#Exposing Immich to the internet

it should 👀

ok and is that like secure?

Btw, just as an FYI, but adding immich to your domain is kind of unusual, since you typically use a domain for multiple things (you will too)

About as secure as it gets for any web-facing service

(again the short answer :))

I don't think she bought immich.eveimmich.tld ... 😛

Oh it's .tld

I already have another domain I could use so I dont mind

I am blind nvm

what is the tld bit?

ah lmao

I meant immich.yourdomain.com/org/us/nl/...

ohhh 😭

TLD is the last part of a domain name

Top Level Domain

TLD

ok I've changed it lmao, but also wont that still be http? I thought that was what made it so insecure

The communication between the Immich container and NPM is insecure/http, yes

am I not supposed to be using https for that?

You cannot

Immich does not do HTTPS

NPM-immich is all on your own network

So if you're worried about that part, you've got bigger problems 😛

ah ok, is it possible for anyone to grab the passwords/usernames? say if you were on a cafes wifi and logged in? thats what I really mean by is it secure

No that part is secure

ah ok so what exactly isnt secure then? sorry for asking so many questions I just dont really understand it 😅

The communcation goes

<you somewhere> => your home => NPM

All of that is secure until NPM

When you hit NPM you're in your local network

NPM terminates the SSL connection

And forwards the request to your immich container

Not if they use CF*

ah ok, so someone could but theyd have to be on my actual home wifi to do that? if so thats fine

Oh right. Not if you use cloudflare as your proxy

Yeah. And not even that if you use a docker-internal network :D

ok thank you I'll message later whenever it starts working you've all been a big help 😭

oh actually how will I know its working? like what do I type in my browser and what screen should I see?

You bought a domain right

For starters the NPM domain test should work

yes

just type https://immich.domainwhatever.com

or .org or whatever it is

how do I do that?

currently it just shows this is that right?

at least until the records update

I meant here ^

For this

ah ok ill try it now

what do I put in there?

Where exactly?

Your domain?

Yeah just your domain

So immich.eveimmich.uk

it takes a while to load then just puts this out again

The port forwards are still there right?

no I removed them someone said I didnt need them now

should I add them back?

noooo who said that

You do.

😅

Ill add them back now lmao my bad

No worries ;)

Lies! I said it was fine!

Should've put the comma there, I thought that was clear from context 😛

Lies?

someone said I didn't need them now
Me:
You do.

Ah I thought you meant I said it

Which I did though 👀

Oh I have no idea who did lol

"No port forwarding is fine"

Is what I said lol

this is correct right?

Ooooh

I see

Should be, yeah

thats my bad I did wonder if you meant that but I wasnt sure 😭

Nah it's not your bad

Alright now all you need is SSL

It's always fine to blame Mraedis

For whatever really 🙂

One of these days, Daniel, one of these days

✊

still the same error here and also when I go to it in my browser now it says this

You had the opportunity to come to FOSDEM 😤

... Do.. Do you WANT to get punched?

Is that from the "test server" in NPM?

Hokay back on topic lol

yes

The domain works for me again for http

And that https doesn't work is to be expected

What NPM is doing? I have no idea

ah yeah the url had https, so when I connect to things I should connect with http://immich.eveimmich.uk/ ?

Not when we're done here

ah ok whats next lmao

Trying to figure out why NPM is still complaining about your domain

could it be that its set to flexible?

You have the orange cloud off, right?

yes

Then that doesn't matter

You can add SSL certificates in NPM without setting up a proxy for it fyi

If the http challenges really aren't working you can use the CF API

https://ryanfreeman.dev/writing/secure-your-websites-with-lets-encrypt-npm-and-cloudflare skip to the Create an API token section

wait so what am I supposed to do? 😅

"add SSL certificate" on the right

ah ok then custom?

Letsencrypt and select:

ah ok ill try now

I get this error when doing that

ah that I did not know 😛

Then no wildcard I guess

how do I do that?

just immich.eveimmich.uk

I think it did it

hurray

Now you go back to your proxy host

select your new cert on the SSL tab and also "Force SSL", and HTTP/2 support

alright ive done it

and it works, huzzah

http should also be impossible now

yep it just redirects back to https

Is that everything? Now I just need to set it up on mobile?

On your mobile you can just use the local IP with http when connected to home Wifi and your https URL when not

Why is the like error sign there? Did I put it in wrong?

I’m just stupid nevermind 😭

you forgot your .uk ?

yeah I fixed it now lmao oops

How can I like verify its working? I went on my mobile data but when I try to refresh it just seems to keep trying to reload

uhhh

If you refresh too much it goes to rebuild the timeline

too much being twice

I'm not sure why it did that but restarting the app only being on data seems to work and it can refresh so its working right?

yeah now switch back to wifi and see if it still lives 😛

it seems to be workingggg

thank you everyone for your help lmao I can finally go to sleep 😭

night!

goodnight!!

I should have played with proxmox firewalls way earlier. I’ve locked down all LAN access to VMs other than whitelisted ports, and loaded in heaps of countries and known scanner IPs to blacklist

Would def recommend for anyone exposing stuff at home

I can also block my 🏴‍☠️VMs from all LAN access

This wouldn't be useful if I have an upstream firewall and proxy already doing this work right?

How does your upstream firewall segregate the LAN?

VLANs. Any services I host are on the DMZ which has its own trunk port.

You’re probably already good then. This is basically a poor man’s vlan

when doing the cloudflare access thing on immich web page it gives error 403

any quick fix?

Error: 403 - undefined
Error: Error: 403
    at Object.mt [as ok] (https://immich.example.com/_app/immutable/chunks/BYB68Yzy.js:1:8008)
    at async Promise.all (index 0)
    at async n (https://immich.example.com/_app/immutable/chunks/DkGcw9C2.js:1:511)
    at async o (https://immich.example.com/_app/immutable/chunks/ruygQ5gm.js:1:177)

is that something proprietary or does it use some virtual opnsense?

I also just use a firewall with VLANs to segregate the LAN, however I do not have the firewall in between the docker networks... that was a bit too much effort for me 😄
i only connect containers where needed on separate networks, if they connect anywhere outside the docker network, they go through the firewall

It just uses iptables lol

lol, better than nothing i guess

I prefer simple Linux kernel stuff like that over some proprietary BS

which is just port blocking, right?
which is not enough nowadays ^^

Not sure what you mean
I use geo, scanner, and firehol IP list blocking on the proxmox level. Then I have crowdsec and fail2ban running in the VM that has 80/443 exposed and forwarded from router
Then i also block LAN traffic into and out of most of the VMs except for whitelisted ports

thats more than simple linux kernel stuff/iptables
I meant that nowadays, just layer4 security is not enough to protect from threats

why do you have crowdsec and fail2ban? isnt crowdsec a crowd based fail2ban solution?

Crowdsec doesn’t integrate with logs in the same way, or it was too much work to do so. For immich login attempts for example

I also like security in layers. Probably could get it all done in crowdsec but it’s not documented so well

yea, i havent tried it but from what i read it is supposed to have two parts, the local log analysis, which contributes to the crowdlists and then the lists provided by it...
the local log analysis can be configured similar to fail2ban I think

I subscribe to a few lists to block out known stuff as well and then add to it with access I know is not legitimate and put that on a blocklist as well
stays fairly quiet this way, without those, the logs would be filled and I could not reasonably analyze them

i would really like to try modsec but i think that nginx integration is a bit more than difficult and I dont want to switch my reverse proxy

Let me know if you figure out a way

I think there’s a nginx image that has it but I haven’t really looked into it. I don’t feel like changing out all my nginx config

i am not looking, last time i checked it wasn't feasible to do and maintain it
I have better stuff in place anyhow but would like to do it for fun if it becomes feasible with nginx

@leaden sigil there's lots of info in here, please don't PM me

This thread dates back nearly two years - is there a recommended place to start reading from?

Scrolling up it looks like recently someone setup nginx-reverse-proxy manager, which is part of my current (working) setup. But I'm working on trying to secure my exposure to the Internet.

I started reading from here, because I am also using Cloudflare. I own a domain.

I've been using CNAME's as subdomains for Docker containers

I don't understand how the instructions for setting up an A record with an * work, though. Where do I put the domain in that I bought? Edit: Nvm, I figured out/understand this part now. Since I already own the Cloudflare domain, it's not necessary to input.

Do I leave the current A record I already have that works and add an additional A record with the *?

@green dome Okay, I added an additional A record (I'll consider removing the original), followed the instructions for *, added the correct config to NPM, and I have HTTPS access to Immich. Is this considered secure?

Looks like I just need to generate certs for each subdomain I want.

I'm also using the container maintained at https://github.com/favonia/cloudflare-ddns to regularly check and update my WAN address. I initially had an environment flag PROXIED=true. I just set that to false.

Luckily I didn't hit the cert limit in NPM because I only have 3 apps exposed to the Internet right now. But I removed all the CNAMES and the old A record from Cloudflare, and only have the * A record now. And everything is working.

"DNS only"

Actually after reading the documentation on favonia's Github, looks like you don't set it to false. You either set it to true or just remove it from the environment variables entirely.

But since "the default is false", maybe setting it to false just does the same thing as removing it.

So now the overall question is - do I have Cloudflare set up as ideally as it possibly can be?

From https://internetsecure.org/ :

It doesn't show up under the internetsecure diagnostics, but I setup DNSSEC (maybe unnecessary, I don't know) and https://dnsviz.net/ seems to show it working.

What I can't seem to get to work is a rule for geolocation blocking.

where are you doing the geo blocking?

DNSSEC tester is broken on that site, yes

And I can post the PNG

I'll show what I tried for geolocation blocking

that looks right for dnssec (which isn't a massive deal anyway tbh)

Yeah, I'm finding that out the more I read about it

But oh well, it's enabled and it works, so I may as well leave it, I suppose

still good to have

That seems to be what's recommended via Googling, but I could be doing it wrong.

I have a PIA account, so I tried connecting to various countries via VPN, but they all still load the page.

Ummmm yeah you dont get ANY of those features without them proxying you

I see

Thats just how the internet works. Theyre not in your network path

Time to delete the rule, lol

Okay, so still the overall question remains - is this as secure as Cloudflare gets?

An "A" record with *, purely DNS, and NPM generating Let's Encrypt certs for subdomains?

Found this: ignoring the video and reading what user SnooHesitations4877 wrote, it sounds like proxying might still be the way to go. You get all of the Cloudflare security features that way, and I can enable Geolocation Blocking then.

https://www.reddit.com/r/immich/comments/1j28jjn/if_youre_using_a_cloudflare_tunnel_to_access_your/

I reached out directly and they are going to write up a guide and link it to me when it's finished.

That’s fine, as long as you are ok with cloudflare reading all your data in plain text

Is it a problem if it's in plain text? Also I've heard Cloudflare doesn't have a history of selling data collected, and that all logs are anonymous.

I know that's a he-said, she-said type of deal, and they could renege and change their course of action. But that's what I heard is currently the status quo.

we cant know what they do or dont do with it for sure
but we can definitively said they are MITMing your connection
do you feel comfortable about it? that is up to you to decide

I wouldn't say that it's that much safer than a reverse proxy, however using cloudflare hides your IP (if that matters to you for some reason)

I did notice that when I reduced my A/CNAMES to a single A *, the warning for my IP being exposed did disappear.

I know that streaming media across Cloudflare Zero Trust is against their TOS, I'm not sure if Immich is considered as such. I think that applies only for video streaming like Plex

It most likely is

IMO that shouldn't be a warning. People overstress that

Yeah, especially after seeing those cringe public VPN ads. IPs are inherently public.

Yeah this is just cloudflare fear mongering IMO

I'm trying to find the post to forward, but I think Zeus mentioned something yesterday in the Immich channel about DNS being preferred (especially if) I could set up something on my network that would prevent brute-force attacks. But I'm unsure what that would entail. Does the NAS's internal firewall already do that?

no you shouldn’t trust your NAS to do any of that. You’ll want to look into tools like fail2ban and crowdsec

kk, Appreciated

I know Google’s AI snippets should be treated with a grain of salt, but I did see this:

Yeah this is just wrong

Ofc you can run docker containers

You're doing that

Okay it can run in Docker - I hadn’t found that yet - thank you

I actually run it on bare metal directly in a VM 🙈

But it does state that the NAS can potentially perform similarly with its own solution

How do you implement the rules if it’s in docker?

I don’t trust a NAS firewall tbh

Yeah, that’s what I was thinking, too. And why I hadn’t found it Dockerized yet.

I didn't actually think this far but surely it's possible 😅

NAT is the best "firewall" anyway. Nothing is exposed except what you port forward

I hope you're joking right?

I would say anecdotally that the blacklist is a great feature. When I have SSH enabled, it blocks and logs failed login attempts. And blacklists if the same IP tries more than like 3-4 times.

It won't protect against DDoSes and stuff like that, but essentially it blocks all unsolicited traffic unless it's on a port that is a forwarded, right?

NAT itself does not really provide any security and should never be trusted as a replacement for a firewall

Most (all) consumer grade routers combine firewall rules and NAT in "port forwarding" settings though

And I automatically get emails on failed logins and blacklist additions.

But NAT by itself is definitely not a security mechanism

What do you use for that?

An Asustor NAS which runs their ADM OS.

Oh ok, I also have that feature, but on OMV

It’s helpful to have for sure

Ultimately, my connection to the Internet is this:

Google Fiber <-> Ubiquiti UDM-SE Firewall <-> VLAN for home network <-> Asustor NAS.

And as stated above, Cloudflare Domain (currently * and DNS only) <-> Asustor NAS <-> Docker <-> nginx-pm <-> Immich.

So I guess I’m double firewalled. Between the UDM and the Asustor itself.

Looks like Asustor has geoblocking - gonna look into that now, too.

I should probably get around to setting OAuth, too.

Yeah, unfortunately Asustor’s geoblocking is hard restricted to their proprietary apps and services. Docker is ignored. I can still connect from France if I geoblock it, for example.

So that’s definitely a no-go.

But I did discover that the Asustor NAS also offers “Risk Detection Greylist” via an API key from AbuseIPDB. And it already blocked someone right off the bat.

Looking into crowdsec and Fail2Ban during some downtime at work.

Another curiosity - has anyone ever tried Trivy to run security diagnostics on containers?

May have found a solution for crowdsec:

https://www.crowdsec.net/blog/crowdsec-with-nginx-proxy-manager

https://www.github.com/lepresidente/nginx-proxy-manager

Profit?

There’s a other fork with crowdsec built-in that seems like it would be the preferable fork, but it states explicitly in the README that it’s broken with Immich specifically.

https://www.github.com/ZoeyVid/NPMplus

Cloudflare tunnel is great and all, until you need to playback video 💀.

I thought I saw some anecdotal reports that the 100 mb limit is gone now, though (?)

Is it a bandwidth thing?

It’s not gone

If I proxy the wildcard * from Cloudflare, everything still works.

I’m not personally uncomfortable with them receiving my data in plaintext, so maybe this is the most effortless way to go until that Redditor posts what they accomplished and how.

So now I’ll get all of the Cloudflare security benefits

Now I should be able to impose geoblocking, etc.

But https://www.github.com/lepresidente/nginx-proxy-manager is probably a valid thing to explore at some point in time, since it’s reported to work. Although I’m not sure how important appsec is.

And yahtzee, VPN’d to France, and geoblocking works

And USA is working on a refresh (disconnected the VPN before the screengrab.)

And I’m not sure if there’s anything on my end causing it, but proxying through Cloudflare gives me better speed to Immich than using pure DNS.

The SSL Report analyzer at https://www.ssllabs.com/ssltest/ is giving me back a “B” score, which I like. It’s better than seeing an “F” and I can improve it.

Changed minimum TLS to 1.2, now reporting A grade.

I’m assuming SNI is not really something to care about? It seems like it’s for connecting to older browsers/machines (like Android 2.3.7 and IE on Windows XP.)

I repurposed an older 32-bit PC a year or two back, so I could use Windows XP to mod an OG Xbox. It didn’t seem like SSL worked at all anyway.

And if anyone is at all curious about the security of the reverse-proxy offered by Asustor - here are my stats (some just cherry-picked) on my remote connection that way. I had to use https://testtls.com to use a specific port number (SSL Labs does not support this for free):

Used the recommendations at https://algustionesa.com/security-headers to add security headers in Cloudflare. Now I get an “A+” result from SSL Labs. That makes me happy.

I wonder, why would you run crowdsec with NPM? Are you not using Proxy mode with Cloudflare? Does it block that much more than Cloudflare does?

Also, how would this work with Authentik?

I am now using proxy mode with Cloudflare. Staff recommendations were not to due to data privacy concerns, but I made the choice to go with it due to how they (supposedly) handle the data and to take advantage of their added security features (while proxied.)

Many recommendations I found were to find some combination of NPM, crowdsec, fail2ban, and I did see Authentik listed in my research. But I was not able to easily deploy that strategy in my environment.

So now it’s just NPM, Cloudflare proxy with a Cloudflare purchased domain, and hardened (as best as I could) SSL.

And then all the added website security that Cloudflare provides with its service.

Keep in mind that you also aren't able to upload large files and that you are violating their terms and conditions

Fwiw setting up oauth would be a much greater security gain compared to trying to harden SSL or whatever

I do intend to setup oauth

How am I violating their terms and conditions if I’m using a purchased domain from Cloudflare directly?

I think you’re thinking of Cloudflare Tunnels (?)

Using their proxy isn't allowed for serving media or something

I don't know the exact wording

Ah, I see what you’re saying

Cf tunnels are perfectly fine by itself btw, why they have the limitations and stuff is only because it's also using the cf proxy

Oh well, I never saw it explicitly stated anywhere. Hopefully CF doesn’t bite me when it comes to the ToS.

Ah, I gotcha

I proxied my Plex server’s web UI. I don’t plan to do much with Immich other than your average photo / videos taken with phones / cameras / etc.

I’m also using it to serve up comics and EPUBs, though. So I guess I better research those ToS. Seems kind of restrictive, no? Isn’t everything on the Internet some form of “media”?

It’s not like they rolled out their platform just to accommodate Wordpress sites (I would hope)

Nobody is saying that, but they want to sell your their product that's actually built for that purpose

Ah, the expensive package

https://www.cloudflare.com/application-services/solutions/stream-delivery/

I see what you mean there

The longest video I have on Immich is my wedding video from over 14 years ago and it’s extremely low resolution. I think that link describes that they’re mostly targeting people who want to serve up media like Plex.

Which I already have in place

But I can see how maybe I should probably be putting longer videos there and not on Immich. It’s a thought to consider.

The proper solution would be to just not use cloudflare proxy, but we've been there already

Yeah

Well, unfortunately they just make it too simple to set up and figure out.

I won’t stop researching the preferred recommendations, but they require a lot more invasive maneuvers and require a much steeper learning curve.

That argument is fair, yes. Cloudflare is freaking simple

And I’m not sure Cloudflare is auditing your data as it passes through their proxy. I guess no one can be sure of that, but I would seriously doubt that any infrastructure would have the resources to do so on the large/massive scale of data they do serve.

Bandwidth and download rates, sure - I could see that and expect it. But specific content, I doubt.

Sorry if I'm not following your conversation here, but if you have a web domain, why not just use a reverse proxy like nginx on the same server as immich?

Any specific reason for you to use cloudflare?

I know it passes through in plaintext, but I don’t think they see that you have a “video file” necessarily as it passes through.

They want to use WAF and stuff, for reasons

👆

It was also the lowest barrier of entry when it came to configuration / security.

I am using NPM.

Ofc they see that, the question is if they care. And that I don't know either obv

Yeah, none of us do - I guess it’s good that I haven’t heard of any troubles yet, though. I’m not the only one doing it.

If NPMplus worked, I would have gone down that route yesterday.

So maybe in the future if that's ever figured out in whatever kitchen the fire is in, I'll use that as my end solution.

I'm repeating myself, so apologies, but Lepresidente's fork (with crowdsec built in) works, but only because appsec is disabled. https://www.github.com/lepresidente/nginx-proxy-manager

IMO you're worrying too much about the less relevant aspects here

Sure, fail2ban is neat, but realistically it also just doesn't matter

You aren't a relevant target for anything more than some random bots anyways

I mean, it kept being said to harden security with crowdsec and fail2ban.

Yes, because you were asking how to harden it further

Not necessarily - I'm not very good when it comes to security. It was said independently and I latched onto it, lol.

If you don't think it's that big of a deal, I respect your advice / opinion, though. It's a reassuring counterpoint to trying to figure all of that out.

I was happy when I had * and DNS only working, and just NPM.

I am fairly sure that everyone here (including people who work in that area) would tell you that not having cf proxy and also not having crowdsec/fail2ban makes more sense than having cf, especially if you consider adding it later

OAuth though you should get set up

Appreciate it

I'm going to keep the Cloudflare proxy for now, only because I'm not uncomfortable with them receiving plaintext and I can't ignore that A+ rating from the SSL Labs test. But I'm going to keep it under consideration whether or not to switch back to DNS only.

I can't ignore that A+ rating from the SSL Labs test
You can also get that with NPM

Again, time cost - I know it's possible to accomplish, but (also) not necessarily in my environment.

I don't have access to low level nginx config files - I only have access to the web UI.

I know.

Plus, like you mentioned, the WAF stuff is actually nice. I'm not going to backpedal and say it isn't. Geoblocking (while not a solid layer of protection or a reliable one, at that) is good to have as an option. Always appreciate an extra (practical) layer.

This argument never makes sense to me. They’re one of the biggest server providers on the planet, and it would also be super easy for them to target specific users, specific traffic, and/or help with warrantless searches for the gov

Doesn't that mean they would have to audit Petabyte / Exabyte / Zettabytes worth of data, though? Since they're one of the biggest providers on the planet?

I mean, I might be exaggerating (or maybe not) with some of those units, but it's got to be a massive amount of data.

They can easily sniff specific IPs or users

I guess we have AI / ML these days, though, so they could find a way, probably.

Well sure, yeah, that makese sense

They already need to figure out who you are to route the traffic properly
The WAF literally works by auditing your data stream(mostly headers) and looking for threat patterns

So the idea that they don’t have the infrastructure is hogwash. They’re already doing it as a core part of their product

Point taken

Still, no anecdotal reports of anyone having any issues (security related or ban related) yet. If I'm the first, I'll be sure you're the first ones to know.

The point is; you're trying to defend yourself from a less likely attacker, by asking a more likely attacker for help

Kind of ironic if you ask me

I can see your point and I respect it

...I'm going to regret this, and I know you're going to hate me for asking it - but could you elaborate on "more likely attacker"?

Hasn't zeus already elaborated on that?

Does Cloudflare have a history of security flaws that have been egregious in the past?

Idk

Do they need that in order to be a more likely attacker?

Zeus's point (I think) overall is that he just doesn't believe anyone else should be intercepting the traffic.

And I respect and agree with that belief.

I guess the counter question is; is there a history of targeted attacks against homelabs of random people on the internet

The answer is also "idk", but probably not

So we're at the same starting point, and obviously the one who already has all the information is the "more likely attacker", no?

But again, the barrier of entry was low, my environment is a limiting factor, and everything is secure and running great. So I'm right as rain currently. And I don't know of history of Cloudflare going rogue on anyone.

I suppose by your logic that's correct, yes

I agree

If I could actually get a reliably working version of NPM with crowdsec baked-in, and learn how to implement fail2ban, I would start down that route.

I have to wait until Zoey's fork's bug is ever figured out. And that might not ever happen.

The attacker would be the US gov, not Cf specifically

Good counterpoint

I also was interested in (and implemented) geoblocking specifically to block Russia and China.

Their own website says in an emergency they will proceed without a warrant

No one will disagree cloudflare is easy. I don’t think anyone here will agree it’s more secure

I mean, I'm limiting access to the USA. So everyone else is excluded (when it actually works), but for those countries specifically.

It’s just a question of how much setup you’re willing to do

I think I've shown I'm willing to put the work in 😄 - I've pestered you all enough for advice so you know. The resources available just don't fit my environment yet.

1. crowdsec isn’t 100% required
2. you don’t need it integrated to NPM. Very few people run it this way

I think that's ultimately what I've come to find.

You install crowdsec watcher, point at !nginx logs, then install the bouncer to run iptables

Don't think my NAS is going to play nice with custom iptables

Actually, I think I read some stories of people trying to work with iptables on my brand of NAS, and reasons, and they end up getting wiped and replaced with the NAS's own.

Everything I do has to be done through Docker - I'm assuming the bouncer is installed locally?

In your example?

It just circles the “it doesn’t fit my environment” issue again.

It has been brought to my attention that Cloudflare is a recommended method of reverse-proxying in the documentation to prevent against DDoS attacks, etc. Maybe that should be reconsidered?

https://immich.app/docs/guides/remote-access/#option-3-reverse-proxy

I mean yes, cloudflare is good if you fear that. You won't ever get a (relevant) DoS attack though

It's way too expensive to throw at some random guy's homelab

Agreed

Are there any reports of users using Immich in any environment of a grander scale than a homelab, though?

I imagine if not, that would eventually be the goal, though.

Regardless, if 99.9% of us are using homelab environments, maybe it should be amended or elaborated on in the documentation.

At some point we plan on offering a cloud hosted Immich, officially

I think that's kind of implicit, no?

Oh boy, that would be amazing

Not sure, it wasn’t clear to me until you elaborated.

Then it isn't 😅

(That it’s a snippet aimed at users buying CF’s high-end service(s))

lol

Just found this info - may be relevant still, although the post is from ~2 years ago. It mentions exactly what Daniel was saying about Cloudflare wanting you to use a streaming plan for media.

https://www.reddit.com/r/selfhosted/comments/13j4pft/goodbye_section_28_and_hello_to_cloudflares_new/?rdt=54732

Here''s the part I find interesting and I'll research more:

And (the probably outdated UI) imgur pic that was linked by the poster:

lol, Cloudflare actually offers automatic “Bypass Cache for Everything” as a pre-generated rule option.

And… deployed. I’ll report back if anything breaks.

Apparently the follow-up comments to that post I screenshotted say that you are still subject to the ToS (obv, I suppose), but by negating caching, you’re no longer breaking the ToS.

I think the presumption that tunnels is NOT a CDN is very implausible

They’re delivering your content for you

Almost all the comments explain that as well lol

Oh I agree it’s a CDN - they just say they recommend to not cache the CDN

Yeah but the CDN terms specifically disallow videos. Not only cached videos

https://www.cloudflare.com/service-specific-terms-application-services/#content-delivery-network-terms

Ah, good counterpoint, appreciated

Did some more research - seems the conservative consensus agrees with Zeus that disabling caching isn’t going to get you around CF’s ToS for proxying.

I went back to DNS only and tested again with the SSL Labs test and I’m getting an “A” result back. I’m satisfied with that.

Now I just have to figure out how to add headers to my Docker container for nginx-reverse-proxy manager.

Found a potential Docker replacement for NPM as a reverse-proxy solution with more robust security (including support for a crowdsec plug-in) - I’m in touch with their Discord to try and figure out setup. If I can get it working successfully, I’ll report back with details.

https://github.com/bunkerity/bunkerweb

PS: I run several services, not just immich. I have proper detection methods for brute force attacks and can say that I have never had a brute force attack in the five years I have been able to properly check for these…

So in my case, fail2ban would not have done anything….
If you use secure passwords, brute force is not feasible anyways…

Things I have had: lots of bots trying wordpress admin logins
Things I haven't had: anything serious

Personally I like to block scrapers so I don’t get listed on sites like shodan… just in case because these kinds of lists get used a lot in case there would be a security issue with any exposed service…

I hardened my host and reverse proxy

Yea, I have a lot of probing going on as well, for all kinds of services…

Don’t think my services ever got discovered by scanners…
They usually get discovered by something spying on your dns traffic…
So yes, I do have some things trying to access my domains…

About cloudflare, the negatives outweigh the positives for me…

Somewhat hardening your services, sticking to best practices goes a long way

Yeah, I think DNS only on Cloudflare and BunkerWeb might end up being the ultimate solution for my environment when it comes to self-hosting.

But I’m juggling that with learning OAuth today, so decisions, decisions…

Probably going to focus on OAuth first like Daniel suggested.

I do constantly get emails from my NAS about blacklisted IP’s when I have SSH turned on, and I implemented a “greylist” feature that cross-checks AbuseIPDB. And I’ve gotten several emails about IP’s getting blacklisted after that got set up.

Some kind of risk threshold setting that defaults to 40%. But still, tons of catches.

Speaking of, reminded me to flip SSH off again just now

For example on the “greylist”, just got another email

I guess the question is though... who cares?

SSH is pretty secure by all standards, and extremely well field tested

I mean sure, some random bot is hitting :22. So what?

🤷‍♂️ It’s a fair question. Just learning / sharing. It may not be a risk at all.

But the NAS heavily recommends that you turn it off constantly.

I have a unique port set, I don’t use 22.

Never worked with bots myself, so I don’t know how robust they’ve become as of late with AI/ML/etc, so when the NAS tells me it’s a risk, I usually just let the blocking continue.

And I try to flip SSH on only when I’m using it, but that has been frequently enough lately that I’ve neglected the practice.

What about just keeping SSH on but not exposing it to the internet? 👀

Always an option 😄

Definitely more reasonably than toggling it on/off the entire time lmao

Not necessarily an option in the UI, though. I guess I just need to block it on the firewall level.

Huh?

You just don't expose it on your router

Idk why, but your focus seems like waaaaay off. You focus on random shit that nobody cares about, while neglecting other, actual things you could improve

Sorry

I meant the router’s firewall

Case in point;

• using cloudflare
• trying to optimize your TLS level as one of the first steps
• graylisting ips based on hits against your SSH, instead of just restricting it your local network (or simply not caring)

I’m learning from you to move away from Cloudflare’s proxy and actively working toward securing that as best as I can.

TLS maybe was not the first thing to focus on, I don’t disagree with you.

Greylist is just a NAS feature and not exclusive to SSH.

I was just sharing that I receive hits since everyone else was mentioning their own hits.

That's fair

yea... ssh if exposed does get brute forced more I think...
I personally prefer not to expose ssh on port 22 (I do expose it on a different port)
that is mainly to avoid all the logs from brute forcing attempts

worst thing to expose is probably RDP 😄
or either with a default user and a weak password 😄

I use this chain : FW -> Traefik -> Immich with crowdsec on Traefik. No cloudflare for the moment. DDNS with OVH which deliver the domain name.

cool, how do you like crowdsec?
if i didnt use nginx, i wouldve tried it as well 😄

oh nvm, i meant modsec :[

havent finished my coffee yet

sorry :[

i run ISP-Router->FW->nginx->immich

To be honest, It stops some IPs but I don't know if it stops everything. I don't have also a huge list of services openned. I balance between setting up Cloudfler tunnel and deploy a WAF...

stopping some IPs is better than nothing 😄

I run also ISP-Router->FW->nginx->immich

I've wireguard for accessing some internal services that I'm only concern (admin services). Apart of your Immich question, I've setup my phone to activate the wireguard VPN when I'm not on my wifi lan. It's very stable and I can benefit of the protection set on my FW (ads filtering and all the features that my ASUS FW can provide)

asus fw? thats something built into your isp router?

i use html5 to remotely access my network

but i could also use vpn... its just easier via web ui 😛

It an wifi router with FW services

:[

layer4 firewall then

Who says that?

i am assuming only from what I have seen on asus firewall screenshots

Oh I see

I am fairly sure some of their routers/modem/APs have a somewhat solid firewall for average users

looks similar to what my ISP router offers

I actually spent yesterday chasing my tail with Unifi equipment for hours on end because it kept reporting that SSH was being used (on the server) even though I had it blocked on the router's firewall level (both the traditional port and my custom port.) It turns out it was just Plex's relay, and the Unifi UI was using outdated DB info to report "SSH" activity that wasn't actually SSH activity. 🤦‍♂️

I think I'm going to look into implementing a Firewalla Purple - 2-3 years back this router/firewall was supposed to be awesome (and in many ways, it still is), but Unifi just isn't what they used to be. I think they had a relatively short day in the sun, so to speak.

🤷‍♂️ never used their firewall but their access points are great and I plan to get some of their switches

I actually have the router/firewall specifically because I love the AP's. The equipment is good.

The software/UI... not so much.

if id have to buy a firewall myself, id probably try opnsense

Yeah, I saw that recommended the other day - I traditionally used a pfSense home-rolled router. When it bit the dust and I couldn't recover, the Unifi was a drop-in replacement because it has that AP managing controller built-in to it.

i run their software as well but to be honest.... i dont really reconfigure my wifi that much 😄
it runs well and does what i want it to

OPNsense might be up my alley.

Yeah, the WiFi just works. I love the AP's.

i am eyeing with their flex 2.5G switches though

unfortunately never in stock :[

I'd be hesitant, but that's me anecdotally

This router/firewall was like $500-600 and the UI is garbage after only about 2 years. They basically ghosted it.

🤷‍♂️ why?
its just a switch 😄
if it switches and supports vlans, im good 😛

you cant update it?

It's a RT-AX88U Pro with Asuswrt-Merlin (https://www.asuswrt-merlin.net/). Not so bad to configure 🙂

i only know their unifi software

They apparently just stop supporting equipment with no EoL estimates, or however it works along those lines. That's why I have features in my router that are advertised but don't actually work correctly. Like traffic stats.

havent used it, if it does what you want

Before the pfSense router, I ran Asus routers with Tomato. Merlin is a good one.

now that sucks... didnt know 🙂 but i think switches and APs both use their unifi UI

Yeah, even if I get the Firewalla, I'm going to have to put this router in switch mode or something. I need that controller portion to manage the AP's.

Might end up making me move away from Unifi AP's eventually all together. Then I could eliminate it from my homelab entirely.

why not use their unifi software?

Because advertised features don't work properly and like I said, wasted hours of my life yesterday.

maybe it can manage your firewall as well?

you can even get the software in a container

Oh, you mean like the Desktop software?

I've never tried it myself

either that or the web ui

I've always just used the web UI

the standalone web ui

I wasn't aware you could do that anymore

afaik its for all products but i use it only for the APs

This is what I get when I use the web UI

i think they call it the unifi-app

i assume that cannot be updated?

I think it is updated

🤷‍♂️

cant check the security settings as i dont have one of their firewalls

Maybe just a difference in the product line, though.

software gets updates all the time

Yeah, my mobile app isn't anything like that

But network 9.0.114, just the same

🤷‍♂️ maybe you can get it back to life with that

ah, is it?

ok

I need to charge my phone

True, but the quality of those updates isn't necessarily complete. Breaking features, without acknowledging it, while implementing new features, doesn't seem like a good development policy to me... but what do I know... I'm not a dev by trade. 🤷‍♂️

But they've lost my confidence in their software.

dont have one of their firewalls, so i cant judge

Just to play devil's advocate though, they are relatively well set-up from a security standpoint out-the-box. I doubt the router/firewall is insecure, as far as equipment can go. And the AP's are great, and you do have to have their controller (in some model, some form) to run them.

But yeah, the routers/firewalls just get a thumbs down from me at this point. I gave them a huge chunk of change and 2 years. I got like a decade out of my pfSense box.

OPNsense would likely be similar, I imagine, if I went that route.

yea, its the open source version of pfsense

personally, i probably wouldnt go for a ubiquity firewall either...
if I would run a non-commercial one, it would be opnsense

but i run a commercial one for now

And my pfSense box was literally just a home-rolled box that I spent like $200 on total. If even that. I used a case from the '00s for it. OPNsense is probably fantastic.

What do you use for commercial, just out of curiosity?

Sorry, you mentioned earlier.

Palo Alto

Oh, maybe you didn't. Oh cool, that's interesting.

just a small, fanless one

My wife isn't super thrilled with my request to jump to the Firewalla, so maybe I'll look into gutting the bones of my old pfSense box and throw OPNsense on there instead. If we decide we don't have the budget.

It would probably be just that easy. I could probably use exactly the same equipment I had from before.

Anyway, it's a thought to consider.

My managed switch and Unifi router/firewall have literally just sat on top of it for the last 2 years, lmao.

(Apologies for the rat’s nest. I suck at cable management.)

See what I mean about using an '00's case, lol. I even left the floppy drive and CD drive in there, because I just didn't even care to remove them.

Just made sure it had (at the time of building, anyway) a relatively decent budget mobo/CPU, and gigabit Intel cards.

(slightly less embarrassing photo, less mess)

Anyway, end of that side topic - overall message is just that *sense seems (at least before mine had an update I couldn't recover from that messed everything up) clean/stable enough to run on something I built with a budget and a case I got for free like 12+ years ago.

Unless they've had new hardware requirements in the last 2 years, and I doubt they have.

Well, an SSD being recommended is new for me to notice, but that's a non-issue. That's about it.

Well, squashed this issue. Apparently the Plex relay node system uses port 443. And I still had the relay system on, as it’s toggle-able. That’s why Unifi was reporting “SSH” traffic on my server while using Plex (why they don’t tell you the exact port instead of just “SSH” is infuriating.)

So Unifi gets a little bit more credit back now. But still not cool to report aliases instead of exact ports.

i disagree, it should be visible in some kind of details view but its important to see the actual application and not the port...

e.g. if I see imap on port 443, I dont want to know there is traffic on port 443, I want to know its imap on port 443, which would be suspicious

Fair point

Exactly why I’m looking at the Firewalla, too, lol. It’s supposed to do application matching better.

But yes, definitely agreed that the port itself should show up in some kind of details view / pane.

I assume the plex relay actually uses SSH though 😉

my guess is they use 443 because it's less likely to be blocked

You’re probably 1000% right.

Yeah, exactly

So maybe it’s not fair to be overly critical that Unifi reported SSH. Just hate that it wasn’t telling me the port (that would have been extremely helpful to have in their UI.)

I do agree that's strange

Actively working on deploying BunkerWeb as my reverse-proxy solution today instead of vanilla NPM. I’m going to be pretty active in their Discord today to try and find a way to get it working on my hardware.

The Unifi router/firewall actually has a decent threat detection system that I never knew they rolled out. I went ahead and enabled it. It was interesting data - I could see my server being attacked globally like 50-100x/day. I reduced this by blocking unnecessarily opened ports. Unifi also has a network-wide geoblocking feature, so I enabled that to reduce bad actors.

Now I’m seeing <20 attempts/day, but I want that to get even lower. I mean, that’s only what Unifi is seeing. Not necessarily every potential penetration test or bot scan.

I think BunkerWeb is going to meet the need for hardened security, and I’ll report back if I’m successful, and if it does.

Mhh, didn’t know BunkerWeb but it sounds interesting! Let us know how it works out 🙂
glad you got more use out of your ubiquity one as well

I think their main dev handles their help channel, and I’m guessing they took the weekend off for themself (completely fair) - so I’ll be delayed in getting it figured out.

But the little I’ve spoken to them before - they seemed more than willing to help get it figured out. I have no doubt that when they are able to respond, I’ll have it deployed.

Just a heads up that it’ll probably be after the weekend, seems like.

calm your horses 😂

has anyone tried tailscale funnel? can't find any info about limits, maybe it can replace CF tunnels to overcome the upload limits

replace how?!?
tailscale does not connect to CF?!?

I think tailscale funnel serves to a domain name owned by TS

Instead of using cloudflare (tunnels) use tailscale

but it's a direct (?) connection to your PC

Yup

Doesn't sound insane to me lol

I think you can also have custom domains?

i thought funnel was a typo 😄

should work, doubt it has an upload limit... but yea it looks like you cannot use your own domain for that:

`Additionally, Funnel has the following limitations:

Funnel can only use DNS names in your tailnet's domain (tailnet-name.ts.net).`

well, if that's the only limitation I wouldn't mind honestly

try it out I guess

dont think there will be an upload limitation

but there will also not be added security from cloudflare as far as I understood, could just as well just expose your reverse proxy

I'm assuming their problem is CGNAT or something, which requires CF tunenl or alike

And I don't want to start ranting about security vs privacy again

sadly I'm behind a NAT, so I rely on tunnels to expose my services

(cough oracle cloud)

k, makes sense then 🙂

if you dont use tailscale DNS you can just ignore it

zeta is my homelab server
it is an exit node and also have a subnet route to 192.168.0.222(AKA itself)
my mobile client can:
connect to tailscale
access mything.duckdns.org which is A towards 192.168.0.222
now i can acess my homelab
it could also been service.mything... or whatever format

(tailname dns is not acceptable for me as all my services are vhosted, so i need wildcard subdomain to handle that)

accessing over cellular via tailscale on my phone

i wish i knew this trick long time ago

and didnt rule it out as a way to connect privately

Back after a long journey - still working through it. BunkerWeb is very robust, and I finally have an instance working on a mini PC (set me back maybe $130 USD), with BunkerWeb virtualized under Proxmox.

Now that I actually have BunkerWeb stood up, my next goal is to get Immich to utilize it as my reverse-proxy solution. It’s extremely feature-rich, and does require some tailoring to work (or so I’m told.)

More to come.

i have added the oauth of google on my exposed immich application and it marked my domain as a dangerous.

when checked the google console it says that the redirect uri i added in tha oauth has some phising risk or malware

@proven fox can you please guide me what am i doing wrong?

I'm using cloudflare tunnels to expose it to internet

No idea what might be wrong.

Just google being google

report it as false positive ... somewhere

Or get a new domain 🙂

Also please note that I'm not the expert here, my original question was how people exposed their instances. For cloudflare tunnel support you should turn to cloudflare for the best help

Sorry wutanc, you made this thread so you're now on the hook for every proxy question 👀

Its super interesting discussion 🙂 don't get me wrong.

Oh dear, it was a sarcastic remark in case that wasn't clear 😛

@dusk nimbus I do really mean it, report it to google as false positive

i have reported to them lets see if i get back my domain or i'm cooked

No no. It was clear 🙂

all mails are also going to spam now

Sometimes that happens when you use the name of a product as a subdomain

that seem to be interesting

so what do you suggest to name it?

Maybe photos , mich, pics, etc

I would also strongly recommend to use separate domains for things like hosting and emailing.

😮

question already deleted

Rupsje Nooitgenoeg

check https://discord.com/channels/979116623879368755/1356653443712024686

@zinc merlin

So I just finished setting up Immich with lots of help from this community 🙂 . I have setup inside docker compose, within Debian, on win11. It's my 3rd attempt, I always fail at the remote access part. I really want to avoid having to install extra apps on my users phones, so option 3 (reverse proxy) seems like my best bet. I have asked copilot to help me with the commands as I'm using linux commands for the first time. I do own a domain name, which I use solely for email purposes...I dont have a website. Does this sound like a good idea?

1. Set Up Your Reverse Proxy with Nginx
   Install Nginx on your Debian server:

bash
sudo apt install nginx -y
Create a new Nginx configuration file for your Immich instance:

bash
sudo nano /etc/nginx/sites-available/immich
Add the example Nginx configuration (from the Immich documentation) to the file. Adjust the server name to match your domain (e.g., example.com):

plaintext
server {
listen 80;
server_name example.com;

location / {
    proxy_pass http://localhost:2283;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

}
Save the file (Ctrl + O, then Ctrl + X) and enable it:

bash
sudo ln -s /etc/nginx/sites-available/immich /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
2. Get a Free SSL Certificate from Let's Encrypt
Install Certbot:

bash
sudo apt install certbot python3-certbot-nginx -y
Run Certbot to obtain and configure your SSL certificate:

bash
sudo certbot --nginx
Follow the prompts to select your domain and enable HTTPS.

3. Point Your Domain to Your Server
   Log in to your Web Hosting Canada account.

Update the DNS settings for your domain:

Set an A record pointing to your server's public IP address.

Wait for the DNS changes to propagate (can take up to 24 hours).

4. Verify Remote Access
   Open your domain (e.g., https://example.com) in a browser. You should see the Immich login page.

Test access from outside your LAN (e.g., using mobile data).

5. Optional: Increase Security
   Enable Cloudflare's free tier for your domain to enhance security, hide your server's IP address, and protect against DDoS attacks.

Did you cover "Port forward from your router" @river merlin ?

I would recommend you caddy instead of nginx, simpler to configure and it will handle your ssl certificates automatically

In one of my many attemps I added immich to my router port forwarding.

which ports though?

2283 is directly to immich, which is a bad idea

yes 2283

80 and 443 is what you need to forward to nginx (or caddy if you decide on that)

80 internal 443 external?

no

both 80 to 80 and 443 to 443 wherever the nginx is hosted

kk

Also, your nginx config has no HTTPS component (443/https)

1. Install Caddy
   First, install Caddy on your Debian server:

bash
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
2. Create a Caddyfile
The Caddyfile is where you define your reverse proxy configuration. Create it in /etc/caddy/:

bash
sudo nano /etc/caddy/Caddyfile
Add the following configuration, replacing example.com with your domain name:

plaintext
example.com {
reverse_proxy localhost:2283
}
Save and exit (Ctrl + O, then Ctrl + X).

3. Point Your Domain to Your Server
   Log in to your Web Hosting Canada account and update the DNS settings:

Add an A record pointing your domain (e.g., example.com) to your server's public IP address.

Wait for the DNS changes to propagate (this can take a few hours).

4. Start Caddy
   Restart Caddy to apply the configuration:

bash
sudo systemctl restart caddy
5. Verify HTTPS
Caddy automatically obtains and renews SSL certificates from Let's Encrypt. Open your domain (e.g., https://example.com) in a browser to verify that the Immich login page loads securely.

6. Optional: Port Forwarding
   Ensure your router forwards ports 80 and 443 to your server's internal IP address. This allows external traffic to reach Caddy.

I'd prefer avoidign nginx, as I failed before. I ended up uninstalling everything because I had become lost in where I was. deos the above sound okay?

# Redirect all non-HTTPS requests to HTTPS
http:// {
    redir https://{host}{uri}
}

# Handle HTTPS and set up reverse proxy
https://example.com {
    reverse_proxy 127.0.0.1:8080
    tls [email protected]
}

Folks please use codeblocks -- it makes it much easier to parse and support everyone 😊

Should I be putting in my domain name before the redir command?

no

gemini gave me pretty much the same snippet, but modified the second block to contain my domain name and email. it used 2283

replace example.com with your domain

and of course, point to the immich port

earlier I was told to use 40 and 443, hiow would I apply that here?

replace 127.0.0.1:8080 with your immich host and port
replace example.com with your domain
add your email address
forward ports 80 and 443 in your router

thank you

ugh I really hate being dumb with this stuff. I assume I'm doing something wrong in either the caddy file, or my DNS stuff. Copilot tells me to add a record that applies to my domain, using whatever whatsmyip dot com tells me. the caddy file looks exactly like what you have above, except its my domain name and email, and the other line is localhost:2283. Right now when I try to reach https:_mydomain.ca from outside my network, it brings up Index of / and then lists cgi-bin, 404.shtml, home.html

This would probably work better if you weren't trying to do all the things at once :p

how so?

verify a port forward works, verify your dns records are being set, test non-https connection through your router etc

okay. I'm going through the suggested steps by copilot. I'm trying to limit my questions here to be immich-specific. For port forwarding, I setup my router to fwd the internal ip from debian. My router didnt allow the IP because it was outside the range, so I had to manually assign one.

so my router is now forwarding 80-443 on this IP. Not sure how I can test that. I tried to put in http:// mypublicipaddress:80 and :443 on my phone browser (turned off wifi). both didnt work.

Btw @trail tundra are you aware this thread exists? 👀

I used portchecker.co and both ports seem closed 😦

wait, you said you are using wsl in windows or in a vm?

I installed Debian on windows. Then docker-compose within Debian, then Immich inside docker.

so, wsl?

Don’t know what that is

I don't know any other way to run Linux on windows other than wsl or in a VM.
if it's in wsl, you have to proxy your wsl port to be able to access it from outside https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy

also should open the ports on windows firewall

I installed Debian using the windows App Store, does that clarify anything? It’s essentially just a command prompt window looking interface.

I will read that and see if I can apply it. Copilot has had me play in the networking files in Debian.

ok, then is wsl. have in mind it auto shutdown when not in use

Can you define not in use? My intention is to have Debian/docker/immich always opened

Is that sufficient or do I need actual traffic

when you are not with the linux console open

Ok, it will stay open, that’s not a problem. The machine is only for Immich and plex. I’m attempting a full-scale test before dumping windows completely

My Immich instance is exposed to the internet via HA Proxy (reverse proxy) on my pfSense router. HA Proxy fronts a number of services including Immich behind a Let's Encrypt SSL cert that is auto-renewed by pfSense prior to expiration. I use a sub domain and Cloudflare for my DNS records. While this works well, it was not a simple setup and took me multiple tries and lots of research to finally get working. On the plus side, it has been rock solid and having reverse proxy running on my router gives the ability to grant any resource on my multi-VLAN network that I choose to expose to the internet.

For now, I am using Immich authorizations but I also self host Authelia for MFA for a few apps that I want stronger access controls for. I haven't decided if I want to add Authelia MFA to Immich at this time.

Exposing Immich to the internet doesn't quite provide me a solution for what I'm looking for though. Ideally, I would like to be able to publicly expose my photos (some or all) with guest access (no login required) and secure access for specific libraries. I think I can only do this using the Albums feature. I need to explore this some more. Adding to my complexity is that I do not want to use the Immich photo storage but rather rely on external libraries only. I have too many photos in a curated folder structure that I do not want to import/re-import into another file structure.

My Immich instance is exposed to the internet via HA Proxy (reverse proxy) on my pfSense router. HA Proxy fronts a number of services including Immich behind a Let's Encrypt SSL cert that is auto-renewed by pfSense prior to expiration. I use a sub domain and Cloudflare for my DNS records. While this works well, it was not a simple setup and took me multiple tries and lots of research to finally get working. On the plus side, it has been rock solid and having reverse proxy running on my router gives the ability to grant any resource on my multi-VLAN network that I choose to expose to the internet.
👍

For now, I am using Immich authorizations but I also self host Authelia for MFA for a few apps that I want stronger access controls for. I haven't decided if I want to add Authelia MFA to Immich at this time.
why though? it just limits app functionality, oauth should be sufficient, I use Authentik but only either SAML/Oauth or on sites without proper authentication

Exposing Immich to the internet doesn't quite provide me a solution for what I'm looking for though. Ideally, I would like to be able to publicly expose my photos (some or all) with guest access (no login required) and secure access for specific libraries. I think I can only do this using the Albums feature. I need to explore this some more. Adding to my complexity is that I do not want to use the Immich photo storage but rather rely on external libraries only. I have too many photos in a curated folder structure that I do not want to import/re-import into another file structure.
this would be a feature request

Anyone using Crowdsec and have a good way to whitelist for the http probing? Its banning immich album requests

I dont have it exposed to public internet, but im tempted to add traefik forward auth for anything that wouldn't be the public URL. Probably dumb as i'd still need to log into immich itself but idk. I'll probably just stay with hosting internally and using wireguard tunnel

whats wrong with exposing it?

immich has authentication... just local authentication...
if that is not enough, you can use OAuth

You have clearly not been attacked by login bots that keep trying to break in (yes that happens, sadly). It is more or less a DoS and can become a DDoS if the attacker starts taking you seriously enough.

So just ban them , It takes like 5 min to setup fail2ban 🙂

My setup is simple: The service lies on a machine not exposed to internet but is within Tailscale VPN.

I have a simple setup. The day I decide to put it out there, I will add layers on top.

thats perfectly fine to do!

i have but i dont really care much for those except the logs they generate... that is only used to bruteforce a login, if you have a good password, you are safe from brute force and dictionary attacks, especially on immich as they likely will not know your username and you hopefully dont use "admin" as user 😄
it will never be meant as a DoS or DDoS attack (it will turn distributed only if the IP gets blocked after X attempts by fail2ban or similar) as that is too slow, there are more effective ways usually to DoS

either way, those attacks on sites like immich are extremely rare and if, it wont even be brute-force but dictionary instead to check for real easy passwords and leaked passwords

by the way, forward auth wouldnt change that...

I am trying to setup a more elaborate setup. Currently I am trying it on my server that is hosted with a VPS provider. But with time I plan to move it to either a Cloudflare or WireGuard tunnel with proper protections. Right now I am dealing with the setup, Scheduling, Backups etc. Once they are in place, I will start adding more tools for auth and protection and then open a WG tunnel from the server to home to check if everything is working as I hope.

Once that is done, then I can expose something. Even the home network is not that well sorted yet. So lots of pieces to bring together. 😓

cloudflare adds less protection than many think but yes, it does offer some protection abilities

putting it behind a wireguard accessible network is of course the safest, most paranoid option 😛

i have a hardened linux OS, docker engine hasnt been hardened much but the reverse proxy is hardened and I run a firewall with it to protect from some threats
threat actors I put on a blocklist that I block for an undefined amount of time 😛

Yeah. I have used those earlier. But again, the setup has to be there before I include immich in it as it contains some of the most personal stuff ever (like all people's photos might have).

Right now, it's Docker (have to move it to Podman) mostly inside a compose, routed with Caddy. Building stuff with GitLab. Monitoring is not in place yet. I am new to homelabbing and am slowly gearing up.

always your choice what you want to do... a targeted attack on an "unknown" persons immich instance is extremely unlikely

i can only speak for myself, i have my immich exposed and it has my kids photos in it

But still possible and more so as automated attacks become more relevant. That's why I'd use forward auth because it has no chance at all to get to immich, then I use the login in immich as well.

I just don't know how to set up forward auth while making the app usable at the moment so I just have a VPN instead

while nothing is ever truly impossible...
targeted attacks are only driven by money! aside from the effort it would take that can be used on something that gets money, noone will waste a vulnerability that is unknown so far on a target that brings no money....
so yes, if you have pictures of state secret documents and some people know about it, it is possible

mass scanning and then if a vulnerability becomes known, mass attacking all listed entities is much more likely but that is why regular updating is good (and in that sense, it could be something in the app, the IdP, reverse proxy or anything either of these use)

I just don't know how to set up forward auth while making the app usable at the moment so I just have a VPN instead
you can't, that's what you have OAuth for

hello

i have a problem, which is that when accessing web interface of immich after cloudflare access login it gives error 403

someone once said that you have to do it in immich settings

but i want things as simple as possible

i think domain -> cloudflare access -> immich is simplest way

Error: Error: 403
    at Object.mt [as ok] (https://immich.example.com/_app/immutable/chunks/BYB68Yzy.js:1:8008)
    at async Promise.all (index 0)
    at async n (https://immich.example.com/_app/immutable/chunks/DkGcw9C2.js:1:511)
    at async o (https://immich.example.com/_app/immutable/chunks/ruygQ5gm.js:1:177)```

Anyone using opnsense / IDS/IPS/suricata? how do you handle SSL inspection?
I’m currently using fail2ban+crowdsec+nginx and idk if the juice is worth the squeeze to add an IPS. I’d have to terminate SSL again and then I’d lose my source IP info in nginx, right?

i am using an IPS, it supports decryption by giving it the key and certificate, no info gets lost and the clients are not even aware that traffic is being decrypted it is not being proxied, it is decrypted on the fly. but for that I had to restrict some ciphers from being used, it still has the highest security rating but some ciphers will not work with on the fly decryption

Ok, this makes sense, you are using ciphers that do not support perfect forward secrecy for this purpose

What IPS are you using?

Palo Alto Firewall

i think just incompatible ones...
according to SSLLabs:
Forward Secrecy Yes (with most browsers) ROBUST (more info)

Out of curiosity does cloudflare have a download limit?

I rember their was a 100mb upload limit not sure if that applies to downloads

I am trying to set up a reverse proxy with nginx but i have no idea what im doing since i never did anything like this before. i can only access the nginx server from inside the network using its ip address, but I cant access it from outside the network at all.

my nginx config looks like this:

server {
    server_name my.domain.net;

    # allow large file uploads
    client_max_body_size 50000M;

    # Set headers
    proxy_set_header Host              $http_host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # enable websockets: http://nginx.org/en/docs/http/websocket.html
    proxy_http_version 1.1;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "upgrade";
    proxy_redirect     off;

    # set timeout
    proxy_read_timeout 600s;
    proxy_send_timeout 600s;
    send_timeout       600s;

    location / {
        proxy_pass http://127.0.0.1:2283;
    }


    listen 8443 ssl; # managed by Certbot
    listen [::]:8443 ssl ipv6only=on;
    ssl_certificate /etc/letsencrypt/live/my.domain.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = my.domain.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name my.domain.net;
    listen 80;
    return 404; # managed by Certbot


}

and I am port forwarding the port nginx is running on:

Your external port should be 443
And you have to setup DNS

My ISP blocks port 443 so I was using 8443 to get around it
and how would I setup DNS?

That’s well beyond immich haha, you can google what is DNS and how to set it up

Ah alright, thank you

do you own a domain?

yes, i removed it from the config i sent just for privacy

I have an A record set that points to my external IP already, and I know that works because I can access other things I have running on the network through it

I guess show some examples of what works and what doesn’t. Minimal redaction
It sounds like you already have DNS. Show a site that works and one that doesn’t

https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04

a dns challenge would be the alternative to get certs

(note I never used ngnix I only have used caddy so idk how good the guide is)

Broke my brain a bit tonight. I have a untrusted subdomain for testing bad SSL certs and I didn’t realize HTTP3/QUIC coalescing will cause it to show a trusted cert if another site is loaded in a different tab

thats what I use, I prefer wildcard certs over individual ones... truth is even if i did individual ones, if they somehow got the cert and key to one of them, they would be on the same server anyhow, so all of them would be compromised either way.
there is a few other reasons I prefer a wildcard one, so for that I use dns challenge

I disabled quic on the firewall and in my browsers (as well as post quantum encryption) so I am still able to decrypt all traffic :[

Did you ever find a good solution to the http probing issue? I'm getting bans if I look at too many images
edit: just saw your solution posted on the crowdsec discord. i'll see if i can port that to my pangolin/traefik instance

I think I included everything important in the thread

Reading all of this in a single thread is mind numbing. Lots different problems with no clear solution. I understand with a self installed local server there are lots of variables....I simply want to be able to download a high res image from the server when outside the network.
Will any type of outside internet connection be an officially supported feature at some point. Is it in the the roadmap?

No. I’m not quite sure how immich could do that? If you mean a built in VPN or similar we won’t ever have that. In general most self hosted projects are exactly how immich is. The app itself can’t control how its exposed to the internet

No, I did not read the full thread and maybe it's been mentioned somewhere already, but if you just want to expose shared assets without exposing the API, there is https://github.com/alangrainger/immich-public-proxy Of course you'll still have to deal with making that available publicly somehow, but it most likely reduces the risk.

anyone mind helping out with a novice question. currently spec/building my own home nas. Have immchi running on my home pc until then.

external access, I'm only starting to read up now about how to access outside of the home network. I have proton VPN running as a client on my router to certain devices and im wondering is this enough or do you have to run a VPN server?

when we talk about VPN, we mean a private connection between your client device and your server/PC.
like wireguard, tailscale, cloudflare ZT warp2warp

Iam Using pangolin Reverse Proxy with builtin sso it works Perfect and it is Secure to use! Now I can Access to my Immich Server without VPN

So yesterday I setup external access via nginx and duckdns, here is my current setup and issues.
I'm on Windows 10, immich and nginx are both running on docker desktop, ports 80 and 443 are open, in my firewall inbound rules ports 80 and 443 are set to allow all connections private and public, duckdns is live and working with my current updated ip address, nginx settings for immich should be correct. Also when I visit "https://[URL].duckdns.org/" locally it works, it just doesn't work from external networks

So yesterday before I went out immich wasn't working and randomly after 3-4 hours I decided to check it out and it was working (idk how or why) and it was working for a full 12 hours before it broke again (I didn't change or update anything) now it's back to not working. I have no clue what's going on or how to fix it pls help.

it might be instability in duckdns

sometimes it is like that

if duckdns fails to resolve then immich wouldnt work
to confirm it, if you try to visit on a browser it should say an error code related to DNS failure

since you did nothing i am going to assume it's not your fault here
(which i believe is a reasonable thought: things untouched shouldnt break and recover randomly)

could you recommend a better more stable solution and which is relatively simple to setup

i think https://desec.io is an option that's shared around
i cant fully vouch for it, i was going to migrate fron duckdns eventually, because of this
but never got to doing it, so i cant actively vouch for that yet
it is more complicated though more powerful
allowing you to set per subdomain entries

https://freedns.afraid.org is also another one

suppose you can register your own domain that would been a solid choice too
(using your domain registar's dns)

thanks for sharing these, I'll take a look and test it out

reddit have some other resources if you just look up duckdns alternatives
it seems like that's not a rare thing at all for it to fail at times

now it's back to not working
is it still broken?
what happens if you try to visit the URL in the browser?

if it's something like nxdomain then it's probably not your problem

lol now it's working

yeah I guess duckdns is not really stable

https://www.noip.com/ is another option.
or if you have a tplink router they offer their own solution too

noip had a bit of annoyance
i like duckdns's perpetual freehold on the subdomain you claim

well it took me maybe 30-45 minutes to switch from duckdns to desec, and after setting it up it was working immediately, I hope it won't have stability issues like duckdns did.

I probably have one of the most jank setups for immich

I have it going through a reverse proxy with a cert bot certificate to a sub domain from freedns

All through wampserver

Hi, new to immich here, I couldn't afford neither to pay google for more space nor to accept that my personal files must be scanned by google AI. I faced numerous technical issues in order to expose immich to the internet since I'm behind a CGNAT but finally I made it by reading hundreds of guides and tutorials relevant or not to immich. Now my immich server runs at my home on a thin client and it is exposed to the internet through a wireguard tunnel to a $1/month VPS (which of course has a global routed IP) and it also supports HTTPS using the Nginx/Let's encrypt reverse proxy in the VPS. The whole setup is secured and monitored using UFW, Fail2ban and other linux tools. All requests are being forwarded to the immich server in my home. My domain is also free kindly provided by freedns. I just finished setting up the OAuth as well. Now the next and last step is to setup an LVM/RAID1 so to have redundancy for my files. Kudos to all the people behind this project, to the FUTO and everyone who supports it financially and by any other means. I would really like to make a guide for this setup but I'm lazy and there are so many things that must be documented and explained. Hopefully some day I will find the will to do it.

Very nice setup, welcome

afaik, contributions are always welcome 🙂
so if you ever do find the will to document something that isnt documented, visit #contributing and explain what you plan to do and then someone from the team can say if its something they would incorporate
enjoy immich 🙂
PS: sounds like a good setup 🙂

Instead of exposing the server directly to the internet, I use Twingate VPN, a free version for up to five users.

If I get it right, with Twingate every end user needs the twigate client in his device, isnt' so ? With my solution it's just a web page that everyone can visit. So for example, installing the immich app in your phone and accessing your immich server outside your LAN requires nothing more than internet access. That's the whole idea behind my setup. Did I get it right ?

The only configuration which was a pain in the ass but applies only to users that want to run the server localy because they have spare hardware and at the same time they are behind a CGNAT, is the Nginx conf. I believe that anyone with basic knowledge of linux and networking can manage the wireguard and netfilter/iptables configuration.

your setup is totally fine if setup correctly and hardened... some prefer to get risks down to a minimum... if a VPN fulfills all your needs then it is the safest solution... i expose my setup via nginx as well though... its a matter of preference, opinion and expertise

also team nginx/open to internet here. just better user experience IMO

yea, i think the same but I also completely understand those that prefer a VPN like wireguard if its only a close circle of users and no sharing is required...

cant argue that it is more secure and if you dont have the need for more exposure, thats fine
i personally dont see a larger real risk to be considered exposing immich for people who are not a POI if setup more or less securely/hardened

You are correct, the downside of this solution is explaining to family members that to use Immich they must log into the Twingate app. Is internet with a public IP required for your solution?

nikall was sharing how to use a VPS in case that you do not have a public IP (CGNAT)

so, no

It's all about CGNAT, the requirement initially was how to override CGNAT and be able to forward ports to my LAN. Then it came immich and the situation got a little more complicated. So yes my setup is specialized to users who are behind a CGNAT.

Yes, I used to do something similar when I was on CGNAT, except I ran nginx at home but I did a wireguard tunnel from home to VPS

Yes due to CGNAT and because I wanted to be able to sync photos when outside my home/LAN.

Very good! So you just request a port forwarding from your provider?

no, he tunnels to a VPS which has a public IP

I wish I could. This is not possible for many reasons. That's why I wanted a global Routed IP and a VPS that can provide it.

I don't understand, why isn't it possible? If the internet provider provides the CGNAT public IP and port. Theoretically, it was possible to access.

Well, first of all most people want to run their websites on port 80 and 443, not some random port that always changes

and even then I do not think all CGNAT companies will provide you with a stable port / way to access that

perfect, I think that's it.

First no, my ISP doesn't offer such service. Secondly and technically it's difficult to forward a port and use a Public IP along with many other users (hundreds or even thousands). You can't use this IP let's say for setting up a domain. And then, I wanted to run my website on port 80/443 (it actually rewrites any request to 80 automatically to 443).

I understand, but it still seems viable to me. I'll check with my provider about this possibility, on a larger port. The one I use for example, 2282.

So you are behind a CGNAT too ?

Yes.

And did you get the mobile app working with sso

pangolin auth is not OIDC

Do you use SSL on the server?

I had a conversation with my internet provider and he said that he provides a public IP for my connection at no additional cost.

Ofc, you must use SSL this is non negotiable. That’s great to get a public IP

I wondered...
what do you use? Is there a way to do it without extra costs?

Sure, lets encrypt is totally free
You need a domain though

Thank you very much for the information.

My ISP also provides a public IP for no additional cost but this is a public IPv4 not for my personal use but for all the users behind the CGNAT. This reply from your ISP is a bit "cryptic".... If provides a public IP PER USER FOR FREE then why puts you behind a CGNAT ? There is one more explanation, the public IP that is provided at no charge could be an IPv6 and more specifically a whole block /64 of IP's but IPv6 is a different kind of beast....

It's a hypothesis. I didn't go into details with it... I'm studying an SSL solution. I believe it would be a good alternative to expose the server to the internet in this way.

I'm not sure what you mean by SSL but HTTPS is SSL/TLS encrypted communication. If you mean a HTTPS server, then this is the solution for the end user side. If you have some time and when you are ready please give us an abstract of the solution you are working on.

This is correct, https. As soon as it is ready I will share it with you. Basically, it is this, take advantage of the public IP offered by the provider, activate https and activate OAuth login.

To give you literally a picture of the problem when you are behind a CGNAT and what the ISP's mean when they tell you "of course you have a public IP", this is the actual IP of my Internet Connection. The first is the Global Routed IP, the one that Internet sees you and knows you, the other one is the private IP which is unique per user/connection but...It's private.

The first IP you can't use it for your own services and apps. The second is also useless because it's private. Port forwarding doesn't work in this scenario because of practical and technical reasons.

It only makes sense if he is actually giving me a public IP /32.

hello, does anyone have a working apache2 reverse proxy config? I tried using config from https://immich.app/docs/administration/reverse-proxy and even from https://www.reddit.com/r/immich/comments/1b0cgbq/apache_reverse_proxy_config_websockets_not_working/ but I had no luck.

I can connect to <DOMAIN> and enter login info but the login is not working. I I enter wrong password I get the apporpriate error:
HTTPD LOG:
[08/May/2025:17:14:39 +0200] "POST /api/auth/login HTTP/1.1" 401 108
DOCKER LOG:
[Nest] 17 - 05/08/2025, 2:58:07 PM WARN [Api:AuthService~q10yo8ts] Failed login attempt for user <EMAIL> from ip address <PUBLIC_IP>

Using correct password:
HTTPD LOG:
[08/May/2025:17:15:05 +0200] "POST /api/auth/login HTTP/1.1" 201 226
There is no docker log.

Using local IP to login gives this docker log:
[Nest] 17 - 05/08/2025, 2:59:29 PM LOG [Api:EventRepository] Websocket Connect: m6ntjUZF-s_PCA92AAAD

I also added this to .env:
IMMICH_WEB_URL=https://<DOMAIN>

I use Nginx Proxy Manager and DynDNS

I have so many vhosts set up it would take a long time to migrate them all. I was hoping someone already solved this issue 🙂

To solve actual issues, the best place may be #1049703391762321418

I actually do, this is what I am using along with a certbot cert

    ServerName example.com
    SSLEngine on
    SSLCertificateFile C:/Certbot/live/example.com/fullchain.pem
    SSLCertificateKeyFile C:/Certbot/live/example.com/privkey.pem
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    ProxyPreserveHost On
    ProxyPass "/" http://127.0.0.1:2283/ upgrade=websocket
    ProxyPassReverse "/" http://127.0.0.1:2283/
</VirtualHost>```

thank you for this config, ill try it later today

i couldnt help myself and i tried it now 🙂 it doesn't work for me. maybe the issue is that I run proxy on another machine. Ill set up another one on the sam ehost as immich later

Just want to share a config I've been using. I noticed that my cloudflare tunnel seemed to be a little slow sometimes. Plus, it has the limitation that you can't upload more than 100mb per request. I'm using fly.io to host a very tiny FRP server (in a docker-container). FRP acts as a tunnel. The FRP client initiates the request to tunnel, so it works over CGNAT or frequently changing dynamic IPs. The tunnel connects to an instance of caddy in the immich-compose stack, so it can reverse proxy to immich, or other self-hosted apps. SSL is terminated by caddy, so its e2e encrypted - fly.io won't see your traffic (other than metadata). Opinions welcome: https://github.com/midzelis/immich-fly -- this can probably be adapted to other VPS providers (hetzner, Oracle, etc) relatively easily. You do need a static ip for the cloud endpoint.

Not ready to share, but I have a much larger/ambitions config using k8s, for those that want to try that. This one is purely docker based.

Does anybody else think it would be nice if the Android mobile app could support basic HTTP auth?
It seems a bit stupid, but are 2 passwords better than 1?
I have Immich behind a reverse proxy and besides the integrated login, it'd be very easy to add basic auth from the reverse proxy.
Accessing it through the browser is very painless, you just get the basic auth prompt once.

in settings > advanced > custom proxy headers

you can add anything as a secret header and value

Oh, that's lovely, I guess I didn't quite get the naming of that one

Thanks, it works

So that kinda answers this: "How have you secured your server?"
The logic being: the domain name is generic, if you don't know the basic auth you don't even know what's being hosted there, you'd have to break that first, then find out it's immich, then break Immich's auth or find a specific exploit. I think that's sufficient for me.

this is assuming you have something else infront of immich that expects the header right?

that's not bad arrangement
keep in mind that it might work out for web users
(if you had any to begin, otherwise it's not a concern)

yeah, I have an nginx reverse proxy. I have no users outside the household, it's for personal use.

What you described does what you intend to do 😏
I wouldn’t cause that’d be too cumbersome for me but if it fulfills your requirements, it’s good.👍

Hi. I have setup nginx proxy manager and I use dynu for a dynamic dns. To access immich outside of my network do I need to open ports?

I was using tailscale and works great but I just need a setup that will allow me to give access to family on shared albums without them having to install tailscale and set it up.

You'll need to forward port 443 for https

On the documentation on remote access on immich it doesn`t say anything about opening ports, there is where I was confused

Did you had to open ports on your router?

Port forwarding is required for an outside connection to be directed to your server. If you don't want to, or can't, forward ports, it looks like a VPN like tailscale might do the trick. However configuring tailscale on clients will be required to access the server. ie. Your family/friends can't just go to your immich website unless they set up tailscale on their device.

Unless you tailscale funnel.
But yes there are different ways of accomplishing remote access so having a 100% foolproof every use case guide is not possible

Can you give me more details, please?

https://tailscale.com/kb/1223/funnel

Is this what you were asking about?

Thanks

No Not required

How did you managed to set it up? I have casaos and there is impossible for me to install it on there.

Just install newt as docker or binary

Can you explain the steps, if you have time, please?

I should first install newt?

I would prefer to use docker compose. When I try to do that with the docker compose from their documentations it gives me an error from hostname and network mode

Whats your Docker Compose file Looks

I have uninstalled it

I have used this from their website

I have tried to install it as a docker compose in CasaOS

No no you have to install pangolin on a vps Server Like hetzner Cloud or something Else but you Can try with my ref link: https://hetzner.cloud/?ref=zmHf2udsXHhh you get 20€ credits for free and then create a ubuntu Server and install pangolin

And then install newt on casaos for exposing Secure your Services Like Immich or other

Regarding privacy and security, how safe is to use that vps?

Hetzner have builtin Firewall use that

Will my traffic go thru it and can be seen?

And keep updating your Server

Traffic is encrypted with ssl with lets encrypt

So, there is no possible way to setup this local?

For example if I have another pc around

Sure you Can use pangolin as a standalone Reverse Proxy but you cant reach it from outside

So basically, with newt I will send my services to the vps with pangolin and from there it will go to the device that access it.

Yes

All encrypted

Yea

Just try

Another option will be to install pangolin on a friend device on a ubuntu server, different network and I will connect with newt to that and it will be the same as I am using a vps. No?

Yea

I will, yes. Just trying to make sure that I will have the best setup.

But I cannot do that at home on a different device with ubuntu server. It has to be a different network. Is that correct?

Ja

Ok. Thank you for your time and helping me to understand a little bit how this works

I used cloudflare tunnel on its own hardware in DMZ on VLAN with port 8212 only allowed to pass through. I could not get the application within the tunnel to not present to code challenge that would make it a no go for family. I created rules in WAF to limit access a bit

Tailscale is awesome

Have you tried "hiding" faces you don't care about? I think they actually get removed/unrecognized from the pics which might help. Speculations though

anyone can help me? I can't make my immich app public to acces outside of my network? I really do not know what I am doing btw.
All I know is I got an url/domain and I got the immich working on localhost:2283, so that's all fine.
Only problem, I can't acces it from other networks/my phone outside my house.
and I am using docker.desktop (I just use a windows pc as server; so other programs can be used to if needed btw)

You can start by searching reverse proxy or VPN

https://immich.app/docs/guides/remote-access

well, I trieded, and did not worked the reverse proxy

idk what I am doing wrong, I am trying for 2 full days now, everything I can, rip me... and I do not want vpn, since I want to let other acces my albums to :)

idk what I am doing wrong,
Can't tell without knowing what you did lol

can I dm you with it? or where can I send screenshots? so I do not spam this channel :)

you can open #1049703391762321418 instead

#1377730775004221581 message

You can try with Pangolin. I am testing it now and seems ok. Altough I haven`t tested it with Immich. But it can be a good option.

For those using Pangolin is there a good way to setup mobile app access without just bypassing Pangolin's auth or using custom proxy headers?

If you want proxy auth but no proxy auth headers, that'll always be impossible

I guess I was looking at this discussion https://github.com/immich-app/immich/discussions/8299 where cloudflare is used as the oauth and redirects

and was wondering if something similar would be possible with Pangolin

This isn't proxy auth

This is just using cf access as an oauth provider

Those are different things

but at the same time things are being routed through cloudflare tunnel similar to what pangolin offers right

Yes, but cloudflare isn't "in front" of Immich

The traefik goes through cloudflare in plain text, but there isn't an auth wall before Immich

Is there a way to better expose/support external auth walls in the mobile app or are the proxy headers really the only viable method that makes sense

Just use oauth?

Thoughts on just using nginx with lets encrypt & nothing else?

All you need if you want avoid the hassle of a VPN, especially if you plan to share whatever you're hosting with friends/family. Extra steps like fail2ban, cloudflare DNS proxy, etc are helpful though to reduce any risk.
It's what I use.

Like fail2ban specifically for immich? Right now its just a ubuntu server, root & password loigin disabled.

I was a bit hesitant to use cloudflare because I've heard they'll block transfers of files under over 4GB

Id suggest against cf proxy, but otherwise sounds correct

• transfers over 100mb. And they see all of your data

Why's that? I'm talking about the DNS one, so just the ip lookup is proxied, rejecting specific regions or other rules that can be set up

As opposed to the full tunnel

Proxy fully tunnels data

That's my understanding of it at least.

I've never used fail2ban, I know they have the default "jail" config, but would I need to setup a custom config just for immich?

Hmmm

Check the HTTPS certificate at the client if you don't believe me, it'll be CloudFlare's and not your server's

Right now I have the docker compose ran, changed it to be on localhost only & just about to setup the reverse proxy, thank you for all the help so far btw but this was the nginx config I was gonna use:

server {
    listen 80;
    server_name (domain);

    # Redirect any request on HTTP to the HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

# Serve HTTPS requests using Certbot-managed SSL and proxy to Docker container
server {
    listen 443 ssl;
    server_name (domain);

    # SSL settings managed by Certbot
    ssl_certificate /etc/letsencrypt/live/(domain)/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/(domain)/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Reverse proxy to Docker container on port 2283 with additional security headers
    location / {
        proxy_pass http://127.0.0.1:2283;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
    }
}```

^ Can vouch for that, I've used cloudflare for other stuff & it'll swap the cert

You'll probably want to add something to change your max body size and timeout for larger videos

What do you have yours set too?

I'm running http not HTTPS atm (over VPN only)

Thats probably best, I didn't wanna go that route cause I've got a VPN router using Mullvad just so my ISP cant spy on all my traffic

That plus the Mullvad app on my phone & laptop so anytime I'm out of the house I'm also covered, essentially been using a public VPN 24/7 for everything for a few years now

Cert is letsencrypt. Verified domain is proxied by flushing DNS cache, setting up VPN to a blocked country, and trying to connect, which was refused

So rather have them spy on all your data.. interesting

Can you share a screenshot of the DNS slider? If it's orange it's (possibly encrypted) from your server to cloudflare, and from there it's decrypted and re-encrypted to the client

Encryption mode is automatic at the moment, which appears to mean cloudflare will step in if there's not a cert in place. But since there is a cert, they hand it off and just proxy the ip lookups

I trust Mullvad way more then I trust my ISP, also by using Mullvad I'm fragmenting the knowledge each party has on me. My ISP would know my internet traffic & my personal info if they were the single party.

Since I pay for Mullvad with Monero now my ISP only has my personal info but not my network traffic & Mullvad has my network traffic but not personal info, so it would now require 2 independent parties to collude with each other to have an equal level of insight that just my ISP had before.

So even if we assume Mullvad is just as bad as my ISP, in the very worst case (Mullvad is spying on everything) I'm still better off because it'll be more difficult for them to attribute the identity to whome my traffic applies too

Thats ignores the many privacy benifits get from internet services who no longer have my ip & my activity is mixed in with a whole bunch of other people

If you share the domain (DM or public) I can quite certainly guarantee that CloudFlare is not blocking requests if it's not proxied. If it is proxied then CloudFlare terminates the connection and reads your data

there's no such thing as a free lunch

ill set up a domain and dm in a few

Cloudflare uses let’s encrypt as far as I know

Compare the fingerprint itself

Lol weeelp

Granted, I've got almost nothing proxied since I just use a wildcard domain.

Been looking at crowdsec for some better protection.

Okay I realized I didn't have web socket enabled, I've updated my nginx config for use with Lets Encrypt & I think its about perfect now:

# Redirect all HTTP traffic to HTTPS
server {
    listen 80;
    server_name (domain);

    # Redirect any request on HTTP to the HTTPS version
    location / {
        return 301 https://$host$request_uri;
    }
}

# Serve HTTPS requests using Certbot-managed SSL and proxy to Docker container
server {
    listen 443 ssl;
    server_name (domain);

    # SSL settings managed by Certbot
    ssl_certificate /etc/letsencrypt/live/(domain)/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/(domain)/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Reverse proxy to Docker container on port 2283 with additional security headers
    location / {

        # Increase maximum allowed client body size
        client_max_body_size 32G;

        # Increase timeouts for receiving the client body
        client_body_timeout 600s;

        # Increase proxy timeouts
        proxy_read_timeout 600;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;

        # enable websockets: http://nginx.org/en/docs/http/websocket.html
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_redirect     off;

        proxy_pass http://127.0.0.1:2283;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Security headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
    }
}```

Okay apparently nginx is bad so I'm switching to apache 1.4, it doesn't support web sockets but thats okay I don't really need to see the server version in the corner of the screen. Here is the new config file I'm using.

SSLEngine on
SSLCertificateFile      /etc/letsencrypt/live/your.domain.com/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/your.domain.com/privkey.pem
# Include additional SSL options if needed. In Apache you might
# include them directly or via an Include directive:
# Include /etc/letsencrypt/options-ssl-apache.conf

# Proxy settings
ProxyPreserveHost On

# Increase timeouts for proxy operations (note that these are global settings 
# that might also be set in the main server config if necessary)
ProxyTimeout 600

# If you need to forward WebSocket connections as well,
# you can add the following ProxyPass directives. (Requires mod_proxy_wstunnel.)
# For example:
# ProxyPass "/ws/" "ws://127.0.0.1:2283/ws/"
# ProxyPassReverse "/ws/" "ws://127.0.0.1:2283/ws/"```

ProxyPass        "/"  "http://127.0.0.1:2283/"
ProxyPassReverse "/"  "http://127.0.0.1:2283/"

# Increase maximum allowed client body size.
# Apache’s LimitRequestBody directive sets the size in bytes.
# To allow very large uploads, you can disable the limit (or set it to a very high value).
# 32G = 34359738368 bytes.
# Note: This directive can be set in a Directory or Location context as needed.
<Location "/">
    LimitRequestBody 0
</Location>

# Set additional headers (security headers)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"

# Optionally, if you need to configure timeouts for reading 
# the client request body you may adjust the TimeOut directive in your main apache.conf.
# For per-request settings you might need to use mod_reqtimeout. For example:
#   RequestReadTimeout header=20-40,MinRate=500 body=600,MinRate=500
# Uncomment and adjust as needed:
# <IfModule reqtimeout_module>
#   RequestReadTimeout header=20-40,MinRate=500 body=600,MinRate=500
# </IfModule>

# Sometimes, you may need to pass additional headers to the backend:
# Using mod_proxy, Apache automatically sets X-Forwarded-For.
# To set additional headers similar to your nginx config, you can use:
RequestHeader set X-Forwarded-Proto "https"

# If you need the real client IP from the connection, Apache already adds it via mod_remoteip
# if configured, or using mod_log_config with %a. Adjust as needed.

nginx bad? what

someone on reddit said so & to use apache 1.4

so I had chatgpt make me a new config

Just because you fail at configuring it doesn't make it bad

no no it was working good, but its worse under the hood

That's a bunch of crock

idk he told me apache is older then nginx has been around for longer & has more robust capabilities & is used for better stuff preferred in enterprise settings

like its what pros use

He's stupid

so I was like "okay I'll use that then"