I’m the bad guy that installed my CA where needed lol but nice!
My current backup strategy is BTSync, which, while super easy to get going, is a pain in the ass to look up old images. Using direct IP on the app works perfectly, and the DNS lookup only works internally anyways.
All that to say that I’m probably going to use it and remove the btsync approach in a couple months.
All the traffic is internal, so I can get away with it 🙃
Really was just interested in what cert generation entailed and did a fun little dive a few years back.
I’ve been using it for about a month, and love it.
My one complaint: self-signed certs on reverse proxies seem to break the Android app backup. I’m not sure why, but internal CA seems to make things angry. It’s more likely to be a local setup issue than anything in Immich, but frustrating to pin down.
My approach was to set it all up internally, create a WireGuard VPN access point, and only open that up. That way I don’t have as much to worry about within the network (I still use generated passwords for things) and am able to access it anywhere.
Granted, you asked about opening up to the www. I’d suggest buying a domain through cloudfront, setting up an nginx instance that proxies traffic (think nextcloud.mydomain.com), and have it only accept connections from cloudfront servers.
That allows you SSL termination, pretty good bot coverage, and a nice domain name to share as needed.
Here’s how I generated the CA:
# openssl genrsa -des3 -out my-ca.key 2048
# openssl req -x509 -new -nodes -key my-ca.key -sha256 -days 1825 -out my-ca.pem
I’m sure I’ll receive flak for how I went about it, but importing that pem into the “install certificates” bit of the settings works like a charm.
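The commands above stop at the CA itself. As an added example (not the poster's own commands), this is one way to issue a reverse-proxy certificate from such a CA and check that it chains to the CA and matches the hostname. The hostname, the file names other than my-ca.key and my-ca.pem, the 397-day lifetime and the passphrase-less CA key are assumptions made so the script runs unattended.

```shell
#!/bin/sh
# Added example: issue a server certificate from a private CA and verify it.
# All names below are constructed placeholders, not values from the thread.

# make_chain DIR HOST: create a CA, then a CA-signed leaf certificate for HOST.
make_chain() {
    dir=$1; host=$2
    # CA key and self-signed CA certificate. The post's -des3 variant prompts
    # for a passphrase; it is omitted here only so the script runs unattended.
    openssl genrsa -out "$dir/my-ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/my-ca.key" -sha256 -days 1825 \
        -subj "/CN=Example Home CA" -out "$dir/my-ca.pem"
    # Server key and signing request for the reverse proxy.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    # Leaf extensions: not a CA, server-auth only, hostname in subjectAltName
    # (TLS clients match the name against the SAN, not the CN).
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/my-ca.pem" \
        -CAkey "$dir/my-ca.key" -CAcreateserial -sha256 -days 397 \
        -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
}

# check_chain DIR HOST: succeeds only if server.pem chains to my-ca.pem
# and its SAN matches HOST.
check_chain() {
    openssl verify -CAfile "$1/my-ca.pem" -verify_hostname "$2" \
        "$1/server.pem" >/dev/null 2>&1
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
make_chain "$work" photos.home.example
check_chain "$work" photos.home.example && echo "chain and hostname OK"
check_chain "$work" other.home.example || echo "wrong hostname rejected"
rm -rf "$work"
```

The reverse proxy is given server.pem and server.key; only my-ca.pem is imported on client devices, and my-ca.key stays off the proxy.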