Add mTLS to the reverse proxy and to the Immich client app and forbid access without it.
The mTLS certs can be self-generated. There are tutorials for generating your own CA and individual mTLS certs for each device. Then you put the ca.pem file in a place accessable by NPM and add a couple of commands to the “Advanced” tab of the Immich proxy host, and you put the mTLS cert on the phone and load it into the Immich app.
mTLS is a super strong method, not only does it serve as great authentication for that particular device, it also checks the TLS connection for tampering so it can’t be hijacked even if somehow you get rogue certificates loaded on your phone, you can revoke certs if your phone gets lost or stolen etc.
femtek@lemmy.blahaj.zone 1 week ago
Yeah, maybe it’s because I run public sites on kubernetes at work that I’m not as scared but a good locked down network is fine. Thousands or businesses run public URLs, as long as you configure it right you are mostly good. There is always a risk of vulnerabilities in the software for immich, your proxy, your auth provider so doing it that way increases your attack surface than just the VPN.
curbstickle@anarchist.nexus 1 week ago
Part of “configuring it right” for companies is generally having the public-side be pretty well walled off from anything internal though, there isn’t anything wrong with taking the same approach at home, too