Just learned how to do a reverse proxy
-
Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I'm securing Immich using OAuth.
I don't have very nerdy friends so not many people appreciate this.
-
-
[email protected] replied to [email protected] last edited by
Congratulations!
It feels really good when you learn something new and get it working the way you like.
If you want more challenges take a look at this:
This would be useful if you ever wanted to share albums with other people outside your tailscale network and that lack an account for your immich server.
-
[email protected] replied to [email protected] last edited by
I'm a huge fan of Caddy and I wish more people would try it. The utter simplicity of the config file is breathtaking when you compare it with Apache or Nginx. Stuff that takes twenty or thirty lines in other webservers becomes just one in Caddy.
-
[email protected] replied to [email protected] last edited by
Wrapping my head around reverse proxy was a game changer for me. I could finally host things that are useful outside my LAN. I use Nginx-Proxy-Manager, which makes the config simple for the lazy like me.
-
[email protected] replied to [email protected] last edited by
Good job!
I'm still trying to understand what it is and why I would want it. I see several programs I use recommend it but I just don't get what it does and why what it does is good.
-
[email protected] replied to [email protected] last edited by
NPM is awesome until you have a weird error about which the web GUI gives no hint. Used it for years at this point and wouldn't consider anything else. It just works and is super simple.
-
[email protected] replied to [email protected] last edited by
I moved from SWAG to Caddy and I'm glad I did. So much simpler.
-
[email protected] replied to [email protected] last edited by
I love Caddy. So easy to configure, and the automatic SSL is almost always what I need.
-
[email protected] replied to [email protected] last edited by
I know that feeling! My first service hosted via Docker + Traefik outside my LAN with a WireGuard tunnel felt like a big dopamine hit! Congrats!
Now I have over 20 services and it feels trivial. I still love the easy to read/write syntax of Traefik; however, I feel like I'm missing a lot of important networking knowledge while avoiding Nginx!
Maybe one day when I'm too bored I will switch everything to Nginx and see how it goes!
-
[email protected] replied to [email protected] last edited by
+1 for NPM! Used to even do things manually, but I'm too lazy for that and NPM fulfils nearly all my use cases lol
-
[email protected] replied to [email protected] last edited by
It does a couple things. It's one service that routes requests to multiple services. So if you have radarr, sonarr, etc., you can put a reverse proxy in front and use the same IP and port to connect to all, and the proxy routes the request to the service by hostname.
If you have multiple instances of the same service for HA, it can load balance between them (though this is unlikely for a homelab).
Personally I run all my services through docker and put traefik in front, so that I don't have to keep track of ports. It's all by name.
It's also nice because traefik handles HTTPS termination, so it automatically gets certs for each name, and the backing service never needs to worry about it (it's http on the backend, but all that traffic is internal).
-
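The routing and TLS-termination behaviour described in the reply above, written out as a Caddy configuration. This is an added example, not config from the thread or from the Caddy or Immich projects; the hostnames, container names and backend ports are placeholders, and the Caddy directives used (`reverse_proxy`, `log`, `header`) are the standard ones from the Caddyfile format.

```caddyfile
# Hypothetical Caddyfile (added example, not from the thread).
# One process listens on 80/443 for every name; Caddy obtains and renews a
# certificate per site block automatically via ACME, so only the proxy is
# reachable from outside and the backends stay plain HTTP on the internal
# Docker network. Hostnames and ports are placeholders.

(common) {
	# Access log per site so unexpected requests can be spotted and fed to
	# a log-based tool later; path is a placeholder.
	log {
		output file /var/log/caddy/access.log
	}
	# Do not advertise the proxy's identity to clients.
	header -Server
}

immich.example.com {
	import common
	# Backend is reached by container name over plain HTTP; TLS ends here.
	reverse_proxy immich-server:2283
}

radarr.example.com {
	import common
	reverse_proxy radarr:7878
}

sonarr.example.com {
	import common
	reverse_proxy sonarr:8989
}
```

Every site block shares the same listener, so adding a service means adding a block with its DNS name and internal address rather than opening another port. Because Caddy needs the hostnames to resolve to the machine running it for ACME validation, a private-network deployment such as a tailnet would use a different certificate source (for example `tls internal`), which is a separate change from the routing shown here.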
[email protected] replied to [email protected] last edited by
me too like last week!!! yay us!!
haven't gotten oauth going yet but soon
-
[email protected] replied to [email protected] last edited by
Just be sure to read up on network security and set yourself up for success! Even tunnels can still be an attack surface. Always keep everything up to date! And plan for the worst case.
-
[email protected] replied to [email protected] last edited by
Can someone ELI5? I'm a noob who aspires to set up immich in the near future. I only recently started making efforts to separate myself from the cloud. So far I've got a wireguard server set up and I've disconnected both my Bambu printers from the cloud and I'm currently setting up some home assistant stuff. Pretty soon I'm hoping to set up a NAS, Immich, Plex (or similar) and replace my google nest cameras.
-
[email protected] replied to [email protected] last edited by
Quick, now learn a firewall with a good IDN
and fail2ban
-
[email protected] replied to [email protected] last edited by
Nice work!
-
[email protected] replied to [email protected] last edited by
Wow, so my understanding of the terms 'reverse proxy' and Tailscale must be wrong then, because I thought they were mutually exclusive. I'll go do some more research, unless someone feels like explaining how you can do both at the same time.
Also, I think the 'Risks' section of this page is informative:
-
[email protected] replied to [email protected] last edited by
I think self hosting the proxy with the services at hobbyist scale mitigates most of the security risks. The single point of failure risk is another matter. I once had to effectively reverse-hack my services by uploading a Jenkins test job through an existing java project to regain access. Ever since then, I maintain a separate ddns address that's just used for emergency ssh access.
-
[email protected] replied to [email protected] last edited by
came here to leave this exact response!
-
[email protected] replied to [email protected] last edited by
Why do you serve things to a public? Because unless you're serving a public, that's a dumb thing to do...