All good points, and Apple has some of the most skilled engineers in the world and The Fappening still happened.
It’s not possible for me to audit everything that’s happening security-wise in Immich, but I can fully understand what’s happening in this small codebase to my own satisfaction. At the end of the day I feel safer knowing that there is no public access to any part of my Immich instance.
It’s also not true that you “never need to touch it again”
I meant that you don’t need to use it to share photos, not that you never need to update your docker containers! 😱 Thanks, I have clarified that.
The security of which URLS are accessible without authentication would be up to immich.
This is exactly the risk I’m wanting to mitigate. Immich is under heavy active development, and I want to abstract away from needing to worry whether the no-auth API URLs are safe to expose publicly.
At the end of the day I feel safer knowing that there is zero public access to any part of my Immich instance, which for me is what really matters.
You’d still need to allow access to the /api/
path, and even public endpoints could potentially expose you to a vulnerability. It’s entirely up to your threat model.
Knowing what happened in 2014 with iCloud, I’m not prepared to take that risk. Especially as Immich is under heavy development and things can often change and move around. At least this way I know that it will either safely fetch the data or simply fail.
some dude’s personal project
Yes, it’s my project.
if I put it behind something else that forwards traffic to the server then that’s somehow safe!
It doesn’t “forward traffic”, it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word “proxy” with meaning something like Traefik.
telling me that is more secure. As though that project is better written?
Yes, it’s more secure to use this than exposing Immich. No it’s not “better written” than Immich; it fulfills a completely different purpose.
It’s 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.
Sorry, off topic, but is this what Immich looks like out of the box, or have you used any other plugins?
No - this is using lightGallery. You can see what Immich looks like on their demo.
I get to give you access to all my photos so that you can just proxy calls to my server?
This is a self-hosted app… The only person who has access to your photos is you - that’s the entire point of using this. It lets you share photos/videos/albums from Immich without giving anyone access to any part of your Immich server, thus significantly increasing your privacy and security.
It doesn’t forward any traffic to Immich, it creates essentially a WAF between the public and Immich. It validates all incoming requests and answers only valid requests, without needing privileged access to Immich.
You’re correct - it is indeed taking input requests and requesting the related data from Immich.
How is this adding more security than any other proxy?
To allow sharing with Immich using a normal reverse proxy like Caddy or Traefik, you need to expose public access to the Immich /api/
path, along with a few other potentially dangerous paths. Any existing or future vulnerability has the potential to compromise your Immich instance.
This proxy is more secure as it does not allow public access to the Immich API path or to any Immich path. The only incoming requests which are honoured are requests like this:
https://your-proxy-url.com/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo
If the shared link does not resolve to something that you have intentionally shared from Immich, it will return a 404.
if Immich is updated with changes that proxy doesn’t have yet, everything breaks.
The only thing which would break it is if Immich changed the format of a few select API endpoints. And if that ever happens it’s a very easy fix.
It’s all about the risk matrix. The theoretical likelihood of a vulnerability in Immich might be low, but the severity of that risk is catastrophic in terms of personal data leaking.
The likelihood of a risk in this proxy might be medium or even high according to you, but the severity is low. It doesn’t have access to any of your personal data. All it does is talk to Immich via Immich’s public sharing API.
One of the contributors to this project is bo0tzz, who is one of the maintainers of Immich.