#Question regarding public links.

Just a quick question regarding public links. When a public link is created, the authentication layer before immich is ignored, as it should. However, if no link is created, anywhere, there is NO way for someone to snoop in from the outside?
Sanity check for myself

:wave: Hey @limber yarrow,

Thanks for reaching out to us. Please follow the recommended actions below; this will help us be more effective in our support effort and leave more time for building Immich .

References

• Container Logs: docker compose logs docs
• Container Status: docker compose ps docs
• Reverse Proxy: https://immich.app/docs/administration/reverse-proxy

Checklist

1. :blue_square: I have verified I'm on the latest release(note that mobile app releases may take some time).
2. :blue_square: I have read applicable release notes.
3. :blue_square: I have reviewed the FAQs for known issues.
4. :blue_square: I have reviewed Github for known issues.
5. :blue_square: I have tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: I have uploaded the relevant logs, docker compose, and .env files using the buttons below or the /upload command.
7. :blue_square: I have tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

The authentication layer isn't ignored, the link is essentially a secret token that is used as the authentication key

Thank you for clearing that up.

So there is no other way to view photo's for users who do not have a link.

public users^

As long as there aren't any bugs/security loopholes I'd say so, yes

Is there also a way to just disallow it entirely? Using nginx btw.

What do you mean? As soon as you are able to view something externally, it cannot be guaranteed (by anyone) that nobody else could somehow be able to view that as well

Although very unlikely in most cases

You certainly can put immich under some sort of access control, for example, Cloudflare Access. But this limits functionality in some other ways.

Sorry, I probably misworded my previous question. What I mean is just like the login page of immich is now moved over to Authentik, making use of 0auth. (redirected to auth subdomain). Would it also be possible to simply not allowed an other parts of the immich subdomain to be accisible from the outside. So let's say a user has created a link, which he shares. But I simply want that not being possible, so I still put authentication over it and redirect it to auth subdomain.

You'd need to do that using your reverse proxy. Either pull in an additional auth layer that just puts all immich endpoints behind auth, or block requests to paths you don't want to work

when putting the immich endpoints behind auth, the mobile app will propably not work

AFAIK the immich app supports basic auth, no?

so if I put authelia infront of immich, the app will still work?

If authelia supports basic auth and you configure the domain correctly I think it should, yeah