265

Immich Public Proxy: Safely share your photos and albums without exposing your Immich instance (feddit.org)

submitted 6 days ago* (last edited 5 days ago) by alan@feddit.org to c/selfhosted@lemmy.world

41 comments fedilink hide all child comments

Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.

So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public without ever exposing your Immich instance. This uses Immich's existing sharing functionality, so other than the initial configuration everything else is handled within Immich.

Why not just expose Immich publicly with Traefik / Caddy / etc?

To share from Immich, you need to allow public access to your /api/ path, which opens you up to potential vulnerabilities. It's up to you whether you are comfortable with that in your threat model.

This proxy provides a barrier of security between the public and Immich. It doesn’t forward traffic to Immich, it validates incoming requests and responds only to valid requests without needing privileged access to Immich.

Demo

You can see a live demo here, which is serving a gallery straight out of my own Immich instance.

Features

Supports sharing photos and videos.
Supports password-protected shares.
Creating and managing shares happens through Immich as normal, so there's no change to your workflow.

Install

Setup takes about 30 seconds:

Take a copy of the docker-compose.yml file and change the address for your Immich instance.
Start the container: docker-compose up -d
Set the "External domain" in your Immich Server Settings to be whatever domain you use to publicly serve Immich Public Proxy. Now whenever you share an image or gallery through Immich, it will automatically create the correct public path for you.

For more detail on the steps, see the docs on Github.

top 41 comments

sorted by: hot top controversial new old

[-] fmstrat@lemmy.nowsci.com 10 points 6 days ago

Oh man, total flashback to when I did this for Owncloud https://github.com/Fmstrat/shorten

[-] Tippon@lemmy.dbzer0.com 9 points 6 days ago

You can see [a live demo here](https://immich-demo.note.sx/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo), which is serving a gallery straight out of my own Immich instance.

Sorry, off topic, but is this what Immich looks like out of the box, or have you used any other plugins?

Immich Public Proxy looks like exactly what I want for my family photos, but I haven't looked into Immich yet. The demo looks beautiful, and is simple enough for the grandparents to use 🙂

[-] alan@feddit.org 12 points 6 days ago

Sorry, off topic, but is this what Immich looks like out of the box, or have you used any other plugins?

No - this is using lightGallery. You can see what Immich looks like on their demo.

[-] Tippon@lemmy.dbzer0.com 4 points 6 days ago

Thank you 🙂

Immich on its own looks good, but if I set it up, I think I'll definitely install lightGallery to go with it 🙂

[-] muntedcrocodile@lemm.ee 2 points 6 days ago

Not default but can highly reccommend immich its great.

[-] Tippon@lemmy.dbzer0.com 2 points 6 days ago

Thanks 🙂

[-] just_another_person@lemmy.world 7 points 6 days ago

Okay...I'm terribly confused by this project here, so maybe you can clarify some things.

First, looking through the code, it seems you're literally just taking input requests and replaying them to a target host. So if Immich is updated with changes that proxy doesn't have yet, everything breaks.

How is this adding more security than any other proxy?

[-] alan@feddit.org 11 points 6 days ago* (last edited 6 days ago)

You're correct - it is indeed taking input requests and requesting the related data from Immich.

How is this adding more security than any other proxy?

To allow sharing with Immich using a normal reverse proxy like Caddy or Traefik, you need to expose public access to the Immich /api/ path, along with a few other potentially dangerous paths. Any existing or future vulnerability has the potential to compromise your Immich instance.

This proxy is more secure as it does not allow public access to the Immich API path or to any Immich path. The only incoming requests which are honoured are requests like this:

https://your-proxy-url.com/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo

If the shared link does not resolve to something that you have intentionally shared from Immich, it will return a 404.

if Immich is updated with changes that proxy doesn’t have yet, everything breaks.

The only thing which would break it is if Immich changed the format of a few select API endpoints. And if that ever happens it's a very easy fix.

[-] just_another_person@lemmy.world 2 points 6 days ago

Or you could similar just block those routes in whatever reverse proxy you'd use out in front of the server?

I don't run Immich myself, but just trying to understand the technical issues and this particular solution. Seems like they should have a public facing /shared route that doesn't require access to any others, so I see your point.

[-] alan@feddit.org 8 points 6 days ago

Or you could similar just block those routes in whatever reverse proxy you’d use out in front of the server?

You can't. You need to allow public access to your Immich instance's /api/ path to use Immich's built-in sharing.

[-] lemmeBe@sh.itjust.works 5 points 6 days ago* (last edited 6 days ago)

Great work! 😎 Starred.

[-] markstos@lemmy.world 4 points 6 days ago

A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.

It’s extremely difficult to attack a service with only GET requests.

The security of which URLS are accessible without authentication would be up to immich.

[-] elvith@feddit.org 4 points 6 days ago

I don't know the Immich API, but I've seen several REST APIs that used the usual pattern of

GET /api/v1/user/<id> - read user
POST /api/v1/user/ - create user
...

but also allowed

GET /api/v1/user/<id> - read user
GET /api/v1/user/?action=create - create user
...

[-] davad@lemmy.world 1 points 6 days ago

Yup, also some APIs use GET for everything. It's a pain. And it means that filtering by verb only helps if you're intimately familiar with the API. And even then, only if you keep up with changes as they happen. So really, only if you're developing the API yourself.

[-] davad@lemmy.world 1 points 6 days ago

(another pretty peeve of mine is "rest" APIs that use 200 response codes for everything)

[-] Appoxo@lemmy.dbzer0.com 4 points 6 days ago

Thank you very much for the work. I pondered a few times how I could do that safely as I don't feel like hosting it that publicly.
I run Jellyfin publicly behind Authelia but there arent any personal files inside so if they breach it, it would give them only movies, muaic and tv shows...

[-] BaroqueInMind@lemmy.one 5 points 6 days ago

This is excellent! Thank you!

[-] poszod@lemmy.world 1 points 6 days ago

Please Proton team port over this UI to drive.

[+] atzanteol@sh.itjust.works -44 points 6 days ago

You seem to understand neither security nor privacy.

I get to give you access to all my photos so that you can just proxy calls to my server?

Just share your own damn server people, this "I'm behind 7 proxies" bs is getting tiring.

[-] alan@feddit.org 20 points 6 days ago* (last edited 6 days ago)

I get to give you access to all my photos so that you can just proxy calls to my server?

This is a self-hosted app... The only person who has access to your photos is you - that's the entire point of using this. It lets you share photos/videos/albums from Immich without giving anyone access to any part of your Immich server, thus significantly increasing your privacy and security.

It doesn't forward any traffic to Immich, it creates essentially a WAF between the public and Immich. It validates all incoming requests and answers only valid requests, without needing privileged access to Immich.

[-] Appoxo@lemmy.dbzer0.com 0 points 6 days ago

Couldnt this in theory also be handled by using cloudflares WAF and disallowing every entry to protected end-points?

[-] alan@feddit.org 2 points 6 days ago* (last edited 6 days ago)

You'd still need to allow access to the /api/ path, and even public endpoints could potentially expose you to a vulnerability. It's entirely up to your threat model.

Knowing what happened in 2014 with iCloud, I'm not prepared to take that risk. Especially as Immich is under heavy development and things can often change and move around. At least this way I know that it will either safely fetch the data or simply fail.

[-] cron@feddit.org 13 points 6 days ago

You‘re supposed to host this yourself.

[+] atzanteol@sh.itjust.works -35 points 6 days ago

Then what's the fucking point? I'm "exposing" my own server either way! And now I'm adding a new system to the mix which can have vulnerabilities of its own.

This is stupid.

[-] alan@feddit.org 21 points 6 days ago

I’m “exposing” my own server either way!

Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That's the entire point.

This is stupid.

You seem to understand neither security nor privacy.

[+] atzanteol@sh.itjust.works -24 points 6 days ago

Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.

This is stupid.

Repeat after me - proxies are not used for security.

This is a cargo-cult believe in this community. There's a weird sense that it's "dirty" to have a server exposed "directly" to the internet. But if I put it behind something else that forwards traffic to the server then that's somehow safe!

Security is something you do not something you have. The false sense of security with proxy bullshit like this crappy project is not giving you anything. You're taking a well supported community project (immich) and installing another app in front of it which appears to be some dude's personal project and telling me that is more secure. As though that project is better written?

Install immich. Forward ports to it (or proxy it with nginx if needed for hostname routing (but don't expect this to be more secure)), and keep it up to date and use good passwords.

[-] doeknius_gloek@discuss.tchncs.de 21 points 6 days ago

Security is something you do

Like by reducing the attack surface on internal APIs?

I don't even necessarily disagree with you, everybody has to decide themselves if this app offers enough upsides to be worth the downsides.

That being said, instantly calling OP stupid and their project crappy is just not the way to get your point across and in general considered a dick move.

[-] betweenthesixes@lemm.ee 14 points 6 days ago

Repeat after me - proxies are not used for security.

If you believe this, you are extremely uninformed at best. Proxies are routinely used for security in situations like this and are used to secure many of the apps that you use on the public internet today.

Thank you OP for creating this app! Please ignore any negativity from ignorant detractors.

[-] alan@feddit.org 12 points 6 days ago* (last edited 6 days ago)

some dude’s personal project

Yes, it's my project.

if I put it behind something else that forwards traffic to the server then that’s somehow safe!

It doesn't "forward traffic", it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word "proxy" with meaning something like Traefik.

telling me that is more secure. As though that project is better written?

Yes, it's more secure to use this than exposing Immich. No it's not "better written" than Immich; it fulfills a completely different purpose.

It's 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.

[-] MangoPenguin@lemmy.blahaj.zone 9 points 6 days ago* (last edited 6 days ago)

Why so angry?

This lets you share photos without directly exposing Immich to the internet.

I don't see the point in getting so worked up over someones project they made and decided to share, it's not like you're being forced to use it.

[-] Wrongdoer4094@lemmy.world 8 points 6 days ago* (last edited 6 days ago)

I rarely post, but... Chill, man!

[-] thelittleblackbird@lemmy.world 7 points 6 days ago

This thing reduces the attack surface of the inmich installation.

If it is good, or bad or fitting to your security model can only be said by you. But honestly it sounds like a sensible thing to do

this post was submitted on 11 Nov 2024

265 points (98.2% liked)

Selfhosted

40198 readers

432 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz