Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.
So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public, without ever exposing your Immich instance. This uses Immich’s existing sharing functionality, so other than the initial configuration, everything else is handled within Immich.
You can see a live demo here, which is serving a gallery straight out of my own Immich instance:
The proxy provides a barrier of security between the public and Immich, and only allows through requests which you have publicly shared. When it receives a valid request it talks to Immich locally via API and returns only those shared images. It does not require an API key, as the share link itself is all that is needed to query Immich.
If you share an individual image, by default the proxy will return the original image file (rather than a gallery page). This means you can directly embed images in websites / blogs / note-taking apps / etc.
It exposes no ports, allows no incoming data, and has no API to exploit. I don’t even use the Immich SDK to further reduce any possible attack surface.
Features:
- Supports sharing photos and videos.
- Supports password-protected shares.
- All usage happens through Immich - you won’t need to touch this app after the initial configuration.
Setup takes about 30 seconds - just take a copy of the docker-compose.yml file and change the address for your Immich instance.
Okay…I’m terribly confused by this project here, so maybe you can clarify some things.
First, looking through the code, it seems you’re literally just taking input requests and replaying them to a target host. So if Immich is updated with changes that proxy doesn’t have yet, everything breaks.
How is this adding more security than any other proxy?
You’re correct - it is indeed taking input requests and proxying them to Immich.
To allow sharing with Immich using a normal reverse proxy like Caddy or Traefik, you need to expose public access to the Immich
/api/path, along with a few other potentially dangerous paths. Any existing or future vulnerability has the potential to compromise your Immich instance.This proxy is more secure as it does not allow public access to the Immich API path or to any Immich path. The only incoming requests which are honoured are requests like this:
If the shared link does not resolve to something that you have intentionally shared from Immich, it will return a 404.
The only thing which would break it is if Immich changed the format of a few select API endpoints. And if that ever happens it’s a very easy fix.
Or you could similar just block those routes in whatever reverse proxy you’d use out in front of the server?
I don’t run Immich myself, but just trying to understand the technical issues and this particular solution. Seems like they should have a public facing /shared route that doesn’t require access to any others, so I see your point.
You can’t. You need to allow public access to your Immich instance’s
/api/path to use Immich’s built-in sharing.