Is this a safe way to expose Immich?
I'm looking for some advice on how to safely expose my Immich instance. My goal is to only allow public access to shared albums and media, while keeping the main Immich login page private.
I am aware of the immich-proxy service, but I'd prefer to avoid it and expose the main application's share links directly. The UI for the shared albums in the main app is awesome, and I'd really like to keep using it.
To achieve this, I'm planning to use Traefik with Pangolin to create path-based rules with the following logic:
- Rule 1 (High Priority): Always Allow requests to the path /share/.
- Rule 2 (Low Priority): Always Deny all other paths (/) as a catch-all.
I'll also add another layer of security by using Pangolin's built-in authentication on the /share/* path.
Does this seem like a correct and secure approach? More importantly, will the shared pages function correctly if I only allow access to the /share/* path, or are there other API or asset paths I need to allow as well?
6 Replies
:wave: Hey @Kylle,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: `docker compose logs`
- Container Status: `docker ps -a`
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :ballot_box_with_check: verified I'm on the latest release (note that mobile app releases may take some time).
2. :ballot_box_with_check: read applicable release notes.
3. :ballot_box_with_check: reviewed the FAQs for known issues.
4. :ballot_box_with_check: reviewed Github for known issues.
5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy).
6. :ballot_box_with_check: uploaded the relevant information (see below).
7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like `fdisk -l` and `df -h`).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Successfully submitted, a tag has been added to inform contributors. :white_check_mark:
I don't understand why you would not use immich-proxy, because there will be other paths that need to be cleared piece by piece until it works, which is exactly what the person developing the proxy has done.
I prefer it for the UI and the ability for users to upload images to the album, as opposed to using the Lightgallery from the Immich proxy
Well I've given you a way forward, it'll work in the end but I still think it'll be very tedious 👀
Theoretically, if I correctly configure my reverse proxy to only allow the necessary paths for shared albums, is this a secure method? And yes, I'm aware this is a tedious task, but that's the fun of it.
From a development perspective, is it possible for someone with a shared album link to somehow bypass the path-based rules and access the backend or other parts of the Immich instance?
I won't be sharing links with anyone tech-savvy or giving out the Pangolin authentication password to anyone who could exploit it.
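The two rules in the original question ("allow /share/ first, deny everything else") and the follow-up question about whether a share-link holder could get past path-based rules both come down to the same check: what does a request path resolve to before the rules see it? The script below is an added example, not code from the thread or from Immich, Traefik or Pangolin. It models the rule table with priorities, canonicalises each request target (query string dropped, percent-encoding decoded once, `..` segments collapsed), and does a segment-aware prefix match so that look-alikes such as `/shareX/...` and traversal forms such as `/share/../api/...` are rejected by the catch-all. The only path taken from the thread is `/share/`; every sample request, and the `/api/example` path in particular, is constructed for illustration.

```python
"""Added example (not from the thread): a model of the two-rule path
allow-list from the question, used to see what a look-alike or
traversal-style request resolves to before the rules evaluate it.
The rule table and every sample request are constructed; '/share/'
is the only path taken from the thread."""
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# (priority, path prefix, action); the highest-priority matching rule wins.
RULES = [
    (100, "/share/", "allow"),   # Rule 1 (high priority)
    (1, "/", "deny"),            # Rule 2 (low priority catch-all)
]


def canonical_path(raw_target: str) -> str:
    """Return the path the backend would see for a raw request target.

    The query string and fragment are dropped, percent-encoding is decoded
    once, and '.' / '..' segments are collapsed, so '/share/../api' and
    '/share/%2e%2e/api' both become '/api'.
    """
    path = unquote(urlsplit(raw_target).path) or "/"
    path = normpath(path)
    return path if path.startswith("/") else "/" + path


def _segments(path: str) -> list:
    return [s for s in path.split("/") if s]


def prefix_matches(prefix: str, path: str) -> bool:
    """Segment-aware prefix match: '/share/' matches '/share/abc', not '/shareX/abc'."""
    want, have = _segments(prefix), _segments(path)
    return have[:len(want)] == want


def decide(raw_target: str) -> str:
    """Apply the rule table to one request target; returns 'allow' or 'deny'."""
    path = canonical_path(raw_target)
    for _, prefix, action in sorted(RULES, key=lambda r: r[0], reverse=True):
        if prefix_matches(prefix, path):
            return action
    return "deny"  # no rule matched: fail closed


def denied_targets(targets):
    """Return the canonical paths the catch-all rejects, for tuning the allow-list.

    Feeding the targets the proxy logged while a share page loaded through
    this shows which extra paths the page depends on, instead of guessing.
    """
    return sorted({canonical_path(t) for t in targets if decide(t) == "deny"})


# Constructed sample targets: a share link, look-alikes and traversal attempts.
SAMPLE_TARGETS = [
    "/share/abc123",
    "/share/abc123?key=constructed",
    "/shareX/abc123",
    "/share/../api/example",        # '/api/example' is a constructed path
    "/share/%2e%2e/api/example",
    "/api/example",
    "/",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{decide(target):5}  {target!r:32} -> {canonical_path(target)}")
    print("denied:", denied_targets(SAMPLE_TARGETS))
```

The model only captures the intent of the two rules; how the real proxy decodes and normalises a path before matching has to be confirmed against its own documentation, and the practical way to answer "which other paths does a share page need" is to load a share page through the proxy with the catch-all in place and read the denied requests out of the proxy's access log, as `denied_targets` does for the constructed list.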
IMO this is all very overkill and if you're going to do a Pangolin login to un-savvy people anyway I'd just expose it all 😛
If you worry about people bypassing your whitelisted, VPN-tunnel secured, un-login'ed Immich instance, you shouldn't be exposing anything at all