So far, my self-hosting has been limited to Pi-Hole, and a static website. I now want to try out something new, an Immich server.
I have a static IP from my ISP, so I don’t need to rent out a VPS. However, given that this IS a home internet, I want to be extra sure that it is going to be secure.
In my existing website, I use Fail2Ban + BadBotBlocker + Anubis + Nginx rate limits to protect it from scrapers, bots and malicious users, and it works well. With photos (especially family photos) at stake, I just want to know more on how to protect my server.
Add: thanks for the helpful replies. I will be sharing the photos with family, many of whom live abroad.
Add mTLS to the reverse proxy and to the Immich client app and forbid access without it.
The mTLS certs can be self-generated. There are tutorials for generating your own CA and individual mTLS certs for each device. Then you put the
ca.pemfile in a place accessable by NPM and add a couple of commands to the “Advanced” tab of the Immich proxy host, and you put the mTLS cert on the phone and load it into the Immich app.mTLS is a super strong method, not only does it serve as great authentication for that particular device, it also checks the TLS connection for tampering so it can’t be hijacked even if somehow you get rogue certificates loaded on your phone, you can revoke certs if your phone gets lost or stolen etc.