this post was submitted on 08 Dec 2024
37 points (91.1% liked)

Selfhosted

40734 readers
354 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

As the title says...

Is this a risky thing?

EDIT: I have a wireguard VPN set up for myself and it's always on so I can access *arrs and the like. I would like to expose immich on my domain to share photo albums and such.

top 26 comments
sorted by: hot top controversial new old
[–] [email protected] 11 points 2 weeks ago (2 children)

Best solution is a VPN to your home network.

However, if you want to host it publicly, at least restrict access to it via GeoIP. For example, if you live in Europe and only need access from there, only allow the areas in Europe you travel to and block everything else. This will greatly reduce your attack surface.

Also, make sure everything is patched. Always. And implement something like fail2ban to deny repeated failed logins, along with a reverse proxy.

[–] [email protected] 4 points 2 weeks ago

Best solution is using a mesh VPN service like Tailscale or Netbird

[–] [email protected] 3 points 2 weeks ago (1 children)

GeoIP restricting is a brilliant idea I never thought of. I have been getting a few people trying to sign up on one of my other services and they're all from Asia somewhere.

I'll try setting this up.

[–] [email protected] 4 points 2 weeks ago (1 children)

Sweet. Both OPNSense and pfSense firewalls have the ability to tie into MaxMind's GeoIP service. Not sure what your perimeter device is, but it's pretty easy on those. And free.

[–] [email protected] 1 points 2 weeks ago (1 children)

If you use Cloudflare as the domain-DNS I'd rather use them as the GeoIP filter.

[–] [email protected] 1 points 2 weeks ago (1 children)

Yes, but OP mentioned nothing about Cloudflare.

[–] [email protected] 2 points 2 weeks ago

Doesnt hurt to mention though in case others come across this discussion, no?

[–] [email protected] 10 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

You are increasing the attack vector immensely, and it is up to you to ensure that it is well protected and up to date. The attack effort won't be high though and most of the attacks would be pretty basic, still I wouldn't risk something so personal, like your image library.

I would suggest for you to look into Wireguard or Tailscale for accessing your personal Immich instance.

[–] [email protected] 5 points 2 weeks ago (1 children)

I've already got wireguard set up and that's how I access it. I would like the ability to share stuff with people though

[–] [email protected] 7 points 2 weeks ago (2 children)
[–] [email protected] 2 points 5 days ago (1 children)

I just set this up and it's amazing. Thank you for the suggestion!

[–] [email protected] 2 points 5 days ago

Glad to help!

[–] [email protected] 2 points 2 weeks ago

I didn't know about this! Thanks dude

[–] [email protected] 3 points 2 weeks ago

Public subdomain pointing to an internal Tailscale IP. Generate Let's Encrypt certificates using the domain alone. Browsers don't scream, access only works via Tailscale.

[–] [email protected] 9 points 2 weeks ago

Also, true there is more risk, but you should always balance it with advantages.

If your immich is properly protected behind a reverse proxy and encrypted with https, and containerized, preferably root-less container, and you properly back it up, go ahead and enjoy sharing.

[–] [email protected] 8 points 2 weeks ago (1 children)

I haven’t gotten around to setting it up myself yet, but I have immich-public-proxy pinned. Could solve exactly your problem. Keep your main immich behind your vpn but expose some public galleries of your choosing.

[–] [email protected] 4 points 2 weeks ago

I use yunohost for this. Ist possible there to use the sso etc. The default Installation Help to make a Quick and secure Installation.

[–] [email protected] 7 points 2 weeks ago

Yeah, but if you put everything behind a well configured reverse proxy with proper SSL certs (let's encrypt) and maybe also a good SSO (not mandatory, but recomended) you will be fine.

See https://wiki.gardiol.org/doku.php?id=selfhost%3Anginx https://wiki.gardiol.org/doku.php?id=selfhost%3Asso / https://wiki.gardiol.org/doku.php?id=services%3Aauthelia

These pages have been written for my own usage and use case, so YMWV...

[–] [email protected] 7 points 2 weeks ago

I've got mine on a subdomain through a Cloudflare tunnel that points to my local nginx proxy manager (with wildcard SSL certs) then to immich. You can do access control through Cloudflare as well. Quite low risk in my opinion as long as you protect it properly.

[–] [email protected] 6 points 2 weeks ago (1 children)

I’ve been putting everything behind Tailscale. I don’t see any reason to make it public unless you’re planning on sharing it with the public.

[–] [email protected] 1 points 2 weeks ago

Same for me, but via Cloudflare tunnel. No need to expose your system to world unless that is what you want.

[–] [email protected] 3 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

You could look into mutual TLS / mTLS to protect your instance. You will need to set this up using a reverse proxy at your server (like Caddy) and then add a client certificate to your user devices. If you use the Immich app, I think it also supports adding this certificate under Settings -> Advanced -> SSL Client Certificate. Here you can find a tutorial on how to set it up: https://www.apalrd.net/posts/2024/network_mtls/

(Edit: you will need to ensure that all clients who want to receive your shared photos have a client certificate installed, so depending on the number of clients this might be okay or less useful)

[–] [email protected] 2 points 2 weeks ago

Yeah, this is too much for my needs. My main goal is to be able to send pictures to people via a link.

Neighbors and family and stuff - less tech savvy folk.

[–] [email protected] 2 points 2 weeks ago

I suspect most people open it via subdomain or cloudflare tunnel and it seems secure enough. Haven't seen reports of people getting hacked left and right.

VPN Certainly is more secure and works for a few people but becomes annoying if you have users that don't want to mess with a VPN. It also helps if you want to make a public share link to someone without an account.

[–] [email protected] 1 points 2 weeks ago

Try out a mesh network VPN like tailscale (others are available, but i haven't tried them).

Tailscale is basically just a simple but powerful wireguard manager that does all of the work of setting up a mesh network for you, and it works amazingly well in my experience. The free account is good for I think 3 users and 100 devices on a network and has been the perfect thing to expose my home server to my various devices no matter where I am.

I like it so much after having used it for the last few months that I just spent way too much money upgrading my server... but that's another thing entirely. lol

[–] [email protected] 1 points 2 weeks ago

It is no riskier than any other reverse proxy or tunneling app. If you follow good opsec, you should be fine. In truth there is no bulletproof way to avoid intrusion, so do the best you can without completely doing away with convenience.