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Yes
You can make your second rule easier with -m multiport --dports 80,443 I think
Oh, I'll check it out. (new to this whole thing)
You probably need a MASQUERADE rule - does yours currently work?
-A POSTROUTING -s 10.104.63.0/24 -o enp0s3 -m comment --comment wireguard-nat-rule -j MASQUERADE
It works, although I'm sure I have a bug because when the tunnel is up I'm not able to go online except for the server sending and receiving immich data
-A POSTROUTING -d 10.104.63.100/32 -j MASQUERADE
I’m no iptables expert but I think MASQUERADE rewrites the packet IP so the replies get sent through the tunnel correctly
Do you have AllowedIps set in the WireGuard client conf? It should probably only route for the VPN subnet not all traffic
This is exactly what I wanted to check once I get home, probably a mistake in my setup.
I will check what you sent and I will update. thanks!
[Peer]
PublicKey = ###=
PresharedKey = ###=
Endpoint = domain.tld:port
AllowedIPs = 10.104.63.0/24
#AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
persistent keepalive is important because wireguard is by default silent with no traffic, which means you will lose your NAT "hole" if there is no traffic for a while
at that time no incoming traffic can be negotiated
My guess is that the reason it's working right now without masquerade is because all of the data is forced through the VPN. if you set the subnet as such, you will need to masquerade the packets so they appear from the VPN subnet and route back correctly
you mean a socks proxy?
as in forwarding without actually terminating the connections?!?
I am personally not a fan of running a VPS and using wireguard to connect to your home network...
I just don't see the benefits over the added complexity and risks
I do think a wireguard setup to your home from the end devices which use immich is perfect if that is all someone needs! if that is enough, i would never recommend to switch to a reverse proxy instead
NAThole, is that a new insult? 😄
you only really have to watch out for that if the "server" will need to connect to the client after they havent been talking for a while
I personally use keepalives as well
I haven't changed my wireguard config for years, not sure if there is a better way yet but I use Pre and Post scripts to configure firewall rules and NAT
This will be valuable if your home network is behind CGNAT / no public IP
You can run the reverse proxy at home as if you opened your own port
yes
If you terminate in the VPS your data will be visible in plain text to the VPS host
that is a valid use case
while I would say that no one is going to bother to look at a random dude's photos that way...
for POIs it might be a different story (in theory...)
it's very easy nowadays to automate a lot of the traffic "analysis"... photos sent within the stream can be saved as files and deduplicated without any human intervention
even phone calls are saved and analyzed automatically this way
so if I am actually worried about that, then no I would not have my tls sessions terminate in a VPS where I have no control over who has access to it 😄
I agree it’s unlikely — much less likely than CloudFlare
However some people's network setup does not accept that risk and I do respect that. I try to minimize it (I use my own port 443 at home)
I think cloudflare has a much higher chance of doing this mostly because their entire job is to do packet inspection, it’s very easy.
Whereas the VPS would have to inspect the RAM itself
I personally believe they probably do this for some source IPs
yea, I really don't know.. the VPS wouldn't have to inspect the RAM, it could be something built-in already even
I do believe there is traffic analysis at some points and to certain degrees and tailored to specific people but that would go into conspiracy theories...
I for myself weighed my options and opted to expose immich...
though i would love to integrate modsec at some point 😄
Well recall with the VPS the traffic only gets decrypted and re encrypted by the nginx proxy.. which lives in RAM
So the network traffic itself would be useless
I suppose you mean the OS image could contain something but you can use your own OS image. They could have some kind of Trojan that loads in but the data would have to come from the ram still
Honestly the fact that TLS exists and is usable by everyone is a gift we should not take for granted…
yea
its good for business too... more things get encrypted, more security appliances need to decrypt it
traffic that cannot be decrypted? needs design and engineering work to decide what to do with that kind of traffic...
encryption sure has become very costly 😄
though of course it is necessary to encrypt confidential data 😄
kinda off-topic, but I will soon travel to SEA, how is the IPv6 coverage? I do not have any kind of ipv4 forwarding/NAT to my server at home because CGNAT (and also do not want to beat the dead horse about how we should all move away from ipv4)
do users with sudo access count as non-root users, or should I make a user without sudo access and use that when trying to run immich as non-root
also what do you more experienced folks think about this setup. I use nginx as my reverse proxy. I'm planning on making 2 docker networks, one proxy_public and one proxy_private. the public one will have immich and nginx only. the private will have nginx and all my other services. do you guys think there's a point in doing this or it won't help secure/harden at all?
I don't think so. The user can still elevate privileges
Not sure about the other question
I’m curious about this as well if anyone has an answer. I’m much closer to exposing Immich. Things are running with non root and behind a (I hope and think) properly configured reverse proxy. I added the suggested cap drop and security opt from the FAQ page. I’ll add crowdsec soon. Anything else I should be thinking about?
Don’t think it makes much of a difference IMO but others may disagree. What attack would this prevent?
I wrote most of those sections haha, but not much else to add. Fail2ban can monitor for immich login attempts
Oh nice. They’re really helpful thank you!!
I’m being a little too paranoid. Which I think might be ok. The host is also my dhcp and dns server. I just don’t want anyone who does get access to Immich to be able to get to my host or my other containers.
Hopefully later this week I'll forward the ports from my router!
Are y'all's reverse proxies running as non-root as well
I feel like it would be beyond me to get nginx with ssl as non root
segmentation always helps
usually the public would be only for nginx though
I am guessing what you mean though is to have a public and private dmz
which is good but also think in ways of sensitivity of data!
e.g. I personally would not run nextcloud on the same network as my password safe
you kinda need to think about your own strategy
if the user has sudo access, it is a root user
in theory if one of the containers is compromised, there is no direct access to other containers
I run a whole bunch of different networks for segmentation so devices who do not need to talk with each other, also can't....
I go so far that containers that do not need internet access, also don't have it (easier to drop a payload if the container has internet access)
Sorry to be a bother. But there's some non-privileged images for nginx. Did you use one of those or just set the user directive like for Immich?
no I just set user: ####:####
image: 'nginx:latest'
You need to do a few bind mounts:
/etc/nginx
/var/run/nginx.pid
/var/cache/nginx
/var/log/nginx
Awesome. Thank you sir
with all those it should work as a user, you can also do
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
at least all of these work fine for me
maybe you will get some other permission issue when you boot but in general if you get an issue just make a new bind mount, chown it to the user you specified, and try again
I run most of my containers as non root just trial and error
That’s what I’m trying to migrate to. Most as non root. I have wireguard and technitium dns in host mode so not much I can do there. But everything else
Hello friends, I'm trying to enter my immich outside my network, through NGINX Proxy Manager but I don't understand that it doesn't work, can anyone help me? Thank you!
I have released an update to the docs that outline how to safely host Immich on the Internet using a nginx TLS reverse proxy. You can review the docs, https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/guides/remote-access.md and https://github.com/ckuyehar/immich/blob/ckuyehar-docs-updates/docs/docs/administration/reverse-proxy-tls.md
Just throw in what you did here @timber cairn it'll get crowdsourced 😛
I looked at using nginx, and others but settled on caddy. As a newbie I liked the almost zero config option and the automatic ssl. (I have no connection to caddy, except that it worked well for me).
yea, I guess it's a matter of preference...
for you caddy is easy, for me the more advanced options are easier to use in nginx 😛
I started with apache and moved to nginx (swag by lsio actually)
I am currently using nginx for reverse proxy to my domain + cloudflare to protect against bots and such. My cert is from letsencrypt via certbot because it was the easiest to set up lol
@thin tide @zinc merlin I am using the VPS + WireGuard + Caddy method to host Immich but there is a problem that the IP address of the client that sign in to Immich will always be the address of the WireGuard tunnel, for example 10.66.66.8.
Do you have an idea how to solve this?
The VPS is used to forward the TCP traffic over iptables to the home server.
googles
I’ve looked into this before and I thought it was pretty tricky (impossible?) without forcing ALL traffic back through the VPS…. Seems like it may be possible with packet marking? Anyone have a guide?
not sure I understood the issue...
but in order to NOT have everything come from the tunnel network, you will need to route the network on the other side.
e.g. you have 100.66.67.0/24 as your client network and need to make sure this gets routed from your VPS to the wireguard tunnel
then you can have clients in that range without NATing them
@high spade is that what you were looking for?
I think that we want public IPs to access resources through the WG tunnel and maintain the source IP (for fail2ban etc)
but caddy should be running on the VPS, which is before the wireguard tunnel... so the traffic that gets tunneled will be the proxy traffic... just have to take care of the headers to use the real ip / x-forwarded-for or newer versions to use with fail2ban etc.
Yes but if you do that your traffic is decrypted in the cloud, which I prefer not to 😉
Also breaks SSH or other TCP traffic
then host directly at home 🤣
no sense in tunneling it through a VPS unless that offers other protections...
but to answer the question anyhow....
yes you could do it with policy based routing / packet marking... easier to do if you have two interfaces, then you can just mark all incoming traffic on that one interface
without packet marking:
I am not super familiar with linux but I believe you could also do this with ip rule (also assuming two separate interfaces)
something like ip rule add iif wg-bridge table 100
I use the VPS to get around port restrictions at other sites. Lots of places lock down non port 80/443
I’ve also found my VPS to have better peering especially when I travel to other continents 😛
Will have to look into it
mhh? you mean you don't use these ports at home?
yea, that's true... some residential ISPs don't offer good international peering for their customers
defo valid reason
you can, though it's a bit complicated 😄
you can check for a SNI and if it doesn't have one, you can socks proxy it
for nginx you would need two separate proxies but i believe haproxy can handle that use-case
Yeah I think there’s a way to inspect the packet and then route based on that but I don’t want to break the backbone of my self hosted services 🤣
I feel confident enough with SSH being exposed with the way I have it setup otherwise
not route but proxy based on that, but yes
👍 different ways to do it...
I decided to have a jumphost exposed via ssl to do ssh
I believe when I tried, i used a stream proxy with ssl_preread on nginx and had a default point to another nginx instance because nginx was unable to handle both a streamproxy and normal proxy at the same time (forgot the exact reason).
I was tired of running two proxies though and didn't want to read up on haproxy so I just dropped that setup 😄
that was one rabbit hole I did not enjoy so much (simply because of the results I had with it, was not to my satisfaction)
BUT, what you could do with it...
you could forward just the stream, without decrypting it
meaning you run a proxy in the VPS and simply do not decrypt it
you would need to use proxy_protocol to identify the original client IP though
but probably a good way to solve this use-case
Rabbit hole deepens 😅
well, it's really only a rabbit hole if you want both, decrypted and unencrypted at once
which is what I wanted...
but for your use-case, a simple tcp proxy would be good
theoretically, wouldn't even require wireguard
just limit external traffic to the VPS external IP but that is the same with tcp proxy or ssl proxy
I'll try to explain better:
Client (34.6.185.182) --> VPS (WireGuard 10.66.66.2) forward the TCP traffic over iptables --> home server (WireGuard 10.66.66.3)
The access logs will always show that every user accessed the Home Server from 10.66.66.2 but I want it to show the real IP address of the client in the logs
yea then that comment right above to what you responded to, should help... in that case I understood correctly..
the rest afterwards was not related to your specific use-case but one Zeus was referring to (his own use-case)
kinda wondering but why do you run wireguard on a vps?
I will try to see how I can implement this.
Regarding the wireguard, it's for the server at home to access the VPS. The server at home is behind CGNAT
provider doesn't offer at least a fixed port? lol
well anyhow, doing it like above should give you a unique IP per client by not using NAT towards your proxy/webserver
any doubts, let me know and I'll try to help
Wait wasn’t that my exact use case lol? I want to preserve the source IP through a TCP WireGuard tunnel
not exactly
for Aviv, he has the clients using wireguard
for you, your "clients" connect to your VPS with a public IP but are not wireguard clients.
Hi to everyone!
I'm trying to set up a remote connection to my Immich server, preferably through VPN so that only my device can connect to it. Is there any guide, video or discussion that could help me with this? 🙂
I'm fairly new to Immich and tech stuff, so, if the guide in question could be dumbed down or something that'd be a plus
I'm currently going over the "remote access" article on the Immich website, therefore, I clicked on the Pi-hole documentation and am currently reading through the wireguard stuff
Hi you would be best off googling “how to setup WireGuard vpn”. You don’t need an immich specific guide
I have a domain which I want to use for this thing on a certain subpath, say https://example.com/immich. Can someone please help me do the same. I was thinking of going with cloudflare and I have set it up and also did the access part but I came to know that with that we won't be able to use the mobile app. Is there any way I can have MFA and access the app?
Immich doesn't work with subpaths @quasi sentinel
For MFA you should use an OIDC provider
Okay so what I have to do is remove the cloudflare access and use an oidc provider right
You'll likely want a proxy so you can use subdomains (which makes things easier IMO)
You can use CF but it will be limited to 100MB files externally
Do we have any video tutorial for the same cause I am a newbie in networking stuff and finally I figured out cloudflare today but due to its limitations now I will need to look the other way because mostly I would be using the app
For anyone looking for a quick way to set up a VPN, this is a guide that includes a very simple script to run and contains an excellent explanation
Get started using Oracle or Google free tier, or even a cheap VPS from RackNerd: https://ideaspot.com.au/racknerd
Commands used to set up the server are on my blog at https://ideaspot.com.au/blog/wireguard-setup
At IdeaSpot, we support the free and open exchange of knowledge and information. Please support us by using these description links i...
like Mraedis said, you can use the mobile app with cloudflare, cloudflare just limits the size to 100mb files, so you will need to upload larger files from within your home network
And another disadvantage of using CF is that if they want, they can read all the information that passes through their service if you use Cloudflare Tunnel.
But mostly It would be used by my friends after the initial testing so it will be a problem for them in future. So I am planning to use NPM with Lets Encrypt.
And as recommended will use subdomain
Hi guys I needed help in making my immich instance public. So I followed this steps
Step 1: Sign Up for a No-IP Account
1. Go to No-IP.
2. Create a free account.
3. Click “Add a Hostname”, and enter a subdomain like mypi.ddns.net.
• Hostname: mypi.ddns.net (or your choice)
• Type: DNS Host (A)
• IP Address: (It will auto-detect your public IP)
• Click “Save”.
Step 2: Install No-IP Client on Raspberry Pi
Step 3: Configure NGINX for the Subdomain
Create a new NGINX config file:
sudo nano /etc/nginx/sites-available/app.yourdomain.com
Add the following configuration (replace app.yourdomain.com and 1234 with your actual subdomain and app port):
server {
listen 80;
server_name app.yourdomain.com;
location / {
proxy_pass http://localhost:1234;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Enable the configuration:
sudo ln -s /etc/nginx/sites-available/app.yourdomain.com /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
Run the following command to get an SSL certificate for your subdomain:
sudo certbot --nginx -d app.yourdomain.com
These are the steps given by chatgpt. I did all as said and then added a CNAME record to my domain dns
Create a CNAME record in your domain registrar’s DNS settings:
Type   Name   Value
CNAME  app    yourname.duckdns.org
But when I browse to app.mydomain.com I get redirected to something GX portal. Is there anything I am doing wrong?
And certbot fails as I think my dns is not set properly
Sounds like you need the CNAME first, then certbot
just making sure but your CNAME record needs to point to a valid A record which would need to resolve to your IP (app.yourdomain.com needs to point to mypi.ddns.net)
damn you have so many references to black out your domain, it gets confusing...
either way, duckdns points all *.yoursubdomain.duckdns.org to the same ip as yoursubdomain.duckdns.org and you can use that as your dynamic dns as well...
do you have access from outside your network? make sure you forward ports 80 and 443 on your router to your Pi machine.
if you are behind a NAT, you'll have to setup a tunnel, like cloudflare
Okay thanks guys I will check all the above recommendations later today.
does anyone have a good solution with cloudflare tunnel only?
currently I have the default zerotrust authentication with google
then for the api I have it set up to have a certain proxy value to let you in
idk, chatgpt came up with this
not sure if it's just me but I don't fully see the whole picture, maybe elaborate a bit on how and what you did, what your goal is and what you would like help with exactly
I was just asking if there was a better way to do this
or was chatgpt cooking when it set this up for me
can you still use the webUI this way?
I think I vaguely have the idea of what you are doing here
if the connecting client has a secret, then your cf tunnel will not try to interrogate the client and let it pass
it's probably fine since the immich API is going to be guarded by its own API keys instead
I think not
last time i tested it didn’t work
yes
I left the api open when the secret key is given
but the web ui is guarded by cloudflare access
I mean what if you just don't do anything?
immich isn't supposed to have something standing in front of it this way
because it does oauth itself
is it a concern where you want to protect immich from exploits etc?
(where now you need auth before you could exploit it)
I didn’t know that
I thought that it was just something to keep other people out of the immich server
I thought that it wasn’t enough for a public server
and is the authentication of immich brute-force proof?
technically yes but also there's times when you don't want to keep people out
(like shared album)
ok
if you use SSO then it depends on your SSO provider
if you use built-in auth, I am not sure about that
what is sso?
sorry
there ARE some people who wall off immich entirely to protect it, that's up to your personal risk tolerances
your approach of using a secret header would be the correct way to do it
SSO, when you use oauth to login, instead of builtin login
my immich web ui is just broken when using the sso from cloudflare
it gives 403 I think
but that is okay for me
as I just use it for the immich app
to be clear, when you use sso I meant the oauth setting in admin
not just placing a forward auth proxy on cf level
haha I don't know about that one
I just use the default zero trust access thing
is this setup in immich?
when i refer to oauth/sso i refer to this setting specifically
you can disable the password login
haha didn't know it existed
I just use the cloudflare access page
so the proxy one
but I will ask chatgpt to explain this to me later haha
so I can understand this
so what you did is effectively forward auth proxy?
since your cf tunnel is forwarding user to auth with cf
honestly not so sure about cf part i dont use that
idk
I think there should be a way to still at the very least make it accessible via web
I think so
I mean I wouldn't be able to accept that I can't use web lol
but it fits your usecase sooo it seems fine
haha
ok I will do this then
as for security wise, well using a secret token is fine
but I would move toward oauth so you still got 2 layers (secret token, then auth with sso)
authing with sso is better in that you can set bruteforce protection etc
but my security token is buried somewhere in the proxy headers
and I think the immich app doesn't work with auth sso
you mean you weren't aware of that oauth config beforehand?
immich has the possibility to use oauth, you still need a oauth provider though
I'm trying to reverse proxy immich with nginx so I can access it outside the network but when I try to create an ssl cert for my duckdns it just says "Internal error" does anyone know how to fix that?
how do you create it and where does the error appear? the more info the better
Sorry I followed a youtube video so I'm not even too sure on most things and I only just got unraid, in the unraid docker I downloaded NginxProxyManager, I created a duckdns domain and entered my ip, I used the nginx web ui to then reroute the duckdns to the ip and port of immich, this works perfectly however there's no ssl, in this screen in the picture when I click save after requesting a new ssl cert it says this
this is what's in my log file for nginxproxymanager
PM] [Nginx ] › ℹ info Reloading Nginx
[app ] [2/23/2025] [5:24:56 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload
[app ] [2/23/2025] [5:25:01 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #12: immichddnsserver.duckdns.org
[app ] [2/23/2025] [5:25:01 PM] [SSL ] › ℹ info Command: certbot certonly --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-12" --agree-tos --authenticator webroot --email 'email' --preferred-challenges "dns,http" --domains "immichddnsserver.duckdns.org"
[app ] [2/23/2025] [5:25:01 PM] [Global ] › ⬤ debug CMD: certbot certonly --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-12" --agree-tos --authenticator webroot --email 'email' --preferred-challenges "dns,http" --domains "immichddnsserver.duckdns.org"
[app ] [2/23/2025] [5:25:13 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/temp/letsencrypt_12.conf
[app ] [2/23/2025] [5:25:13 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t
[app ] [2/23/2025] [5:25:13 PM] [Nginx ] › ℹ info Reloading Nginx
[app ] [2/23/2025] [5:25:13 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload
[app ] [2/23/2025] [5:25:13 PM] [Express ] › ⚠ warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
[app ] Some challenges have failed.
[app ] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
for reference email does have my correct email, was just taken out
Check the log file at /tmp/letsencrypt-log
How do I get to the tmp folder? I cant seem to find it anywhere
If I go to the actual nginx ssl cert menu and click test server reachability it says this, however going to the site myself works fine
is my port forwarded correctly? Virgin router btw
You need 80 and 443 if you’re not using DNS challenge
You have 1880 and 18443 mapped to NPM properly ?
I'm guessing not because I have no idea how to do that 😅
Is that not what it is currently?
I’m looking at your ports and it’s fairly clearly not ?
So should the local port range be 80 and 443 too? When I do that the website just links to the unraid ui
is there a chance your unraid is taking up the 80 port?
if that's the case that wont work
what's your local address for nginx proxy manager?
the external port ranges for 80 and 443 should point toward the ip address of the NPM
if it's pointed to unraid's IP that would mean all the cert challenge is sent to unraid which has no clue about any of this
at risk of explaining the unnecessary things:
there's only 65535 ports for one IP (internal and external)
but inside your network you can have multiple devices inside that network, each having services hosted on different ports
but you probably only get one external IP, all of these devices inside that network of one IP has to be represented by that IP
if I have ip1:80 and ip2:80 that means that the PUBLIC IP:80 can only be linked to one, either ip1:80 or ip2:80, but not both
(external port) -> (internal device and port)
public ip:80 -> ip1:80
public ip:8080 -> ip2:80
TLDR: one of them has to move to make way for the other
after googling it, it seems like it
I'm not sure which one is that the 172 or the 192 one?
is that just the ip address of the pc running it? if so it already is
I'll try moving unraid's port now
the http port is port 80 for unraid, does it matter what I change it to?
yes the device+port running NPM should take up the external port 80 and 443 entries
any should be fine honestly
if you put NPM in front (port 80/443)
doesn't that function as a reverse proxy?
you can just have a subdomain that routes the traffic back into unraid
because reverse proxy functions as a [de]multiplexer
acting as a middle man that routes the request to the correct host
based on certain conditions like host names
so that the valuable ports (80/443) can be shared by multiple services across multiple devices in the same network
if you aren't sure, visiting it directly should give you a clue to what's hosting what service
So it should be like this? When I try to also port forward the 443 port it says this
Is it the one that shows the congratulations screen saying to sign into the admin panel? If so its just my computers ip with the port 1880
you will probably need to move around some rules so that the space is free
the rule is the one I just made because I need to port forward both 443 and 80 to 2283 don't I?
remember that the left is internal the right is external
the internal ip is the IP you use to access the device
the internal port is the port you use to access the service using the internal ip
the external port is the port you will have to use to access the service externally
basically you are telling your router that "if any traffic comes in on port XX forward it to the device on this internal ip at this that port"
what you want is to make sure that NPM has the correct external port (80/443)
from what I can see it feels like you are flipping internal and external
or I might be wrong and your router uses a different terminology
Sorry I dont seem to be getting it, so I should flip it? that causes the same issue
"that causes the same issue"
because the rule already exists in the table
the router doesn't want you to have 2 rules about the same thing (it wouldn't know what to do about it, that would be conflicting)
but aren't 443 and 80 both supposed to go to 2283?
hm no
NPM should still have 2 ports
one for HTTP and one for HTTPS
the 80 one goes to http
the 443 one goes to https
this warning probably means that the 2283 local port is already routed, so it can't be used again
The immich server only seems to have one port though
uhh
well the thing is your NPM should be the front
unless you have no intention of using NPM?
because it is like this
Internet -> Router -> NPM -> immich
so that means you need to tell the router to forward everything to NPM
then tell NPM to forward related traffic to immich
Ohhh so I need to port forward the npm ports? how would that work with these, sorry I have no idea what I'm doing lmfao
uh give me a second let me make sure NPM works the way I expect
Just letting the note here that you should have a solid understanding of self-hosting concepts to be able to have a proper backup plan and handle your data (somewhat) safely. Especially for Immich, which is hosting your most precious memories
hm wait what is that UI?
that doesn't seem like NPM itself
Unraid
yes you only need to forward the NPM
that's the whole point of having a reverse proxy to route your request so that everything can be accessible from the same port
currently all my photos are stored again separately on my pc's hard drive and they will be for a while too to make sure I know what I'm doing, once I do how should backups be made and stored?
ah ok but since there's three how do I do it? and also which ports go to where
The topic is way too deep to explain in a single message, but there are dozens of articles & videos on that online. As to backup tools, restic and borg are popular alternatives.
Having your images on one other drive isn't safe in any way
ah ok I'll take a look once I have everything going, thank you
18443 => 443 (external)
1880 => 80 (external)
Btw the ports you chose are super weird lol
80->80
443->443
in your case I am guessing
4443 -> 443
and 8080 -> 80
but you mapped 4443 to 18443
which means you need to tell the router that port 443 external should go to 18443
and 80 external should go to 1880
Ideally you do that before you start with anything
the pictures aren't too important so I don't mind too much if they were to go but I see what you're saying, I'll definitely take a look soon
Ok the domain is pointing at immich again, as for the ssl settings what should I turn on? Ideally I want to be as safe as possible while still being accessible outside the network
also as for the scheme should that be on http or https?
http
Force SSL makes sense
HTTP/2 support is unrelated to security but still neat
What about hsts?
Can also enable that if you want
I would advise starting with as little toggles as possible
And then turning them on one by one just in case it doesn't work for one :p
Logs?
Just with those settings?
I'm guessing it fails to fetch the cert
with them all switched off yeah, I haven't tried any others
Because stuff isn't set up properly
do you know how I'd get those?
Just the container logs
[app ] [2/23/2025] [7:13:20 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/proxy_host/1.conf
[app ] [2/23/2025] [7:13:20 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/proxy_host/1.conf.err
[app ] [2/23/2025] [7:13:20 PM] [Nginx ] › ⬤ debug Could not delete file: {
[app ] "errno": -2,
[app ] "syscall": "unlink",
[app ] "code": "ENOENT",
[app ] "path": "/data/nginx/proxy_host/1.conf.err"
[app ] }
[app ] [2/23/2025] [7:13:20 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t
[app ] [2/23/2025] [7:13:20 PM] [Nginx ] › ℹ info Reloading Nginx
[app ] [2/23/2025] [7:13:20 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload
[app ] [2/23/2025] [7:13:25 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #15: immichddnsserver.duckdns.org
[app ] [2/23/2025] [7:13:25 PM] [SSL ] › ℹ info Command: certbot certonly --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-15" --agree-tos --authenticator webroot --email 'email' --preferred-challenges "dns,http" --domains "immichddnsserver.duckdns.org"
[app ] [2/23/2025] [7:13:25 PM] [Global ] › ⬤ debug CMD: certbot certonly --config '/etc/letsencrypt.ini' --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-15" --agree-tos --authenticator webroot --email 'email' --preferred-challenges "dns,http" --domains "immichddnsserver.duckdns.org"
[app ] [2/23/2025] [7:13:27 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/temp/letsencrypt_15.conf
[app ] [2/23/2025] [7:13:27 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t
[app ] [2/23/2025] [7:13:27 PM] [Nginx ] › ℹ info Reloading Nginx
[app ] [2/23/2025] [7:13:27 PM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload
[app ] [2/23/2025] [7:13:27 PM] [Express ] › ⚠ warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
[app ] Some challenges have failed.
[app ] Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
Yeah NPM is annoying for logs like that 😛
I see...
did the reachability check work first?
"Could not delete file" does NPM not have the right permissions on its own data folder?
how would I check that?
I haven't changed any permissions I don't think, how would I check?
Idk I don't use unraid
i don't know how you tested this in the screenshot but making sure it passed is probably ideal (otherwise NPM can't get the cert challenge)
would this be something to do with it?
Possibly? I really do not know
I just opened the log on the docker container
see what i am replying to
ah sorry
You can just ignore SSL for now and see if it saves the config without
If it does, not a permission issue but an SSL/port forward issue
If it doesn't, permissions issue
wdym config? I believe it's entirely working, it just isn't secure as I can go to the website in my browser and it brings up the immich login but says not secure at the top
yes we want to make sure it works first
right... you're not using split dns right now 😛
then we can worry about that later
I'm staying out of this, it's sleepy evening time 😄
i really should be sleeping soon too zzz
good night haha sorry I'm being so difficult I really have no idea what I'm doing
how would I check it works?
what they said about trying to get it to save while ignoring SSL
also you could try visiting it yourself
what does it say if anything?
ah it does save fine, and I can access it too in my browser
just takes me here
so first is that routed to your public IP?
I'm not sure what you mean but in the like url box it has the duckdns.org url
or do you mean is the duckdns domain routed to my public ip if so yes
ok ok
that's correct then
next in the router what's the external port 80 routed to
(it should be towards NPM)
1880 I think
This domain does not work for me
How can it work for you?
Nvm I typo'd
😅
I have no idea but it is 😅
ah ok lmao
Then I'd say just screw this
But I don't have any experience with NPM, so
¯\_(ツ)_/¯
does that not allow others on the network to potentially see the login details though?
Yes, you don't want to keep HTTP only
But that's unrelated to the message I replied to no?
I'm just saying that that accessibility check may just be weird
that's testing the server reachability under the ssl certificate bit
maybe a couple hours ago now? I'd say an hour at the least
it says on duckdns actually, 3 hours ago
what if you put that domain name and just click save?
seems like it is accessible by others
just to put you at ease, @velvet mural setting up my proxy and DNS correctly was the longest setup of my home server adventure by far 😂
You don't have a proper router up and running yet? 👀
like this? it says this
thank god 😭
The domain name does not include the protocol
CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.
at /opt/nginx-proxy-manager/lib/utils.js:16:13
at ChildProcess.exithandler (node:child_process:410:5)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
I said properly 😛
Huh?
Yeah you need to check those logs. I have no idea why it would fail, I can reach your npm
Back to the permissions issue! yay
Do you have any idea how? I cant find them anywhere
ok seems like this is just going back to the permission issue
Get a shell inside the NPM container
And check out the logs
errr this is going to be finicky i don't know unraid so i don't know what's the correct permission user and settings
mind walking me through it? 😅 I have no idea how to do that besides open up the console
open the console, run pwd to see where they put you, run ls to see what's around
or you can just cat the direct path
Or make your life difficult and do this lol
I mean yeah I feel that
But if the error log literally gives you the path that's just wasted time
anyways good luck i am going to sign off now and catch some Z
Either way you can continue now; I'm off for the next hour or so :D
Oh
Well
I'll be back later 😅
haha don't worry if you're tired you can go to bed I've been at this for hours so wouldn't mind a break
Bro that's the second time you messed up copy pasting lmfao
You should really take a break hahahah
Obviously just typing
it doesn't let me copy paste inside of the console haha I wish it would
it gave out like a wholeee bunch of text how do I send it? it won't let me copy
aha
maybe it's because the domain is new and hasn't updated yet?
how do I change/fix that? 😭
Wait no it also said A record 😛 nvm
mraedis@Pegasus:~$ dig A immichddnsserver.duckdns.org @ns1.duckdns.org
;; communications error to 99.79.143.35#53: timed out
;; communications error to 99.79.143.35#53: timed out
;; communications error to 99.79.143.35#53: timed out
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> A immichddnsserver.duckdns.org @ns1.duckdns.org
;; global options: +cmd
;; no servers could be reached
mraedis@Pegasus:~$ dig A immichddnsserver.duckdns.org @ns2.duckdns.org
;; communications error to 35.182.183.211#53: connection refused
;; communications error to 35.182.183.211#53: connection refused
;; communications error to 35.182.183.211#53: timed out
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> A immichddnsserver.duckdns.org @ns2.duckdns.org
;; global options: +cmd
;; no servers could be reached
mraedis@Pegasus:~$ dig A immichddnsserver.duckdns.org @ns3.duckdns.org
;; communications error to 35.183.157.249#53: timed out
;; communications error to 35.183.157.249#53: timed out
;; communications error to 35.183.157.249#53: timed out
; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> A immichddnsserver.duckdns.org @ns3.duckdns.org
;; global options: +cmd
;; no servers could be reached
Maaaaaaaaybe this is the issue 😂
duckdns's own nameservers are broken
I was just about to say that 😭 just found a reddit post about it
someone recommended noip.com instead would that work?
I honestly just bought my domain to avoid these issues
I do actually have a domain but it's used for my business, would it be fine to attach it to that or is there any risk with it?
no-IP is basically the same service as duckdns so that should work too yes
I'll give it a try
@distant crypt @ivory lark ^ never would have found that lmao
yeah no ip is paid and the problem seems to be VERY common with duckdns so I'll just buy a domain
Great! just add an A record for immich.yourdomain.tld on your other DNS and point it at your IP
should work fine with letsencrypt this time
...probably
hopefully 😭
it doesn't matter what the website extension is right? like .com, .co.uk, etc?
haven't done research but i see people vouch for
https://desec.io/
but paying will probably be the nicest solution cuz you are now the customer
yeah honestly some domains are dirt cheap like £3 a year so I may as well just do that
noip renewals are annoying tho
if you want a real dirt cheap domain use like xyz with purely digits... it's not just like a one off discount
Am I able to do that with cloudflare?
not sure try and see if they support special pricing
downside hard to remember domain
also I've been so focused on this I haven't even actually asked, once this is all set up will immich always connect via this or can I have it connect inside the network too whenever the phone connects to the home network?
does that matter if I only really put it in once?
yeah cloudflare supports xyz, not too sure if you can sort by anything though or if you just put in random numbers
that's 99c/yr if cf supports special pricing
but like even with a normal pricing it's not going to cost an arm and a leg over for
you can have it connect directly if you have the correct setup
I don't think it does because whenever I search for them on the registrar the xyz extension isn't even there anymore
ok thanks
The immich app has split URLs, from inside the network just select direct IP if you want, otherwise look into split-DNS
basically you will want 2 addresses
one is the public other is private
i have 2 domains cuz i am weird but you don't have to be
ah ok thanks that's exactly what I wanted haha
ok so I got a domain for the dns records what do I add?
star CNAME is basically as anonymous as it gets for domains
What do I like put in the boxes?
😭
OH WOW
Don't tick the proxied box for starters @velvet mural
A record, host *, IP whatever your home IP is
like that?
Just *
also it should be my public ip right?
Yes
Ok I've added it what do I do now?
Wait a few minutes
is the orange cloud off?
alright, also do I need to remove the port forwarding and stuff I did before or no?
yes
hurray
No port forwarding is fine
Just wait 5 minutes and try the cert with your new domain
I've already had issues with their proxy when I used google sites lmao
alright thank you, do I still need like npm or is it all just through cloudflare?
You don't want to use CF for https
why not?
Because then they can read all your stuff 👀
as in cloudflare themselves? I dont really mind that
I'd still use NPM but that's just me!
Can I use both?
*you also get the 100MB upload limit with cloudflare
Not for https no
It's also useful if you want to host any other service
It's just dumb
I'll just stick with doing it through cloudflare it doesn't really matter that much to me
once the record has updated what do I do?
Add immich.domain.tld in your NPM, this time don't use HTTPS if you want to go CF
like this?
Don't do cache and toggle websockets
