Help protecting Immich public Web server

1. The problem I’m having:

I’m trying to protect a public-facing Immich Web server. I actually have the Immich + Caddy integration working great with LetsEncrypt cert.

However, I don’t love the idea of leaving https://imichserver/auth/login open to just anybody. What I’d love to do is prevent ANY IP except my office/home IPs from hitting the /auth/login URL.

2. Error messages and/or full log output:

No errors really, more of a usage question.

3. Caddy version:

v2.10.0

4. How I installed and ran Caddy:

Download standalone binary for Linux, ran it.

a. System environment:

Linux Ubuntu x64 - latest version and all patches as of today.

b. Command:

./caddy run --config ./Caddyfile

c. Service/unit/compose file:

d. My complete Caddy config:

mysite {
    reverse_proxy http://my-internal-immich-server:2283

    log {
        output file /var/log/caddy/access.log {
            roll_size 10MiB
            roll_keep 5
        }
        format json
    }
}

5. Links to relevant resources:

Use the remote_ip matcher, something like:

@myHomeOrOffice remote_ip 1.2.3.4 5.6.7.8
reverse_proxy @myHomeOrOffice http://my-internal-immich-server:2283

You could alternatively use a not matcher and reply with some sort of error message or page.

2 Likes

Do your home and office have static IPs?

I realize I probably wasn’t clear in the original message in that I want people to be able to view the general photos and gallery pages, but I don’t want just anybody to hit that specific login page and hammer away at it with brute force password spraying attacks. I’ll look into that remote-ip functionality though as perhaps it can deny just specific URLs. And yep my home and office have static IPs.

1 Like
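One way to combine the two suggestions above (a `remote_ip` allow-list plus a `not` matcher) so that only the login path is restricted while the rest of the site stays public. This is an added example, not configuration posted by anyone in the thread; the IPs are the placeholders from the reply above, and the `/api/auth/login` path is an assumption about where Immich's login request actually goes, to be confirmed against your own access log.

```caddyfile
mysite {
    # Matches requests for the login page (path from the original post)
    # AND, as an assumption, the API endpoint the page submits to.
    # Check /var/log/caddy/access.log for the real POST path and adjust.
    @loginFromElsewhere {
        path /auth/login* /api/auth/login*
        # Placeholder addresses: replace with the static home/office IPs.
        not remote_ip 1.2.3.4 5.6.7.8
    }

    # Matchers inside one named block are ANDed, so this only fires for
    # login paths requested from outside the allow-list.
    # respond is ordered before reverse_proxy, so it wins for those requests.
    respond @loginFromElsewhere "Forbidden" 403

    # Everything else (galleries, shared links, allowed logins) is proxied.
    reverse_proxy http://my-internal-immich-server:2283

    log {
        output file /var/log/caddy/access.log {
            roll_size 10MiB
            roll_keep 5
        }
        format json
    }
}
```

`remote_ip` compares against the address of the direct TCP peer, so it is only meaningful when Caddy itself is the internet-facing listener. Blocked attempts still appear in the JSON access log with status 403, which makes them easy to count or alert on.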
