Do I need to set up NGINX on a VPS (or similar cloud based server) to send the queries to my home box?

A proxy on a VPS is one way to do this, but not the only way and not necessarily the best one… depending on your goals.

• You can also use port-forwarding and dyndns to just expose the port off your home-ip. If your ISP is sucky, this may not work though.
• You can also use Cloudflare’s free tunneling product, which is basically a hosted proxy that acts like a super port-forward that bypasses sucky ISP restrictions.
• If you want to access Immich yourself from your own devices but don’t need to make it available to (many) others on devices you don’t control, I like and use tailscale the best. The advantage of tailscale is that Immich remains on a private network, not directly scannable from the internet. If there’s a preauth exploit published and you don’t pay attention to update promptly, scanners WILL exploit your Immich instance with internet-exposed techniques… whereas tailscale allows you to access services that internet scanners cannot connect to, which is a nice safety net.

Do I need to purchase a domain (randomblahblah.xyz) to use as the main access route from outside my house?

Not for tailscale, and I don’t think for Cloudflare tunnel. Yes for a VPS proxy.

I’ve run a VPS for a long while and use multiple techniques for different services.

• Some services I run directly on the VPS because it’s simple and I want them to be truly publicly accessible.
• Other services I run on a bigger server at home and proxy through the VPS because although I want them to be publicly accessible, they require more resources than my VPS has available. When I get around to installing Immich, there’s a decent chance it will go into this category.
• Still other services, I run wherever and attach them to my tailnet. These I access myself on my own devices (or maybe invite a handful of trusted people into my tailnet), but aren’t visible to the public internet. If I decide not to use immich’s shared gallery features (and so don’t need it publicly accessible) or decide I don’t trust it security-wise… it will go here instead of the proxy-by-vps category.

1. If you’ve a public IP address at your home and you can setup port forwards at your router then you don’t need a VPS.
2. Check the post by @dataprolet@lemmy.world

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

[Thread #86 for this sub, first seen 28th Aug 2023, 12:15] [FAQ] [Full list] [Contact] [Source code]

1. No, the reverse proxy should be running in your home network and redirects queries it gets on the usual http(s) ports to your applications.
2. No, you just need a DynDNS service which provides you with a basic domain like myfancyserver.dyndnsprovider.com.

Just use Cloudflare Tunnels if you’re opening it up to the Internet.

Use tailscale if only using your own personal devices.

Both easy to setup in 5 minutes.

Also for ease of use and management try out https://nginxproxymanager.com/

I’m still relatively new to NGINX Proxy Manager myself, but I’ll give your questions a shot. It doesn’t matter how (or where) you host your proxy instance, what matters is that the requests can get to it so that it can forward them to the correct resources. So simple answer to question one is no you can host locally.

If you host it locally you need to make sure that you forward requests that come into your network on to the proxy to be routed correctly. This is where port forwarding comes into play. You’ll need to set your router to take any requests that come in on port 80 or 443 (HTTP and HTTPS) and send those to your proxy.

As for question two do you need to purchase a domain. You can use a free domain name or you can pay for one that part doesn’t matter. The domain isn’t a technical requirement until you want to start hardening your instances with SSL. To get a cert you’ll need a domain. But if you set up your port forwarding and a proxy you could send a request to some_subdomain.123.456.789.123:80 (your external IP) and the proxy server will take thar request and translate it to the local server mapped to some_subdomain.