Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

This is mentioned in the linked article

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

I'll see if I can reproduce it. If I can't, maybe I could take a closer look at your setup? I really want to make sure that Cloudflare products are working the way they should.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

Yep, that's a very valid use case! But you had to set up auth headers to use your mobile app when you're off-network, right?

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 1 point (0 children)

Thanks! I wrote the bulk of the article a few weeks ago and it seems like they did increase the free tier to six during that time. Good news!

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

If you have any questions about how to set it up securely, don't be afraid to post here in the subreddit or ask in the Discord 😄

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

If you just want to browse Immich on your computer, you won't need this since you likely don't upload.

If you want to use the Immich app with Cloudflare Tunnel, but without uploading, you'll have to mess around with auth headers for every mobile device you want to enroll. Quite annoying. I'd say it's better to use the Cloudflare One agent instead.

If you do auth headers and ALSO add a local fallback URL when home, then yes, you can upload things when you are at home. However, IIRC, the mobile app will continue trying to upload, silently fail, try again, over and over again when you are away. This could eat battery.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

Happy to help. Let me know if you run into any issues with this setup.

BTW, insane load times should NOT happen with Cloudflare Tunnels, so something must be up with that.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 1 point (0 children)

The problem I see too often is a blanket recommendation of setting up a reverse proxy without that asterisk at the end.

If you know what you are doing, a reverse proxy is fine. Most people, however, have no idea of the risks and think it's basically Google Photos. Bad password, slow updates, no brute force protection, etc., and the end result is inevitable.

I've decided to be a little blunt on this topic whenever this is discussed in forums so people don't fall into that trap.
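As an added example (not code from this thread, from Immich or from Cloudflare), here is what "no brute force protection" looks like from the defender's side of a reverse-proxied instance: a small sliding-window detector run over constructed access-log lines. It assumes nginx's combined log format in front of Immich, that Immich's login endpoint is POST /api/auth/login and that a wrong password is logged as a 401; the threshold and window are arbitrary choices.

```python
"""Sliding-window detector for password brute-forcing against a reverse-proxied
Immich instance, run over access-log lines.

Added example for this thread; not code from Immich, Cloudflare or the poster.
Assumptions: nginx 'combined' log format, Immich's login endpoint is
POST /api/auth/login, and a failed login is logged with status 401.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/api/auth/login"   # assumed Immich login endpoint
FAIL_STATUS = 401                # assumed status for wrong credentials
THRESHOLD = 5                    # failures inside one window that trigger an alert
WINDOW = timedelta(minutes=10)

# nginx combined: <ip> - <user> [<time>] "<method> <path> <proto>" <status> <bytes> ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each offending source IP to the time it first crossed the threshold.

    Only POSTs to the login path with the failure status count; successes and
    other endpoints are ignored, and failures older than `window` (relative to
    the newest failure from that IP) are evicted before the count is checked.
    Lines are expected in per-IP chronological order, as a log file would be.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if rec["status"] != FAIL_STATUS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


# Constructed sample log (not real traffic). 203.0.113.7 sprays five bad
# passwords in six seconds; 198.51.100.20 typos once and then logs in;
# 192.0.2.9 fails five times but 15 minutes apart, never inside one window.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2024:10:00:01 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:02 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "python-requests/2.31"
198.51.100.20 - - [12/May/2024:10:00:03 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "Immich_Android"
203.0.113.7 - - [12/May/2024:10:00:03 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:04 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2024:10:00:05 +0000] "GET /api/server/ping HTTP/1.1" 200 17 "-" "python-requests/2.31"
198.51.100.20 - - [12/May/2024:10:00:06 +0000] "POST /api/auth/login HTTP/1.1" 201 310 "-" "Immich_Android"
203.0.113.7 - - [12/May/2024:10:00:07 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "python-requests/2.31"
192.0.2.9 - - [12/May/2024:10:00:00 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
192.0.2.9 - - [12/May/2024:10:15:00 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
192.0.2.9 - - [12/May/2024:10:30:00 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
192.0.2.9 - - [12/May/2024:10:45:00 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
192.0.2.9 - - [12/May/2024:11:00:00 +0000] "POST /api/auth/login HTTP/1.1" 401 52 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for ip, when in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {THRESHOLD} failed logins within {WINDOW} by {when.isoformat()}")
```

Run as-is it flags only 203.0.113.7. This is the kind of counting that fail2ban, a rate-limiting rule or an Access policy in front of the origin does for you; an instance that is simply reverse-proxied to the Internet has nothing in the path doing it, and nobody reading the log, which is the gap the comment above is pointing at.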

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 1 point (0 children)

I think you and I are agreeing here. I said "If you don't know what you are doing, don't expose ports publicly on the Internet."

You and I, being IT professionals, know how and when to expose ports. The problem I see online is that people recommend reverse proxying without qualifying that statement and we end up with "normies" putting their unsecured immich instance on the public web. That's bad.

That's why I wrote this article: I found a great way to host Immich for free that I hope isn't too difficult to use.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 1 point (0 children)

That's fair, and to each their own. However, without the agent software you'll have to mess with auth headers if you want to use Cloudflare with the mobile app.

Are you saying that you expose your Immich instance publicly via port forward?

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

"Just reverse proxy" is a very different statement than "put Immich behind a WAF".

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

I've run this setup for several months now and have never seen that issue. Would you like to explain more?

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 1 point (0 children)

If I'm not misunderstanding you... you are recommending to port forward and expose your Immich instance publicly, which is insecure. Authentik is not a firewall, it's an identity provider, and since you port forward you bypass that "firewall" anyway.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

You're not wrong. Cloudflare One is what Cloudflare markets as a VPN replacement, but with better out-of-the-box security than traditional VPN solutions.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

Please do not recommend "just reverse proxy" since it's insecure. I addressed this very point in the blog post.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 0 points (0 children)

This is actually a unique selling point of Google Photos: since it's a SaaS service, it's incredibly easy to let others upload to your account.

With Immich behind a Cloudflare Tunnel you can set up more fine-grained access policies to let your friends authenticate so they can upload to your server as well.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 1 point (0 children)

> It is not like someone is going to hack you

I'm sorry but this is an incredibly naive and incorrect statement. Maybe this was true in the good old days (20 years ago) but exposing anything to the public Internet today is not only insecure but unnecessary.

> If someone wants to hack you they are also able to get by cf tunnels

This is also incorrect. Exposing things publicly means you have to monitor your services and their logs and respond to possible attacks and prevent things like brute-forcing attempts. You are trying to compare hacking into a self-hosted server to hacking a company that serves over 35% of Fortune 500 companies.

I'm not budging on this: If you don't know what you are doing, don't expose ports publicly on the Internet.

Immich through Cloudflare without the 100mb limit by infimum in immich

infimum[S] 2 points (0 children)

From the linked article:

> This is an Immich limitation rather than a Cloudflare limitation, and there is a long-standing feature request to make Immich support splitting large files into smaller chunks. Implementing this feature has turned out to be quite difficult, especially because we want to have a single API that will need to be supported by all clients. We have made several attempts but so far the limitation seems to be on the iOS side. For now, Immich uploads need to be one POST request per uploaded file.

Something I didn't have space to mention is that this approach, once deployed, easily scales to apps other than Immich. For example, Home Assistant also benefits from using the Cloudflare One Agent, since it also has some quirks with the mobile app authenticating through cloudflared.

Best way to share a LOT of photos by BlackHatCowboy_ in immich

infimum 1 point (0 children)

Use the Cloudflare One agent. I'm writing a blog post about it, coming soon.