this post was submitted on 08 Dec 2024
37 points (91.1% liked)

Selfhosted

60093 readers
1083 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 7 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
37
Exposing Immich via subdomain - good or bad idea? (sh.itjust.works)
submitted 2 years ago* (last edited 2 years ago) by jws_shadotak@sh.itjust.works to c/selfhosted@lemmy.world
26 comments fedilink hide all child comments
 

As the title says...

Is this a risky thing?

EDIT: I have a wireguard VPN set up for myself and it's always on so I can access *arrs and the like. I would like to expose immich on my domain to share photo albums and such.

you are viewing a single comment's thread
view the rest of the comments
[–] chronicledmonocle@lemmy.world 11 points 2 years ago (2 children)

Best solution is a VPN to your home network.

However, if you want to host it publicly, at least restrict access to it via GeoIP. For example, if you live in Europe and only need access from there, only allow the areas in Europe you travel to and block everything else. This will greatly reduce your attack surface.

Also, make sure everything is patched. Always. And implement something like fail2ban to deny repeated failed logins, along with a reverse proxy.

[–] possiblylinux127@lemmy.zip 4 points 2 years ago

Best solution is using a mesh VPN service like Tailscale or Netbird

[–] jws_shadotak@sh.itjust.works 3 points 2 years ago (1 children)

GeoIP restricting is a brilliant idea I never thought of. I have been getting a few people trying to sign up on one of my other services and they're all from Asia somewhere.

I'll try setting this up.

[–] chronicledmonocle@lemmy.world 4 points 2 years ago (1 children)

Sweet. Both OPNSense and pfSense firewalls have the ability to tie into MaxMind's GeoIP service. Not sure what your perimeter device is, but it's pretty easy on those. And free.

[–] Appoxo@lemmy.dbzer0.com 1 points 2 years ago (1 children)

If you use Cloudflare as the domain-DNS I'd rather use them as the GeoIP filter.

[–] chronicledmonocle@lemmy.world 1 points 2 years ago (1 children)

Yes, but OP mentioned nothing about Cloudflare.

[–] Appoxo@lemmy.dbzer0.com 2 points 2 years ago

Doesnt hurt to mention though in case others come across this discussion, no?