Immich2mo ago
flunch42

Securing my VPS

Hello, I just installed Immich on a VPS that is wide open on the internet. I'd like to implement security with a cloudflared tunnel, but I can't find a way to have Immich listen only on the local interface of the server.

I have two network interfaces:
- lo (obviously) with 127.0.0.1
- eth0 with a public facing IP wide open on the internet

If I leave IMMICH_HOST empty, it listens on both interfaces and works on both IPs.
If I set it to 0.0.0.0 it listens on eth0 and the whole web, but I get connection reset by peer on 127.0.0.1.
If I set it to 127.0.0.1 it doesn't listen on eth0 (great) but I still get connection reset by peer on 127.0.0.1.

What is the correct setting so that Immich is accessible from the local machine only and not on the public facing interface? Thanks a lot!
10 Replies
Immich
Immich2mo ago
:wave: Hey @flunch42,

Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.

References
- Container Logs: docker compose logs docs
- Container Status: docker ps -a docs
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist
I have...
1. :blue_square: verified I'm on the latest release (note that mobile app releases may take some time).
2. :blue_square: read applicable release notes.
3. :blue_square: reviewed the FAQs for known issues.
4. :blue_square: reviewed Github for known issues.
5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)

Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;) If this ticket can be closed you can use the /close command, and re-open it later if needed.
Zeus
Zeus2mo ago
This is something you would configure on your system firewall, not on the docker host. Your VPS should never be wide open.
flunch42
flunch42OP2mo ago
Thanks, but the problem is I tried to add a firewall with UFW but docker overrides all the UFW rules.
Zeus
Zeus2mo ago
You can disable that. But that's not really Immich related, this is just docker management. You should also check if your VPS has a web based firewall, most do.
flunch42
flunch42OP2mo ago
Unfortunately the provider doesn't have a firewall, so I have to protect the box from the inside. There is no way to have Immich listen only on the local interface?
Zeus
Zeus2mo ago
That's not something you should even trust to Immich even if we had that feature. Nor docker, tbh.
flunch42
flunch42OP2mo ago
Ok so my only solution is to disable docker's iptables management to be able to implement a firewall?
Mraedis
Mraedis2mo ago
Docker Documentation: Packet filtering and firewalls (How Docker works with packet filtering, iptables, and firewalls)
Mraedis
Mraedis2mo ago
They have a whole guide for this
flunch42
flunch42OP2mo ago
For the record I went a different way and made it work on the loopback interface only, and set up UFW without complications after. I don't know why, but setting the following in the .env file made Immich unreachable on 127.0.0.1:

```
IMMICH_HOST=0.0.0.0
IMMICH_PORT=2283
```

But setting the same vars to the same values in docker-compose made it work directly:

```yaml
environment:
  IMMICH_HOST: 0.0.0.0
  IMMICH_PORT: 2283
ports:
  - '127.0.0.1:2283:2283'
```
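The working compose above shows the split that matters: IMMICH_HOST decides which interface the server binds inside the container, while the `ports` mapping decides which host interface Docker publishes it on, and a publish with no host IP lands on every interface regardless of UFW. As an added check (example code, not from the thread or the Immich project) the script below audits the `ports` entries of a compose file already loaded into a dict (for instance by PyYAML) and flags every publish reachable beyond loopback; the service name and the "open" mapping are constructed samples.

```python
"""Flag docker-compose port publishes that are reachable beyond the loopback interface."""
import ipaddress

WILDCARDS = {"", "0.0.0.0", "::"}  # no host_ip, or an explicit wildcard, binds every interface

def parse_port(entry):
    """Return (host_ip, host_port, container_port, proto) for one compose 'ports' item.
    Short syntax: '2283', '2283:2283', '127.0.0.1:2283:2283', '[::1]:2283:2283/udp'.
    Long syntax: {'target': 2283, 'published': 2283, 'host_ip': '127.0.0.1'}."""
    if isinstance(entry, dict):
        return (str(entry.get("host_ip", "")), str(entry.get("published", "")),
                str(entry["target"]), entry.get("protocol", "tcp"))
    spec, _, proto = str(entry).partition("/")
    host_ip = ""
    if spec.startswith("["):  # bracketed IPv6 host address
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) == 3:  # host_ip:host_port:container_port
        host_ip, host_port, cport = parts
    elif len(parts) == 2:  # host_port:container_port
        host_port, cport = parts
    else:  # container_port only: Docker picks an ephemeral host port on all interfaces
        host_port, cport = "", parts[0]
    return host_ip, host_port, cport, proto or "tcp"

def is_public(host_ip):
    """True when a publish bound to host_ip answers on non-loopback interfaces."""
    if host_ip in WILDCARDS:
        return True
    try:
        return not ipaddress.ip_address(host_ip).is_loopback
    except ValueError:  # unparseable value: report it rather than assume it is safe
        return True

def audit(compose):
    """Return [(service, 'host_ip:host_port->container_port/proto')] for each exposed publish."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports") or []:
            host_ip, host_port, cport, proto = parse_port(entry)
            if is_public(host_ip):
                findings.append((name, f"{host_ip or '*'}:{host_port or 'ephemeral'}->{cport}/{proto}"))
    return findings

# Constructed samples: a default-style publish on every interface, and the loopback-only
# binding the OP ended up with (IMMICH_HOST stays 0.0.0.0 inside the container either way).
OPEN_COMPOSE = {"services": {"immich-server": {"ports": ["2283:2283"]}}}
FIXED_COMPOSE = {"services": {"immich-server": {
    "ports": ["127.0.0.1:2283:2283", {"target": 2283, "published": 2283, "host_ip": "::1"}]}}}
```

Running `audit(OPEN_COMPOSE)` reports the all-interfaces publish, while `audit(FIXED_COMPOSE)` returns an empty list, which is the state to confirm with `ss -tlnp` on the host before trusting the tunnel-only setup.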