Comment on Just how secure are the various reverse proxy options?
vzq@lemmy.blahaj.zone 5 months ago
I have yet to see anything I can run myself that works as well as Cloudflare. Still, not exactly self hosted.
TedZanzibar@feddit.uk 5 months ago
Yeah, I’m running a Cloudflare tunnel for external access (which is why I need DNS-based LE certs), but that’s another thing that I don’t really know what it’s doing beyond basic reverse proxying.
I have a country-based whitelist for where my Immich instance can be accessed from but I find the Zero Trust admin backend to be massive overkill for my needs, and it doesn’t help that they’ve recently moved everything around so none of the guides out there point to the right places anymore!
vzq@lemmy.blahaj.zone 5 months ago
Btw, you can do HTTP-based LE certificates through Cloudflare. They just proxy the ACME URLs.
towerful@programming.dev 5 months ago
So, is public accessibility actually required?
Does it need to be exposed to the public internet?
Why not use WireGuard (or another VPN)? Even easier is Tailscale.
If you are hand-selecting users (i.e., it doesn’t actually need to be publicly accessible), then a VPN is the most secure, and just run a reverse proxy for ease & certs.
Or set up client certificate authentication, so only users that install a certificate issued by you can connect to the service (dunno how that works for 3rd-party apps to Immich).
Like I asked, what is your actual threat model?
What are your requirements?
Is public accessibility actually required?