Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.

I don’t have very nerdy friends so not many people appreciate this.

  • walden@sub.wetshaving.social · ↑56 · 9 months ago

    Wrapping my head around reverse proxy was a game changer for me. I could finally host things that are useful outside my LAN. I use Nginx-Proxy-Manager which makes the config simple for lazies like me.

    • reddwarf@feddit.nl · ↑3 · 9 months ago

      Used to mess around with multiple Apache Proxy Servers. When I left that job I found Docker and (amongst other things) NPM and I swear, I stared at the screen in disbelief at how easy the setup and config was. All that time we wasted on Apache, the issues, the upgrades, the nightmare in setting it all up…

      If I were to do that job again I would not hesitate to use NPM 100% and stop wasting my time with that Apache Proxy mess.

      • NostraDavid@programming.dev · ↑1 · 9 months ago

        NPM

        Nginx-Proxy-Manager. Got it.

        I didn’t read the parent comment well enough and was wondering what the Node Package Manager had to do with anything 😂

    • merthyr1831@lemmy.ml · ↑2 · 9 months ago

      Yeah, port forwarding just isn’t the same. I pretty heavily rely on Nextcloud and Plex doing the port forwarding for me.

      • walden@sub.wetshaving.social · ↑1 · 9 months ago

        Plex can sometimes get by without port forwarding by using UPnP or NAT-PMP, but I had to open a port to use Plex (before I started using Jellyfin and a reverse proxy).

        Same with Nextcloud, you either have to open a port or use a reverse proxy. Reverse proxy is more secure. Good stuff!

        Worth mentioning that either way you’re opening up ports (you need to open 80 and 443 for the reverse proxy), but that’s much better than opening a bunch of ports, one for each thing you’re running.

        The hardcore security minded people will always scream “use wireguard or whatever”, which also works really well (even combined with a reverse proxy that’s not exposed to the internet (80 and 443 not forwarded)). I do this for some of the stuff I run that I don’t want exposed at all, like my password manager. To access my password manager while out and about, I need to connect to my wireguard thing (my router sets it up for me), and then my phone is effectively back inside my LAN, and I can access whatever I need to. Fortunately it’s rare that I need to do this, because my password manager keeps a cached copy on my phone.

        Sorry, getting long winded. You get the point!

        • merthyr1831@lemmy.ml · ↑2 · 9 months ago

          Yeah, both Nginx and Plex handle making themselves public for me already. But I have a handful of other svcs that I’d like to move behind a reverse proxy too.

    • tritonium@midwest.social · ↑2 ↓8 · 9 months ago

      Do you serve things to a public? Like a website? Because unless you’re serving a public, that’s dumb to do… and you really don’t understand the purpose of it.

      If all you wanted was the ability to access services remotely, then you should have just created a WireGuard tunnel and set your phone/laptop/whatever to auto connect through it as soon as you drop your home Wifi.

      • walden@sub.wetshaving.social · ↑7 · 9 months ago

        A lemmy instance, a wiki, and a couple of other website type things, yes.

        Publicly facing things are pretty limited, but it’s still super handy inside the LAN with Adguard Home doing DNS rewrites to point it to the reverse proxy.

        I appreciate what you’re saying, though. A lot of people get in trouble by having things like Radarr etc. open to the internet through their reverse proxy.

        • Lumun@lemmy.zip · ↑1 · 9 months ago

          Am I making a mistake by having my Jellyfin server proxied through nginx? The other service I set up did need to be public, so I just copied the same thing when I set up Jellyfin, but is that a liability even with a password to access?

      • KairuByte@lemmy.dbzer0.com · ↑1 · 9 months ago

        This is very short sighted. I can think of dozens of things to put on the open internet that aren’t inherently public. The majority are things for sharing with multiple people you want to have logins for. As long as the exposed endpoints are secure, there’s no inherent problem.

          • KairuByte@lemmy.dbzer0.com · ↑1 · 9 months ago

            Seriously?

            Plex, Jellyfin, VaultWarden, AdGuard, Home Assistant, GameVault, any flavor of pastebin, any flavor of wiki, and the list goes on.

            If you’re feeling spicy throw whatever the hell you want onto a reverse proxy and put it behind a zero trust login.

            The idea that opening up anything at all through to the open internet is “dumb” is antiquated. Are there likely concerns that need to be addressed? Absolutely. But don’t make blanket statements about virtually nothing belonging on the open internet.

            • tritonium@midwest.social · ↑0 ↓1 · 9 months ago

              None of those have to be public and can all be accessed with WireGuard. You just proved my point, moron

              • KairuByte@lemmy.dbzer0.com · ↑1 · 9 months ago

                Why don’t we just throw Lemmy behind wireguard while we’re at it.

                Literally anything can go behind a VPN. Doesn’t mean much at all. And the majority of those are commonly left on the open internet for friends and family, which would be annoying af to set up with WireGuard.

                I have enough issues dealing with VPN issues in my professional life, I don’t want to have to deal with them in my personal life as well.

  • Voroxpete@sh.itjust.works · ↑22 · 9 months ago

    I’m a huge fan of Caddy and I wish more people would try it. The utter simplicity of the config file is breathtaking when you compare it with Apache or Nginx. Stuff that takes twenty or thirty lines in other webservers becomes just one in Caddy.

    • vividspecter@lemm.ee · ↑2 · 9 months ago

      The only thing I don’t like about Caddy is that using DNS challenge requires recompiling the program itself, and the plugins themselves can be a bit quirky. Mind you, you can easily handle this with a separate program like lego or certbot, so not a huge deal.

  • guy@piefed.social · ↑7 · 9 months ago

    Good job!
    I’m still trying to understand what it is and why I would want it. I see several programs I use recommend it but I just don’t get what it does and why what it does is good.

  • Deepus@lemm.ee · ↑4 · 9 months ago

    Nice one dude, I know the pain of not having nerdy friends to share shit like this with.

  • Noggog@programming.dev · ↑4 · 9 months ago

    Just out of curiosity, is the Tailscale part of this required? If I just reverse proxy things and have them only protected from there by the login screen of the app being shown, that’s obviously less safe. But the attackers would still need to brute force my passwords to get any access? If they did, then they could do nasty things within the app, but limited to that app. Are there other vulnerabilities I’m not thinking about?

    • ikidd@lemmy.world · ↑1 · edited · 9 months ago

      I don’t think a Tailscale tunnel helps this anyway, maybe just from standard antispoofing and geoblocks, but it still gets to the application in full eventually, when they can do what they’d do if it was directly exposed. The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access. And they could request another page that has an entirely different surface.

      If someone has Nextcloud exposed, I’m not stopping at the /login page that comes up by default and hitting it with a rainbow table; I’m requesting remote.php where all the access goodies are. That has a huge surface that bypasses the login screen entirely, might not be rate limited, and maybe there’s something in webdav that’s vulnerable enough that I don’t need a correct token, I just need to confuse remote.php into letting me try to pop it.

      You can improve this by putting a basic auth challenge at least in front of the application’s webpage. That would drastically reduce the potential endpoints.
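The two patterns discussed in this thread, a public app with a proxy-level auth challenge in front of every path (ikidd's suggestion above) and a service that is kept off the internet and only answered from the LAN or VPN subnet (walden's split earlier), as one added Caddyfile example. This is not configuration from any poster in the thread; the hostnames, backend addresses and the 10.8.0.0/24 and 100.64.0.0/10 VPN ranges are assumed placeholders, and the password hash must be generated with `caddy hash-password` before the file is loaded.

```caddyfile
# Added example, not from any post in this thread. Assumed values: the photo app
# listens at 192.168.1.20:2283 on the LAN, a second app at 192.168.1.21:8080,
# photos.example.com and files.home.internal are placeholder names, and the
# WireGuard / Tailscale client ranges are 10.8.0.0/24 and 100.64.0.0/10.

# 1. A public service. The basic_auth challenge sits in front of the whole
#    site, so every application path (API, WebDAV, uploads) is only reachable
#    after the proxy has authenticated the client. Caddy obtains and renews the
#    public TLS certificate on its own.
photos.example.com {
	encode gzip

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		-Server
	}

	# Generate the bcrypt hash with:  caddy hash-password --plaintext 'your-password'
	basic_auth {
		alice $2a$14$REPLACE_WITH_HASH_FROM_caddy_hash-password
	}

	reverse_proxy 192.168.1.20:2283
}

# 2. A service that must never be exposed. Requests that do not originate from
#    the LAN or the VPN ranges are dropped before any proxying happens, and the
#    certificate comes from Caddy's internal CA because the name is not public.
files.home.internal {
	tls internal

	@not_private not remote_ip 192.168.1.0/24 10.8.0.0/24 100.64.0.0/10
	abort @not_private

	reverse_proxy 192.168.1.21:8080
}
```

The trade-off of pattern 1 is that native clients which cannot present the extra basic-auth credentials (a phone app talking straight to the API) will fail; those paths need either a separate matcher that skips `basic_auth` or the pattern 2 treatment instead. Pattern 2 relies on the proxy seeing the real client address, so ports 80 and 443 for that name must not be forwarded from the router, and the `remote_ip` ranges should be checked against the actual VPN configuration rather than copied from this example.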

  • perishthethought@lemm.ee · ↑2 · 9 months ago

    Wow, so my understanding of the terms ‘reverse proxy’ and Tailscale must be wrong then, because I thought they were mutually exclusive. I’ll go do some more research, unless someone feels like explaining how you can do both at the same time.

    Also, I think the ‘Risks’ section of this page is informative:

    https://en.m.wikipedia.org/wiki/Reverse_proxy

    • Lambda@lemmy.ca · ↑1 · 9 months ago

      I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that’s just used for emergency ssh access.

  • couch1potato@lemmy.dbzer0.com · ↑2 · 9 months ago

    I just got this set up last week too. Same setup with Caddy on a free Oracle VPS, Tailscale on the VPS and home pfSense router, Tailscale on pfSense advertising routes (private IPs of my Docker-hosted services).

    CGNAT sucks 🤮

  • happydoors@lemm.ee · ↑2 · 9 months ago

    Congrats! I just pulled off the same thing last week using cloudflare tunneling? The phrase “reverse proxy” scared me too much lol. So props to you.

  • kat@orbi.camp · ↑1 · 9 months ago

    Just be sure to read up on network security and set yourself up for success! Even tunnels can still be an attack surface. Always keep everything up to date! And plan for the worst case.

  • 4am@lemm.ee · ↑1 · 9 months ago

    Quick, now lean a firewall with a good IDS

    and fail2ban

  • N0x0n@lemmy.ml · ↑1 · 9 months ago

    I know that feeling! My first service hosted via Docker + Traefik outside my LAN with a WireGuard tunnel felt like a big dopamine hit! Congrats!

    Now I have over 20 services and it feels trivial :( I still love the easy to read/write syntax of Traefik, however I feel like I’m missing a lot of important networking knowledge while avoiding Nginx!

    Maybe one day when I’m too bored I will switch everything to Nginx and see how it goes!

  • Overshoot2648@lemm.ee · ↑2 ↓1 · 9 months ago

    I’ve been wanting to do something similar, but with Authentik. Does anyone know a good guide on this?