Security by obscurity the 100% least effective security measure! Wait what? MS left the government knowingly vulnerable for years for the shareholders?! That's some good security right there!
seang96
Are you tunneling for just the 5G connection to expose your services or just tunneling everything?
From my limited Raspberry Pi experience I believe their single core performance isn't great and Synapse at least is single threaded. You'd have to use workers to utilize the other cores. If you have multiple Pi devices you could also utilize workers on different Pis and hosting Postgres on one. Using only one, it would likely be quite slow like others noted.
Reverse proxy and Let's Encrypt. Doing custom certificates is more difficult and you would need to install and trust the certificate on all devices.
FUTO is the only one to my knowledge that doesn't rely on the Google library but it also isn't as good.
With Unifi APs you can set the minimum RSSI on the individual devices which makes them kick the device off and then the device will generally attempt to connect to the AP with the best signal. This is an advanced setup and some devices might not like getting kicked off though.
https://caddy.its-em.ma/v1/docs/limits you appear to be correct, it's something else. Reviewing logs of Immich and if the images uploaded can be accessed would be good info to start with.
Are you using a web proxy? I am guessing it may be doing partials because of the upload limit of the proxy.
The proxy you are using seems like a good one and if you are using auth on it you aren't exposing the services under it directly, so the vulnerability would be proxy or your password to reach any potential vulnerabilities on the service. Sure there could be some crazy bad vulnerability on the proxy, but as long as you're using a good trusted one and not doing some config to bypass their security, and updating it, you should be fine. Some people here think you could use VPNs and such for everything and sometimes you just gotta share your services and going through a proxy service is a good solution.
From the link in the post it's a reverse proxy backed by terminos which is a secure OS for Kubernetes and is really good, so I imagine this proxy is also really good. So OP's setup is already likely fine as is.
The Google proprietary part is E2EE on RCS that uses Signal and MLS. It is not a standard in the RCS specs.
Honestly I believe it. I had a VP of sales / marketing overriding requirements making them more difficult from the CEO after getting screamed at by the CEO who wanted the product (bono project) to be quick and easy for initial release.
He also ordered IT garbage for a site once (consumer PCs running Windows not server edition).
And to top it all off went behind supervisors' backs in engineering departments asking for daily spreadsheets tracking their time because "if you can go to the bathroom you have time for this."
All leadership was toxic though like the CEO screaming at him lol.