As the title says…
Is this a risky thing?
EDIT: I have a wireguard VPN set up for myself and it’s always on so I can access *arrs and the like. I would like to expose immich on my domain to share photo albums and such.
You must log in or # to comment.
Yeah, but if you put everything behind a well configured reverse proxy with proper SSL certs (let’s encrypt) and maybe also a good SSO (not mandatory, but recomended) you will be fine.
See https://wiki.gardiol.org/doku.php?id=selfhost%3Anginx https://wiki.gardiol.org/doku.php?id=selfhost%3Asso / https://wiki.gardiol.org/doku.php?id=services%3Aauthelia
These pages have been written for my own usage and use case, so YMWV…
I’ve got mine on a subdomain through a Cloudflare tunnel that points to my local nginx proxy manager (with wildcard SSL certs) then to immich. You can do access control through Cloudflare as well. Quite low risk in my opinion as long as you protect it properly.
Also, true there is more risk, but you should always balance it with advantages.
If your immich is properly protected behind a reverse proxy and encrypted with https, and containerized, preferably root-less container, and you properly back it up, go ahead and enjoy sharing.
I suspect most people open it via subdomain or cloudflare tunnel and it seems secure enough. Haven’t seen reports of people getting hacked left and right.
VPN Certainly is more secure and works for a few people but becomes annoying if you have users that don’t want to mess with a VPN. It also helps if you want to make a public share link to someone without an account.
Try out a mesh network VPN like tailscale (others are available, but i haven’t tried them).
Tailscale is basically just a simple but powerful wireguard manager that does all of the work of setting up a mesh network for you, and it works amazingly well in my experience. The free account is good for I think 3 users and 100 devices on a network and has been the perfect thing to expose my home server to my various devices no matter where I am.
I like it so much after having used it for the last few months that I just spent way too much money upgrading my server… but that’s another thing entirely. lol
It is no riskier than any other reverse proxy or tunneling app. If you follow good opsec, you should be fine. In truth there is no bulletproof way to avoid intrusion, so do the best you can without completely doing away with convenience.
I haven’t gotten around to setting it up myself yet, but I have immich-public-proxy pinned. Could solve exactly your problem. Keep your main immich behind your vpn but expose some public galleries of your choosing.
