Immich Secure Internet Sharing – A Practical Guide

Immich Secure Internet Sharing: This post shows you how to make your private Immich photo platform securely accessible over the internet—with password protection for yourself AND via shareable links for family and friends. The solution is based on Cloudflare Tunnel and doesn’t require any complicated router settings or custom reverse proxy configuration.

Cloudflare Tunnel Setup

Prerequisites

  • A domain managed by Cloudflare
  • Docker environment with running Immich instance
  • Cloudflare account (free)

Setting up a tunnel with two subdomains

1. Create tunnel in Cloudflare

  • In the Cloudflare Dashboard, go to Zero Trust > Networks > Tunnels
  • Create new tunnel (Type: Cloudflared)
  • Save the token

2. Extend Docker-Compose with tunnel

services:
  # ... your existing Immich services ...

  cloudflared:
    container_name: cloudflared
    image: cloudflare/cloudflared:latest
    depends_on:
      - immich-server
    restart: always
    networks:
      - immich_default
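    environment:
      - TUNNEL_TOKEN=YOUR_TOKEN_HERE
    # Required: the image's default command only prints the version and exits.
    # cloudflared reads the tunnel token from TUNNEL_TOKEN.
    command: tunnel --no-autoupdate run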

networks:
  immich_default:
    external: true

3. Configure two public hostnames

In the tunnel dashboard, add two public hostnames:

| Subdomain | Purpose | Access Protection |
|---|---|---|
| photos.your-domain.com | Admin area & personal use | ✅ Cloudflare Access (Email PIN) |
| share.your-domain.com | Public share links | ❌ No additional protection |

Both point to the same internal service: http://immich-server:2283

4. Access Policy for admin area

  • In Zero Trust > Access > Applications, create a new Application for photos.your-domain.com
  • Policy type: “Email” (Email PIN)
  • Add allowed email addresses (e.g., family members)
  • Important: Do NOT create an application for share.your-domain.com

Alternative: Classic Reverse Proxy

If you prefer not to use Cloudflare Tunnel, you can expose Immich through your own reverse proxy (e.g., Nginx Proxy Manager, Caddy, or Traefik). Advantage: No 100 MB upload limit. Disadvantage: You need to open ports in your firewall and manage SSL certificates yourself.

Understanding the Security Architecture

Two separate access paths

Internet
    │
    ├─→ share.your-domain.com ──→ Cloudflare Tunnel ──→ Immich (public links)
    │      │
    │      └─→ No hurdle - Direct access to shared content
    │
    └─→ photos.your-domain.com ──→ Cloudflare Tunnel ──→ Cloudflare Access
           │                                                │
           └─→ Email PIN required ←────────────────────────┘
                                      └─→ Immich (Admin/Private)

Why this separation?

  • photos.your-domain.com: Protected by Cloudflare Access (Email PIN). Only authorized people with verified email addresses can access this. This protects your entire photo library, admin functions, and configuration.
  • share.your-domain.com: All public shares land here. The links are intentionally not protected by an additional PIN hurdle so recipients can directly see the shared photos. Security relies on random, unguessable links and individual link settings.
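
To confirm the separation really holds, the check below probes both hostnames without credentials and reports any hostname that does not behave as the table says. It is an added example, not part of the original guide; the path /api/server/ping, the team name example-team and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Expected behaviour per hostname, taken from the hostname table in this guide.
EXPECTED = {"photos.your-domain.com": "access-gated",
            "share.your-domain.com": "direct"}
PATHS = ("/", "/api/server/ping")  # second path is an assumed Immich API route

def classify(status, headers):
    """Classify one unauthenticated response (redirects not followed)."""
    host = urlsplit(headers.get("location", "")).hostname or ""
    if status in (301, 302, 303, 307) and host.endswith(".cloudflareaccess.com"):
        return "access-gated"  # bounced to the Cloudflare Access login page
    if status in (401, 403):
        return "blocked"
    if 200 <= status < 400:
        return "direct"        # the request reached Immich with no gate in front
    return "error"             # e.g. 502 when cloudflared cannot reach Immich

def live_fetch(host, path):
    """Real probe: a single HTTPS GET; http.client never follows redirects."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def audit(fetch, expected=EXPECTED, paths=PATHS):
    """Return (host, path, expected, observed) for every mismatch."""
    findings = []
    for host, want in expected.items():
        for path in paths:
            got = classify(*fetch(host, path))
            if got != want:
                findings.append((host, path, want, got))
    return findings

def sample_fetch(gated):
    """Constructed responses for an offline run; gated=False simulates a
    photos.* hostname with no Access application attached."""
    login = {"location": "https://example-team.cloudflareaccess.com"
                         "/cdn-cgi/access/login/photos.your-domain.com"}
    def fetch(host, path):
        if gated and host.startswith("photos."):
            return 302, login
        return 200, {"content-type": "text/html"}
    return fetch

if __name__ == "__main__":
    for finding in audit(sample_fetch(gated=False)):
        print("MISMATCH", *finding)
```

Run `audit(live_fetch)` against your own domain after replacing the hostnames. A "direct" result on every path of share.your-domain.com is expected with this setup: that hostname reaches the same Immich service, so Immich's own login and the share-link settings are the only controls on it.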

You can find an additional video with detailed instructions on setting up Cloudflare at:

Securing Immich itself

Disable public registration

To prevent unwanted sign-ups on your instance:

In the .env file (next to your docker-compose.yml):

DISABLE_PUBLIC_SIGNUP=true

Or directly in docker-compose.yml:

services:
  immich-server:
    environment:
      - DISABLE_PUBLIC_SIGNUP=true
    # ... rest of configuration

After adding, restart containers: docker compose up -d

Additional sensible settings

  • No new users by default: Create accounts only manually for family members
  • Password policy: Set minimum password length in system settings

Using Share Links properly

Link options in Immich

When creating a public link, you have many configuration options:

| Option | Description | Recommendation |
|---|---|---|
| Expiration date | Link automatically becomes invalid | Set for temporary shares |
| Password | Additional protection for the link | Use for sensitive albums |
| Allow download | Recipients can download originals | Only enable when needed |
| Show metadata | EXIF data (location, camera) visible | Disable for privacy |
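
The recommendations above can be turned into a periodic review of existing links. The following is an added example, not part of the original guide: it assumes each link is a JSON object with the fields expiresAt, password, allowDownload and showMetadata (the shape assumed here for Immich's shared-link listing), and the sample data is constructed.

```python
from datetime import datetime, timezone

# Constructed sample; field names are assumed to match Immich's shared-link
# API response (description, expiresAt, password, allowDownload, showMetadata).
SAMPLE = [
    {"description": "Wedding 2024", "expiresAt": None, "password": None,
     "allowDownload": True, "showMetadata": True},
    {"description": "Team event", "expiresAt": "2031-01-01T00:00:00.000Z",
     "password": "set", "allowDownload": False, "showMetadata": False},
    {"description": "Old trip", "expiresAt": "2020-01-01T00:00:00.000Z",
     "password": None, "allowDownload": True, "showMetadata": False},
]

def review_link(link, now):
    """Return review notes for one link, following the options table."""
    expires = link.get("expiresAt")
    if expires:
        when = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if when <= now:
            # Already invalid: nothing else matters, it can be cleaned up.
            return ["expired: can be deleted"]
    notes = []
    if not expires:
        notes.append("no expiration date")
    if not link.get("password"):
        notes.append("no password")
    if link.get("allowDownload"):
        notes.append("originals downloadable")
    if link.get("showMetadata"):
        notes.append("EXIF metadata visible")
    return notes

def review(links, now=None):
    """Map link description -> notes, omitting links with nothing to review."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for link in links:
        notes = review_link(link, now)
        if notes:
            report[link.get("description") or link.get("id", "?")] = notes
    return report

if __name__ == "__main__":
    for name, notes in review(SAMPLE).items():
        print(f"{name}: {', '.join(notes)}")
```

The notes are review prompts, not violations: a permanent, downloadable family album can be a deliberate choice, while the same settings on a link posted publicly are worth changing.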

Understanding link security

How secure are the links?
Immich generates extremely long, random strings (e.g., JUckRMxlgpo7F9BpyqGk_cZEwDzaU_U5LU5_oNZp1ETIBa9dpQ0b5ghNm_22QVJfn3k). These are practically unguessable. An attacker would need to try billions of combinations – technically impossible.

Links on social media and search engines

The risk
If you post a share link publicly in a forum, on social media, or a website, it can be found and indexed by search engines. Google and others crawl public pages and follow all links.

How to protect yourself

  • For public posts, use an additional password for the link
  • Or set a short expiration date (e.g., 24 hours for events)
  • Share sensitive links only directly via email or messenger

But: It can also be useful!
For photographers, clubs, or public events, indexed share links might actually be desirable. If you want your shared albums to be found on Google, post the link on your website or social media – entirely up to you.

Using with the Immich App

  • At home: The app finds your server automatically
  • On the go: Enter https://photos.your-domain.com as server URL in app settings
  • The app supports Cloudflare Access login (redirects automatically)

Important Limitation

The 100 MB upload limit of the free Cloudflare Tunnel:

  • Files over 100 MB (especially videos) cannot be uploaded
  • Only upload is affected – viewing large videos works
  • Solution: Upload only at home or switch to a classic reverse proxy

Troubleshooting

| Problem | Possible Solution |
|---|---|
| 502 Bad Gateway | Check container network: Is cloudflared in same network as Immich? |
| Email PIN not arriving | Check allowed emails in Cloudflare Access, check spam folder |
| Share link not working | Is the link on the correct subdomain (share.your-domain.com)? |

Conclusion

With this solution you have:

  • Secure admin access via Email PIN
  • Easily shareable links for family & friends
  • No port forwarding in your router
  • DDoS protection through Cloudflare
  • Encrypted connection (HTTPS) automatically included

The combination of two subdomains with different protection mechanisms is the key to a solution that is both secure and practical for everyday use.


Questions or suggestions? Feel free to leave a comment!

