Immich is an amazing piece of software, but because it holds such personal data I have only ever felt comfortable accessing it via VPN or mTLS. This meant that I could never share any photos, which had been really bugging me.
So I built a self-hosted app, Immich Public Proxy, which allows you to share individual files or full galleries to the public, without ever exposing your Immich instance. This uses Immich’s existing sharing functionality, so other than the initial configuration, everything else is handled within Immich.
You can see a live demo here, which is serving a gallery straight out of my own Immich instance:
The proxy provides a barrier of security between the public and Immich, and only allows through requests which you have publicly shared. When it receives a valid request it talks to Immich locally via API and returns only those shared images. It does not require an API key, as the share link itself is all that is needed to query Immich.
If you share an individual image, by default the proxy will return the original image file (rather than a gallery page). This means you can directly embed images in websites / blogs / note-taking apps / etc.
It exposes no ports, allows no incoming data, and has no API to exploit. I don’t even use the Immich SDK to further reduce any possible attack surface.
Features:
- Supports sharing photos and videos.
- Supports password-protected shares.
- All usage happens through Immich - you won’t need to touch this app after the initial configuration.
Setup takes about 30 seconds - just take a copy of the docker-compose.yml file and change the address for your Immich instance.
Yes, it’s my project.
It doesn’t “forward traffic”, it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word “proxy” with meaning something like Traefik.
Yes, it’s more secure to use this than exposing Immich. No it’s not “better written” than Immich; it fulfills a completely different purpose.
It’s 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.
Sorry - it’s a pointless application. I won’t sugar coat it. If anyone things it’s “more safe” to run this soon-to-be-abandonware in front of a properly supported project then they deserve what’s coming to them.
Hahah. You must be bored.