Specifically from the standpoint of protecting against common and not-so-common exploits.

I understand the concept of a reverse proxy and how works on the surface level, but do any of the common recommendations (npm, caddy, traefik) actually do anything worthwhile to protect against exploit probes and/or active attacks?

Npm has a “block common exploits” option but I can’t find anything about what that actually does, caddy has a module to add crowdsec support which looks like it could be promising but I haven’t wrapped my head around it yet, and traefik looks like a massive pain to get going in the first place!

Meanwhile Bunkerweb actually looks like it’s been built with robust protections out of the box, but seems like it’s just as complicated as traefik to setup, and DNS based Let’s Encrypt requires a pro subscription so that’s a no-go for me anyway.

Would love to hear people’s thoughts on the matter and what you’re doing to adequately secure your setup.

Edit: Thanks for all of your informative replies, everyone. I read them all and replied to as many as I could! In the end I’ve managed to get npm working with crowdsec, and once I get cloudflare to include the source IP with the requests I think I’ll be happy enough with that solution.

  • butitsnotme@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    6 months ago

    The peer range shouldn’t be your LAN, it should be a new network range, just for WireGaurd. Make sure that the server running Immich is part of the WireGaurd network.

    My phone and laptop see three networks: the internet, the lan (192.168.1.0/24, typically) and WireGaurd (10.30.0.0/16). I can anonymize and share my WireGaurd config if that would help.

    • TedZanzibarOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      6 months ago

      Yes please, I might revisit it with a fresh pair of eyes.

      • butitsnotme@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        Here are a few more details of my setup:

        Components:

        • server
        • clients (phone/laptop)
        • domain name (we’ll call it custom.domain)
        • home router
        • dynamic DNS provider

        The home router has WireGuard port forwarded to server, with no re-mapping (I’m using the default 51820). It’s also providing DHCP services to my home network, using the 192.168.1.0/24 network.

        The server is running the dynamic DNS client (keeping the dynamic domain name updated to my public IP), and I have a CNAME record on the vpn.custom.domain pointing to the dynamic DNS name (which is an awful random string of characters). I also have server.custom.domain with an A record pointing to 10.30.0.1. All my DNS records are in public DNS (so no need to change the DNS settings on the computer or phone or use DNS overrides with WireGuard.)

        Immich config:

        version: "3.8"
        
        services:
          immich-server:
            container_name: immich_server
            image: ghcr.io/immich-app/immich-server:release
            entrypoint: ["/bin/sh", "./start-server.sh"]
            volumes:
              - ${UPLOAD_LOCATION}:/usr/src/app/upload
            env_file:
              - .env
            ports:
              - target: 3001
                published: 2283
                host_ip: 10.30.0.1
            depends_on:
              - redis
              - database
            restart: always
            networks:
              - immich
        

        WireGuard is configured using wg-quick (/etc/wireguard/wg0.conf):

        [Interface]
        Address = 10.30.0.1/16
        PrivateKey = <server-private-key>
        ListenPort = 51820
        
        [Peer]
        PublicKey = <phone-public-key>
        AllowedIPs = 10.30.0.12/32
        
        [Peer]
        PublicKey = <laptop-public-key>
        AllowedIPs = 10.30.0.11/32
        

        Start WireGuard with systemctl enable --now wg-quick@wg0.

        Phone WireGuard configuration (iOS):

        [Interface]
        Name = vpn.custom.domain
        
        Private Key = <phone private key>
        Public Key = <phone public key>
        
        Addresses = 10.30.0.12/32
        Listen port = <blank>
        MTU = <blank>
        DNS servers = <blank>
        
        [Peer]
        Public Key = <server public key>
        Pre-shared key = <blank>
        Endpoint = vpn.custom.domain:51820
        Allowed IPs = 10.30.0.0/16
        Persistent Keepalive = 25
        
        [On Demand Activation]
        Cellular = On
        Wi-Fi = On
        SSIDs = Any SSID
        

        This connection is then left always enabled, and comes on whenever my phone has any kind of network connection.

        My laptop (running Linux), is also using wg-quick (/etc/wireguard/wg0.conf):

        [Interface]
        Address = 10.30.0.14
        PrivateKey = <laptop private key>
        
        [Peer]
        PublicKey = <server-public-key>
        Endpoint = vpn.custom.domain:51820
        AllowedIPs = 10.30.0.0/16
        

        My wife’s window’s laptop is configured using the official WireGuard windows app, with similar settings.

        No matter where we are (at home, on a WiFi hotspot, or using cellular data) we access Immich over the VPN: http://server.custom.comain:2283/.

        Let me know if you have any further questions.

        • TedZanzibarOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 months ago

          Thanks, I’ll muse over this when I next get the chance!