zlacker

[return to "A story on home server security"]
1. j_bum+mp 2025-01-05 16:41:16
>>todsac+(OP)
Ok - curious if anyone can provide some feedback for me on this.

I am running Immich on my home server and want to be able to access it remotely.

I’ve seen the options of using wireguard or using a reverse proxy (nginx) with Cloudflare CDN, on top of properly configured router firewalls, while also blocking most other countries. Lots of this understanding comes from a YouTube guide I watched [0].

From what I understand, people say reverse proxy/Cloudflare is faster for my use case, and if everything is configured correctly (which it seems like OP totally missed the mark on here), the threat of breaches into my server should be minimal.

Am I misunderstanding the “minimal” nature of the risk when exposing the server via a reverse proxy/CDN? Should I just host a VPN instead even if it’s slower?

Obviously I don’t know much about this topic. So any help or pointing to resources would be greatly appreciated.

[0] https://youtu.be/Cs8yOmTJNYQ?si=Mwv8YlEf934Y3ZQk

2. dns_sn+cx 2025-01-05 17:43:48
>>j_bum+mp
If you care about privacy I wouldn't even consider using Cloudflare or any other CDN because they get to see your personal data in plain "text". Can you forward a port from the internet to your home network, or are you stuck in some CG-NAT hell?

If you can, then you can just forward the port to your Immich instance, or put it behind a reverse proxy that performs some sort of authentication (password, certificate) before forwarding traffic to Immich. Alternatively you could host your own Wireguard VPN and just expose that to the internet - this would be my preferred option out of all of these.

If you can't forward ports, then the easiest solution will probably be a VPN like Tailscale that will try to punch holes in NAT (to establish a fast direct connection, might not work) or fall back to communicating via a relay server (slow). Alternatively you could set up your own proxy server/VPN on some cheap VPS but that can quickly get more complex than you want it to be.
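
The "reverse proxy that performs some sort of authentication before forwarding traffic to Immich" option above, written out as an nginx configuration. This is an added example, not something posted in the thread or taken from the Immich project: it assumes Immich is listening on 127.0.0.1:2283 on the same box as nginx, that the public hostname is photos.example.com, and that the certificate and CA file paths under /etc/nginx/certs exist; all of those names are placeholders. The commented-out first server block is what "just forward the port" amounts to, for contrast.

```nginx
# Added example (not from the thread): nginx in front of Immich, with
# authentication enforced by nginx before any request reaches Immich.
# Assumed/hypothetical: Immich on 127.0.0.1:2283, public name
# photos.example.com, certificates under /etc/nginx/certs.

# --- Weak variant: equivalent to forwarding the port straight to Immich -
# Every request, including the login page and the whole API, is reachable
# by anyone on the internet; Immich's own login is the only gate.
# server {
#     listen 443 ssl;
#     server_name photos.example.com;
#     location / { proxy_pass http://127.0.0.1:2283; }
# }

# --- Hardened variant: nginx authenticates first, then proxies ----------
server {
    listen 443 ssl;
    server_name photos.example.com;

    ssl_certificate     /etc/nginx/certs/photos.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/photos.example.com.key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Option A: mutual TLS. Only clients presenting a certificate signed by
    # your own private CA complete the handshake; everyone else is dropped
    # before a single HTTP request is parsed or forwarded.
    ssl_client_certificate /etc/nginx/certs/home-ca.pem;
    ssl_verify_client on;

    # Option B (instead of, or in addition to, A): HTTP basic auth.
    # Create the file with:  htpasswd -B -c /etc/nginx/immich.htpasswd alice
    # auth_basic           "Immich";
    # auth_basic_user_file /etc/nginx/immich.htpasswd;

    # Immich uploads can be large; do not let nginx cap them.
    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:2283;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Immich uses websockets for live updates.
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
    }
}

# Plain HTTP only redirects, so credentials are never sent in the clear.
server {
    listen 80;
    server_name photos.example.com;
    return 301 https://$host$request_uri;
}
```

With this, the only port forwarded on the router is 443 (and optionally 80) to the nginx host, never Immich's own port. Check the config with `nginx -t`, then verify from outside your LAN that a request without the client certificate is refused (with `ssl_verify_client on` the TLS handshake fails, so `curl https://photos.example.com/` never gets a page) and that one made with `curl --cert client.pem --key client.key ...` reaches the Immich login page. The caveat a practitioner would want: whatever client you use day to day, including the Immich mobile app, has to be able to present that credential, which is worth confirming before committing to it; the self-hosted WireGuard option sidesteps the question entirely because the app then just talks to Immich over the tunnel.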

3. j_bum+8y 2025-01-05 17:51:39
>>dns_sn+cx
Yikes… I had no idea about CDN being able to see raw data.

> forward a port

From what I understand, my Eero router system will let me forward ports from my NAS. I haven’t tested this to see if it works, but I have the setting available in my Eero app.

> forward port to Immich instance

Can you expand on this further? Wouldn’t this just expose me to the same vulnerabilities as OP? If I use nginx as a reverse proxy, would I be mitigating the risk?

Based on other advice, it seems like the self hosted VPN (wireguard) is the safest option, but slower.

The path of least resistance for daily use sounds ideal (RP), but I wonder if the risk minimization from VPN is worth potential headaches.

Thanks so much for responding and giving some insight.
