this post was submitted on 10 Jun 2024
45 points (95.9% liked)



I have self hosted immich on Debian on my homelab. I have also setup tailscale to be able to access it outside my home.

Sometime ago, I was able to purchase a domain of my choice from GoDaddy. While I am used to hosting stuff on Linux, I've never exposed it for access publicly. I want to do that now.

Is it something I can do within tailscale or do I need to setup something like cloudflare? What should I be searching for to learn and implement? What precautions to take? I would like to keep the tailscale thing too.

PS: I would like to host immich as a subdomain like


top 34 comments
[–] [email protected] 28 points 1 month ago* (last edited 1 month ago) (3 children)

You use a reverse proxy. Configure your DNS (GoDaddy in this case) to forward requests to your domain to your WAN IP. Set up port forwarding on your router to send HTTPS requests to your server, then the reverse proxy processes the request and directs it to the proper container.

This is honestly the most confusing and complicated part of self-hosting.

It's also all made very simple using Yunohost.

Also please move away from GoDaddy as soon as possible. Popular alternatives would be NameCheap or Porkbun.
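A check that belongs with the port-forwarding advice above, added here and not part of any comment: once the proxy is in place, confirm that only it (plus SSH) listens on every interface and that Docker has not also published the Immich container port on 0.0.0.0, which would let traffic bypass the proxy. The `ss -ltnH` sample is constructed, and the allowlisted ports and Immich's default port 2283 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit which sockets listen on all
# interfaces. Input is `ss -ltnH` output (no header line).

# $1: space-separated ports allowed to listen on all interfaces.
# Prints "port address" for every wildcard listener not in that allowlist.
audit_wildcard_listeners() {
  awk -v allow=" $1 " '
    {
      n = split($4, part, ":")          # column 4 is local address:port
      port = part[n]
      host = substr($4, 1, length($4) - length(port) - 1)
      wildcard = (host == "0.0.0.0" || host == "[::]" || host == "*")
      if (wildcard && index(allow, " " port " ") == 0)
        print port, host
    }'
}

# Constructed sample: proxy on 80/443, SSH on 22, Immich published on all
# interfaces by a compose `ports: 2283:2283`, Postgres correctly on loopback.
SAMPLE_SS_OUTPUT='LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2283 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:22 [::]:*'

# Returns 0 when nothing unexpected is exposed, 1 otherwise.
check_sample() {
  findings=$(printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_wildcard_listeners "22 80 443")
  [ -z "$findings" ] && return 0
  echo "unexpected wildcard listeners; bind them to loopback (e.g. 127.0.0.1:2283:2283 in compose):" >&2
  echo "$findings" >&2
  return 1
}

# Live use on the server:  ss -ltnH | audit_wildcard_listeners "22 80 443"
```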

[–] [email protected] 13 points 1 month ago* (last edited 1 month ago) (1 children)

This is honestly the most confusing and complicated part of self-hosting.

I agree! It took me years to finally decide to buckle down and wrap my head around what a "reverse proxy" is. Once I figured it out things became so much more usable and fun.

Combined with DNS redirects in my LAN (to get around NAT loopback), things are very easy to use.

[–] [email protected] 4 points 1 month ago (1 children)

You sound like me with Docker. Still unsure how to use that shit but haven't sat down to really try again, either.

I agree, reverse proxy was also a little mind numbing before I really buckled down and read/watched a bunch of info on it. I learn best by examples and try-fail, but that's hard to do with live services.

[–] [email protected] 2 points 1 month ago (1 children)

I found a lot of the problems I had with Docker were with Docker. Once I moved to using Portainer for Docker it became much more accessible.

[–] [email protected] 2 points 1 month ago (1 children)

I'll take a look at it, thanks!

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (1 children)

You need to pick a machine (if you only have 1 you don't lol) to be your web portal, bang a block of code in via ssh or command line (I copy pasted) then you can access Portainer via the web portal.

From there "Stacks" is Docker Compose and you can fiddle with your containers, networking settings and all the other stuff via a UI instead of having to SSH in all the time to look at your compose files.

Then if you wanna use docker on more machines you just bang a block of code into that machine via ssh and it will appear in your Portainer

Far easier imho

[–] [email protected] 1 points 1 month ago

I have saved this reply for the near future when I rebuild my server box to run Linux! Thanks again for your knowledge and information!

[–] [email protected] 2 points 1 month ago (3 children)

I have used reverse proxy in office setup where my local IP was NATed to a dedicated public IP. But in my home lab, I don't have a dedicated public IP. So, I need to figure a way around that.

[–] [email protected] 1 points 1 month ago (1 children)

I know everyone loves to shit on Oracle, but a free-tier Oracle VPS would solve this.

Or if you want something decent pay for a cheap VPS.

[–] [email protected] 2 points 1 month ago (1 children)

We’re running home labs because we’ve learned that relying on “free” services eventually comes back to bite you.

[–] [email protected] 1 points 1 month ago

Absolutely, if it was anything I needed or even really wanted to be sure was reliably available I'd never put it on a free VPS.

Now, something trivial like this that just requires installing wireguard and nginx, copying over some configs, and changing a DNS record? Hard to beat free.

[–] [email protected] 1 points 1 month ago

I've set up several instances in circumstances like yours. The easiest way is to create a duckdns domain for yourself, and install their updater on one of your systems, to keep your external IP up to date with their DNS-Servers. Then you can use a DNS-Provider of your choice (I use Cloudflare) to create a "CNAME" DNS Record, that basically just tells a browser to redirect from your domain to the IP Address of the duckdns domain. That way you can have an automatically updating public IP behind your domain name. Then you "just" have to set up a reverse proxy (I use Nginx Proxy Manager, but there are newer and easier alternatives), and create the correct port forwarding rules in your router/firewall, and you should be good to go.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago) (1 children)

Just run a cron job updating your IP every 24 hours. All I've ever done for the last decade or so.

I should clarify, I use namecheap as my registrar and Afraid as my nameserver. Afraid has curl, cron and even just a URL, I think, you can use to update your IP.
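An added example (not from either commenter) of the cron-driven update the DuckDNS and "cron job updating your IP" comments above describe. It assumes a DuckDNS-style update URL, curl on the box, and placeholder domain/token values; it validates the fetched address and only contacts the provider when the address has changed.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-driven dynamic-DNS updater.
# Assumptions: DuckDNS-style update URL, curl installed, and placeholder
# DDNS_DOMAIN / DDNS_TOKEN values supplied through the environment.
DDNS_DOMAIN="${DDNS_DOMAIN:-myhome}"               # placeholder subdomain
DDNS_TOKEN="${DDNS_TOKEN:-REPLACE_WITH_TOKEN}"     # placeholder token
STATE_FILE="${STATE_FILE:-/var/tmp/ddns-last-ip}"  # last address we published
# Ask a public echo service which address the outside world sees us from.
current_ip() {
  curl -fsS --max-time 10 https://api.ipify.org
}
# Accept only a well-formed dotted quad, so an ISP error page or captive
# portal response never gets published as your DNS record.
valid_ipv4() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}
# Push the new address to the provider (DuckDNS update API shape).
push_ip() {
  curl -fsS --max-time 10 \
    "https://www.duckdns.org/update?domains=${DDNS_DOMAIN}&token=${DDNS_TOKEN}&ip=$1" \
    >/dev/null
}
# Contact the provider only when the address changed; returns 1 on any
# failure so cron's mail shows the problem instead of silently stale DNS.
ddns_update_if_changed() {
  ip=$(current_ip) || { echo "ddns: could not determine public IP" >&2; return 1; }
  if ! valid_ipv4 "$ip"; then
    echo "ddns: refusing to publish non-IPv4 response: $ip" >&2
    return 1
  fi
  last=""
  [ -r "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
  [ "$ip" = "$last" ] && return 0
  push_ip "$ip" || return 1
  printf '%s\n' "$ip" > "$STATE_FILE"
  echo "ddns: published ${last:-none} -> $ip"
}
# Crontab entry for every 15 minutes:  */15 * * * * /usr/local/bin/ddns-update.sh run
if [ "${1:-}" = "run" ]; then ddns_update_if_changed; fi
```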

[–] [email protected] 1 points 1 month ago

Thank you! I'll look into it.

[–] [email protected] 2 points 1 month ago

This is the way.

If you have a dynamic WAN IP (like I do), you can make use of DDNS-updater services such as this.

Also, afaik, Immich does not have chunked uploads yet (not sure if it has been updated to include that) so you might have to check your DNS' policies regarding traffic (e.g. Cloudflare proxy only allows up to 100Mb traffic and can't be used to serve media from what I read).

[–] [email protected] 7 points 1 month ago (1 children)

There's also the option of setting up a cloudflare tunnel and only exposing immich over that tunnel. The HTTPS certificate is handled by cloudflare and you'd need to use the cloudflare DNS name servers as your domains name servers.

Note that this means cloudflare will proxy to you and essentially become a man-in-the-middle. You -- HTTPS --> cloudflare --http--> homelab-immich. The connection between you and cloudflare could be encrypted as well, but cloudflare remains the man-in-the-middle and can see all data that passes by.

[–] [email protected] 2 points 1 month ago

I could be wrong, as I'm no expert, but Cloudflare's proxy limits file uploads to about 1GB. I had to disable it to upload larger videos to immich. For other services, probably decent advice.

[–] [email protected] 4 points 1 month ago (1 children)

Tailscale has a very neat feature called Tailscale Funnel, which makes this pretty easy

[–] [email protected] 2 points 1 month ago (1 children)

I read about funnel and it is really cool. But it seems to only expose the services through a * type of URL. What I want is to use the domain that I've acquired.

[–] [email protected] 1 points 1 month ago (1 children)

Wouldn't you be able to cname your domain to the tailscale domain?

[–] [email protected] 1 points 1 month ago

Certs served by Tailscale will still be on * domain.

[–] [email protected] 3 points 1 month ago (1 children)

Is immich the only service you want to expose? And did you install it using docker or directly on your system?

[–] [email protected] 2 points 1 month ago (1 children)

For now only Immich, but on a sub domain like I said in the PS. And yes, immich is installed using docker.

[–] [email protected] 3 points 1 month ago (1 children)

Then I would suggest you take a look at Reverse Proxies, which are programs that let you publicly expose different services hosted on the same computer under different (sub)domains.

The easiest to start with (and also probably the one that better fits your needs) afaik is NGINX Proxy Manager, which can be set up really easily using docker, and you can find plenty of tutorials online (here is one I watched when I was starting to look into docker and selfhosting, it's a bit old but should still be valid).

If after having set that up you want to tinker around with it a little bit and dive a bit deeper, there's also Traefik which is pretty cool and also has a lot of materials to learn online.

I don't remember if the video I linked mentions it or not, but to use a reverse proxy to expose your services on the web you will first need to set up a dynamic dns (probably the easiest way is to use Cloudflare) or to ask your ISP for a static IP, then go into your router's settings and find the Port Forwarding section where you should tell your router to send all the incoming traffic from ports 80 (HTTP) and 443 (HTTPS) to the local IP of your server. And then you should be ready to spin up Nginx Proxy Manager or Traefik on your server.

(idk if I was clear or not but I swear it's easier that how it seems ahah)

[–] [email protected] 2 points 1 month ago

Here is an alternative Piped link(s):


use Cloudflare

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] [email protected] 2 points 1 month ago (1 children)

I personally would be hesitant to host Immich publicly until they've done a security audit. The risk of accidentally exposing my photos publicly is too big for me.

That's why I recommend using Tailscale or Wireguard directly. Personally I'm using Wireguard for me and Tailscale for other people I want to easily access my services.

[–] [email protected] 2 points 1 month ago

Your point is valid. I'll use the learnings from this thread for other, robust, services first and keep an eye on the progress of immich in terms of security.

[–] [email protected] 2 points 1 month ago

I personally just use NPM in front of all of the services I make available public. It's easy and handles the Let's Encrypt certificates also.

From my Ubiquiti router I just have port 80 and 443 forwarded to the NPM.

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

Without anything extra, there are three ways of doing it:

  1. Using Tailscale Funnel
  2. Direct port forwarding in your router, and pointing to the IP using some DDNS provider (e.g.
  3. Through Cloudflare tunnel (not recommended due to privacy reasons)

In each case, you'll need a reverse proxy (e.g. Caddy) if you want secure https connections.

If you're willing to spend money, the better way would be to proxy through a VPS (using something like a Wireguard tunnel). In that way, you won't have to open ports on your home router. You can get a very cheap one since proxying doesn't need much CPU power. Just choose one with enough bandwidth. I personally proxy most of my stuff through a $12/yr RackNerd VPS.

[–] [email protected] 1 points 1 month ago (1 children)

I'd recommend a web proxy service. It acts as a middleman, public > router > port forward to proxy / tailscale > proxy forwards by the domain to the correct service (immich).

Traefik is a good starter one. The most used but more advanced is probably nginx.

For SSL, use, there are a bunch of tools to do it and some are automated. They expire faster but are free. Tailscale is a vpn tunnel so the ssl part may not be correct and they may have their own thing though.

Also GoDaddy is like the worst, expensive, ceo has hunted animals that shouldn't be touched, and I always had outages when dealing with them. Namecheap is good, cloudflare, and porkbun.

[–] [email protected] 2 points 1 month ago (1 children)

Thanks, I'll figure the best way out based on the responses.

And lol, I did not know about GoDaddy being this bad since this was the first time I purchased a domain. Is it possible to move domains from one provider to another or do I have to wait for it to expire and then register on the other provider?

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago) (1 children)

You can transfer at any time and keep the remaining registration time. The only negative is you have to pay the new registrar a renewal fee to complete the transfer; this adds more time to your domain, you just would have to pay it early once. They often do deals for transfers especially around holidays.

[–] [email protected] 1 points 1 month ago

Thank you, I'll work it out based on what you've told me.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters   More Letters
DNS             Domain Name Service/System
HTTP            Hypertext Transfer Protocol, the Web
IP              Internet Protocol
NAT             Network Address Translation
SSH             Secure Shell for remote terminal access
SSL             Secure Sockets Layer, for transparent encryption
VPS             Virtual Private Server (opposed to shared hosting)
nginx           Popular HTTP server

[Thread #795 for this sub, first seen 10th Jun 2024, 17:25]