So far, my self-hosting has been limited to Pi-Hole, and a static website. I now want to try out something new, an **Immich ** server.
I have a static IP from my ISP, so I don’t need to rent out a VPS. However, given that this IS a home internet, I want to be extra sure that it is going to be secure.
In my existing website, I use Fail2Ban + BadBotBlocker + Anubis + Nginx rate limits to protect it from scrapers, bots and malicious users, and it works well. With photos (especially family photos) at stake, I just want to know more on how to protect my server.
You must log in or # to comment.
The others already have a lot of material you can go through that will help protect your immuch instance. Some things I would further recommend looking into:
- Keep Immich up to date. But also wait at least a bit before upgrading. Both old and very new versions can contain vulnerabilities. With immich and it’s release process I wait at least a .week before upgrading a minor version (2.X.n)
- Exposing publicly makes you at least as vulnerable as the exposed app. So always try to get a feeling for how aware the devs are about security. Immich already has a good stance.
- Try to build some form of monitoring. I have Caddy as reverse proxy that exports metrics about the served domain where I can track and alert myself, when there is unusual activity on my immich domain.
I just use a WireGuard VPN. Makes it so much more simpler. At this point I don’t think I’ll ever expose anything to the public internet, seems like too much of a headache.
This is the way. And if you need to give someone outside of your home access, generate a VPN token for them to access your intranet and you’re golden. (And if you fall out, you revoke the token)
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CA (SSL) Certificate Authority DNS Domain Name Service/System NAT Network Address Translation TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network
5 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #10 for this comm, first seen 12th Jun 2026, 13:10] [FAQ] [Full list] [Contact] [Source code]
I’m running immich with tailscale.
The Immich app (at least on Android) supports mTLS client certificates, I use that for my instance.
It supports it on the iOS client as well but last time I tried it would always lose the mTLS setting on its own after a while. I had to resort to the other method they offer, secret key in a custom HTTP header.
Do you want to have the site to be public facing? If so, I think your current setup is good.
If it doesn’t need to be public facing, I would use wireguard to VPN into your LAN network, and secure it that way.
Definitely put it behind Netbird.
Also. I have a Jellyfin instance that I share with family, where I actually can’t put all of their client devices behind Netbird.
For that case, I used Netbird’s reverse proxy feature. So technically the Jellyfin instance is exposed to the public internet. HOWEVER, Netbird allows you to block or allow certain IP addresses. So while my Jellyfin instance is technically on the public internet, it’s only accessible from 1 specific public IP.
Otherwise, if you’re on the Netbird VPN, then the domain I have set resolves to the internal IP.
I can’t recall the name, but there was at least one project that had a kind of static web proxy of shared immich albums, so you can expose that to the internet for sharing and keep Immich its self internal network only.
Is there a reason it needs to be public facing?
I think this should be talked about more. Does every selfhosted app need to be public facing?
I use Immich as a backup service, so i really don’t have any need to have it public facing. It connects when I’m home. Same with contacts/calendar.I have many services that doesn’t “need” to be public, as public facing for one specific reason. TLS.
A lot of the times android apps won’t connect to http directions, not even local ones, and require a proper https connection with a well known CA.
For that I put the services behind a caddy reverse proxy to get a valid tls certificate.
And them I do the trick, and basically on caddy reject any connection that’s not local. Thus, making the supposedly “public” site a practical “local” one.
Once there I just connect through wireguard.
You’re already doing more than companies that charge people to host their photos.
Despite what some may think, I’m not a representative of Cloudflare, nor do I receive any benefit from recommending them. I just recommend what works for me. There are many avenues at your disposal. That said, Cloudflare Tunnels/Zero Trust is a winner in my book. You will need a cheap domain name that you can change the nameservers to the ones Cloudflare assigns you. After that, you install Cloudflare Tunnels/Zero Trust on your server, and connect to Cloudflare, Jacks a doughnut, Bob’s your uncle. No need to fiddle with NAT, or opening ports. Cloudflare takes care of all of that. Of course you will need port 22 (ssh) to directly admin your server.
Plain wireguard. Or maybe Pangolin?
Literally just heard of pangolin for the first time in today’s self host email. I checked it and signed up to get started. But am I correct in assuming I can only have 5 endpoints for free? Or was I not looking at the self hosted edition?
I use Pangolin reverse proxy with OAuth (PocketID) for family access to services, along with CrowdSec. For the Immich app access which needs to bypass auth login through the reverse proxy, I use ‘link share’ in Pangolin that gives me header tokens that can be entered in to the Immich app under Advanced settings.
I’ve been an Immich user for over 2 years now, so it’s been a journey for me to implement it to this standard.
Or as someone else suggests, try CloudFlare with something like Google Auth login. Just be aware that you are then exposing all your traffic to Cloudflare. I take that as a small sacrifice for simiplicity.
I would not expose anything to the internet, except if you want to have it public.
I use wireguard as a private, self-hosted VPN. It’s easy to set up.
I have it behind OAuth.
And then a reverse proxy via NPM.
I don’t know what else to do on it aside from keeping it fully VPNed.
Yeah, maybe it’s because I run public sites on kubernetes at work that I’m not as scared but a good locked down network is fine. Thousands or businesses run public URLs, as long as you configure it right you are mostly good. There is always a risk of vulnerabilities in the software for immich, your proxy, your auth provider so doing it that way increases your attack surface than just the VPN.
Thousands or businesses run public URLs, as long as you configure it right you are mostly good.
Part of “configuring it right” for companies is generally having the public-side be pretty well walled off from anything internal though, there isn’t anything wrong with taking the same approach at home, too
@Maroon FIY the security verification for my not being a bot failed
I’m sorry, could you rephrase that? I think there are a few typos in your post.
@Maroon no it just wasn’t verifying anything at all, but now it’s fixed. Thanks
