Securing access from all over the world for Immich
Hello. I'm about to deploy Immich ( https://immich.app/ ) and I need it to be publicly accessible (as my remote family members will use it as well).
I thought about doing it through Cloudflare (and its tunnel) and restricting it only to my region so no Chinese/American/and so on bots can attack it. But then I thought my family travels kind of a lot, so I don't want to restrict it to be usable only in my region.
I also set up a reverse proxy (Traefik), so this way I can preserve SSL certificates as well as with Cloudflare. On the other hand, I don't have the DDoS protection that Cloudflare offers. Also, I'm a bit concerned about Immich's login and whether it is enough to protect access to the app. And there's another catch - I could set up something like Authentik or Authelia, but that would be a pain in the ass with Immich's app, as I would need to first open a browser, go to my URL, pass Authentik / Authelia, and only after that could I go back to the Immich app and log in successfully.
What are your recommendations for securing / hardening Immich accessible from everywhere?
4 Replies
With Authelia you can just press Log in with Authelia when you log in to Immich when you have set it up correctly.
And with Traefik you can also include CrowdSec, which will give you a lot more protection.
Thank you, @Allram, for the response. So in theory I could somehow identify with Google login (without actually entering a password) and pass the Immich login?
And would it work with the Immich Android application as well?
Yes, follow this guide and it should work.
I have only done it with Authelia as I already have that running, but Google should work great as well:
https://immich.app/docs/administration/oauth
Wow, that's a big topic.