view the rest of the comments
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
You seem to understand neither security nor privacy.
I get to give you access to all my photos so that you can just proxy calls to my server?
Just share your own damn server people, this "I'm behind 7 proxies" bs is getting tiring.
This is a self-hosted app... The only person who has access to your photos is you - that's the entire point of using this. It lets you share photos/videos/albums from Immich without giving anyone access to any part of your Immich server, thus significantly increasing your privacy and security.
It doesn't forward any traffic to Immich, it creates essentially a WAF between the public and Immich. It validates all incoming requests and answers only valid requests, without needing privileged access to Immich.
Couldnt this in theory also be handled by using cloudflares WAF and disallowing every entry to protected end-points?
You'd still need to allow access to the
/api/
path, and even public endpoints could potentially expose you to a vulnerability. It's entirely up to your threat model.Knowing what happened in 2014 with iCloud, I'm not prepared to take that risk. Especially as Immich is under heavy development and things can often change and move around. At least this way I know that it will either safely fetch the data or simply fail.
You‘re supposed to host this yourself.
Then what's the fucking point? I'm "exposing" my own server either way! And now I'm adding a new system to the mix which can have vulnerabilities of its own.
This is stupid.
Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That's the entire point.
You seem to understand neither security nor privacy.
This is stupid.
Repeat after me - proxies are not used for security.
This is a cargo-cult believe in this community. There's a weird sense that it's "dirty" to have a server exposed "directly" to the internet. But if I put it behind something else that forwards traffic to the server then that's somehow safe!
Security is something you do not something you have. The false sense of security with proxy bullshit like this crappy project is not giving you anything. You're taking a well supported community project (immich) and installing another app in front of it which appears to be some dude's personal project and telling me that is more secure. As though that project is better written?
Install immich. Forward ports to it (or proxy it with nginx if needed for hostname routing (but don't expect this to be more secure)), and keep it up to date and use good passwords.
Like by reducing the attack surface on internal APIs?
I don't even necessarily disagree with you, everybody has to decide themselves if this app offers enough upsides to be worth the downsides.
That being said, instantly calling OP stupid and their project crappy is just not the way to get your point across and in general considered a dick move.
Sometimes that's the point. This project is so stupid it simply deserves derision. I couldn't care less if anyone here is swayed. It's lemmy - if I'm not echoing what everyone else is saying I'll be voted down anyway.
This is my other favorite term the community has picked up and uses like it's a mic drop without understanding it.
It's a proxy my friend. It forwards requests to the other server. And you've added an untested personal project in front of it.
But wait! You don't want to just expose your immich proxy to the internet do you? I'll write DavesAwesomeProxy that you can put in front of that proxy! Will it be secure? Maybe. Will I support it? What's with all the questions!
No raw requests are passed to Immich. All incoming data is validated / sanitized. Requests are only made to specific whitelisted API endpoints. I don't know why you're so angry 🤷
If you believe this, you are extremely uninformed at best. Proxies are routinely used for security in situations like this and are used to secure many of the apps that you use on the public internet today.
Thank you OP for creating this app! Please ignore any negativity from ignorant detractors.
Proxies are not used for security by anyone but morons. Firewalls, WAFs, etc. all provide some sort of benefit. What is this application doing that is of use? Just "not exposing your server directly"? Well, it is being exposed directly now - so it's a very secure application written by a security professional then? Or should I put it behind another proxy just to be sure? Maybe 7 proxies are enough?
OP is well meaning - but this was a waste of time for anyone else to use. It's a solution in search of a problem.
You have clearly not understood what it does. It basically acts as a basic WAF by blocking the access to various paths that are required by the default sharing feature but not by this "proxy".
Yes, it's my project.
It doesn't "forward traffic", it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word "proxy" with meaning something like Traefik.
Yes, it's more secure to use this than exposing Immich. No it's not "better written" than Immich; it fulfills a completely different purpose.
It's 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.
Sorry - it's a pointless application. I won't sugar coat it. If anyone things it's "more safe" to run this soon-to-be-abandonware in front of a properly supported project then they deserve what's coming to them.
Hahah. You must be bored.
Why so angry?
This lets you share photos without directly exposing Immich to the internet.
I don't see the point in getting so worked up over someones project they made and decided to share, it's not like you're being forced to use it.
I rarely post, but... Chill, man!
This thing reduces the attack surface of the inmich installation.
If it is good, or bad or fitting to your security model can only be said by you. But honestly it sounds like a sensible thing to do
And it adds its own "attack surface".
And? It lowers the attack surface of Immich. Attack surface is about the surface, whatever an attacker can use to get leverage. This acts as an intermediate between Immich and a public viewer, controlling how a threat actor can access a private Immich server. It helps reduce external attack surface while increasing overall system complexity. Since the project is small, it is easy to audit the code.