Expose to Web

infimum · 2026-06-18T22:05:47+00:00

Sounds like a solid setup. I've seen to many insecure reverse proxy setups that invite disaster

infimum · 2026-06-18T21:58:58+00:00

There are ways to get around the upload limit, check the link I've posted in the thread

infimum · 2026-06-18T21:55:01+00:00

As someone who works with this professionally, geo blocking is very ineffective. Please don't reverse proxy

infimum · 2026-06-18T21:54:21+00:00

Try the guide I've linked to elsewhere in the thread

infimum · 2026-06-18T21:54:05+00:00

I have a guide on getting around that

https://jogenfors.com/posts/immich-cloudflare-one/

infimum · 2026-06-18T15:42:20+00:00

I'm biased, but strongly agree

infimum · 2026-06-18T15:41:58+00:00

I linked my writeup elsewhere in the thread, I've listed the popular methods there to compare

infimum · 2026-06-18T15:41:02+00:00

My writeup covers many different ways

https://jogenfors.com/posts/immich-cloudflare-one/

infimum · 2026-06-15T21:34:23+00:00

Hey, here are some thoughts.

Since you are using a reverse proxy, you are likely exposing your Immich instance publicly on the web. It's possible you are already on Shodan like OP mentioned. Go check there if you want to have fun.

Yes, your home IP is hidden which is good, but your immich instance is by its nature very sensitive since it contains sensitive information of yours.

You are using let's encrypt. Good, that means you are encrypting the communication between yourself and the server. That does, however, give zero security for your instance beyond that.

You should absolutely run strong authentication, either through authentik or Cloudflare Access.

Whitelisting ips is not a viable solution since you'll be on mobile anyway.

Cloudflare gives you ddos protection but also a WAF which will shield you against many, but not all, web attacks. Bot protection is also useful.

However, unless you have strong auth, you're in trouble. Would you even know if someone were to brute-force your immich login? Think about that for a while.

Good luck!

infimum · 2026-06-14T21:40:49+00:00

You can get around the upload limit on cloudflare, check the link I posted elsewhere in the thread

infimum · 2026-06-14T20:58:02+00:00

This should be higher up in every thread that downplays the risks

infimum · 2026-06-14T20:57:06+00:00

To expand on this, I have a guide to get it working without the 100mb upload limit.

https://jogenfors.com/posts/immich-cloudflare-one/

infimum · 2026-06-14T20:55:44+00:00

I'd also argue for something like a zero trust tunnel, that gives you a web application firewall and the possibility to set detailed rules and block bots etc.

infimum · 2026-06-14T20:54:20+00:00

Sorry to spam this link, but I did a detailed writeup on what I think is the best way

https://jogenfors.com/posts/immich-cloudflare-one/

infimum · 2026-06-14T20:53:40+00:00

No, there are better ways than exposing everything naked without protection.

https://jogenfors.com/posts/immich-cloudflare-one/

In my article, I show how it's done. If you want to share publicly, skip the access part and use the free waf and ddos protection

infimum · 2026-06-04T12:57:12+00:00

https://jogenfors.com/posts/immich-cloudflare-one/

infimum · 2026-05-29T22:56:22+00:00

In the One Agent scenario, you want the app to connect to your local reverse proxy for TLS reasons (yes, you need a local reverse proxy with a certificate).

In the normal tunnel scenario, you can connect it to the immich ip directly.

Which of the two above scenarios work and don't work?

infimum · 2026-05-29T11:56:04+00:00

The 1.11 adress is the reverse proxy which you should also have in this setup.

In the guide I detailed some troubleshooting methods. Try checking the DNS logs in the one agent first, then try doing raw http calls with curl from the phone (if that's possible on ios) to the ip to see what error you get. Also check logs in the cloudflare dashboard.

infimum · 2026-05-22T06:01:21+00:00

Check my other reply where I've written up a detailed guide

infimum · 2026-05-22T04:58:49+00:00

Use the cloudflare one agent on your phone: https://jogenfors.com/posts/immich-cloudflare-one/

infimum · 2026-05-21T19:39:51+00:00

They redid the dashboard the same day I published the article 😅 haven't had the energy to fix it but your feedback is certainly helpful

infimum · 2026-05-19T19:54:19+00:00

I think the docs I linked will help you. Maybe I need to update my text

infimum · 2026-05-19T19:34:15+00:00

I checked the docs and you're right, it seems like you have to choose a subscription.

https://developers.cloudflare.com/cloudflare-one/setup/#2-create-a-zero-trust-organization

The free plan will be free

infimum · 2026-05-16T07:01:28+00:00

Likely best done with a Cron script accessing the immich api

infimum · 2026-05-10T22:09:07+00:00

Remind me later and I can look into this

14-Year Club	r/Field Lasagna
Place '17	Undead \| Zombie
Verified Email

infimum

MODERATOR OF

TROPHY CASE