Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.
I don’t have very nerdy friends so not many people appreciate this.
Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.
I don’t have very nerdy friends so not many people appreciate this.
Thanks for the insight! Does running this in a docker container help limit the damage at all? Seems like they’d only be able to access the few folders I have the container access to?
Maybe a bit, but if you’re not running rootless docker if they get out of that container they’ll have the run of your docker host. It is a lot of layers to crack, but sometimes they’ve got nothing but time, or it’s been so long since the containers been updated that its trivial. That’s why rootless docker or podman, and Watchtower are your friends.
Also, vlan off your exposed surface and build firewall rules for the VPN and LAN inbound to it, and specific outbound rules if you need those servers to reach into those networks themselves.