Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Forum image proxying
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Forum image proxying

Hello all,

I run a small forum with about 500 users, and we use XenForo behind Cloudflare. In order to get SSL working without mixed content warnings, we had to enable an image proxy, which fetches local images, and caches them, distributing them over SSL from the XenForo server when they're requested.

This, however, leaks the backend IP, which isn't DDoS protected, so I set up an Nginx proxy, with caching, that runs on an external server, so the requests come from there.

The image url is passed as the uri argument in the address.

server { listen 80; server_name [domain name]; merge_slashes on; location /proxy/ { allow [server IP]; deny all; resolver 127.0.0.1; proxy_pass $arg_uri; proxy_cache my-cache; proxy_cache_valid 200 302 60m; proxy_cache_valid 404 1m; } }

This is working fantastically at the moment.

However, I've got a few concerns about this setup:

  • Are there any security risks? For example, is it possible that someone could enter a filesystem address into the Nginx config and it would proxy to that, instead? I'm fairly new to Nginx, so I'm not exactly sure of the behaviour of proxy_pass.

  • If someone inserted an image that was illegal or copyrighted, presumably, I'd be held liable, because the request would be from an IP belonging to me? That's not really ideal. I could set up some kind of domain blacklist to block this, but I'm not too keen on that, because it'd be a lot of work to keep up to date.

  • Is there an easier way to do this? I can't help feeling that I've massively overcomplicated it all.

  • If user links to an image that has arguments in the URL, they aren't passed on, because of the fact the URL isn't encoded when passed the uri argument. I tried to fix that, by using the php urlencode() function when generating the URL, but I was unable to get Nginx to decode the $arg_uri variable, because that apparently required recompiling Nginx to add another module, so I gave up.

Thanks in advance

Thanked by 1chauffer

Comments

  • vfusevfuse Member, Host Rep

    You could make it less complicated by only running one external server putting that on a subdomain with cloudflare SSL. This way you won't have to run another proxy that fetches from your external proxy.

    There's should be no security risks as long as you won't let for example PHP parse your images, just don't enable any PHP for the subdomain.

    Of course you are responsible for the images you host on that server.

    I think I did something like this a few years ago with nginx, what I did was something like this:

    http://example.com.myexternalserver.com/path/to/some/img.jpg?someimg=abc

    this would fetch the image from example.com/path/to/some/img.jpg?someimg=abc

    Thanked by 1YellowHummingbird
  • @vfuse said:
    You could make it less complicated by only running one external server putting that on a subdomain with cloudflare SSL. This way you won't have to run another proxy that fetches from your external proxy.

    There's should be no security risks as long as you won't let for example PHP parse your images, just don't enable any PHP for the subdomain.

    Of course you are responsible for the images you host on that server.

    I think I did something like this a few years ago with nginx, what I did was something like this:

    http://example.com.myexternalserver.com/path/to/some/img.jpg?someimg=abc

    this would fetch the image from example.com/path/to/some/img.jpg?someimg=abc

    Thank you! That all seems pretty reasonable to me. The PHP security point is a valid concern.

    I like the subdomain idea, I think that I'll look into that, thank you for sharing it :)

Sign In or Register to comment.