this post was submitted on 11 Nov 2024
390 points (98.5% liked)
Selfhosted
60281 readers
616 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Okay...I'm terribly confused by this project here, so maybe you can clarify some things.
First, looking through the code, it seems you're literally just taking input requests and replaying them to a target host. So if Immich is updated with changes that proxy doesn't have yet, everything breaks.
How is this adding more security than any other proxy?
You're correct - it is indeed taking input requests and requesting the related data from Immich.
To allow sharing with Immich using a normal reverse proxy like Caddy or Traefik, you need to expose public access to the Immich
/api/path, along with a few other potentially dangerous paths. Any existing or future vulnerability has the potential to compromise your Immich instance.This proxy is more secure as it does not allow public access to the Immich API path or to any Immich path. The only incoming requests which are honoured are requests like this:
If the shared link does not resolve to something that you have intentionally shared from Immich, it will return a 404.
The only thing which would break it is if Immich changed the format of a few select API endpoints. And if that ever happens it's a very easy fix.
Or you could similar just block those routes in whatever reverse proxy you'd use out in front of the server?
I don't run Immich myself, but just trying to understand the technical issues and this particular solution. Seems like they should have a public facing /shared route that doesn't require access to any others, so I see your point.
You can't. You need to allow public access to your Immich instance's
/api/path to use Immich's built-in sharing.