As the title says…

Is this a risky thing?

EDIT: I have a wireguard VPN set up for myself and it’s always on so I can access *arrs and the like. I would like to expose immich on my domain to share photo albums and such.

  • chronicledmonocle@lemmy.world
    link
    fedilink
    English
    arrow-up
    12
    arrow-down
    1
    ·
    8 days ago

    Best solution is a VPN to your home network.

    However, if you want to host it publicly, at least restrict access to it via GeoIP. For example, if you live in Europe and only need access from there, only allow the areas in Europe you travel to and block everything else. This will greatly reduce your attack surface.

    Also, make sure everything is patched. Always. And implement something like fail2ban to deny repeated failed logins, along with a reverse proxy.

    • jws_shadotak@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      8 days ago

      GeoIP restricting is a brilliant idea I never thought of. I have been getting a few people trying to sign up on one of my other services and they’re all from Asia somewhere.

      I’ll try setting this up.

  • filister@lemmy.world
    link
    fedilink
    English
    arrow-up
    13
    arrow-down
    3
    ·
    edit-2
    8 days ago

    You are increasing the attack vector immensely, and it is up to you to ensure that it is well protected and up to date. The attack effort won’t be high though and most of the attacks would be pretty basic, still I wouldn’t risk something so personal, like your image library.

    I would suggest for you to look into Wireguard or Tailscale for accessing your personal Immich instance.

  • Shimitar@feddit.it
    link
    fedilink
    English
    arrow-up
    8
    ·
    8 days ago

    Also, true there is more risk, but you should always balance it with advantages.

    If your immich is properly protected behind a reverse proxy and encrypted with https, and containerized, preferably root-less container, and you properly back it up, go ahead and enjoy sharing.

  • ryguyflyguy@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    8 days ago

    I haven’t gotten around to setting it up myself yet, but I have immich-public-proxy pinned. Could solve exactly your problem. Keep your main immich behind your vpn but expose some public galleries of your choosing.

    • Banthex@feddit.org
      link
      fedilink
      English
      arrow-up
      4
      ·
      8 days ago

      I use yunohost for this. Ist possible there to use the sso etc. The default Installation Help to make a Quick and secure Installation.

  • OminousOrange@lemmy.ca
    link
    fedilink
    English
    arrow-up
    7
    ·
    8 days ago

    I’ve got mine on a subdomain through a Cloudflare tunnel that points to my local nginx proxy manager (with wildcard SSL certs) then to immich. You can do access control through Cloudflare as well. Quite low risk in my opinion as long as you protect it properly.

  • Nine@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    7 days ago

    I’ve been putting everything behind Tailscale. I don’t see any reason to make it public unless you’re planning on sharing it with the public.

    • Karna@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 days ago

      Same for me, but via Cloudflare tunnel. No need to expose your system to world unless that is what you want.

  • supersheep@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    2
    ·
    edit-2
    8 days ago

    You could look into mutual TLS / mTLS to protect your instance. You will need to set this up using a reverse proxy at your server (like Caddy) and then add a client certificate to your user devices. If you use the Immich app, I think it also supports adding this certificate under Settings -> Advanced -> SSL Client Certificate. Here you can find a tutorial on how to set it up: https://www.apalrd.net/posts/2024/network_mtls/

    (Edit: you will need to ensure that all clients who want to receive your shared photos have a client certificate installed, so depending on the number of clients this might be okay or less useful)

    • jws_shadotak@sh.itjust.worksOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      8 days ago

      Yeah, this is too much for my needs. My main goal is to be able to send pictures to people via a link.

      Neighbors and family and stuff - less tech savvy folk.

  • Lem453@lemmy.ca
    link
    fedilink
    English
    arrow-up
    2
    ·
    8 days ago

    I suspect most people open it via subdomain or cloudflare tunnel and it seems secure enough. Haven’t seen reports of people getting hacked left and right.

    VPN Certainly is more secure and works for a few people but becomes annoying if you have users that don’t want to mess with a VPN. It also helps if you want to make a public share link to someone without an account.

  • maplebar@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 days ago

    Try out a mesh network VPN like tailscale (others are available, but i haven’t tried them).

    Tailscale is basically just a simple but powerful wireguard manager that does all of the work of setting up a mesh network for you, and it works amazingly well in my experience. The free account is good for I think 3 users and 100 devices on a network and has been the perfect thing to expose my home server to my various devices no matter where I am.

    I like it so much after having used it for the last few months that I just spent way too much money upgrading my server… but that’s another thing entirely. lol

  • youmaynotknow@lemmy.ml
    link
    fedilink
    English
    arrow-up
    1
    ·
    8 days ago

    It is no riskier than any other reverse proxy or tunneling app. If you follow good opsec, you should be fine. In truth there is no bulletproof way to avoid intrusion, so do the best you can without completely doing away with convenience.