Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.

So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public without ever exposing your Immich instance. This uses Immich’s existing sharing functionality, so other than the initial configuration everything else is handled within Immich.

Why not just expose Immich publicly with Traefik / Caddy / etc?

To share from Immich, you need to allow public access to your /api/ path, which opens you up to potential vulnerabilities. It’s up to you whether you are comfortable with that in your threat model.

This proxy provides a barrier of security between the public and Immich. It doesn’t forward traffic to Immich, it validates incoming requests and responds only to valid requests without needing privileged access to Immich.

Demo

You can see a live demo here, which is serving a gallery straight out of my own Immich instance.

Features

  • Supports sharing photos and videos.
  • Supports password-protected shares.
  • Creating and managing shares happens through Immich as normal, so there’s no change to your workflow.

Install

Setup takes about 30 seconds:

  1. Take a copy of the docker-compose.yml file and change the address for your Immich instance.

  2. Start the container: docker-compose up -d

  3. Set the “External domain” in your Immich Server Settings to be whatever domain you use to publicly serve Immich Public Proxy. Now whenever you share an image or gallery through Immich, it will automatically create the correct public path for you.

For more detail on the steps, see the docs on Github.

  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    6 days ago

    Okay…I’m terribly confused by this project here, so maybe you can clarify some things.

    First, looking through the code, it seems you’re literally just taking input requests and replaying them to a target host. So if Immich is updated with changes that proxy doesn’t have yet, everything breaks.

    How is this adding more security than any other proxy?

    • alan@feddit.orgOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 days ago

      You’re correct - it is indeed taking input requests and requesting the related data from Immich.

      How is this adding more security than any other proxy?

      To allow sharing with Immich using a normal reverse proxy like Caddy or Traefik, you need to expose public access to the Immich /api/ path, along with a few other potentially dangerous paths. Any existing or future vulnerability has the potential to compromise your Immich instance.

      This proxy is more secure as it does not allow public access to the Immich API path or to any Immich path. The only incoming requests which are honoured are requests like this:

      https://your-proxy-url.com/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo
      

      If the shared link does not resolve to something that you have intentionally shared from Immich, it will return a 404.

      if Immich is updated with changes that proxy doesn’t have yet, everything breaks.

      The only thing which would break it is if Immich changed the format of a few select API endpoints. And if that ever happens it’s a very easy fix.

      • just_another_person@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        6 days ago

        Or you could similar just block those routes in whatever reverse proxy you’d use out in front of the server?

        I don’t run Immich myself, but just trying to understand the technical issues and this particular solution. Seems like they should have a public facing /shared route that doesn’t require access to any others, so I see your point.

        • alan@feddit.orgOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          6 days ago

          Or you could similar just block those routes in whatever reverse proxy you’d use out in front of the server?

          You can’t. You need to allow public access to your Immich instance’s /api/ path to use Immich’s built-in sharing.

  • markstos@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 days ago

    A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.

    It’s extremely difficult to attack a service with only GET requests.

    The security of which URLS are accessible without authentication would be up to immich.

    • alan@feddit.orgOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      5 days ago

      The security of which URLS are accessible without authentication would be up to immich.

      This is exactly the risk I’m wanting to mitigate. Immich is under heavy active development, and I want to abstract away from needing to worry whether the no-auth API URLs are safe to expose publicly.

      At the end of the day I feel safer knowing that there is zero public access to any part of my Immich instance, which for me is what really matters.

  • atzanteol@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    6 days ago

    You seem to understand neither security nor privacy.

    I get to give you access to all my photos so that you can just proxy calls to my server?

    Just share your own damn server people, this “I’m behind 7 proxies” bs is getting tiring.

    • alan@feddit.orgOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      6 days ago

      I get to give you access to all my photos so that you can just proxy calls to my server?

      This is a self-hosted app… The only person who has access to your photos is you - that’s the entire point of using this. It lets you share photos/videos/albums from Immich without giving anyone access to any part of your Immich server, thus significantly increasing your privacy and security.

      It doesn’t forward any traffic to Immich, it creates essentially a WAF between the public and Immich. It validates all incoming requests and answers only valid requests, without needing privileged access to Immich.

    • lemmeBe@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      5 days ago

      For anyone else reading this completely unjustified and ill-intentioned criticism of the OP’s work: atzanteol obviously has no clue about security and therefore cannot comprehend the value of this library.

      • atzanteol@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        5 days ago

        Do you often recommend people running single-developer maintained software that has existed for about a fortnight for “security purposes”?