As the title says…

Is this a risky thing?

EDIT: I have a WireGuard VPN set up for myself and it’s always on so I can access *arrs and the like. I would like to expose immich on my domain to share photo albums and such.

  • Nine@lemmy.world

    I’ve been putting everything behind Tailscale. I don’t see any reason to make it public unless you’re planning on sharing it with the public.

    • Karna@lemmy.ml

      Same for me, but via Cloudflare Tunnel. No need to expose your system to the world unless that is what you want.

  • ryguyflyguy@sh.itjust.works

    I haven’t gotten around to setting it up myself yet, but I have immich-public-proxy pinned. Could solve exactly your problem. Keep your main immich behind your vpn but expose some public galleries of your choosing.

  • chronicledmonocle@lemmy.world

    Best solution is a VPN to your home network.

    However, if you want to host it publicly, at least restrict access to it via GeoIP. For example, if you live in Europe and only need access from there, only allow the areas in Europe you travel to and block everything else. This will greatly reduce your attack surface.

    Also, make sure everything is patched. Always. And implement something like fail2ban to deny repeated failed logins, along with a reverse proxy.

    • jws_shadotak@sh.itjust.works (OP)

      GeoIP restricting is a brilliant idea I never thought of. I have been getting a few people trying to sign up on one of my other services and they’re all from Asia somewhere.

      I’ll try setting this up.

      • chronicledmonocle@lemmy.world

        Sweet. Both OPNsense and pfSense firewalls have the ability to tie into MaxMind’s GeoIP service. Not sure what your perimeter device is, but it’s pretty easy on those. And free.
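The two hardening measures suggested in this subthread (GeoIP allowlisting at the perimeter, and fail2ban plus a reverse proxy in front of Immich) as one added, self-contained example. This is not code from the thread, from Immich or from fail2ban; it assumes an nginx-style combined access log written by the reverse proxy, that a failed Immich login shows up there as a `POST /api/auth/login` answered with HTTP 401, and constructed log lines, IP ranges and country prefixes (the CIDR file stands in for a MaxMind or ipdeny country export). The awk `offenders` and `geo_allowed` functions replay offline what the fail2ban filter and the nftables set would do on a live box.

```shell
#!/bin/sh
# Added example, not code from the thread: a fail2ban jail for Immich login
# failures seen in the reverse-proxy access log, an offline check of the same
# match against constructed log lines, and an nftables country allowlist.
# Assumptions (not stated on the page): nginx-style combined access log, and a
# failed Immich login is a POST to /api/auth/login answered with HTTP 401.
set -eu

# Matches one failed login; fail2ban substitutes <HOST> with its own IP pattern.
LOGIN_FAIL_RE='^<HOST> .*"POST /api/auth/login HTTP/[0-9.]+" 401 '

# write_fail2ban_config DIR: filter + jail. ignoreip keeps the (hypothetical)
# LAN and WireGuard ranges from ever being banned, so you cannot lock yourself out.
write_fail2ban_config() {
  mkdir -p "$1/filter.d" "$1/jail.d"
  cat > "$1/filter.d/immich-proxy.conf" <<EOF
[Definition]
failregex = $LOGIN_FAIL_RE
ignoreregex =
EOF
  cat > "$1/jail.d/immich-proxy.conf" <<'EOF'
[immich-proxy]
enabled  = true
filter   = immich-proxy
logpath  = /var/log/nginx/immich.access.log
maxretry = 5
findtime = 10m
bantime  = 1h
ignoreip = 127.0.0.1/8 192.168.1.0/24 10.8.0.0/24
EOF
}

# offenders LOGFILE MAXRETRY: IPs with at least MAXRETRY failed logins, i.e.
# what the filter above would ban (findtime window ignored for brevity).
offenders() {
  awk -v max="$2" '
    $6 == "\"POST" && $7 == "/api/auth/login" && $9 == "401" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= max) print ip }
  ' "$1" | sort
}

# geo_allowed IP CIDRFILE: exit 0 if IP lies inside any listed prefix, the same
# longest-prefix check the kernel set performs, done in awk for the offline demo.
geo_allowed() {
  awk -v ip="$1" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    BEGIN { n = toint(ip); hit = 1 }
    { split($1, c, "/"); shift = 2^(32 - c[2])
      if (int(n / shift) == int(toint(c[1]) / shift)) { hit = 0; exit } }
    END { exit hit }
  ' "$2"
}

# geo_ruleset CIDRFILE: nftables table dropping HTTPS from any source outside the
# allowlisted prefixes (one CIDR per line, e.g. the countries you travel to).
geo_ruleset() {
  printf 'table inet geo {\n  set allowed { type ipv4_addr; flags interval; elements = {'
  awk 'NR > 1 { printf "," } { printf " %s", $1 }' "$1"
  printf ' } }\n  chain input { type filter hook input priority 0; policy accept;\n'
  printf '    tcp dport 443 ip saddr != @allowed drop\n  }\n}\n'
}

# Constructed sample data: one brute-forcer, one real user with a single typo,
# one probe from a prefix outside the allowlist.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:10:00:05 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
198.51.100.20 - - [10/Mar/2025:10:01:00 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "Immich_Android"
198.51.100.20 - - [10/Mar/2025:10:01:10 +0000] "POST /api/auth/login HTTP/1.1" 201 480 "-" "Immich_Android"
192.0.2.99 - - [10/Mar/2025:10:02:00 +0000] "GET /api/server/config HTTP/1.1" 200 310 "-" "python-requests/2.31"
EOF
SAMPLE_CIDRS="$(mktemp)"
printf '198.51.100.0/24\n203.0.113.0/24\n' > "$SAMPLE_CIDRS"

write_fail2ban_config ./fail2ban-example
echo "would ban:"; offenders "$SAMPLE_LOG" 5
geo_ruleset "$SAMPLE_CIDRS"
```

Two caveats a practitioner would add: the geo table only cuts noise, it is not authentication, since attackers rent VPS hosts in every country; and the jail must watch the log of whatever terminates TLS (the proxy), because Immich behind a proxy otherwise sees every client as the proxy's address unless `X-Forwarded-For` is trusted.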

  • filister@lemmy.world

    You are increasing the attack vector immensely, and it is up to you to ensure that it is well protected and up to date. The attack effort won’t be high though, and most of the attacks would be pretty basic; still, I wouldn’t risk something so personal, like your image library.

    I would suggest for you to look into WireGuard or Tailscale for accessing your personal Immich instance.

    • jws_shadotak@sh.itjust.works (OP)

      I’ve already got WireGuard set up and that’s how I access it. I would like the ability to share stuff with people though.

  • maplebar@lemmy.world

    Try out a mesh network VPN like Tailscale (others are available, but I haven’t tried them).

    Tailscale is basically just a simple but powerful WireGuard manager that does all of the work of setting up a mesh network for you, and it works amazingly well in my experience. The free account is good for I think 3 users and 100 devices on a network and has been the perfect thing to expose my home server to my various devices no matter where I am.

    I like it so much after having used it for the last few months that I just spent way too much money upgrading my server… but that’s another thing entirely. lol

  • youmaynotknow@lemmy.ml

    It is no riskier than any other reverse proxy or tunneling app. If you follow good opsec, you should be fine. In truth there is no bulletproof way to avoid intrusion, so do the best you can without completely doing away with convenience.

  • supersheep@lemmy.world

    You could look into mutual TLS / mTLS to protect your instance. You will need to set this up using a reverse proxy at your server (like Caddy) and then add a client certificate to your user devices. If you use the Immich app, I think it also supports adding this certificate under Settings -> Advanced -> SSL Client Certificate. Here you can find a tutorial on how to set it up: https://www.apalrd.net/posts/2024/network_mtls/

    (Edit: you will need to ensure that all clients who want to receive your shared photos have a client certificate installed, so depending on the number of clients this might be okay or less useful)
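The mTLS setup described in this comment, as an added example that is not code from the thread, from Immich or from Caddy. It assumes a Caddy 2 site block, a hostname `photos.example.com`, an upstream `immich-server:2283`, a CA path `/etc/caddy/client-ca.pem` and a client named `alice-phone`; all of these are placeholders. The script builds a private client CA with openssl, issues one client certificate, bundles it as a `.p12` for import on the phone (the Immich app's SSL client certificate setting mentioned above takes that file), and writes the Caddyfile that refuses the handshake without a certificate chained to that CA.

```shell
#!/bin/sh
# Added example, not from the thread or the Immich/Caddy projects: a private
# client CA, one client certificate packaged for a phone, and a Caddyfile that
# refuses TLS handshakes without a certificate signed by that CA. Hostname,
# paths, upstream address and the .p12 password are placeholders.
set -eu

OUT="${1:-./immich-mtls}"
P12_PASS="${P12_PASS:-change-me-on-import}"   # only protects the .p12 while you copy it

# make_client_ca DIR NAME: CA + client cert + .p12 bundle, all via openssl.
make_client_ca() {
  dir="$1"; name="$2"
  # Self-signed CA. Its private key stays on the box that issues certificates;
  # only client-ca.pem (the public part) goes to Caddy.
  openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
    -keyout "$dir/client-ca.key" -out "$dir/client-ca.pem" \
    -subj "/CN=Immich client CA" 2>/dev/null
  # Client key + CSR, then sign with the CA. One cert per device so a lost
  # phone can be revoked by rotating the CA or using a CRL without touching others.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/client-ca.pem" \
    -CAkey "$dir/client-ca.key" -CAcreateserial -days 825 \
    -out "$dir/$name.pem" 2>/dev/null
  # PKCS#12 is the format iOS/Android and the Immich app's client-cert setting import.
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.pem" \
    -out "$dir/$name.p12" -passout "pass:$P12_PASS"
  openssl verify -CAfile "$dir/client-ca.pem" "$dir/$name.pem"
}

# write_caddyfile DIR: require_and_verify fails the TLS handshake itself, so an
# unauthenticated client never reaches Immich's HTTP stack at all.
write_caddyfile() {
  cat > "$1/Caddyfile" <<'EOF'
photos.example.com {
	tls {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/client-ca.pem
		}
	}
	reverse_proxy immich-server:2283
}
EOF
}

mkdir -p "$OUT"
write_caddyfile "$OUT"
if command -v openssl >/dev/null 2>&1; then
  make_client_ca "$OUT" alice-phone
else
  echo "openssl not found: Caddyfile written, certificates skipped" >&2
fi
```

Copy `client-ca.pem` to `/etc/caddy/` and `alice-phone.p12` to the phone; keep `client-ca.key` offline. Newer Caddy releases spell the CA option as `trust_pool file` inside `client_auth`, but `trusted_ca_cert_file` is still accepted. As the comment's edit notes, every recipient of a shared album needs a certificate installed, which is why this fits personal devices rather than "send a link to the neighbours".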

    • jws_shadotak@sh.itjust.works (OP)

      Yeah, this is too much for my needs. My main goal is to be able to send pictures to people via a link.

      Neighbors and family and stuff - less tech savvy folk.