How do you secure public facing Immich?

[Ziomal12]

Hello,
I want to share my experience for others and maybe look for inspiration.
The main question is in the title "How do you secure public facing Immich?"
I use Traefik and wanted to use Crowdsec. It worked great... untill you try to scroll down, then it flags the trafik as enumeration attempt and blocks your IP, which isn't ideal. If anyone wants to try it for everything else it worked great. If anyone wants to try it out I reccomend this video tutorial, but don't use it with Immich, I recommend to secure other projects with it, just not Immich.

[Allram]

I run my setup with Traefik as reverse proxy and Crowdsec.
I run my instance without the Immich-proxy, so the immich-api@docker part is just immich.domain.com/api.
I have tried to create a whitelist for Crowdsec, might still need a bit of tuning, but as of now it works at least:

name: crowdsecurity/immich-whitelists
description: "Whitelist false positive from Immich-api"
whitelist:
  reason: "Whitelist false positive from Immich-api"
  expression:
   - evt.Line.Raw == '.*immich-api@docker.*'
   - evt.Parsed.traefik_router_name == 'immich-api@docker'
   - evt.Meta.http_status == '403' && evt.Meta.http_verb == 'POST' && evt.Parsed.request == '/asset/upload'

[Allram]

Did a little tuning now:

name: crowdsecurity/immich-whitelists
description: "Whitelist false positive from Immich-api"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Whitelist false positive from Immich-api"
  expression:
   - evt.Parsed.traefik_router_name == 'immich-api@docker' && evt.Meta.http_verb == 'POST' && evt.Meta.http_status == '403' && evt.Parsed.request contains '/asset/upload'
   - evt.Parsed.traefik_router_name == 'immich-api@docker' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '429' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Parsed.traefik_router_name == 'immich-api@docker' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '200' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Parsed.traefik_router_name == 'immich-api@docker' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '304' && evt.Parsed.request contains '/api/asset/thumbnail/'

[5zud3n]

can you add for share link also in this ?

[thmsdelange]

What do you mean?

[5zud3n]

When i share a album to friends and they just scroll through it, it is banning them.

[thmsdelange]

I didn't run into this issue. You can use cscli explain again to inspect the logs and construct another whitelist rule for that.

[5zud3n]

[Nest] 7 - 03/03/2024, 5:10:54 PM ERROR [AuthService] Error in OAuth discovery: OPError: expected 200 OK, got: 403 Forbidden
[Nest] 7 - 03/03/2024, 5:10:54 PM ERROR [AuthService] OPError: expected 200 OK, got: 403 Forbidden
at processResponse (/usr/src/app/node_modules/openid-client/lib/helpers/process_response.js:41:11)
at Issuer.discover (/usr/src/app/node_modules/openid-client/lib/issuer.js:151:18)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async AuthService.getOAuthClient (/usr/src/app/dist/domain/auth/auth.service.js:241:28)
at async AuthService.authorize (/usr/src/app/dist/domain/auth/auth.service.js:148:24)

how to resolve this ?

[mjasny]

Hi,

I'm using the swag reverse-proxy with fail2ban that should properly secure immich and ban IPs if they attempt to login for ~5 times.
However this setup does not work because immich itself triggers 401 Unauthorized errros that fail2ban picks up and then blocks the IP.
Related issue: #3358

Did anyone find a way to work around that yet?

[simone-viozzi]

I set up immich + fail2ban successfully.

When there is a failed login, a log line in immich-server is generated:

immich_server  | [Nest] 8  - 08/09/2023, 3:27:42 PM    WARN [AuthService] Failed login attempt for user gsdfgsdfg@gsdfg.cd from ip address 156.70.33.157
immich_server  | [Nest] 8  - 08/09/2023, 3:27:43 PM    WARN [AuthService] Failed login attempt for user gsdfgsdfg@gsdfg.cd from ip address 156.70.33.157

I set up fail2ban to pick up that line and ban the corresponding ip.

Here is my setup:

1. use journald logging driver for immich-server:

services:
  immich-server:
    logging:
      driver: "journald"
      options:
        tag: "immich-server"

2. Create a filter for fail2ban:

$ vim /etc/fail2ban/filter.d/immich.local
[Definition]
failregex = immich-server.*Failed login attempt for user.+from ip address\s?<ADDR>
journalmatch = CONTAINER_TAG=immich-server

3. Create a jail:

$ vim /etc/fail2ban/jail.d/immich.local
[immich]
enabled = true
filter = immich
backend = systemd
chain = DOCKER-USER

4. Restart the fail2ban service and the immich-server container
5. watch -n1 sudo fail2ban-client status immich and try to log in with wrong credentials. If the failed counter goes up, it worked!

Debug tips:

• set banaction and banaction_allports to dummy while debugging. This way, fail2ban will not actually ban the ip, but only show it into fail2ban-client status.
• use sudo fail2ban-regex systemd-journal immich to test if the regex is working. Read the man of fail2ban-regex, it has useful options.

[clintjk]

Can i retrospectively change the logging driver in the docker compose file and not destroy anything? If that is the case, will future updates to immich also work fine with the edited docker compose file?

[Jurrer]

@clintjk
Container of modified service will be recreated. In this case, immich-server.
If you have default immich setup, everything will be working as usual, as the database holds persistent information.
During container recreation logs are usually destroyed, if that concerns you.

It will affect how logs are gathered, but it will not affect how immich app works.

[clintjk]

@Jurrer Thanks that worked perfectly!

@simone-viozzi The fail2ban setup was a little confusing in comparison. Turns out you must append the immich jail file with .conf instead of .local when adding it to fail2ban/jail.d or else fail2ban won't see it.

[dekiesel]

Thanks, that worked really well!

An fyi for people that aren't on systems with systemd: You can use syslog with a few simple changes:

docker-compose.yaml

services:
  immich-server:
    logging:
      driver: "syslog"
      options:
        tag: "immich-server"

immich:~# cat /etc/fail2ban/jail.d/immich.local 
[immich]
enabled = true
filter = immich
logpath = /var/log/messages
bantime  = 24h
chain = DOCKER-USER
immich:~# 

[Jurrer]

I spent couple hours to get it working, but here is the nginx version.
On the beginning, I warn you, that it requires some tinkering, as nginx does not log upstream app by default,
and crowdsec parser does not read upstream proxy correctly by default too :/
But it's pretty straightforward.

The modified immich-whitelist.yaml I put in the parsers/s02-enrich/ directory of crowdsec configs.

name: crowdsecurity/immich-whitelists
description: "Whitelist false positive from Immich-api"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Whitelist false positive from Immich-api"
  expression:
   - evt.Parsed.proxy_upstream_name == 'immich-server' && evt.Meta.http_verb == 'POST' && evt.Meta.http_status == '403' && evt.Parsed.request contains '/asset/upload'
   - evt.Parsed.proxy_upstream_name == 'immich-server' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '429' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Parsed.proxy_upstream_name == 'immich-server' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '200' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Parsed.proxy_upstream_name == 'immich-server' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '304' && evt.Parsed.request contains '/api/asset/thumbnail/'

Now the NGINX side, let's modify how nginx writes access logs. Add this part within the http { } block

# Define custom log format
    log_format custom_combined '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_app"';

    # Sets the path, format, and configuration for a buffered log write.
    access_log /config/log/nginx/access.log custom_combined;

Let's define variable describing our upstream app:
(Your proxy config may look different, just set upstream_app variable in root location block)

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
+       set $upstream_app immich-server;
        set $upstream_port 3001;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

reload/restart nginx; open immich to generate traffic; check if your nginx log looks as intended:
11.22.33.420 - - [date] "GET /api/asset/thumbnail/db6d1[...]?format=WEBP HTTP/1.1" 200 19756 "-" "Dart/3.1 (dart:io)" "immich-server"

For the final part, let's fix that nginx-logs parser, so it notices our upstream server.
It should work out of the box, but for me it didn't
Let's check(replace log string with your own)

cscli explain --type nginx -v --log '11.22.33.420 - - [21/Oct/2023:13:35:12 +0800] "GET /api/asset/thumbnail/db6d1?format=WEBP HTTP/1.1" 200 19756 "-" "Dart/3.1 (dart:io)" "immich-server"'

look for the create evt.Parsed.proxy_upstream_name : part. If you see it has a value "immich-server", it got fixed, you're good to go.

If not, replace the pattern in parsers/s01-parse/nginx-logs.yaml, section http_access-log with:

pattern: '(%{IPORHOST:target_fqdn} )?%{IPORHOST:remote_addr} - %{NGCUSTOMUSER:remote_user}? \[%{HTTPDATE:time_local}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:body_bytes_sent} "%{NOTDQUOTE:http_referer}" "%{NOTDQUOTE:http_user_agent}" "%{DATA:proxy_upstream_name}"'

save the file, and test it again

cscli explain --type nginx -v --log '11.22.33.420 - - [21/Oct/2023:13:35:12 +0800] "GET /api/asset/thumbnail/db6d1?format=WEBP HTTP/1.1" 200 19756 "-" "Dart/3.1 (dart:io)" "immich-server"'

done, you should see

        |       ├ 🟢 crowdsecurity/immich-whitelists (~2 [whitelisted])
        |               ├ update evt.Whitelisted : %!s(bool=false) -> true
        |               ├ update evt.WhitelistReason :  -> Whitelist false positive from Immich-api

Edit1: disable nginx logging rewrites rewrite_log off;
Edit2: updated to fit current *89 immich release, that got rid of the web container

[vspaziani]

Thank you very much for pointing me in the right direction. I have a Nginx Proxy Manager server that is my proxy. I could't quite figure out how to get the 'Target Server' part of the log to work with the NPM configuration. I look a look at the parser for NPM and keyed on filtering based on the target server. If it will help anyone else...

The modified immich-whitelist.yaml I put in the parsers/s02-enrich/ directory of crowdsec configs.

name: crowdsecurity/immich-whitelists
description: "Whitelist false positive from Immich-api"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Whitelist false positive from Immich-api"
  expression:
   - evt.Parsed.target_server == 'XXX.XXX.XXX.XXX' && evt.Meta.http_verb == 'POST' && evt.Meta.http_status == '403' && evt.Parsed.request contains '/asset/upload'
   - evt.Parsed.target_server == 'XXX.XXX.XXX.XXX' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '429' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Parsed.target_server == 'XXX.XXX.XXX.XXX' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '200' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Parsed.target_server == 'XXX.XXX.XXX.XXX' && evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '304' && evt.Parsed.request contains '/api/asset/thumbnail/'

I restarted crowdsec
sudo systemctl reload crowdsec

and lastly tested
sudo cscli explain --type nginx-proxy-manager-logs -v --log '**one line from NPM access log file**'

[aniruddhas]

That really helped me!
I had to make some changes though.
Setup:
Nginx On Internet [crowdsec one] -> wg tunnel -> nginx -> docker proxy -> immich.
I removed parsed target server and added one line for 404s.
Now this takes care of:

• crowdsecurity/http-probing
• crowdsecurity/http-crawl-non_statics

I am sure, I will need to add few more lines (maybe for .wellknown etc when I have to add another device and http probing will kick in another ban. Will update if there are any changes in my configs in this thread.

cat /etc/crowdsec/parsers/s02-enrich/immich-whitelists.yaml

name: crowdsecurity/immich-whitelists
description: "Whitelist false positive from Immich-api"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type in ['http_access-log', 'http_error-log']"
whitelist:
  reason: "Whitelist false positive from Immich-api"
  expression:
   - evt.Meta.http_verb == 'POST' && evt.Meta.http_status == '403' && evt.Parsed.request contains '/asset/upload'
   - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '429' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '200' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '304' && evt.Parsed.request contains '/api/asset/thumbnail/'
   - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '404' && evt.Parsed.request contains '/api/asset/thumbnail/'

[dsm1212]

Do any of these schemes allow file sharing by link? I use swag and couldn't seem to get that to work so I bypassed it for now. I mean work without having to give people a swag/authelia login.

[aniruddhas]

I know, this is too late a response. But, I was looking for solution for this issue and wanted to report that this works for shared links as well. I just created a large shared link album (I've 2FA OIDC setup as well) . Opened up that link on private browser on cellphone network, scrolled up / down / page refresh multiple times within seconds. Didn't get a ban.

For http probing, I had to add another line. Added my config in the same discussion, elsewhere.

[jenda69]

What about this that I did on my nginx? I don't really understand how that thing is configured, but I got it a bit secured this way.

This in nginx site config:

	location / {
		include snippets/immich_proxy.conf;
	}
	location /auth.php {
		include snippets/fastcgi-php.conf;
	}
	location /auth/login {
		auth_request /auth.php;	
		include snippets/immich_proxy.conf;
	}
	location /api/auth/login {
		auth_request /auth.php;
		include snippets/immich_proxy.conf;
	}

.conf files contain just configuration for proxy_pass (and for php for one URI).

And auth.php in the server root directory:

<?php	
//not sure this line works - my Immich runs on different machine, so I'm getting logs different way.
$logs = shell_exec("docker logs immich_server --since 30m 2>&1");

if (substr_count($logs, "from ip address " . $_SERVER['REMOTE_ADDR']) > 10)
{
	http_response_code(403);
}
else
{
	http_response_code(200);
}
?>

Every time I access login page or api endpoint for login, it gets logs from last 30 minutes, checks whether your IP is there more than 10 times (as failed attempts) and if it is, it blocks access to the page.
I'm posting this mainly because I want to hear how stupid this solution is.

[Eirikr70]

Hello, has anyone built a successful content security policy ? When I try with my usual add_header Content-Security-Policy "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';base-uri 'self'" always;, the screen results blank. I must confess that I barely understand what I do at that level and if such a policy is of use in the case of Immich.

[amadeous]

I manage to have a usable Content-Security-Policy using default-src 'self'; base-uri 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; script-src-elem 'self' 'unsafe-inline'; script-src 'unsafe-inline' 'unsafe-eval'; connect-src 'self' https://api-l.cofractal.com https://maputnik.github.io https://fonts.openmaptiles.org; worker-src blob:;. When defined, some WebGL warning show up in the console but it does not seem to affect the usability.

However, it should be noted that this CSP is not really secure as it contains "unsafe-inline" and "unsafe-eval". But in any case, it still narrows the scope of what resources can be loaded from an Immich instance.

Ideally, Immich should be adapted in such a way that these unsafe inline and eval() can be removed, further securing the CSP.
Also, the CSP could be added in the app <header> html tag.

[Eirikr70]

Thanks @amadeous , I am not sure that I understand it all, but it seems to work. What I understand is that not everything is at the highest level of security, but the whole is more secure than remaining with no CSP at all.