Comment

Comment on Just how secure are the various reverse proxy options?

Yeah I’m running a Cloudflare tunnel for external access (which is why I need DNS based LE certs), but that’s another thing that I don’t really know what it’s doing beyond basic reverse proxying.

I have a country-based whitelist for where my Immich instance can be accessed from but I find the Zero Trust admin backend to be massive overkill for my needs, and it doesn’t help that they’ve recently moved everything around so none of the guides out there point to the right places anymore!

source

Sort:hotnew top

vzq@lemmy.blahaj.zone ⁨5⁩ ⁨months⁩ ago
Btw, you can do http based LE certificates through cloudflare. They just proxy the ACME URLs.

source
towerful@programming.dev ⁨5⁩ ⁨months⁩ ago
So, is public accessibility actually required?
Does it need to be exposed to the public internet?

Why not use wireguard (or another VPN)? Even easier is tailscale.
If you are hand selecting users (IE, doesn’t actually need to be publicly accessible), then VPN is the most secure and just run a reverse proxy for ease & certs.
Or set up client certificate authentication, so only users that install a certificate issued by you can connect to the service (dunno how that works for 3rd party apps to immich)

Like I asked, what is your actual threat model?
What are your requirements?
Is public accessibility actually required?

source