Specifically from the standpoint of protecting against common and not-so-common exploits.

I understand the concept of a reverse proxy and how works on the surface level, but do any of the common recommendations (npm, caddy, traefik) actually do anything worthwhile to protect against exploit probes and/or active attacks?

Npm has a “block common exploits” option but I can’t find anything about what that actually does, caddy has a module to add crowdsec support which looks like it could be promising but I haven’t wrapped my head around it yet, and traefik looks like a massive pain to get going in the first place!

Meanwhile Bunkerweb actually looks like it’s been built with robust protections out of the box, but seems like it’s just as complicated as traefik to setup, and DNS based Let’s Encrypt requires a pro subscription so that’s a no-go for me anyway.

Would love to hear people’s thoughts on the matter and what you’re doing to adequately secure your setup.

Edit: Thanks for all of your informative replies, everyone. I read them all and replied to as many as I could! In the end I’ve managed to get npm working with crowdsec, and once I get cloudflare to include the source IP with the requests I think I’ll be happy enough with that solution.

  • @[email protected]OP
    link
    fedilink
    English
    17 months ago

    Yeah I’m running a Cloudflare tunnel for external access (which is why I need DNS based LE certs), but that’s another thing that I don’t really know what it’s doing beyond basic reverse proxying.

    I have a country-based whitelist for where my Immich instance can be accessed from but I find the Zero Trust admin backend to be massive overkill for my needs, and it doesn’t help that they’ve recently moved everything around so none of the guides out there point to the right places anymore!

    • @[email protected]
      link
      fedilink
      English
      17 months ago

      Btw, you can do http based LE certificates through cloudflare. They just proxy the ACME URLs.

    • @[email protected]
      link
      fedilink
      English
      07 months ago

      So, is public accessibility actually required?
      Does it need to be exposed to the public internet?

      Why not use wireguard (or another VPN)? Even easier is tailscale.
      If you are hand selecting users (IE, doesn’t actually need to be publicly accessible), then VPN is the most secure and just run a reverse proxy for ease & certs.
      Or set up client certificate authentication, so only users that install a certificate issued by you can connect to the service (dunno how that works for 3rd party apps to immich)

      Like I asked, what is your actual threat model?
      What are your requirements?
      Is public accessibility actually required?

      • @[email protected]OP
        link
        fedilink
        English
        27 months ago

        If it was just me, or if Tailscale wasn’t such an insatiable battery leech then I’d absolutely do that but the wife (and kids) acceptance factor plays a big role, and they’re never going to accept having to toggle a separate service on and off to get to their photos.

        Maybe I’m being overly paranoid but I work in IT and see the daily, near constant barrage of port scans and login attempts to our VPN service and it has an effect!

        • @butitsnotme
          link
          English
          17 months ago

          I use WireGaurd, it’s set to on demand for any network or cellular data (so effectively always on), no DNS records (I just use public DNS providing private range IP addresses). It doesn’t make any sort of dent in my battery life. Also, only the wiregaurd network traffic is routed through it, so if my server is down the phone/laptop’s internet continues to work. I borrowed my wife’s phone and laptop for 15 minutes to set it up, and now no one has to think about it.

          • @[email protected]OP
            link
            fedilink
            English
            17 months ago

            Thanks for the suggestion. I spent a good hour or two trying to make Wireguard work for me last night but failed. If I set it to only apply to Immich, nothing else would have Internet access at all. Likewise if I set the peer IP range to just my LAN subnet.

            After pulling my hair out for a while I gave up and uninstalled.

            • @butitsnotme
              link
              English
              27 months ago

              The peer range shouldn’t be your LAN, it should be a new network range, just for WireGaurd. Make sure that the server running Immich is part of the WireGaurd network.

              My phone and laptop see three networks: the internet, the lan (192.168.1.0/24, typically) and WireGaurd (10.30.0.0/16). I can anonymize and share my WireGaurd config if that would help.

                • @butitsnotme
                  link
                  English
                  27 months ago

                  Here are a few more details of my setup:

                  Components:

                  • server
                  • clients (phone/laptop)
                  • domain name (we’ll call it custom.domain)
                  • home router
                  • dynamic DNS provider

                  The home router has WireGuard port forwarded to server, with no re-mapping (I’m using the default 51820). It’s also providing DHCP services to my home network, using the 192.168.1.0/24 network.

                  The server is running the dynamic DNS client (keeping the dynamic domain name updated to my public IP), and I have a CNAME record on the vpn.custom.domain pointing to the dynamic DNS name (which is an awful random string of characters). I also have server.custom.domain with an A record pointing to 10.30.0.1. All my DNS records are in public DNS (so no need to change the DNS settings on the computer or phone or use DNS overrides with WireGuard.)

                  Immich config:

                  version: "3.8"
                  
                  services:
                    immich-server:
                      container_name: immich_server
                      image: ghcr.io/immich-app/immich-server:release
                      entrypoint: ["/bin/sh", "./start-server.sh"]
                      volumes:
                        - ${UPLOAD_LOCATION}:/usr/src/app/upload
                      env_file:
                        - .env
                      ports:
                        - target: 3001
                          published: 2283
                          host_ip: 10.30.0.1
                      depends_on:
                        - redis
                        - database
                      restart: always
                      networks:
                        - immich
                  

                  WireGuard is configured using wg-quick (/etc/wireguard/wg0.conf):

                  [Interface]
                  Address = 10.30.0.1/16
                  PrivateKey = <server-private-key>
                  ListenPort = 51820
                  
                  [Peer]
                  PublicKey = <phone-public-key>
                  AllowedIPs = 10.30.0.12/32
                  
                  [Peer]
                  PublicKey = <laptop-public-key>
                  AllowedIPs = 10.30.0.11/32
                  

                  Start WireGuard with systemctl enable --now wg-quick@wg0.

                  Phone WireGuard configuration (iOS):

                  [Interface]
                  Name = vpn.custom.domain
                  
                  Private Key = <phone private key>
                  Public Key = <phone public key>
                  
                  Addresses = 10.30.0.12/32
                  Listen port = <blank>
                  MTU = <blank>
                  DNS servers = <blank>
                  
                  [Peer]
                  Public Key = <server public key>
                  Pre-shared key = <blank>
                  Endpoint = vpn.custom.domain:51820
                  Allowed IPs = 10.30.0.0/16
                  Persistent Keepalive = 25
                  
                  [On Demand Activation]
                  Cellular = On
                  Wi-Fi = On
                  SSIDs = Any SSID
                  

                  This connection is then left always enabled, and comes on whenever my phone has any kind of network connection.

                  My laptop (running Linux), is also using wg-quick (/etc/wireguard/wg0.conf):

                  [Interface]
                  Address = 10.30.0.14
                  PrivateKey = <laptop private key>
                  
                  [Peer]
                  PublicKey = <server-public-key>
                  Endpoint = vpn.custom.domain:51820
                  AllowedIPs = 10.30.0.0/16
                  

                  My wife’s window’s laptop is configured using the official WireGuard windows app, with similar settings.

                  No matter where we are (at home, on a WiFi hotspot, or using cellular data) we access Immich over the VPN: http://server.custom.comain:2283/.

                  Let me know if you have any further questions.