Is having Immich behind cloudflare "safe"?
Usually I run Immich at home, and when I expose it, it's mostly:
Home (1.2Gbps DL/120Mbps UL) -> Tailscale -> Las Vegas/Switzerland VPS (Deb 13) (10Gbps NIC, fair use) (front nodes running hardened nginx as a reverse proxy, TLS 1.3/QUIC/443 only/wildcard SSL/other stuff)
but recently I have had my Immich behind Cloudflare for a while.
[Same setup, but just adding Cloudflare at the end with proxying on but cache off?]
I do sometimes have a private share folder link I share with my friends, and one of the folders I have in there is images; let's say I have 1000-3000 images only (other shares are mixed, between 1-5k). Usually I notice online that most people say to just disable cache and have Cloudflare be a dumb proxy, just like my frontend, just forwarding packets. So, is it safe to have it, or should I just throw Cloudflare away and keep my frontend nodes?
Poll: Do you run your own Immich server? (40 votes)
- Yea (self-hosting at home or on a VPS): 55.00%
- No (uses Nextcloud/Google Images/Box or whatever host): 45.00%

Poll: Do I need really need Cloudflare? (40 votes)
- Yea: 32.50%
- No: 67.50%


Comments
If it's not public, then you really don't need CF. Some people just put CF as a proxy out of habit.
And even then, "need really need" is very strong wording.
Mentally strong people deploy Immich publicly without Cloudflare.
If you're not, just make it accessible on a private network: Tailscale, Netmaker...
Well, my Immich is "public" (login and such, shares too). Just wondering if I should keep or throw Cloudflare away, or just keep my frontend nodes, since I already exposed my Immich server behind my frontend nodes before I added CF.
One benefit of using CF is Cloudflare Tunnel: you can expose a service at home without using Tailscale, passing through another VPS, or opening a port on your router.
Because it sounds like all you are using CF for is to protect the IP of the origin server, and not using it for any of the other features like Murv mentioned. I doubt you are worried about it getting DDoSed.
I would, but I used to use CF Tunnel + nginx (both on the same server) in the past, and I still do with other servers and my other domains.
If CF Tunnel is useful to you, then keep it. It creates an extra layer of security. Without it, it comes down to how secure your server is and if you got it set up right.
The thing is, I have Immich exposed on 2 of my VPSes: 1 for the main proxy and another as a failover/backup node. Sure, I could run CF Tunnel at home, but again it would come down to risk, as I'm just exposing my home IP directly to Cloudflare, so any abuse claims get forwarded to my home ISP even if I use CF Tunnels. That's why I have the VPS as a buffer relay, so I can have extra time to check what's wrong before some dumbass takes down my internet over a dogshit claim. This is why I'm reading 3-4 steps ahead, since I refuse to have my home internet exposed because of risks and such.
Ahh, I see now. The Anna's Archive approach.
CF <> DMCA-ignored VPS <> Immich server.
I guess it would depend on how good that buffer relay is. It is nice to have free CF to add another layer, but it can't always protect you. You might end up like this user getting their account taken down.
See here:
https://lowendtalk.com/discussion/216095/seeking-non-us-host-with-reasonable-abuse-handling/p1
Yeah, but it's mostly configured for my personal domain. Between my home and Las Vegas is like 20-40ms; Swiss is higher. I mostly have everything re-routed through San Jose, since between my home and SFO/LAX is 0-10ms at best, or even 10-20ms. For my use case, I would say the risk is near 0-1% or so, since I am only sharing my Immich gallery with friends I know who are not going to snitch. I know Cloudflare isn't going to protect me, since I am using it as a dummy proxy to deter casual users from snooping and finding my VPS IP address and such. I've been doing it for like a year or two now and it has been working fine. My other servers, like my Jellyfin, are just behind my VPS nodes, not Cloudflare.
If there is nothing wrong with CF, then why change it? I guess it adds more latency, or when CF goes down lol
It's more like blast radius control. Even though this forum, Discord and others also use Cloudflare. Sure, CF can go down in a day. I'm just talking about risk management.
I have deployed Immich (moving from Google Cloud) to a VPS without the CF proxy (because it has a 100MB limit on file uploads!) for 2 years now, never an issue!
I use Pangolin + Authentik for my public-facing services.
Can't find a way to make the private resources work though; for that I am still using Tailscale.
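The front-node setup from the opening post (hardened nginx reverse proxy, TLS 1.3/QUIC, 443 only, Cloudflare proxying in front with cache off) together with the upload-limit point raised in the comment just above, as an added illustrative nginx config that is not any poster's real configuration. The hostname, certificate paths, the Tailscale address 100.64.0.10:2283 and an nginx 1.25+ build with HTTP/3 are assumptions; the Cloudflare ranges are three entries from Cloudflare's published list.

```nginx
# Added illustration only, not any poster's real config. Assumptions: nginx
# 1.25+ built with HTTP/3, certificates already issued, Immich reachable over
# the Tailscale link at 100.64.0.10:2283 (placeholder), Cloudflare proxying on.

# Mark connections that arrive from Cloudflare's edge. Three published ranges
# (https://www.cloudflare.com/ips-v4) are shown; load the full v4/v6 lists in
# practice. $realip_remote_addr is the TCP peer, which matters because realip
# below rewrites $remote_addr to the visitor's IP before access checks run.
geo $realip_remote_addr $from_cloudflare {
    default          0;
    173.245.48.0/20  1;
    103.21.244.0/22  1;
    104.16.0.0/13    1;
}

server {
    listen 443 ssl;                  # 443 only: TLS 1.3 over TCP (HTTP/2) ...
    listen 443 quic reuseport;       # ... and over QUIC (HTTP/3)
    http2 on;
    server_name photos.example.com;
    ssl_certificate     /etc/nginx/certs/wildcard.example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/certs/wildcard.example.com.key.pem;        # placeholder
    ssl_protocols TLSv1.3;
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    # A "dumb proxy" hides the origin only if the origin refuses direct hits.
    if ($from_cloudflare = 0) { return 403; }

    # Log and rate-limit on the real visitor address, not Cloudflare's edge.
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 104.16.0.0/13;
    real_ip_header CF-Connecting-IP;

    # Photo/video uploads are large; lift nginx's own limit. When proxied,
    # Cloudflare's per-request body cap still applies on top of this.
    client_max_body_size 50000M;
    proxy_read_timeout 600s;

    location / {
        proxy_pass http://100.64.0.10:2283;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade $http_upgrade;      # WebSocket for live updates
        proxy_set_header Connection "upgrade";
    }
}
```

When the front node is run without Cloudflare in front (the poster's earlier setup), drop the geo block, the `if` check and the realip lines; everything else stays the same.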
Maybe you could use a Tailscale Funnel?
It is currently in beta. Cloudflare Tunnel is better.
I haven't heard about this before, but after looking at it, I swear I recall another application I used in the past where you could just run 2 commands and it drops a random link. Tailscale Funnel is for something else and my use case is way different. Sorry.
That's nice; I just upload mine at home on LAN since I know it's running in Docker. It's quite comfy.
I see. IIRC I heard about Pangolin before on YT, and Authentik, but never used them.
Personally I ditched Cloudflare.
I use Authelia.
But for stuff like that, I don't use anything; I trust the password of the app itself, so the apps stay compatible.
If Immich has personal photos and stuff, don't.
Cloudflare is essentially a MITM.
It's literally MITM.
Pangolin is nice to make services available without installing the client like we do with Tailscale, but if it is just you using the services, or someone else who is OK with using the Tailscale client and knows they have to connect through that first, then it would be easier to set up.
You don't really need Authentik, but it is useful to have one single sign-on for the "tunnel" + applications.
How do you like Authelia?
I started using Authentik a while ago (tested Zitadel as well), but it is overkill (and sometimes overly complicated) for a couple of users; at the time something didn't go well with my Authelia tests. I wonder if it is more mature now and would simplify things (no need for RBAC).
So far so good... I only use it for 1 app that does not have auth.
At the end of the day it does not matter, tbh; set up once and forget in 95% of cases...
I might try Authentik in Docker on one of my VPSes since I know I have so many logins for different websites.