I’m not great with Docker or networking, so when I picked up an n100 mini pc for self hosting I installed Ubuntu and Tipi to get started.

I used Tipi to install Immich and forwarded my ports, then setup cloudflare tunneling to expose it to the internet. Currently I’m migrating from Google Photos.

But since I’m new to this I’m worried about exposing Immich to the internet without really knowing what I’m doing. Any suggestions on ways to monitor my setup to make sure nothing goes wrong or gets hacked? Ideally any application suggestions would come from the Tipi app store but I’m willing to learn if there’s no other option. Thanks!

  • @foggy@lemmy.worldEnglish
    44 months ago

    only expose things you must expose. It’s better to do things right and secure than easy. Exposing a webservice requires you to expose port 443 (https). Basically everything else is optional.

    Not sure if it’s always possible but I setup an auth portal via port 443 where I’m using authelia and fail2ban, and using traefik to route authenticated users to other ports from there. So for example Plex 32400 is not exposed, only 443. But you get there via 443 and authentication.

    • @ricecake@sh.itjust.worksEnglish
      34 months ago

      Yup, that’s a really good pattern to follow. Not only does it minimize your exposure behind a secured entry, it also makes sure that all of your access is uniformly authenticated.

      You have to do some shenanigans to do something similar with other, non-http based services, but it’s possible with most of them.

    • BillygoatEnglish
      14 months ago

      Does that still allow other Plex users the ability to play remotely without having to use Plex relay?