this post was submitted on 11 Jun 2026
63 points (98.5% liked)

Selfhosted

59905 readers
632 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
63
Security considerations about hosting Immich from home (lemmy.world)
submitted 4 days ago* (last edited 3 days ago) by Maroon@lemmy.world to c/selfhosted@lemmy.world
34 comments fedilink hide all child comments
 

So far, my self-hosting has been limited to Pi-Hole, and a static website. I now want to try out something new, an Immich server.

I have a static IP from my ISP, so I don’t need to rent out a VPS. However, given that this IS a home internet, I want to be extra sure that it is going to be secure.

In my existing website, I use Fail2Ban + BadBotBlocker + Anubis + Nginx rate limits to protect it from scrapers, bots and malicious users, and it works well. With photos (especially family photos) at stake, I just want to know more on how to protect my server.

Add: thanks for the helpful replies. I will be sharing the photos with family, many of whom live abroad.

you are viewing a single comment's thread
view the rest of the comments
[–] daniskarma@lemmy.dbzer0.com 3 points 3 days ago* (last edited 3 days ago) (1 children)

I have many services that doesn't "need" to be public, as public facing for one specific reason. TLS.

A lot of the times android apps won't connect to http directions, not even local ones, and require a proper https connection with a well known CA.

For that I put the services behind a caddy reverse proxy to get a valid tls certificate.

And them I do the trick, and basically on caddy reject any connection that's not local. Thus, making the supposedly "public" site a practical "local" one.

Once there I just connect through wireguard.

[–] nfms@lemmy.ml 1 points 1 day ago

Clever. I'm just starting to mess with Caddy. Been struggling with Vaultwarden lately and your solution might fit my needs.