So far, my self-hosting has been limited to Pi-Hole, and a static website. I now want to try out something new, an Immich server.
I have a static IP from my ISP, so I don’t need to rent out a VPS. However, given that this IS a home internet, I want to be extra sure that it is going to be secure.
In my existing website, I use Fail2Ban + BadBotBlocker + Anubis + Nginx rate limits to protect it from scrapers, bots and malicious users, and it works well. With photos (especially family photos) at stake, I just want to know more on how to protect my server.
Add: thanks for the helpful replies. I will be sharing the photos with family, many of whom live abroad.
Is there a reason it needs to be public facing?
I think this should be talked about more. Does every selfhosted app need to be public facing?
I use Immich as a backup service, so i really don’t have any need to have it public facing. It connects when I’m home. Same with contacts/calendar.
I have many services that doesn’t “need” to be public, as public facing for one specific reason. TLS.
A lot of the times android apps won’t connect to http directions, not even local ones, and require a proper https connection with a well known CA.
For that I put the services behind a caddy reverse proxy to get a valid tls certificate.
And them I do the trick, and basically on caddy reject any connection that’s not local. Thus, making the supposedly “public” site a practical “local” one.
Once there I just connect through wireguard.