How do you secure public facing Immich? #3243
Replies: 8 comments 18 replies
-
I run my setup with Traefik as reverse proxy and Crowdsec.
-
Did a little tuning now:
|
-
Hi, I'm using the swag reverse proxy with fail2ban, which should properly secure Immich and ban IPs if they attempt to log in ~5 times. Did anyone find a way to work around that yet?
-
I set up immich + fail2ban successfully. When there is a failed login, a log line in
I set up fail2ban to pick up that line and ban the corresponding ip. Here is my setup:
```yaml
services:
  immich-server:
    logging:
      driver: "journald"
      options:
        tag: "immich-server"
```

$ vim /etc/fail2ban/filter.d/immich.local

```ini
[Definition]
failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
journalmatch = CONTAINER_TAG=immich-server
```

$ vim /etc/fail2ban/jail.d/immich.local

```ini
[immich]
enabled = true
filter = immich
backend = systemd
chain = DOCKER-USER
```
Debug tips:
-
I spent a couple of hours getting it to work, but here is the nginx version. The modified
Now the NGINX side: let's modify how nginx writes access logs. Add this part within the
Let's define a variable describing our upstream app:

```diff
 location / {
     include /config/nginx/proxy.conf;
     include /config/nginx/resolver.conf;
+    set $upstream_app immich-server;
     set $upstream_port 3001;
     set $upstream_proto http;
     proxy_pass $upstream_proto://$upstream_app:$upstream_port;
 }
```

Reload/restart nginx; open Immich to generate traffic; check that your nginx log looks as intended.
For the final part, let's fix that nginx-logs parser so it notices our upstream server.
look for the If not, replace the pattern in
save the file, and test it again
done, you should see
Edit1: disable nginx logging rewrites
-
Do any of these schemes allow file sharing by link? I use swag and couldn't seem to get that to work, so I bypassed it for now. I mean work without having to give people a swag/authelia login.
-
What about this, which I did on my nginx? I don't really understand how that thing is configured, but I got it a bit secured this way. This is in the nginx site config:
.conf files contain just configuration for proxy_pass (and for php for one URI). And auth.php in the server root directory:

```php
<?php
// Not sure this line works - my Immich runs on a different machine, so I'm getting the logs a different way.
$logs = shell_exec("docker logs immich_server --since 30m 2>&1");

// Count failed-login lines for the caller's address. A plain substr_count() on
// "from ip address 10.0.0.1" also matches 10.0.0.10; requiring that no further
// address character follows avoids that over-count.
$needle = "/from ip address " . preg_quote($_SERVER['REMOTE_ADDR'], '/') . "(?![0-9a-fA-F.:])/";
if (preg_match_all($needle, (string) $logs) > 10)
{
    http_response_code(403);
}
else
{
    http_response_code(200);
}
?>
```

Every time I access the login page or the API endpoint for login, it gets the logs from the last 30 minutes, checks whether your IP is there more than 10 times (as failed attempts), and if it is, it blocks access to the page.
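As an added example that is not from the thread or from Immich itself: the fail2ban filter posted earlier in the thread and the PHP counter in the comment above both come down to extracting the address from Immich's "Failed login attempt ... from ip address" line and counting failures per address inside a time window. The Python below applies the thread's failregex to constructed (not real) journald-style lines, implements fail2ban's maxretry-within-findtime rule, and shows why the substring count in the PHP version over-counts. The timestamp layout, the expansion of fail2ban's `<ADDR>` placeholder and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban's <ADDR> placeholder expanded to a plain IPv4-or-IPv6 capture group.
# Assumption: fail2ban's real <ADDR> is broader; this is enough for the samples.
ADDR = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+:[0-9a-fA-F:]*)"

# The failregex from the fail2ban filter posted earlier in the thread.
FAILREGEX = re.compile(
    r"immich-server.*Failed login attempt for user.+from ip address\s?" + ADDR
)

# Constructed sample lines (not real Immich output). Assumed layout:
# "<ISO timestamp> <container tag> <message>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 immich-server Failed login attempt for user admin@example.com from ip address 203.0.113.5
2024-01-01T10:00:05 immich-server Failed login attempt for user admin@example.com from ip address 203.0.113.5
2024-01-01T10:00:09 immich-server Failed login attempt for user admin@example.com from ip address 203.0.113.5
2024-01-01T10:00:10 immich-server Failed login attempt for user bob@example.com from ip address 203.0.113.50
2024-01-01T10:00:12 immich-server Failed login attempt for user admin@example.com from ip address 203.0.113.5
2024-01-01T10:00:15 immich-server Failed login attempt for user admin@example.com from ip address 203.0.113.5
2024-01-01T10:00:20 immich-server Successful login for user alice@example.com from ip address 198.51.100.7
2024-01-01T10:30:00 immich-server Failed login attempt for user root from ip address 2001:db8::1
2024-01-01T10:31:00 immich-server Failed login attempt for user root from ip address 2001:db8::1
2024-01-01T11:00:00 immich-server Failed login attempt for user root from ip address 2001:db8::1
2024-01-01T11:30:00 immich-server Failed login attempt for user root from ip address 2001:db8::1
2024-01-01T12:00:00 immich-server Failed login attempt for user root from ip address 2001:db8::1
"""


def parse_failures(log_text):
    """Yield (timestamp, address) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m is None:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        yield ts, m.group("addr")


def find_bans(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban's rule: ban an address once it has `maxretry` failures inside
    one `findtime` window. Returns {address: time of the ban}."""
    recent = defaultdict(deque)
    bans = {}
    for ts, addr in parse_failures(log_text):
        if addr in bans:
            continue  # already banned; later lines would not reach the app
        window = recent[addr]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            bans[addr] = ts
    return bans


def recent_failures(log_text, addr, now, window=timedelta(minutes=30)):
    """The PHP comment's check (failures for one address in the last 30
    minutes), but comparing the parsed address exactly."""
    return sum(
        1 for ts, a in parse_failures(log_text)
        if a == addr and now - window <= ts <= now
    )


def substring_count(log_text, addr):
    """What substr_count() in the PHP comment measures: a prefix match, so
    asking about 203.0.113.5 also counts the line for 203.0.113.50."""
    return log_text.count("from ip address " + addr)


if __name__ == "__main__":
    for addr, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {addr} at {when.isoformat()}")
```

With the sample lines, 203.0.113.5 reaches five failures inside ten minutes and is banned; 2001:db8::1 also fails five times but spread over 90 minutes, so fail2ban's findtime never sees five at once. The substring count for 203.0.113.5 is six, one more than the exact count, because of the 203.0.113.50 line. To check the real filter against a journal, `fail2ban-regex systemd-journal /etc/fail2ban/filter.d/immich.local` reports which lines matched.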
-
Hello, has anyone built a successful content security policy? When I try with my usual
-
Hello,
I want to share my experience for others and maybe look for inspiration.
The main question is in the title "How do you secure public facing Immich?"
I use Traefik and wanted to use Crowdsec. It worked great... until you try to scroll down; then it flags the traffic as an enumeration attempt and blocks your IP, which isn't ideal. For everything else it worked great. If anyone wants to try it out, I recommend this video tutorial, but don't use it with Immich. I recommend securing other projects with it, just not Immich.