Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.
So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public without ever exposing your Immich instance. This uses Immich’s existing sharing functionality, so other than the initial configuration everything else is handled within Immich.
Why not just expose Immich publicly with Traefik / Caddy / etc?
To share from Immich, you need to allow public access to your /api/ path, which opens you up to potential vulnerabilities. It’s up to you whether you are comfortable with that in your threat model.
This proxy provides a barrier of security between the public and Immich. It doesn’t forward traffic to Immich, it validates incoming requests and responds only to valid requests without needing privileged access to Immich.
Demo
You can see a live demo here, which is serving a gallery straight out of my own Immich instance.
Features
- Supports sharing photos and videos.
- Supports password-protected shares.
- Creating and managing shares happens through Immich as normal, so there’s no change to your workflow.
Install
Setup takes about 30 seconds:
-
Take a copy of the docker-compose.yml file and change the address for your Immich instance.
-
Start the container:
docker-compose up -d -
Set the “External domain” in your Immich Server Settings to be whatever domain you use to publicly serve Immich Public Proxy. Now whenever you share an image or gallery through Immich, it will automatically create the correct public path for you.
For more detail on the steps, see the docs on Github.
Oh man, total flashback to when I did this for Owncloud https://github.com/Fmstrat/shorten
Thank you very much for the work. I pondered a few times how I could do that safely as I don’t feel like hosting it that publicly.
I run Jellyfin publicly behind Authelia but there arent any personal files inside so if they breach it, it would give them only movies, music and tv shows…You can see [a live demo here](https://immich-demo.note.sx/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo), which is serving a gallery straight out of my own Immich instance.
Sorry, off topic, but is this what Immich looks like out of the box, or have you used any other plugins?
Immich Public Proxy looks like exactly what I want for my family photos, but I haven’t looked into Immich yet. The demo looks beautiful, and is simple enough for the grandparents to use 🙂
Sorry, off topic, but is this what Immich looks like out of the box, or have you used any other plugins?
No - this is using lightGallery. You can see what Immich looks like on their demo.
Thank you 🙂
Immich on its own looks good, but if I set it up, I think I’ll definitely install lightGallery to go with it 🙂
Not default but can highly reccommend immich its great.
Thanks 🙂
Great work! 😎 Starred.
This is excellent! Thank you!
Pretty cool!
Have you thought about whether this could also be used for limited write access? A common use-case for abusive image gallery services that you cannot ordinarily fulfil with Immich is shared albums where multiple people that e.g. attended the same event can collect pictures in without complex authentication (just a single shared secret or even just the link to the album).
You seem to understand neither security nor privacy.
I get to give you access to all my photos so that you can just proxy calls to my server?
Just share your own damn server people, this “I’m behind 7 proxies” bs is getting tiring.
I get to give you access to all my photos so that you can just proxy calls to my server?
This is a self-hosted app… The only person who has access to your photos is you - that’s the entire point of using this. It lets you share photos/videos/albums from Immich without giving anyone access to any part of your Immich server, thus significantly increasing your privacy and security.
It doesn’t forward any traffic to Immich, it creates essentially a WAF between the public and Immich. It validates all incoming requests and answers only valid requests, without needing privileged access to Immich.
Couldnt this in theory also be handled by using cloudflares WAF and disallowing every entry to protected end-points?
You’d still need to allow access to the
/api/path, and even public endpoints could potentially expose you to a vulnerability. It’s entirely up to your threat model.Knowing what happened in 2014 with iCloud, I’m not prepared to take that risk. Especially as Immich is under heavy development and things can often change and move around. At least this way I know that it will either safely fetch the data or simply fail.
You‘re supposed to host this yourself.
Then what’s the fucking point? I’m “exposing” my own server either way! And now I’m adding a new system to the mix which can have vulnerabilities of its own.
This is stupid.
I’m “exposing” my own server either way!
Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.
This is stupid.
You seem to understand neither security nor privacy.
Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.
This is stupid.
Repeat after me - proxies are not used for security.
This is a cargo-cult believe in this community. There’s a weird sense that it’s “dirty” to have a server exposed “directly” to the internet. But if I put it behind something else that forwards traffic to the server then that’s somehow safe!
Security is something you do not something you have. The false sense of security with proxy bullshit like this crappy project is not giving you anything. You’re taking a well supported community project (immich) and installing another app in front of it which appears to be some dude’s personal project and telling me that is more secure. As though that project is better written?
Install immich. Forward ports to it (or proxy it with nginx if needed for hostname routing (but don’t expect this to be more secure)), and keep it up to date and use good passwords.
Security is something you do
Like by reducing the attack surface on internal APIs?
I don’t even necessarily disagree with you, everybody has to decide themselves if this app offers enough upsides to be worth the downsides.
That being said, instantly calling OP stupid and their project crappy is just not the way to get your point across and in general considered a dick move.
general considered a dick move.
Sometimes that’s the point. This project is so stupid it simply deserves derision. I couldn’t care less if anyone here is swayed. It’s lemmy - if I’m not echoing what everyone else is saying I’ll be voted down anyway.
Like by reducing the attack surface on internal APIs?
This is my other favorite term the community has picked up and uses like it’s a mic drop without understanding it.
It’s a proxy my friend. It forwards requests to the other server. And you’ve added an untested personal project in front of it.
But wait! You don’t want to just expose your immich proxy to the internet do you? I’ll write DavesAwesomeProxy that you can put in front of that proxy! Will it be secure? Maybe. Will I support it? What’s with all the questions!
It forwards requests to the other server.
No raw requests are passed to Immich. All incoming data is validated / sanitized. Requests are only made to specific whitelisted API endpoints. I don’t know why you’re so angry 🤷
some dude’s personal project
Yes, it’s my project.
if I put it behind something else that forwards traffic to the server then that’s somehow safe!
It doesn’t “forward traffic”, it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word “proxy” with meaning something like Traefik.
telling me that is more secure. As though that project is better written?
Yes, it’s more secure to use this than exposing Immich. No it’s not “better written” than Immich; it fulfills a completely different purpose.
It’s 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.
Sorry - it’s a pointless application. I won’t sugar coat it. If anyone things it’s “more safe” to run this soon-to-be-abandonware in front of a properly supported project then they deserve what’s coming to them.
Hahah. You must be bored.
Why so angry?
This lets you share photos without directly exposing Immich to the internet.
I don’t see the point in getting so worked up over someones project they made and decided to share, it’s not like you’re being forced to use it.
Why so angry?
Stupid question. I’m not. I forgot about this entirely until I logged in later and saw replies, which are just… Wow.
I don’t see the point in getting so worked up over someones project they made and decided to share, it’s not like you’re being forced to use it.
The stupid continues. Go ahead - run some rando’s “proxy” application to make yourself more secure and add to the number of things you need to maintain and update. I’m sure it’ll be fine. It’s worth it to “reduce attack surface area”. I’m sure they’ll support it for a long time too.
And don’t think about why it’s risky to “expose immich to the internet” (oh noes!) but for some reason it’s okay to “expose” this rando’s project to the internet.
I rarely post, but… Chill, man!
For anyone else reading this completely unjustified and ill-intentioned criticism of the OP’s work: atzanteol obviously has no clue about security and therefore cannot comprehend the value of this library.
Do you often recommend people running single-developer maintained software that has existed for about a fortnight for “security purposes”?
