this post was submitted on 28 Jun 2026
27 points (96.6% liked)

Selfhosted

60210 readers
947 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
27
Immich bridge to google photos shared albums (piefed.social)
submitted 4 hours ago by anytimesoon@piefed.social to c/selfhosted@lemmy.world
13 comments fedilink hide all child comments
 

Does anyone know if it's possible to achieve this? Possibly with an external service that syncs the two?

Basically, the last feature immich can't do that google does is to share albums. Sometimes my family wants to have albums after events, and my ones live in a silo.

you are viewing a single comment's thread
view the rest of the comments
[–] avidamoeba@lemmy.ca 2 points 4 hours ago (2 children)

It is but it requires public internet access to the Immich instance, or everyone involved being on our VPN. Reusing someone else's publicly facing service to share photos from a private Immich instance is a clever workaround.

[–] AzuraTheSpellkissed@lemmy.blahaj.zone 5 points 3 hours ago (1 children)

Using a reverse proxy / ingress, you can configure only share links to be publicly available, while keeping the rest of immich exclusive to your private-network. Optionally combine with something like Cloudflare Tunnel if you're worried about leaking your server's IP.

[–] Pika@sh.itjust.works 1 points 1 hour ago* (last edited 33 minutes ago)

~~this right here. If you have immich setup behind a reverse proxy, just route any requests that use the /share/ and /s/ (the custom link version) on the proxy manager to route to the immich instance, and have it 403 on anything else when the request is not via the vpn~~

~~Just be aware that immich uses links like share-* as well so be sure to have that trailing / to make it so only shared links and albums can be.~~

~~edit: Actually looking into this route further, it looks like immich as a whole needs more than just the /share/ and the /s/ endpoints exposed to function correctly. I will update this in a little when i figured out more on what is actually needed~~

update: So it seems immich will not support this style setup without quite a bit of hands on. You need to give at minimum /share/, /s/, /_app/ and /api/ in order to actually go this route. and at that point since you've given /api/ you've essentially publicly opened the instance anyway. While you can go through and individually do each endpoint. It requires access to /api/albums /api/assets and a few other endpoints, these endpoints do seem to need auth or some form of verification tho

for anyone wanting to still go through with it. You can reverse proxy it by allowing the endpoints

  • _app/ a bunch of immich internal files for serving content
  • api/
    • server/
      • config: shows basic infomation about the server
      • media-types: shows what media types the server supports
      • features: discloses what features the server supports
    • shared-links/me: 401, 403's or shows what links the user account can sign into
    • albums/: 403's on any album endpoint that doesn't also include the album's public slug in the URL
    • timeline/
      • buckets: displays timeline buckets. 401 or 403's on no auth
      • bucket/: displays timeline info on the requested resource. 401 or 403's on info unless info is provided about what its trying to access
    • assets/: 401 or 403's on any request that doesn't contain a public slug in the url

The nginx location regex I used for my testing(although not very read friendly) was

location ~ /(api/(server/(config|media-types|features)|shared-links/me|albums/|timeline/(bucket|buckets)|assets/)|(share|s)|_app/){
  proxy_pass *immich instance*;
}

note: this was found just by basic testing using NPM on my environment, I may have missed some more specific calls especially regarding videos as I don't really do any video photography to allow for testing.

Additional note: You may end up confusing your users with the UI though, as since lets you click on the immich banner to get to login, but everything would be blocked. You may just want to use the immich public project that was linked later in this discussion...

[–] 30p87@feddit.org 1 points 4 hours ago

Afaik immich is generally safe to publicly expose. Otherwise, I'd just use http basic auth. Supported by every server and client, should be secure enough to hold off attacks in case immich's login/auth mechanisms fail, and I don't see a usecase where this wouldn't work.

If you don't have a public IP or need IPv4, get a 4€/Month VPS (cheaper than even a Pi's energy usage I suppose) and put headscale on it.