#Exposing Immich to the internet
This might be what you're looking for:
@rose oar YES! Thank you. I was hoping it already existed.
Good Evening, I am quite new to immich and installed it 6 days ago, I transferred all of my photos to it and want it to do that automatically even outside of my LAN, I own a domain already and would like to link it there. I am using Linux Arch server without UI. Please pin important info here on this thread so others know where to start
Chat gpt is your friend. I used it from beginning to end
Like a personal IT mentor
can even paste in logs for troubleshooting
It is the devil's tool. I will refuse to work for Satan. I would prefer OpenVPN but I am not sure how it functions.
chatgpt is absolutely dogshit for immich related questions though
Crikey, it can assist me through OpenVPN it seems
error: failed retrieving file 'easy-rsa-3.2.2-1-any.pkg.tar.zst' from cdnmirror.com : The requested URL returned error: 404
... what is that URL even
The one registered in the Arch wiki it seems like
tar.zst is a compression format not a URL
Why does it take its own mirror it was just a pacman -Syu command
For me it brought me from essentially zero knowledge on networking (outside of port forwarding on a router) and docker, to running a full fledged immich setup through CloudFlare with reverse proxy, ddns, subdomains, SSL certificates, automated backups etc. so I'll respectfully hard disagree with you
It helped me with the compose for immich specifically and various other immich related troubleshooting
You can ask many questions but I've not seen it produce anything useful concerning immich config
@ornate notch you're much better off looking for generic reverse proxy guides for Arch
That, is something it can pull out of the immich site
There's nothing Immich specific about accessing a local IP on a certain port
Tailscale and Caddy?
How do I connect it to immich with the domain and stuff though
caddy is and it can be registered there
https://immich.app/docs/administration/reverse-proxy/#caddy-example-config
And set the external URL in admin settings
Do you have a paid model perhaps?
Is this the same as remote access though?
If you want to access through a domain you'll need that + a (D)DNS record for your IP address and a port forward on your router
I have done the same with my minecraft server but I followed a guide and didn't use a bought domain and without proxy. I think it'll be a bit different with immich but eh
chatgpt will always give you an answer, often it works at least partly...
unfortunately it will fill unknown information with the best info it has, sometimes simply incorrect info
some topics it knows better, some it doesn't
i use chatgpt also but not for such tasks, simpler information gathering tasks to learn how things work to then do it yourself
biggest problem is usually that you need to verify each result as it may be made up
@ornate notch Install Tailscale on your server/device, activate funnel to port 2283 and then you can have external access with a direct link to your immich installation without opening ports, complete with SSL encryption etc and no need for a custom domain
ChatGPT can help you with this as it is widely used, just mention the OS properly
Be aware that cloudflare has a 100MB limit
So can't upload large files over it right now
Oh
I'll delete everything again then and use something else because I am literally transferring my phone's files
No no
You can configure both and then decide what you want to keep
I also have cloudflare & tailscale at the same time running
One for sharing files and using my personal domain
and tailscale funnel as primary to access & upload
They are not concurrent so it works both ways
In the app you can configure many things as
1 - in which order you want to access your server as you can configure different links
2 - which link you want to use when connected to a specific network, e.g. direct IP when on home wifi
It's all under Settings > Networking
That being said, Cloudflare proxy also kind of sucks beyond the 100MB upload limit for privacy reasons, since it requires you to trust them blindly.
@distant crypt That's true but on the other hand, your phone is either checked by Google or Apple, your ISP also can see what you are doing. Where does it start and end
I'm just saying that this particular thing is avoidable. Cloudflare proxy does not really give you anything in a self-hosting scenario
Well in their defense, security and convenience as you don't have to open ports and their system is super easy to use, otherwise not many people would use it
I'm not affiliated to them or something, but yeah
Where's the issue with opening a port though if you're using a self-hosted reverse proxy
They definitely have a value for enterprises; we rely on them heavily. And their DNS is also pretty nice
I guess it's just fear for people who don't know the exact implications & risks of port forwarding
E.g. I'd rather not open any ports because I don't know what the risks are
So you rather trust a third party with your plain text data?
Plus, a port is open either way. It's just not 80/443 but some higher number TCP port that goes to the tunnel daemon
Really I don't understand why people are scared about opening some port that goes to nginx or traefik or whatever. What should happen?
I don't know maybe some exploit will magically appear and steal their info
Hackerman will come
😄
I mean to meaningfully do something you'd have to (1) find a pretty bad exploit in the reverse proxy and then (2) pull off a container escape. The same can happen to the tunneld container. It's just like no difference
Not everyone is so invested to know all the risk
The point of my argument is; the risks you're talking about are the same for both cloudflare tunnel and traefik, nginx, caddy, whatever
It's fine to say "I don't care", but it's not fine to say it's all the same 👀
Directly opening ports also makes you vulnerable to DDOS, or the random internet scans may eat up some bandwidth. A bunch of incoming traffic could make outgoing traffic impossible too. If you have a proxy in front of it, you can just cut it off there. If you are direct, much harder.
Nobody will pull a DDOS for your homelab lmao. Way too expensive
Is that directed at me?
My point was about mitigation. Also, you can figure out your physical location to about a few miles with just a bare residential ip
I get it was a joke, but I was alluding to that every internet connection needs a port open. When you make a request to a page one of the first things that happens is you're opening a TCP port
I maaaay let that fly in like a very rural area, everywhere else it's like not really an argument. Plus, as established multiple times, you're browsing the internet, so
So we have:
"Giving a corporation access to all your passwords/logins/habits/..."
vs
"Giving a potential stalker a radius of where you live"
+
"Mild inconvenience when a script kiddie decides to nuke your internet"
I know my favorite 👀
I want all three! 
How much?
$5
Sold
so I'll try using tailscale again but last time I used their DNS I had bad experiences because it kept saying it doesn't have an IP addressed to it or it would refuse connection
@ornate notch Which OS are you running on?
Fail2ban or similar can also help. Not sure if there are other good OSS packages that block traffic automatically
arch
(btw)
so replace cloudflare with tailscale or what now
i have very little idea of what i am doing
Write in chatGPT: Help me install tailscale funnel on arch linux through command line to access my immich installation on my internal port 2283
The result will be
A link to your Immich installation to the login screen which you can paste in your browser & app where you can access your installation
The best way to mitigate security threats is to also accept that they will happen. And follow defense in depth practices. Making it harder to move laterally once they’re in. Ie don’t save ssh keys or other credentials on the exposed server. If you can’t spare a physical server, at least use a VM which is a bit harder to escape. Containers are insecure by default.
a bit harder to escape
If someone wastes a qemu escape on your homelab I'd be LOLing haha
True 😉 you’ll probably be alright. The main risks I think would be using weak passwords and exposing ssh
And don’t use windows. 😉
Tho I think that’s more secure these days
why would you think that cloudflare would stop that exploit?
for a container, you still need access to the container first before being able to use any container escape exploits
all of which is unlikely to be used against a random immich user
with access to a container i mean you would first need an exploit of e.g. immich which would then allow access to the container level
I definitely don't expose ssh directly 👀
i serve everything via tls/ssl only
ok, except of wireguard
if i need ssh access to something, i connect to an html5 remote desktop environment in which i can start an ssh client :[
I still want to use my domain though
Then you have two options
- Point your DNS to cloudflare and use the Cloudflare Tunnel zero trust to access your immich instance
- Open a port and configure a reverse proxy
If you don't want any of that then you can rent a VPS somewhere and host your FOSS tunnel through Pangolin/Fossorial
but how do I point the domain to the IP of the machine the reverse proxy is running on without cloudflare
i also don't want a 100mb limit
That's above my knowledge, I only use low config tools like Tailscale funnel & Cloudflare Tunnel
So my setup has its limitations but I can live with those
you would either create a dns entry with your registrar / nameserver
are there any free alternatives to cloudflare that dont have some limit and still use my domain name
I'd suggest reading up on what a reverse proxy is and how it works
oh so cloudflare is one
use a reverse proxy ^^
if there is no need to expose any ports because there is like two people using it and its only with wireguard... fine
no need to be afraid of "just exposing" your immich install with a properly configured reverse proxy
i tried now i connected my domain with tailnet url using cloudflare
it simply does not work
i tried dig it gives positive results
but when i open the domain with the dns thing it doesnt work
if i open the tailnet url it brings me to caddy
my caddyfile looks like this wait
i dont see an advantage in that solution but to each his own
a properly configured reverse proxy is so much simpler and can be used for all other services as well... just need to learn once about proper setup, googling cause a long way
i dont use caddy, sorry
still reverse proxy
idk what to do, I'll try something else I guess. I followed this but I can't open it at the end and caddy wants me to upload my server's files to /srv/http
https://www.youtube.com/watch?v=Vt4PDUXB_fg&t=
have you tried contacting the guy who made the video? if he is from tailscale, maybe in their forums?
I suggest taking a step back and learning what are the things you are trying to do, how the pieces fit together, and what are the tools to implement each piece in your setup.
ill try nginx instead now
turns out cloudflare tunnel works well
it doesn't support large file upload FYI
(they can also read all your data)
i deleted the tunnel now i tried tailscale without caddy and without my precious domain and it works on my phone now without lan connection
Yeah tailscale is a good choice
i wish immich had a google drive alternative built into it
for like files that are not photos or videos
That'd be a different product :P
immich plugins
You can try nextcloud for this type of functionality.
Also something that is worth checking is https://docs.numerique.gouv.fr/home/ (I haven't tried myself, but it's on the menu).
And for documents paperless-ngx is a good suggestion
Or just Filebrowser if it's just for files. So simple
If you're using Nginx I suggest using their Proxy Manager, it comes with a WebUI
I use filebrowser as a cms to manage a Hugo website 😛
only thing I hate is that the title always includes the name of the root dir of each user
I wish it could be easier to sync with Windows, e.g. to have your Filebrowser as a drive in Explorer like Gdrive. I don't know if there's something like a program for that
I need to try Seafile in a docker LXC
I don’t sync with filebrowser at all, I use Nextcloud for my data sharing and paperless for documents
I'm looking for something lightweight, Filebrowser also has external sharing
Yes but no sync afaik, I also use Nextcloud for calendar and contacts
Lightweight you might want to try syncthing
I have probably the most basic setup.
I already had a digital ocean droplet that was running a small web app and a DB instance.
- I increased the resources of the droplet
- modified the DB instance to have pgvecto (now VectorChord after the update to 1.123)
- Installed immich and it runs behind a reverse proxy via caddy
Maybe some day chunked uploads?
Just use Pangolin, it's the easy way
Tailscale and a Cloudflared SaaS working together with google cloud console Oauth. Disabled password login on immich.
So when I want to login, I connect to Tailscale, put in the tailscale ip:immichportnumber, and login with my google account which contains MFA steps
Also having Google OAuth.
But also disable registration of new users. So that you have to whitelist a users Gmail address before he can login.
Thanks for the addition, totally agree!
I feel good using nginx proxy manager on digital ocean as a reverse proxy, I just need to find some sort of logging/monitoring solution for it to alert me to potential issues like resource overutilization
what kind of resources?
nginx itself has some config for that i believe and cpu/ram you can limit on the container level
I’m just looking for some obvious signs of somebody hammering it trying to find a way in
I’ll only allow oauth login but still
anyone have a nginx template for immich?
I got it to work for the mobile app with my url. The browser just shows the immich logo spinning.
I want that my Images are automatically synched to my Immich Server when I am not at home. What should I use? Tailscale, Cloudflare Tunnel or something different
because I think that this isn't a secure way
I'd recommend Tailscale
So I install it in the Immich container. Then I create a shortcut that, when i open the app tailscale it should connect using no exit-node
But when Tailscale isn't turned on when I am not at home then it won't automatically sync when I am not opening the app
You can go to your profile settings in Tailscale app > VPN on demand, then toggle it on
it will stay connected
will it need a lot of battery
it is just a VPN connection, I don't imagine it will eat the battery. I mainly use Wireguard and I've always had it on, don't notice anything regarding battery life
Can I close the app on the app screen
These are the settings that I need, right?
Should I use a subnet router or no exit-node
Because I host one
not sure about exit node but yeah, that is the setting I mentioned in Tailscale app
Someone may have already mentioned this but I just did a free Cloudflared Tunnel to my docker install. Set it up so my subdomain was public and people who have a login (Family, etc) can go to the domain, sign in and see the photos.
yes, thats mentioned a lot...
its a good solution with some things you just need to know:
1.) there is an upload limit of 100MB, so you might need to upload videos once you get home
2.) the unencrypted traffic passes their servers, your data is their product 😉
3.) while there is some "protection", it is less than most think and probably doesn't protect from what most would want to be protected from
4.) it "hides" your IP from those you share the links with but that does not mean your ip is protected 😛
Are there any settings in Immich by default that need to be changed to get reverse proxy working? I have about 10 or so items setup this exact same way as the photos above and they all work out of the gate, but Immich for some reason is not working. Using NGINX and Cloudflare.
Immich's Default port is 2283 not 8080, could be as simple as that.
@rancid tangle
unfortunately no luck. when i check the dockers config it shows webui port of 8080
Is it accessible directly using the local hostname/IP and port like my screenshot?
I just had a look, the port in the default docker-compose is still 2283. If you want to change the port to be 8080 make sure you just set the host side and leave the container side as is, so:

```yaml
ports:
  - '8080:2283'
```
it works using the following ip: http://192.168.0.19:8080/photos
here are the docker settings I see (defaults on everything except my IP address)
you are using cf tunnels and a reverse proxy? cf is already a reverse proxy, nginx doesn't make sense here. anyway, you should check nginx logs, this is hardly an Immich issue
CF is my host, nginx is my reverse proxy
Hi! I am using yunohost.org. Works perfectly and includes typical security measures.
Change your forward port to 2283:2283. For whatever reason even if I change the port on docker, the reverse proxy will only work with 2283
I had the same issue where I exposed it to a different port which worked with a local ip but the reverse proxy could not handle it
Haven't got a clue why
because if you host your reverse proxy in docker, unless you are attaching a host network, it will use the internal network, and hence, it's using the internal ports not the exposed
which typical security measures?
It gives you a SSL cert 
sad but probably true, lol
to be fair, I wouldn't know how to properly do that automated for every service and have each service still working
its either plug and play or secure :[
Oh yeah ofc not
And also fail2ban for the SSH port… 🙂
say what? 😄
i hope you don't actually leave ssh open 😄
ssh honeypot to gather IPs to ban maybe 😄
I do. I do use a non-standard port but I wouldn't lose sleep over using 22
But why? SSH is one of the most tested and widely deployed protocols in the world
If you have it well configured and hardened I think it’s totally safe
if you have it well configured on a hardened system it can be OK
but sometimes exploits are out there, there are some honeypots that use actual ssh servers with actual sandboxed systems out there, those are taken over sometimes
since then I don't expose ssh anymore 😛
I probably would with something as simple as a port knock pin but haven't had a need to since switching to html5 access (with MFA of course) for ssh (actually a full desktop which has read-only access to most of my data and read-write to some of my data which is there as a copy, e.g. emails and an upload directory)
Has there ever been a report of anyone having data issues with cloudflare tunnel on their immich install? Or is this more theoretical?
you mean data privacy?
there are issues with upload limits if you meant that...
them having access to your unencrypted data is a fact, not theoretical
if they actually do access your data, that part is theoretical
data issues
what kind of data issues?
Does someone have a link to a end to end guide for setting up remote access? I'd like it to cover: setting up an NGINX docker, config my home internet router port forwarding, getting a LetsEncrypt cert, setting up the NGINX ports and config, any changes to my Immich docker, which is now accessible on the LAN only on port 2283, but no ports forwarded from the internet router. I thought I'd figure it out from this Discourse discussion... but it goes back years, thousands of comments.
I'm guessing I'd set up internet router port 443 forwarding to my server, server NGINX docker listening on 443, NGINX forwarding 443 to localhost (server) 2283, Immich docker listening on 2283 ? BTW does this setup preclude running any other https web site in my LAN because 443 is now dedicated to Immich?
basically you set up the reverse proxy of your choice... how to do that is not covered here
immich docs show examples on the immich specific config for e.g. nginx
your reverse proxy (e.g. nginx) would receive all requests to port 443 and would forward it according to the websites fqdn (e.g. immich to your immich and serviceB to another server)
with that setup you could host unlimited services behind your reverse proxy
but again, the setup of the reverse proxy itself is not explicitly covered here, you can find a few hardening tips in the history here
You can mount Google drive on your Immich server with rclone.
Ah, got it. My reverse proxy gets all traffic to 443 and 80 and looks at the domain name to decide where to forward it (for example to my Immich or my Plex etc.) And of course other services could run on non-standard ports without going through the reverse proxy.
immich would run on a non standard port, your reverse proxy would simply forward the traffic to your defined ip/port
a reverse proxy can also be configured to e.g. allow access to certain websites only from within your LAN
Thanks everyone, it went smoothly. I did the following:
- On my domain registrar, I set up photos.mydomain.com as a CNAME to photosmydomain.duckdns.org
- On duckdns, I set up photosmydomain
- On my server I set up a cronjob script to update my dynamic DNS, photosmydomain, every 30 minutes (from the example on duckdns.org)
- On my internet router I forwarded ports 80 (HTTP) and 443 (HTTPS) to my server. This means ONLY 80 and 443 can get in from the Internet.
- On my server, I setup a docker container with Caddy (the simplest reverse proxy) listening to port 443 and forwarding to port 2283 (Immich)
- No changes were necessary to my Immich container. It was already listening on port 2283 for any local traffic on my LAN.
- I set up users for my family on the Immich server
It worked right the first time. I can go to photos.mydomain.com and log into my Immich!
Update: My home internet router has trouble doing NAT going out to photos.mydomain.com and back in to the LAN. So from outside I use photos.mydomain.com and from inside I use http://myserver:2283 directly bypassing the reverse-proxy and cert issues.
- On my server, I setup a docker container with Caddy (the simplest reverse proxy) listening to port 443 and forwarding to port 2283 (Immich)
that is debatable 😛
either way, look into hardening your system and reverse proxy, always a good idea 🙂
and enjoy, its a lot of fun 🙂
Just found out about this… anyone wanna try it? Homepage seems very hyped up, but looks great if it works and isn’t too difficult https://github.com/octelium/octelium
ewe... it's very difficult to configure, but looks kinda neato
how about cloudflare domain?
I used the free ddns of www.noip.com,
on my local server, I setup nginx to proxy_pass to immich,
I port fw 80 and 443 to my server IP in my router,
then I configured certbot to enable TLS on the name I chose with noip.com.
It should be easy enough to replicate dynamic dns on any domain name as long as domain name provider has an easy to use API.
Just run a systemd timer every 5m that runs on PC with immich, checks its public IP, compares with current record, and if necessary call domain name provider to update DNS record.
yea, there are also tools for that like ddclient if a simple curl isnt enough
i just came off the free ddns subdomain because it is going to mess up once you want to host more like an OAuth provider or a cloud service or something (once you get into self hosting it gets addicting). Pay a few euro/dollar a year for your own domain and it will make future subdomains much easier and it all is cleaner.
also you don't have to open more ports than 443 since you can separate your services by subdomain
You still need :80 for certbot to get the TLS cert, no?
DNS-01!
With Nginx I had to open port 80 indeed but since I'm using Caddy I don't have to anymore because it does it over TLS I guess. It pulled certificates and they are valid without port 80 being open.
because it does it over TLS I guess.
That's rather hard if you don't have a TLS cert :P
I'm assuming you gave caddy creds to your DNS provider?
Serious question what’s the harm with opening 80?
You know it goes to the same backend process right 😅
Not really any
(assuming you enable https redirect and don't allow people to use http for your services :P)
Yes I wonder about that myself when people start crying about major security issues because port 80 is open for redirect
It's not an issue depending on the usage.
The danger is some client reaching out to port :80 and sending confidential data.
Nowadays, it would be hard to find a client stupid enough to do that.
To give some perspective, I checked the websites of a few banks and they all listen to :80 (and redirect to :443).
What data if all you get is a redirect?
I agree if the same website is available via http… but just for a redirect, I see no issue…
I don’t see a problem in not having a redirect either as modern browsers will know those sites are supposed to be accessed via https
I am just saying, a simple redirect shouldn’t be an issue and there shouldn’t be a case where a client just sends confidential unencrypted data to any port
If you make sure the page is not served through http, I don't see an issue as well. But I would use HSTS rather than a redirect. Modern browsers will understand this and will not try to use http in the first place
I use pangolin with CrowdSec to publish my services to public internet - just to answer the initial question
Using hsts is a given and is what I meant when I said modern browsers „know“ to access via https…
Sometimes a specific redirect is wanted, though I wouldn’t have a use case for it myself
Agree with you. For my own services I would not use http -> https redirect as I also control the clients.
In case I would need that stuff for a public audience I would also use the redirect
🤷♂️ Shri don't really see an issue either way, I have it on in general so I leave it on. I have a single webpage that is available only inside my home network which serves http content, nothing confidential… just some ip lists
Hey folks having some real what I can only presume to be knowledge issues here WRT Docker networking to get Immich exposed to the internet
Using Nginx Proxy Manager I am currently able to access my instance by URL on the local network but not via the internet
This is the only external service I have running in Docker everything else is an LXC on the local net and Nginx on the same instance is kept internal which is why I presume this is a Docker network knowledge issue
Things I've tried in combination:
- Putting immich-server in network_mode: host (did not get to the point of being able to access locally via IP)
- Setting IMMICH_TRUSTED_PROXIES to the local and docker IPs of Nginx
- Setting IMMICH_HOST to that of the Docker host
Any basics I might have missed that immediately spring to people's minds?
if you can access your instance by url, the problem is not docker. you have to forward ports in your router
Anything other than 80 and 443 I should be forwarding then? I was of the understanding that's all that was necessary for this
And that forwarding 2283 was a "should avoid"
Correct, don’t forward 2283
If you get nothing but it works from inside, it’s either a DNS or port forwarding issue
Is immich android app fine if you put an http(s) basicauth before it?
https://user:pass@subdomain
I just have traefik with https before it
since some ios lusers will use it i cannot make it too complicated.
But an ips won't hurt i guess
It might sort of work but it might also break features like video playback.
Thanks for the pointer I'd gotten away with an @ host in as my only DYN record for every other service (nslookup had previously complained for subdomains but would fall back/assume correctly) having a DYN record for each service immich included it appears to be happy (and is probably how I should have it set up!)
You need to setup a reverse proxy to handle traffic coming from the internet.
AFAIK, immich cannot (securely) handle it.
https://immich.app/docs/administration/reverse-proxy/
You should, yes
Can I use Tailscale to access Immich remotely while maintaining local access via localhost:2283 and 10.0.0.100:2283 ?
I once setup Tailscale on Ubuntu by installing binary files, allowing remote access to the whole Ubuntu device. But currently I don't want to Tailscale my whole PC, just want it to remotely access Immich with Tailscale. Btw I'm using Docker Desktop on Windows 11 to run Immich.
if you don't want to install tailscale on your host, you could use the tailscale docker implementation to just share your container's internal network
Anyone out there using crowdsec to secure Immich with an up-to-date whitelist rule? This (https://github.com/immich-app/immich/discussions/3243#discussioncomment-6543612) was the most recent example I could find, but it's about two years old and needs some tweaking. I came up with the rule below, but just curious if anyone smarter than me has a better version.
```yaml
whitelist:
  reason: "Whitelist false positive from Immich-api"
  expression:
    - evt.Meta.http_verb == 'POST' && evt.Meta.http_status == '403' && evt.Parsed.request contains '/asset/upload'
    - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '429' && evt.Parsed.request contains '/api/asset/thumbnail/'
    - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '200' && evt.Parsed.request contains '/api/asset/thumbnail/'
    - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '304' && evt.Parsed.request contains '/api/asset/thumbnail/'
    - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '429' && evt.Parsed.request contains '/photos/'
    - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '200' && evt.Parsed.request contains '/photos/'
    - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '304' && evt.Parsed.request contains '/photos/'
```
I think you can comment to that Github discussions to help people and to get the correction
Whoa whoa whoa let's not get crazy
Swag (ngnix+fail2ban) reverse proxy with openid using Authentik behind Opnsense firewall with crowdsec
I am using pangolin + crowdsec + geoblocking + authentik. I am happy with my setup.
I will update that whitelist tonight with my added paths 👍
I can't connect to immich on my phone via grapheneos, idk whose fault it is? Tailscale or Grapheneos? Here is my resolv conf
I have tailscale on my grapheneos
Enabled
Sorry for being late 😅 Here is my updated config, works for my friends, family and me 🙂
https://github.com/immich-app/immich/discussions/3243#discussioncomment-13837508
Thanks for updating the whitelist my friend, we appreciate it. I didn't realize there was a new /api/assets path and strangely haven't run into any issues with it yet. Is that related to the /photos path? I'm curious why you chose not to whitelist that path as well.
I don't remember in which Immich version it was, but one of the latest ones, i got constantly blocked by /api/assets because of uploads.
I have not got any blocks after i added that, but if you do. Please tell me so i can update it 😄
Similar to the thumbnail block you get when scrolling through the timeline, you'll get a block from paging through photos too fast. To solve for that I copied the rules you had for /api/asset/thumbnail and replaced that with /photos. Another user on git mentioned issues with non-Immich users getting blocked when paging through a shared album too fast, and as far as I can tell that is also solved by whitelisting /photos.
Nice, then i will add them as well 🙂
Just as simple as this, right? I can now access Immich with localhost:2283 and remotely with Tailscale. But I'm afraid there's some misconfiguration. First time using a containerized tailscale
Does your server on internet access there?
Hi! I just started about 3 days ago, its been so fun 🙂
My setup right now is just a raspberry pi, exposed via port forwarding on my router behind a reverse proxy (nginx) with SSL via let's encrypt. Using duckdns for a free domain to configure let's encrypt
very simple, not the most ideal.
what improvements would you recommend securitywise?
sounds good....
security wise if you want to improve, look into hardening nginx reverse proxy, use best practices and harden your OS and docker.
https://www.cisecurity.org/ <- you can get good best practices benchmarks here for free
many also implement geoblocking and brute-force blocking, though I personally don't believe it helps that much
if you have a firewall with IDS/IPS, you can of course make use of that as well
hey all
I've been running immich behind a wire guard VPN for a few months now, but I've decided that I want to expose it to the internet on one of my domains.
I've done some research, and I want to use a cloudflare tunnel to expose it, along with using their zero trust to restrict access, and also fail2ban to stop brute force attacks.
does anyone have any feedback or recommendations for a setup such as this one?
thanks
File limit on cloudflare proxy is 100 mb, that‘s why I went with pangolin (+crowdsec, geoblock and authentik). Not sure if that‘s also the case for cloudflare tunnel.
I use cloudflare tunnel, my usecase is mostly browsing the uploaded content, I upload directly to my server lib, where immich scans it.
As mentioned by hoplie, upload will cap to 100mb otherwise.
I also configured oAuth with my own Google account, this way session management is done through it, you can also use Authentik, but that means you have to host that yourself also.
cloudflare means 100mbyte size limit
fail2ban over cloudflare has special setup requirements, make sure you read up on fail2ban together with cloudflare
there are plenty people mentioning their setup examples...
mine is reverse proxy (nginx) with a firewall, all just at home
FYI:
https://www.reddit.com/r/immich/comments/1md0l5j/people_with_families_how_do_you_remote_access/
@distant crypt Would it be okay to PIN it here?
What does it add that's worth pinning? Isn't that just another person talking about how they did remote access?
Yes, but on Reddit, It can help people get more information (especially since it's much easier to figure out who's talking to whom on Reddit than here on Discord) Tree view
You can also do threads here, people just don't use that 😅
I don't know, I don't think that thread is as important that it's worth pinning tbh. Also, there's already soooo many information all over the place
thanks for the feedback all, I think I've decided against using a cloudflare tunnel, due to the upload limits, as well as apparently they don't like video content being served through the tunnel, and I would also like to expose my jellyfin install through it
just harden your reverse proxy and expose it :[
of course there are risks, but there always are...
harden and keep up to date is my recommendation
and as for that thread...
I also don't think it's worth pinning, even the opening post is confusing
- ddns
Not great from a security stand point
security? 😕
and then there is just discussion about it...
I personally recommend two options:
- wireguard or the likes
-> secure and "easy" for small setups with only few members and without sharing
-> if this is enough for you, I do not see a reason to jump into the rabbit hole and do any more than this... don't force yourself to stay with this if your needs increase though!
- expose via reverse proxy
-> harden and use best practices and you will be more secure than most
there are always corner cases but the problem is that people (including me) are a bit paranoid.
if people express their security concerns, it does not mean you will be "hacked", things need to be taken into consideration (activate brain).
What weighed the most on my decision on how to expose to the internet was the clients (me and my partner).
Using VPNs adds one more thing into consideration, so that was a no-no for my specific case. She wouldn't even give it a try if she had to use another app before using immich
exactly...
for yourself and a partner, a vpn might be sufficient...
add some grandparents that don't live close and you might think different 😄
sorry, i edited 😄 after rereading what i wrote, i meant something else haha
well, to be fair... you CAN configure it so she does not need to open any app and the connection simply stays active and is used for immich only
true, but that means handling her phone more, i wanted it to be almost as easy to use as google photos/ios
install the app, log in, and go
this would be my first time exposing services, so I don't have any prior experience, and I want to make sure I'm keeping it as safe as I can, so I'm being quite cautious with what I'm doing
well, google best practices for the reverse proxy you are using and use TLS1.2+
if you want to go the extra mile, harden your docker and OS
I tried oauth on cloud flare and could get it working so just a cloud flare tunnel currently
if that works for you its fine also 🙂
I'm using tailscale to get access its super simple and easy and the most important part is that it is secure. Just install tailscale and then join the tailnet and then you have the access to that local instance.
yea, wireguard,tailscale or other VPNs are great, especially if you are the only one accessing it
I'm glad I posted this, because last night AT&T Internet decided to wipe my router settings and my port forwarding and firewall rules were erased. I looked at my old post to remind myself what I had set up to troubleshoot why my Immich wasn't working.
I use tailscale. I hope thats secure enough.
secure enough is a matter of opinion...
there is always a more secure option
for me, exposing it with a hardened reverse proxy, all running at home is secure enough for me
the reason I recommend a VPN for those that are satisfied with it is just ease of setup and limited attack vector (meaning a misconfiguration, e.g. admin user with password admin would not be able to be accessed by everyone... basically its a quicker entry to get running for people just starting out self-hosting)
If it's just tailscale then it's secure
Anyone have any comments for my current configuration? I have Immich running on a Ugreen DXP2800. 2 8TB Seagate HDD in a RAID 1 configuration. I access it via a URL and have the NAS connected to my router at home. I have port forwarding that goes to NGINX proxy manager and then points it to my Immich. Any comments on security or volume of users I could service would be appreciated.
have you tried reading anything here beforehand, any specific question?
if you are more elaborate, people can help better
e.g. how many users do you WANT to serve and what are the specs on that Ugreen device so people don't have to look it up?
where is immich running, where is the NAS running or are they the same device?
as for security... "I access it via a URL" and "I have a port forwarding that goes to NGINX proxy manager" does not tell me that much about your config but yes, if you set that up in a secure manner, its security would be enough for me (more secure is always possible).
I hope to service about 15 people in the field that would have an iphone and an ipad. None of these people would have a need for access via web portal. There would be 8 people in the office that would only view via web portal. The Ugreen I have has a 12th gen intel N100 quad core with 8gb ram ddr5. This particular unit can upgrade to 16 gb ram, 2 m.2 slots, or even take ssd drives if I wish to add. Right now I have it with the basics and it feels snappy when testing it with 5 people.
Immich is in portainer inside my ugreen NAS which is connected to my home router. Only downside is I do not have a static IP yet.
I guess what I was wondering is if anyone had an idea of how many users this setup could service. I would say the field accounts would take on average 8 pictures a day each x 15 people. So at the most, it would be 120 new pictures a day.
Plus the load of the 8 people in the office viewing these pictures via internet.
Feel like the speed of my internet would be the limiting factor here.
Yes it will be 😛
DDNS exists for this reason
Interesting. Thank you.
20mbit upload will definitely be the limiting factor...
probably OK for 1-3 people but 23 people accessing it at the same time over 20mbit...
if you get the bandwidth resolved, you definitely want container data (thumbs, encodings, database...) on an ssd/nvme and depending if the users access the originals a lot, you may also want to get an SSD for the libraries
Thank you
I've been slowly moving away from a VPS approach to on-demand wireguard through my vpn. The one thing I want to do though is stand up an internal reverse proxy to front Immich with HTTPS; is there a great way of doing that without exposing 80/443 on my internal network for DNS redirection/lets encrypt rotation?
You can do txt record validation instead
wow... did not know this existed.
This is more secure?
Just another type of verification. It's required when doing wildcard if I remember correctly. At least that's how I'm getting a wildcard for my local network.
AFAIK it's like pretty much same same, but DNS-01 is more convenient for sure. You can also get wildcard certs through that
I would agree, it's just a different type of verification... has advantages and disadvantages. I do prefer it but would not say it is more secure...
Just found this project for anyone looking for a Cloudflare tunnel alternative https://github.com/wiredoor/wiredoor
https://github.com/oauth2-proxy/oauth2-proxy is used in many professional environments
The Immich mobile app doesn't work with proxy auth, but we support OAuth natively
Honestly haven’t thought about the mobile App. This is just the security standard that many big corporations that I worked with used. I personally luckily don’t have to make immich available directly.
The added security factor isn't as big, the biggest gains you get from using OAuth in the first place. Realistically you'd not even open it to the public in the first place if you are very strongly worried about security.
Also, Immich does not target companies primarily :D
Realistically we're just using a battle-tested oauth lib, with an insane amount of downloads and usages. Trusting that seems reasonable to me
Yeah, but tech companies at least have pre-existing security guidelines one can follow
Tech companies also have a very different threat level compared to some random person's homelab 
And tbf even in companies the most common attack vector is phishing lmfao
I am stricter than my company tbh, lol
Fair
If you feel better with that, go for it! :P
After all self hosting is also about learning stuff, even if it doesn't make sense
(or your company just sucks, idk lol)
The discussion I had about that was that it is safer than IP whitelisting nowadays and thus recommended in production environments
An auth proxy layer is more of a "the software does not support oauth, so we need to add another component to our stack to make it secure".
I'd be interested in those arguments tbh. Yes, IP spoofing is a thing, but also only to a limited degree. Proxy oauth adds very little
The security standards are very rigid, but since I am the only person who needs to access my devices I can be far more radical in my approaches
The argument is that if you work with cloud infrastructure like we do IPs can be squatted like domains (which actually happened to one of our customers according to some of my older coworkers)
Ok so that's an argument why ip address whitelisting is far from perfect. And what's the argument in favor of proxy oauth?
Just do both IP allowlisting and OAuth 😎
Honestly I was happy with the first answer. I‘ve only been at my employer for about a year and that was the answer to my question: "why do we use oauth-proxy over IP whitelisting?" I just know that we by far aren’t the only ones using that solution.
Yes, as Finn said you can use oauth proxy stuff if your application does not support oauth
Fair. IMO you should prefer integrated solutions over added components in the deployment. It adds a lot of complexity for very little benefit.
If you want an additional layer of sec, use mTLS or something
The lib in immich is just as vulnerable as the one used in the auth proxy
Yup exactly
At my company we do use a combination of IP lists and OAuth where we feel like it's necessary (not all of it)
Sure. Maybe I‘ll discuss that at work sometime in the future. Maybe there is some other reason that I do not yet know or someone just messed up and this just became company policy to at minimum have oauth enabled.
I don't think either of us is arguing against oauth tbc
I'd say OAuth or similar should be minimum everywhere
Yeah, I‘d still be interested in the additional reasons for using it instead of ip-whitelisting. Maybe it is just for convenience reasons, idk. My first year out of university, so I am currently learning some of the real life trade-offs
IP proves next to nothing. See it more as a weak second factor.
Any kind of secret sent as part of the request would be better
Don’t 100% agree with that, depending on the level of control you exert over that IP it’s exceedingly harder to fake that even if credentials are leaked
Obviously you could have an ISP level takeover etc
Sure, if you control it I agree. But for cloud envs that were mentioned before they may change regularly
Yes they will
Yeah. My university had been given an entire /16 range. They just gave every device unique IPs and specific subnets completely reserved for working on sensitive devices. Then IP whitelists are way more effective
Back in my early to mid teens I had the idea to whitelist my home IP using DDNS. Didn’t end well, lol
I'd still add another layer on this, even for private networks. With docker you might have many applications running on the same host, and you don't want every single one of these containers to be able to access hosts that are only intended for the other container
I know a bit about the setup and they just used LXC containers with unique IPs
In the end it's all about minimizing the attack surface
Ah sure IP per container also works. But I don't see that very often.
They had 1000s of IPs lying around. IPv4s were distributed like candy in the early days
Yeah my company has a /20. It's crazy what you could just get back then.
Wouldn’t surprise me if a random company still had a million IPv4s reserved that it isn’t using
Deutsche Telekom (known as T-Mobile in the US) still gives out a unique IPv4 to every customer (even more for some legacy customers)
You mean they don’t use CGNAT? That’s not really abnormal
Most german ISPs still do that. I'd switch providers if they wouldnt
Unless you mean for a cellphone..
No they give out public IPs directly. No CG-NAT or DS-Lite
Didn’t have a choice here. Vodafone is the only company offering fiber here and they only offer DS-Lite nowadays
Ah yes Vodafone is the bad one in that set and unfortunately a lot of people with them have no alternative 🙁
I use a public mail server anyway that I can use to access my network through WireGuard even in weird scenarios, but yeah standard IPv4 would be much better
And while I was at school I had an O2 contract for my phone, who didn’t have IPv6 support until 2021 or 22 IIRC
I am honestly waiting for the first IPv6 only networks
That would be a big step into the right direction
Won't happen for a very very very long time. It would just break too much for customers. v6 Servers on the other hand are starting to be a thing.
unless you consider v4 tunneling in v6 networks as v6 only
Yeah. Business has to move first. Probably starting with v6 only backends
that is not abnormal, at all
My sample size is tiny, so, fair
not having a public ipv4 unfortunately still causes many issues in the self hosting space
I used to run a wireguard tunnel from a vps back when i had cgnat
I am still doing that. I am using the VPS for other things, so I am okay with that
I have a public ipv4 without cgnat, nothing special about it here
Coax != Fiber
I meant fiber though. In my street you have the choice between Vodafone fiber or DSL without vectoring
You're in Germany, right?
Yep
Then you can use any provider if it's actually fiber. That's thanks to open access
I am fairly confident you mean Vodafone Coax, not fiber
Vodafone is a reseller for Telekom Glasfaser though.
Yes, that's the open access part. If one party builds fiber every ISP is allowed to use that
But yes, you can use any provider then.
Nope, I 100% have a fiber connection. The Telekom just refuses to use it for some reason
In your apartment/house you don't use the typical TV cables?
You get more than 100Mbps upload?
Nope
Then you can definitely just switch ISPs if you want to
Yep
If you ask the Telekom they say that they only offer DSL in my street. IIRC there was a big argument with my city about a decade ago
Then go with someone else? 1&1?
There is currently one other company offering a contract. They only offer fiber and only operate in my state. I might look into them in the future
Thing is: even if other providers can use the network, most don't offer this. I'm surprised though that VF has real fibre. Usually they switch to Coax for the final connection and still claim it is fibre 🙃
My street was one of the first to receive fiber. In cooperation with Vodafone. Now my city is working with a new local company for the rest of the city
About a decade later btw, but we should have 100% fiber availability by the end of the year
12 years actually
so what are few main ways people do this now, to sum up whole thread
I don't think you can sum it up to one solution. Minimum is put something in front of Immich, even if that's only a proxy doing TLS.
didnt really mean one but rather what are some of the main setups people use
most frequent ones
tailscale would be one ei
I am using TLS and Wireguard (The software Tailscale uses)
I use nginx proxy manager to proxy requests to my services. And Wireguard when I need to get into my home network.
I just use a standard Nginx that communicates with all my services
I just like having a UI from time to time, but yes running it standalone also works
Traefik and Wireguard/Headscale :)
UI is bloat. I prefer flipping the bits with a magnet by hand
/s
Kinda true, but I do that stuff too much at work to bother with this at home as well
what do you need the magnet for? With all that raDiaTioN you should be able to flip those bits just with your hand /s
Funny. For me terminal is just much faster. Debian + LXC is much more convenient for me personally than Proxmox or other UI solutions
Redirecting the body‘s radioactivity to cause bitflips. Clever
Oh yes thats actually funny, I prefer running the applications on my server by hand with plain old docker compose. But configuring them via UI.
Especially the proxy config file would just get too long for my liking. Which means it would end in me trying to automate the generation of that config somehow to make it look cleaner
I am not going to take the fun away from you, but I‘ll still consider you a psychopath
Definitely a psychopath
/s
If it was a good language you could do ==(5, count) 
.equals()
Yeah but java is ugly
The whole point is for any operator to also just be a function with the option to be notated infix
Doesn't Javascript count 1 as true? Then I prefer "if (count - 4)"
FWIW any number !== 0 would be truthy though
Ah crap
Honestly I would expect JavaScript to just return count here because why not
In every other language you tell your computer what to do; in JavaScript you tell it what not to do
Except C. There you tell it what to do and it does what you didn't tell it
+++++>+<[->-<]>[++++++++..]
Are you making me google a brainfuck interpreter now or will you send the readable code too? lmao
Honestly I just asked ChatGPT
```
+++++ // Cell[0] = 5
// Cell[1] = temp flag
<< // Back to Cell[0]
[- // Start loop if Cell[0] != 0
// Decrement Cell[1]
<- // Decrement Cell[0]
] // End loop
// Move to Cell[1]
[ // If Cell[1] == 0, Cell[0] was exactly 5
++++++++ // Print something
.. // (e.g., print H twice)
]
```
LOL
Well looks like it doesn't run 
I only know one person insane enough to write brainfuck code and that is the person who wrote an entire OS with a network driver from scratch for his Abitur (high school degree)
Honestly didn’t expect that
in highschool?
Damn they're crazy lol
Yep. Switched schools just to get one that offered computer science as a main subject
According to him nobody in the room understood what he did anyways and they just gave him a 0.75 (A+)
And honestly I actually believe that
I mean that's not even too hard tbh. I had a pretty similar experience with not even too crazy of a software project. Many teachers just suck unfortunately, especially CS ones here
Yep. My school had a trainee (not quite accurate, in Germany they are called Referendar) who actually had a CS background, but was a horrible and I mean horrible teacher
If you gave that woman a bunch of 8th graders you’d get the closest to real world anarchy possible
The thing with CS kinda is:
- If you're good and you enjoy research/education you stay at universities
- If you're good and don't want to do research anymore you find a job in the industry that's very well paid (much better than a teacher job)
- If you can't do any of the above you end up as a teacher
There are definitely exceptions to this, people who are really passionate about educating young people (not university students) but those are rare
that is actually one case where I would say that IP whitelisting is not enough....
generally ip whitelisting is fine, the danger is just in someone unauthorized being able to use the IP
in case of a university using a /16... that's very likely a whole lot of smart people who would try to access unauthorized things just for fun... likely not hard to use an IP assigned to someone else.
generally, even with ip whitelisting you should use some kind of authentication. it just lowers the attack vector and usually by a lot.
Reminds me of my study time. They tried to lock down the network by having us register our devices' MAC addresses. We soon figured out we can retrieve any user's MAC address from the AD. We ended up using one of our admins' addresses. Luckily that did not provide any system access, but tracing back forbidden activity would then lead to that admin ...
no RADIUS/WPAE?
Nope just teachers thinking what they built themselves was genius and our report of this was "not an issue".
That's... Incredibly dumb lol
It is and isn’t. The correct lan ports were in inaccessible areas
and how would they realize that an IP is fixed to a specific port?
it's doable but not feasible on campus networks so there would be ways around this...
generally, I wouldn't see whitelisting as "secure", it would make it "more secure" than without it but you are still allowing a broad audience access to whatever... it's fine if there is decent authentication
Physical separation. They had multiple networks for example: 127.0.0.0/24 in one room and 128.0.0.0/24 for servers and so on
127.0.0.0 
I have two accounts set up with immich that communicate with my NAS. I recently updated everything to v1.138.0, including my apps on my phones. I access my NAS which is connected to my home internet via url and Nginx. Here is my problem. I can get background refresh to work on my android device, but not on my iphone. Settings are all the same and background services are enabled. Anyone have any clue as to why this is?
I believe I enabled Beta Timeline at one point on the iphone, but do not have it enabled anymore. Not sure if this information is relevant.
I didn’t wanna use the real IP addresses, so I took local ones; could’ve used 192.168.178 and 192.168.179 instead though
Settings -> Apps -> Immich -> Background refresh probably
I think I figured it out. Somehow my Backup Albums "Recents" was not selected. Maybe this happened when I tried the Beta Timeline. This is strange as I never turned this off. Hope it is fixed now.
These options are located here
Update: Background backup still not working for my iphone. I got foreground working though. I have no trouble with my android device working with background backup. This is strange
Appreciate the help. Unfortunately all the suggestions in this article have already been set on my phone and the background backup still does not work on my iphone
It will, just not in the interval that we’d like to see
It still has not updated. Ran a test on your last message and it is still stuck.
idk... something is wrong with my ios version. I feel like something happened when I tried beta timeline for an hour and since turned it off. Feel like at that point it stopped working.
would just a hardened nginx be good enough, or should I put in oauth through something like authelia
i understand depends on my tolerance for security but what do you all do
Just plain NPM here
hardened nginx here with oauth with MFA (though for some testing I currently allow local logins as well, basically bypassing oauth)
If you can and have it, I would definitely use oauth for the added security, if not... make sure to use a good password and maybe not have the admin user named the default of admin
Add webauthn (Passkeys) as MFA 😏
thats what oauth is for, yes
How well does certificate auth work
client certificates?
I mean what are you stuck on?
akshually oauth itself doesn't enforce MFA/FIDO2!11!
I never used it before I was curious if browsers ask for it every time you need to connect
and how it compares to using header authentication
Aight. It's more like a handshake type deal. The server "requests" the certificate from the client and the client (browser) offers the certificate. I am omitting a few steps but this is the really short version. Depending on the client you might need to select the proper certificate or it will autoselect it. Header authentication is vastly different
header authentication is usually an extra header (Authorization: Bearer <token>) and can be a JWT or API key or OAuth2 token.
so it depends on what your goal is and the application support if header auth or mTLS is a better option
I guess my goal with either is to prevent an attacker from knowing I am running immich
like without cert/token it just throws a random error
In a sense to avoid having to rely on immich for authentication (in case of vulnerability)
I currently use header which works fine for mobile but it does minorly mess up web (for example version status doesn't work)
ah yeah client certificates would work for that albeit a little more difficult to get going. Without a client certificate you cannot 'establish' the connection (e.g. you'd get a 403 or something)
do you have to reauth the cert every refresh?
of browser
are browsers smart to remember certs
nginx locally
used to but prefer to keep everything local
[Discussion] Trust Self Signed Certificates with Immich - OAuth Setup (immich-app/immich#18614)
this one I think right?
nvm
I'll look into it later
uni starting
Thanks for help
They're using authentik. This looks to be something different
aigt np
```
ssl_client_certificate <bla>.pem;
ssl_verify_client on;
```
probably something like this. But there are complete tutorials out there
It doesn't enforce you to enforce it but with e.g. authentik you can configure it to be mandatory and therefore enforce MFA/FIDO2!11!ONEONEONE!!!
you are entirely correct and I love it
I was just being pedantic, im sorry 🥺
same, i'm happy with authentik... not the easiest to use though
I used to run Authentik but I switched to Authelia
and now I HATE HATE yaml but it works
i get that... havent tried authelia but i guess it is much easier to use
ngl authentik is easier
lol
didn't help that my setup is weird and not recommended tbh
I do both proxy-forward and OIDC
if authentik is easier, why would you switch to authelia? 😄
with mTLS
I really hated the way they fixed vulnerabilities in Authentik
that really put me off
same but not on the same websites 😛
dont use mTLS though
I went full insane
the way they fixed them or the way they handle and announce them?
the fix was like: aight let's sprinkle some checks in the code as opposed to doing it centralized and structured
I just don't feel confident
🤷♂️ i am no dev, so i never looked at any code or fixes
yea, i understand but cant judge myself
I mean I work in infosec so I have a vague idea
me too but not with coding apps, not app security
I was a secure developer (lol) for about 5 years, after that ethical hacker and now somehow managed to fail myself into a CISO position
so
I am not an expert and I will not give advice to anyone
I'm running a Pangolin instance through AWS that tunnels Wireguard to my home server.
FYI pangolin performs the TLS termination on the VPS it is installed on (AWS in your case). This means that if Amazon wants to, they can technically access this unencrypted data.
If you want more privacy you can take look here:
https://github.com/dinvlad/caddy-wireguard-proxy
Of course this doesn't mean anything bad about pangolin, it's just that quite a few people think it's more private than CF in this aspect.
It arguably is more private. The VPS provider would need to look at the RAM, whereas for cloudflare they control the whole stack and you don't even know what happens after they terminate the TLS. With pangolin you know exactly where your data goes through
It’s way more secure than Cloudflare yep. While still technically possible (but significantly challenging), cloudflare openly scans your data + logs it through their own proxy
And honestly even SSL cannot be guaranteed to be private unless you do certificate pinning, which almost no one does
Well compromised CAs would be an even better problem, but yeah
Cloudflare: "These are the most used insecure passwords: a, b, c ..."
Normal people: "Omg who uses that"
IT: "... wait you can see our passwords?"
Yes, I agree with that. To be honest, I'm not sure why the pangolin product design performs the TLS termination on the VPS and not the Home server in the first place.
It’s reeeeealy hard to forward packets while still keeping source IP info
So any blocking or filtering becomes useless
I don't know pangolin, never used it, but I'd imagine they have a reason
Hmm. That’s cool
I think you just use the X-Forwarded-For http headers, but not 100%
I started using this a week ago, works well. I plan to add pangolin to run locally on the home server but I need to see how it works.
If I remember correctly they do auth filtering on the VPS, so unauthenticated traffic does not reach the internal network.
Out of a fear of DOS attacks?
You can’t do that if you’re passing the traffic unmodified 😛
Muh homelab botnet attacks 
Who said unmodified?
In fact, from what little I've read about it, it's an almost 100% open source alternative to CF, which is amazing. What bought it for me was the ease of applying filters and authenticating users.
We only don't want to terminate tls
Let's goooo 
I mean how are you avoiding terminating TLS?
Http headers are not encrypted
Huh? They are
There are attempts to include them, and I think the most popular one is a Http3/quic proposal.
But nothing is really there yet
They are not? 👀
I’m pretty sure SNI is the only one currently not encrypted..
SNI is part of the TLS handshake
😄
sni not being included in quic is the reason quic is blocked in many enterprise environments
I use certificates via mTLS. Reverse proxy via Traefik and authentication via Authentik.
I was going to use a CloudFlare tunnel along with WARP authentication.
But then I decided to just set up a VPN on the same network as my server so now I can literally just access it via the same IP as I would if I was on the same network as the Immich server.
It's also much easier to set up.
Since I originally posted this I figured I should post an update with my current plan. My idea now is to use mTLS (manually shared) along with some WAF rules in Cloudflare and a Cloudflare tunnel. I've set this up for Home Assistant and it seems to work well. The one major downside of this is the 100MB upload limit; I figure that should not be a problem since hopefully any file bigger than 100MB will be uploaded once I'm at home. The major upsides of this are that you don't have to think about VPN connections, nothing that needs to be turned on/off.
Why Cloudflare though and not a proxy? Your data passes through their systems unencrypted.
what proxy would you suggest?
But yes, it does require you to trust cloudflare, I guess that's one more downside of this.
Any you are comfortable with (I use nginx), just need to do some basic hardening.
I personally don’t see an advantage that warrants the downsides. AFAIR, their tos prohibit media streaming like videos in immich. I haven’t found free, useful security features either… geoblocking can be done on the proxy as well and hiding your IP is security through obscurity at best.
Right, but that's going a vastly different route. I prefer to not open ports in my personal firewall. I've previously solved that with tailscale. However I've found that that is at times a little bit unstable. I'm running traefik as a reverse proxy on my local network tho.
Ultimately it's a question about what you want to trust. But it's not only about hiding IP but also having a stable IP, my ISP rotates IPs once in a while. Tailscale solved that. But so does Cloudflare. I'm sure mTLS could be set up using Traefik, but I've previously used Authelia or similar in front of my services, with the downside that not all (Nextcloud for example) support that.
having a stable IP
dynamic dns
I'm sure mTLS could be set up using traefik
yes, any reverse proxy
I've previously used authelia or similar in front of my services
use oauth, mtls and oauth is plenty security
if you fancy renting another VPS to act as a fronting that's an option
it's still a point of failure, and something to manage
you can decide which one to trust: a vps on your provider of choice or cloudflare/tailscale etc
though it comes back down to cost, benefit and risk analysis of what you value more
a vps is still somewhere that can fail
but it's not like cloudflare is infallible either
it's still somewhere you have to manage too, but you have greater control of the stack
personally i just open a port in my IP, with caddy as fronting, for most of the publicly accessible services
but i do have tailscale to access other more sensitive services, or as a SHTF backdoor for myself to access inaccessible things
(like ssh which is not exposed)
imo a tunnel only moves the entrypoint to your stack. You still expose an HTTP service to the world which needs to be secured. I'm with @zinc merlin on this one, CF does not really offer much in terms of security that you can't implement yourself. Sure, if you care about having a stable IP you need a VPS or something as a proxy (which then could also tunnel through a VPN). I just live with a daily disconnect of about 5 minutes until the DNS update is propagated to all clients.
Given my WAF rules on Cloudflare it should be secure, it will only allow access if you have the mTLS cert installed on your device. Yes. That's perfectly doable on my own server and port forwarding from my router, but it means I need to open up my own network a bit more than I have now. Having family manage a VPN (even Tailscale) has proven hard, they just don't keep it on. So this seems like a decent way for me. And while Traefik with mTLS is probably enough and secure, it demands that I keep it up to date, vs moving that to Cloudflare. It's probably just as likely that Cloudflare will have issues as Traefik. But if there's a zero day with the Traefik implementation I have to act, if there's a problem with Cloudflare they're bound to act quickly.
My reasoning is that I'd be able to keep less of an eye on it.
Another? I don't have any VPSs atm. So going from none to having one is a huge addition in time spent on managing that.
and from all I can tell Cloudflare is plenty secure as well. For my needs
yep that does mean a new thing to manage if you want to avoid cf
but you dont seem to have any opinion against them
so unless you have other justification to get one, or already have one
i think using a service is fine for what it is
I have strong opinions against CF to be honest. I dislike them. But for me it's about what will work for the family, me having to maintain, more than morality atm.
The downside I see with CF is the TLS termination on their server / 100Mb limit. But neither I see as a huge problem really
Having family manage a VPN (even Tailscale) has proven hard
ah now i see why tailscale was passed
having a VPN is definitely an extra step needed
While I could get people to install it, having them check if it was actually connected when something didn't work just wasn't easy. And for various reasons it would disconnect for people. Any extra step is just not doable for family is what I've come to realise.
agreed it's also not ideal even for me i dont like to keep it running constantly (i use adguard normally)
so it's just more hassle if my stuff has to be manually connected for immich to sync
that's why i decided to just open a port on my IP it's the easiest least friction method for me
Installing a cert on the family's phones, I think, will be rather easy too. Signal over the file and I can just install it for them. AFAICT that's the only thing needed really.
hmm right mtls, would consider but
i guess i am passing that because i do like the ability to share albums
maybe after i setup an albums proxy i could consider mtlsing certain services
I tried the mTLS route but I ran into the issue that my mother also wanted to view photos on other devices that did not have the certificate installed, so I ended up putting Authelia in front of it and forcing auth via Authelia before connecting to Immich 🙃
mTLS is still used to bypass Authelia for the apps
do you also use immich's internal auth for allowing people to login to the correct account then?
SSO
I am using the SSO feature to login :D
works really good
ahh so you don't use mTLS anymore?
does Authelia hardwall Immich to authenticated users only?
(ie you cant even see immich if you arent authed, would block things like /share/)
thats correct
no, I use mTLS to bypass the 'hardwalled' Authelia. If I don't the app will not work (obv)
i see, mine is probably just the lowest serviceable security level lol
i leave it open because my family don't have Authentik accounts
i don't trust myself for my homelab to serve my family so it's just me rn
if that is the case, then all good...
I won't try to make you understand things differently... if you did your research and due diligence and came to the conclusion that a self hosted reverse proxy is too much work and CF is secure and private enough, then that is your conclusion and decision!
should you seek any help with any explanations or suggestions, let us know 🙂
I have issues with hosting stuff, specifically I've had on 3 separate occasions, someone be able to get into my hosting system and delete seemingly whatever they wanted. This was on a PC running Windows 10 and then a Mac running MacOS 10.15, and the Mac was running stuff with HTTPS.
I'm also running Immich on a different, much newer machine, but I have no idea how to run it with HTTPS or really do anything other than run Immich as it comes.
I've been told by anyone who knows better than I do that I need to have more security, but I have no idea wtf I'm doing. I've ceased running the other servers due to this, but Immich I can't just cut off because it's how I share stuff with my friends, and at least one of them uses it to store their photos.
What do I actually do? I know almost nothing. Cloudflare is intensely complicated to me, and I couldn't even figure out how to do that.
I'm just gonna... buy a Cloudflare domain and play with it. Does that sound like a sound option? Would this theoretically protect me from whatever has been happening?
Ok, I got it up. The problem now is I can't enable HTTPS.
Every software can have security issues. Cloudflare does very little to protect you from such issues, and even that little you have to configure first (not on by default). You should set up a proxy on your server to enable HTTPS. I use nginx proxy manager for that, it comes with a nice UI and does not require much work on the command line.
Also without knowing how people got into your system before, it's hard to say it'll never happen again. There is no sure way of that. Isolate as many things as possible, so even if they get hacked it's only that software. And have backups to restore from.
It was powershell commands through the hosting software I used the first time
The dev made v2 though and said it was much more secure, and to completely stop using v1 because of how vulnerable it made everything
And that worked for a long while
…until it happened again, so I restored from a backup I had just made
And then I turned on HTTPS
Thought it was fine for a while AGAIN
So whatever software you used probably is just ... not good.
Idk if they did the same thing or not, I couldn’t find out the same way I had the first time
Well it’s what I had to use soooo
About 8 years ago I started experimenting with xampp or whatever it’s called
But that was overcomplicated for what I needed and eventually stopped working anyway
So I switched to HFS
But yea eventually it happened again, but the software had a macOS version, and the box I was running it on was kinda stupid slow anyway, so I switched to a 12 core trashcan, which I thought would be extra fixed.. because.. there’s no powershell.
But it happened AGAIN, the same damn thing. August 31st was the day I just took almost everything down and said “fuck it.”
And I thought I had a backup - I looked everywhere, but it’s just freaking gone - So that factored into my decision to take it all down.
2 of the servers I was hosting for someone who actually passed away later that evening
So whoever did that.. they’re going to a special hell. With me for not making better backup solutions.
Definitely look into backup strategies. Best case offsite with protected snapshots / write only operations from outside.
Oh god I don’t have the means or the storage space for that
I’d just make a copy to a drive that lives on a drive in my closet every week
Cloud storage is cheap. Unless you want to store petabytes or something
The best security: Not Online!
Yeah, outdated backups are always nice to have /s
I’ve come to hate cloud storage. It comes with all of these asterisks and I have like 10 500GB drives that I don’t use rn and a backup would be like 50GB - I just can’t make it automatic because I’d forget about it and in 2 years it would be full and the last backup would be freakin a year old or something
Then you probably don't use a proper backup software tbh
Being able to "forget about it" is one of the most important aspects of backups. They should manage themselves
Yea… I never investigated software to do that because I always imagined they’d cost money
At least the ones I’d actually want to use
Borg and Restic are popular choices, both free
Oh?
I might look into those if I ever host anything else again
I only run Immich now, and that… for SURE can’t be backed up properly. My folder itself is creeping up to a terabyte.
And my upload speed is 20Mbps so cloud storage really isn’t an option (especially since I heavily use that minuscule upload speed for quite a few other things that are time sensitive)
Initial backup will just take a while. I uploaded a terabyte over a 40 mbit connection. Took a couple of days but eventually it finished.
Honestly I really should be backing Immich up because it’s on the RAID0 box which I know is a T E R R I B L E idea - I just had no where else to put it, and I’m scared that I’ll fuck it all up if I try to move it.
I just have no money rn so I can’t pay for cloud services like that
The best I’d be able to do is stripe 2 of those 500GB drives that were salvaged from DVRs and crap, and copy everything onto those-
To be clear (even if it might not say much). I've been "selfhosting" for roughly 20 years. Started running Linux 25+ years back. I've used traefik/caddy/nginx (and even apache/httpd) for reverse proxying. I did start this thread because I was curious about what others did. But I think I do know most of the ways I can expose a service, and its pros and cons. I do, however, prioritize things differently today than I did a few years back.
That is a lot better than nothing at all.
I blank on the name now but the other popular alternative has support for things like Google Drive out of the box as well.
Kopia?
rclone, had to look it up
Ah, so by extension also restic (it can use rclone as a storage backend)
True true, when I evaluated them I ended up with rclone, it seemed like the simplest way
you most likely need to read up and deep dive into it... only do that if you enjoy it, it wont be cheaper 🙂
hosting on windows 10 is also not the best idea 😄
perfectly fine, i have been self-hosting for maybe ~8 years only
I am definitely no linux expert but about security in general I know enough to be confident about my setup (always enough room for improvement of course)
in the end I always think it is best to educate yourself and then make your decisions based on what you know, at least if you screw up, you know it is on you 😄
you should also periodically verify backups by actually doing a restore and have proper monitoring in place to ensure backups are created
easier said than done but yes, at least some basic checks should be done... a full restore can be difficult sometimes
I dont actually test if all my databases restore properly, I should but I don't 🙁
I sometimes do
True, good point. Backrest has a notification service built in so I forget that for other solutions you might need to add some more monitoring to it.
I scripted a check for the update time and verification that the backup is not empty
i get a daily silent notification with statistics, how much was added/removed, etc.
and i get an alarm if the script had an error or the checks in the script say there might be something faulty
that does not actually do a full restore though and therefore verify it would actually work
I mean i always recommend doing that periodically
I take full backups (incremental) of the VMs so the test is just as easy as restoring it from backup and verifying everything boots and loads correctly
I make do with restoring individual files for testing. A full restore above a certain size is just way too much, at least on a regular basis.
I don't have VMs, I only run containers...
I back those up with restic and dump the databases just before that
That's very sound reasoning and in general I do agree. My current life situation makes my reasoning skew a bit from what I might normally say is best tho
containers are another attack vector 😐 did you read about the docker container escape for Docker Desktop? Really bad stuff
One of those things that makes me really question exposing anything online
i would never use docker desktop
and yes, once container access is compromised, there are sometimes container escape vulnerabilities
And for what it's worth, I've already rolled back my mTLS solution. Turns out I'm not able to read. While certs are possible to install on iOS and you can get Safari to respect them, there's no way to get apps to just work with them, in the way Android does it. So I'm back to Tailscale for now.
too inconvenient for me to share my hosted services so I do it differently
lol
vms all day
To be fair that exploit had nothing really to do with docker. It could just as easily happen with a VM hypervisor
Not that it makes it any better, but the container itself wasn’t really breached
Definitely, sorry if I was unclear. It Definitely was a docker desktop (not docker) problem.
But it's the type of thing you, as a self-hoster, might have to jump on. Hopefully I'm not as exposed to that type of thing when not opening ports on my own router
opening ports on a router is not a problem...
you know if you run docker desktop on windows, I would argue that it is more likely to be "hacked" by phishing, browsing or exploits of other applications
I feel quite secure with my hardened reverse proxy exposed on the internet 🙂
when i say "opening ports on a router is not a problem...", what I mean is that there are so many people who are afraid of opening ports on a router but do not associate this with the service this port gets forwarded to... the mere act of opening a port sounds threatening to many
Well, to be clear, I would never run docker desktop on windows 🙂
And you're absolutely right in that opening a port isn't unsafe in itself.
Precisely why I moved to a Mac
I don’t have the time to suck down all the info on securing a web server, I’d probably have to use Linux which is just a really bad idea for me and yea. Just… not happening right now, that’s why I shut it all down, except for Immich. That, with the help of a great and knowledgeable few people in another channel here, I made “a lot” more secure.
And hopefully that’ll be good enough.
I am currently running an N100 mini PC and an N97 mini PC (both have 16 GB RAM). The N100 acts as a reverse proxy and is exposed to the internet via public IP DDNS, CrowdSec autoban and load balancing via native Nginx. The N97 on the other hand runs machine learning and keeps backup files of my main machine directories. I have Tailscale on both of them, and also enabled geoblocking and protection with Cloudflare Zero Trust and WAF rules. I have them in a small server rack with my NVR and router on top. Because they sit in a closed space covered with wood, but do have holes in the back of the box for airflow, I added USB server fans to them and my hard drives. Total cost spent 230 dollars excluding my 2 TB drive
Hi Folks, is it possible to install a domain certificate to immich? I have a wildcard for my main server and would like to use https and immich.mydomain.com. Apologies if I've missed it somewhere in the docs but I can only find nginx.
No. You should run a proxy in front of Immich to handle the incoming connections.
Oke Doke, just seems an extra step that I don't need. I'll stick to Tailscale.
it is much better (time-wise) to not develop your own webserver and have that handled by a well established product like apache or nginx
some kind of proxy is needed for outside exposure
I usually roll my own crypto too
I use a Tailscale Funnel. Seems to work pretty well, haven't been ransomware-d yet!
havent heard of anyones immich being ransomwared through immich itself yet
It's been quite reliable through tailscale funnel here too
Yes. Opening a port is not a problem. The problem is the service listening on that port
Hello, I hope someone can help solve the issue. I did the steps below, but still cannot access the server.
- created an A record in Cloudflare that points to your public IP address
- created a DNS entry in Cloudflare that's a CNAME called immich.subdomain.com
- on my OPNsense gateway I forwarded whatever ports are used for NPM
- created an unbound rule to allow these requests to flow to my router which my server is connected to
I'm using Unraid.
By default every port is open on every Arch Linux system, there just isn’t anything listening on it
I've seen a lot of different setups here. So I want to include mine as well.
My immich is exposed via domain with TLS Certificate. The reverse proxy is installed in a server for only the reverse proxy. Within the Config the header of the reverse proxy is hard restricted. From there it tunnels through a VPN to a DMZ. Behind the DMZ there are different subnets. One of those is for immich.
Between those different systems is CrowdSec and different firewalls. Everything is strictly restricted.
Is there something I can add here?
if you dont provide more info, people cant help you... if you dont even know which info to provide, this will be too lengthy and you might want to create a helpdesk thread
No worries, it is working now. I use Cloudflare tunnel. It can't be working using proxy Nginx.
Dynamic DNS and a reverse proxy (Caddy, which handles LetsEncrypt automatically) combined with mTLS (very pleased immich supports that).
Used nginx before and that also definitely worked.
mTLS is supported by the app no?
#10860
[Pull Request] feat(mobile): Adding setting in mobile app to TLS client certificate (immich-app/immich#10860)
It sort of works sometimes. Stuff is broken
Is it considered safe to expose immich with caddy externally without any additional layer of security like authelia?
provided you trust the authentication method
if you are using built in auth, you would have to assume your admins and users have secure passwords
if you are using SSO, same assumptions goes for that
personally i expose it with Caddy + Authentik SSO, i don't really feel worried using pw+TOTP for login
Yeah, I feel that that's my only concern, the password strength.
Personally I would not expose it without a second factor, but I would also not call it unsafe per se. You just have to be aware of the risk, especially when you don’t have any other security defenses that block attackers from brute forcing.
also remember, brute-forcing is not that common anymore, pw/wordlists, yes... but even then, you have to first have someone who would waste the time on you to do that... and if you are worried about it, there is fail2ban or similar things
True, I just use that example out of habit. Haven't seen actual brute force in a very long time. Unless someone really hates you personally it's mostly bots trying leaked passwords or scanning for vulnerable software versions. So keeping up to date and using strong passwords is more important than overthinking the deployed stack too much. Just a bit 🙂
I've been running it for about 1.5 years with that and never had any issues.
If I replace Immich auth with Authelia (Basic Auth + TOTP). The only better part is TOTP, isn't it?
I mean the basic auth method itself is just a combination of username/password. Regardless implemented on Immich or Authelia
Yes. Or in my case support for passkeys.
Thank you. Just spinning up a Proxmox VE and learning something before actually buying a NAS 🫶
Buying a NAS: DrakeNo.jpg
Making a NAS: DrakeYes.jpg
Well I did the opposite, bought a mini computer to try out some stuff and make a NAS
Now I can't access my router via ipv4 anymore
But immich is working well behind my nginx proxy manager so at least there's that
Regarding Immich OAuth with Authelia. It works on web browser but ios app doesn't.
Failed to check server availability. It sends a request to this URL https://immich.example.tld/api/server/ping&rm=GET and gets blocked with statusCode=401
Do I have to whitelist that URL path in Authelia access_control?
Beside that, when I try to enter that URL on browser (authenticated), it returns {"message":"Cannot GET /api/server/ping&rm=GET","error":"Not Found","statusCode":404,"correlationId":"9fa82clf"}
Edit: I tried to add a bypass rule for /api/server, then it returned 401 on /api/user... so I ended up with the below Authelia config
access_control:
  default_policy: "deny"
  rules:
    - domain: "auth.example.tld"
      policy: "bypass"
    - domain: "imit.example.tld"
      policy: 'bypass'
      resources:
        - '^/api/' # Unsure if this is a potential security risk
        - '^/.well-known/(immich|openid-configuration)$'
    - domain: "imit.example.tld"
      policy: "two_factor"
i dont think immich was really designed for forward auth
as in proxy->auth->immich pattern
it's probably more so proxy->immich <-> proxy->oauth
apps and stuff will break if they cant access api paths
seems like there's people who had success using mtls with Authelia though
(search in this thread)
check here above by a solution of another user
Immich is not designed for that flow at all. You have to add the OIDC provider within Immich. oauth proxies are not supported.
I follow this tutorial: https://www.authelia.com/integration/openid-connect/clients/immich/ Is it considered as "oauth proxied"?
that tutorial is how to use Authelia as an OAuth provider
i dont see mentions of adding access controls in that tutorial
can you try removing these and see if that works again?
I set up exactly the same as they wrote. Then I found errors and solutions as below
- "Your app major version is not compatible with the server" -> Add bypass rule for ^/.well-known/immich
- "Login with OAuth" button not shown on mobile app -> The mobile app log said 401 Unauthorized on route /api/server/info/ -> Bypass rule for ^/api/server
- Still got "Login with OAuth" button not shown on mobile app -> The mobile app log said 401 Unauthorized on route /api/server/version/ -> Bypass rule for ^/api/version
- Now the OAuth button shows; clicking on it directs me to the Safari web browser, things went well before it redirected me back to the Immich mobile app
- Got a new error in the log: 401 Unauthorized on route /api/server/users/
- The 401 code is returned from the Authelia middleware I guess, those requests didn't reach Traefik, or the Immich server at all.
---> So tired of adding route by route, I decided to bypass /api/ instead.
Then everything works well.
Because I don't see it mentioned anywhere in the tutorial but found some comment on a GitHub issue, maybe a year ago. So I bring it up to ask again if it's still correct.
i see so this setup works as intended but you are asking if adding /api/ is okay
well the thing is, as i said before immich wasnt designed to have something sit infront of it
what you did here by allowing /api/ is to allow unauthenticated access to all immich API endpoints
(you are now only protecting the GUI, which means almost nothing you might as well have not protected anything to begin with)
hence why i said you could have removed the whole block here
and allow everything thru by default
access_control:
  default_policy: "deny"
because right now API request is like internet -> proxy -> (notices that /api/ is allowed, bypass auth) -> immich
which is effectively the same as having no access control
i won't say it is a security risk, i will say it is something you must be aware of and consciously choose
if you think it adds security that's bad, because you would be tricking yourself into a false sense of security
it only becomes a risk if you think you are more secure than you actually are
you have 2 choices:
accept that immich is basically directly open to the web
reject that idea and secure your setup by finding another way
If you wish to fix your setup
You can check out: using secret values in a header (simple), using mTLS (this would be the more proper and secure thing, than to rely on a short secret header)
using either of these, to conditionally bypass access control
there's no wrong choices here
for my personal setup immich is directly exposed to internet
and auth is done via oauth on authentik
Hello All,
I tried to run the Nginx proxy server using Cloudflare A list, but I cannot connect. I see that I have a CGNAT IP address since. I see that my public IP is xxx.xx.3.82, but the IP on my modem is xx.xxx.176.32. What is the other way to connect to a reverse proxy using NGinx Manager? Thanks!
I switched to Tailscale with a Wireguard as backup method. Just realized that I don't really need an easy access solution like reverse proxy. 🫶 personal use only so VPN is better
You can use cloudflare tunnel to your reverse proxy
https://gist.github.com/prateekrajgautam/75afbaa9bcda8eb1dfb6b5ceecd25e8c
Guide: Cloudflare Tunnel with Nginx Proxy Manager - Guide: Cloudflare Tunnel with Nginx Proxy Manager.md
Is it fine to use "Proxied" dns in cloudflare for immich or is it recommended to disable it?
If you use it you have a 100MB limit on file uploads and cloudflare can see all your data.
Then I'll keep it off, thanks Zeus!
Hello, I successfully reverse-proxied my server using Pangolin. I have an issue that I can access the immich via my.domain.com on the browser on my computer, even my Cellphone. The issue is that I cannot connect to the server using the app. I enable the PIN on Pangolin authentication. Has anyone experienced the same? Thanks!
You cannot put any auth in front of immich. You can use the immich OIDC connector if you want
Try Pangolin with Pocket ID (passkey provider); works perfectly for me and family, they don't need to remember the password anymore
Do you have documentation to set it up? Sorry, newbie here.
https://docs.digpangolin.com/self-host/quick-install-managed
https://docs.digpangolin.com/manage/identity-providers/pocket-id
@low nexus just read the docs its very easy
Hey, sorry if that has been answered or if that isn't the right place. Did anyone set up the bypass rules in Pangolin correctly? I can't get share links to work with the Pangolin auth.
this discussion should move to another topic imho
Hi guys.
- Immich and Tailscale are running at my home. All behind ufw and a physical firewall which does not allow any public incoming connections
- Now I'm outside (100km away). When using 4G, Tailscale shows a relayed conn. When using wifi it shows a direct conn.
How is that possible? If the two networks are not behind CGNAT, despite being on different ISPs, Tailscale can still init a direct connection between them?
Are you confused as to what a VPN is @spring jasper ?
direct connection means you are not going thru the tailscale network (obviously since you are on your home network).
when you are not on your network... how do you expect to connect if not relayed thru tailscale servers 😬
Tailscale's relayed connections are when they relay packets through a Designated Encrypted Relay for Packets server (DERP)
Tailscale's direct connections work through a UDP socket through the WireGuard protocol
Two networks are still behind their own NATs
NAT traversal means you can still get a direct connection between two NATs
https://tailscale.com/blog/how-tailscale-works
https://tailscale.com/blog/how-nat-traversal-works
https://tailscale.com/blog/how-nat-traversal-works#:~:text=carrier-grade NAT.-,Concerning CGNATs,-Even with NATs
You can still connect to stuff behind CGNATs with sophisticated holepunching, but sometimes it's not worth it, like being on a phone carrier's CGNAT
||how do you expect to connect if not relayed thru tailscale servers 😬||
I didn't expect it. I experienced a direct conn when not at home. That's why I asked. 🤪
Tailscale can negotiate a direct connection even behind CGNAT, that's the main point of it
Thank you. This helped
it only needs the coordination server for the initial nat hole punch between the clients
First time I experienced it. I go to coffee shops a lot but always got a relayed conn
I recommend CloudFlare access oauth for immich or Authentik.
Npm.
How does cloudflare work with the mobile app?
Oauth
And also specific device access if you can configure everyone's phone in your family.
Using client id and secret
Rather than updating Authentik and Authelia, I instead use CloudFlare to save on hardware and update.
hope I am not derailing anything here, but wireguard is the only way I will access my pictures, you can even have a tunnel only apply to one app, or exclude other etc, its all in the android app, and its a single port forward, and docker compose, and QR codes makes adding peers so easy!
I associated a sub domain from freeDNS to my external IP address, installed nginx reverse proxy with certbot in my PC. In the nginx config the access is allowed only to IPs:
172.0.0.1
192.168.x.x (LAN)
10.x.x.x (VPN users, I also have Wireguard set up)
IP address of my parents house so that they do not have to use a VPN
This way I can put the sub domain everywhere and it always works. Members of my family that are skilled enough also have access to the VPN for when they are not at home.
ah good tip on the external ip of parents place! they dont change that often!
I also put a deSEC subdomain in their modem settings that is updated dynamically, so that I have a subdomain associated with the house and I can just check the IP by pinging the domain
Immich machine -> NPM w/letsencrypt machine -> hardware firewall -> router
Cloudflare points to endpoint.mydomain proxied, cname records point to endpoint.mydomain proxied
Subdomains have security rules to limit what can be called
- nginx => immich, accessible directly only on my home network.
- Let's Encrypt certbot to manage TLS certificates.
- frp tunnel from the home server to a remote host with a public IP (I use DigitalOcean but any hosting will work just as well).
The second third step is functionally very similar to Cloudflare Tunnels with two major differences:
- Cloudflare doesn't get to MITM my private data.
- I do not get the benefits of Cloudflare's DoS protection and similar out-of-the-box security features, so have to manage more of the setup (tls certificates in particular) myself.
Are you sure CF cannot play MITM ?
I do not proxy any traffic through CloudFlare and only use them to manage my domain.
So
- All traffic goes directly to my rented jump box that forwards it to my home without decrypting it (i.e. I terminate the TLS connection on my hardware at home) and no traffic except for DNS queries normally flows through any CloudFlare infra.
- Speaking hypothetically, if someone at CloudFlare went rogue, they still could MITM if they issued a new certificate for my domain and advertised their own IP for it, but getting caught doing so would carry such an enormous reputational risk for them that it is highly unlikely.
if you speak of cloudflare, its easy to assume you mean as a proxy... usually the dns provider barely gets mentioned
but yes in your case, cloudflare will not see your traffic
i dont see how the second step is functionally similar to cloudflare tunnels though
Because the WAN endpoint is not at home and at a different IP
yea but the second step is "Let's Encrypt certbot to manage TLS certificates."
the whole solution is similar with the difference that the provider doesnt MITM the private data
considering all that, I don't see much of a security benefit over just using a reverse proxy in your home network
Exactly: just like using CloudFlare Tunnels, using frp means that:
- I do not have to open any ports on my router.
- I do not have to publicly expose my home IP (by publishing it in domain records).
- I do not depend on my provider keeping my IP static.
i dont see how the second step is functionally similar to cloudflare tunnels though
Oops 🤦♂️ I did not update the second part of the comment after adding step #2 in the middle 🤦♂️
So I really meant that step #3 is functionally equivalent to using CloudFlare Tunnels.
What would be the best way to expose immich as it's stable now?
best way in which sense?
for me it is by using a reverse proxy and exposing it publicly so I can share photos with family, friends all over the world and also with e.g. people with similar interests like my son's guitar group
Nothing has changed in this regard since becoming stable. Same old still applies.
While I am exposing an url for accessing my immich through cloudflare, I still prefer using Tailscale for managing anything inside it
Same for me
Mainly secure
What is the "same old"?
As in nothing changed. Also secure depends on your personal requirements. For most people putting a proxy in front of it for TLS is enough. A next step might be using OIDC for login. And if that is still not enough for you, add filtering (e.g. crowdsec).
that is defined differently by every person
if you do it correctly, using a reverse proxy is secure enough for me
doing it with a VPN is probably the easiest way if you dont have other people wanting/needing to access immich
I have a DMZ where there is a VM with podman running immich, and on the edge of the DMZ is a DMZRouter where I have haproxy with Let's Encrypt SSL termination
I'm using VPN right now, but if I want my family to use it then that's not an option, thanks for the input
Is your setup using podman much different from docker? Did you consider running rootless/distroless? I know podman is rootless, but for me some containers just don't work and I don't want to spend a week debugging. Although I prefer running rootless/distroless containers for enhanced security. I couldn't find any info on distroless images for immich though
best for me is, podman does not have any socket like docker, so first of all an attacker can not attach to the socket to control everything (and there are also images which attach this docker socket on purpose!!). Now I run it under root, because rootless is not a requirement for me now. But yes, you can run podman as rootless, that is how I use it on my laptop, but there is a little bit of a problem with UID/GID on mounted folders, because it will chown it to some ID like 90 000 so from the host it is permission denied
before rootless does any good, they need to break into the container as well
which should be avoided anyhow 😄
I use a WireGuard server installed on the machine where immich is and I access it as a WireGuard client.
Yeah, it's just another layer
common and good solution 🙂
if thats all you need, i would stay with that
I run wireguard as well but not for that
I am using Tailscale to access my Docker setup where Immich is running 🏃♂️➡️
If anyone is looking for a cheap VPS this seems like a great price
With 2 TB Monthly Transfer and 1Gbps Network Port
This is a significant upgrade from the oracle VM.Standard.E2.1.Micro I have
https://www.racknerd.com/specials/
I have no idea if they are good or not but at less than a dollar a month...I have nothing to lose
In addition to the other things some have mentioned... I also have a Firewalla Gold Pro ahead of the server, it's a good hardware appliance that is NOT a subscription based security service, it's a hardware prosumer appliance. It's got extremely controllable rules.
if you're already on oracle cloud, why not switch to the arm (ampere) instance? the free tier offering for that is way beefier
I tried several times and even with a script, it just keeps recording the unavailability of Ampere VPS and also the fact that they can cut you off from this type of VPS when they need or want is not okay for me so I would rather pay
My 24 GB 4-core instance has been nicely functional for 3 years now. I do have a full backup & reinstall script for when they do terminate it though
oh, that error goes away if you upgrade to pay-as-you-go https://blog.raylu.net/2025/10/03/oracle_cloud.html
Oracle has a very generous free tier that comes with dozens of fully loaded footguns.
And then you actually pay?
If you stay within the free limits, no
You can continue using free forever resources without paying anything.
I wonder how you actually managed to catch one 🤣 I've been trying for so long...
I caught 3
Tell me your secrets.
Add credit and upgrade to pay as you go? Like this?
I've also killed the instance and reinstalled it numerous times. Think I only had restricted resources once
Yep. No $ added, just a card to charge.
Interesting, I'm going to check that out.
yes... please read the blog post
It's worked well for me. However please know it's oracle, and stuff can just die
Yes, that would just be redundant for me.
i rather just pay something i guess
though they won't take my card anyways so it's a non-starter
I want to reach my immich server over my domain address xxx-cloud.de. I configured caddy and I run a NOIP service on my Pi. In the domain settings I set a CNAME immich.xxx-cloud.de and activated the dyndns option (without any further settings).
In the Android app I am getting "Server not reachable" when I try to connect to http://immich-xxx.cloud.de or http://xxx.cloud.de or without http:// or https://
Does your domain point to your public IP address? Did you port forward ports 80 and 443?
Yes but I think that my ISP is blocking 80 443 after researching and trying
Is there a solution for that?
either cloudflare tunnels or your own jumphost in a VPS with a public ipv4
I called my internet tech support to get the PPPoE username and password, then I configured PPPoE on my personal router instead of the ISP’s router.
After that, I was able to set up port forwarding myself.
Ok so I should ask
depends if blocking was done on your ISP router, or their side
my ISP blocks port 22 from their side
even if I forwarded it
it simply wouldn't be reachable from outside
it's also possible to dump the PPPoE password/username on some routers, by using developer tools
Cloudflare has a 100 MB limit right? I don't know about Jumphost. Do I need an app for that on my phone? That's why I don't want to use Tailscale anymore
no. a jumphost is a vps that you setup yourself to route traffic from the WAN to your LAN
Uff I don't have a clue about that. Can you recommend a guide I can follow?
if you don't understand any of the words I said I would not recommend this route
I guess you could use pangolin which is sort of designed for that
Which tool I could try?
Since I updated from 1.137.3 to V2, I've had some issues where in order to view immich using my domain name, I have to turn off caching in Cloudflare. If I turn it on, it works for one or two requests but then just stops working completely. Works fine via the local IP address, has anyone come across this before?
I did nuke all the cache from Cloudflare in an attempt to fix it but currently have to run in developer mode
I also forwarded 80 and 443 correctly internally but I can't reach them from outside
developer tools inspect element
it depends on the router if it's secure or not
some set it as type=password but include the full password as text back to the client
you might be able to crack the settings backup too
but no idea about that, it depends on your router and you will have to figure it out yourself
I have the username and password for my internet provider. How can I handle port blocking of 80 and 443 with that?
EDIT: I called my ISP and they will unblock 80 and 443. Sounds good, IF they are really doing that 🙂
I'm new here folks, just excited to see what the builders in here are creating
My ISP blocks port 443 too. It's a default port for managing the router itself. But when I put my VM inside the DMZ, port 443 is available to be used.
Try it yourself to see if it works 👌
Why would you use caching? That’s for static sites, just turn it off and leave it off!
Not necessarily, it can also be for high traffic volume sites. Just harder to configure specific rules when access levels are needed.
Personally, I'd think this not working is a bug, but likely only impacts very very few use cases
Wow really? I never took a close look but figured it just can’t work well on dynamic content as it is difficult to detect which parts may have changed on many sites
I used it many years ago and it was awful on anything not more or less static
I use it quite a bit with my websites. A cdn helps during traffic spikes, especially when I can cache things like images so the server doesn't get hit with all of the traffic (I have not enabled it for my immich instance as I haven't had the need though)
My experience was many years ago but I had no luck with anything that was basically a web application
I would setup cloudflare waf and zero trust access policies with access tokens stuff like that
did you try contacting them
providers near me like xfinity or att allow it
or you can get a custom router with custom firmware if you use fiber connection
IDK for wireless networks though
I set up Cloudflare tunnel with zero trust, but this solution requires using Cloudflare proxied, which limits the upload file size to under 100MB. Therefore, big videos cannot be backed up. I think uploading using chunked files will be implemented in the future, but what is the best solution for now?
either using reverse proxy or VPN such as Wireguard or Tailscales
Or setting up the Automatic URL Switching to work when at home
just learned about this, not sure if the feature works efficiently, but I think it is sufficient. Cloudflare tunnel for public access and switch to the local url to back up when at home
I have had a CF tunnel set up successfully for the past few months, only recently (mainly after immich 2.0) has my domain access to my server been problematic. I can access the app, but very soon it times out. Then the next day it is accessible again, but if I try to do any search, it times out again. How do I troubleshoot this? If I access the app locally, it works perfectly, so it must be from the CF side?
ok I found the problem. In the server settings, in the external domain field, just leave it empty. I had my domain set up there but somehow it's not working properly. Now I have everything removed from there and only set this up in the phone app for cellular use, and it is working now.
I have a reverse proxy (nginx) on a VPS, which redirects the requests to my NAS over wireguard. But because I didn't want to expose any part of Immich directly to the internet I put it behind a login I made for a different app originally. This means there are two logins, but the HTTP header option in the app works to access it, and no API or anything is reachable by default.
The nginx config basically routes all unauthenticated requests to the login page.
In combination with fail2ban this feels like a decent way to make it publicly accessible. The login page access cookies are valid for a year, so it is a minor inconvenience.
dont think thats necessary, it is good for drive-by scanners though
just not sure why you run the reverse proxy on a vps instead of your home
if it works nicely for you then its all good 😄
nginx running on NAS with A record for immich proxied by cloudflare
be careful running things on NAS, they are often outdated and have many exploits (unless its a self-made NAS and you are taking care of it)
Careful on the proxy by CloudFlare. Immich refuses to implement chunked uploads and anything more than 50MB will fail.
Immich refuses to implement chunked uploads
Uhm what?
why would Immich "refuse" to do so?
For people who are behind CGNAT, is Cloudflare Tunnels the only free option? Also, should we have some auth apart from a strong ID/password in Immich?
I use tailscale personally, but need to share the media!
Oracle cloud is free
Didn't they stop that?
Also that would act as mediator proxy kinda thing?
No they didn’t, and you can use a VPN to pass raw TCP traffic
Even if you run your proxy in the cloud, RAM inspection is MUCH harder than CloudFlare, which can easily log and see all your data
So I have a homeserver and CG NAT, how can I utilize Oracle
You install WireGuard server on the vps and then pass the tcp traffic to your home server
There’s lots of guides
FYI, since you're already using tailscale https://tailscale.com/kb/1223/funnel
[Discussion] [Feature]: Upload large files in chunks (immich-app/immich#1674)
Locked not closed 🙂
There are differences between not prioritizing it right now and refusing to.
Refusing also implies you should have the power to tell what should be done.
Feel free to go to #contributing and announce you are going to implement this. Once you are done with the PR, it can be verified and if it works, I am sure that Immich will not refuse to implement it!
It would just be a waste of time because a PR achieving 90% of the necessary work is already there but
Oh well
Apparently we refuse to implement chunked uploads 
huh, thanks for the info
Or cheap VPS + wireguard to home server to proxy all your self hosted services
for what?
I'm currently using immich on my umbrel with the nginx reverse proxy and cloudflare proxy.
However the issue is that cloudflare has a 100MB request limit for the free tier
And all uploads above 100MB are failing
Does immich not upload media in chunks?
Not yet. We're currently waiting for an external protocol to become stable instead of inventing our own chunking system
Okay thank you
Pangolin is a good alternative to Cloudflare tunnels. Works in the same way but is privacy focused.
I'm curious to learn more about this. Is there a PR or discussion you can point me towards?
Oh nice I'll check it out thanks
Does it have ddos protection
You set it up on a VPS, so you'll get the ddos protection that your VPS provides. It won't be as good as cloudflare but probably good enough for any homelab.
did anyone here actually ever experience any DDOS?
i personally never heard of any homelab being DDOS'ed which didn't belong to some kind of public figure (e.g. content creator or someone who operates some other well known website)
DDoS is the least of my worries. I’m not running an online shop that has to be online 99,999%
Cloudflare does not provide full protection, it does a little bit in the free version but I personally don't see the added value over a self hosted reverse proxy
same here, data integrity and security is more in my focus
DDOS is expensive to execute. No value in using it on the average self hoster
You're right
and DDoS on free users has happened in the past (public figures), from what I heard, those free contracts were cancelled thereafter (as defending a DDoS can also come with its costs which is not good for business on free accounts)
the trend does go away from DDoS and towards ransomware though
Not personally but I know a friend that has been.
on his homelab? no public figure and not operating some other known website?
you sure it was DDoS and not a simple DoS?
He is not a public figure. He's pretty confident that it was a DDOS. He tried to get an IP change from his ISP while it was occurring since it killed his ability to use the internet for a couple days.
if you dont analyze it, you wouldnt be able to tell the difference between a DDoS, DoS or even some network problems at the ISP or at his own network...
pretty confident based on gut feelings without actually analyzing it...
the only way I would be "pretty confident" without analysis is if I peed on the leg of someone who would be capable of it and willing to pay for it AND that person told me they would do it
I did not analyze it. He did. Which is why i'm reporting what was communicated to me. He's a skeptical sort so he's rarely the type to fully commit to anything.
unlikely, even for a small one, you would pay around $5 per hour, assuming "a couple of days" is around 5, that would have cost a minimum of $600
thats assuming he has a slow internet connection, if he has Gigabit or even 10Gbit/s links, that is even more unlikely
if he would say it was for an hour, ok... but days... who would spend such an amount of money to take down someones homelab that he doesn't even know?
Okay. Just assume I made it up then. Good chat.
you are misunderstanding me, I am not saying you made it up
I am saying that my assumption based on the above statements is that he might have mistaken it for a DDoS while it wasn't
This is just because I don't know this person and I know how difficult it is to distinguish different issues from one another without analyzing it
Of course if someone had a serious grudge against him that has the connections and knowledge and is willing to spend that money just to piss him off and make this guys homelab unreachable from the outside for a while... sure that is a possibility as well
it could have been an ISP issue, isp router issue, issue with his network/server or even a DoS attack (which is different from a DDoS attack which is usually simply going for pure bandwidth exhaustion because that way you will be unable to block the attack at the final destination)
Somehow makes me happy we get a new IP address daily / on reconnect in Germany, just in case something does happen. Also ISPs have an interest to keep traffic low, so in case of a real DDoS they should be able to step in and blackhole that traffic. Though I'd say it's very easy to overload common home connections with a simple DoS.
the times when internet reconnected every 24hours in germany was awful -_-
DoS: Typically targets specific server-side resources such as memory, CPU, connections (sockets), or application vulnerabilities. The attack is generally more focused on the resources of a single server or service.
DDoS: Typically aims to exhaust the bandwidth or infrastructure by using multiple sources, making it difficult to mitigate because the traffic is coming from many different places. The attack can overwhelm the network capacity (bandwidth) or can involve a mix of resource exhaustion techniques spread across multiple attack points.
that is just "typically" though, wording difference really is only one or many sources
in theory DoS could also use a bandwidth consuming attack and DDoS can go for resource exhaustion
Yeah not a fan of the forced lease expiration either. I set it to some time in the night so it does not bother me as much. I’d almost say it’s better for privacy, but tbh advertisers have better ways to track anyway so whatever …
Also I looked into this but one of the main things I loved about cloudflare was geo blocking and how it also blocks all VPN ip addresses and pangolin doesn't have it on self hosted. You have to pay for it
You can add it manually to the self hosted version if you want. Just doesn’t go through a fancy UI.
iirc it also works on self hosted managed version. But that barely counts as self hosted if the management layer is on their side.
How easy is the self hosted version to set up
I haven't done the geoblocking part, but the documentation for it did not seem too bad.
you can set up geoblocking with a self hosted reverse proxy...
I do actually do that... i have config files so that i just need to "include internal/whitelist/blacklist/customX/.conf"
my whitelist is the most restrictive, allowing only countries I go to frequently
my blacklist just denies some untrustworthy countries
my internal.conf allows access only from my internal LAN
for sites like nextcloud and immich that I use to share things, i only use the blacklist
i use some auto-fetching (maxmind) of the geoip database and use that for geoblocking
it could go down to city I think but I only use it for country blocking
could I set it up to block VPNs
what do you mean with VPNs?
vpn ips
you mean like NordVPN?