The security of which URLS are accessible without authentication would be up to immich.

This is exactly the risk I’m wanting to mitigate. Immich is under heavy active development, and I want to abstract away from needing to worry whether the no-auth API URLs are safe to expose publicly.

At the end of the day I feel safer knowing that there is zero public access to any part of my Immich instance, which for me is what really matters.

Sorry, off topic, but is this what Immich looks like out of the box, or have you used any other plugins?

No - this is using lightGallery. You can see what Immich looks like on their demo.

Or you could similar just block those routes in whatever reverse proxy you’d use out in front of the server?

You can’t. You need to allow public access to your Immich instance’s /api/ path to use Immich’s built-in sharing.

You’re correct - it is indeed taking input requests and requesting the related data from Immich.

How is this adding more security than any other proxy?

To allow sharing with Immich using a normal reverse proxy like Caddy or Traefik, you need to expose public access to the Immich /api/ path, along with a few other potentially dangerous paths. Any existing or future vulnerability has the potential to compromise your Immich instance.

This proxy is more secure as it does not allow public access to the Immich API path or to any Immich path. The only incoming requests which are honoured are requests like this:

https://your-proxy-url.com/share/ffSw63qnIYMtpmg0RNvOui0Dpio7BbxsObjvH8YZaobIjIAzl5n7zTX5d6EDHdOYEvo

If the shared link does not resolve to something that you have intentionally shared from Immich, it will return a 404.

if Immich is updated with changes that proxy doesn’t have yet, everything breaks.

The only thing which would break it is if Immich changed the format of a few select API endpoints. And if that ever happens it’s a very easy fix.