2024-10-31 07:53:56 +01:00
|
|
|
# Securing Immich with mTLS using Caddy
|
|
|
|
|
|
|
|
## Caddy docker-compose.yml
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
version: "3.7"
|
|
|
|
|
|
|
|
services:
|
|
|
|
caddy:
|
2024-10-31 16:24:16 +01:00
|
|
|
image: caddy:2
|
2024-10-31 07:53:56 +01:00
|
|
|
restart: unless-stopped
|
|
|
|
cap_add:
|
|
|
|
- NET_ADMIN
|
|
|
|
ports:
|
|
|
|
- "6443:443"
|
|
|
|
- "6443:443/udp"
|
|
|
|
volumes:
|
|
|
|
- ./Caddyfile:/etc/caddy/Caddyfile:Z
|
|
|
|
- ./site:/srv:Z
|
|
|
|
- ./data:/data:Z
|
|
|
|
- ./config:/config:Z
|
|
|
|
```
|
|
|
|
|
|
|
|
## Authenticating with mutual TLS
|
|
|
|
|
|
|
|
### Generate your client certificate
|
|
|
|
|
|
|
|
This is a basic way to generate a certificate for a user. If it's only you using your own homelab, then you'll just need to make one certificate.
|
|
|
|
|
|
|
|
This certificate will last for ~10 years (although of course you can revoke it at any time by deleting it from Caddy's key store).
|
|
|
|
|
|
|
|
```bash
|
|
|
|
#!/bin/bash
|
|
|
|
|
|
|
|
mkdir -p certs
|
|
|
|
|
|
|
|
# Generate CA certificates
|
|
|
|
openssl genrsa -out certs/client-ca.key 4096
|
|
|
|
openssl req -new -x509 -nodes -days 3600 -key certs/client-ca.key -out certs/client-ca.crt
|
|
|
|
|
|
|
|
# Generate a certificate signing request
|
|
|
|
openssl req -newkey rsa:4096 -nodes -keyout certs/client.key -out certs/client.req
|
|
|
|
|
|
|
|
# Have the CA sign the certificate requests and output the certificates.
|
|
|
|
openssl x509 -req -in certs/client.req -days 3600 -CA certs/client-ca.crt -CAkey certs/client-ca.key -set_serial 01 -out certs/client.crt
|
|
|
|
|
|
|
|
echo
|
|
|
|
echo "Please enter a STRONG password. Many clients *require* a password for you to be able to import the certificate, and you want to protect it."
|
|
|
|
echo
|
|
|
|
|
|
|
|
# Convert the cerificate to PKCS12 format (for import into browser)
|
|
|
|
openssl pkcs12 -export -out certs/client.pfx -inkey certs/client.key -in certs/client.crt
|
|
|
|
|
|
|
|
# Clean up
|
|
|
|
rm certs/client.req
|
|
|
|
```
|
|
|
|
|
|
|
|
## Configure Caddyfile
|
|
|
|
|
|
|
|
```Caddyfile
|
|
|
|
https://immich.mydomain.com {
|
|
|
|
tls {
|
|
|
|
client_auth {
|
|
|
|
mode require_and_verify
|
|
|
|
trusted_ca_cert_file /data/client_certs/client.crt
|
|
|
|
}
|
|
|
|
}
|
|
|
|
reverse_proxy internal_server.lan:2283
|
|
|
|
}
|
|
|
|
```
|