Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.

So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public without ever exposing your Immich instance. This uses Immich’s existing sharing functionality, so other than the initial configuration everything else is handled within Immich.

Why not just expose Immich publicly with Traefik / Caddy / etc?

To share from Immich, you need to allow public access to your /api/ path, which opens you up to potential vulnerabilities. It’s up to you whether you are comfortable with that in your threat model.

This proxy provides a barrier of security between the public and Immich. It doesn’t forward traffic to Immich, it validates incoming requests and responds only to valid requests without needing privileged access to Immich.

Demo

You can see a live demo here, which is serving a gallery straight out of my own Immich instance.

Features

  • Supports sharing photos and videos.
  • Supports password-protected shares.
  • Creating and managing shares happens through Immich as normal, so there’s no change to your workflow.

Install

Setup takes about 30 seconds:

  1. Take a copy of the docker-compose.yml file and change the address for your Immich instance.

  2. Start the container: docker-compose up -d

  3. Set the “External domain” in your Immich Server Settings to be whatever domain you use to publicly serve Immich Public Proxy. Now whenever you share an image or gallery through Immich, it will automatically create the correct public path for you.

For more detail on the steps, see the docs on Github.

  • cron
    link
    fedilink
    English
    arrow-up
    15
    ·
    1 month ago

    You‘re supposed to host this yourself.

      • alanOP
        link
        fedilink
        English
        arrow-up
        30
        arrow-down
        1
        ·
        1 month ago

        I’m “exposing” my own server either way!

        Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.

        This is stupid.

        You seem to understand neither security nor privacy.

        • atzanteol@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          38
          ·
          1 month ago

          Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.

          This is stupid.

          Repeat after me - proxies are not used for security.

          This is a cargo-cult believe in this community. There’s a weird sense that it’s “dirty” to have a server exposed “directly” to the internet. But if I put it behind something else that forwards traffic to the server then that’s somehow safe!

          Security is something you do not something you have. The false sense of security with proxy bullshit like this crappy project is not giving you anything. You’re taking a well supported community project (immich) and installing another app in front of it which appears to be some dude’s personal project and telling me that is more secure. As though that project is better written?

          Install immich. Forward ports to it (or proxy it with nginx if needed for hostname routing (but don’t expect this to be more secure)), and keep it up to date and use good passwords.

          • doeknius_gloek@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            31
            arrow-down
            1
            ·
            1 month ago

            Security is something you do

            Like by reducing the attack surface on internal APIs?

            I don’t even necessarily disagree with you, everybody has to decide themselves if this app offers enough upsides to be worth the downsides.

            That being said, instantly calling OP stupid and their project crappy is just not the way to get your point across and in general considered a dick move.

            • atzanteol@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              23
              ·
              1 month ago

              Like by reducing the attack surface on internal APIs?

              This is my other favorite term the community has picked up and uses like it’s a mic drop without understanding it.

              It’s a proxy my friend. It forwards requests to the other server. And you’ve added an untested personal project in front of it.

              But wait! You don’t want to just expose your immich proxy to the internet do you? I’ll write DavesAwesomeProxy that you can put in front of that proxy! Will it be secure? Maybe. Will I support it? What’s with all the questions!

              • alanOP
                link
                fedilink
                English
                arrow-up
                13
                arrow-down
                1
                ·
                edit-2
                1 month ago

                It forwards requests to the other server.

                No raw requests are passed to Immich. All incoming data is validated / sanitized. Requests are only made to specific whitelisted API endpoints. I don’t know why you’re so angry 🤷

          • alanOP
            link
            fedilink
            English
            arrow-up
            21
            arrow-down
            2
            ·
            edit-2
            1 month ago

            some dude’s personal project

            Yes, it’s my project.

            if I put it behind something else that forwards traffic to the server then that’s somehow safe!

            It doesn’t “forward traffic”, it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word “proxy” with meaning something like Traefik.

            telling me that is more secure. As though that project is better written?

            Yes, it’s more secure to use this than exposing Immich. No it’s not “better written” than Immich; it fulfills a completely different purpose.

            It’s 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.

          • betweenthesixes@lemm.ee
            link
            fedilink
            English
            arrow-up
            18
            ·
            1 month ago

            Repeat after me - proxies are not used for security.

            If you believe this, you are extremely uninformed at best. Proxies are routinely used for security in situations like this and are used to secure many of the apps that you use on the public internet today.

            Thank you OP for creating this app! Please ignore any negativity from ignorant detractors.

            • atzanteol@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              21
              ·
              1 month ago

              Proxies are not used for security by anyone but morons. Firewalls, WAFs, etc. all provide some sort of benefit. What is this application doing that is of use? Just “not exposing your server directly”? Well, it is being exposed directly now - so it’s a very secure application written by a security professional then? Or should I put it behind another proxy just to be sure? Maybe 7 proxies are enough?

              OP is well meaning - but this was a waste of time for anyone else to use. It’s a solution in search of a problem.

              • ShortN0te@lemmy.ml
                link
                fedilink
                English
                arrow-up
                11
                ·
                1 month ago

                You have clearly not understood what it does. It basically acts as a basic WAF by blocking the access to various paths that are required by the default sharing feature but not by this “proxy”.

      • MangoPenguin@lemmy.blahaj.zone
        link
        fedilink
        English
        arrow-up
        14
        ·
        edit-2
        1 month ago

        Why so angry?

        This lets you share photos without directly exposing Immich to the internet.

        I don’t see the point in getting so worked up over someones project they made and decided to share, it’s not like you’re being forced to use it.

      • thelittleblackbird@lemmy.world
        link
        fedilink
        English
        arrow-up
        9
        arrow-down
        1
        ·
        1 month ago

        This thing reduces the attack surface of the inmich installation.

        If it is good, or bad or fitting to your security model can only be said by you. But honestly it sounds like a sensible thing to do

          • Lemongrab@lemmy.one
            link
            fedilink
            English
            arrow-up
            8
            arrow-down
            1
            ·
            1 month ago

            And? It lowers the attack surface of Immich. Attack surface is about the surface, whatever an attacker can use to get leverage. This acts as an intermediate between Immich and a public viewer, controlling how a threat actor can access a private Immich server. It helps reduce external attack surface while increasing overall system complexity. Since the project is small, it is easy to audit the code.

            • atzanteol@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              2
              ·
              1 month ago

              It’s some rando’s project that has existed for “nearly a month”, has no community, is unlikely to have any rapid response to any issues, and probably won’t be supported for more than a year.

              But sure - go ahead and run it for “security purposes”.

              You can “reduce surface area” by simply putting in place nginx or apache (real supported software) and blacklisting the endpoints you don’t like.

              • Lemongrab@lemmy.one
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 month ago

                I like to judge software based on its actually merit and not on the theoretical possibility it is vulnerable. It very well could be vulnerable, but without auditing it we are just speculating, which in the real world means nothing. Every project starts somewhere, without community, followers, and “5 years of support”. I am not saying I would trust this software in a security critical situation, just that your speculation means nothing.

                • atzanteol@sh.itjust.works
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 month ago

                  I like to judge software based on its actually merit and not on the theoretical possibility it is vulnerable

                  This is literally the entire justification for the project. It’s assuming theoretical vulnerabilities in Immich.

                  I am not saying I would trust this software in a security critical situation

                  Which is the point of this software (security critical situation).

                  just that your speculation means nothing

                  This project has zero community support. That’s not speculative, it’s a fact. “Every project starts somewhere” is just a tautology that means nothing. Every project that fails starts somewhere.

                  • alanOP
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    edit-2
                    1 month ago

                    It’s assuming theoretical vulnerabilities in Immich.

                    It’s all about the risk matrix. The theoretical likelihood of a vulnerability in Immich might be low, but the severity of that risk is catastrophic in terms of personal data leaking.

                    The likelihood of a risk in this proxy might be medium or even high according to you, but the severity is low. It doesn’t have access to any of your personal data. All it does is talk to Immich via Immich’s public sharing API.

                    This project has zero community support.

                    One of the contributors to this project is bo0tzz, who is one of the maintainers of Immich.