One of the biggest reasons that I self-host Immich is data ownership. I want my photo library under my control, stored on my own hardware, and accessible without relying on a third-party cloud service.

Sharing photo albums with someone across the globe from a self-hosted service isn't the most straightforward process. Be it a family album, event photos, or travel photos, sharing means exposing your server to the internet. For a long time, I tried to avoid it. Opening up my entire Immich instance to public traffic felt unnecessary, simply because I wasn't sure I could secure it properly. I didn't need the entire interface accessible over the internet; I just wanted to share a few albums.

After trying a few different approaches, I landed on a setup that gives me the convenience of public sharing without directly exposing my image server. It's an open-source app called Immich Public Proxy, and it has become one of the most important pieces of my self-hosted stack.

Public album sharing without exposing Immich

A safer way to share self-hosted photo albums

Like most image users, I occasionally need to send photo albums to people who don't have accounts on my server. Immich already supports public share links, but the question I kept coming back to was whether I really wanted my primary photo server exposed at a public URL. I know Immich is actively maintained, and security is paramount for the team. However, reducing the attack surface of any self-hosted service is generally a good idea, especially when you're not a cybersecurity expert yourself.

My goal was simple. I just wanted people to open a shared album without logging in, while ensuring that visitors never interact with the image instance itself. That's exactly where Immich Public Proxy fits into the picture.

Instead of exposing Immich directly, this tool runs as a lightweight proxy service between visitors and my photo server. The proxy only handles public shares and does not provide access to the administration interface, user accounts, libraries, or any of the other functionality that powers the main application. When someone opens a shared album, the request goes to the proxy first. The proxy validates the share and fetches only the assets associated with that specific album, leaving everything else inaccessible.

I love this approach because visitors to my public shares do not interact with Immich directly. The proxy simply serves as a bridge between the public share link and the assets associated with that share. For something as sensitive as my personal photo archive, that separation provides a lot of peace of mind and, hopefully, security.

A better sharing workflow without extra steps

Every share link automatically uses the proxy

One of my primary criteria while picking out a service to enable this feature for me was ease of use. Security is important, but if my workflow became too cumbersome, I would basically stop using it. That's part of what makes Immich Public Proxy so effective. It doesn't change how you share albums.

After deploying the container, I just configured Immich's external domain setting to point at the proxy URL instead of the Immich server itself. From that point on, every public share link generated by Immich automatically used the proxy. I didn't have to do anything else. I can create my albums exactly the same way, then click the share button in Immich. After that, I just have to copy the share link, send it to friends and family, and they'll be able to open it. The difference is entirely behind the scenes.

When someone opens a shared album, the request reaches the proxy running behind my public domain. The proxy validates the shared key and communicates with Immich over my local network. If the share is valid, it retrieves the relevant photos and serves them back to the visitor.

In my case, the setup sits behind a Cloudflare tunnel. I've got a public hostname that routes traffic to the proxy container, while the actual Immich instance remains separated from the public sharing workflow. That means the only publicly accessible component involved in album sharing is the proxy service, not Immich. Once configured, it just sits there and does its job, and that's precisely the service I like: services I can set up once, verify they work, and then basically forget about. Immich Public Proxy also doesn't have any databases or API keys to manage, which further helps in reducing potential maintenance.

Sharing photos doesn't have to mean exposing your server

One of the biggest challenges that I've faced with self-hosting is finding a balance between convenience and security. The best security practices would advise me not to expose my photo archive to the public internet. Exposing something to the public internet is easy, but making it accessible without exposing critical services is more complicated. Immich Public Proxy solves the problem elegantly. It gives you all the convenience of Immich's sharing features. Your friends and family can open your albums without creating accounts, and shared links work natively. My photo archive remains outside the public sharing path. It's the perfect balance of security and convenience, making it easy to recommend.