Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.

I don’t have very nerdy friends so not many people appreciate this.

  • PunkiBas@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    Congratulations!

    It feels really good when you learn something new and get it working the way you like.

    If you want more challenges take a look at this:

    Immich-public-proxy

    This would be useful if you ever wanted to share albums with other people outside your tailscale network and that lack an account for your immich server.

  • ramenshaman@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    Can someone ELI5? I’m a noob who aspires to set up immich in the near future. I only recently started making efforts to separate myself from the cloud. So far I’ve got a wireguard server set up and I’ve disconnected both my Bambu printers from the cloud and I’m currently setting up some home assistant stuff. Pretty soon I’m hoping to set up a NAS, Immich, Plex (or similar) and replace my google nest cameras.

    • Nibodhika@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      I’ll try to ELI5, if there’s something you don’t understand ask me.

      Op has a home server where he’s running immich, that’s only accessible when he’s at home via the IP, so something like http://192.168.0.3:3000/, so he installed Tailscale on that server. Tailscale is a VPN (Virtual Private Network) that allows you to connect to your stuff remotely, it’s a nice way to do it because it is P2P (peer-to-peer) which means that in theory only he can access that network, whereas if he were using one of the many VPNs people use for other reasons, other people on the same VPN could access his server.

      Ok, so now he can access his immich instance away from home, all he has to do is connect to the VPN on his phone or laptop and he’ll be able to access it with something like http://my_server:3000 since Tailscale adds a DNS (Domain Name System) which resolves the hostnames to whatever IP they have on the Tailscale network.

      But if you want to give your family access it’s hard to explain to them that they need to connect to this VPN, so he rented a VPS (Virtual Private Server) on some company like DigitalOcean or Vultr and connected that machine to the Tailscale network. He probably also got a domain name from somewhere like namecheap, and pointed that domain name to his VPS. Só now he can access his VPS by using ssh user@myserver.com. Now all he needs to do is have something on the VPS which redirects everything that comes to a certain address into the Tailscale machine, Caddy is a nice way to do this, but the more traditional approach is ngnix, so if he puts Caddy on that VPS a config like this:

      immich.myserver.com {
          handle {
              reverse_proxy my_server.tailscale.network.name:3000
          }
      }
      

      Then any requests that come to https://immich.myserver.com/ will get redirected to the home server via Tailscale.

      It is a really nice setup, plus OP also added authentication and some other stuff to make it a bit more secure against attacks directly on immich.

    • randombullet@programming.devOP
      link
      fedilink
      English
      arrow-up
      0
      ·
      2 months ago

      Pretty much I have caddy on a VPS that’s pointing to my internal IP using a tailscale tunnel. You are still exposing the web gui to the Internet so I just changed authentication to OAuth to mitigate since risk. There is still a possibility of attacks via zero days, but my immich is on a VM and I’m creating firewall rules to just allow certain ports out.

      • ramenshaman@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        I appreciate the extra details but I still don’t know what “caddy”, “VPS”, “tailscale tunnel”, or “zero days” are, but I can look it up.

        • randombullet@programming.devOP
          link
          fedilink
          English
          arrow-up
          0
          ·
          2 months ago

          It’s hard to explain from scratch.

          Caddy is a reverse proxy software that essentially redirects traffic from a certain port to another port. For example external:port => internal:port. It also enables SSL encryption meaning everything will be encrypted en route between the external and the user.

          VPS is a virtual private server. Just someone else’s computer you can expose to the Internet.

          Tailscale is a mesh VPN that uses wire guard as its transport. I use this to tunnel between my VPS and my Immich server to hide my home IP and to allow encrypted traffic between my Immich server and my VPS.

          A zero-day (also known as a 0-day) is a vulnerability in software or hardware that is typically unknown to the vendor and for which no patch or other fix is available. The vendor thus has zero days to prepare a patch, as the vulnerability has already been described or exploited.

          There’s no fix other than security through layers.

  • Noggog@programming.dev
    link
    fedilink
    English
    arrow-up
    0
    ·
    2 months ago

    Just out of curiosity, is the tail scale part of this required? If i just reverse proxy things and have them only protected from there by the login screen of the app being shown, that’s obviously less safe. But the attackers would still need to brute force my passwords to get any access? If they did, then they could do nasty things within the app, but limited to that app. Are there other vulnerabilities I’m not thinking about?

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      2 months ago

      I don’t think a tailscale tunnel helps this anyway, maybe just from standard antispoofing and geoblocks, but it still gets to the application in full eventually, when they can do what they’d do if it was directly exposed. The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access. And they could request another page that has an entirely different surface.

      If someone has Nextcloud exposed, I’m not stopping at the /login page that comes up by default and hitting it with a rainbow table; I’m requesting remote.php where all the access goodies are. That has a huge surface that bypasses the login screen entirely, might not be rate limited, and maybe there’s something in webdav that’s vulnerable enough that I don’t need a correct token, I just need to confuse remote.php into letting me try to pop it.

      You can improve this by putting a basic auth challenge at least in front of the applications webpage. That would drastically reduce the potential endpoints.

      • Noggog@programming.dev
        link
        fedilink
        English
        arrow-up
        0
        ·
        2 months ago

        Thanks for the insight! Does running this in a docker container help limit the damage at all? Seems like they’d only be able to access the few folders I have the container access to?