Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.
I don’t have very nerdy friends so not many people appreciate this.
You must log in or register to comment.
Wrapping my head around reverse proxy was a game changer for me. I could finally host things that are usefull outside my LAN. I use Nginx-Proxy-Manager which makes the config simple for lazy’s like me.
NPM is awesome until you have a weird error that the web GUI does not give a hint about the problem. Used it for years at this point and wouldn’t consider anything else at this point. It just works and is super simple.
+1 for NPM! Used to even do things manually, but I’m too lazy for that and NPM fulfils nearly all my use cases lol
came here to leave this exact response! 😁
Do you serve things to a public? Like a website? Because unless you’re serving a public, that’s dumb to do… and you really don’t understand the purpose of it.
If all you wanted was the ability to access services remotely, then you should have just created a WireGuard tunnel and set your phone/laptop/whatever to auto connect through it as soon as you drop your home Wifi.
This is very short sighted. I can think of dozens of things to put on the open internet that aren’t inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there’s no inherent problem.
A lemmy instance, a wiki, and a couple of other website type things, yes.
Publicly facing things are pretty limited, but it’s still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.
I appreciate what you’re saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.
Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public so I just copied the same thing when I set up Jellyfin but is that a liability even with a password to access?
I’m a huge fan of Caddy and I wish more people would try it. The utter simplicity of the config file is breathtaking when you compare it with Apache or Nginx. Stuff that takes twenty or thirty lines in other webservers becomes just one in Caddy.
I moved from swag to caddy and I’m glad i did. So much more simple.
I love Caddy. So easy to configure, and the automatic SSL is almost always what I need.
Can someone ELI5? I’m a noob who aspires to set up immich in the near future. I only recently started making efforts to separate myself from the cloud. So far I’ve got a wireguard server set up and I’ve disconnected both my Bambu printers from the cloud and I’m currently setting up some home assistant stuff. Pretty soon I’m hoping to set up a NAS, Immich, Plex (or similar) and replace my google nest cameras.
Pretty much I have caddy on a VPS that’s pointing to my internal IP using a tailscale tunnel. You are still exposing the web gui to the Internet so I just changed authentication to OAuth to mitigate since risk. There is still a possibility of attacks via zero days, but my immich is on a VM and I’m creating firewall rules to just allow certain ports out.
I appreciate the extra details but I still don’t know what “caddy”, “VPS”, “tailscale tunnel”, or “zero days” are, but I can look it up.
It’s hard to explain from scratch.
Caddy is a reverse proxy software that essentially redirects traffic from a certain port to another port. For example external:port => internal:port. It also enables SSL encryption meaning everything will be encrypted en route between the external and the user.
VPS is a virtual private server. Just someone else’s computer you can expose to the Internet.
Tailscale is a mesh VPN that uses wire guard as its transport. I use this to tunnel between my VPS and my Immich server to hide my home IP and to allow encrypted traffic between my Immich server and my VPS.
A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor thus has zero days to prepare a patch, as the vulnerability has already been described or exploited.
There’s no fix other than security through layers.
That actually helps a lot, thanks!
I’ll try to ELI5, if there’s something you don’t understand ask me.
Op has a home server where he’s running immich, that’s only accessible when he’s at home via the IP, so something like http://192.168.0.3:3000/, so he installed Tailscale on that server. Tailscale is a VPN (Virtual Private Network) that allows you to connect to your stuff remotely, it’s a nice way to do it because it is P2P (peer-to-peer) which means that in theory only he can access that network, whereas if he were using one of the many VPNs people use for other reasons, other people on the same VPN could access his server.
Ok, so now he can access his immich instance away from home, all he has to do is connect to the VPN on his phone or laptop and he’ll be able to access it with something like http://my_server:3000 since Tailscale adds a DNS (Domain Name System) which resolves the hostnames to whatever IP they have on the Tailscale network.
But if you want to give your family access it’s hard to explain to them that they need to connect to this VPN, so he rented a VPS (Virtual Private Server) on some company like DigitalOcean or Vultr and connected that machine to the Tailscale network. He probably also got a domain name from somewhere like namecheap, and pointed that domain name to his VPS. Só now he can access his VPS by using
ssh user@myserver.com. Now all he needs to do is have something on the VPS which redirects everything that comes to a certain address into the Tailscale machine, Caddy is a nice way to do this, but the more traditional approach is ngnix, so if he puts Caddy on that VPS a config like this:immich.myserver.com { handle { reverse_proxy my_server.tailscale.network.name:3000 } }Then any requests that come to https://immich.myserver.com/ will get redirected to the home server via Tailscale.
It is a really nice setup, plus OP also added authentication and some other stuff to make it a bit more secure against attacks directly on immich.
Good job!
I’m still trying to understand what it is and why I would want it. I see several programs I use recommend it but I just don’t get what it does and why what it does is good.It does a couple things. It’s one service that routes requests to multiple services. So if you have radarr, sonarr, etc., you can put a reverse proxy in front and use the same ip-port to connect to all, and the proxy routes the request to the service by hostname.
If you have multiple instances of the same service for HA, it can load balance between them (though this is unlikely for a homelab).
Personally I run all my services through docker and put traefik in front, so that I don’t have to keep track of ports. It’s all by name.
It’s also nice because traefik handles HTTPS termination, so it automatically gets certs for each name, and the backing service never needs to worry about it (it’s http on the backend, but all that traffic is internal).
Thank you for the explanation. But that’s it than? Just convenience with ports?
Well it IS pretty nice to be able to tell people to go to jellyfin.example.com instead of example.com:8096, but you also get security benefits for using a properly set up reverse proxy. You don’t need to keep your ports open to the whole internet, only the reverse proxy accesses them. As far as the rest of the internet is concerned, you have :443 open.
I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.
All I can say is good for you! It wasn’t easy. And it’s so powerful.
Congratulations!
It feels really good when you learn something new and get it working the way you like.
If you want more challenges take a look at this:
This would be useful if you ever wanted to share albums with other people outside your tailscale network and that lack an account for your immich server.
Same boat (in the learning cycle that is). No idea what immich is, but I got Stirling-PDF hosting in docker. I only learned the other day that localhost, is localhost for the container. I couldn’t get a bunch of stuff running for.ever, till I learned the way I was calling things needed to be to host.docker.internal.
Congrats! I just pulled off the same thing last week using cloudflare tunneling? The phrase “reverse proxy” scared me too much lol. So props to you.
Wow, so my understanding of the terms ‘reverse proxy’ and Tailscale must be wrong then, because I thought they were mutually exclusive. I’ll go do some more research, unless someone feels like explaining how you can do both at the same time.
Also, I think the ‘Risks’ section of this page is informative:
I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that’s just used for emergency ssh access.
Nice work! 😎
Just be sure to read up on network security and set yourself up for success! Even tunnels can still be an attack surface. Always keep everything up to date! And plan for the worst case.
me too like last week!!! yay us!!
haven’t gotten oauth going yet but soon
I know that feeling ! My first service hosted via docker + Treafik outside my lan with a wireguard tunnel felt like a big dopamine hit ! Congrats !
Now I have over 20 services and It feels trivial :( I still love the easy to read/write syntax of Treafik ,however I feel like I’m missing a lot of important networking knowledge while avoiding Nginx !
Maybe one day when I’m too bored I will switch everything to Nginx, see how it goes !
Like, good for you, man.
But you should really keep your stuff inside the VPN and not expose things, it opens up a pile of potential risks that you don’t need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications. If you absolutely, positively must have something exposed directly, put it on it’s own VLAN and with no access to anything you value.
O have a very similar setup but have a couple of questions if you don’t mind me asking, what did you used for OAuth? and where is it running? I tried athelia on the VPS but had some problems I can’t remember now and decided it wasn’t worth the time at the time, but probably should set it up.
