this post was submitted on 23 Jul 2024
271 points (98.2% liked)

Selfhosted

40218 readers
984 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Update : I made a follow-up post containing a Nginx-based solution to cache map tiles from OSM and limit the amount of PII you send

While monitoring the logs in Rethink DNS (awesome app BTW) today, I noticed the Immich app making requests to api-l.cofractal.com.

After reaching out on Immich's discord, the devs explained to me that it is used as a tile provider for the map feature. I can confirm it is not realistic to self-host a tile provider without heavily tuning down the level of details on the map (which would still require a lot of disk space and CPU time). I understand the need for a third-party service to provide the map tiles, but I'm concerned by this one.

Visiting cofractal.com only tells us that they're selling APIs. I did not find any details about the company, not even the country they're registered in. The website is also missing informations about what they are logging or not. Everything else seems gated behind a login page, but they "are not currently accepting new customers". The whois for the domain says they're in California. Digging a bit more, I find AS26073 which apparently is the same company.

This bothers me, because Cofractal gets sent every location you viewed (and the zoom level) on Immich's map, along with your client's IP address and a "Referrer" header pointing to your Immich instance. This sounds like a lot of PII to me. It's also behind cloudflare which gets to see the same stuff.

When asked about it, one dev (thanks to them for almost instantly replying to every concern/question I threw at them) explained that they personally know the people behind Cofractal. According to this Immich dev, Cofractal provides free access to its paid service to Immich's user base as a way to support the project, with the side benefit of load testing their platform.

This explanations seems plausible and reasonable to me. However, I do not personally know the people behind Cofractal, and by default, I do not trust for-profit companies to act in an altruistic way. Here's a summary of everything that makes me uneasy about this company :

  • it does not say anything about the kind of data they are logging or not
  • it requires digging through whois records to find the most basic info about the company
  • it freely provides access to its normally paid service (for the whole Immich user base), but it does not communicate about it (or it is really hard to find)
  • it does not communicate about anything : searching for its name only returns its home page and websites with informations on Autonomous Systems
  • it is "not currently accepting new [paying] customers" while providing the service for free to a quite large user base (Immich v1.109.2 got 170k downloads in 5 days, v1.108.0 got 438k downloads in 13 days )
  • It is not mentioned anywhere in the whole immich.app website (searching for site:immich.app "cofractal" gave me no result). Not even a "Thank You" or "Sponsor" note on the homepage for the free API
  • (it is behind cloudflare)

The dev I talked to encouraged me to create a feature request, and seemed favorable to adding a switch for disabling maps client side. It is already possible to disable it server-wide, and the "URL to a style.json map theme" option seems to provide a way to customize the tile provider. Which leads to this post : I'm trying to collect feedback on this before creating the feature request.

  • It should be made prominently clear to server admins that leaving maps enabled causes clients to send requests to a third party-server and give details about what is sent (viewed locations, zoom level, IP address, Immich instance URL). The Post Install Steps in the docs and a paragraph above the switch on the config page seem like good places to me. Are there other/more appropriate place for such a warning ?
  • The "URL to a style.json map theme" option should probably be renamed to make it clearer that it allows changing tile providers. Or better yet, it could be reworked to make it easier to choose which third-party you decide to trust
  • What do you think about the idea of providing instance admins with a list of choices for tile providers ? Maybe with a short pros/cons list in the docs for each provider. I'd be fine with using a more reputable provider with the extra step of configuring my own API key (which would probably require proxying requests to the tile provider to not share the API key with all clients)
  • Should the Immich server proxy requests to the tile provider in any case ? Since the tile provider has access to the Referrer and Origin headers (which is probably required for CORS), they are currently able to link user IP addresses with Immich instances. Proxying requests with the Immich server should prevent that.
  • I would go as far as making maps disabled by default for new installs. I understand that "disabling by default would be a significant downgrade for a majority of users", but I feel like there's a strong overlap between the self-hosting and privacy communities. So we should at least have some debate about it

I've also been told that I'm the first one to raise concerns about this, which leads to one more question : Did nobody complain because nobody noticed ? Or are my concerns unjustified ?

all 49 comments
sorted by: hot top controversial new old
[–] xantoxis@lemmy.world 75 points 3 months ago (2 children)
  1. Seems like a very reasonable objection to me. I'd guess that most of us Immich users are using it in the first place because it improves the privacy of our photos, and a third party seeing our location data certainly undermines that.
  2. I would have complained had I noticed, so you might be the first one to notice. Immich's userbase isn't huge right now, it's definitely possible.
  3. Featurewise, I'd like: a) a clearly documented way to disable map data leaving my server; b) a set of well-integrated choices (maybe even just two, as long as one of them is something like openstreetmap); c) the current configurability to be well documented.
  4. I'd love it if all such outbound data streams are also documented. Many security and privacy-focused products give you a "quiet" mode of some kind, where you can turn off everything that sends your data somewhere else. It's a requirement in many enterprise installations.
[–] pcouy@lemmy.pierre-couy.fr 20 points 3 months ago (1 children)

Thanks for the detailed feedback. According to one Immich dev, they used to use OSM's raster tile provider but switched away from it since they were causing too much load on OSM's servers.

There does not seem to be any non-commercial vector-tile provider at the moment (though OSM seems to be currently working on it), and it seems really overkill to try and self-host a tile provider (at least with the default level of details). Maybe the way is to find a balanced level of details that makes it reasonable to self host

[–] dan@upvote.au 27 points 3 months ago* (last edited 3 months ago) (1 children)

they were causing too much load on OSM's servers.

They could host their own caching proxy between OSM and their users though.

Also, Home Assistant uses OpenStreetMap and they have more users than Immich does.

Edit: Home Assistant does use OSM data, but they use it via another third-party called CARTO, who at least have a proper site: https://carto.com/basemaps. Tiles come from URLs like https://basemaps.cartocdn.com/rastertiles/voyager/12/657/1580@2x.png

[–] xantoxis@lemmy.world 11 points 3 months ago (1 children)

Home assistant's main use case is showing you where your house is on a single map, though. Not sure how immich works, but if it's one tile per photo with location data, that would be a MUCH bigger ask.

[–] dan@upvote.au 9 points 3 months ago (2 children)

Oh yeah, that's a good catch. Hosting their own proxy/CDN in front of OSM should be doable though.

[–] pcouy@lemmy.pierre-couy.fr 2 points 3 months ago

Or you can quite easily configure nginx as your personal caching proxy with an arbitrarily long TTL/retention duration (you can check out my follow-up post for instructions on doing that)

[–] acockworkorange@mander.xyz 1 points 3 months ago (1 children)

I can see that as a paid premium feature. There are costs to host anything.

[–] dan@upvote.au 1 points 3 months ago

At the end of the day, someone has to pay for it. Either the users pay, or Immich's developers pay, or a map provider pays (by offering it for free and covering the costs).

[–] lemmyvore@feddit.nl 8 points 3 months ago (1 children)

You could also start by denying any outside connection to anything except private IP ranges for any docker container, and only allow it on a need to have basis.

It's not enough to rely on the the good will and savvy of whoever made the software, you have to make the restrictions stick.

[–] pcouy@lemmy.pierre-couy.fr 1 points 3 months ago

It's the clients (web/android app, probably iOS too) that are making these requests.

To the best of my knowledge, the Immich server inside the container is not making requests to the outside. It is merely sending a style.json to the client displaying a map, which then fetches tiles from the Cofractal URL inside this JSON.

[–] avidamoeba@lemmy.ca 39 points 3 months ago

Completely reasonable to have this obvious and easy to toggle. In fact it should be opt-in as part of the initial setup flow.

I had no idea. I assumed the maps come from OSM.

[–] socphoenix@midwest.social 34 points 3 months ago (2 children)

I don’t use Immich, but if you open a feature request I’d suggest asking for open street maps, which offers a self hosted tile service https://www.maptiler.com/server/

[–] pcouy@lemmy.pierre-couy.fr 37 points 3 months ago* (last edited 3 months ago) (1 children)

When I mentionned that "I can confirm it is not realistic to self-host a tile provider", it's because I tried to run maptiler : it maxed out my CPU for 2 hours before my disk got filled while trying to generate the tiles from OSM data (and it was just for France)

Edit : Anyway, I don't think this should be in Immich's scope. Simply providing an easy option to switch tile providers would allow people motivated enough to host maptiler to use it

Edit bis : More details on how hard it is to host your own tile provider are available on the official OSM wiki

[–] Revered_Beard@lemmy.world 7 points 3 months ago* (last edited 3 months ago)

Requirements:

About 300GB clear disk space for the entire planet. Probably an SSD unless you like pain, suffering and watching the slow creep of old age...

Lol, no kidding!

[–] ghoscht@feddit.org 5 points 3 months ago

I can really recommend pmtiles. They are already pre-generated and easily hostable with something like Minio without the need for a dedicated server. My europe pmtile file (only one file!) is around 40-50 gb.

[–] s38b35M5@lemmy.world 21 points 3 months ago

This is a great post! I don't use immich; I use ente.io and I don't host it, but I do know they use OSM, as confirmed in #14 of their privacy policy:

Open Street Maps

I don't self host presently, but if I get my server hardware back (moved out of the country a while) I want to dabble with a self hosted photo solution, so I'm glad to have found your post that keeps this fresh in my mind.

[–] MangoPenguin@lemmy.blahaj.zone 19 points 3 months ago

I think disabling by default and having a clear explanation of what enabling it involves is good.

Maybe in the initial account creation/onboarding on a new instance, have it ask if server wide maps should be enabled using the default provider, with clear text about what that involves.

The option to use other providers sounds good too.

[–] sorter_plainview 18 points 3 months ago* (last edited 3 months ago) (1 children)

I read through your comments and the reply from devs regarding OSM. I will add a few points that can be part of the feature request. I have some experience dealing with maps, and my understanding is you can set up an offline version of OSM, which will get updated only when required.

leaflet.offline is a library which provides a similar functionality. I think with some modifications this can be implemented to significantly reduce the load on OSM that using it directly.

Even with a very large zoom level say 11 to 15, a large area of maps takes like a few hundred MBs. We once cached the entire region of California with all the details and it was around 240 MB IIRC. But Immich does not need this much details and it is possible to restrict zoom levels to certain details.

For someone self hosting several hundreds of GBs of photos, this should be doable without using too much storage. I think the problem will be that this is a huge engineering effort. Depending on the priority of the feature it may not be easy to do this.

There is a site called Switch2OSM which details almost everything you need to know. The previous link is on how to serve map tiles on your own. Again it is a daunting task and not suitable for everyone.

If anyone needs a live update of OSM as things get added, look into the commercial offerings.

In conclusion, it is possible to include a highly optimised version of OSM, instead of putting their servers under heavy load. The catch is, it is not easy and will need a huge engineering effort. I think developers should take a call on this.

[–] pcouy@lemmy.pierre-couy.fr 5 points 3 months ago (1 children)

Thanks for sharing your experience and for the links.

Do you think it would be doable to make/host a tileserver that only generates the first few zoom levels for the whole planet by default, and is able to generate tiles for more detailed zoom levels only for specific locations ? I'm thinking of a feature where Immich asks the tile server to generate the appropriate tiles based on the locations of photos. Since we only ever zoom on locations where photos have been taken, and we often take several photos at the same locations, could this decrease the requirements enough for self-hosting ?

[–] sorter_plainview 2 points 3 months ago (1 children)

If you are asking about vector maps, I am not really sure, because I have no experience with it. So can't really comment on that. On raster maps, as you already know every tile is a PNG. The behaviour you described is very similar to the client side caching that usually happens in the browser. Depending on the coordinates in the viewport and zoom level the server provides the tiles.

Usually to save the map most offline map making tools will ask you to draw a rectangle and select the required zoom levels. In an interactive map, the rectangle is the viewport of the device. So there can be a feature which will download and store the tiles around a specific gps location for a fixed geographical area. That should be doable without much issue. But in this case that may not be a good idea.

If you visualise all zoom levels stacked over each other, the images need to be retrieved when the user zooms into a point the geographical area will not stay the same. Smaller geographical area is only needed with higher zoom levels. If we only take all the tiles that get downloaded in every layer, it may produce a shape similar to an inverted pyramid. So saving the images as a user zooms in for the first time, may be the best idea.

Then the saved tiles need to be used again when users zoom in the same area. Also these tiles need not be updated frequently and maybe even once in every 3 months might be enough, that too only when the user zooms in again in that area.

This can be a little tricky as almost all the tools that create offline maps do it for a fixed area and selected zoom levels, every point in that area gets equal priority. But in this case the point is the important element. The area nearby may not be relevant at all. So that is the part that needs some exploration.

[–] pcouy@lemmy.pierre-couy.fr 2 points 3 months ago* (last edited 3 months ago) (1 children)

I'll try clarifying what I had in mind :

I tried running maptiler to generate tiles from OSM's data, which required an insane amount of time and resources (not doable for most self-hosters including myself, even for a single country) to process the data and store the results. I was wondering if there would be a way to ask maptiler (or another equivalent tool) to only generate tiles that contain points from a given set (in this case, photos) and maybe the tiles adjacent to them. What about doing this for every zoom level ? This would require generating at most zoom_levels * n_photos (* 9) if we include adjacent) tiles, and a lot less for the typical person taking several photos at the same place.

[–] sorter_plainview 2 points 3 months ago* (last edited 3 months ago)

Hey I understood what you meant. The result that you are trying to achieve is very close to the browser caching normally present is what I meant. When you zoom in it will only load that area. And I don't think you can specify the number of tiles to be a specific number, since the zoom levels are not linear.

The offline leaflet I shared in the previous comment actually does the same thing you want to achieve. The difference is the offline mode is discarded immediately when the system is back online. So that library could be modified to incorporate the time dependency and users visiting a point again I specified in the last comment, at least in theory.

Regarding OSM data, there are zip files available for downloading. Geofabrik and openstreetmap.fr are examples. Another tool is Protomaps, where you can download by drawing a polygon. But these are not going to be the ideal solution for a product like Immich.

By the way I saw your update. Great job on following up and providing a fix for others. I really really appreciate it.

[–] catloaf@lemm.ee 15 points 3 months ago

Sounds reasonable. You said they already have a switch to turn it off, which is good. I don't think it's unreasonable to have it off by default, with a button to turn it on right where the map data should appear.

[–] padge@lemmy.zip 14 points 3 months ago

Good on you for having such a detailed and well-meaning post, and good on the devs for being so receptive to ideas. I run Immich but am definitely a novice when it comes to self hosting things, so I had no idea this was going on. I don't have any suggestions for the feature request but the proposed changes to the documentation would be good for people to know its thete and can be changed.

[–] kjake@infosec.pub 13 points 3 months ago

I don’t use Immich, but want to say that your post here is very detailed and level-headed - and I appreciate it. Giving users more choice over how their data is used is always good.

[–] breakingcups@lemmy.world 9 points 3 months ago (1 children)

Wonder why they wouldn't use OSM.

[–] pcouy@lemmy.pierre-couy.fr 29 points 3 months ago (2 children)

Quoting one dev from the conversation I had on Discord :

the one run by OSM is not intended for general purpose use because that results in way too much load on their system. We used to use theirs, but as Immich grew we decided that we should relieve them of that

I guess you (and they) are talking about raster tiles, since OSM does not seem to provide vector tiles

[–] meldrik@lemmy.wtf 3 points 3 months ago

Isn’t vector tiles generated locally? A raster tile needs to be generated every time it changes.

[–] Rayzor@lemmy.ml 6 points 3 months ago

Rethink is awesome, thanks for sharing that app!!

[–] Suoko@feddit.it 4 points 3 months ago

Can immich be configured to work like pixelfed?

[–] MaggiWuerze@feddit.org 3 points 3 months ago (1 children)

@pcouy@lemmy.pierre-couy.fr The link to you lemmy is dead

[–] pcouy@lemmy.pierre-couy.fr 1 points 3 months ago (1 children)

What do you mean ? Can you give me the exact link that's not working ?

[–] MaggiWuerze@feddit.org 1 points 3 months ago

Ah, it seems to be a Photon issue, never mind

[–] MartianFox@lemmy.ml 2 points 3 months ago

They seem to have have addressed this in the new version 1.110.0 by hosting their own tile server

[–] Moonrise2473@feddit.it 1 points 3 months ago

I would have assumed that maps are disabled by default and all requests proxied by the server to some mapbox api that has been set by the admin

[–] possiblylinux127@lemmy.zip 1 points 3 months ago (2 children)
[–] meldrik@lemmy.wtf 10 points 3 months ago (1 children)

Leaflet is just the frontend. You need the actual tiles as well. You can either generate your own tiles or use something like mapbox, who generate the tiles for you and keep them updated.

[–] possiblylinux127@lemmy.zip 3 points 3 months ago (1 children)

Can't you just pull from OSM? I think that's what leaflet does

[–] meldrik@lemmy.wtf 1 points 3 months ago

You can pull from any provider you want, with Leaflet. Including OSM. But! OSM does not have the resources to provide tiles for everyone. https://operations.osmfoundation.org/policies/tiles/

[–] Decronym@lemmy.decronym.xyz 1 points 3 months ago* (last edited 3 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
SSD Solid State Drive mass storage
nginx Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 10 acronyms.

[Thread #886 for this sub, first seen 25th Jul 2024, 08:15] [FAQ] [Full list] [Contact] [Source code]