I have self hosted immich on Debian on my homelab. I have also setup tailscale to be able to access it outside my home.

Sometime ago, I was able to purchase a domain of my choice from GoDaddy. While I am used to hosting stuff on Linux, I’ve never exposed it for access publicly. I want to do that now.

Is it something I can do within tailscale or do I need to setup something like cloudflare? What should I be searching for to learn and implement? What precautions to take? I would like to keep the tailscale thing too.

PS: I would like to host immich as a subdomain like photos.mydomain.com.

Thanks!

    • DontNoodles@discuss.tchncs.de (OP) · 2 upvotes · 5 months ago

      I have used a reverse proxy in an office setup where my local IP was NATed to a dedicated public IP. But in my home lab, I don’t have a dedicated public IP. So, I need to figure out a way around that.

      • Bakkoda@sh.itjust.works · 1 upvote · edited · 5 months ago

        Just run a cron job updating your IP every 24 hours. All I’ve ever done for the last decade or so.

        I should clarify, I use Namecheap as my registrar and Afraid as my nameserver. Afraid has curl, cron and even just a URL I think you can use to update your IP.
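        The daily cron-driven IP update Bakkoda describes, as an added example script (not code from any commenter). It assumes a provider that accepts a token-authenticated update URL; the `UPDATE_URL`, `TOKEN_FILE` and `STATE_FILE` values are placeholders, and the public-IP lookup service is an arbitrary choice.

```shell
#!/bin/sh
# Constructed example: update a DDNS record for photos.mydomain.com from cron,
# e.g. "0 4 * * * /usr/local/sbin/ddns-update.sh run" for a once-a-day update.
set -eu

STATE_FILE="${STATE_FILE:-/var/lib/ddns/last_ip}"               # placeholder path
UPDATE_URL="${UPDATE_URL:-https://dyndns.example.invalid/update}" # placeholder provider URL
HEADER_FILE="${HEADER_FILE:-/etc/ddns/auth-header}"             # placeholder, root-only (chmod 600)
HOSTNAME_TO_UPDATE="photos.mydomain.com"

# Accept only a plain dotted-quad IPv4. Whatever the lookup service returns
# (an error page, HTML, an IPv6 address) must never be pasted into the update URL.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] 2>/dev/null || return 1
  done
  return 0
}

# Only talk to the provider when the address actually changed; most DDNS
# services rate-limit or ban clients that push the same value every run.
needs_update() {  # $1 = last recorded IP (may be empty), $2 = current IP
  [ "$1" != "$2" ]
}

main() {
  current=$(curl -fsS --max-time 15 https://api.ipify.org)
  valid_ipv4 "$current" || { echo "unexpected IP lookup response: $current" >&2; exit 1; }
  previous=$(cat "$STATE_FILE" 2>/dev/null || true)
  needs_update "$previous" "$current" || exit 0

  # The auth header line (e.g. "Authorization: Token ...") is read from a file with
  # curl's -H @file form (curl >= 7.55), so the token never appears in the process
  # list or in cron's logged command line.
  curl -fsS --max-time 15 -H "@$HEADER_FILE" \
    "${UPDATE_URL}?hostname=${HOSTNAME_TO_UPDATE}&myip=${current}" >/dev/null

  mkdir -p "$(dirname "$STATE_FILE")"
  printf '%s\n' "$current" > "$STATE_FILE"
}

if [ "${1:-}" = "run" ]; then
  main
fi
```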

      • gaylord_fartmaster@lemmy.world · 1 upvote · 5 months ago

        I know everyone loves to shit on Oracle, but a free-tier Oracle VPS would solve this.

        Or if you want something decent pay for a cheap VPS.

        • zqwzzle@lemmy.ca · 2 upvotes · 5 months ago

          We’re running home labs because we’ve learned that relying on “free” services eventually comes back to bite you.

          • gaylord_fartmaster@lemmy.world · 1 upvote · 5 months ago

            Absolutely, if it was anything I needed or even really wanted to be sure was reliably available I’d never put it on a free VPS.

            Now, something trivial like this that just requires installing WireGuard and nginx, copying over some configs, and changing a DNS record? Hard to beat free.

  • fluckx@lemmy.world · 6 upvotes · 5 months ago

    There’s also the option of setting up a Cloudflare tunnel and only exposing Immich over that tunnel. The HTTPS certificate is handled by Cloudflare and you’d need to use the Cloudflare DNS name servers as your domain’s name servers.

    Note that this means Cloudflare will proxy to you and essentially become a man-in-the-middle: You --HTTPS--> Cloudflare --HTTP--> homelab-immich. The connection between you and Cloudflare could be encrypted as well, but Cloudflare remains the man-in-the-middle and can see all data that passes by.

    • Joelk111@lemmy.world · 2 upvotes · 5 months ago

      I could be wrong, as I’m no expert, but Cloudflare’s proxy limits file uploads to about 1GB. I had to disable it to upload larger videos to Immich. For other services, probably decent advice.

    • DontNoodles@discuss.tchncs.de (OP) · 2 upvotes · 5 months ago

      I read about Funnel and it is really cool. But it seems to only expose the services through a *.ts.net type of URL. What I want is to use the domain that I’ve acquired.

  • Chewy@discuss.tchncs.de · 3 upvotes · 5 months ago

    I personally would be hesitant to host Immich publicly until they’ve done a security audit. The risk of accidentally exposing my photos publicly is too big for me.

    That’s why I recommend using Tailscale or WireGuard directly. Personally I’m using WireGuard for me and Tailscale for other people I want to easily access my services.

    • DontNoodles@discuss.tchncs.de (OP) · 1 upvote · 5 months ago

      Your point is valid. I’ll use the learnings from this thread for other, more robust services first and keep an eye on the progress of Immich in terms of security.

  • mojoaar@lemmy.world · 2 upvotes · 5 months ago

    I personally just use NPM in front of all of the services I make available publicly. It’s easy and handles the Let’s Encrypt certificates also.

    From my Ubiquiti router I just have ports 80 and 443 forwarded to the NPM.

  • ѕєχυαℓ ρσℓутσρє@lemmy.sdf.org · 1 upvote · edited · 5 months ago

    Without anything extra, there are three ways of doing it:

    1. Using Tailscale Funnel
    2. Direct port forwarding in your router, and pointing to the IP using some DDNS provider (e.g. desec.io)
    3. Through Cloudflare tunnel (not recommended due to privacy reasons)

    In each case, you’ll need a reverse proxy (e.g. Caddy) if you want secure HTTPS connections.

    If you’re willing to spend money, the better way would be to proxy through a VPS (using something like a WireGuard tunnel). That way, you won’t have to open ports on your home router. You can get a very cheap one since proxying doesn’t need much CPU power. Just choose one with enough bandwidth. I personally proxy most of my stuff through a $12/yr RackNerd VPS.