EDIT: I have a wireguard VPN set up for myself and it's always on so I can access *arrs and the like. I would like to expose immich on my domain to share photo albums and such.
However, if you want to host it publicly, at least restrict access to it via GeoIP. For example, if you live in Europe and only need access from there, only allow the areas in Europe you travel to and block everything else. This will greatly reduce your attack surface.
Also, make sure everything is patched. Always. And implement something like fail2ban to deny repeated failed logins, along with a reverse proxy.
GeoIP restricting is a brilliant idea I never thought of. I have been getting a few people trying to sign up on one of my other services and they're all from Asia somewhere.
Sweet. Both OPNSense and pfSense firewalls have the ability to tie into MaxMind's GeoIP service. Not sure what your perimeter device is, but it's pretty easy on those. And free.
You are increasing the attack vector immensely, and it is up to you to ensure that it is well protected and up to date. The attack effort won't be high though and most of the attacks would be pretty basic, still I wouldn't risk something so personal, like your image library.
I would suggest for you to look into Wireguard or Tailscale for accessing your personal Immich instance.
Public subdomain pointing to an internal Tailscale IP. Generate Let's Encrypt certificates using the domain alone. Browsers don't scream, access only works via Tailscale.
Also, true there is more risk, but you should always balance it with advantages.
If your immich is properly protected behind a reverse proxy and encrypted with https, and containerized, preferably root-less container, and you properly back it up, go ahead and enjoy sharing.
I haven’t gotten around to setting it up myself yet, but I have immich-public-proxy pinned. Could solve exactly your problem. Keep your main immich behind your vpn but expose some public galleries of your choosing.
I've got mine on a subdomain through a Cloudflare tunnel that points to my local nginx proxy manager (with wildcard SSL certs) then to immich. You can do access control through Cloudflare as well. Quite low risk in my opinion as long as you protect it properly.
Yeah, but if you put everything behind a well configured reverse proxy with proper SSL certs (let's encrypt) and maybe also a good SSO (not mandatory, but recomended) you will be fine.
You could look into mutual TLS / mTLS to protect your instance. You will need to set this up using a reverse proxy at your server (like Caddy) and then add a client certificate to your user devices. If you use the Immich app, I think it also supports adding this certificate under Settings -> Advanced -> SSL Client Certificate. Here you can find a tutorial on how to set it up: https://www.apalrd.net/posts/2024/network_mtls/
(Edit: you will need to ensure that all clients who want to receive your shared photos have a client certificate installed, so depending on the number of clients this might be okay or less useful)
I suspect most people open it via subdomain or cloudflare tunnel and it seems secure enough. Haven't seen reports of people getting hacked left and right.
VPN Certainly is more secure and works for a few people but becomes annoying if you have users that don't want to mess with a VPN. It also helps if you want to make a public share link to someone without an account.
It is no riskier than any other reverse proxy or tunneling app. If you follow good opsec, you should be fine. In truth there is no bulletproof way to avoid intrusion, so do the best you can without completely doing away with convenience.
Try out a mesh network VPN like tailscale (others are available, but i haven't tried them).
Tailscale is basically just a simple but powerful wireguard manager that does all of the work of setting up a mesh network for you, and it works amazingly well in my experience. The free account is good for I think 3 users and 100 devices on a network and has been the perfect thing to expose my home server to my various devices no matter where I am.
I like it so much after having used it for the last few months that I just spent way too much money upgrading my server... but that's another thing entirely. lol