Just exposed Immich via a remote and reverse proxy using Caddy and tailscale tunnel. I’m securing Immich using OAuth.

I don’t have very nerdy friends so not many people appreciate this.

  • Noggog@programming.dev
    link
    fedilink
    English
    arrow-up
    5
    ·
    2 days ago

    Just out of curiosity, is the tail scale part of this required? If i just reverse proxy things and have them only protected from there by the login screen of the app being shown, that’s obviously less safe. But the attackers would still need to brute force my passwords to get any access? If they did, then they could do nasty things within the app, but limited to that app. Are there other vulnerabilities I’m not thinking about?

    • WolfLink@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 day ago

      I only let things I trust are secure (e.g. ssh) have access from the internet, other services I hide behind a VPN (e.g. Tailscale).

    • ikidd@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      edit-2
      2 days ago

      I don’t think a tailscale tunnel helps this anyway, maybe just from standard antispoofing and geoblocks, but it still gets to the application in full eventually, when they can do what they’d do if it was directly exposed. The attack surface might be an entire API, not just your login screen. You have no idea what that first page implements that could be used to gain access. And they could request another page that has an entirely different surface.

      If someone has Nextcloud exposed, I’m not stopping at the /login page that comes up by default and hitting it with a rainbow table; I’m requesting remote.php where all the access goodies are. That has a huge surface that bypasses the login screen entirely, might not be rate limited, and maybe there’s something in webdav that’s vulnerable enough that I don’t need a correct token, I just need to confuse remote.php into letting me try to pop it.

      You can improve this by putting a basic auth challenge at least in front of the applications webpage. That would drastically reduce the potential endpoints.

      • Noggog@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 days ago

        Thanks for the insight! Does running this in a docker container help limit the damage at all? Seems like they’d only be able to access the few folders I have the container access to?

        • ikidd@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          2 days ago

          Maybe a bit, but if you’re not running rootless docker if they get out of that container they’ll have the run of your docker host. It is a lot of layers to crack, but sometimes they’ve got nothing but time, or it’s been so long since the containers been updated that its trivial. That’s why rootless docker or podman, and Watchtower are your friends.

          Also, vlan off your exposed surface and build firewall rules for the VPN and LAN inbound to it, and specific outbound rules if you need those servers to reach into those networks themselves.

    • Nibodhika@lemmy.world
      link
      fedilink
      English
      arrow-up
      4
      ·
      2 days ago

      It’s not required, but probably OP has a home server with Immich and a VPS which exposes it to the internet. In that setup you need Tailscale for the VPS to access your home server. Sometimes you can’t directly expose your home server for different reasons, e.g. ISP doesn’t give you an external IP directly (I’ve had this, where my router would get a 10.x IP so I couldn’t port forward because the internet IP was being shared between multiple houses), or the ISP gives you a dynamic IP so there’s no guarantee that your IP won’t change next time you reset the router, etc.

      Also it provides an extra layer of separation, so for example a DDOS would hit the VPS which probably has automatic countermeasures, and even if someone were to gain access to the VPS they still need an extra jump to get to the home server (obviously if they exploit something on immich they would get direct access to the home server).

      • Noggog@programming.dev
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        2 days ago

        Gotcha. Thanks for the insight!

        It’s annoying, as I’d like to expose things for other people in my family (like Overseerr or whatever) without hassling them to also start a VPN or other stumbling block steps.

        I was hoping that reverse proxy to overseerrs login screen would be safe enough. 8(

        Does docker help limit things at all? I’m running my services through docker, which seems to limit the folders the container can hit. Feels like that would limit the damage someone could do even if they bypassed the login page of Overseerr or whatever app it is?

        Edit: thanks for all the replies! Always more to learn and do, haha

        • Nibodhika@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 days ago

          First of all let me make this absolutely clear, docker is not expected to be secure to that level. While they try to make it hard for someone to escape a container, it’s not their main concern so expect that there are vulnerabilities that would allow an attacker to escape.

          Now the second thing, the Overseer login screen might be secure enough for your case, the problem is that login is hard to do right, and Overseer are doing several other stuff as well, so they might not give it enough emphasis, and even if they do, maybe Immich devs don’t, or any one of the dozens of other services, so there are dozen of possible points of failure. Things like Authelia or Google OAuth are focused on authentication, so they do that absolutely right, and then they become the only point of failure for authentication.

          To be fair, if you keep things updated it’s unlikely not having auth would be a problem. Mostly because most hackers won’t even know of your server to begin with. And most systems are secure enough for most casual hacks. But it’s an investment worth the time if you plan on making something available to the internet.