Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.
I don’t have very nerdy friends so not many people appreciate this.
You must log in or register to comment.
Can someone ELI5? I’m a noob who aspires to set up immich in the near future. I only recently started making efforts to separate myself from the cloud. So far I’ve got a wireguard server set up and I’ve disconnected both my Bambu printers from the cloud and I’m currently setting up some home assistant stuff. Pretty soon I’m hoping to set up a NAS, Immich, Plex (or similar) and replace my google nest cameras.
I’ll try to ELI5, if there’s something you don’t understand ask me.
Op has a home server where he’s running immich, that’s only accessible when he’s at home via the IP, so something like http://192.168.0.3:3000, so he installed Tailscale on that server. Tailscale is a VPN (Virtual Private Network) that allows you to connect to your stuff remotely, it’s a nice way to do it because it is P2P (peer-to-peer) which means that in theory only he can access that network, whereas if he were using one of the many VPNs people use for other reasons, other people on the same VPN could access his server.
Ok, so now he can access his immich instance away from home, all he has to do is connect to the VPN on his phone or laptop and he’ll be able to access it with something like http://my_server:3000 since Tailscale adds a DNS (Domain Name System) which resolves the hostnames to whatever IP they have on the Tailscale network.
But if you want to give your family access it’s hard to explain to them that they need to connect to this VPN, so he rented a VPS (Virtual Private Server) on some company like DigitalOcean or Vultr and connected that machine to the Tailscale network. He probably also got a domain name from somewhere like namecheap, and pointed that domain name to his VPS. Só now he can access his VPS by using
ssh user@myserver.com. Now all he needs to do is have something on the VPS which redirects everything that comes to a certain address into the Tailscale machine, Caddy is a nice way to do this, but the more traditional approach is ngnix, so if he puts Caddy on that VPS a config like this:immich.myserver.com { handle { reverse_proxy my_server.tailscale.network.name:3000 } }Then any requests that come to https://immich.myserver.com will get redirected to the home server via Tailscale.
It is a really nice setup, plus OP also added authentication and some other stuff to make it a bit more secure against attacks directly on immich.
Pretty much I have caddy on a VPS that’s pointing to my internal IP using a tailscale tunnel. You are still exposing the web gui to the Internet so I just changed authentication to OAuth to mitigate since risk. There is still a possibility of attacks via zero days, but my immich is on a VM and I’m creating firewall rules to just allow certain ports out.
I appreciate the extra details but I still don’t know what “caddy”, “VPS”, “tailscale tunnel”, or “zero days” are, but I can look it up.
It’s hard to explain from scratch.
Caddy is a reverse proxy software that essentially redirects traffic from a certain port to another port. For example external:port => internal:port. It also enables SSL encryption meaning everything will be encrypted en route between the external and the user.
VPS is a virtual private server. Just someone else’s computer you can expose to the Internet.
Tailscale is a mesh VPN that uses wire guard as its transport. I use this to tunnel between my VPS and my Immich server to hide my home IP and to allow encrypted traffic between my Immich server and my VPS.
A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor thus has zero days to prepare a patch, as the vulnerability has already been described or exploited.
There’s no fix other than security through layers.
That actually helps a lot, thanks!
Like, good for you, man.
But you should really keep your stuff inside the VPN and not expose things, it opens up a pile of potential risks that you don’t need to have. You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications. If you absolutely, positively must have something exposed directly, put it on it’s own VLAN and with no access to anything you value.
Don’t listen to this guy. You don’t have to turtle all your stuff inside a VPN if you don’t want to. Hosting services on the internet is what the internet was created for. It’s up to you whether what you want to host is exposed to the internet or not, and as long as you’re aware of the risks do what you want man. I will mention that Immich specifically might not be the best idea to expose since it’s so unstable, but that depends on your level of comfortability. Worst case scenario is somebody gets into your Immich and can see all your photos. Would this be a dealbreaker for you? If so don’t expose it publicly. Otherwise you’re perfectly fine.
Absolutely that’s what the internet was made for!
But family photos keep a bit more secure, Particularly if it’s syncing directly from your phone, I take a lot of explicit photos of my wife, but also code that I’m writing on my computer, or the kids playing, etc.
Nobody said they had to. I made him aware of the risks in case he wasn’t. You seem to have an axe to grind there.
I’m not a big fan of amateur know-nothings regurgitating the same nonsense regurgitated to them by previous know-nothings, attempting to further the cycle to people finding their footing with self hosting, telling everybody what they “should” do based on their own limited understabding. It was a big problem on the self hosted reddit and up to this point has been less of a problem here.
And yet here you are, making sure this guy knows he can expose anything he wants except the specific thing you decided is troublesome like immich. Maybe you’ll be here to help him put it all back together with your wealth of knowledge and experience.
Take a hard look at yourself, you’re doing all the stuff you accuse someone else of. Maybe you aren’t always the smartest person in the room. In any case, I’m done with your shit. Go ruin someone else’s day, you ray of sunshine.
Yeah maybe you should take notes on how to relay a little bit of relevant knowledge in the context of what it is they’re trying to do, and let them decide how it fits their use case, instead of repeating broad, inaccurate generalizations dictating what people should and shouldn’t do across the board.
If you’re not going to be helpful or informative, then don’t bother chiming in at all.
I want to be able to upload/download/share my photos from anywhere in the world without using a VPN. Additionally, this satisfies the wife requirement. It works in the background without her needing her to turn on the VPN. I don’t want her to keep asking me how do I turn on the VPN? If it’s just me, then no issue, I’ll use a VPN.
Yeah, you always have to account for the wife factor. Same reason I’m using Plex instead of Jellyfin for my video hosting; I’d personally prefer Jellyfin, but the wife factor (really the mother-in-law factor, but whatever…) demands that it doesn’t require a ton of config on the user’s end. If the goal is to encourage use by your family, it can’t be fiddly or difficult to set up on their end.
To be fair, wireguard is pretty painless.
You set up the VPN and it’s always on. There’s no hassle.
Unless you’re on IOS that will shut your VPN off regularly. Or you want somebody else to be able to access what you’re hosting without having to walk theme through a VPN setup they won’t understand.
I have a couple dozen customers on ios that use their camera servers via Tailscale. Never had a peep about that sort of thing.
And the last is the typical sort of “convenience” that gets people popped.
You’re hearing about it now. It’s an issue with the way iOS handles background tasks and there isn’t any way to fix it. It’s just how the OS works.
Well, apparently a bunch of farmers are smart enough to press a button without even bothering me about it.
Why would farmers not be smart enough to press buttons?
I’ve never had iOS shut my VPN off, and I use a kill switch so I would immediately know.
You can still use a reverse proxy inside the VPN and use your own DNS server that spits out that internal address to your devices for your various applications.
Excuse me what? Here’s my dumb ass navigating to "[device name]:[port] over tailscale.
I’ve tried this a couple times and I’ve always failed. I could never figure out how to get a http://service.domain request to my Nginx install to be proxied in the first place. I tried putting pihole on tailscale and setting that as tailscale’s DNS. It blocked ads but I couldn’t navigate to custom domains. I put NPM on tailscale hoping that was the issue. I looked for LocalDNS/CNAMES in tailscale to see if I could do it that way. Do I have to set a local machine as an exit node and do split DNS shenanigans, service.domain goes through to my local and everything else the wider web? Do I set a router node?!
Not expecting you to troubleshoot, I don’t have time to see it through anyhow. Just annoyed at myself I couldn’t figure it out and driven to try again.
deleted by creator
I don’t even bother with the internal DNS server. I just set my A records in Cloudflare to point to the private IPs
Do the private IPs not change at all? Or can you handle that automatically?
I have next to no experience, but I’m pretty sure that wouldn’t work for me since my IP changes? Idk
Most routers have a feature to assign static IPs to a specific MAC address. You can also tell most devices to try to take a specific IP instead of using DHCP.
There are multiple ways to set it up, but it’s very possible to set a specific device to always have the same local IP, which is usually the first step to many self-hosting scenarios.
You can either set a DHCP reservation in your router, or manually set the IP on the device.
When I say private IP, I’m referring to the internal IP e.g 192.168.1.X
Means internally I just go to the domain without having to remember the IP I set.
Oooh. That makes more sense, thank you.
I somehow thought you’d meant your global IP addresses, lol
Edit: i see now they’re talking about private IP, but in case you want to learn about getting a static IP for other things…
Many ISPs will give you a dynamic (changing) IP rather than a static (unchanging) IP. Just check your IP once a week for a few weeks to see if it changes.
There are some services that get around this by checking your ip regularly and updating their records automatically. This is called a dynamic DNS provider (DDNS). I used to use “noip” but since then there are quite a few like cloudflare DDNS.
Beyond that you just would want to make sure your router or whatever device is assigning IPs on your network to give a static assignment to the server. Assigning IPs is handled by a DHCP server and it would usually be your router, but if you have a pihole you might be using that as a DHCP server instead.
Between DDNS and DHCP you can make sure both your external IP and internal IP are static.
Sounds like Cloudflare tunnels. I used that for a while, until I realized I didn’t want to be tied to Cloudflare.
Opening it up lets you use it from devices that aren’t on tailscale, or for friends and family. I have the same idea with Nebula instead of Tailscale, if I can figure it out.
I’m a huge fan of Caddy and I wish more people would try it. The utter simplicity of the config file is breathtaking when you compare it with Apache or Nginx. Stuff that takes twenty or thirty lines in other webservers becomes just one in Caddy.
The only thing I don’t like about caddy is that using DNS challenge requires recompiling the program itself, and the plugins themselves can be a bit quirky. Mind you, you can easily handle this with a separate program like
legoorcertbotso not a huge deal.I love Caddy. So easy to configure, and the automatic SSL is almost always what I need.
I moved from swag to caddy and I’m glad i did. So much more simple.
Congratulations!
It feels really good when you learn something new and get it working the way you like.
If you want more challenges take a look at this:
This would be useful if you ever wanted to share albums with other people outside your tailscale network and that lack an account for your immich server.
Tailscale?
Is this setup advisable for the CGNATED environment?
You will need a VPS as your other endpoint
Ah, I figured… I used to do this with Wireguard instead of Tailscale.
This is necessary for CGNat ISPs. That or cloudflared or ngrok or the like. Because you aren’t really routable on a CGNAT address.
In a nutshell, CGNAT users must spend money for something that people with IPv4 addresses can do for free 😔
We wouldn’t be in this mess if we switched to ipv6, but nOoOooOo… we can’t possibly do that…
Actually my ISP supports IPv6 (it is very erratic though) so I can access some of my services outside through it without using VPNs (only using a reverse proxy for the 443 port), but still is very annoying when I want to use them with IPv4 only networks, such as my carrier mobile data, I suffer from this especially when wanting to use Plex.
Lack of routability is a feature for ISPs, not a bug.
I’ve been wanting do something similar, but with Authentik. Does anyone know a good guide on this?
There is an official guide by Authentik on how to integrate with Immich. There is an official guide by Immich on how to integrate with Authentik.
Quick, now lean a firewall with a good IDS
and fail2ban
Congrats! I just pulled off the same thing last week using cloudflare tunneling? The phrase “reverse proxy” scared me too much lol. So props to you.
I just finally got it this weekend when I got Matrix-synapse and Pixelfed working on the same box.
All I can say is good for you! It wasn’t easy. And it’s so powerful.
deleted by creator
I just got this set up last week too. Same setup with caddy on a free oracle vps, tailscale on vps and home pfsense router, tailscale on pfsense advertising routes (private IPs of my docker hosted services).
CGNAT sucks 🤮
Nice work! 😎
O have a very similar setup but have a couple of questions if you don’t mind me asking, what did you used for OAuth? and where is it running? I tried athelia on the VPS but had some problems I can’t remember now and decided it wasn’t worth the time at the time, but probably should set it up.
I just use google OAuth since everyone I know has a google account. It just can’t use OAuth on private IP addresses, just FQDNs.
Nice one dude, i know the pain of not having nerdy friends to share shit like this with.
deleted by creator
