avidamoeba@lemmy.ca Afaik immich is generally safe to publicly expose. Otherwise, I’d just use http basic auth. Supported by every server and client, should be secure enough to hold off attacks in case immich’s login/auth mechanisms fail, and I don’t see a usecase where this wouldn’t work.
If you don’t have a public IP or need IPv4, get a 4€/Month VPS (cheaper than even a Pi’s energy usage I suppose) and put headscale on it.
AzuraTheSpellkissed@lemmy.blahaj.zone 1 day ago
Using a reverse proxy / ingress, you can configure only share links to be publicly available, while keeping the rest of immich exclusive to your private-network. Optionally combine with something like Cloudflare Tunnel if you’re worried about leaking your server’s IP.
Pika@sh.itjust.works 1 day ago
this right here. If you have immich setup behind a reverse proxy, just route any requests that use the /share on the proxy manager to route to the immich instance, and have it 403 on anything else when the request is not via the vpn
androidul@lemmy.world 17 hours ago
would rather not go that path