1
0
Fork 0
mirror of https://github.com/alangrainger/immich-public-proxy.git synced 2024-12-28 03:41:58 +00:00
Share your Immich photos and albums in a safe way without exposing your Immich instance to the public.
Find a file
2024-11-01 20:39:39 +01:00
.github Add Docker Hub 2024-10-31 16:01:13 +01:00
docs Update docs 2024-11-01 14:45:25 +01:00
public Add custom configuration 2024-11-01 15:36:53 +01:00
src Fix #9 missing config.json settings 2024-11-01 20:39:39 +01:00
views Fix #9 missing config.json settings 2024-11-01 20:39:39 +01:00
.dockerignore feat(ci): add docker build&publish pipeline 2024-10-30 16:27:48 +00:00
.env.example Update docs 2024-10-31 14:03:53 +01:00
.eslintrc Convert to Typescript 2024-10-28 09:56:11 +01:00
.gitignore chore: merge upstream 2024-10-31 08:13:13 +01:00
config.json Add custom configuration 2024-11-01 15:36:53 +01:00
docker-compose.yml Update docker-compose 2024-11-01 19:19:49 +01:00
Dockerfile Move NODE_ENV from docker-compose 2024-11-01 19:02:31 +01:00
healthcheck.js Update base image to node:lts-slim 2024-10-31 19:24:39 +01:00
LICENSE Add license 2024-10-28 10:26:27 +01:00
package.json Fix #9 missing config.json settings 2024-11-01 20:39:39 +01:00
README.md Update docs 2024-11-01 15:53:30 +01:00
tsconfig.json Convert to Typescript 2024-10-28 09:56:11 +01:00

Immich Public Proxy

Share your Immich photos and albums in a safe way without exposing your Immich instance to the public.

Table of Contents

About this project

Immich is a wonderful bit of software, but since it holds all your private photos it's best to keep it fully locked down. This presents a problem when you want to share a photo or a gallery with someone.

Immich Public Proxy provides a barrier of security between the public and Immich, and only allows through requests which you have publicly shared. When it receives a valid request, it talks to Immich locally via API and returns only those shared images.

It does not require an API key which reduces the attack surface even further. The only things that the proxy can access are photos that you have made publicly available in Immich. It is stateless and does not know anything about your Immich instance.

Features

  • Supports sharing photos and videos.
  • Supports password-protected shares.
  • If sharing a single image, the link will directly open the image file so that you can embed it anywhere you would a normal image.
  • All usage happens through Immich - you won't need to touch this app after the initial configuration.

Why not simply put Immich behind a reverse proxy and only expose the /share/ path to the public?

To view a shared album in Immich, you need access to the /api/ path. If you're sharing a gallery with the public, you need to make that path public. Any existing or future vulnerability has the potential to compromise your Immich instance.

For me, the ideal setup is to have Immich secured privately behind mTLS or VPN, and only allow public access to Immich Public Proxy. Here is an example setup for securing Immich behind mTLS using Caddy.

How to install with Docker

  1. Download the docker-compose.yml file.

  2. Create a .env file to configure the app:

IMMICH_URL=http://localhost:2283
PROXY_PUBLIC_URL=https://your-proxy-url.com
PORT=3000
CACHE_AGE=2592000
  • IMMICH_URL is the URL to access Immich in your local network. This is not your public URL.
  • PROXY_PUBLIC_URL is the public URL for your proxy.
  • PORT is the external port you want for the docker container.
  • CACHE_AGE this is setting the Cache-Control header, to tell the visitor's browser to cache the assets. Set to 0 to disable caching. By default this is 30 days.
  1. Start the docker container:
docker-compose up -d
  1. Set the "External domain" in your Immich Server Settings to be the same as the PROXY_PUBLIC_URL:

Now whenever you share an image or gallery through Immich, it will automatically create the correct public path for you.

How to use it

Other than the initial configuration above, everything else is managed through Immich.

You share your photos/videos as normal through Immich. Because you have set the External domain in Immich settings to be the URL for your proxy app, the links that Immich generates will automaticaly have the correct URL:

How it works

When the proxy receives a request, it will come as a link like this:

https://your-proxy-url.com/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo

The part after /share/ is Immich's shared link public ID (called the key in the docs).

Immich Public Proxy takes that key and makes an API call to your Immich instance over your local network, to ask what photos or videos are shared in that share URL.

If it is a valid share URL, the proxy fetches just those assets via local API and returns them to the visitor as an individual image or gallery.

If the shared link has expired or any of the assets have been put in the Immich trash, it will not return those.

Additional configuration

The gallery is created using lightGallery. You can adjust various settings to customise how your gallery displays.

  1. Make a copy of config.json in the same folder as your docker-compose.yml.

  2. Pass the config to your docker container by adding a volume like this:

    volumes:
      - ./config.json:/app/config.json:ro
  1. Restart your container and your custom configuration should be active.

You can find all of lightGallery's settings here: https://www.lightgalleryjs.com/docs/settings/

For example, to disable the download button for images, you would change download to false:

{
  "lightGallery": {
    "controls": true,
    "download": false,
    "mobileSettings": {
      "controls": false,
      "showCloseIcon": true,
      "download": false
    }
  }
}

Feature requests

You can add feature requests here, however my goal with this project is to keep it as lean as possible.

Due to the sensitivity of data contained within Immich, I want anyone with a bit of coding knowledge to be able to read this codebase and fully understand everything it is doing.