Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.
So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public without ever exposing your Immich instance. This uses Immich’s existing sharing functionality, so other than the initial configuration everything else is handled within Immich.
Why not just expose Immich publicly with Traefik / Caddy / etc?
To share from Immich, you need to allow public access to your /api/
path, which opens you up to potential vulnerabilities. It’s up to you whether you are comfortable with that in your threat model.
The proxy provides a barrier of security between the public and Immich. It doesn’t forward traffic to Immich, it validates incoming requests and responds only to valid requests without needing privileged access to Immich.
Demo
You can see a live demo here, which is serving a gallery straight out of my own Immich instance.
Features
- Supports sharing photos and videos.
- Supports password-protected shares.
- All usage happens through Immich - you won’t need to touch this app after the initial configuration.
Install
Setup takes about 30 seconds:
-
Take a copy of the docker-compose.yml file and change the address for your Immich instance.
-
Start the container:
docker-compose up -d
-
Set the “External domain” in your Immich Server Settings to be whatever domain you use to publicly serve Immich Public Proxy. Now whenever you share an image or gallery through Immich, it will automatically create the correct public path for you.
For more detail on the steps, see the docs on Github.
Proxies are not used for security by anyone but morons. Firewalls, WAFs, etc. all provide some sort of benefit. What is this application doing that is of use? Just “not exposing your server directly”? Well, it is being exposed directly now - so it’s a very secure application written by a security professional then? Or should I put it behind another proxy just to be sure? Maybe 7 proxies are enough?
OP is well meaning - but this was a waste of time for anyone else to use. It’s a solution in search of a problem.
You have clearly not understood what it does. It basically acts as a basic WAF by blocking the access to various paths that are required by the default sharing feature but not by this “proxy”.