Is this a safe way to expose Immich?

I'm looking for some advice on how to safely expose my Immich instance. My goal is to only allow public access to shared albums and media, while keeping the main Immich login page private.

I am aware of the immich-proxy service, but I'd prefer to avoid it and expose the main application's share links directly. The UI for the shared albums in the main app is awesome, and I'd really like to keep using it.

To achieve this, I'm planning to use Traefik with Pangolin to create path-based rules with the following logic:

  • Rule 1 (High Priority): Always Allow requests to the path /share/*.
  • Rule 2 (Low Priority): Always Deny all other paths (/*) as a catch-all.

I'll also add another layer of security by using Pangolin's built-in authentication on the /share/* path.

Does this seem like a correct and secure approach? More importantly, will the shared pages function correctly if I only allow access to the /share/* path, or are there other API or asset paths I need to allow as well?