diff --git a/config/_default/params.yaml b/config/_default/params.yaml index 12fc6d0..98d8c46 100644 --- a/config/_default/params.yaml +++ b/config/_default/params.yaml @@ -9,12 +9,12 @@ hb: # see https://hbstack.dev/en/docs/modules/socials/. socials: github: https://github.com/ditatompel/insights - youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ?sub_confirmation=1 + youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ footer: # see https://hbstack.dev/en/docs/modules/socials/. socials: github: https://github.com/ditatompel/insights - youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ?sub_confirmation=1 + youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ blog: paginate: 12 # paginate. # post_thumbnail: false # whether to show the thumbnails. diff --git a/content/authors/ditatompel/_index.id.md b/content/authors/ditatompel/_index.id.md index 30df208..1386907 100644 --- a/content/authors/ditatompel/_index.id.md +++ b/content/authors/ditatompel/_index.id.md @@ -7,5 +7,5 @@ socials: github: ditatompel website: https://www.ditatompel.com patreon: svcadm - youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ?sub_confirmation=1 + youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ --- diff --git a/content/authors/ditatompel/_index.md b/content/authors/ditatompel/_index.md index d8b31e7..ca711b5 100644 --- a/content/authors/ditatompel/_index.md +++ b/content/authors/ditatompel/_index.md @@ -7,5 +7,5 @@ socials: github: ditatompel website: https://www.ditatompel.com patreon: svcadm - youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ?sub_confirmation=1 + youtube: https://www.youtube.com/channel/UCDV5fWBAvJdULelWdOa3ubQ --- diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-automatic-https.jpg b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-automatic-https.jpg new file mode 100644 index 0000000..e5f3c7c Binary files /dev/null and b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-automatic-https.jpg differ diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-dns-record.jpg b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-dns-record.jpg new file mode 100644 index 0000000..4315f11 Binary files /dev/null and b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-dns-record.jpg differ diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-encryption-mode.jpg b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-encryption-mode.jpg new file mode 100644 index 0000000..907246d Binary files /dev/null and b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/cf-encryption-mode.jpg differ diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/feature-nat-to-public.jpg b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/feature-nat-to-public.jpg new file mode 100644 index 0000000..a4e505d Binary files /dev/null and b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/feature-nat-to-public.jpg differ diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/index.id.md b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/index.id.md new file mode 100644 index 0000000..acded68 --- /dev/null +++ b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/index.id.md @@ -0,0 +1,318 @@ +--- +title: Akses Aplikasi Self-Hosted di Rumah Dari Manapun +description: Tujuan artikel ini adalah untuk menunjukkan bagaimana saya dapat mengakses foto dan video saya di rumah dari mana saja, menggunakan VPN tunnel yang terhubung ke server Immich lokal saya. +summary: Bagaimana saya dapat mengakses aplikasi Immich saya di rumah dari mana saja. +# linkTitle: +date: 2024-10-23T07:50:00+07:00 +lastmod: +draft: false +noindex: false +# comments: false +nav_weight: 1000 +categories: + - Self-Hosted +tags: + - Immich + - WireGuard + - Nginx + - Cloudflare + - DNS + - MikroTik + - AdGuard +images: +authors: + - ditatompel +--- + +Ada banyak cara untuk mengekspose _HTTP service_ yang berada dibalik NAT supaya +dapat diakses dari internet. Pada umumnya, teknik yang dilakukan adalah +melakukan _network tunnel_ menggunakan VPN dan HTTP _reverse proxy_. +[Cloudflare Tunnel][cloudflare-tunnel] adalah salah satu contoh yang +menggunakan teknik ini. + +Di artikel ini saya ingin berbagi pengalaman dan cara saya mengekspose HTTP +service yang berada di jaringan lokal ke internet menggunakan WireGuard VPN +tunnel dan Nginx sebagai _HTTP reverse proxy_. HTTP service yang akan saya +expose adalah [Immich][immich-web]. Bagi yang belum tahu, Immich adalah solusi +manajemen foto dan video yang dapat dihosting sendiri; sebuah alternatif dari +[Google Photos][google-photos]. + +Saya tidak akan membahas detail cara menginstall Immich karena proses [instalasi Immich menggunakan Docker][immich-docker-install] sangat mudah dilakukan. Saya akan lebih fokus ke konfigurasi Nginx dan VPN tunnel, serta topologi yang digunakan. + +## Prasyarat + +Sebelum memulai ada beberapa kondisi yang perlu dipenuhi, yaitu: + +1. Sebuah nama domain atau subdomain yang menggunakan Cloudflare sebagai + _authoritative DNS server_. +2. Sebuah VPS dengan IP public (sudah terinstall WireGuard dan Nginx yang + nantinya digunakan untuk _reverse proxy_ ke jaringan lokal). +3. Sebuah PC / VM / LXC di jaringan lokal untuk menjalankan Nginx, Docker dan + Certbot. + +## Topologi + +Sebelum memulai, saya ingin membagikan topologi jaringan yang saya gunakan saat +artikel ini dibuat. + +![gambar topologi jaringan](topology.jpg#center) + +Ijinkan saya menjelaskan topologi diatas dan memberikan tambahan informasi +untuk mengikuti artikel ini: + +- Subdomain yang saya gunakan untuk Immich adalah `i.arch.or.id`. +- IP publik VPS server yang saya gunakan adalah `154.26.xxx.xx`. +- IP VPS server untuk WireGuard tunnel adalah `10.88.88.51`. +- Jaringan LAN menggunakan segmen `192.168.2.0/24`. +- Immich terinstall di LXC yang berada di jaringan lokal dengan alamat IP + `192.168.2.105`. +- LXC Immich terkoneksi ke VPS server dan menggunakan IP tunnel `10.88.88.105`. +- Di LXC Immich juga terinstall Nginx dan Certbot. + +Tujuan akhir dari artikel ini adalah aplikasi Immich dapat diakses dari +internet dan seluruh perangkat yang berada pada jaringan lokal dapat terkoneksi +secara langsung ke server Immich tanpa harus memutar ke internet. + +Jadi ketika saya berada di luar rumah, saya masih tetap bisa mengakses foto dan +video saya yang berada di rumah melalui aplikasi Immich. Sedangkan saat saya +berada dirumah, saya dapat secara leluasa melakukan sinkronisasi atau upload +foto dan video lebih cepat karena terkoneksi langsung menggunakan jaringan LAN. + +## Konfigurasi + +### Cloudflare: DNS record & Edge Certificates + +Anda perlu mendelegasikan _authoritative DNS server_ ke Cloudflare kemudian +tambahkan atau arahkan `A`/`AAAA` record untuk subdomain yang akan digunakan +oleh immich ke IP public VPS Anda. Di artikel ini berarti saya mengarahkan `A` +record `i.arch.or.id` ke IP `154.26.xxx.xx`. + +![](cf-dns-record.jpg#center) + +Ada beberapa setting default dari Cloudflare yang perlu dirubah supaya LXC +dapat melakukan request sertifikat SSL menggunakan certbot, yaitu: + +1. Mengubah **mode enkripsi** ke `Full`. Caranya masuk ke manajemen domain -> + **SSL/TLS** -> **Overview**. Pada bagian **"SSL/TLS encryption"** ubah + **_encryption mode_** ke `Full`. Hal ini perlu dilakukan supaya Cloudflare + mau menerima _"self-signed certificate"_ dari _origin server_. + ![](cf-encryption-mode.jpg#center) +2. Mendisable **"Always Use HTTPS"** dan **"Automatic HTTPS Rewrites"**. + Caranya masuk ke manajemen domain -> **Edge Certificates**. Pastikan + **"Always Use HTTPS"** dan **"Automatic HTTPS Rewrites"** tidak aktif. Hal + ini perlu dilakukan supaya verifikasi SSL request dari LXC ke **Let's + Encrypt** server berjalan dengan lancar. + ![](cf-automatic-https.jpg#center) + +### VPS: WireGuard & Nginx + +Anda perlu mensetting dan menjalankan WireGuard di VPS server yang nantinya +digunakan untuk berkomunikasi dengan LXC server yang berada di jaringan lokal. +Jika Anda belum pernah melakukan konfigurasi WireGuard, Anda dapat membaca +artikel saya sebelumnya tentang [cara setup WireGuard VPN server secara +manual]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.id.md" >}}) +atau [menggunakan WireGuard-UI]({{< ref "/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.id.md" >}}). + +Kurang lebih, konfigurasi WireGuard di VPS server saya sebagai berikut: + +```plain +[Interface] +PrivateKey = SomeRandomStringThatShouldBePrivate +Address = 10.88.88.51/22 +ListenPort = 51822 + +# Immich LXC server +[Peer] +PublicKey = SomeRandomStringThatPublicMayKnow +AllowedIPs = 10.88.88.105/32 +``` + +Kemudian konfigurasi Nginx di VPS server sebagai reverse proxy ke LXC server, +kurang lebih konfigurasi Nginx saya sebagai berikut: + +```nginx +upstream immich_app { + server 10.88.88.105:443; +} + +server { + listen 80; + listen 443 ssl; + server_name i.arch.or.id; + + # Self-signed certificates + ssl_certificate /etc/nginx/certs/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/privkey.pem; + + # Acme challenge handler + location /.well-known/acme-challenge/ { + allow all; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # This avoid SSL_do_handshake() failed on HTTPS upstream + proxy_ssl_name $host; + proxy_ssl_server_name on; + proxy_ssl_verify off; + + proxy_pass https://immich_app; + } + + keepalive_timeout 70; + sendfile on; + client_max_body_size 100m; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # This avoid SSL_do_handshake() failed on HTTPS upstream + proxy_ssl_name $host; + proxy_ssl_server_name on; + proxy_ssl_verify off; + + # enable websockets: http://nginx.org/en/docs/http/websocket.html + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_redirect off; + + proxy_pass https://immich_app; + } +} +``` + +Bisa dilihat bahwa Nginx di VPS server menggunakan _Self-signed certificates_. +Hal ini tidak menjadi masalah karena kita sudah mengkonfigurasi Cloudflare +SSL/TLS **encryption mode** ke `Full`. + +Dengan konfigurasi diatas, _HTTP request_ dari internet akan melewati +Cloudflare dan menggunakan sertifikat SSL yang valid dari Cloudflare. Request +dilanjutkan ke VPS server dan kemudian diteruskan ke LXC server melalui +WireGuard VPN tunnel. + +### Lokal LXC: WireGuard, Immich (Docker), Nginx, Certbot + +Install WireGuard dan buat konfigurasi supaya bisa terhubung ke WireGuard +server di VPS. Berikut ini contoh konfigurasi WireGuard di LXC server saya: + +```plain +[Interface] +PrivateKey = SomeRandomStringThatShouldBePrivateII +Address = 10.88.88.105/22 + +# VPS server +[Peer] +PublicKey = SomeRandomStringThatPublicMayKnowII +AllowedIPs = 10.88.88.51/32 +Endpoint = 154.26.xxx.xxx:51822 +PersistentKeepalive = 15 +``` + +Kemudian, install Immich dengan mengikuti proses [instalasi Immich menggunakan +Docker dari situs resminya][immich-docker-install]. Secara default, Immich akan +menggunakan TCP port `2283`. + +Buat konfigurasi Nginx virtual host untuk Immich. Nginx di LXC ini akan +berfungsi sebagai reverse proxy dan menghandle **Acme challenge** sehingga +server LXC memiliki sertifikat yang valid. Berikut ini adalah contoh +konfigurasi Nginx virtual host untuk Immich di server LXC lokal: + +```nginx +upstream immich_app { + server 127.0.0.1:2283; +} + +server { + listen 80; + server_name i.arch.or.id; + root /srv/http/default; + + location /.well-known/acme-challenge/ { + allow all; + } + location / { return 301 https://$host$request_uri; } +} + +server { + listen 443 ssl; + server_name i.arch.or.id; + ssl_certificate /etc/nginx/certs/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/privkey.pem; + + # allow large file uploads + client_max_body_size 50000M; + + location / { + # Set headers + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # enable websockets: http://nginx.org/en/docs/http/websocket.html + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_redirect off; + + proxy_pass http://immich_app; + } +} +``` + +Dari konfigurasi Nginx diatas, perlu diperhatikan bahwa untuk konfigurasi awal +saya masih menggunakan _Self-signed certificate_. Langkah selanjutnya adalah +melakukan request sertifikat SSL menggunakan Certbot. + +> **Catatan**: Sebelum melakukan request serifikat SSL, pastikan koneksi antara +> VPS server dan LXC melalui WireGuard tunnel berjalan dengan baik. Begitu pula +> dengan konfigurasi Nginx baik di VPS server dan LXC server. + +Install certbot Nginx plugin. Di Ubuntu, Anda bisa menginstall cerbot Nginx +plugin menggunakan `sudo apt install python3-certbot-nginx`. Setelah Certbot +Nginx plugin terinstall, lakukan request sertifikat SSL dari XLC server: + +```shell +sudo certbot --nginx -d i.arch.or.id +``` + +Ubah `i.arch.or.id` ke (sub)domain milik Anda. + +### LAN: Lokal DNS resolver + +Langkah terakhir adalah mengkonfigurasi perangkat-perangkat di jaringan LAN +supaya subdomain `i.arch.or.id` mengarah ke IP lokal server LXC +(192.169.2.105). Cara paling efektif adalah menggunakan lokal _DNS resolver_ +yang bisa digunakan oleh seluruh perangkat di jaringan LAN. Untuk konfigurasi +_DNS resolver_ akan sangat bervariasi tergantung seperti apa jaringan LAN +masing-masing. + +Untuk jaringan LAN saya, saya mempunyai dua buah DNS resolver. DNS resolver +pertama berada di Router **MikroTik**, dan resolver kedua menggunakan +**AdGuard Home** yang berjalan di Linux Container. AdGuard home disini saya +gunakan juga sebagai DHCP server untuk jaringan lokal saya. + +Berikut capture konfigurasi DNS resolver di MikroTik router dan AdGuard Home +saya: + +![](lan-dns-resolver.jpg#center) + +Dengan konfigurasi tersebut, seluruh perangkat yang ada di jaringan lokal +menggunakan DHCP akan langsung akan menggunakan IP `192.168.2.105` ketika +mencoba mengakses subdomain `i.arch.or.id`. + +## limitasi + +- Karena maksimum upload di Cloudflare hanya 100MB per request (untuk free + version), maka proses sinkronisasi Immich dari internet kemungkinan besar + banyak yang gagal, terutama saat sinkronisasi video. + +[cloudflare-tunnel]: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/ "Cloudflare Tunnel" +[immich-web]: https://immich.app/ "Immich website" +[immich-docker-install]: https://immich.app/docs/install/docker-compose "Install Immich using Docker" +[google-photos]: https://photos.google.com/ "Google Photos website" diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/index.md b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/index.md new file mode 100644 index 0000000..8a5b796 --- /dev/null +++ b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/index.md @@ -0,0 +1,315 @@ +--- +title: Access Any Self-Hosted Applications at Home From Anywhere +description: The goal of this article is to demonstrate how I can access my photos and videos at home from anywhere, using a network tunnel to connect to my local Immich server. +summary: How I can access my Immich application at home from anywhere. +# linkTitle: +date: 2024-10-23T07:50:00+07:00 +lastmod: +draft: false +noindex: false +# comments: false +nav_weight: 1000 +categories: + - Self-Hosted +tags: + - Immich + - WireGuard + - Nginx + - Cloudflare + - DNS + - MikroTik + - AdGuard +images: +authors: + - ditatompel +--- + +There are many ways to expose HTTP services behind NAT so that they can be +accessed from the internet. The technique commonly employed involves setting +up a network tunnel using VPN and an HTTP reverse proxy. [Cloudflare +Tunnel][cloudflare-tunnel] is one example. + +In this article, I want to share my experience and how I expose HTTP services +on a local network to the internet using WireGuard VPN tunnel and Nginx as an +HTTP reverse proxy. The HTTP service I will expose is [Immich][immich-web]. +For those who don't know, Immich is a self-hosted photo and video management +solution; an alternative to [Google Photos][google-photos]. + +I won't discuss the details of how to install Immich because [installing Immich +using Docker][immich-docker-install] is very easy to do. Instead, I'll focus on +the configuration of Nginx and VPN tunnel, as well as the [topology +used](#topology). + +## Prerequisites + +Before we get started, there are a few conditions that need to be met: + +1. A domain name or subdomain that uses Cloudflare as its authoritative DNS + server. +2. A VPS with a public IP address (WireGuard and Nginx installed, which will + later be used for reverse proxying the local network). +3. A PC, VM, or LXC on the local network to run Immich, Nginx, Docker, and + Certbot. + +## Topology + +When writing this article, I used the following network topology: + +![network topology image](topology.jpg#center) + +To provide further context, let me break down the components of the above +topology: + +- The subdomain used for Immich is `i.arch.or.id`. +- The public IP address of the VPS server is `154.26.xxx.xx`. +- The VPS server's WireGuard tunnel IP address is `10.88.88.51`. +- The local area network (LAN) uses the `192.168.2.0/24` subnet. +- Immich is installed on an LXC container located on the local network, + with an IP address of `192.168.2.105`. +- The Immich LXC is connected to the VPS server and utilizes the IP tunnel + `10.88.88.105`. +- Nginx and Certbot are also installed on the Immich LXC. + +The ultimate goal of this article is to demonstrate how I can access my photos +and videos at home from anywhere, using a network tunnel to connect to my local +Immich server. This setup allows me to synchronize or upload files faster when +I'm at home, while still being able to access my media remotely through the +Immich application. + +## Configuration + +### Cloudflare: DNS records & Edge Certificates + +To configure Cloudflare, you need to delegate the authoritative DNS server and +add or point the `A`/`AAAA` record for the subdomain that will be used by +Immich to your VPS public IP. In this article, I pointed the `A` record +`i.arch.or.id` to the IP `154.26.xxx.xx`. + +![](cf-dns-record.jpg#center) + +To ensure that LXC on your local network can make a smooth request for SSL +certificates using Certbot, you'll need to modify several default Cloudflare +settings: + +1. Update the **encryption mode** to `Full`. To do this, navigate to domain + management -> **SSL/TLS** -> **Overview**, and modify the **"SSL/TLS + encryption"** to `Full`. This is necessary for Cloudflare to accept the + _"self-signed certificate"_ from the _origin server_. + ![](cf-encryption-mode.jpg#center) +2. Disable both **"Always Use HTTPS"** and **"Automatic HTTPS Rewrites"**. To + achieve this, go to domain management -> **Edge Certificates**, and ensure + that these features are not active. This is necessary for the SSL request + verification from LXC to the **Let's Encrypt** server to run smoothly. + ![](cf-automatic-https.jpg#center) + +### VPS: WireGuard & Nginx + +You need to set up and run WireGuard on the VPS server which will be used to +communicate with the LXC server on the local network. If you're new to +WireGuard configuration, I recommend reviewing my previous articles on [setting +up a WireGuard VPN server manually]({{< ref "/tutorials/how-to-setup-your-own-wireguard-vpn-server/index.id.md" >}}) +or [using WireGuard-UI]({{< ref "/tutorials/installing-wireguard-ui-to-manage-your-wireguard-vpn-server/index.id.md" >}}). + +Here's an example of my WireGuard configuration on my VPS server: + +```plain +[Interface] +PrivateKey = SomeRandomStringThatShouldBePrivate +Address = 10.88.88.51/22 +ListenPort = 51822 + +# Immich LXC server +[Peer] +PublicKey = SomeRandomStringThatPublicMayKnow +AllowedIPs = 10.88.88.105/32 +``` + +Next, I configured Nginx on the VPS server as a reverse proxy to the LXC +server. My Nginx configuration is similar to the following: + +```nginx +upstream immich_app { + server 10.88.88.105:443; +} + +server { + listen 80; + listen 443 ssl; + server_name i.arch.or.id; + + # Self-signed certificates + ssl_certificate /etc/nginx/certs/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/privkey.pem; + + # Acme challenge handler + location /.well-known/acme-challenge/ { + allow all; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # This avoid SSL_do_handshake() failed on HTTPS upstream + proxy_ssl_name $host; + proxy_ssl_server_name on; + proxy_ssl_verify off; + + proxy_pass https://immich_app; + } + + keepalive_timeout 70; + sendfile on; + client_max_body_size 100m; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + + # This avoid SSL_do_handshake() failed on HTTPS upstream + proxy_ssl_name $host; + proxy_ssl_server_name on; + proxy_ssl_verify off; + + # enable websockets: http://nginx.org/en/docs/http/websocket.html + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_redirect off; + + proxy_pass https://immich_app; + } +} +``` + +It's worth noting that Nginx virtual host configuration for `i.arch.or.id` on +the VPS server uses _Self-signed certificates_ for SSL/TLS encryption. This +isn't an issue, as we've previously configured Cloudflare's SSL/TLS +**encryption mode** to `Full`. + +With this configuration in place, HTTP requests from the internet are routed +through Cloudflare and utilize a valid SSL certificate from Cloudflare. The +request is then forwarded to the VPS server and subsequently to the LXC server +via the WireGuard VPN tunnel. + +### Local LXC: WireGuard, Immich (Docker), Nginx, Certbot + +Install WireGuard and configure it to connect to the WireGuard server on the +VPS. Here's an example of my WireGuard configuration on my LXC server: + +```plain +[Interface] +PrivateKey = SomeRandomStringThatShouldBePrivateII +Address = 10.88.88.105/22 + +# VPS server +[Peer] +PublicKey = SomeRandomStringThatPublicMayKnowII +AllowedIPs = 10.88.88.51/32 +Endpoint = 154.26.xxx.xxx:51822 +PersistentKeepalive = 15 +``` + +Next, install Immich by following the process outlined on its official website +for [installing Immich using Docker][immich-docker-install]. By default, +Immich will use TCP port `2283`. + +Create an Nginx virtual host configuration for Immich. On my local LXC server, +Nginx will function as a reverse proxy and handle Acme challenges to obtain a +valid certificate. Here's an example of the Nginx virtual host configuration +for Immich: + +```nginx +upstream immich_app { + server 127.0.0.1:2283; +} + +server { + listen 80; + server_name i.arch.or.id; + root /srv/http/default; + + location /.well-known/acme-challenge/ { + allow all; + } + location / { return 301 https://$host$request_uri; } +} + +server { + listen 443 ssl; + server_name i.arch.or.id; + ssl_certificate /etc/nginx/certs/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/privkey.pem; + + # allow large file uploads + client_max_body_size 50000M; + + location / { + # Set headers + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # enable websockets: http://nginx.org/en/docs/http/websocket.html + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_redirect off; + + proxy_pass http://immich_app; + } +} +``` + +From the configuration above, it is clear that I initially uses a self-signed +certificate. Later, the certificate will be automatically replaced with a valid +one from Let's Encrypt, utilizing Certbot. + +> **Note**: Before requesting an SSL certificate, ensure that the connection +> between the VPS server and LXC via the WireGuard tunnel is running smoothly. +> Also, verify that the Nginx configuration on both the VPS server and LXC +> server is correctly set up. + +Install the Certbot Nginx plugin. On Ubuntu-based systems, you can install the +certbot Nginx plugin using `sudo apt install python3-certbot-nginx`. After +installing the plugin, request an SSL certificate from the XLC server: + +```shell +sudo certbot --nginx -d i.arch.or.id +``` + +Replace `i.arch.or.id` with your (sub)domain. + +### LAN: Local DNS resolver + +The final step is to configure devices on the local area network (LAN) so that +the subdomain `i.arch.or.id` resolves to the local IP address of the LXC server +(`192.168.2.105`). A reliable approach is to use a local DNS resolver that can +be utilized by all devices within the LAN network. The configuration for this +DNS resolver will depend on the specific characteristics of each LAN network. + +For my LAN setup, I have two DNS resolvers. The first one is located on my +Router (MikroTik), and the second is AdGuard Home running on a Linux Container. +In addition, I utilize AdGuard home as a DHCP server for my local network. + +Here's a capture of the DNS resolver configuration on my MikroTik router and +AdGuard Home: + +![](lan-dns-resolver.jpg#center) + +With this setup, all devices on the local network that obtain their IP +addresses via DHCP will immediately use the IP `192.168.2.105` when attempting +to access the subdomain `i.arch.or.id`. + +## Limitations + +- Due to the 100MB per request upload limit imposed by Cloudflare (for its + free version), the Immich synchronization process from the internet is + likely to fail, particularly when synchronizing videos. + +[cloudflare-tunnel]: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/ "Cloudflare Tunnel" +[immich-web]: https://immich.app/ "Immich website" +[immich-docker-install]: https://immich.app/docs/install/docker-compose "Install Immich using Docker" +[google-photos]: https://photos.google.com/ "Google Photos website" diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/lan-dns-resolver.jpg b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/lan-dns-resolver.jpg new file mode 100644 index 0000000..2ad0924 Binary files /dev/null and b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/lan-dns-resolver.jpg differ diff --git a/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/topology.jpg b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/topology.jpg new file mode 100644 index 0000000..6bee5dd Binary files /dev/null and b/content/tutorials/access-any-self-hosted-applications-at-home-from-anywhere/topology.jpg differ