Security considerations about hosting Immich from home
from Maroon@lemmy.world to selfhosted@lemmy.world on 11 Jun 20:05
https://lemmy.world/post/48049539
from Maroon@lemmy.world to selfhosted@lemmy.world on 11 Jun 20:05
https://lemmy.world/post/48049539
So far, my self-hosting has been limited to Pi-Hole, and a static website. I now want to try out something new, an **Immich ** server.
I have a static IP from my ISP, so I don’t need to rent out a VPS. However, given that this IS a home internet, I want to be extra sure that it is going to be secure.
In my existing website, I use Fail2Ban + BadBotBlocker + Anubis + Nginx rate limits to protect it from scrapers, bots and malicious users, and it works well. With photos (especially family photos) at stake, I just want to know more on how to protect my server.
threaded - newest
Put it behind Tailscale/Headscale/Netbird/etc. VPN connection and don’t think about it.
This. You can sync your photos when you’re connected to your home wifi or via tailscale/vpn. You can look at your photos either via vpn or at home in your own network. There is little need for opening it up to the Internet.
@avidamoeba @Maroon
I use wireguard. But yes.
In my case there is no need to have my services public reachable.
All family member have a wireguars client on their phone rethink or wgtunnel.
That way also their internet connection goes completely through my router and also the add blocker.
In addition to this. If going tailscale at least, add the pi-hole as the DNS server. Now you have pi-hole on the go as well.
assuming that you’re to expose that to the Internet, my recommendation is to deploy only
complicate the setup too much and it’s going to rather be more painful to maintain and also much easier to misconfigure.
The WAF covers OWASP Top 10 so that should give you around 70% protection which is still better than nothing
@Maroon FIY the security verification for my not being a bot failed
I’m sorry, could you rephrase that? I think there are a few typos in your post.
@Maroon no it just wasn’t verifying anything at all, but now it’s fixed. Thanks
I have it behind OAuth.
And then a reverse proxy via NPM.
I don’t know what else to do on it aside from keeping it fully VPNed.
Yeah, maybe it’s because I run public sites on kubernetes at work that I’m not as scared but a good locked down network is fine. Thousands or businesses run public URLs, as long as you configure it right you are mostly good. There is always a risk of vulnerabilities in the software for immich, your proxy, your auth provider so doing it that way increases your attack surface than just the VPN.
Part of “configuring it right” for companies is generally having the public-side be pretty well walled off from anything internal though, there isn’t anything wrong with taking the same approach at home, too
Add mTLS to the reverse proxy and to the Immich client app and forbid access without it.
The mTLS certs can be self-generated. There are tutorials for generating your own CA and individual mTLS certs for each device. Then you put the
ca.pemfile in a place accessable by NPM and add a couple of commands to the “Advanced” tab of the Immich proxy host, and you put the mTLS cert on the phone and load it into the Immich app.mTLS is a super strong method, not only does it serve as great authentication for that particular device, it also checks the TLS connection for tampering so it can’t be hijacked even if somehow you get rogue certificates loaded on your phone, you can revoke certs if your phone gets lost or stolen etc.
I would not expose anything to the internet, except if you want to have it public.
I use wireguard as a private, self-hosted VPN. It’s easy to set up.
Plain wireguard. Or maybe Pangolin?
github.com/fosrl/pangolin
I use a Pangolin reverse proxy with OIDC (PocketID) for family access to services, along with CrowdSec. For the Immich app access which needs to bypass auth login through the reverse proxy, I use ‘link share’ in Pangolin that gives me header tokens that can be entered in to the Immich app under Advanced settings.
I’ve been an Immich user for over 2 years now, so it’s been a journey for me to implement it to this standard.
Or as someone else suggests, try CloudFlare with something like Google Auth login. Just be aware that you are then exposing all your traffic to Cloudflare. I take that as a small sacrifice for simplicity.
Literally just heard of pangolin for the first time in today’s self host email. I checked it and signed up to get started. But am I correct in assuming I can only have 5 endpoints for free? Or was I not looking at the self hosted edition?
Despite what some may think, I’m not a representative of Cloudflare, nor do I receive any benefit from recommending them. I just recommend what works for me. There are many avenues at your disposal. That said, Cloudflare Tunnels/Zero Trust is a winner in my book. You will need a cheap domain name that you can change the nameservers to the ones Cloudflare assigns you. After that, you install Cloudflare Tunnels/Zero Trust on your server, and connect to Cloudflare, Jacks a doughnut, Bob’s your uncle. No need to fiddle with NAT, or opening ports. Cloudflare takes care of all of that. Of course you will need port 22 (ssh) to directly admin your server.
You’re already doing more than companies that charge people to host their photos.
Is there a reason it needs to be public facing?
I think this should be talked about more. Does every selfhosted app need to be public facing?
I use Immich as a backup service, so i really don’t have any need to have it public facing. It connects when I’m home. Same with contacts/calendar.
I have many services that doesn’t “need” to be public, as public facing for one specific reason. TLS.
A lot of the times android apps won’t connect to http directions, not even local ones, and require a proper https connection with a well known CA.
For that I put the services behind a caddy reverse proxy to get a valid tls certificate.
And them I do the trick, and basically on caddy reject any connection that’s not local. Thus, making the supposedly “public” site a practical “local” one.
Once there I just connect through wireguard.
I can’t recall the name, but there was at least one project that had a kind of static web proxy of shared immich albums, so you can expose that to the internet for sharing and keep Immich its self internal network only.
Definitely put it behind Netbird.
Also. I have a Jellyfin instance that I share with family, where I actually can’t put all of their client devices behind Netbird.
For that case, I used Netbird’s reverse proxy feature. So technically the Jellyfin instance is exposed to the public internet. HOWEVER, Netbird allows you to block or allow certain IP addresses. So while my Jellyfin instance is technically on the public internet, it’s only accessible from 1 specific public IP.
Otherwise, if you’re on the Netbird VPN, then the domain I have set resolves to the internal IP.
I have that but with caddy.
On the caddyfile you can put to only serve the site to certain IPs and reject the others with any status normally 403 or 404.
Attackers probe the site, but all they get it’s a connection error.
Do you want to have the site to be public facing? If so, I think your current setup is good.
If it doesn’t need to be public facing, I would use wireguard to VPN into your LAN network, and secure it that way.
I’m running immich with tailscale.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
5 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #10 for this comm, first seen 12th Jun 2026, 13:10] [FAQ] [Full list] [Contact] [Source code]