I have self-hosted immich on Debian on my homelab. I have also set up tailscale to be able to access it outside my home.
Some time ago, I was able to purchase a domain of my choice from GoDaddy. While I am used to hosting stuff on Linux, I’ve never exposed it for access publicly. I want to do that now.
Is it something I can do within tailscale or do I need to set up something like cloudflare? What should I be searching for to learn and implement? What precautions to take? I would like to keep the tailscale thing too.
PS: I would like to host immich as a subdomain like photos.mydomain.com.
Thanks!
This is honestly the most confusing and complicated part of self-hosting.
I agree! It took me years to finally decide to buckle down and wrap my head around what a “reverse proxy” is. Once I figured it out things became so much more usable and fun.
Combined with DNS redirects in my LAN (to get around NAT loopback), things are very easy to use.
I have used a reverse proxy in an office setup where my local IP was NATed to a dedicated public IP. But in my home lab, I don’t have a dedicated public IP. So, I need to figure a way around that.
This is the way.
If you have a dynamic WAN IP (like I do), you can make use of DDNS-updater services such as this.
Also, afaik, Immich does not have chunked uploads yet (not sure if it has been updated to include that) so you might have to check your DNS’ policies regarding traffic (e.g. Cloudflare proxy only allows up to 100Mb traffic and can’t be used to serve media from what I read).
Is immich the only service you want to expose? And did you install it using docker or directly on your system?
For now only Immich, but on a subdomain like I said in the PS. And yes, immich is installed using docker.
Then I would suggest you to take a look at Reverse Proxies, which are programs that let you publicly expose different services hosted on the same computer under different (sub)domains.
The easiest to start with (and also probably the one that better fits your needs) afaik is NGINX Proxy Manager, which can be set up really easily using docker, and you can find plenty of tutorials online (here is one I watched when I was starting to look into docker and selfhosting, it’s a bit old but should still be valid).
If after having set that up you want to tinker around with it a little bit and dive a bit deeper, there’s also Traefik which is pretty cool and also has a lot of materials to learn online.
I don’t remember if the video I linked mentions it or not, but to use a reverse proxy to expose your services on the web you will first need to set up a dynamic dns (probably the easiest way is to use Cloudflare) or to ask your ISP for a static IP, then go into your router’s settings and find the Port Forwarding section where you should tell your router to send all the incoming traffic from ports 80 (HTTP) and 443 (HTTPS) to the local IP of your server. And then you should be ready to spin up Nginx Proxy Manager or Traefik on your server.
(idk if I was clear or not but I swear it’s easier that how it seems ahah)
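As an added example (not from any poster in this thread), here is what the reverse proxy layer from the reply above looks like as a plain nginx server block for photos.mydomain.com. It assumes the Immich server container is reachable from nginx as immich-server on port 2283 (adjust to your compose service name and port) and that a certificate has already been issued into the Let’s Encrypt paths shown; the body-size and timeout settings address the large-upload concern raised earlier in the thread.

```nginx
# Added example: publish the Immich container as photos.mydomain.com.
# Assumptions: upstream is immich-server:2283 on the same docker network,
# certificates are already present under /etc/letsencrypt (e.g. via certbot).

server {
    listen 80;
    server_name photos.mydomain.com;
    # Port 80 only answers with a redirect, so nothing is served in cleartext.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name photos.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/photos.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/photos.mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Immich uploads whole files in one request; 0 disables the body-size cap
    # (the default 1m would reject every photo/video).
    client_max_body_size 0;
    # Uploads and background jobs can hold a connection open for a while.
    proxy_read_timeout  600s;
    proxy_send_timeout  600s;

    # Tell browsers to stay on HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://immich-server:2283;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The Immich web UI uses websockets; allow the upgrade handshake.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Only ports 80 and 443 of the reverse proxy host need to be forwarded from the router; the Immich container itself stays unpublished on the docker network.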
Tailscale has a very neat feature called Tailscale Funnel, which makes this pretty easy
There’s also the option of setting up a cloudflare tunnel and only exposing immich over that tunnel. The HTTPS certificate is handled by cloudflare and you’d need to use the cloudflare DNS name servers as your domain’s name servers.
Note that this means cloudflare will proxy to you and essentially become a man-in-the-middle. You --HTTPS--> cloudflare --HTTP--> homelab-immich. The connection between you and cloudflare could be encrypted as well, but cloudflare remains the man-in-the-middle and can see all data that passes by.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| DNS | Domain Name Service/System |
| HTTP | Hypertext Transfer Protocol, the Web |
| HTTPS | HTTP over SSL |
| IP | Internet Protocol |
| NAT | Network Address Translation |
| SSL | Secure Sockets Layer, for transparent encryption |
| VPS | Virtual Private Server (opposed to shared hosting) |
6 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #795 for this sub, first seen 10th Jun 2024, 17:25]
Without anything extra, there are three ways of doing it:
- Using Tailscale Funnel
- Direct port forwarding in your router, and pointing to the IP using some DDNS provider (e.g. desec.io)
- Through Cloudflare tunnel (not recommended due to privacy reasons)

In each case, you’ll need a reverse proxy (e.g. Caddy) if you want secure https connections.
If you’re willing to spend money, the better way would be to proxy through a VPS (using something like a Wireguard tunnel). In that way, you won’t have to open ports on your home router. You can get a very cheap one since proxying doesn’t need much CPU power. Just choose one with enough bandwidth. I personally proxy most of my stuff through a $12/yr RackNerd VPS.