Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.

So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public without ever exposing your Immich instance. This uses Immich’s existing sharing functionality, so other than the initial configuration everything else is handled within Immich.

Why not just expose Immich publicly with Traefik / Caddy / etc?

To share from Immich, you need to allow public access to your /api/ path, which opens you up to potential vulnerabilities. It’s up to you whether you are comfortable with that in your threat model.

This proxy provides a barrier of security between the public and Immich. It doesn’t forward traffic to Immich, it validates incoming requests and responds only to valid requests without needing privileged access to Immich.

Demo

You can see a live demo here, which is serving a gallery straight out of my own Immich instance.

Features

  • Supports sharing photos and videos.
  • Supports password-protected shares.
  • Creating and managing shares happens through Immich as normal, so there’s no change to your workflow.

Install

Setup takes about 30 seconds:

  1. Take a copy of the docker-compose.yml file and change the address for your Immich instance.

  2. Start the container: docker-compose up -d

  3. Set the “External domain” in your Immich Server Settings to be whatever domain you use to publicly serve Immich Public Proxy. Now whenever you share an image or gallery through Immich, it will automatically create the correct public path for you.

For more detail on the steps, see the docs on Github.

  • @doeknius_gloek@discuss.tchncs.de
    link
    fedilink
    English
    301 month ago

    Security is something you do

    Like by reducing the attack surface on internal APIs?

    I don’t even necessarily disagree with you, everybody has to decide themselves if this app offers enough upsides to be worth the downsides.

    That being said, instantly calling OP stupid and their project crappy is just not the way to get your point across and in general considered a dick move.

    • @atzanteol@sh.itjust.works
      link
      fedilink
      English
      -191 month ago

      Like by reducing the attack surface on internal APIs?

      This is my other favorite term the community has picked up and uses like it’s a mic drop without understanding it.

      It’s a proxy my friend. It forwards requests to the other server. And you’ve added an untested personal project in front of it.

      But wait! You don’t want to just expose your immich proxy to the internet do you? I’ll write DavesAwesomeProxy that you can put in front of that proxy! Will it be secure? Maybe. Will I support it? What’s with all the questions!

      • @alan@feddit.orgOP
        link
        fedilink
        English
        12
        edit-2
        1 month ago

        It forwards requests to the other server.

        No raw requests are passed to Immich. All incoming data is validated / sanitized. Requests are only made to specific whitelisted API endpoints. I don’t know why you’re so angry 🤷