#Exposing Immich to the internet
oh
it seems that using that comes with a cost though, the free one might only include city and country data (like city name, postal code, longitude/latitude, state name, state code, continent code and country code)
?
also does this exist
After trying reverse proxy, wireguard (with port forwarding), cloudflare tunnel. Eventually I settled with Tailscale.
I don't trust my own networking and security experience! Paranoid 🤣
The "Enterprise edition" of pangolin is free to homelabbers. All you have to do is create an account and agree to an attestation that you're not using it for a business and they give you a key to unlock it.
Also, geoblocking is a bad practice. You are much better off setting up something like crowdsec. Geoblocking will inevitably block legitimate traffic and you'll spend hours trying to figure it out before realizing it's the geoblock.
I understand the cloudflare upload limit but what would be the paid approach to cloudflare tunnels?
Paid cloudflare tunnels 🤣😇
I have my immich instance exposed via Cloudflare tunnels too.
immich.mydomainname.com>cloudflare access control>cloudflare tunnel> immich login page > Authentik oAuth > Logged in.
i have one question for the group..
if i disable email login forcing only OAuth, what happens if my OAuth instance goes down? is there a way to get back in?
Awesome, Thank you
What are the risks of just exposing immich to the web raw? I just connect to my home's public IP with http
Http would be really bad, https is fine
Can't read the next message 
🤣 yea I couldn't ^^
I see it now though... must've magically appeared
those two messages even ^^
I blame Daniel for hiding them

Packet sniffing, I guess
Noob here, I bought a domain name and Cloudflared it, so I can access it very easily and share some pics too!
As you are a beginner, one advice for using cloudflare: be aware of the 100mb upload limit when using their proxy service. This will cause failed uploads on larger files like Videos.
Oh okay! But is it one time? Not over a period?
Thanks! I've seen it's a request size limit, so it's okay for a lot of my work!
yep it's 100mb max per-request :)
Then it's good for me currently! But thanks! 😄
Yeah just something to be aware of. I’ve recently seen someone going through a ton of data usage because the video upload kept getting rejected by CF.
How are you guys going to deal with this issue?
I have 4 long videos on upload hold for weeks now and not sure if I should go back to direct nginx as I will lose the bot/ddos protection from cloudflare.
You can define a local URL to upload when you are in your home network/vpn. There is work in progress for chunked uploads but will still take time.
Can folks ELI5? I wanted to reverse proxy but after hours of troubleshooting, I realized my ISP (Cox) blocks port 80 inbound. So I can't reverse proxy. I don't want to VPN (e.g., Tailscale) because then I either deal with battery drain or toggling the VPN on/off. I could do that personally, but it would never fly with my family members. Cloudflare seems to have privacy concerns with using their proxy service. A VPS costs additional money to host.... Am I missing anything? I am not an IT guy, just looking for a simple way to host without just opening ports willy-nilly, because the internet says that is really bad.
oracle has a free VPS
you can also call your ISP to try to get 80 opened
Thank you, I'll look into that!
You can use a DNS challenge and try to open 443. Do they block that as well? Idk if it's assumed 443 is blocked if 80 is blocked.
Get a free/cheap VPS, put a reverse proxy container on it, set up a VPN like Wireguard or Tailscale in a container on the same network as the reverse proxy that connects into your home network where immich is
443 is open.
thank you for the idea. I have not been able to get the reverse proxy going on my host machine (where immich is). Unfortunately.
You don’t need 80 then. Some browsers may not properly redirect http to https though
Can you elaborate?
When you type in domain.com not all browsers will start with https (443)
Use Pangolin for a reverse proxy.
I meant on the not needing port 80 part. Won't I miss all incoming http traffic if I just have 443?
I'll check it out.
I have only 443 open. And nginx redirects all http to https. I’m not sure why it works when 80 is closed. But it does work
Maybe that’s the browser thing that Zeus was mentioning
But even when I curl for the headers, I get the correct 301 redirect response
Ideally you don’t have any http traffic. My port 80 just redirects everything to https.
Some browsers are starting to use https first before trying http, so that’s why it might work already
That’s what I thought. But I’ve explicitly put in http and still redirect works
Oh wait. Maybe u mean even when I put http, it automatically tries https first?
Pangolin looks like an interesting option for me. I wonder what impact it has on speed. Sounds like it adds an extra stop for the data to pass through (client-->pangolin on vps-->host device and back again). I'm usually not dealing with huge files but some video uploads on immich could be larger, or if I connected my plex server.
The extra hop will add a bit of latency, but bandwidth should remain the same mostly. As long as the VPS can handle the speed of course.
No impact for me. Depends on your server VPS.
You should be forcing https either way
You can’t force HTTPS if you don’t have port 80, though
You can't?
What do you mean by “force”?
Most people mean putting a 301 redirect on 80 to force traffic to 443
HSTS
HSTS is an option yes, pending browsers all following it
I wouldn’t call it forcing because it’s still up to the browser. Won’t work for stuff like curl
dont modern browsers already try https before http though
Depends on your settings. Chrome will start doing that by default in … october next year. https://security.googleblog.com/2025/10/https-by-default.html (Edit: forget that, this seems to be more on a blocking side - chrome may already try https but fall back when it does not work)
Also to get the HSTS policy, the browser first has to access the page somehow. Only from the second request onwards the HSTS policy will apply. Unless you are on the preload list.
I'm having problems with the cloudflared tunnel that I was instructed to setup for Immich, and I have no idea how to fix it.
Sometimes Immich will come up, but most of the time it lands on a Cloudflare page that says "Bad Gateway"
(it works locally perfectly btw, this is externally)
And before anyone tells me about VPNs and Tailscale again, those are impractical for my use case of simply giving people a link and having them, no matter what their technical skills are, able to access stuff - among other reasons. I already have this setup, and it was working for months, I just want to fix it.
I suspect this is a problem with our new networking stuff, the new Unifi stuff, but we have no idea what settings could be messing with this.
The site is here https://im.iredredux.net
When it is *kind of *working, and I click on an image, it'll sometimes spit this out
And other times, it'll just be a black screen, and other times, the image will come up like normal.
I'm on the newest everything
Newest Mac, newest consumer ethernet speed (10G), newest Immich versions...
We have Ubiquiti equipment, moved from an EdgeRouter (ERX) to a Cloud Gateway Fiber (UCG-Fiber) and it's mostly set to defaults. The config file from the ERX could not be read by the UCG, so all the port-forwarding and static-IP addresses had to be entered manually. Previously, 2283 was forwarded (it's in the CFG file), but using CloudFlareD obviates this by using tunneling, right? But to make this work, I'm told that DDNS needs to be set up so CloudFlare, which is resolving our IP address, gets our WAN address if it ever changes. The dialog box on the UCG asks for four data: Service (CloudFlare selected), Hostname, Zone name, and API token. We got the token from CloudFlare as it is shown in the bottom-right corner of some page (right below the Zone ID), but we're unsure how to populate the Hostname and Zone name fields. Initially, we tried iredredux.net (the top-level domain name) in both, and that didn't work. We tried changing to the subdomain (im.iredredux.net) for the Zone, and that didn't work, and then we tried the subdomain in both. No go. I had port-forwarding for 2283 back in the list until Red said it was no longer needed [because tunneling]. At this point I'm wondering if there's some other UCG setup that needs to happen, like in the Firewall somewhere. (Red's Dad)
(From the master of the network)
Did you check the logs for any issues? Maybe open a helpdesk thread with all info requested and maybe a video of what’s happening
The helpdesk thread can be seen. It wasn't fruitful.
Right now it actually seems to be working. We did some things last night (specified above) that... might... have fixed it? Strange to me that it maybe didn't take effect immediately. I'm very used to that. (Red)
I'll check back in if it breaks again.
do you use caching on cloudflare?
Are there any specific Immich rulesets being used for Crowdsec or the common consensus just running this mostly default?
There is an immich collection to use with crowdsec to parse log files and have immich bruteforce detection, and that adds some attack scenarios to detect:
https://app.crowdsec.net/hub/author/gauth-fr/collections/immich
Idk how much it is efficient, but it's here :)
guys
question
i made a python script that spams requests to immich login api
and it can do ~300 reqs per second
there isn't if you dont configure one on your reverse proxy afaik
thanks
mhh, immich should NOT be exposed without a reverse proxy...
you have tons of security concerns without a reverse proxy
i know
sorry, then i misunderstood the question
np
if you elaborate, i will try to answer
you can harden your reverse proxy with many different approaches...
https://www.cisecurity.org/benchmark/nginx
secure ciphers/versions/protocols
secure headers
blocking/limiting/detection
2FA/authentication
obscure identification
blocking based on unusual behavior, using things like crowdsec/modsec or even WAF-like plugins
best practices (disabling certain things, etc.)
lots of options here
cant say, never tried it
Meh I'll just run the default Crowdsec repos. It is backend agnostic anyway
Yeah. But what's the purpose of theses then ?
theses?
yeah theses additional collections that we can install on crowdsec ?
like the immich one
Ohh I should have specified that I run OIDC so monitoring for brute forcing doesn't really add value for Immich specifically. Sometimes there are more application specific collections aside from BF protection
it has a purpose if you do not already have protection in place :)
Ooh ok yes, I see then :)
Immich will not work with custom authentication in front of it. You need to trust the built in / oauth login.
You could put Authentik itself behind the Pangolin Auth. But tbh I don't really see any added value in such a double login. You could add a third factor to Authentik at that point.
Ah forget what I said. Protecting the Auth provider would break the flow anyways. Double auth just is not worth the hassle with oidc.
So yes. Basically overkill. Make the login flow on Authentik secure enough and add "standard" detection patterns via crowdsec. You probably are not a huge company that gets attacked non stop anyway.
Mostly just having a second factor. When I used Authentik I changed to Password + Passkey for Authentication. TOTP should also be fine though.
This is not true, and "trusting immich's login mechanism" is awful advice. Do not do this. I will explain.
Hot take. Many of us do it with no issues. 1) immich hasn’t had any login bugs (yet?) 2) with properly configured reverse proxy, fail2ban, crowdsec, geo blocking, the risks are honestly pretty minimal. Obviously this requires some reading and knowledge
many people leave their door unlocked without issues; this doesn't prove anything. again i'll explain. (sorry.. work is busy and this is long-winded)
What a weird take. Leaving a door unlocked is like disabling login altogether. Not a comparison at all lol.
If we could not trust OAuth libraries the internet would have a huge problem
next time maybe write it once you have the time to elaborate 😉
"This is not true"
is not true! putting a custom authentication in front of it DOES break the Immich mobile app!
the way you phrase it, it sounds like the login is a "trust me bro" implementation
afaik, immich uses standard implementations of login and oauth, oauth relays the authentication to the oauth provider
this already gives you MFA
you are also able to use client certificates and custom headers if you are a little paranoid (which I am not saying is a bad thing)
it is very common to not implement your own authentication suite into your product and instead rely on third parties for more advanced implementations and I would say that the login implementation gives a lot of room for your security needs with oauth, client certificate support and custom headers if you do not want to rely on a simple username and secure password version.
You need to trust the built in / oauth login.
This is true, otherwise you need to know how to audit the public code yourself!
If you put a custom authentication in front of something, you need to trust that as well
For me personally, the downsides of a custom authentication just put in front of it outweigh the benefits
now, is it more secure to put a custom authentication in front of it? yes
is it more secure to use a VPN and not have it publicly accessible? yes
is it more secure to not even have a VPN or even leave it offline? yes
there are always ways to make it more secure, everyone needs to find their reasonable access/comfort to risk ratio
a secure password and a properly configured reverse proxy already goes a long way!
fail2ban and geoblocking help as well (though I personally think the benefit is very limited)
many people leave their door unlocked without issues
now this part I do not like and have the impression is very provocative at best...
using the immich login implementation has absolutely nothing to do with leaving the door unlocked
If anything, it’s more like choosing a standard, well-tested lock instead of hand-carving one. The analogy just doesn’t track, and it distracts from the actual technical discussion. Let’s stick to concrete points about the implementation rather than dramatic metaphors.
I just started using a cloudflare tunnel with rate limiting for incorrect logins and page loads to protect against brute forcing.
you can do the same with a reverse proxy
rate limiting in general on e.g. the loginpage and also use things like fail2ban if you like
True but I do like the idea of my home IP not being advertised to the WWW and having zero forwarded/open ports on my router/ufw
Open ports are not a security risk in itself
If there were a vulnerability, it would carry across cloudflare to your server anyhow
It's not really about 'hiding' the vulnerability—it's about infrastructure and defense-in-depth.
I actually use both (Tunnel to ingress, Caddy for local proxying), but here is why the Tunnel is non-negotiable for me:
- Zero Ingress: My firewall is strict default-deny. I don't have to open ports 80/443 on my router or worry about scanners/Shodan hitting my residential IP directly.
- Resource Offloading: I’d rather Cloudflare’s edge handle the WAF, DDoS mitigation, and bot filtering than burn my own CPU cycles and upload bandwidth fighting noise at the modem level.
- ISP Independence: Tunnels bypass CGNAT completely, which is a lifesaver if your ISP doesn't offer static IPs or blocks ingress ports.
It’s less about fear of open ports and more about keeping the attack surface off my actual hardware.
Oh, and it’s free.
Yes, but there are downsides that make it more of a “debate” than you suggest:
- you are dependent on an outside infrastructure (recent outages notably have affected CF)
- more importantly, CF (and anyone with control over them - US gov?) can see (and edit) all your data in plain text as it transits the data center
- unless you setup split DNS and get an SSL cert anyway, pings at home (where you usually are) will be slower than they could be
Also, your own hardware still is a major attack surface because at the end of the day many (but not all) requests are still passing to your backend service. Whether the incoming port is open or not isn’t the only factor here
If you use only OIDC login with CF, that does mitigate the last issue
Valid points, and I actually agree with you on the trade-offs—which is why I don't use the Tunnel in isolation. I treat the Tunnel purely as an Ingress Controller for the WAN, not a replacement for local networking.
To address your specific downsides:
- Latency/Local Access: I specifically set up Split-Horizon DNS (using Technitium) and a local Caddy reverse proxy to solve this. When I'm on my LAN, DNS resolves directly to the local server IP, bypassing the Cloudflare Tunnel entirely. My local speeds are line-rate (Gigabit), and I'm not dependent on the Tunnel for home usage.
- Outages: Because of the Split DNS setup mentioned above, if Cloudflare goes down, I only lose remote access. My local home lab remains fully functional and accessible via the local domain.
- Privacy: You're right that this is a trust tradeoff. I am trading the theoretical privacy risk of TLS termination at the edge for the concrete security benefit of their WAF and Zero Trust policies. For my threat model (hosting family photos/media vs. storing state secrets), offloading the attack surface is worth the encryption tradeoff.
It's definitely a debate, but I've found a hybrid approach (Tunnel for WAN + Split DNS/Reverse Proxy for LAN) covers the bases you mentioned.
unless you have an enterprise plan, the protection you get from CF is very limited.
It's all relative. Compared to an Enterprise plan? Sure, it's limited. But compared to a naked residential router with ports 80/443 open to the world? It's a massive upgrade.
The Free plan successfully:
- Masks my home IP (preventing direct network attacks).
- Blocks all port scanners/shodan (since I have 0 open ingress ports).
- Handles basic bot challenges.
For a home lab hosting family photos, that's plenty of protection for $0/month.
I personally don't like giving CloudFlare access to all my media. All of the same can be accomplished with a VPS acting like a reverse proxy, with the added benefit of their business model not relying on inspecting all traffic that flows through their servers to find a way to monetize it
Hi Team, I need some guidance/ assistance with my setup.
I have exposed immich to public web successfully via cloudflare tunnel and zero trust access.
So when a web browser logs in, its presented with Cloudflare zero access. after clearing that, its redirected to my immich instance where OAuth needs to happen for login. This works just fine for web. However, the OAuth flow breaks for Mobile app.
For the mobile app, I would like to bypass the Cloudflare Access via mTLS, which is successful. However, when I attempt to log in via the mobile app, I get an invalid redirect from my OAuth. How do I resolve this?
Have you tried this?
also please note, CloudFlare Tunnel restricts you to 100 MB per action, so if you're trying to upload a video or image over 100 MB, it will fail
You've put your self-hosted Immich application behind a forward authentication layer like Cloudflare Zero Trust (or maybe a self hosted Authentik or Authelia?), but now you can't get the mobile application to work. Noooo!
It's ok! That's why we have service access tokens. So we can get our mobile app to still communicate with our API by bypas...
Hey, how do you configure fail2ban? I installed and I think set up crowdsec and the crowdsec remediation component with nginx on the server, but outside I have CloudFlare Google login only on the immich login page with geoblock
Yea, I'm not gonna bother with the attitudes here. I don't claim to be the best infosec expert around, but it is my day job. There is so much wrong with almost every "Support Crew" reply here I don't know where to begin, so I won't. Almost every reply to my alleged "hot/weird take" is just defensive attempts to prop up bad recommendations by "proving" a negative with anecdotal non-evidence. Some of this bad advice can have real consequences. I was going to correct your errors until you demonstrated that the Support Crew, as a group, don't appear to be concerned about safety or open to learning, you jump straight to talking down to people you disagree with. Childish behavior.
My comment about leaving the door unlocked was quite obviously not an analogy, (even less so a "metaphor"), so taking it as one just to try and sound right is.. wow. I was obviously pointing out that this is anecdotal non-evidence, and you're trying to prove a negative. A few people not having been hacked, assuming you'd even know it if you were, means absolutely nothing.
I wrote a long-winded detailed explanation, but work needed my attn and I'm in the middle of a move. On top of that, Discord seems to have deleted it. When I had time I came back, all I see is snark and nonsense so I wasn't going to bother to reply, but someone with some sense did so I'll at least contribute this.
Even simply pasting the conversation into ChatGPT and telling it to point out why you're wrong is enough to prove my case, while incomplete, so for giggles I did that much for you. I sure hope the attitude and these recommendations of the "Support Crew" aren't representative of the dev and his team's mindset. I highly suspect they aren't. If they are, you're only proving further the need to layer up and not blindly trust the project.
My comments were never a dig on immich itself. If you had experience in the space, you'd know that the risks here are the same that putting any community server project online (particularly with an open port on your home network) brings - namely, that there is a lot more at play than just the OAuth protocol implementation in a library, which is being hailed as the end-all-be-all here.
I would suggest that you stop being blinded by ego and be open to learning. I comment only for the sake of those who read these recommendations later, are open to learning, and to say that @crystal sundial is correct about everything he mentioned. The Support Crew members for the most part have demonstrated that they are biased at best, and only have a partial understanding of things, and as such don't really have any business commenting on what is secure and what isn't. Until they demonstrate otherwise, I wouldn't follow their advice. Do your own research (the actual, non-echo-chamber kind). Those of you employing CloudFlare and mTLS are on the right track. I'm still learning myself, that's the point of a homelab, but I see holes places where others might not, and you won't catch me certifying things as "secure" or even "secure enough" on a whim. If the attitudes were to change, and assuming I have time, I would be open to answer questions and elaborate.
I'll close with: if immich were open-port-worthy as you suggest, the project below wouldn't exist. As I said, I would argue almost no community-run server project is, especially one this new. As historical supply chain / watering-hole attacks have demonstrated, even "proven" projects are subject to new attacks. Heartbleed, Shellshock, and countless more were huge issues in ancient projects. Even the project below, created with the sole intent of being secure, needs to be implemented carefully in order for it to actually achieve the goal, and that wouldn't involve an open port. Someone suggesting you open one on your home router in 2025 is a good first hint you're talking with someone whose knowledge is, at best, out of date.
https://github.com/alangrainger/immich-public-proxy
Just a reminder to everybody here to be open minded and to keep the discussion sane. We all come from different background, with different experiences, there will be things we won't agree on and it should be ok to have disagreement. 🙂
I'm all for being open minded and that's what I'm suggesting, but security isn't something where anecdotal evidence and different backgrounds really matter. It's generally either secure or it isn't at the time it's being discussed. Some of the questions are being confidently answered here with wrong information and bad advice that can get people in trouble.
Thank you, it was a general reminder for everybody participating in discussions
Overall Immich is a great project and I really appreciate all the hard work you've put in btw @hollow estuary . It's fantastic as it is and is showing even more promise with each update. Great work from you and your team.
Thank you
Just to be clear: I’m open to hear your concerns anytime. As your first reply was about one of my statements, I’d be VERY interested why me saying the Immich App only works with the supported authentication methods is not true.
It is not my intention to give bad advice and most of my experience is based on my work where I manage authentication and authorization for over 100 developer teams. I don’t claim this experience is the end of all, but just my current state of understanding how things work and at which point you are starting to over engineer for a potential problem while still having other holes to fix. Again: I’m happy to hear what other Immich users are doing and how they protect their infrastructure. There are a lot of ways to do this that don’t break the authentication or rely on big tech - even in 2025.
Does CF tunnel throttle bandwidth or anything in anyway?
They limit upload size to 100MB
You are talking about the CF tunnel right? Not the dns proxy?
I know the dns proxy limits it to 100mb.
But I've never used the new CF tunnel.
The tunnel that ppl these days use to expose a backend service w/o having to open ports.
Yeah, that uses the proxy.
afaik cf tunnels still have the 100mb limit on the free plan
Hmm ok thats enough reason for me to stick to my current setup then.
cf tunnels only change how cf connects to the target, so the same limits apply.
@hollow estuary I saw talk of chunking/resuming support in I believe the 2.0 release notes or at least the new version of the backup engine. could you speak to whether this was a response to Cloudflare’s 100mb limit and if there has been any success with overcoming it? I have had strange results on my instance that I haven’t shared yet.
#22385
[Pull Request] feat(server): resumable uploads (immich-app/immich#22385)
This is blocking on interaction between CF and Apple - as far as I know, until one side patches it, we cannot progress on the immich end
Basically, Apple supports RUFH, which we want to use, but cloudflare doesn’t support using the spec as written (and may have very little incentive to change this to enable larger uploads)
seems odd we would be beholden to RUFH on the apple side. i may not have read everything yet. this is what i had read previously and was referring to
https://immich.app/blog/sync-v2
this phrases it as if it is a requirement for a stable release, and 2.0 was dubbed "stable", so i wondered if this implementation was already live. i have noticed that turning the old and new "timeline" on and off causes syncs to behave differently, particularly over cloudflare, and I prefer the greater detail I get on the "old timeline" UI, currently. The "old timeline" implementation seems to think it is sending the entire file successfully to somewhere, even if cloudflare is ultimately rejecting it somehow. on the new timeline implementation, i can't really tell what's happening.
in any case, i didn't know if this chunking implementation was intended to solve the cloudflare issue or just large syncs in general. and i'm real curious why the transfer on a 300+mb video doesn't just die at 100mb and instead continues through the whole job, but none of them actually show up in immich
Stable means that there is backward compatibility between minor versions upgrade, and we will follow semver for breaking changes update. It doesn't mean we have solved all of the problems or implemented all the features. Chunking implementation is partly to help 100MB limitation of CF and largely will provide a better backup experience overall.
The blog post is for the data synchronization mechanism between the server and the mobile app, not related to upload implementation
Regarding being beholden — we sort of are stuck complying to apples approved paths if we want to have the best background experience. Apple limits these activities severely
CF buffers the request in the CDN before sending any of it to Immich. It receives the request body and just doesn't forward it because it exceeds the max buffer size (100MB). I'm not sure why it continues accepting data past that, though.
ah, didn't know that. interesting behavior..
thanks for the insight guys
I've got two instances, one personal instance that never goes on the public internet. I have no reason to put it on the internet, but I have good reason not to, so I will not expose my personal photos.
However, Immich is quite useful for sharing photos during/after a trip, or sending/receiving the full, high quality photos from folks
I have a public instance exposed either thru a CF tunnel if I need a pretty url, or through tailscale funnel to avoid the 100MB upload limit. This instance only has very few photos, that once shared/received, are placed in the private instance.
Eager to hear your guys' opinions on this way of doing things!
This sounds like a reasonable setup. As usual the recommendations follow your personal requirements. Since you know of the CF drawbacks and have ways around it, I don't see a problem with using it! And because your critical data is on an instance that is not exposed to the internet at all, I don't see any reason to specifically harden the security of your exposed instance.
I also think it's reasonable
You don't want your personal photos on an exposed service and also have no need to and you accept the extra work this brings with it -> perfect use case (you seem to be aware of what you want).
You consider and minimize risks on the public instance.
Now, as long as you understand the setup and weigh benefits and risk for yourself, then it is all good...
many people have different opinions and preferences.
one thing I would add is to make sure you have proper backups of at least your photos!
Some off-topic to your actual question and just some rambling/general things:
I am generally not a fan of CloudFlare for Immich, simply because in my personal opinion, the actual security benefits in this case are minimal and for me do not make up for the downsides (like the 100mb limit, my decrypted data being present on their system and "analyzed", etc.)
there are other solutions I prefer for different use-cases
Personally, I like to run my own reverse proxy for my use-case.
I am always happy to explain my view and why and how I would do things a certain way (this can obviously be different from other people, especially because they weigh different aspects differently than I do or have more or less information/knowledge about a certain topic)
e.g. if you have little knowledge about security best practices and use immich just for yourself and maybe your spouse, a wireguard tunnel to your own reverse proxy which is not publicly exposed may be the best solution for you...
but if you are not afraid of the work and have the need to share with many people, a hardened setup with your own exposed reverse proxy may be the best solution for you
there are always ways to make your (or any) setup more secure and you need to find a balance for yourself
there are also setups created to get around restrictions like CGNAT
Yeah, I just have kept it simple. I guess for me right now, the benefits of a self-hosted reverse proxy (pangolin maybe?) don't really outweigh the hassle that I would put into it. Also, since I'm not very familiar with security, I'm fine paying cloudflare a bit to not have to worry about it. But maybe that's not the right way to think about things!
I would like to hear more about your privacy concerns with cloudflare, because that might be enough reason for me to self-host my own reverse proxy.
(oh yeah btw for my personal instance i just use tailscale for remote access)
self hosted reverse proxy
You mean Nginx?
Love to!
My privacy concern with CloudFlare is simply that it is decrypted, partially analyzed, then encrypted again.
I don't know what exactly they do with my photos and other decrypted data.
With many photos I don't care so much but I am more protective about my childrens photos.
Now if that is a concern for you or not is for everyone to decide... less of a "concern" than using Google Photos but definitely something to consider if you're concerned about privacy!
My personal belief is also that CloudFlare does not offer that much actual added protection for immich.
It provides DDoS protection (anything medium to major could lead to them canceling your membership as you are not a paying customer but every DDoS attack will cost them actual money), GeoBlocking (which can also be done on a reverse proxy), basic rate limiting (which can also be done on a reverse proxy).
Now the security benefits it does give are basic WAF / threat capabilities: this blocks things like Top10 vulnerabilities like sql injections and cross-site scripting (I would say these don't apply to immich and if there were an actual vulnerability on immich, immich is likely too small to be included) and also blocks a few known attackers IPs (the first part can be done (maybe even better) with modsec but I would consider this hard to implement or with an actual WAF like bunkerweb and the latter has alternatives like crowdsec)
PS: tailscale / wireguard is perfect for personal instances where you don't need others to have access to
You can block the most simple injections using Nginx rules as well.
I also use crowdsec which can detect many of them more easily than bunkerweb or modsec which is much harder to setup
Crowd sec also uses peer sourced IP ban lists
I agree with everything you said btw!
Thanks for the info! And that's making me feel better that my personal photos are not going through there 😄. Great to hear from someone more knowledgeable 🫡
yes, there are a lot of possibilities with reverse proxies
Personally I think CrowdSec gives a benefit but mainly for keeping logs sane, in my opinion it does not offer much long term protection
there are not really any downsides to it other than the added work of implementing it though
I like it because 1) bad actor IPs will often try the “low hanging fruit” first and you also can get the block list from peers without ever getting hit
It does nothing for a targeted zero day , but that’s what containers, VMs, and sandboxing are for
modsec I haven't even found a way to implement with nginx...
bunkerweb is definitely harder to implement as you will need to familiarize yourself with a specific WAF... not worth it for a single product in my opinion
Running services on a wildcard subdomain and avoiding common ports cuts out many of the zero day scanners
I never got hit with the Emby vuln for example
But people with default port got pwned
it reduces the likelihood but does not protect... illegal scanners will find you, it will just take longer...
it has no downsides though, so it is definitely good to have it
I also try to stay off of official (and unofficial if possible) scanners by not having a default site and/or certificate on my IP / reverse proxy and also block the ip ranges of those scanners as those are usually published for those "legal" ones
"obfuscation" makes you harder to find and might keep you off of the "low hanging fruit" list but will not protect you (just to clarify: this is still good but it does not offer protection in a direct sense... indirectly it does to a degree)
I try to add those layers, obfuscate as much as possible, assume that obfuscation does not protect me and add actual protection and harden where possible (e.g. most vulnerabilities rely on internet access of the server, if you limit that outgoing access to only needed services, it adds another huge barrier)
Yes.. I also configure nginx to serve no cert and an empty reply if SNI does not match my domains that I serve
And I block shodan etc from the firewall as well as some geo blocks, again all cuts down on noise nothing can 100% protect.
Security is all calculated risks
completely agree 🙂
One thing I did recently is I moved every service into its own docker network stack and then connected all these to nginx.. this helps reduce lateral attacks
Many people use a proxy network but IMO this provides no protection
😄 yea I do the same ever since I started...
important... i have a lot of security based on connections between containers... no need for a container to be able to reach another container it is not associated to...
I just don't have any actual firewall rules in place on those networks between containers, so it is bidirectional access
I make most of my containers talk to each other through the proxy unless they are in the same stack
For example sonarr and qbittorrent
This gives me more visibility into the metrics etc
yes, same
I have different kinds of networks:
1.) connections between containers, these allow no outside connections and only between containers connected to this network... I have one or more of these per stack
2.) one network for each container which needs to be accessible via the reverse proxy, the network is limited to the reverse proxy and that one container only
3.) a network shared between all containers who need external access, this network connects to my firewall and allows no connectivity to IPs in the same network (the proxy is in a different network on its own, so they could in theory connect via proxy to any other services if the firewall rules allow it)
all that is just another layer of security... and just in case they ever were able to get access to any container...
of course there is tons more I could add... e.g. I don't run true rootless yet 🙁
Can you briefly explain how you configure those networks in docker?
I have them segmented but no rules on them.
I also have no rules on them, the complexity of using iptables or nftables on docker networks is too much for me
I just make use of different bridge and network types
e.g. I do not use the default bridge ever as that one gives network access through the host
Maybe that's what I mean. I think all mine are bridges
I don’t use the default but I don’t change the settings on the others
for 3.) I use private macvlans
if you have no external firewall vlans, you can try to create something like public and private bridges
basically ones allowing ip forwarding but not allowing container communication and ones not enabling ip forwarding
I’ll look into it
I’m not sure what you mean by firewall VLAN. I have UniFi now but I don’t segment the traffic within each machine into VLANs yet
my firewall also segments my actual network
I have the following VLANs which have a relation to container functionality:
ProxyVLAN: This VLAN is solely for my reverse proxy
Dev VLAN: This is a VLAN which I can directly access but is not accessible from "untrusted" networks like the internet. I use this to try out containers before making them accessible via reverse proxy
DMZ: network to access public resources for containers I consider trivial (not holding any valuable data or not needing a lot of security for whichever reason), this gives unrestricted outgoing internet access, this is not used much
SecureDMZ: network with restricted internet access to destinations a container might
InternalDMZ: network to access resources on my network from containers without additional internet access
I also have several Client VLANs like Guests, Kids, IoT and "Secure"
Traffic between those networks is handled by the firewall
I mentioned the above bridge possibilities in case one does not use VLANs on their network (as most only have a flat LAN at home)
of course this suffers from time constraints and e.g. containers stay on the DMZ for longer than I plan (as I need to find out what they need access to and allow this on the SecureDMZ before moving them there)
PS: this explains the bridges in more detail:
https://docs.docker.com/engine/network/drivers/bridge/
I make use of the prefix option to differentiate between the different kinds of networks I use in case I take a look at them inside of the container
with the options you can adjust bridge behavior to what you need
#1122615710846308484 message
that conversation I linked here above is talking about a similar topic and some more insights if anyone is interested
I forgot to mention, I don't know much about Pangolin, if you want to know more about it, someone else needs to chime in or you need to research
Pangolin is just a reverse proxy (traefik?) Bundled with built in WireGuard
You can DIY it super easily if you want. It’s for a VPS in the cloud. Only should be used if you have CGNAT. Stop worrying about your IP leaking 😛
cool yeah 👍 i'm always up for reading the docs. sorry if i came across like i was trying to have you explain it to me step by step, that's not what i meant to do (and would be quite immature lol)
you did not come across like that at all and I am happy to talk about stuff I do know...
I just forgot to address that part, so I will keep quiet about pangolin as I haven't used it and cannot provide firsthand knowledge about it
ah i see 😄 sounds good!
definitely... leaking your IP should not be an actual concern in itself
This is another example of a litany of incorrect and presumptuous statements. Some teeter on correct in certain instances, others are flat out wrong. I don't know why someone would have a "belief" about objective things that can be researched rather than just researching them.
Things you're right about:
- A home reverse proxy is better than nothing, could allow for e2ee (mostly) and some of the protections Cloudflare can provide can be provided at home by various means (with a big but...).
- Cloudflare (for a split second, likely in ram) terminates TLS, because they pretty much have to to function as an https/mTLS destination and proxy. If Immich wanted to, they could implement encryption on their own for "e2ee" in transit purposes. If they did, Cloudflare would be blind despite TLS termination.
- "tailscale / wireguard is perfect for personal instances where you don't need others to have access" Correct except that last part. It's perfect for where you don't need the public internet to have unadulterated access. You can divvy out access via tailscale, twingate, WARP, other solutions with trusted people/devices.
Things you overlook:
Self-hosting a reverse proxy at home...
- Exposes your home IP which could have been stealthed, and now opens you up to things like directed and highly-effective DDoS attacks should someone be inclined, when the same attacks wouldn't affect Cloudflare (and by extension, you.)
- Requires a permanent open port, which attracts massive attention from attackers beyond normal ambient web traffic, and allows for recon and attempts at more vulnerability exploits deeper into the network
- The "Raw" attacker packets this open port attracts traverse your modem, router, and potentially other network equipment at home, all of which run their own OS and software, before reaching your server, os, and server software. All of these are additional potential attack surfaces that you are now defending personally, rather than a billion dollar company responsible for large portions of the world's architecture that have seen every type of attack under the sun. They have a 24/7 funded, manned SOC and years of collective experience blocking threats baked into their rulesets. Home users have a Chinese modem and router, likely with out of date firmware and no IPS/WAF.
- Things like Access + mTLS on the external Cloudflare side, plus the Cloudflare Tunnel itself means that exactly zero traffic intended for the open port on Cloudflare's side gets through that doesn't originate from a known-trusted device, or Cloudflare. Yes normal internet ambient traffic still hits your router, but it is met with a very simple "deny all inbound" rule and no response that again reduces attack surface and dissuades attention since your equipment is stealthed.
- "Cloudflare is analyzing my traffic" with a comparison to Google Photos - highly unlikely. They process your traffic but calling it "analysis" aside from WAF rules is pretty disingenuous. They perform the operations necessary to perform the network actions you asked them to perform, like re-encryption on the way to your server, redirection, WAF filtering, etc. At worst, if they were hacked I might worry about passwords being passed over the pipe. They're not analyzing your photos with AI or anything of the sort Google would have a vested interest in doing when you store photos with them. It would be costly and likely introduce massive latency. If they were caught doing this I'm sure there would be massive lawsuits. Companies this big have open privacy policies they adhere to, and in Cloudflare's case they operate as a processor and promise not to log, sell, or rent your data, and likely would not "view" it except as needed to "identify, analyze, mitigate, prevent, and block malicious activities on Cloudflare's network". Cloudflare is unique in that it gives them no advantage to analyze your traffic content - they aren't serving you ads or anything bc they basically can't, and they actually encourage user-level encryption. As I mentioned, Immich could implement "e2ee" in transit between their apps and server if they wished, aside from TLS.
Things that are just incorrect:
- "Immich is not subject to XSS, injection, OWASP Top 10 etc" - All webapps can be subject to all of the above, especially anything with an API or that takes user input, or especially uploads like immich. It is drastically lessened on something security-oriented that takes no user input such as Immich Public Proxy. It depends entirely on dev knowledge and focus, how hardened and sanitized the implementation is. For a young project like immich where the focus is getting it working.. not thwarting every injection under the sun.. hacking it is often trivial. The only time I could see this being remotely true is if you're using something like Tailscale or Cloudflare Tunnels + mTLS where traffic flat out cannot arrive at Immich's doorstep unless it is already authorized, which is why I suggest this approach for any community project. Even then, you're trusting any machines you have manually trusted not to be a carrier or proxy (hah).
- "Immich is too small to be included" - Immich makes use of underlying libraries which hundreds of other projects use, and rulesets which isolate things like injection attempts are often generic, i.e. regex looking for particular strings within a given protocol. A lot of protection can be afforded despite a project's age or popularity. The same is true for any WAF/IPS.
- "anything medium to major could lead to them canceling your membership" - Immich is a small, commonly single-user instance. Even if they could isolate a DDoS campaign as attempting to hit your hosted services and no one else's, which is extremely unlikely, they're not going to punish the end user for that. Even if they did, that would mean closure of the tunnel, which wouldn't afford them any additional protection or save them any cost. It would only serve to inconvenience the customer, blocking all access and you'd simply have to find another solution. It would "fail closed", which is zero risk aside from lost convenience, whereas exposing your home IP and port, and praying for no vulnerabilities across all the moving pieces I mentioned, on an unmonitored connection, is potentially a lot of risk.
I’ll just leave this here: https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/
TLDR, cloudflare does seek out and analyze passwords, at a minimum
tell me you don't understand what that's reporting on without telling me. great example of nuance missed

i specifically mentioned passwords if you bothered to read. that specifically says it's collected as part of an application security offering you can place in front of things like api's. if you don't see how that's useful, lol
Hey, first of all, please consider that the way you write comes across as condescending.
Just as your comparison with the unlocked door, that was provocative at best, you continue to talk down on people.
Some examples:
many people leave their door unlocked without issues; this doesn't prove anything. again i'll explain.
Yea, I'm not gonna bother with the attitudes here. I don't claim to be the best infosec expert around, but it is my day job. There is so much wrong with almost every "Support Crew" reply here I don't know where to begin, so I won't.
I was going to correct your errors until you demonstrated that the Support Crew, as a group, don't appear to be concerned about safety or open to learning, you jump straight to talking down to people you disagree with. Childish behavior.
Even simply pasting the conversation into ChatGPT and telling it to point out why you're wrong is enough to prove my case, while incomplete, so for giggles I did that much for you. I sure hope the attitude and these recommendations of the "Support Crew" aren't representative of the dev and his team's mindset. I highly suspect they aren't. If they are, you're only proving further the need to layer up and not blindly trust the project.
I would suggest that you stop being blinded by ego and be open to learning.
The Support Crew members for the most part have demonstrated that they are biased at best, and only have a partial understanding of things, and as such don't really have any business commenting on what is secure and what isn't.
This is another example of a litany of incorrect and presumptuous statements. Some teeter on correct in certain instances, others are flat out wrong. I don't know why someone would have a "belief" about objective things that can be researched rather than just researching them.
tell me you don't understand what that's reporting on without telling me. great example of nuance missed
i specifically mentioned passwords if you bothered to read.
I hope you see how messages like the above, at least when sent in such quantities, can be very offensive
I hope you see the pattern and agree that this is not the best way to talk to others?
If you want a serious, professional discussion and not just to troll and bash, I would happily continue a conversation, but this will be the last time I will respond to you for as long as you speak this way.
Please remember that the support-crew is a bunch of nice people, dedicating their free time to helping people out, simply because they believe in contributing to projects like these.
There are things in security that are facts and things where you have an opinion / personal belief on.
Often opinions are expressed as such as to not get into arguments about details.
I understand that security is your day job, believe me when I say that many of the support crew have a very professional background.
If your opinion is that companies as big have open privacy policies they adhere to and that those privacy policies are there to protect your privacy... then that is OK, it is your opinion but not everyone shares the same opinion on this.
Now I do not agree with your take on open ports, exposing your home IP, tailscale being practical to share photos with everyone, projects only existing because security on immich being bad.
Immich not being subject to XSS, injection, etc....
Yes, reading this I wrote this incorrectly! yes, immich can be subject to this.
I do not think it gives "enough" (in the free plan) security benefits for the privacy concerns and upload limit it comes with, at least not for me...
I think everyone can decide for themselves though. Many do not have concerns about privacy and don't mind the 100MB limit as they just upload those at home on WiFi... Many of those are very happy with CloudFlare.
Many are happy with a simple reverse proxy as well.
I definitely agree (and always say this here) that more security is better... run a WAF in front of it, run IDS/IPS, modsec, crowdsec, harden your OS, harden your docker installation, harden each container, harden your network.
more is better, no arguing that!
I do however stand by my stance: Attackers are financially motivated, they will go for the easiest way to get the most amount of money. This includes high value targets with unique malware designed just for those targets (and more if possible).
If you are a person of interest, I would agree that even your immich installation could be a potential target and you should secure it as best as you can.
For the average immich user, the likeliest scenario would be a vulnerability that is found someday and is published, the targets will then be installations which are listed on scrapers, public (e.g. shodan) or illegal. you can take measures to avoid being listed there
Is it possible someone will still use an undisclosed vulnerability to take over the immich installation of a "normal user"? possible yes, likely, no!
maybe if people weren't doing this there wouldn't be condescension
I think the best way forward here is for @real maple and <@&1184258769312551053> to disengage with each other on this topic.
Thank you
Now I do not agree with your take on open ports, exposing your home IP, tailscale being practical to share photos with everyone, projects only existing because security on immich being bad.
what? i am advocating against that.
Many of us are happy with it
that's great, but you are advising people who are asking security questions about putting it on the internet with incomplete or incorrect information which puts them at risk. it's not a matter of opinion or being "happy" with a product
attackers are motivated by money
you're not wrong, except that you're assuming attackers are a person. attacks are widespread and they find targets via automated tools. Shodan is an example of one that is publicly listed, but groups and botnets do this on their own all day long.
@real maple Please read my message above, thank you
it is a strange position to advocate that your users shouldn't be informed that advice they're being given puts them at risk.
I am specifically talking about we cannot have a good discussion here without bashing on each other, so I'd like to stop that.
consider it stopped from my end. i have no interest in being rude or condescending to anyone. i have an interest in protecting people who are asking security, not immich, questions. as you can see in previous replies where i was treated respectfully, i was respectful back. i'm citing risk to a team that seems (seemed?) to think adding Oauth to an app means it's unhackable, and being laughed at in response. sorry, you get condescension for that.. shocking. if you silence me by saying don't respond to the bad advice being given, the same thing will obviously continue as users ask if putting this project on an open port is ok, and are told yes by "support".
I will say that aside from the beginning remarks, most of what is said here, I agree with. I'm glad you changed your position on the XSS and injection things, I respect that. I don't agree that it is unlikely users will get hacked. I've seen it first hand on numerous occasions, and in a lot of cases targets were relative "nobodies", including me. What you say used to be true, but really isn't anymore in the age of AI and automation. Botnets and scanners are the minions and Nazgûl on autopilot scouring the net - every single IP. My inactive domains I've never posted anywhere get thousands of hits a day. Same for anything with an internet IP. If you don't believe me, fire up a honeypot or Wireshark on an open VPS and just watch it for a while. Create a new MongoDB database in AWS or Azure using default settings, and see how long it takes before it gets taken over and "ransomed". (It's minutes, ask how I know.) It's common for even experienced IT professionals to think that not having DNS pointing to their IP will save them. This is "security by obscurity", and now more than ever it doesn't work. you've seen the same thing happen with robocalling and smishing becoming more frequent. These days as soon as a new vuln PoC drops for a version of something they've found previously with their own personal shodan-type scanner, they can quickly spin up an agent for it, act on the instances they've previously found, establish a foothold, and report it to the mothership, perhaps all before a human is involved. The onus is on us to layer up and reduce attack surface.
On another topic: if you pick a unique subdomain (hunter2.mydomain.com) to get security through obscurity – once you get a targeted HTTPS certificate, the domain name leaks and is searchable via https://crt.sh. Getting a wildcard cert (like CF does for example) masks this vulnerability. NB generally security through obscurity is not a good goal on its own (but is - statistically speaking - better than nothing).
Now that we got this out of the way, is there a list of HTTP endpoints that need to be exposed to the public? E.g. something like /login, /oauth/* etc? Asking to craft a rule which would drop all traffic w/o Authorization header to any other URL for a friend.
i think the first thing to consider is: will they use the share album feature
(OR they have an alternative frontend to handle sharing links)
if you will use share link, basically all frontend files need to be served (i dont think there is an easy way since everything is minified)
and also whatever links used to fetch photo by the album script
that's a tradeoff to consider/know first before you get started
i think it will be easier to hardwall the whole thing if you dont care about the sharing of album but i elect an informed decision on my own instance to not do that
(security is at the end a calculated measure against own risk, at cost to own convenience)
It kind of depends on what level of access you need, but for daily operations you basically need the whole API accessible. So as Thunder said, you should treat the whole API as something that needs proper protection (whatever that means for you, we can only give guidelines).
https://github.com/alangrainger/immich-public-proxy
Is a community option that you can use at your own risk
/api has to be exposed so that won't work (sadly) (I tried)
to your point about wildcard certs, I think many people already do that
Yep, this. One of the biggest advantages is turning what would normally be a full app with user input, API, and uploads into what is more akin to a static site. Far less things to try and break on it via injecting, bruteforcing, etc. Generally proper use of it would look like network-segmenting this project from Immich itself with either layer 3 switching or a firewall or something between the two, such that it can only access what it needs port-wise from the immich server frontend/api, not the database or anything else on your network. You could also whitelist it URL-wise, though that's the point of the project so if you trust it it's a bit redundant.
You yourself could Tailscale / VPN / tunnel to access the secure side without exposing it. The public proxy app's segment would effectively be in a DMZ. If you were ok with inconveniencing users a little bit, you can also set up Cloudflare Access with a one-time-pin and have an email-based allowlist, similar to how MFA works, generally on a per-subdomain basis. This drops a cookie in their browser for a customizable time period and they can then access that subdomain (the DMZ) at will from that browser for that time period - again reduces attack surface to the public proxy app and its server by limiting what can hit it. To earlier points, in this setup Cloudflare itself could potentially see the data, likely in memory, but I think it's pretty unlikely they're performing any analysis that your ISP isn't already or logging much - would be mostly for network optimization type things. Some people put a honeypot in their DMZ or use canarytokens to see if anything has made it into the DMZ and started looking around, and this serves as an early warning that the public-facing server has been popped, and allows you to take action before it's really a problem.
I'm working with tailscale.
After learning that Cloudflare-Tunnels necessarily give cloudflare plain-text access to your traffic I migrated to pangolin as well. it's been working well for me so far 🎉
I want to let everyone know I added a line to the example nginx config that should make uploading twice as fast:
https://docs.immich.app/administration/reverse-proxy#nginx-example-config
Specifically proxy_request_buffering off;, which by default would result in uploading files to the proxy server fully before the proxy server would upload to Immich. With big video files this caused issues when the proxy server didn't have enough memory to store the full video file. Also, the Immich web upload progress would reach 100% when the file was fully uploaded from the client to the proxy server but it would then take just as long (assuming the proxy server has the same bandwidth to the Immich server that the client has to the proxy server) to upload from the proxy server to the Immich server resulting in it sitting at 100% for just as long as it took to get to 100%.
With this setting the uploaded file is "streamed" through the proxy server and 100% on the web should be 100% on the Immich server.
assuming the proxy server has the same bandwidth to the Immich server that the client has to the proxy server
I'm jealous of people who have an external connection as fast as their internal one ... For me it's the difference from going from 40 Mbit to a local bridge interface (or 10 Gbit if it's another device on the network) 😅 Thanks for the contribution! I guess buffering is not that required for most home setups anyway.
This is good, but it is important to know that Pangolin is not perfect either. Technically, if you run it on a VPS, then if the VPS provider really wanted to, they could technically gain access to your information.
In my opinion, for a VPS with true privacy, this is a great way to go. It also keeps the client's original IP and keeps your information - yours.
To be clear. if the proxy server is 10 gbit to the immich server then it'll be negligible.
If the proxy server to the immich server is slow this makes a bigger difference.
(If the proxy server is on the same server as Immich this is going to be a very small difference.)
I was testing on my LAN and I have 1 Gbit from my desktop to my router (with my reverse proxy server on it) and 1 Gbit from there to my server with Immich.
But yeah, proxied uploads make no sense in most cases and if you want it then you should explicitly enable it.
Using a tailnet for mines, secured it behind a Tailscale vpn and got a password manager stored creds and the biggest password I can make haha 48 long and the most random ass combination haha
Same here. bc the cloudflare free plan has 100 mb limit per file.
going to expand it to other apps very handy setup, just need to switch my vpn on my phone and boom got access to my immich server.
I use Openvpn installed on my router
NGINX and Cloudflare
this is awesome!
the obvious downside is it isn't free when that's what we're all trying to avoid - paying, but if you can score something like the nerdrack black friday deal (i got $10/yr for a 2TB/mo transfer 1 core 1GB VPS), then that is worth it to roll your own cloudflare tunnel, circumventing the transfer limit and keeping TLS intact through the proxy
Very similar, but CloudFlare Zero Trust Auth and protection Access keys, Nginx performance settings, Crowdsec on the inside and iptables local firewall with internal request allowance permission to only CloudFlare proxy ips (I have a script that queries CloudFlare once every morning to get the new CloudFlare ips ranges). Now my Servers are completely protected from the domain side & the public ip side.
Hey @worldly wraith , like the extra layers there, I thought if the service is proxied only by Cloudflare (and private IP on LAN isn't accessible externally), then it will only be the Cloudflare IPs that will have access?
I made sure to leave a firewall rule for tailscale RDP and SSH access
Yes
IP Ranges | Cloudflare https://share.google/Bthl6pu6lG12gQzNK
Thanks, haven't setup Tailscale, but heard a lot about it. Will explore.
whitelisting just their IPs is a great practice. love the recent contributions 🙂
also, even though it’s really buggy right now, I got deep into the weeds on the alternate network settings and found a workaround to get it working, thanks to some of the people on the github issue. thanks to whoever linked me to the first github issue, I found a workaround in a different issue than the one linked. i’ll try to write it up in an easy to digest manner.
the tl;dr is the UI seems to assume you are setting the alt up while on your local home connection, which most people won’t be who want this i would guess.
on your endpoint, sign out of immich, change network settings and then sign in using your local IP or bonjour hostname or whatever, and THEN go back to network settings and add the alternate connection settings. specifically, use the button to copy the current Wi-Fi and current (local) server URL, and then in the list below, put the same information in for the URL in the first slot, but add a second entry below it. only here would you put your remote URL of https://whatever.com:port. highlight the first field again and you should get a green checkmark on both of them. If you don’t, you either mistyped it or the UI is being stupid. Close out of immich if it refuses to give you a green checkmark because it won’t save any of the settings until URLs are green. restart the process and fiddle with things until you get two green checkmarks. eventually, it will work, assuming you have the right information. /api is not necessary. now, when you leave home, it will try the servers in that order meaning it will try your local host name first, fail, and fall back to your external URL which will be your reverse proxy.
basically it ignores the main setting next to the wifi and seems to try the servers in that order meaning it will try your local URL first, fail, and then try the second entry, which will be your reverse proxy.
this means you can upload images and videos smaller than 100 MB while you’re out roaming, and then at home bypass the proxy and upload the rest easily. if you want to, you could also roll your own reverse proxy like pangolin instead of Cloudflare tunnels and have that as a middle entry, falling back to cloudflare if both are unreachable for some reason.
One of the reasons why I don't like people going around "I use CF, I'm safe". Beginners often don't know yet what else they have to do. Limiting their ingress to CF IPs is the first step but in the end all rules that apply for directly exposing also apply for cloudflare. Good job on adding internal security on it!
I’m using CF Tunnel but seeing issues when going through 1000s of items.
I have a VPS and I have a local server at home where my Immich service is hosted and my NAS is located.
I’m thinking to use the nginx proxy manager at my VPS to be the entry point and then proving that traffic over WireGuard to my UniFi UDM Pro router, and then access the immich instance on my local server.
Does this sound like a reasonable plan to remove reliance on CF Tunnel?
I don’t feel like exposing my local network, I run lots of other services at home..
Something like this https://github.com/dinvlad/caddy-wireguard-proxy but npm instead
My npm is already setup with let’s encrypt wildcard cert
You can use any combination of proxy & VPN, it does not have to be a pre-configured solution. I previously had npm + wireguard running very well.
Just for the "exposing the local network", keep in mind that on layer 7 you are still doing exactly that, no matter if there is CF or any other proxy between your immich and the internet.
did you have both wg and npm running within docker containers?
npm as docker, wireguard directly on the vps. But should work similar with docker (the docker compose in the github project you linked is a good example)
Although my UDM pro is a client to my Wg container on the VPS, I can’t ping my UDM from within the container, so there’s got to be some routing and firewalls stuff to figure out
From which container, wg or another? Depending on your network config on that setup you might need to change the network mode of the wireguard container. I run the local side in docker and have set it to host mode so everything on that machine can also connect.
Oh then you don’t even reach any docker network things. Probably some issue with the tunnel then
So I got most of it working
- Wg easy container on vps
- Udm pro at home setup as wg client
- Iptables rules to send dns req to pihole
- Opened firewall at udm pro so vpn can access lan
Now my iPhone connected to my wg server can access lan and pihole.
Last part is making nginx proxy mgr pass req via wg container. Looking at the caddy example, they use network_mode: service:wireguard, but I can’t do that since I have lots of containers on the vps setup for access via nginx.
Wondering if there is some other way to route req from nginx to wg container down the tunnel?
I only know of these two methods (host network and service notation), so I can't help with that use case. There are some ways to exclude the docker network from being routed through wg described at https://hub.docker.com/r/linuxserver/wireguard#maintaining-local-access-to-attached-services but I never tested that
has anyone here used tailscale? i wanted to try vpn but i don't have static ip sadly and the ISP is on CGNAT.
Lots of Tailscale users, any questions? (Don't use it myself, running my own VPS for these things)
Just use Tailscale
I have placed the setup in immich github repo
if you want public just add funnel. But it's better to share the node with friends and family. most private and secure way
Funnels can reportedly be somewhat slow sometimes, so it’s difficult to give as a recommendation. Maybe it gets better once they are out of beta.
I believe Tailscale does not recommend funnel for production but rather for temporary use. I don't know if that's still true though
From past experience with Funnels it is simply too slow for production
Funnel is also beta which is usually an indicator of don’t use it in prod yet.
I have immich/traefik/authelia/crowdsec hardened ufw and domain proxied on cloudflare.
So which are the best for remote access if I'm not able to port forward as option?
cloudflare tunnel is 1 option i think
Cloudflare Tunnel or if you don't want CF to scan all your data and don't wanna deal with their upload limit pangolin or diy it with wireguard and a reverse proxy on a vps
Is it the paid service?
CF tunnel is free
A vps (virtual private server) will cost you <5$/month
Although there is also a paid version of cf tunnel
I'm currently a happy user of pangolin
its a really nice reverse proxy, but I'd recommend using it on a vps since the free non selfhosted version costs from 20gb traffic
I always forget there is a fully hosted version of Pangolin
i'm guessing you've come across it, but tailscale is one of the simplest ways to get remote access with not much fuss if it's just you using it, due to the inherent nature of a vpn that doesn't expose stuff on the public internet. however, the other suggestions like cf tunnels are good for sharing with loads of people.
there is 5k messages and i can't read them all , is there a good message discussion in here that we can pin or a video i can watch and copy paste to my pc
im mainly planning to use the option 1
Option 1?
There is not a single message/video it depends on what you need and what your options are
Ah, remote access. Yeah if you don't need to expose that is the safest option.
there's also ngrok/localtunnel but you have to pay there to have a custom domain
and they have no bot protection like Cloudflare offers
i also very much enjoyed twingate
but currently I'm all in with pangolin, even for my gameservers with Proxy Protocol
People who use Caddy and defined protocols h1 / h2c / h3 in Caddyfile
Have you noticed a change in speed for the better?
I actually set it up, and noticed a really good speed change
I wonder if this is something worth adding to the documentation under reverse proxy
But I want to know if other people have noticed this
Edit:
See here:
#off-topic message
Is it immich that's untested? Or is the feature development too fast for the security testing to catch up?
immich itself is not designed to be exposed to the internet directly. It uses http only. If using a reverse proxy that is properly configured, the risk is the same as any other self-hosted application, in my opinion
I don’t understand the risks, nor the mitigations. Are there any guides for setting it up for the interwebs? That’s how I’d like to use it ultimately
Right now I have a reverse proxy behind a firewall with port forwarding
And of course no super valuable data, yet
the immich-specific examples can be found at the reverse proxy link in the docs. However, exposing an application to the internet is very different than creating an application to manage your photos. That is why there are purpose-built reverse proxies, as that's a task all its own.
That message was from 2023. Immich is safe to expose behind a reverse proxy assuming otherwise good security posture
Phew, I didn’t catch that, and got worried. I did follow the Reverse proxy guidelines from the docs, and some other guides for hardening security
I don't use Caddy but if h3 is working with immich, it should improve especially speeds on reliable remote connections as it uses udp/quic
The app doesn’t use h3 🙁 or even h2 I believe..
then I wouldn't know how that snippet would improve immich speed
For me it was a performance improvement for all clients, not necessarily the app. See here:
#off-topic message
I would've thought that the immich app supports the use of quic...
each version could show a step-up in speed (i have seen cases where this is not the case but in general I guess this is true)
if immich itself does not do http3 with the proxy, just the proxy using it to the client should improve speed already (even more so if the backend supports it as well)
at least with the browser it should work and should be noticeable especially on outside connections
short:
if you notice an improvement, it likely works 😄
Does anyone know if there exists a similar project like this for Immich: https://github.com/coreruleset/nextcloud-rule-exclusions-plugin
First time I heard of CRS. Is it some kind of application specific WAF?
I haven't been able to implement OWASP into my reverse proxy because I haven't found a suitable way to get modsec running with nginx...
@glossy jasper where do you run this on even? a WAF or via modsec?
afaik modsec works with apache but it's a lot more difficult for nginx the last time i checked
if anyone has this running for nginx... please let me know, would love to implement OWASP CRS in my deployment 😄
@zinc merlin I'm running a Ubuntu server with LXD containers, where the reverse proxy container runs a Docker container with Caddy and Coraza. Haven't regretted a second after making the switch from nginx to caddy. See this repo: https://github.com/corazawaf/coraza-caddy The reverse proxy container uses Coraza with the Nextcloud rule exclusion plugin when relaying traffic to the Nextcloud container. Would love to see a similar Immich rule exclusion plugin 🤞
@wild lynx It's a generic WAF that you can tweak according to the application you're hosting. You'll want to exclude different rules for different apps. It works at the reverse proxy level in your stack.
ngl "rule exclusion" sounds super reverse of what I'd expect with what it's doing 😄
okay so a ruleset for some compatible WAF you are running. wonder how it compares to crowdsec (someone did create immich rules for crowdsec afaik)
crowdsec is "basic", it analyzes logs and based on rules, considers some entries malicious and shares that with others... iirc if many share the same IP upwards, others get that included in a shared list to use for e.g. blocking these entirely
modsec basically is a waf, OWASP is a great ruleset for it to block known common attacks (not IP based but content based, layer 7)
not a fan of Caddy, I like nginx... i just read that v3 is supposed to work with nginx, so maybe I'll take a look some other time
not a fan of Caddy
may the light one day shine upon your web server
it is doing great with nginx 😄
I prefer Nginx because it generally offers better performance and lower memory usage. It has also been used in production for a much longer time, which means that when you run into issues or look for configurations and explanations, it’s usually easier to find answers for Nginx.
Caddy is definitely easier to configure at the beginning but certain edge cases or fine-tuning scenarios can become difficult. For quick and simple setups it’s a good choice from what I have heard.
The main reason I wouldn’t switch to Caddy, even if I thought it was technically better, is familiarity. I’ve done so much with Nginx over the years that I know my way around it. Switching to another product would mean going through that learning curve again, which is also why I understand why people tend to stick with their preferred tools as long as they work well enough for what they need.
I should correct the "not a fan of Caddy" though...
I do not mean to say it is a bad product, I simply prefer Nginx over it.
fair enough 😄
as someone without a professional background, nginx has always been some sort of "black box" where 4 different install scripts had modified it for different services, and it kinda sorta worked-ish, although I think that when I was using it I had somehow borked it enough to where it looped back on itself at least 2 times before actually proxying the request
it was one of those things you set up at 3am in a rage of productivity, then wake up the next day and have no idea what to touch, what headers to manually add, what to customize for each service...
Then I jumped ship to NPM, then NPM-plus because it's just better than regular NPM in every single way with no downsides, but still found myself needing to tweak the advanced config to set up stuff like geoblocking, WAF, etc etc, which not only defeated the entire point, but sometimes broke all the forward headers
So one day I just stopped the npm-plus container and set up caddy, and haven't looked back since.
Easy config file even for someone with limited programming knowledge, automatic forward headers for everything, (mostly) good documentation, and easy integration of external plugins for WAF, geoblocking, OIDC forward auth, and the like.
You are completely right on your points tho, one thing I really miss is the advanced customization of nginx, with caddy there's some (imho) dumb restrictions on if something needs to be global or site-wide (looking at you, automatic https redirect, why do you need to be a global toggle and not site-wide, whyyyy), but the advantages in my case far outweigh anything bad I can ever say about it
completely understand! 🙂
i've heard from most who use caddy that the main reason is the initial ease of use, seems to be its strength
and for such use-cases, I dont think a performance difference is noticeable much with a low load
Which plugins do you use for caddy?
https://github.com/porech/caddy-maxmind-geolocation
for geoblocking
and my own fork of https://github.com/AlphaByte02/caddy-badbot-blocker , which is itself a fork of nginx-ultimate-bot-blocker (my fork blocks the bots that the original repo considers "good", like Google AdBot, adds some additional ip blocklists, and auto refreshes them every 24 hours, if you wanna check it out it's literally the only fork of that repo 😅 )
I was thinking of adding https://github.com/corazawaf/coraza as a WAF but I've seen it breaks plenty of stuff that needs manual whitelisting and it's exam season so I don't have much time on hand
yup, 100% correct
in my case, the slight performance tradeoff is worth it, but it's really minimal anyways
for example, traefik is like 2x worse
some day in the distant future I'll try to set up cloudflare's pingora reverse proxy, they claim it uses 70% less CPU and 67% less memory than nginx with the same traffic load.... unfortunately it's not really used by the self hosting community so there's no support and no external plugins/guides
Funny, last time I saw a comparison caddy was noticeably behind everyone including traefik
One of the reasons I never used it
Looking at the pingora repo it’s easy to see why adoption seems lacking. If you need to code and compile the routing yourself it’s not as simple as throwing a small config file into a proxy 😄
That’s just latency on low loads… good for home use.
The difference would likely look worse when they are under high loads with lots of requests
but when do 3ms matter in a real world use case for a software like immich that's not meant to be deployed in such scales where it would matter
Pangolin uses Traefik and it seems to work well so far (and includes easy way of installing crowdsec and geoblock), you are not a fan of it I take?
I personally don’t get all the love for pangolin, but I guess it’s fine. It’s a lot better than CF tunnel
yes, it wouldn't matter in most immich deployments
what matters more is a solid config in whichever proxy you decide to use
I simply don't know it... haven't tried it
I like to stick with what I know and works well...
If I started out with e.g. Caddy and am able to configure everything I want and need with it and had no knowledge about nginx... I also would not switch to nginx
and i love to replace Twingate and cf with one stack
I guess. I mean you can just use WireGuard and any reverse proxy. Nginx, traefik, caddy
Just run the WG server and proxy on the VPS and connect your home by WG to the proxy
but that's two things to manage
Sure, but you’re not locked into a relatively new project that already seems to be pretty aggressively monetizing
pangolin is one thing and auth for my proxy is nice
It’s also extremely basic networking knowledge that’s probably good to learn
they still have the non ee version, and that's foss and even if they would discontinue, who would stop someone from forking it
i already have that, been using other proxies for years
the fact that me and Zeus dislike CF (I assume we have similar reasons) is mainly because it decrypts your traffic
they need to, the way their service works but I still don't like them having cleartext access (not just pictures but passwords, tokens, etc.)
with it being a U.S. based company, we would never know if they gathered info that way
well, if they turn "evil" we can always change I guess, get our traefik config and install some wireguard stuff
if they do, you might never know...
as long as you know of the possibility...
i might just be too paranoid 🙂
ah yes, for cloudflare yes, was more thinking about Pangolin, being open source and with standard encryption I hope it is less of a concern
if it all runs on your equipment, yes
but again, my opinion is a bit paranoid
you would have the same issues elsewhere... e.g. if you use microsoft Entra / Azure AD you would also have your credentials somewhere else (I think, haven't actually checked if they implemented anything to NOT have access to it).
Have you ever looked into keeping the pangolin stack up to date? That's like 5 things to manage 🙈
one compose
I only like it for its UI, I could do my setup by hand but UIs are nice to look at
Not only
You also need to update the traefik plugin for example
I can put a VPN and proxy into one compose as well.
i have it basic and some other stuff is on the backends
Whatever basic means, just wanted to point out pangolin is actually more to manage than one might think 🙂
I actually did my first update now
not sure if just putting latest in the images would work (on the traefik config would it?), anyways, everything has breaking changes that need to be reviewed from time to time I guess? pretty new to this world to be honest
Yeah their release notes list the 5 versions that they recommend to run together.
But most of the time it runs well with only updating pangolin itself and then updating the rest at some other time
I just saw they finally have their mobile apps out
btw, this triggered myself to check, they have released a pangolin app on ios for private services, I think this looks pretty much like tailscale, I will check it out
They had the desktop version two releases or so ago. It's nice, works well
maybe I can uninstall tailscale then, is this theoretically any safer or just same stuff, different wireguard implementation? I guess this is still technically on topic as it is a way to expose immich to local devices 🙂
Both use a wireguard tunnel in the end. With pangolin it's just self hosted so one party less to trust
its ztna so its more like twingate than tailscale
Isn't that what tailscale is about?
no, you can't restrict on ports/services
But you can 🤔 (https://tailscale.com/kb/1018/acls#availability-by-plan)
Latest Pangolin fixed port restrictions (didn't work before on my setup) so I guess it's finally usable (officially out of beta as well)
just set it up for immich and seems to work, nice
I am not a fan of anything "self hosted" that uses a centralized console
just look at crowdsec, started all "open source" "free" and then once it had enough userbase it hard pivoted to company use and put a shitton of features behind a paywall
Pangolin has already started having a business plan that costs money and while they don't lock up features for now I am not trusting them
if I need a GUI, NPM-plus has the same functionality, runs on the faster nginx, and has built in support for all the bells and whistles of pangolin, you just need to uncomment what you need in the compose (geoblocking, access log GUI, crowdsec, QUIC, openappsec, Anubis, etc etc)
As for the vpn, remember the Unix philosophy, one service for one thing
Having a dedicated wireguard service gets you updates and critical security fixes faster, not to mention better customization
I just run wg-easy to have a nice GUI to configure everything, zero maintenance, just works, usually withstands watchtower updates without a problem
it even has amnezia-wg support for when I'm at my dorm and they have a DPI firewall to block normal wireguard
holy text wall 🥀
tbf, Pangolin is a collection of individual services that can be updated individually
And while you can still run it without the centralized management console, I get what you mean. No one knows which features get paywalls in the future
wg-easy had the biggest breaking change I had in a long time, they basically said start from scratch you can’t just update this.
yea fair enough v15 did require me to reinstall it 😅
still, running the vpn separately gives you the option to choose whatever you want
tailscale? go ahead
wg-easy? right over here
OpenVPN since you're a masochist? that too
(although you'll never catch me using tailscale for the same reason as pangolin and crowdsec, fuck central consoles)
I saw discussion on Pangolin, does anybody know why authentication breaks /public/*? Are there other paths I need to bypass?
You need to bypass /api, which contains all the important routes, so there is no real way to do path based auth for immich unless you use an outside tool like immich public proxy
it is now 2:08 AM and i have just discovered RFC 9460
this is amazing
you can specify the preferred http protocols for clients to use when connecting to your website in an HTTPS type dns record
so from the first connection clients can instantly use h3 / quic
😁
$ dig +short @1.1.1.1 HTTPS immich.domain.tld
1 . alpn="h3,h2" ipv4hint=1.2.3.4
yea i just discovered it
so cool :)
ipv4 hint is also cool if i didn't have a residential dynamic ip
you can easily set it whenever you update the A record
and i don't think the auto updater i have supports https records
?
# Build the JSON body for the HTTPS record with jq.
# $CfName, $Ip, the datex helper and the Auth array are the poster's own variables/helpers.
DataHttps=$(jq -n \
  --arg name "$CfName" \
  --arg ip "$Ip" \
  --arg comment "$(datex now)" \
  '{
    type: "HTTPS",
    name: $name,
    ttl: 60,
    comment: $comment,
    data: {
      value: ("alpn=\"h3,h2\" ipv4hint=\"" + $ip + "\""),
      priority: 1,
      target: "."
    }
  }')
# Update the existing record via the Cloudflare API (Auth holds the header arguments)
curl -d "$DataHttps" -X PATCH "${Auth[@]}" <CFURL>
i dont use cloudflare
ah, I am sure most DNS providers support it
and i think ovh has shit APIs in regard to that
but their .ovh domains are soooo cheap that i'm willing to put up with it lmao
uhh one day.. maybe... for now, A record for the ip + https record is already way too good to be true.. why have i never heard of this...
makes me wonder what other stuff i've missed
just checked with wireshark and it's basically a poor man's ECH if the client supports quic... this is amazing.....
wait, it bypasses SNI?
so if your browser uses dns over https, fetches the HTTPS dns record, and connects with quic from the very first connection..
it never gets leaked
nevermind i take all of that back it turns out i was lied to by wireshark
the sni is there it just doesn't show in the info column
for those using immich public proxy - where are you running it? in a VPS? inside your home lab in a separate VM than immich? trying to think about the best way to set it up
right now i use tailscale for my own personal access to the mobile app but id like to be able to create share links for external sharing
I'm using pangolin with Immich it's easy as fuck and has no Problems
I don't run immich public proxy, but if I would: I prefer running depending services side by side unless there is a reason. I would just put them in the same docker stack but a VM would also be fine.
I am running Immich in a Proxmox LXC, Access by a Cloudflare Tunnel.
I run it in a docker lxc, use cloudflared (though should probably move it to Pangolin now that it is setup)
Tbh I have not used it even once other than for testing, share the photos through WhatsApp if needed 😳
I have my main Immich containers in a Proxmox VM with Docker, was wondering if I just throw public proxy in there and hook up Cloudflare Tunnel to just the proxy
I am using Cloudflared (LXC) to create the tunnel to Cloudflare and route the traffic to the internal IP address. So if your Docker gets a unique IP, that should work as well.
yeah i just got it working. immich-public-proxy container and cloudflared container in the same docker compose as immich. on the cloudflare web portal, configured the tunnel to point to immich-public-proxy only. working great
i think moving to an LXC approach would be ideal but i was scared off of doing it with Immich
I just use immich and nginx in two different compose stacks.
Is the Immich-public-proxy needed due to the Docker Container? I am curious as I don't need that in the LXC Setup.
its an LXC add-on
if you use helper scripts
Yeah, but why do you use it and not forward the Traffic directly by Cloudflared? You can forward there by the .env settings.
so i want to gate the rest of immich behind tailscale and only expose the /share path that IPP exposes
basically, keep the main app behind tailscale for the family, but when we want to share photos with others, let cloudflared tunnel in for that
Ah, understood, thanks.
also using pangolin on a oracle cloud free vps ( use pay as you go mode so it won't get disposed, still no costs) and immich lives on unraid at home. also crowdsec as fail2ban replacement and not using tailscale as i use adguard on android which already uses the only vpn slot that there is and family also uses adguard on mobile
i have considered doing something like that because the handoff from local wifi to tailscale when leaving the house can cause some issues in the app
I'm using immich behind nginx as reverse proxy. Does anyone think this is too risky?
Also is there any pro or cons to put immich server on a DMZ in my local network?
I bet you over 25% of our users use nginx
i use caddy but same principle
Over port forwarding there is a high attack surface
Especially if firewall on the server is misconfigured.
Good point! I think I didn't finish this step 😰 .
Forwarding a single port is usually not a problem. Of course it's always better to add some more security on top of the service but not an absolute requirement.
For the DMZ: Isolating public services from the rest of the network is generally a good thing, if it's necessary for you is another question.
Hi, I've just written about exposing Immich to the internet on my blog post.
I use Tailscale funnel function for it. and additionally I set Oauth2 with google authentication to block malicious access. How's that?
My blog is in Japanese, but you can translate it to your language, if you use translation function of the browser.
My Japanese is still too basic for this, but going by the automatic translation it looks good. I like that you give some info in the end about debugging in case of issues! A lot of articles don't mention anything in that regard.
Personally I don't like handing authentication to Google, but it still is better than hoping no one gets through your password.
I am using a locally hosted Authentik instance for SSO / OpenID with an exposed Immich instance, works well and I prefer that also over Google.
call me crazy, but i don't get the craze over SSO.
64 character password randomly made by a password manager and that's it
MFA and convenience mostly
SSO is more for comfort
However long your password is, it's still a single factor
Why would you not like SSO
Hey all, unsure if my usecase has been discussed before, but couldn't find it via the search feature.
I'm on unraid and want to expose Immich through Pangolin reverse proxy.
By using a sharable link and using the additional headers, I'm able to easily connect the mobile app to my external domain, but backing up photos results in an error.
Next to that, I also can not see any of the actual images on my server, even though the app connects and logs in correctly.
My debug attempts seem to fail me, since increasing timeout and idle limits in Pangolin/ Traefik didn't seem to work, which was my guess at what is going wrong
No logs in the app?
didn't check in android debugger and unsure if there are logs in the app itself
Rebuilding network stack now, so all good, will report back if issue persists
There are logs in the app
connection closed while receiving data, so connection gets terminated for some reason
And a bunch of 400 status codes, so clearly pangolin/ traefik messing things up. There is also never any issues locally, so time to fix the network
is there an auth page?
how is that auth setup?
if it's a reverse proxy sided auth
this means
client -> rp -> auth -> immich
this would imply all client must authenticate to reverse proxy before any request can reach immich
and i dont think the apps would be able to do that
the difference is in
client -> rp -> immich
client -> rp -> auth (for sso)
auth is bypassed, and only require when signing in (immich enforces this, instead of the reverse proxy)
(this is assuming, you can connect to immich in your browser, but not the app)
The apps do not support authentication via proxies.
The additional headers are in experimental state, could be some issue there
I use nginx+Netbird as a VPN tunnel. After everything is set up within Netbird, you must add a DNS entry in nginx immich config file, with either your own resolver or Google, cloudflare one. Obviously that assumes one has a domain tied to the server
I'll have to check how to activate an SSO solution or at least a 2-step verification. Is Authentik difficult to configure?
It could definitely be easier (especially for small home use setups) but it's also not the end of the world.
my bad, didn't see this sooner...
It was set up with pangolin sso and auth bypass via headers
on browser I can complete the sso flow of course, and added the headers in the experimental feature. Worked great for login, but after auth stuff seemed to break.
That's why I decided to rebuild and see what happens
Authentik is worth the effort, I am using it in general as my OpenID provider and I reconfigured the auth flow to use Passkeys instead of passwords, which is really cool. No old fashioned password prompts anymore.
I went with Pocket ID and so far so good
you pay to be able to upload files larger than 100 MB? because cloudflare blocks requests if files are too large in the free tier.
I was using tailscale it worked fine but it was annoying not being able to "share" content with a link, or share albums with people that don't have tailscale.
yeah I was using tailscale and that was annoying me. also not being able to look at my photos on a device that's not on tailscale. I just ended up proxying it out to the internet and taking the risk. been fine so far
haproxy.
I'm not. Since I only have users in my house, it just gets uploaded when getting home on the network. Honestly I haven't looked at the details of what happens in that instance, but that's what seems to happen at least
you've set the option to only backup over lan with your local ip? not using your url? ah.
I might give tunnels another shot but with the new zero trust security page they released I got a bit lost on how to configure everything, I'll check that out tomorrow. I have reinstalled the app tho
No I don't have it local only. I'm not sure how often it comes up going over the 100 MB while not at home, but it seems to figure it out once we get home
And actually I have DNS setup on my local network for my homelab URLs. Set it up before Immich had the option for separate IP on local network, but I like the seamless setup anyway
Not that that matters in this problem, but you mentioned "not using the URL" so thought I'd mention it
can I use anubis as a traefik middleware for the immich app
afaik Anubis will intercept all traffic initially which will break the app
why does it break the app?
I intercept all my immich traffic
It shows a challenge that needs to be solved by the browser. I doubt the immich app executes JavaScript on the api
ahh, I thought it's simple decryption 😄
yea, a challenge would break the app if that challenge cannot be deactivated
it sometimes worked for me, but only after I solved the challenge in a web browser, then it worked in the app but just some apis
doesnt sound very practical
sorry I don't know Anubis and just assumed it's just a WAF that decrypts traffic...
if it displays challenges or authentication, that would break the app functionality
you can whitelist the api from anubis while still having the webpage under challenge requirement, for what that's worth
anubis has policy configuration which can let immich through
https://anubis.techaro.lol/docs/admin/policies/
Out of the box, Anubis is pretty heavy-handed. It will aggressively challenge everything that might be a browser (usually indicated by having Mozilla in its user agent). However, some bots are smart enough to get past the challenge. Some things that look like bots may actually be fine (IE: RSS readers). Some resources need to be visible no matte...
I've set up pangolin vpn and placed immich into private resources alongside other docker containers... so far I figured it isn't working well with authentik since you need separate accounts for vpn and openid (vpn doesn't accept users from external providers)
The thing about these exceptions is that it mostly comes down to allowlisting /api/* which basically renders all protections useless
^^ this part is important to note
stuff out of /api/ is just the UI, protecting FE has no use here
everything is operated via the API
so if you bypass the API then you are better off not having anubis at all
the common escape hatch I've seen is a secret header to skip checks for apps
some users use this to skip auth proxy checks (by protecting /api/ to require auth)
this same approach can be done for anubis, it isn't ideal but might beat nothing in some users' view
yea
doesn't anubis provide some IPS functionality if it already decrypts?
that wouldnt be bad either 🙂
and yet..
^
(Finn is correct.)
Hi folks. I'm searching and googling what I can but am fairly green. If I'm willing to pay maybe $20 a year (I don't know for what), what would be best practice for remote access for myself and one other user? Goal is closest to the Google Photos experience where I can share albums with people who have no immich access, and perhaps they can upload pictures to that folder.
Again, sorry, I'm new. I hope I can learn enough so I know what to Google. I'm not familiar with the Internet side but have experience with following GitHub tutorials and YouTube videos lol
(a bit off topic but how do I purposely cause a corruption so I can test my backup / restore process)
what you're looking for is a reverse proxy. You can make your own at home if your router / internet service provider supports it. Otherwise you'd set up a VPS and a VPN to connect your server to the VPS. The VPS would be your reverse proxy.
I have a complete unifi network, which I'm told is prosumer. So I just have to learn how to setup a reverse proxy with that equipment and more or less I'm on the right track? No other "services" needed?
Assuming my provider doesn't allow it, are there preferences for Cloudflare/tailscale/??? if I'm willing to pay for a better experience?
as long as your isp supports it, yea
Thank you. Well that didn't take long. Cox doesn't allow reverse proxy for residential lol.
That's unfortunate. blocking port 80 on inbound connections kinda sucks.
I think a VPS will likely be easiest for you. There are many options out there - with quite a few name brand hosting services. I'd assume your cost for something like this would be approx $5/month
you don't really need port 80. port 443 is fine
I'm happy with $5/month. I know there's free ways to do this but I'm assuming there's fewer restrictions on paid versions. I think I'll go with Cloudflare since there's plenty of guides. Thank you
I'm thinking of exposing Immich through a reverse proxy on a VPS with authentik in front of Immich and removing password login.
Have you had issues with your authentik setup? What happens if authentik container stops working? Will Immich just not log in?
I'm looking into best practice for remote access. I want to be able to send a link to my grandma, and she can access/upload her own photos to the album.
I imagine cloudflare is the answer with a domain name? I cannot open port 80 for a reverse proxy.
I would like to use tailscale because it's simple, but as I understand it, I have to download it onto the phone of anyone who wants to view a shared album link.
Yes
What's the difference with cloudflare here?
from what I read, with Cloudflare + domain name I just send my grandma a link and she can upload and view without needing any setup on her phone.
I thought tailscale required the vpn to be on her phone.
You specifically need a tunnel for that https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/
This is a vpn but it runs on cloudflare's servers so the other users don't need to install things
awesome, so cloudflare is the way to go for that. thank you.
The Authentik/Immich integration was really straightforward, I didn't find major obstacles and the implementation has good documentation in the Immich docs.
By my understanding, as long as your login token is still valid, you can use Immich also if Authentik is down. Only a fresh login would not be possible.
I'm a bit worried exposing it publicly but I've also done everything in my power to secure it as much as possible. Will see how I move forward. Thank you for your reply.
Basically, using an OIDC provider lowers the risk, as there is only one attack point (Authentik) remaining for potential intruders (in case you are using it for different apps). Using passwordless options in Authentik lowers the risk even further (Passkeys / FIDO2 key sticks)
You could also use Cloudflare Access to create an OTP by mail for allowed mail addresses, before a user even sees the login screen of Immich / Authentik. That's how I am securing critical pages, which are basically also exposed to the net.
Currently using Pangolin through a VPS. I can add another layer SSO with it but it might make the app not work?
Will have a look. Cheers
With Cloudflare you can create a Service Authentication policy, where the matching ID/Secret is read from the HTTP header. As far as I could see, the Immich app also supports custom HTTP headers (as a beta feature). If Pangolin supports such a policy as well, it should also work. Keep me updated, I'm always thinking about moving from Cloudflare to Pangolin. 😀
just remember that your grandma will not be able to send videos to your server, she will be able to watch them however (cloudflare has a 100 MB upload limit)
gotcha, I assume that means she could upload plenty of pictures.
is there another service that wouldn't have an upload limit? Because I imagine that means I can't back up videos remotely.
Guys, I want to expose immich to the internet so I can temporarily create a shared album and share it with a QR code so guests at a party can share the pictures they took.. what is the best approach for this? Currently immich is running locally on my proxmox server and I'm reaching it externally through wireguard
Buy a domain, use a reverse proxy like NPM, Caddy
there is a paid plan from cloudflare and you can also just run your own reverse proxy, or if your ISP won't let you, you can use a VPS to tunnel to and install a reverse proxy on (with cloudflare and VPS, keep in mind that the traffic exists in an unencrypted form there)
I think there is a way to use duckdns with let's encrypt as well? haven't done it because domains are cheap anyways, but might be an option to look into
I don’t see a reason why it would not work with duckdns 😄 Having a valid DNS entry is basically the only requirement for let’s encrypt
thanks haha I'm trying my best. I ended up with a domain name but haven't been able to figure out tunneling with Cloudflare. More research needed.
if your ISP supports it, look into reverse proxy
they do not unfortunately.
yes, it works with duckdns as well...
thought I heard they frequently have dns problems and your site will be unavailable while they do...
I never experienced issues when I was still using duckdns
I'm too new to have a preference
I'm limited to youtube tutorials, but hope that once I understand what these services do then I can move about and test.
can be fun but the initial steps can take some learning
all the best and enjoy the journey 🙂
for reference, the only people who use immich is my wife and I, but we'd like to be able to send shared albums to relatives to view and upload their own stuff without needing to do any changes on their phone.
I use Immich with my wife and son and plan to migrate my in-laws to it as well
We share with relatives all over the world and also with clubs/associations like when they had a music camp, I would share photos that way.
But Immich wasn't the first service I publicly exposed
I was using Immich on my local network only, for a while: I run proxmox with a pi-hole LXC as local DNS and setup Caddy LXC as a reverse proxy so that I'd use photos.home to access Immich.
This works fine but I wanted to expose Immich to the Interwebz. So I've set up photos.mydomain.nl to point to a small Hetzner VPS. On the VPS I run another Caddy reverse proxy and a frp server.
photos.mydomain.nl points to the VPS's Caddy, which forwards to the frps tunnel, which is connected to my local Proxmox frpc client, allowing access.
This gave me some trouble because the two Caddy instances were competing for SSL termination (INTERNAL_ERROR). Having my VPS Caddy handle TLS and forwarding plain HTTP through an (encrypted) frp tunnel solved that issue.
I still feel a bit uneasy exposing my local Proxmox LXC to the Web, but no open ports on my router and proper HTTPS so it's probably fine? 😬
For any open port (no matter if it's on the router or the VPS), it's generally fine. Many add additional filtering in front of their proxy. For me that's the Unifi IDS/IDP, which will block some threats. In the end no protection will save you from every kind of attack, but for home use you don't need to worry too much. imo having working backups is more important than squeezing the last bit out of a WAF.
I do have some Hetzner firewall rules, so there's that 😅
Last time I checked Hetzner did not have a WAF at all
allowing/blocking ports is another layer 🙂
But if you use a Cloudflare Tunnel, the HTTP request gets blocked when uploading files larger than 100MB, right?
I just ran a test off my wifi and yes it errors. It worked when getting back on wifi, but I'm not sure if it would have eventually done it on its own or not
I think having files that are >100MB is really rare for me, especially not at home, so I haven't really run into it
What are the benefits of using Immich Public Proxy over exposing the bare minimum endpoints to get public shares to work via a Caddy sidecar? The one major benefit of exposing endpoints is allowing guests to upload images. What are the cons of the minimal endpoint exposure?
I'm imagining a use case where one uses Tailscale to serve the full app privately to users on the VPN but then use a secondary Tailscale and Caddy sidecar for Immich-Shares (immich-shares.tail.ts.net/s/) which points to the real Immich on the same compose.yaml but only the necessary endpoints are exposed publicly.
Possible Caddyfile:
:8080 {
    # only the paths a public share needs are allowed through
    @allowed {
        path /s/* /share/* /_app/* /assets/* /api/assets* /api/shared-links/* /api/assets/* /api/upload/* /api/server/* /custom.css /appl*.png /favi*.png
    }
    handle @allowed {
        reverse_proxy immich-tailscale:2283
    }
    # everything else gets a 404
    handle {
        respond 404
    }
}
Thanks in advance
The main benefit is you don’t have to configure anything and actually protect your files. While you don’t allow the login endpoint, technically you still allow the api that can be used to get all your assets.
Also, since we don't provide a list of minimum api coverage, it will be a trial and error path you are going down.
technically you still allow the api that can be used to get all your assets.
Oh that's good to know. Is the recommendation to keep Immich behind a VPN at all times? I imagine there's some form of authentication going on so that people cannot just get your assets.
How does IPP work so that attackers cannot get all your assets? I imagine it's more than just the /s/ and /share/ endpoints being used by IPP
AFAIK IPP does not expose any API externally so you are safe from these kinds of attacks. Also to note, without the auth endpoint an attacker would need to get or guess your session token, which is very unlikely. I just wanted to point out it will not be a 100% protection. Our recommendation is: do it the way you feel safe. Personally I have my full Immich instance available publicly.
If I use immich public proxy and share an album with someone can they add photos as well or is it view only?
view only
unless it changed since the last time I looked at it. But the goal of the project is to provide minimal access for viewing a share.
So doing the Caddy config is going to be safe for most purposes, but there's a small but still existent chance that someone somewhere COULD do something, but it's not likely and less likely than if they had the auth endpoint?
Yes
We won't be able to assist with any errors you are getting on these restrictions, you'll be on your own then.
Sounds good. I think I got the Caddyfile and compose structure working. I just wanted to check security wise and have a better understanding before deploying the configuration
FYI Caddy v2.11.2 is out with 2 CVE fixes
[Pull Request] fix: handle client certificates (immich-app/native_video_player#13)
tysm
i should really get around to automating the caddy build when a new base image gets released
How can one do that?
Not sure if any of the popular docker management tools has it built in, but one option is just create a cronjob for it
How bad of a practice is it to leave the Tailscale funnel open to access Immich without needing to be connected to Tailscale all the time? I prefer using Proton VPN consistently.
many of us use a domain for immich soo.. about the same
not inherently bad, but it can lead to bad things if a very severe vulnerability in immich gets discovered by bad actors
(very unlikely)
though you could use OIDC to have another safeguard against attacks
I'm mainly worried about somebody somehow getting the URL and brute forcing in and deleting stuff
If someone really is interested into getting your data - yes it's the same risk as exposing it via other methods.
iirc tailscale funnels get a cert independently of each other, not as a wildcard, so yes, the url gets broadcasted for the whole world to see on Certificate Transparency logs
URL will be known to the world the second you request a cert.
The way I did it before I decided to go the Netbird way was to harden the server I was running immich on, and then use best practices from industry to configure the reverse proxy to minimise the attack surface. I am running a self-hosted vaultwarden on the same machine so I used the majority of its config to strengthen the immich side of things. But then I managed to configure Netbird, so the majority of that stuff is kinda pointless now 😁
Netbird user ⬆️
that's why you need backups...
yea, hardening is good... if you do a wildcard cert, they won't know the subdomain (it used to be best practice the other way around but with short-lived certs, wildcard certs are having a comeback)
netbird is like a vpn, so people without it won't be able to use immich though, right?
Netbird is a VPN but also offers a proxy to route public traffic into the network
Kind of what Pangolin is doing but their origin is reversed
And the netbird proxy is still early beta, I had some issues with it
Need to redo my security rules with the netbird proxy some day
mhh, I'd rather use a well established reverse proxy for that 😛
it's just internal so idc
I'd like to do backups, but I currently can't afford that much B2 storage per month
I'm using Caddy, even with the new Netbird proxy that they advertise as Traefik only. Requires some extra work though and breaks easily as such.
I use the following setup to access Immich from the internet (full access, e.g., mobile app with photo uploading and limited access to shared assets for others):
Cloudflare Proxy (rate limiting, bot blocking, etc.) -> Cloudflare Tunnel -> Reverse Proxy (on my host)
- For LAN access, I use a simple domain like immich.mydomain.com (this is resolved only locally by DNS rewrites, not exposed to Cloudflare connectors)
- For external access on mobile, I use a random phrase domain like abc123.mydomain.com (in the mobile app, you can select a secondary address to be used outside of your defined home network).
- For shared photos/albums, I use another domain like share.mydomain.com, which is then proxied to the Immich Public Proxy to cut off the admin panel on this domain.
I deployed also CrowdSec with a bouncer to the local reverse proxy as an additional shield (e.g., against known threats or to ban IPs for multiple wrong password attempts).
does your crowdsec behave well? Mine blocked myself out multiple times when scrolling the timeline fast enough
Yes, but I've whitelisted the LAN IP pool. In the beginning, I also struggled with fast scrolling on the timeline, but it was caused by CrowdSec requests (a few hundred per second) choking my host. I solved that by (if I remember correctly) increasing the timeout limit, decision buffer duration and some other settings which I forget 🙂
hmm
I solved it by removing that resource hog, rugpulled, configuration mess of a software that (imho) is crowdsec
as bad as naysayers will say it is, I'm just running with geoblocking & ip blacklists
and yes, blah blah blah enumerating badness, blah blah blah.... I get less than 100 requests/week that get past the filters and aren't me
Well, then I hope you can afford to lose your data… I would search for a solution like local backups on remote devices
CrowdSec does add some additional security but I also think there are ways to get similar results with much less effort. rate limiting is available on reverse proxies as well and good blocklists are available also…
Most helpful is usually a “simple” hardening
Some proxies also have modsec support, can use OWASP there
I recently started doing backups to backblaze B2 using backrest for incremental backups
I don't have much data but I do want to keep it safe, I guess they just charge by what I use which isn't much to pay for
I am glad I didn't go all in on hetzner storage boxes, they are cheaper by bulk I think
I am saying this if you are under the assumption you need to pay for at least a whole TB every month
hey,
is there a single message around here that I can read and refer through for securely exposing immich to the internet?
the issue I would like to highlight which I'm facing right now is,
I have cloudflare tunnel configured and working, but stuck with the 100 MB upload limit
And I have my debian no-gui remote home server access right now (I'm in college) and I'm unable to access and do port forwarding while going for a reverse proxy
No, this is a lot more complex than a single message.
where can I find a curated article resource then?
Why are you unable to do port forwarding?
If you don't have remote access to your router I guess you have to wait until you have a chance to get to your router.
We can't provide a single article for setups like this because there is not a single solution for the whole thing. And everyone has different needs
Or use tailscale funnel
I did actually
True, if there is already a connection to the home server it could be extended
but the new issue is, my wifi just shows ipv6 wan and not ipv4
I get that, like my router not showing IPv4 now
So you were just not precise enough in your original message 😅
As Finn said, it's basically impossible to tell you what you need to do since it's highly dependent on your setup. Even more so if you don't tell us exactly what's going on
no I mean previously i wasn't able to access but I figured out why
now the WAN IPv4 isn't there, I enabled port forwarding but I'm getting -
Connection timed out Error code 522
What I'm able to see is I used the IPv4 that ipinfo gave me in DNS in cloudflare, but now as there is just an IPv6 WAN in my router, I'm not able to access the domain
Your router needs its own public IPv4 for simple port forwarding to work. If your ISP does not provide you your own address, you'll need another server acting as a proxy into your network.
Or if it's an option you could go IPv6 only. But that depends on who is connecting to you
Yeh I guess my router uses CGNAT
routerISP
yeh ISP
is there a solution to it? or do I have to stick with tunnel only?
I have come so far by now
In that case you could either proxy the traffic through a self-hosted VPS that has a public v4 address, or use a service such as tailscale funnel
tailscale funnel has its own limitations and a VPS would be something that I would have to pay for additionally which I can't rn
There are some free VPSs out there (most commonly oracle), and plenty that cost like $1 or $2/month. FWIW you generally don't self-host to save money though 😅
What limitations are you running into with funnel?
the speed limit,
unable to share with other people,
etc
unable to share with other people,
Huh?
yeh I agree, but I'm just learning yet
You should be able to share when using funnel
Tbc, we're talking about a specific tailscale feature, right? https://tailscale.com/docs/features/tailscale-funnel
yeh but only 3 people can connect
Where does it say that?
Never heard about such a limitation
I mean the user that can be added to the machine
You can only have x free seats in your tailscale org or whatever they call it, yes
That's unrelated to funnel though
For funnel your users don't need to be connected to your VPN mesh in the first place
They don't even need the tailscale app
Tailscale VPN is required on client side each time?
No.
No
Could you read through the page I linked you?
sure
And/or watch the video at the top of that page
internet without your own IP, that's unimaginable to me :[
I mean do the ISPs there not even offer that or is that just a cheaper option/ISP?
some ISPs either don't provide the option at all, or you have to beg on all fours to get a full stack ip, and it depends on the service worker you get connected to
for a company here, you need to choose the "net neutrality" package and use your own router to even be eligible to ask for a full stack ip
is it a good idea to go for oracle free tier VPS while exposing immich to internet?
That's up to you. I'm using oracles offering myself
Oracle will only provide the infrastructure, you'll need to manage the setup by yourself
Also be ready for the VPS to disappear without warning. I've been using it for years without issue though
I want to set up traefik as a reverse proxy and from what I’ve seen there are two ways to configure routing: Via docker labels or via a central configuration file.
I don’t plan to do a very complicated setup, I want to route my services via https (via let’s encrypt for certificates) and add a few middlewares like authelia and maybe crowdsec. Later on I’ll probably hardwall immich with authelia and add mtls for the app.
From what I’ve seen everything can be done both via the configuration file and docker labels but especially mTLS is easier to set up via a configuration file.
What do you recommend, docker labels or central configuration file?
My preference is a file as I like to see the config in one place instead of being spread around on each container
I have finally done the setup with VPS
Pangolin was reallyyy greatt help!
if you use docker labels in docker compose
I suppose the configs are now bound together
everything about this container is setup here in this docker file or something
(wait that was very old, i did not see the date before replying )
I often think about yesterday being very old, until I remember the endless passing of time where each day ends after just 24 hours when in reality I need 36 hours a day ...
Jokes aside, yes compose files kind of put it into a place, but if you do it right you have many compose files and then the config is spread around again. In the end it depends on if you prefer the service config close to the service or the proxy config close to the proxy 😛
I see your point but I agree with Finn tbh and rather have all the traefik config in one place.
Also I think mTLS for the immich app is easier to configure that way (i.e. I didn’t find any example how to do that with docker labels xd)
yep I don't think there's a wrong way per se, just whatever is most convenient to you who will be managing it
I use caddy so it's not like I got a choice, but I actually prefer having an overview of all my ingress, good to be mindful and have a singular view of it all
I do have a lot of docker compose files for all my different services, and I do enjoy it that way for the ops side
my friends who use traefik though like the labels because everything is close to the container, even though that wasn't my thing
personally it feels like a bit of a hack to define rules that way (you will have to treat everything as a KV), I'd rather have a nice DSL like caddy config
I use HaProxy as the external proxy and then reencrypt and send to Traefik internally
It’s not perfect, I would like 2FA
you can use OAuth for 2FA
Hello, looking for some advice. I use authentik and oidc and everything is peachy but I have to leave /api unauthenticated to use the android app. Are there any guides to using a custom header to authenticate the /api route? The only ones I'm finding are for cloudflare...
Just in case more context is needed: I have my own WAN IPv4, traffic goes through caddy with fail2ban and forwarded on to authentik. I have a forward auth app in authentik and another oidc app which together give me OIDC-only login (password disabled, oidc redirect on auto). On desktop this lets me through perfectly. The forward auth app lists the /api route as unauthenticated so the android app can do its thing. I'm looking for any guides that would help me compare the custom header against a custom user or group attribute for traffic going to /api from the WAN (the containers are in their own docker network with only the main app container exposed to the same network as caddy)
ideally you wouldn't even need forward auth when using oidc login
but you can always do some trickery in caddy to have the /api endpoint still behind forward auth for everything except the immich app's custom header
Yes, that might work... If I check the custom header first but in caddy instead of authentik and pipe everything else as normal... Thanks, I'll try that
I took the liberty of throwing together an example, sorry for the formatting but I'm on mobile
# site address is a placeholder (assumed), replace with your own domain
immich.example.com {
    # API requests carrying the app's pre-shared header (both conditions must match)
    @api_with_header {
        header mycustomheader hello
        path /api*
    }
    # requests with the header go straight to Immich, skipping forward auth
    handle @api_with_header {
        reverse_proxy immich:2283
    }
    # everything else must pass the auth proxy first; forward_auth sits inside
    # its own handle block because Caddy orders forward_auth before handle,
    # so a top-level forward_auth would apply to the header requests too
    handle {
        # target and uri as posted; adjust to your auth proxy's verify endpoint
        forward_auth authentik:9091 {
            uri /auth/validate
        }
        reverse_proxy immich:2283
    }
}
I don't use authentik so maybe you need to add copy_headers or something else to the forward auth
but you should already have that set up from before
Yes, header forwarding is set up, this is wonderful, thank you.
If your auth proxy supports custom headers you could also set it up there. Never done it with authentik as I skip auth proxies whenever possible so not sure if they support it. I'd be surprised if not though.
Oh it does, it's why I thought of doing it there first but couldn't find a guide, but caddy will probably work for my case
I use Sophos XG for my home firewall. I secure Immich behind a WAF (type of reverse-proxy) and use a Let's Encrypt certificate to secure the url.
You could use mtls with self signed certs i think
I've exposed my Immich server to the internet because my users aren't tech-savvy enough to use a VPN. I'm using Cloudflare with geo-restrictions (allowing only my country) and I've blocked bots and high-risk IPs.
For those with a similar setup, do you recommend adding extra rules based on specific URL paths?
do you know if your users will strictly be using the mobile app?
if you use header filters
it's a low tech way of creating a preshared secret key as a filter
I think IP filters are not ideal.... given what if I am traveling, or what about someone's compromised device (local botnets)
so I wouldn't give it a lot of weight and safety
if you trust your users to set secure passwords
it might not be the worst thing ever to just leave it exposed
personally I would at least set up SSO, and make sure that it requires strong password or passkey login
so the authentication process gets redirected to the SSO login
and the SSO login can enforce policies, and safety measures
- like enforcing strong password/passkey/2fa
- enforcing max login attempts
- captcha filtering of bots trying to brute force
etc etc
Cloudflare tunnel is great but the fact you cannot send over files bigger than 100MB is painful
It's an easy way to get started, but it has its drawbacks. When possible I'd always recommend hosting the public endpoint on your own.
I'm still somewhat a noob in this field
So doing this would be painful xD
But I guess at some point I will have to switch
Taking ownership of the storage with Immich is a good first step, second would be taking ownership of who can read your traffic. One thing at a time 🙂
Have a look at pangolin it’s rather flexible and pretty easy to set up i think (you’d need your own public vps which can be had for a few bucks per month or even for free with Oracle i think)
https://github.com/fosrl/pangolin
you mean this right?
so wait so i'd have to buy vps, setup pangolin there and direct it to my server at home? or am i getting this wrong
sorry for being stupid
lmao
You’d have to set it up on a vps and then install the client on your home server from what I understand
dont worry jajaj
Pangolin is a popular solution when you either can't or want to access your home network directly. It works similar to what Cloudflare is offering with their tunnels. Another self hosted option would be Netbird (I have this on my VPS).
I haven’t tried either yet although I plan to set up pangolin next week.
From what I’ve seen I like pangolin more because it feels more flexible
I had both running, they do the same nowadays. Pangolin started as a proxy and gained VPN features, Netbird started as a VPN and got proxy features. Pangolin was a little easier but they also push a bit more into their subscriptions. Like for geoblocking you basically had to manually add it to the traefik configuration and in the end it felt like I could have done everything by myself.
Well I plan to use it mostly as a vpn only so Im ok with that
or using both
since newt has quite the performance issues
i just use netbird as my backend for everything
and pangolin on my local servers
then another traefik on a public vps
which allows me to do direct access to my jellyfin and everything else locally
with my own ca locally and a wildcard cert for the vps
locally I just have a caddy with a simple config file
works like a charm, netbird allows me to allow my friends faster direct connections to my gameservers etc
What's the reasoning behind doing pangolin locally?
it enables me to switch to the next free vps if i run out of DigitalOcean credits
and having the same setup locally and remote makes it really easy
You live in a DigitalOcean datacenter?
i live on a crappy elitebook 850 g5
Your computer has good specs
Don't underestimate its power
More than enough for immich
I started my setup from a single n100 mini PC with 16gb ram
Had immich, nginx reverse proxy, Authentik etc
same, and i still think its overkill for my workload 😄
PQC so if anyone captures my traffic to try to decrypt my immich photos in 5 years, they wont have to look at them 😄
ok, Hybrid PQC but still PQC nonetheless 😄
Oh interesting, I should upgrade my proxy config 👀
which proxy are you using?
Caddy
ok yea, that should work
i just read, it should be enabled by default on newer Caddy versions
I saw that too, now I just need to check if my browser actually uses it. Seems like Firefox defaults to the non quantum curves
false alarm, looks like it works and I'm safe
They just decided to hide this in the developer tools
I see this, is this fine? what do I need to do to Caddy to use something better?
It's basically all you need
I use this pages modern preset whenever possible
https://ssl-config.mozilla.org/#server=caddy&version=2.8.4&config=modern&hsts&guideline=6.0
x25519mlkem768 is the one you are looking for with PQC
too many germans here 😄
seems it already takes it by default?
Caddy has very modern defaults, yeah
I think they allow TLS1.2 by default but the cipher and curves are all pretty good
that is PQC already, so you dont need to worry about your neighbor saving your traffic and then decrypting it in 5 years with the quantum computers he is hiding in the basement 😄
i think my downstairs neighbor (like 70+ yrs old) is running a server farm cause our floor feels like we have floor heating...
so i have to be wary of her capturing our traffic and decrypting it when she is 85 :[
either that or its because of her cactii farm 😇
yeees...
"cacti" farm
I am using nginx, how do I do this, I might already have encryption and setup but how do I check that
If you have HTTPS/TLS then you are encrypted. I posted a link a bit down where you can generate a modern configuration for your proxy
Doesn’t PQ key exchange use more data?
yes, only during initial exchange though...
nginx you need openssl 3.5 I think
check developer tools security section once you are connected to your site
otherwise try configuring it
guys, btw.... this is in no way necessary....
I just did this for fun, noone will need this to secure images...
this is just so that noone will capture your traffic and decrypt it once quantum computing is more readily available...
your neighbors are unlikely to have this and whatever bad actors would make use of it, would do this on more confidential data like trade secrets and state secrets
just dont want anyone to do this to "increase their security" and put in a lot of work.... if you do it for fun, all good 🙂
Someone said it was a bad idea to use Cloudflare tunnel to expose your Immich instance because Cloudflare can basically see all your photos, is that so? What are the alternatives? I won’t use Tailscale because I run Mullvad pretty much all the time and can’t have two VPNs running at the same time.
Alternative: use the Internet as designed by hosting your service locally (typically with a reverse proxy like Nginx)
You can get a vps (for 2-5€ per month or even for free with Oracle I think) and use a service like netbird or pangolin to expose your service if you don't want to (or cannot because of CGNAT) expose your services directly like Zeus said
could, yes...
but not in a way that they "have" all your photos but in the sense that they see the traffic in an unencrypted state, which includes your photos and e.g. access tokens
the same would apply if you would run a reverse proxy on a VPS unless that proxy isn't decrypting (like e.g. in stream mode, just forwarding packets)
Isn't Cloudflare actively analyzing the traffic of their tunnels and collecting e.g. the passwords for statistics?
who knows ™
Yes, they are
just take this and replace Google with (maybe) cloudflare
I JUST started using Immich so, thus far I'm using a Cloudflare app tunnel just to get it working. Next I'd like to get Pocket ID working. Then I'll probably try to replace Cloudflare with Pangolin or Tailscale.
My previous effort was trying to use NextCloud and their photos app with ddns and a reverse proxy. I never got that fully working and then my mini server died. When my replacement mini server had to be a different machine that didn't accept the previous machine's M2 drive, I decided to try all different software, too. This has proven to be easier and faster to set up.
That’s the big question here, I’m not sure and I don’t want to find out the hard way
I'm looking into this, what are the security implications here? I can think of a few but I may be wrong.
The risk is if there would be a vulnerability in Immich (or any publicly exposed service), the attacker in the worst case could run anything on your machine, spread malware, mine bitcoin etc.
The truth is that you're probably not worth the time for someone to hack your server (if you have properly secured setup)
Be sure though that you'll probably be hit with bots, especially if you have something like ssh exposed
Keep in mind the same applies for cloudflare tunnels. They don't protect your home network when Immich has a vulnerability.
Yeah of course
and hardening your home setup can be fun 😄
shhh... r/selfhosted isn't ready to hear that yet
"opening your ports will give hackers access to everything, kill your cat and set your house on fire.
Use cloudflare tunnels or a vps instead so the ports are open on someone else's machine"
also applies to a lesser degree to the tailscale shills who cannot for the life of them understand that I can't connect a smart TV to tailscale
You can route traffic through a tailscale VPN in your network with a proper router
Yeah but in most cases it’s family with a POS ISP router haha, not openWRT/opnsense
lmao that's fair
Not understanding the opening of a port itself is meaningless if you tunnel all that traffic to your home 🙂
but the hackers will use the open port to kill my cat!
some gems
Just wait until they learn that outgoing connections open a port for return traffic
Any recommendations for hardening your home network?
Plenty, never ending list
Which part exactly?
I’m really a novice so I’ve been doing port scans and found out that my NAS poked two ports in my network, I panicked and shut them so now I can’t use my NAS outside with the built in service.
What are some techniques I can use to harden my network? I’m using a TP-link mesh router (I know about the vulnerabilities 😭)
You have UPnP enabled…. Massive mistake #1
Turn that off IMMEDIATELY whenever you setup an edge device
Crowdsec
Fail2ban
VLANs
Geo blocking
All terms you can Google
Yep, I turned that off.
Search for cis security
They provide free best practices for anything
Docker, nginx, Linux, etc.
There's a lot to cover, but Zeus mentioned the big parts. Also don't stop at securing only the network. Securing the host system is also important
Basically if anyone got into your network and bypassed your security measures, you want to restrict their access and what they can do as much as possible on the host
a seemingly endless endeavour 😄
Good idea. I've been looking into Crowdsec and everything else Zeus mentioned. Lots to go over.
Hey guys, let me know if you think this public Immich setup is secure:
Connection:
Traefik reverse proxy
Port 443 public
Security Configuration:
- Disabled password login (oAuth2 login via Authentik only)
- Crowdsec actively scanning Immich logs AND Authentik logs to detect bruteforcing, scanning and any other funky requests
- Configured Crowdsec to automatically ban any connection to ANY part of my server (not just Immich) that originates from outside my country (since i dont really travel anywhere at the moment)
I know security through obscurity is not real security, but I never post my IP or domain online. So I think that factor certainly lowers my attack surface even more.
I'd say as of right now, my biggest threats are probably LAN based attacks. My WAN is pretty secure I like to think
My host was also vulnerable to the copy fail exploit released a couple days ago, so I had to manually patch that too since I use a custom kernel on my Host.
your cert renewal is public information(depends on how your cert renewal is setup, if you are using wildcard cert or not)
yes im using wildcard certs as opposed to subdomain certs
Wildcard certs are in my opinion extremely underrated. They allow you to add a significant degree of obscurity to exposed services, especially from bots and crawlers
like i am not "going all in" on wildcards
if you try you can guess my services but at least it's not advertised for the world to see on crt.sh
if i was going all in it would be like abc.xyz(domain)
and mount it as (service).(some long string).abc.xyz
where (some long string).abc.xyz -> is bound to a single host
In addition you can configure your proxy to serve a fake cert when connecting by IP or without a matching SNI host
oh yeah my caddy just hangs up the connection i think if you connect to public ip
me too, i have sniStrict: true in my traefik config
that one google article advising against wildcard certs is a psyop to let them crawl the web even more
obscurity is always nice but not security, partly true
if that would be all you do, it is not security.... but it can be part of a security concept, no need to make information discovery easy
as Zeus said, serving a "fake" snakeoil/dummy cert is nice so the true domain does not get "discovered" by scanning the IP or by accessing it with invalid domains
years ago wildcard certs were frowned upon because of the security implications... especially in a self-hosted environment and nowadays with always shorter certificate lifetimes, this is not necessarily true and I personally use mostly wildcard certs (with some specific certs for stuff hosted elsewhere, like my emails, etc.)
after that, look through hardening guides specific to your proxy and your host and if applicable your docker installation
a basic look at your network setup between all your services could be worth it once you start self-hosting several things (I like cisecurity.org which offers free best practice lists)
a big thing almost everyone should do is set the default bind to localhost on docker, since docker usually bypasses your firewall rules
I mean I purposefully leave it on 0.0.0.0 because I want to access immich from lan but yea
I think my biggest priority as of right now is ditching my shitty ISP router and replacing it with a nice UniFi router that actually lets me setup VLANS
my ISP router does have an "iot network" and "guest network" but my main network is still accessible from those networks for some inexplicable reason, like what the hell is the point
lol yea that makes no sense.
Do you know what you want to do with those vlans yet?
For many one vlan is enough because they don’t have many devices.
I like to segment my own network as well though 🙂
banish all iot devices from internet access
Most IoT devices need Internet access for functionality 😄
I limit internet access for some of my IoT devices. My todo list has plans for device profiling them and then allow access to whatever they usually access but not more
my smart lightbulbs are going straight to my internet jail VLAN, no internet access for you....
thats a really smart approach, i think the UniFi router i wanna get supports that but i have to double check
For IoT devices it depends on if they are cloud based or not. I would limit all IoT devices that can run locally. ofc something like a media player or smart home hub needs internet access, but apart from that everything is walled off. I do some light country blocking and my philips hue bridge always tries to reach chinese IPs for its time 🙄
I just published a lengthy article on what I think is the best way of accessing Immich externally. It uses a new method with Cloudflare and its agent app to get all the CF tunnel goodies but without the 100mb upload limit while using free tier accounts: https://jogenfors.com/posts/immich-cloudflare-one/
Blog posts
Excuse me, I’m not sure how to leave a review. I’ve been using Immich for a month now and have some suggestions and feedback regarding its performance. Where can I send them?
We don’t have a space just for reviews, but #immich would be a better place than this thread.
Actual suggestions would be a feature request on GitHub though
anyone using pangolin on a vps for exposing immich? my cheap vps is too slow, transfer speed is only 3-4 MB/s and I'm looking for a new one in central europe.
Hetzner?
I just wanted to try them out - but the VPS with ARM is currently not available. Do you have experience with them?
I have a 4c/8GB cloud VM for years (I think right when they released arm instances) for various things
Generally hetzner is a solid choice
I do on Oracle and thus far no problems, 2 cpu/12GB
Is there anywhere that people have a roadmap for what is needed or what would make people feel better about exposing Immich to the internet? It's honestly not a reasonable expectation that it should not be exposed, one of the big use cases for a "cloud" image service is exactly being exposed. There are features built into Immich that only make sense if it's exposed! (i.e. share links).
So, I guess people are just paranoid about it, and nobody willing to sign off on it being "hardened" enough? It seems like that is an important thing to do.
Are there any known weaknesses in particular?
The main weakness I can think of is that there is no way to make only parts of immich public - e.g. if I could make only share links public, that would be good, but share links need the API so you mostly have to expose everything.
Exposing everything should be fine, unless we're just not confident that it is protected.
Everyone has a different definition of what needs to be done to securely host Immich. You won't find a list of things you need to do as it's highly subjective. It's been quite some time that someone put Immich itself in a negative way that it should not be exposed. It usually boils down to your setup in front of Immich.
fwiw I've been running exposed Immich instances for around 2 years with no issues
Immich doesn’t claim it shouldn’t be exposed. Many of us do. We have reverse proxy instructions in our docs
So I think your premise is flawed
Huh, I was sure I saw it mentioned in some getting started docs that they don't recommend exposing it, but I can't find it. So you must be right. That's great!
I mean, I wouldn't expose it to the internet if there was a reasonable way, but there's no way I've seen to expose only some parts.
I'm not sure why people claim it shouldn't be exposed, other than just the general principle of only exposing the minimum necessary. Of course, if you're running it through a reverse proxy you're still exposing the same surface as the ports.
I run it exposed to the internet, using oauth / authelia. I just have multiple kinds of backups and try to follow best practices. I thought maybe there was some roadmap for security improvements but I don't know where I got that idea.
No, it's just the setup in front (OAuth, Proxy etc.) that's usually discussed here. Some don't feel safe without additional security measures.
Most of the noise you see around this is a function of 1) immich handling relatively personal information and 2) immich attracting many self hosting newbies
Makes sense. It is very easy to set up initially, probably easy to step in it.
At the end of the day it’s a webapp and you expose that however your threat model dictates
Also keep in mind that there are A LOT of Immich users that already struggle with setting up Immich. For them it's a whole other challenge to keep it secure.
We are here to help whenever there are questions, but there will never be a single truth
Well that makes me feel better. I feel like all I was hearing was people talk about various ways to block all public access, and not so much from people who allow public access (obviously with auth I mean). Thought I was the crazy one (I'm sure some would still think so). So good to hear your pov Finn.
I allow public access with immich login 🙂 no issues
I usually take the standpoint "I will not do more security in my homelab than what I'm doing at work" and that's where my setup stands today: just enough that I feel safe for the kind of data that lives there. It's a risk analysis 🙂
If you only want to expose shares you can use something like immich-public-proxy, does exactly that
It does not allow others to upload photos but it is indeed pretty neat
To each his own...
I also have immich exposed publicly for 2+ yrs now
though hardening is always a good idea
FWIW I did a security audit and came up with these 3 items worth noting...
Anyone using a reverse proxy should ensure IMMICH_TRUSTED_PROXIES is configured.
[P1] Default proxy trust is broader than a Traefik deployment should allow.
Express trusts loopback plus network.trustedProxies: server/src/app.common.ts (line 49). The default trusted proxies are all link-local and unique-local/private ranges: server/src/repositories/config.repository.ts (line 324). In a Traefik setup, only Traefik should be trusted to supply X-Forwarded-*; with the current default, a reachable private-network peer or compromised container can spoof X-Forwarded-For and X-Forwarded-Proto, affecting audit IPs and request.secure-driven cookie security: server/src/middleware/auth.guard.ts (line 57). Express’ own proxy guidance warns that the last trusted proxy must overwrite forwarded headers.
Fix: default to loopback-only, or document and require IMMICH_TRUSTED_PROXIES to be the exact Traefik container IP/CIDR, not broad private networks. Source: Express behind proxies.
[P2] Shared-link slugs can leak the real share key through Host-derived metadata URLs.
SSR derives defaultDomain from request.protocol and request.host: server/src/services/api.service.ts (line 76). For public /s/<slug> pages, metadata generation embeds a thumbnail URL containing ?key=<real-share-key>: server/src/services/shared-link.service.ts (line 227). If server.externalDomain is unset, which is the default, that secret-bearing absolute URL is based on the incoming Host/proxy headers: server/src/config.ts (line 372), server/src/utils/misc.ts (line 52). A permissive Traefik router or direct backend access can therefore make Immich render the real key into attacker-observable HTML for a slug URL.
Fix: never build secret-bearing URLs from Host/X-Forwarded-*; require a configured external domain or validate Host against an allowlist before rendering those tags.
[P3] Socket.IO accepts WebSocket connections from any Origin while authenticating via cookies.
Both gateways use cors: true: server/src/repositories/websocket.repository.ts (line 45), server/src/maintenance/maintenance-websocket.repository.ts (line 28). Auth reads cookies from WebSocket request headers: server/src/app.module.ts (line 86), server/src/services/auth.service.ts (line 472). Socket.IO notes that CORS does not protect WebSocket upgrades; allowRequest is needed. In common Traefik setups with many same-site subdomains, a compromised sibling app could open a socket to Immich and receive user-scoped events if cookies are sent.
Fix: enforce an Origin allowlist for WebSocket upgrades, ideally based on configured server.externalDomain/trusted hosts. Source: Socket.IO CORS handling.
"worth noting" is that AI reports still need to be checked if they are actual issues or if AI is just talking. P2 was funny to read
the thing with immich is that most stuff needs some sort of access key, either an auth cookie or the share key, making it quite secure
laughs in jellyfin/emby
Do they have a history of unprotected endpoints?
almost everything is unprotected
apart from admin stuff
they heavily rely on the url uuids or whatever being too long and unique to guess
test it for yourself, log into jellyfin with dev tools' network tab open, get a URL of whatever (image/mp4/etc etc)
and then open it in incognito without having logged in
Media files being streamed with url encoded keys is quite normal and you often see it for commercial streaming services as well.
It's often used when you grant direct access to files hosted in an S3 bucket or similar.
TIL
absolutely
Weird thing to say in a channel about exposing. But surely the best way if you don't need to expose.
there is this one service that i see pop up occasionally that uses sequential numeric ids and claims to be secure. as in, if you have example.com/stream?id=44321 , example.com/stream?id=44320 is almost definitely also something
Eh ... I guess it's at least easy on the processing, just adding 1 instead of using entropy to generate a random string??? Yeah, no nothing excuses that
reading and this looks great so far. I'll be checking this out fully later.
Nice, let me know how it goes
There is a small note in the FAQ about the CF limitations but I doubt many look there when setting it up
I have Unraid and I use Cloudflare One trust
I have a couple of questions about what happens when I import a SSL Client Certificate, if anyone knows the answers?
- I have to log out and back in to import it apparently. What happens when I log back in? I have 14k assets on the device, as well as specific folders that I back up, and also some settings under Free Up Space so that it never frees up certain albums I want to keep. Will these preferences be wiped? Will Immich have to re-scan/hash every file locally and compare to server?
- I currently utilise a split-DNS approach for many services so that when on my home network service-name.mydomain.com resolves to the service locally, and also a public DNS for the same service-name.mydomain.com resolving to the external entry point. If I do the same with Immich, when I'm on my LAN, the app will presumably still present the mTLS cert - but nothing will be expecting/requiring it. Will this break anything?! Or will the Immich app just happily continue talking to the server? When I go off my home LAN the mTLS cert will be expected by Cloudflare, and it should "just work"... I'd prefer not to have to use 2 different URLs, but I suppose that is an option since the Immich app does support it.
Thanks in advance for any info about what might happen here!
- Yes to all - settings are reset and assets will be hashed so it knows which ones are already uploaded.
Not sure about 2, never used mTLS
Do you know if there’s been any conversation about why it’s necessary to log out prior to importing a client certificate? Has it been investigated if it could be possible to add/enable mTLS without a full app reset?
Re 2) ok thanks! I use mTLS with a couple other services that are straight web apps/sites and they work fine going between local connection (no mTLS requirement) and external connection (mTLS required by Cloudflare) and Safari on iOS handles it without any problems. Just not sure if the Immich app will or not!
I just wanted to come in here and say thank you for this article - exactly what I was looking for and works great
That's great to hear. I've been surprised by the general negativity towards my article and glad to finally hear that someone else made it work
Hey everyone! Just wanted to share my Immich setup and see what you think.
I’m running Immich on my QNAP NAS (a massive upgrade from the awful QNAP gallery app). For remote access on Android, I use an app called WG Tunnel connected to a WireGuard VPN on my FRITZ!Box.
I set up an app-specific tunnel so the VPN only triggers when Immich needs it. Plus, it uses the "trusted Wi-Fi" feature, so the VPN automatically disconnects when I’m at home and reconnects when I leave.
It’s always-on, completely seamless, and works perfectly. How do you guys handle remote access?
Currently also using wireguard vpn to my fritz box but with the standard wg app for iOS. I used to leave the VPN on all the time but somehow recently for everything except my homelab stuff it’s really slow (although it worked fine before).
Eventually I want to run pangolin on a vps to not be dependent on that vpn and be able to share some albums with external ppl
Tailscale
or netbird
i use DuckDNS
it's pretty simple
you spin up the duckdns docker container with the token and domain env. variables and then after exposing your immich port to the internet (which changes for all routers, i suggest searching up a tutorial for your router provider but generally it is under NAT) and then you are all set
or if you want you can use Caddy, which is another world
Please do not expose Immich directly without a proxy in between for TLS. Everyone between your server and client can read the unencrypted data, including session tokens for your account.