[Guide] Cloudflare Tunnels with SSO/OAuth working for immich

[shanelord01]

I've just set this up using Cloudflare Tunnels and a SaaS App for immich. This assumes you've setup an Auth Provider in Cloudflare Zero Trust Settings/Authentication already. Example setup for Google here.

1. In Cloudflare Zero Trust / Networks

   • Setup a public hostname in Networks/Tunnels for (ie immich.yourdomain.com) in your tunnel with no access control

2. In Cloudflare Access, setup a SaaS application called immich

   • Follow the OAuth setup for immich here.

   • In Cloudflare setup the redirect URI's for Mobile, Local IP and Hostname ("public hostname" set in step 1 above)

     • Choose OpenID Connect (OIDC)
     • Set "Scopes" to openid email profile
     • You should have at least these setup for Redirect URIs/Origins:

       https://immich.yourdomain.com/api/oauth/mobile-redirect
       http://local_IP:2283/auth/login
       http://local_IP:2283/user-settings
       https://immich.yourdomain.com/auth/login
       https://immich.yourdomain.com/user-settings
       

       Note: Replace "local_IP" with local LAN IP address for immich server, and "immich.yourdomain.com" with your public domain.

   • Disable "Proof Key for Code Exchange (PKCE)"

   • Set your App Launcher URL to your https://immich.yourdomain.com/ set in step 1.

   • Add a custom icon link.

   • Under "Policies", add a policy:

     • Policy name: email
     • Action: Allow
     • Create Additional Rules: Include Login Methods: Your Auth provider

   • Under Authentication, set it to whichever Identity Providers you want to support.

3. In immich:

   • Go to Administration/Settings/OAuth Authentication
   • Input the values provided by Cloudflare access for Issuer (Issuer URL), Client ID and Client Secret.
   • Click Save.

Once tested working, you can do the following final steps in immich:
- Enable "Auto Launch" to streamline things.
- Under "Password Authentication", disable it (forcing users to use OAuth).

Working perfectly for me and works with the app too!

[loopiv]

Can confirm that this works great. Thanks so much!

[kerhbal]

thanks, it works for me. though I have to set the the override redirect url https://immich.xxx.com/api/oauth/mobile-redirect to make it work

[alok-sin]

This gives me 404 on mobile (android). I am using cloudflare tunnel to avoid port forwarding. Do I need to configure a 301 somewhere so that https://immich.xxx.com/api/oauth/mobile-redirect redirects to app.immich:///oauth-callback?

[CyanicCipher]

Yeah, having a similar issue, attempted to set up a 301 at the mobile-redirect and the app thinks it is an older version, "Pinging sever with response code 200" from the logs. Works fine through web app. Using the updated "app.immich:///oauth-callback"

[mmomjian]

@shanelord01 would you be willing to write this up for the Guides section of the docs?

[shanelord01]

Happy to. I’ll get to it when back from my weekend away.

[mmomjian]

Hey @shanelord01 hope you're doing well. Wanted to check in to see if you are still interested in making a PR to add this to the docs or if you'd rather I do it? Seems like this has helped a lot of users.

[shanelord01]

Hi @mmomjian I have written one and submitted - seems there's an error in the pull request I don't know how to fix: #8614

[mmomjian]

Oh I see that now. The errors aren’t a problem - it will probably get merged soon.

[bshor]

So far I've been using Cloudflare tunnel to enable me to set up a custom domain name for my self-hosted apps. This has worked pretty well with Immich. But the way it works is that I still have to enter a password and username. If I understand this tutorial, this would use Cloudflare to bypass the Immich login screen, which sounds great.

But I'm presented by options I don't understand.

On the very first page of "Add an application" (after selecting SaaS under Access), it asks me whether I want SAML or OIDC. I don't know what to choose so I pick SAML. Then I see this (and more).

I'm not sure how to proceed.

ps I'm not sure how to "Follow the OAuth setup for immich here"

[shanelord01]

You need to select OIDC.

I’ll try and put more info in the guide when I write it.

[lyassinel]

thank you for your guide, but unfortunately I'm the opposite of an expert in this field. I managed to configure my immich correctly but here I can't understand your guide exactly. Could you detail the steps to accomplish this? I have not been able to complete the step with the redirections, nor have I been able to complete the immich Oauth guide.

Thank you

[maxmlvc]

It works great. Thank you!!

[davidrudlstorfer]

Thanks for your guide! Until now I wasn't able to setup Cloudflare Zero Trust with Immich. Does your proposed solution also work with the mobile app? Thanks in advance!

[selimovd]

Yes it does, just set it up myself with this tutorial 😊

[bryan065]

Just wanted to say thanks! Confirmed it works on web and mobile

[renfie]

Unfortunately, it doesn't work for me. The following error message is displayed:

{"error":"invalid_request","error_description":"Invalid redirect_uri - does not match configured values"}
The following redirect URLs are stored:

https://immich.xxx.de
https://immich.xxx.de/api/oauth/mobile-redirect
https://immich.xxx.de/auth

[bryan065]

You've got your redirect URL's wrong.

• http://DOMAIN/auth/login

• http://DOMAIN/user-setting

• http://DOMAIN/api/oauth/mobile-redirect

Step 1:

CloudFlare guide to get google OAuth working with CloudFlare Access:
https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/google/

• follow above guide to get CloudFlare access working with Google OAuth

Step 2:

• Create your CloudFlare SaaS app as the original op instructions. Use the redirect URLs from immich (above).

Step 3:

• Then make sure you grab the client ID, secret, and issuer URL from the CloudFlare SaaS app that you had made.

• The CloudFlare issuer URL should be https://[TEAM_NAME].cloudflareaccess.com/cdn-cgi/access/SSO/oidc/xxxxxxx

• Enter that info into immich OAuth settings.

I can do a detailed write-up once I'm at a PC.

Edit: I've just set up several instances all with CloudFlare access and google OAuth. Migrating all the photos over from NextCloud memories was a breeze (immich-go).

[renfie]

Thank you very much @bryan065, I will give it a try. It's definitely nicely detailed.

[Cicoz]

a little late, but try going inside immich settings / 0auth / activate MOBILE REDIRECT URI OVERRIDE and add https://YOURDOMAIN/api/oauth/mobile-redirect

worked for me

[alok-sin]

This gives me 404 on mobile (android). I am using cloudflare tunnel to avoid port forwarding. Do I need to configure a 301 somewhere so that https://immich.xxx.com/api/oauth/mobile-redirect redirects to app.immich:///oauth-callback?

[PatrickA3]

This works great! Thank you very much!

[GHerce]

This is the best writeup I've seen for getting OAuth to work. Thank-you @bryan065!

Upon selecting "Login with OAuth" button, select google account, enter password. I am returned to the login page with the message: "Error in OAuth discovery: AggregateError."

Have others come across this? I have double-checked my work against these instructions, and I can't see what I may have fat-fingered.

From my windows desktop, i start edge browser, enter my App Launcher URL as specified in cloudflare tunnel configuration. The cloudflare tunnel is linked to a my NAS running openmediavault.

The log with bitdefender enabled
immich_server | [Nest] 7 - 04/11/2024, 2:08:50 AM ERROR [AuthService] Error in OAuth discovery: AggregateError
immich_server | [Nest] 7 - 04/11/2024, 2:08:50 AM ERROR [AuthService]

The log with bitdefender disabled
immich_server | [Nest] 7 - 04/11/2024, 2:05:02 AM ERROR [AuthService] Error in OAuth discovery: Error: getaddrinfo EAI_AGAIN .cloudflareaccess.com
immich_server | [Nest] 7 - 04/11/2024, 2:05:02 AM ERROR [AuthService] Error: getaddrinfo EAI_AGAIN .cloudflareaccess.com
immich_server | at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:118:26)

[shanelord01]

"EAI_AGAIN" is a DNS lookup timeout error - ie it can't find the domain it's looking for. Have you got the "ISSUER URL" address correct in immich OAuth settings?

Check you can ping cloudflareaccess.com first:
ping cloudflareaccess.com

You should get an IPv4 or IPv6 reply. If that doesn't work your router is doing something funky. If it does work:

Currently that log shows it's just going to ".cloudflareaccess.com" - which may mean the Issuer URL is wrong. Check the address shared in Cloudflare Zero Trust/Access/Applications/immich/Overview then under "Issuer" and make sure that is in the immich OAuth "ISSUER URL" field.

[GHerce]

Thank-you shanelord01! I omitted my full team name when I pasted to the forum, and thought I had included to make that distinguishment. I didn't do anything but wait 24 hours, and it mysteriously worked. I'll take it. Again, THANK-YOU so much!

[aad4321]

Great article. So i got this working and with multiple email addresses. I am using Google in cloudflare as the auth provider but I have 2 questions.

1. It looks like you can still login with local credentials and not use oauth? The main reason I wanted to so this was to provide MFA no matter how you login. Can local account login be disabled or hidden?

2. How does this work with sharing photos for non registered users. Will they be hit with the cloudflare auth page?

[shanelord01]

@aad4321

1. Disable "Login with email and password" under immich Administration/Settings/Password Authentication
2. Sharing works fine - no need to login! Just make sure your domain is set correctly in immich Administration/Settings/Server Settings/EXTERNAL DOMAIN

[jarrah31]

I'm hoping someone can help spot my silly mistake somewhere please because I can't find where the problem is... Basically I get the following error:
{"error":"invalid_request","error_description":"Invalid redirect_uri - does not match configured values"}

I can browse to the URL and see the Immich logon prompt where I select "Login with OAuth" (which at least indicates the public hostname tunnel is working ok). I click the link and I'm prompted to sign in with Google as my OAuth provider. It then redirects me to the above error message.

Here are my Cloudflare redirect URLs:

Within Immich I've double checked the Issuer URL is correct:

The Policy looks ok:

Plus Authentication is set up to use Google which looks ok too.

I honestly can't spot the problem so apologies if I've missed something obvious. :)

[ext4xfs]

same

[ext4xfs]

The workaround is to add the /api/oauth/mobile-redirect instead, and make sure that's configured in immich as the same URL

[BourbonDoc]

This is the way. Got everything back up and running. Thanks!

[alok-sin]

This gives me 404 on mobile (android). I am using cloudflare tunnel to avoid port forwarding. Do I need to configure a 301 somewhere so that https://immich.xxx.com/api/oauth/mobile-redirect redirects to app.immich:///oauth-callback?

[alextran1502]

@alok-sin the mobile redirect should be a standalone redirect since it is for the mobile device knows which app should be redirected to after completing the flow

[tfred93]

I have followed the guide and was able to set this up correctly for the web links. I am having trouble setting up for the mobile. When I enter the server endpoint URL into the app, using the same link as i would on the web, it brings me to the (Email/Password) screen. I have disabled this to only allow the oauth login method. I also do not have the option to use the oauth login method in the app. Did I miss a step in setting this up?

my redirects for set up in cloudflare are the 5 listed in the original post and also the http://domain/api/oauth/mobile-redirect link. (domain being my specific domain)

[tusc]

Great article, managed to get this to work after figuring out I fat-fingured the redirect URLS. For those that are getting "Invalid redirect_uri" you might want to double check the redirect URL entries. That was causing the error when accessing the site.

One question, I'm trying to determine the best way to log IP addresses from clients accessing the site. Are the two option availble include:

1. Enable verbose logging within Immich?
2. Setup a reverse proxy in front of Immich?

[camilosampedro]

There is a Logging section in the Web UI settings page, where you can set the "LEVEL" to debug or verbose, but even verbose doesn't add much info to the logs related to OAuth

[yonesmit]

Hi,
Thanks a lot for the guide. I followed it and it works ok except in iOS mobile app.
When I use iOS mobile app I select "Login with OAuth", I select my gmail account, enter password, etc and then app go back to login screen.
The same as @tfred93 reported, but for me it works correctly with Android mobile app (of course also works with browsers).
When I go to Cloudflare Access Logs I can see the my login attampt is correct (Access granted) same as when I login from browser so seems a iOS app problem or redirect problem.
Can somebody help?
Thanks in advance
Best Regards

[TajAFK]

I have the same problem. Did you find any solution yet ?

[TajAFK]

Earlier, immich was on synology and now i had installed it on Qnap. Surprisingly it worked on mobile too. Really no idea, what has changed.

[yonesmit]

The solution I found to make this work with iOS mobile was:

• Enabling MOBILE REDIRECT URI OVERRIDE in Immich settings and setting MOBILE REDIRECT URI to: https://immich.MYDOMAIN/api/oauth/mobile-redirect
• Redirecting this URL (https://immich.MYDOMAIN/api/oauth/mobile-redirect) in Cloudflare.
  With these changes the iOS app logins correctly for me.

Thanks again to all.

[TajAFK]

Thanks, i did as you said but still did not work. Issue only persist on ios and android works fine.

[ty-han]

Thank you sooo much for this. Got it up and running perfectly. Questions though:

• How do I limit SSO to specific google accounts? In the users section of immich it only allows you to add standard login users (with passwords required).
• My admin account was created using standard login, but i would like to limit login to SSO only. How could I migrate that standard/admin account to an SSO account?

Thank you!

[ty-han]

Woops. Figured it out, for anyone else who might have this question. Just needed to add the users to Immich with their google email and a random password, and then they were able to sso.

[kiwijunglist]

Thanks for guide, I am a noob and I got briefly stuck on three points.

#1 Invalid redirect URL

You can't enter the "Redirect URLs" until you enter the "App launcher URL" which is further down the page. After you enter the "app launcher URL", you can scroll back up to the top and input the Redirect URLs.

#2 Got an error when I tried to save the new app configuration

I had to remove the "app.immich:/" redirect URL to allow me to save the app.

#3 I got failed to finish auth error when I tried to login to immich using oauth.

This is because to get a client secret for the first time you have to click the reset client secret button, to generate the initial client secret (by default it is set to just 4 stars).

[bdcooke]

Thank you so much for this comment! I had the same issue of "failed to finish oauth" and couldn't figure out where I went wrong.

[kiwijunglist]

I set this up as per guide, but using this guide anyone can access the immich login page, this seems really bad, wouldn't it be better if you had to authenticate with cloudflare before being shown the immich login?

[shanelord01]

If setup correctly the Cloudflare OAuth page should be presented and immich won't be accessible until you authenticate.

[rumblefrog]

My initial impression of this is that Immich is not reachable or no ingress at all until you authenticate with Cloudflare, and then you authenticate again with Immich, like a two factor.

Rather it's Immich being reachable, and Immich redirects you to Cloudflare's auth flow. But it sounds like you can achieve the former if you use "self-hosted" application rather than SaaS? Perhaps you can combine both self-hosted & SaaS for ingress gating and also Immich SSO gating?

[bryan065]

My initial impression of this is that Immich is not reachable or no ingress at all until you authenticate with Cloudflare, and then you authenticate again with Immich, like a two factor.

Rather it's Immich being reachable, and Immich redirects you to Cloudflare's auth flow. But it sounds like you can achieve the former if you use "self-hosted" application rather than SaaS? Perhaps you can combine both self-hosted & SaaS for ingress gating and also Immich SSO gating?

You can set up CloudFlare access rules (selfhosted) to do that. Immich won't be reachable until you login to CloudFlare. Then you can setup the CloudFlare SaaS app to sign into immich itself.

Confirmed it works and I've had it like that myself for awhile. However, you won't be able to access immich through the mobile apps as there's no way to verify/login with cloudflare through the apps.

You can setup additional whitelist rules if you know the user agent for the app or something but I haven't done that myself.

If or when the mobile apps support custom mTLS certs, you'll be able to setup authentication that way.

[rumblefrog]

My initial impression of this is that Immich is not reachable or no ingress at all until you authenticate with Cloudflare, and then you authenticate again with Immich, like a two factor.
Rather it's Immich being reachable, and Immich redirects you to Cloudflare's auth flow. But it sounds like you can achieve the former if you use "self-hosted" application rather than SaaS? Perhaps you can combine both self-hosted & SaaS for ingress gating and also Immich SSO gating?

You can set up CloudFlare access rules (selfhosted) to do that. Immich won't be reachable until you login to CloudFlare. Then you can setup the CloudFlare SaaS app to sign into immich itself.

Confirmed it works and I've had it like that myself for awhile. However, you won't be able to access immich through the mobile apps as there's no way to verify/login with cloudflare through the apps.

You can setup additional whitelist rules if you know the user agent for the app or something but I haven't done that myself.

If or when the mobile apps support custom mTLS certs, you'll be able to setup authentication that way.

Thanks for this, I ended up setting up a mix of everything.

• CF Self hosted application to allow friends to authenticate via Google via large predefined list
• CF SaaS application for the Immich SSO, has a smaller set of emails with Google auth with only emails of those with Immich account, I enabled auto registration with this
• Tailscale for myself to work with mobile apps, my family/friends only need to access it via browser

[HeyJ0e]

I just spent hours to set this up, just to realize that there is a 100MB upload size cap. It's probably a deal-breaker for anyone who wants to upload videos as well. I think this should be noted at the very beginning.

[chiquinales]

Thanks!
Working for me.

[tomganleylee]

Works great thank you :) did have to untick "Auto Register" to stop people being able to make accounts

[Marco10S]

Amazing! Cloudflare now middleware the login page and it works great with mobile app too.
if your policies are well set, you can trust it to be public.

Thanks again!

[CodeWithCJ]

Awesome. It worked. I followed these steps except I used Cloudflare OneTime email password instead of using Google Authentication. This makes things easier for me in terms of configurations that I need to maintain.

[Qhilm]

For those using this, can you confirm what size of video you are able to upload to immich through cloudflare? There is supposed to be a max, something like 250 or 500MB, I'd be interested in hearing some real world experience with this.

[CodeWithCJ]

I had an issue with large video files even when I connect via local WIFI skipping Cloudflare. Adding this worked for most of the videos. But randomly some videos doesn't upload. For them, i have manually upload via Web.

Adding this under advanced section of Nginx Proxy Manager(NPM) resolved most of the issues.

proxy_set_header Host              $http_host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect     off;

real_ip_header    X-Forwarded-For;
real_ip_recursive on;
client_max_body_size 50000M;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout       600s;

[bmccann16]

I may know the answer to my own question....

I use NGINX proxy manager (NPM) to forward traffic arriving from the cloudflare (CF) tunnel. NPM and CF run on the same virtual machine so the CF configuration file (/etc/cloudflared/config.yml) is exceedingly simple:

ingress:
  - hostname: "*.mydomain.org"
    service: http://localhost:80

CF forwards everything to the local NPM which is then configured to send stuff to my other services.

I assume inserting NPM in the middle of this integration of CF tunnels, SSO/Oauth, and Immich will break something. But, can I make this solution work by simply making the CF tunnel forward Immich traffic directly to my Immich instance, like this?

ingress:
  - hostname: "immich.mydomain.org"
    service: http://mylocalimmichserver:2283
  - hostname: "*.mydomain.org"
    service: http://localhost:80

Thank you...

[CodeWithCJ]

If you want to format to NPM, you need to use immich.mydomain.org under the cloudflare tunnel. Cloudflare doesn't need to know the ip/localhost and port. This way it directly goes to NPM and NPM will translate immich.mydomain.org to destination IP and port.

CloudflareTunnel: You can see Tunnel is making immich.mydomain.org points to immich.mydomain.org. Almost its pointing itself isn't? But it is not. Because NPM going to take care of it.

NPM: Now translate immich.mydomain.org to IP:port

I also have Adguard Home telling immich that immich.mydomain.org is 192.168.1.111

Now Cloudflare points to NPM and NPM with help of Adguard Home, points to my Immich in my local server.

I also have below items under NPM advanced section under IMmich to forward real IP from cloudflare to immich logs and increase timeout, size etc.

proxy_set_header Host              $http_host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect     off;

real_ip_header    X-Forwarded-For;
real_ip_recursive on;
client_max_body_size 50000M;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout       600s;

[CodeWithCJ]

In Cloudflare tunnel it didn't allow call back. So I have to enable below settings in Immich to make it work for my iPhone.

[kgkolev]

For the SaaS application option, here are few things I did in addition to tighten things up:

1. On the main CF console: https://dash.cloudflare.com/
2. Go to Websites > Select on the right
   1. SSL/TLS > Edge Certificates
      1. Ensure Automatic HTTPS Rewrites is enabled to auto-redirect HTTP calls, not sure if this was on for me by default.
   2. Rules > Redirect Rules

      1. Add a new rule with expression:
         http.host eq "<immich full domain>" and (http.request.uri.path wildcard "/api/auth/login" or http.request.uri.query contains "autoLaunch=0")

      2. Set static URL redirect to: "https://" this ensures any rogue requests toward sensitive endpoints are cut off by the CF reverse proxy without interrupting OAuth flow.

I would appreciate community feedback of any other POST/PUT endpoints that process authentication so I can consider blocking them as well.

[andrewjmoser]

Thanks for the guide, got everything setup and working except everyone could logon. I was having an issue that I did not want happening, and that was any user with a google account, would automatically be able to logon to my server, and have an account created in Immich. So in my SaaS app on Cloudflare, I added an email rule so that you have to use Google to authenticate, AND your google account email, must be allowed as well, so only emails I specifically allow, will be allowed to access the server, through cloudflare, and google auth. This seems to be working as far as I can tell with testing it on th eCF policy test page, and I had a friend try to access it both ways and the only way that works, is the way I want where you have to have your email, and use google auth.

[jzavalaneri]

You can change the settings in your Immich Admin to not auto create accounts.

When someone new needs an account, you'll create the account in Immich settings using their email account. This ensures you have full control over who you give access. New user will be prompt by oauth to authenticate their email and they will be let in.

[Awesomefreeman]

I did everything strictly according to the instructions. Through WEB it works well include oauth, but I cannot login in mobile app. There is an error Server is not reachable
What's the problem?

FormatException: Unexpected character (at character 1)
<!DOCTYPE html>
^
#0      _ChunkedJsonParser.fail (dart:convert-patch/convert_patch.dart:1465)
#1      _ChunkedJsonParser.parseNumber (dart:convert-patch/convert_patch.dart:1332)
#2      _ChunkedJsonParser.parse (dart:convert-patch/convert_patch.dart:933)
#3      _parseJson (dart:convert-patch/convert_patch.dart:36)
#4      JsonDecoder.convert (dart:convert/json.dart:610)
#5      JsonCodec.decode (dart:convert/json.dart:216)
#6      ApiClient.deserialize.<anonymous closure> (package:openapi/api_client.dart:158)
#7      compute.<anonymous closure> (package:flutter/src/foundation/_isolates_io.dart:19)
#8      _RemoteRunner._run (dart:isolate:1090)
#9      _RemoteRunner._remoteExecute (dart:isolate:1084)
#10     _delayEntrypointInvocation.<anonymous closure> (dart:isolate-patch/isolate_patch.dart:300)
#11     _RawReceivePort._handleMessage (dart:isolate-patch/isolate_patch.dart:184)

[gregeeh]

Sounds to me like there's a space at the beginning of something, like a password. Can easily happen when cutting and pasting.

[piyushpaliwal]

Exposing your private instance to public, is this secure or recommended by the devs considering the app is under heavy development and doesn't have a stable release yet.

I see a lot of people here in the thread have already set it up, are they just accepting the risks involved or aren't aware of these risks 🤔

[jzavalaneri]

Immich is indeed under development with bugs that are being fixed but that's not to say you can't use it and securely expose it. It's only as secure as you make it so setup is important.

I'm using a domain I purchased and access to my server is only available through OAuth with a google account. I control who has an account by creating it with their google email. I also have my Immich server set to auto launch OAuth when navigating to main page. It's been up for nearly 6 months now with 5 users. We share a lot of public alumnus available only through link. I haven't had any issues.

[piyushpaliwal]

that's so good to know that you are already doing it for sometime now. Do you think having a Crowdsec instance monitoring the server and open 433 along with OAuth setup enough in terms of security?

I am just worried about bearer tokens getting sniffed and all my data exposed via APIs or maybe some other attacks possible on it.

So that's where I was wondering if there has been any independent security/penetration testing already done on the project. Having that gives some assurance that you are fine as long as you can harden your server.

[Qhilm]

Security is a mean thing, because there is no such thing as "enough": it would imply 100% security, which does not exist.

TL;DR: It depends on your threat model, what are you guarding against, who has interest in hacking you?

If you use the cloudflare tunnels, I don't think crowdsec can help much: it works with source IPs and all the traffic will be coming from cloudflare from the point of view of your crowdsec instance... I would rather recommand leveraging cloudflare's offer then, it make more sense, because they see much more than your home router. You can use alternate port numbers in clouflare for example, you can enable very powerful packet inspection, etc.

Another example on how important threat model is:

Are you more worried about script kiddies out there destroying your Immich for fun or are you more worried about big tech? Cloudflare tunnel means that cloudflare will decrypt everything, every single picture is decrypted by cloudflare, to be clear. In theory, they just pass it along and don't store it. If you don't trust them, Cloudflare is not for you.

But on the other hand, cloudflare is a good line of defense against script kiddies (you could say "low effort, high volume hackers", maybe that's more accurate).

If you are considered a high profile target by some country for example, I would definitely advise against exposing anything to the internet. Indeed, it would mean you are a high value target for this actor, hence dropping a lot of money to buy a zero day vulnerability is realistic suddenly.

[rumblefrog]

There's the middle ground, restrict to subset of users. For good majority of users, asking family/friends to install VPN is not just viable, but most do have a Google account that can be used in Cloudflare Zero Trust's Google identity provider to make it only available to specific emails, without worrying about connectivity.