• 1 Post
  • 11 Comments
Joined 16 days ago
cake
Cake day: October 30th, 2024

help-circle





  • some dude’s personal project

    Yes, it’s my project.

    if I put it behind something else that forwards traffic to the server then that’s somehow safe!

    It doesn’t “forward traffic”, it validates traffic and answers only valid requests, without needing privileged access to Immich. I think you are confusing the word “proxy” with meaning something like Traefik.

    telling me that is more secure. As though that project is better written?

    Yes, it’s more secure to use this than exposing Immich. No it’s not “better written” than Immich; it fulfills a completely different purpose.

    It’s 400 lines of code in total, feel free to review it and tell me any flaws, oh mighty security expert.






  • You’re correct - it is indeed taking input requests and proxying them to Immich.

    How is this adding more security than any other proxy?

    To allow sharing with Immich using a normal reverse proxy like Caddy or Traefik, you need to expose public access to the Immich /api/ path, along with a few other potentially dangerous paths. Any existing or future vulnerability has the potential to compromise your Immich instance.

    This proxy is more secure as it does not allow public access to the Immich API path or to any Immich path. The only incoming requests which are honoured are requests like this:

    https://your-proxy-url.com/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo
    

    If the shared link does not resolve to something that you have intentionally shared from Immich, it will return a 404.

    if Immich is updated with changes that proxy doesn’t have yet, everything breaks.

    The only thing which would break it is if Immich changed the format of a few select API endpoints. And if that ever happens it’s a very easy fix.