diff --git a/immich-system/immich.yaml b/immich-system/immich.yaml
index b9e219d..0e90b7b 100644
--- a/immich-system/immich.yaml
+++ b/immich-system/immich.yaml
@@ -480,42 +480,28 @@ metadata: # Allows Hungarian traffic everywhere, worldwide only for /share/* paths set $geo_allowed 0; - + + # Allow private/local networks + if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; } + if ($remote_addr ~ "^10\.") { set $geo_allowed 1; } + # Allow all Hungarian traffic - if ($geoip2_country_code = "HU") { - set $geo_allowed 1; - } - - # Allow public share paths from anywhere - if ($request_uri ~* "^/share/") { - set $geo_allowed 1; - } - - # API endpoints needed for shared content - if ($request_uri ~* "^/api/shared-links") { - set $geo_allowed 1; - } - - # Assets for shared albums (thumbnails and originals) - if ($request_uri ~* "^/api/assets/.*/thumbnail") { - set $geo_allowed 1; - } - if ($request_uri ~* "^/api/assets/.*/original") { - set $geo_allowed 1; - } - - # Static assets needed for share page rendering - if ($request_uri ~* "^/_app/") { - set $geo_allowed 1; - } - if ($request_uri ~* "^/favicon") { - set $geo_allowed 1; - } - if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") { - set $geo_allowed 1; - } - - # Block non-allowed requests + if ($geoip2_country_code = "HU") { set $geo_allowed 1; } + + # Public share paths + if ($request_uri ~* "^/share") { set $geo_allowed 1; } + + # API endpoints needed for shares + if ($request_uri ~* "^/api/shared-links") { set $geo_allowed 1; } + if ($request_uri ~* "^/api/assets") { set $geo_allowed 1; } + if ($request_uri ~* "^/api/albums") { set $geo_allowed 1; } + if ($request_uri ~* "^/api/server") { set $geo_allowed 1; } + if ($request_uri ~* "^/api/users/me") { set $geo_allowed 1; } + + # Static assets + if ($request_uri ~* "^/_app/") { set $geo_allowed 1; } + if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico|jpg|jpeg|webp)$") { set $geo_allowed 1; } + if ($geo_allowed = 0) { return 403 "Access restricted to Hungary"; }
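Review bot: The new allow-list exempts whole API prefixes from the geo restriction: `^/api/assets`, `^/api/albums`, `^/api/server` and `^/api/users/me` replace the earlier thumbnail/original-only patterns, so as far as this snippet shows, requests to anything under those paths from any country are now gated only by the application's own authentication. The patterns are also unanchored prefixes (`^/share` without the trailing slash matches any path that merely begins with those characters), and the extension rule tests `$request_uri`, which includes the query string, so it does not actually constrain the path. I would keep the trailing slash and the narrow asset rule, e.g. `if ($request_uri ~* "^/share/") { set $geo_allowed 1; }` and `if ($request_uri ~* "^/api/assets/[^/]+/(thumbnail|original)") { set $geo_allowed 1; }`, match the extension list against `$uri` rather than `$request_uri`, and limit the remaining API prefixes to the exact endpoints the share page calls. The `$remote_addr` checks for `10.` and `192.168.` assume nginx sees the real client address; if traffic arrives through a proxy or SNAT hop inside those ranges, every request would be allowed, which is worth confirming for this deployment. The context comment above the hunk (`worldwide only for /share/* paths`) no longer describes the rule set and should be updated; the snippet itself starts outside the hunk.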