So far, my self-hosting has been limited to Pi-Hole, and a static website. I now want to try out something new, an Immich server.

I have a static IP from my ISP, so I don’t need to rent out a VPS. However, given that this IS a home internet, I want to be extra sure that it is going to be secure.

In my existing website, I use Fail2Ban + BadBotBlocker + Anubis + Nginx rate limits to protect it from scrapers, bots and malicious users, and it works well. With photos (especially family photos) at stake, I just want to know more on how to protect my server.

Add: thanks for the helpful replies. I will be sharing the photos with family, many of whom live abroad.

  • Decronym@lemmy.decronym.xyz · 6 days ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters   More Letters
    CA              (SSL) Certificate Authority
    DNS             Domain Name Service/System
    NAT             Network Address Translation
    TLS             Transport Layer Security, supersedes SSL
    VPN             Virtual Private Network

    5 acronyms in this thread; the most compressed thread commented on today has 4 acronyms.

    [Thread #10 for this comm, first seen 12th Jun 2026, 13:10]

    • nfms@lemmy.ml · 14 days ago

      I think this should be talked about more. Does every selfhosted app need to be public facing?
      I use Immich as a backup service, so I really don’t have any need to have it public facing. It connects when I’m home. Same with contacts/calendar.

      • daniskarma@lemmy.dbzer0.com · 14 days ago

        I have many services that don’t “need” to be public as public-facing for one specific reason: TLS.

        A lot of the time Android apps won’t connect to HTTP addresses, not even local ones, and require a proper HTTPS connection with a well-known CA.

        For that I put the services behind a Caddy reverse proxy to get a valid TLS certificate.

        And then I do the trick, and basically on Caddy reject any connection that’s not local. Thus making the supposedly “public” site a practical “local” one.

        Once there I just connect through WireGuard.
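
The setup described in the comment above, written out as a Caddyfile. This is an added example, not daniskarma's configuration or anything posted in the thread; the hostname, the LAN and WireGuard subnets, and the upstream address are assumptions to replace with your own.

```caddyfile
# Constructed example. photos.example.com, both subnets and the
# upstream address are placeholders, not values from the thread.
photos.example.com {
    # Caddy obtains a publicly trusted certificate for this name
    # automatically. ACME challenges are answered by Caddy itself
    # before the handlers below run, so issuance and renewal still
    # work while every ordinary request from outside is refused.

    # remote_ip matches the address of the TCP peer, not a
    # client-supplied header such as X-Forwarded-For, so a remote
    # client cannot claim to be local by sending a header.
    # Listing only the subnets actually in use is narrower than
    # allowing every private range.
    @local remote_ip 192.168.1.0/24 10.8.0.0/24

    # Home LAN and WireGuard peers reach the application
    # (assumed to listen on the same host).
    handle @local {
        reverse_proxy 127.0.0.1:2283
    }

    # Everyone else: close the connection without sending a response.
    handle {
        abort
    }

    # Keep an access log so the filter can be checked.
    log
}
```

After deploying, make one request from the LAN or tunnel and one from an outside connection, and confirm in the access log that the remote address Caddy records is the real client address. If a NAT layer or container network in front of Caddy rewrites source addresses to a private one, every client would match `@local`.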

        • nfms@lemmy.ml · 12 days ago

          Clever. I’m just starting to mess with Caddy. Been struggling with Vaultwarden lately and your solution might fit my needs.

          • trilobite@lemmy.ml · 6 days ago

            Yeah, I got stuck on this a few months ago when trying to set up Vaultwarden. I gave up for the time being. I need a proper guide that walks you through all the steps :-)