Install is the easy part. Nobody ever thinks about maintenance.
I had the same thought - an entire 8U rack to hold a single raspberry pi with an external drive?
Go ahead and try to use it then.
The likelihood of a risk in this proxy might be medium or even high according to you
It might be zero. It’s “unknown” (according to me I guess).
I’ve dug into the code a bit out of curiosity - it seems to me that “proxy” is a misnomer. It’s a stripped-down “view” layer built on top of the API. But has the same endpoints as the main immich app for shared things so that you can create links that work with it so it kinda looks like a proxy. But it’s just a “simplified public view” of sorts.
Meh.
I like to judge software based on its actual merit and not on the theoretical possibility it is vulnerable
This is literally the entire justification for the project. It’s assuming theoretical vulnerabilities in Immich.
I am not saying I would trust this software in a security critical situation
Which is the point of this software (security critical situation).
just that your speculation means nothing
This project has zero community support. That’s not speculative, it’s a fact. “Every project starts somewhere” is just a tautology that means nothing. Every project that fails starts somewhere.
Do you often recommend people running single-developer maintained software that has existed for about a fortnight for “security purposes”?
It’s some rando’s project that has existed for “nearly a month”, has no community, is unlikely to have any rapid response to any issues, and probably won’t be supported for more than a year.
But sure - go ahead and run it for “security purposes”.
You can “reduce surface area” by simply putting in place nginx or apache (real supported software) and blacklisting the endpoints you don’t like.
Kinda - It’s the only reason I bothered to reply to anyone. :-)
Removed by mod
And it adds its own “attack surface”.
Removed by mod
Proxies are not used for security by anyone but morons. Firewalls, WAFs, etc. all provide some sort of benefit. What is this application doing that is of use? Just “not exposing your server directly”? Well, it is being exposed directly now - so it’s a very secure application written by a security professional then? Or should I put it behind another proxy just to be sure? Maybe 7 proxies are enough?
OP is well meaning - but this was a waste of time for anyone else to use. It’s a solution in search of a problem.
Removed by mod
Like by reducing the attack surface on internal APIs?
This is my other favorite term the community has picked up and uses like it’s a mic drop without understanding it.
It’s a proxy my friend. It forwards requests to the other server. And you’ve added an untested personal project in front of it.
But wait! You don’t want to just expose your immich proxy to the internet do you? I’ll write DavesAwesomeProxy that you can put in front of that proxy! Will it be secure? Maybe. Will I support it? What’s with all the questions!
Put it on a different server then. It prevents your Immich server from ever needing to be exposed publicly. That’s the entire point.
This is stupid.
Repeat after me - proxies are not used for security.
This is a cargo-cult belief in this community. There’s a weird sense that it’s “dirty” to have a server exposed “directly” to the internet. But if I put it behind something else that forwards traffic to the server then that’s somehow safe!
Security is something you do, not something you have. The false sense of security with proxy bullshit like this crappy project is not giving you anything. You’re taking a well supported community project (immich) and installing another app in front of it which appears to be some dude’s personal project and telling me that is more secure. As though that project is better written?
Install immich. Forward ports to it (or proxy it with nginx if needed for hostname routing (but don’t expect this to be more secure)), and keep it up to date and use good passwords.
Removed by mod
You seem to understand neither security nor privacy.
I get to give you access to all my photos so that you can just proxy calls to my server?
Just share your own damn server people, this “I’m behind 7 proxies” bs is getting tiring.
Yes - they’ll start automatically. There are other options for “restart” that define the behavior.
You can give whatever you like to “servicename” and use that rather than the ID.
For example:
docker run -d --name mysite --restart unless-stopped nginx
docker stop mysite
docker start mysite
At its simplest:
docker run -d --name servicename --restart unless-stopped container
That’ll get you going. You’ll have containers running, they restart, etc. There are more sophisticated ways of doing things (create a systemd file that starts/stops the container, use kubernetes, etc.) but if you’re just starting this will likely work fine.
Sorta. If the log file is open then your rm won’t take effect until the application closes the file. You won’t see the file anymore but it will still be taking up space. So if nginx is running when you delete the logs you may need to either stop it or restart it depending on how nginx handles this.
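The behaviour described in the comment above, as an added example that is not part of the original post: a log file removed while a writer still holds it open keeps its data until the descriptor is closed, whereas truncating it in place releases the space immediately. The directory, file name and sizes are constructed, and the script assumes Linux (`/proc`) with `stat -c` available.

```shell
#!/bin/sh
# Added demo with constructed paths and sizes: what happens to a log file
# that a process still holds open. Linux only (inspects the fd via /proc).

# Size in bytes of whatever file descriptor 9 currently points at.
fd9_size() { stat -L -c '%s' /proc/self/fd/9; }

# Case 1: rm while the writer keeps the file open.
rm_open_log() {
    dir=$(mktemp -d) || return 1
    exec 9>>"$dir/access.log"          # stand-in for the daemon's open log fd
    head -c 1048576 /dev/zero >&9      # 1 MiB of "log data"
    rm "$dir/access.log"               # the name disappears from the directory
    if [ -e "$dir/access.log" ]; then return 1; fi
    fd9_size                           # the open fd still holds all the data
    exec 9>&-                          # writer closes (stop/restart): freed now
    rmdir "$dir"
}

# Case 2: truncate in place instead of rm; the writer never has to close.
truncate_open_log() {
    dir=$(mktemp -d) || return 1
    exec 9>>"$dir/access.log"          # append mode: writes follow the new end
    head -c 1048576 /dev/zero >&9
    : > "$dir/access.log"              # truncate to zero length
    before=$(fd9_size)                 # size seen through the still-open fd
    echo "GET / 200" >&9               # writer carries on without a restart
    after=$(fd9_size)
    exec 9>&-
    rm -r "$dir"
    echo "$before $after"
}

echo "bytes still held after rm: $(rm_open_log)"
echo "size after truncate, then after next write: $(truncate_open_log)"
```

For nginx specifically, `nginx -s reopen` (signal USR1) makes it reopen its log files, which releases a deleted file without a full restart.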