Exposing Immich via subdomain - good or bad idea?
As the title says...
Is this a risky thing?
EDIT: I have a wireguard VPN set up for myself and it's always on so I can access arrs and the like. I would like to expose immich on my domain to share photo albums and such.
Best solution is a VPN to your home network.
However, if you want to host it publicly, at least restrict access to it via GeoIP. For example, if you live in Europe and only need access from there, only allow the areas in Europe you travel to and block everything else. This will greatly reduce your attack surface.
Also, make sure everything is patched. Always. And implement something like fail2ban to deny repeated failed logins, along with a reverse proxy.
Best solution is using a mesh VPN service like Tailscale or Netbird
GeoIP restricting is a brilliant idea I never thought of. I have been getting a few people trying to sign up on one of my other services and they're all from Asia somewhere.
I'll try setting this up.
You are increasing the attack vector immensely, and it is up to you to ensure that it is well protected and up to date. The attack effort won't be high though and most of the attacks would be pretty basic, still I wouldn't risk something so personal, like your image library.
I would suggest for you to look into Wireguard or Tailscale for accessing your personal Immich instance.
I've already got wireguard set up and that's how I access it. I would like the ability to share stuff with people though
You can use immich-public-proxy for that
Public subdomain pointing to an internal Tailscale IP. Generate Let's Encrypt certificates using the domain alone. Browsers don't scream, access only works via Tailscale.
Also, true there is more risk, but you should always balance it with advantages.
If your immich is properly protected behind a reverse proxy and encrypted with https, and containerized, preferably root-less container, and you properly back it up, go ahead and enjoy sharing.
I haven’t gotten around to setting it up myself yet, but I have immich-public-proxy pinned. Could solve exactly your problem. Keep your main immich behind your vpn but expose some public galleries of your choosing.
I use yunohost for this. Ist possible there to use the sso etc. The default Installation Help to make a Quick and secure Installation.
Yeah, but if you put everything behind a well configured reverse proxy with proper SSL certs (let's encrypt) and maybe also a good SSO (not mandatory, but recomended) you will be fine.
See https://wiki.gardiol.org/doku.php?id=selfhost%3Anginx https://wiki.gardiol.org/doku.php?id=selfhost%3Asso / https://wiki.gardiol.org/doku.php?id=services%3Aauthelia
These pages have been written for my own usage and use case, so YMWV...
I've got mine on a subdomain through a Cloudflare tunnel that points to my local nginx proxy manager (with wildcard SSL certs) then to immich. You can do access control through Cloudflare as well. Quite low risk in my opinion as long as you protect it properly.
I’ve been putting everything behind Tailscale. I don’t see any reason to make it public unless you’re planning on sharing it with the public.
Same for me, but via Cloudflare tunnel. No need to expose your system to world unless that is what you want.
You could look into mutual TLS / mTLS to protect your instance. You will need to set this up using a reverse proxy at your server (like Caddy) and then add a client certificate to your user devices. If you use the Immich app, I think it also supports adding this certificate under Settings -> Advanced -> SSL Client Certificate. Here you can find a tutorial on how to set it up: https://www.apalrd.net/posts/2024/network_mtls/
(Edit: you will need to ensure that all clients who want to receive your shared photos have a client certificate installed, so depending on the number of clients this might be okay or less useful)
Yeah, this is too much for my needs. My main goal is to be able to send pictures to people via a link.
Neighbors and family and stuff - less tech savvy folk.
I suspect most people open it via subdomain or cloudflare tunnel and it seems secure enough. Haven't seen reports of people getting hacked left and right.
VPN Certainly is more secure and works for a few people but becomes annoying if you have users that don't want to mess with a VPN. It also helps if you want to make a public share link to someone without an account.
It is no riskier than any other reverse proxy or tunneling app. If you follow good opsec, you should be fine. In truth there is no bulletproof way to avoid intrusion, so do the best you can without completely doing away with convenience.
Try out a mesh network VPN like tailscale (others are available, but i haven't tried them).
Tailscale is basically just a simple but powerful wireguard manager that does all of the work of setting up a mesh network for you, and it works amazingly well in my experience. The free account is good for I think 3 users and 100 devices on a network and has been the perfect thing to expose my home server to my various devices no matter where I am.
I like it so much after having used it for the last few months that I just spent way too much money upgrading my server... but that's another thing entirely. lol
