Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.
I don’t have very nerdy friends so not many people appreciate this.
You must log in or register to comment.
Wrapping my head around reverse proxy was a game changer for me. I could finally host things that are usefull outside my LAN. I use Nginx-Proxy-Manager which makes the config simple for lazy’s like me.
Used to mess around with multiple Apache Proxy Servers. When I left that job I found Docker and (amongst other things) NPM and I swear, I stared at the screen in disbelief on how easy the setup and config was. All that time we wasted on Apache, the issues, the upgrades, the nightmare in setting it all up…
If I were to do that job again I would not hesitate to use NPM 100% and stop wasting my time with that Apache Proxy mess.
NPM
Nginx-Proxy-Manager. Got it.
I didn’t read the parent comment well enough and was wondering what the Node Package Manager had to do with anything 😂
Yeah port forwarding just isnt the same. I pretty heavily rely on Nextcloud and Plex doing the port forwarding for me
Plex can sometimes get by without port forwarding by using UPnP or NAT-PMP, but I had to open a port to use Plex (before I started using Jellyfin and a reverse proxy).
Same with Nextcloud, you either have to open a port or use a reverse proxy. Reverse proxy is more secure. Good stuff!
Worth mentioning that either way you’re opening up ports (you need to open 80 and 443 for the reverse proxy), but that’s much better than opening a bunch of ports, one for each thing you’re running.
The hardcore security minded people will always scream “use wireguard or whatever”, which also works really well (even combined with a reverse proxy that’s not exposed to the internet (80 and 443 not forwarded)). I do this for some of the stuff I run that I don’t want exposed at all, like my password manager. To access my password manager while out and about, I need to connect to my wireguard thing (my router sets it up for me), and then my phone is effectively back inside my LAN, and I can access whatever I need to. Fortunately it’s rare that I need to do this, because my password manager keeps a cached copy on my phone.
Sorry, getting long winded. You get the point!
Yeah both Nginx and plex handle making themselves public for me already. But I have a handful of other svcs that id like to move behind a reverse proxy too
Do you serve things to a public? Like a website? Because unless you’re serving a public, that’s dumb to do… and you really don’t understand the purpose of it.
If all you wanted was the ability to access services remotely, then you should have just created a WireGuard tunnel and set your phone/laptop/whatever to auto connect through it as soon as you drop your home Wifi.
A lemmy instance, a wiki, and a couple of other website type things, yes.
Publicly facing things are pretty limited, but it’s still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.
I appreciate what you’re saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.
Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public so I just copied the same thing when I set up Jellyfin but is that a liability even with a password to access?
Not really. Personally I’d allow the service account running jellyfin only access to read media files to avoid accidental deletion but otherwise no.
Also, jellyfin docs have a sample proxy config. You should use that. It’s a bit more in depth than a normal proxy config.
I’m a huge fan of Caddy and I wish more people would try it. The utter simplicity of the config file is breathtaking when you compare it with Apache or Nginx. Stuff that takes twenty or thirty lines in other webservers becomes just one in Caddy.
I love Caddy. So easy to configure, and the automatic SSL is almost always what I need.
The only thing I don’t like about caddy is that using DNS challenge requires recompiling the program itself, and the plugins themselves can be a bit quirky. Mind you, you can easily handle this with a separate program like
legoorcertbotso not a huge deal.
Good job!
I’m still trying to understand what it is and why I would want it. I see several programs I use recommend it but I just don’t get what it does and why what it does is good.Just out of curiosity, is the tail scale part of this required? If i just reverse proxy things and have them only protected from there by the login screen of the app being shown, that’s obviously less safe. But the attackers would still need to brute force my passwords to get any access? If they did, then they could do nasty things within the app, but limited to that app. Are there other vulnerabilities I’m not thinking about?
Nice one dude, i know the pain of not having nerdy friends to share shit like this with.
Nice work! 😎
Wow, so my understanding of the terms ‘reverse proxy’ and Tailscale must be wrong then, because I thought they were mutually exclusive. I’ll go do some more research, unless someone feels like explaining how you can do both at the same time.
Also, I think the ‘Risks’ section of this page is informative:
I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that’s just used for emergency ssh access.
Congrats! I just pulled off the same thing last week using cloudflare tunneling? The phrase “reverse proxy” scared me too much lol. So props to you.
I just got this set up last week too. Same setup with caddy on a free oracle vps, tailscale on vps and home pfsense router, tailscale on pfsense advertising routes (private IPs of my docker hosted services).
CGNAT sucks 🤮
Tailscale?
Is this setup advisable for the CGNATED environment?
You will need a VPS as your other endpoint
Ah, I figured… I used to do this with Wireguard instead of Tailscale.
Just be sure to read up on network security and set yourself up for success! Even tunnels can still be an attack surface. Always keep everything up to date! And plan for the worst case.
Quick, now lean a firewall with a good IDS
and fail2ban
I prefer wazuh. Much more powerful and preconfigured with tons of rules
I know that feeling ! My first service hosted via docker + Treafik outside my lan with a wireguard tunnel felt like a big dopamine hit ! Congrats !
Now I have over 20 services and It feels trivial :( I still love the easy to read/write syntax of Treafik ,however I feel like I’m missing a lot of important networking knowledge while avoiding Nginx !
Maybe one day when I’m too bored I will switch everything to Nginx, see how it goes !
I’ve been wanting do something similar, but with Authentik. Does anyone know a good guide on this?
Yes! Authentik is a great self-hosted OAuth platform. They actually publish integration guides in their documentation.
Integrate with ImmichThere is an official guide by Authentik on how to integrate with Immich. There is an official guide by Immich on how to integrate with Authentik.
