I just use a WireGuard VPN. Makes it so much more simpler. At this point I don't think I'll ever expose anything to the public internet, seems like too much of a headache.
this post was submitted on 11 Jun 2026
55 points (98.2% liked)
Selfhosted
59841 readers
449 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
This is the way. And if you need to give someone outside of your home access, generate a VPN token for them to access your intranet and you’re golden. (And if you fall out, you revoke the token)
The others already have a lot of material you can go through that will help protect your immuch instance. Some things I would further recommend looking into:
- Keep Immich up to date. But also wait at least a bit before upgrading. Both old and very new versions can contain vulnerabilities. With immich and it's release process I wait at least a .week before upgrading a minor version (2.X.n)
- Exposing publicly makes you at least as vulnerable as the exposed app. So always try to get a feeling for how aware the devs are about security. Immich already has a good stance.
- Try to build some form of monitoring. I have Caddy as reverse proxy that exports metrics about the served domain where I can track and alert myself, when there is unusual activity on my immich domain.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| CA | (SSL) Certificate Authority |
| DNS | Domain Name Service/System |
| NAT | Network Address Translation |
| TLS | Transport Layer Security, supersedes SSL |
| VPN | Virtual Private Network |
5 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.
[Thread #10 for this comm, first seen 12th Jun 2026, 13:10] [FAQ] [Full list] [Contact] [Source code]
I'm running immich with tailscale.
Put it behind Tailscale/Headscale/Netbird/etc. VPN connection and don't think about it.
In addition to this. If going tailscale at least, add the pi-hole as the DNS server. Now you have pi-hole on the go as well.
This. You can sync your photos when you're connected to your home wifi or via tailscale/vpn. You can look at your photos either via vpn or at home in your own network. There is little need for opening it up to the Internet.
@avidamoeba @Maroon
I use wireguard. But yes.
In my case there is no need to have my services public reachable.
All family member have a wireguars client on their phone rethink or wgtunnel.
That way also their internet connection goes completely through my router and also the add blocker.
Do you want to have the site to be public facing? If so, I think your current setup is good.
If it doesn't need to be public facing, I would use wireguard to VPN into your LAN network, and secure it that way.
The Immich app (at least on Android) supports mTLS client certificates, I use that for my instance.
It supports it on the iOS client as well but last time I tried it would always lose the mTLS setting on its own after a while. I had to resort to the other method they offer, secret key in a custom HTTP header.
Definitely put it behind Netbird.
Also. I have a Jellyfin instance that I share with family, where I actually can't put all of their client devices behind Netbird.
For that case, I used Netbird's reverse proxy feature. So technically the Jellyfin instance is exposed to the public internet. HOWEVER, Netbird allows you to block or allow certain IP addresses. So while my Jellyfin instance is technically on the public internet, it's only accessible from 1 specific public IP.
Otherwise, if you're on the Netbird VPN, then the domain I have set resolves to the internal IP.
I have that but with caddy.
On the caddyfile you can put to only serve the site to certain IPs and reject the others with any status normally 403 or 404.
Attackers probe the site, but all they get it's a connection error.
You're already doing more than companies that charge people to host their photos.
Plain wireguard. Or maybe Pangolin?
Literally just heard of pangolin for the first time in today's self host email. I checked it and signed up to get started. But am I correct in assuming I can only have 5 endpoints for free? Or was I not looking at the self hosted edition?
I use a Pangolin reverse proxy with OIDC (PocketID) for family access to services, along with CrowdSec. For the Immich app access which needs to bypass auth login through the reverse proxy, I use 'link share' in Pangolin that gives me header tokens that can be entered in to the Immich app under Advanced settings.
I've been an Immich user for over 2 years now, so it's been a journey for me to implement it to this standard.
Or as someone else suggests, try CloudFlare with something like Google Auth login. Just be aware that you are then exposing all your traffic to Cloudflare. I take that as a small sacrifice for simplicity.
I would not expose anything to the internet, except if you want to have it public.
I use wireguard as a private, self-hosted VPN. It's easy to set up.
Is there a reason it needs to be public facing?
I think this should be talked about more. Does every selfhosted app need to be public facing?
I use Immich as a backup service, so i really don't have any need to have it public facing. It connects when I'm home. Same with contacts/calendar.
I have many services that doesn't "need" to be public, as public facing for one specific reason. TLS.
A lot of the times android apps won't connect to http directions, not even local ones, and require a proper https connection with a well known CA.
For that I put the services behind a caddy reverse proxy to get a valid tls certificate.
And them I do the trick, and basically on caddy reject any connection that's not local. Thus, making the supposedly "public" site a practical "local" one.
Once there I just connect through wireguard.
I have it behind OAuth.
And then a reverse proxy via NPM.
I don't know what else to do on it aside from keeping it fully VPNed.
Add mTLS to the reverse proxy and to the Immich client app and forbid access without it.
The mTLS certs can be self-generated. There are tutorials for generating your own CA and individual mTLS certs for each device. Then you put the ca.pem file in a place accessable by NPM and add a couple of commands to the "Advanced" tab of the Immich proxy host, and you put the mTLS cert on the phone and load it into the Immich app.
mTLS is a super strong method, not only does it serve as great authentication for that particular device, it also checks the TLS connection for tampering so it can't be hijacked even if somehow you get rogue certificates loaded on your phone, you can revoke certs if your phone gets lost or stolen etc.
Yeah, maybe it's because I run public sites on kubernetes at work that I'm not as scared but a good locked down network is fine. Thousands or businesses run public URLs, as long as you configure it right you are mostly good. There is always a risk of vulnerabilities in the software for immich, your proxy, your auth provider so doing it that way increases your attack surface than just the VPN.
Thousands or businesses run public URLs, as long as you configure it right you are mostly good.
Part of "configuring it right" for companies is generally having the public-side be pretty well walled off from anything internal though, there isn't anything wrong with taking the same approach at home, too
assuming that you’re to expose that to the Internet, my recommendation is to deploy only
- WAF solution, such as https://github.com/corazawaf/coraza-caddy
- bot blocker such as https://anubis.techaro.lol/docs/admin/environments/caddy
complicate the setup too much and it’s going to rather be more painful to maintain and also much easier to misconfigure.
The WAF covers OWASP Top 10 so that should give you around 70% protection which is still better than nothing
Despite what some may think, I'm not a representative of Cloudflare, nor do I receive any benefit from recommending them. I just recommend what works for me. There are many avenues at your disposal. That said, Cloudflare Tunnels/Zero Trust is a winner in my book. You will need a cheap domain name that you can change the nameservers to the ones Cloudflare assigns you. After that, you install Cloudflare Tunnels/Zero Trust on your server, and connect to Cloudflare, Jacks a doughnut, Bob's your uncle. No need to fiddle with NAT, or opening ports. Cloudflare takes care of all of that. Of course you will need port 22 (ssh) to directly admin your server.
I can't recall the name, but there was at least one project that had a kind of static web proxy of shared immich albums, so you can expose that to the internet for sharing and keep Immich its self internal network only.