immich-public-proxy

v2.1.0 Breaking

This release includes 1 breaking change for platform teams planning a safe upgrade.

Published 7d Media Servers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

✓ No known CVEs patched in this version

Affected surfaces

breaking_upgrade

ReleasePort's take

Moderate signal

editorial:auto 7d

The dynamic public URL setting via HTTP header in IPP configuration has been removed.

Why it matters: Affects any system using the deprecated config option; update configurations before upgrading to v2.1.0.

Summary

AI summary

Removed broken config option for dynamic public URL via HTTP header.

Changes in this release

Type	Severity	Summary	CVE
Breaking	High	Removes dynamic public URL setting via HTTP header in IPP config. Removes dynamic public URL setting via HTTP header in IPP config. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes slug album download failure when URLs are incorrect. Fixes slug album download failure when URLs are incorrect. Source: llm_adapter@2026-05-28 Confidence: high	—
Bugfix	Medium	Fixes inability to unlock password‑protected links across different sites. Fixes inability to unlock password‑protected links across different sites. Source: llm_adapter@2026-05-28 Confidence: high	—
Refactor	Low	Updates zip‑creation code to match Immich's implementation. Updates zip‑creation code to match Immich's implementation. Source: llm_adapter@2026-05-28 Confidence: high	—

Full changelog

"Breaking" change?

An option has been removed from the config, which apparently was never working. So this should not break anyone's IPP as the previous code never functioned:

Previously there was an option in IPP when serving from multiple domains, that you could "instead of setting the public URL in your docker-compose file, you can set it dynamically via a HTTP header in the request from your reverse proxy to IPP."

Thanks to @mFIND #234 for pointing it out - the code had a camelCase key, but NodeJS forces all keys to lowercase. This means that the existing code would have been non-functional.

Due to the cache poisoning risk pointed out by @mFIND #234 and since apparently no one was using this functionality, rather than fix the issue it has been removed entirely https://github.com/alangrainger/immich-public-proxy/commit/79346d9bc7d4942f4111442740a01877120525e1

Fixes

#230 slug album not downloading correctly
#233 unable to unlock password protected link with cross-site context (thanks @MDornacher)
Update the zip-creation code to match the way Immich does it, which seemed like a sensible idea

Breaking Changes

Removed the non‑functional configuration key that allowed setting the public URL dynamically via an HTTP header

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track immich-public-proxy

Get notified when new releases ship.

About immich-public-proxy

Share your Immich photos and albums in a safe way without exposing your Immich instance to the public.

All releases →

Related context

Related tools

Earlier breaking changes

v2.2.0 Deprecates `?password=...` query-param for shared links; requires Immich v2.6.0 or later.
v2.0.0 Gallery title now shown by default; hide with showTitle=false in config.json