Don’t make it available from internet. This will solve the issue.
If it is not possible, once the cve is published and properly described, perhaps there is another way to secure it via an external proxy or even a waf.
If you have unsupported Sw, it is always a pain in the ass to keep them secure so try to figure out always the first point
Can someone be so kind to explain me what I am seeing?
Because it seems like I am not celvee enough to get it
The answer is mTLS.
But you will run into the key distribution problem. But if your number of devices is manageable, it could be the solution
This thing reduces the attack surface of the inmich installation.
If it is good, or bad or fitting to your security model can only be said by you. But honestly it sounds like a sensible thing to do
Yes, it will be enough if your services are not exposed via port forwarding , tailscale / zerotier are super convenient for this.
Honestly, if I were you I would start thinking in having a small computer just to act like a proxy / firewall of you synology, or even better, just run the applications on that computer and let the nas only serve files and data.
It is much easier to support, maintain and hardening a debain with a minimal intallation than nay synology box just because the amount of resources available to do so. In this easy way you could extent the life of your nas far beyond the end of life of the Sw