Update docs
This commit is contained in:
parent
f9f868f025
commit
f3e4078e41
11
README.md
11
README.md
@ -15,9 +15,16 @@ those shared images.
|
||||
|
||||
It exposes no ports, allows no incoming data, and has no API to exploit.
|
||||
|
||||
[Live demo](https://immich-demo.note.sx/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo)
|
||||
|
||||
### Why not simply put Immich behind a reverse proxy and only expose the `/share/` path to the public?
|
||||
|
||||
To view a shared album in Immich, you need access to the `/api/` path. If you're sharing a gallery with the public, you need
|
||||
to make that path public. Any existing or future vulnerabilities could compromise your Immich instance.
|
||||
|
||||
The ideal setup is to have Immich secured privately behind VPN or mTLS, and only allow public access to Immich Public Proxy.
|
||||
|
||||
[Live demo](https://immich-demo.note.sx/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo)
|
||||
Here is an example setup for [securing Immich behind mTLS](./docs/securing-immich-with-mtls.md).
|
||||
|
||||
## How to install with Docker
|
||||
|
||||
@ -105,3 +112,5 @@ however my goal with this project is to keep it as lean as possible.
|
||||
|
||||
Due to the sensitivity of data contained within Immich, I want anyone with a bit of coding knowledge
|
||||
to be able to read this codebase and fully understand everything it is doing.
|
||||
|
||||
## D
|
||||
|
72
docs/securing-immich-with-mtls.md
Normal file
72
docs/securing-immich-with-mtls.md
Normal file
@ -0,0 +1,72 @@
|
||||
# Securing Immich with mTLS using Caddy
|
||||
|
||||
## Caddy docker-compose.yml
|
||||
|
||||
```yaml
|
||||
version: "3.7"
|
||||
|
||||
services:
|
||||
caddy:
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile
|
||||
restart: unless-stopped
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
ports:
|
||||
- "6443:443"
|
||||
- "6443:443/udp"
|
||||
volumes:
|
||||
- ./Caddyfile:/etc/caddy/Caddyfile:Z
|
||||
- ./site:/srv:Z
|
||||
- ./data:/data:Z
|
||||
- ./config:/config:Z
|
||||
```
|
||||
|
||||
## Authenticating with mutual TLS
|
||||
|
||||
### Generate your client certificate
|
||||
|
||||
This is a basic way to generate a certificate for a user. If it's only you using your own homelab, then you'll just need to make one certificate.
|
||||
|
||||
This certificate will last for ~10 years (although of course you can revoke it at any time by deleting it from Caddy's key store).
|
||||
|
||||
```bash
|
||||
#!/bin/bash
|
||||
|
||||
mkdir -p certs
|
||||
|
||||
# Generate CA certificates
|
||||
openssl genrsa -out certs/client-ca.key 4096
|
||||
openssl req -new -x509 -nodes -days 3600 -key certs/client-ca.key -out certs/client-ca.crt
|
||||
|
||||
# Generate a certificate signing request
|
||||
openssl req -newkey rsa:4096 -nodes -keyout certs/client.key -out certs/client.req
|
||||
|
||||
# Have the CA sign the certificate requests and output the certificates.
|
||||
openssl x509 -req -in certs/client.req -days 3600 -CA certs/client-ca.crt -CAkey certs/client-ca.key -set_serial 01 -out certs/client.crt
|
||||
|
||||
echo
|
||||
echo "Please enter a STRONG password. Many clients *require* a password for you to be able to import the certificate, and you want to protect it."
|
||||
echo
|
||||
|
||||
# Convert the cerificate to PKCS12 format (for import into browser)
|
||||
openssl pkcs12 -export -out certs/client.pfx -inkey certs/client.key -in certs/client.crt
|
||||
|
||||
# Clean up
|
||||
rm certs/client.req
|
||||
```
|
||||
|
||||
## Configure Caddyfile
|
||||
|
||||
```Caddyfile
|
||||
https://immich.mydomain.com {
|
||||
tls {
|
||||
client_auth {
|
||||
mode require_and_verify
|
||||
trusted_ca_cert_file /data/client_certs/client.crt
|
||||
}
|
||||
}
|
||||
reverse_proxy internal_server.lan:2283
|
||||
}
|
||||
```
|
Loading…
Reference in New Issue
Block a user