Image Proxy

[kh99]

Quote:

Originally Posted by Dave

Might be clever, but I could cause a huge load on the server if I include big images. Easy to do a DoS attack like that.

Yeah, I think we all agree that it has issues, that's why I said "basically working". I think it needs a few basic checks, like not rewriting the url if it's already using https.

My thoughts (and some of this comes from reading about the xenforo version that was linked earlier) was to try to keep the proxy script from having to read the database, or at least from loading the vbulletin stuff to check permissions. My thought was to generate a random "secret" and save it somewhere (a file, I guess, if not using the database). Then when rewriting the links, hash the secret with the url and add that as a parameter. That will at least allow the proxy script to check that the requested image is actually something someone posted. But with that scheme there's no way to 'delete' a link once it's out there.

As for someone hot linking, I guess that's the same issue as any other image you might be hosting.

Do you really think that this script represents a significantly greater opportunity for DoS attack over just requesting vbulletin pages? I guess a server normally doesn't use a lot of incoming bandwidth, so maybe that's a problem. maybe caching could solve that.

Let me know what problems you see and if you have any ideas for solving them.


Edit: I was thinking about this: If you have a proxy script like this on your server, I can post any url I want as an image src, and now I have a url that looks like it's coming from your server that delivers anything I want. I don't know how that could be used maliciously, but it sounds bad. Does anyone know more about that kind of stuff?

[AndrewSimm]

Here is what I changed the plugin too on bbcode_image_match. This detects https and does not use the proxy if the image is https. If the image is http then it does.

PHP Code:

$url = parse_url($link);

if($url['scheme'] == 'https') {
$retval = ($fullsize ? '<div class="size_fullsize">' : '')  . '<img src="' . $link .'" border="0" alt="" />' . ($fullsize ? '</div>' : '');
} else {
$retval = ($fullsize ? '<div class="size_fullsize">' : '')  . '<img src="proxy.php?url=' . rawurlencode($link) .'" border="0" alt="" />' . ($fullsize ? '</div>' : '');
} 


The 3 issues I have yet to figure out are:
- Detect filesize of a link so I could limit it.
- Prevent others from hotlinking the proxy image proxy and making it look as if I am hosting an image.
- cache

--------------- Added [DATE]1418979451[/DATE] at [TIME]1418979451[/TIME] ---------------

[kh99]

Well, as usual I never got around to working on this, but I just noticed this: https://vborg.vbsupport.ru/showthread.php?t=288060

[AndrewSimm]

oh wow I am not sure how I missed that. The only thing is I don't want to download the image to my server. I want the images to be externally linked to conserve space. It looks like this post in that mod shows how to do it.

https://vborg.vbsupport.ru/showpost....3&postcount=12

If the image is downloaded to the server why would it need to go through a proxy?

I wonder if it could be cached without being downloaded?

thank you for finding this.

Would there be an advantage to using curl?

[kh99]

Well, I think it downloads it to cache it, but it doesn't look like there's any security or any limiting of cache size, so I guess there's no difference bewteen that and downloading them all to your server. And if you use the code in the post that eliminated the cache, thne I guess you're pretty much back to what you have.

I don't know that curl is any better. I guess it's a little easier to set headers and manage any errors that might happen, but if what you have is working for you, then it doesn't matter.

[Zachery]

I don't see why you wouldn't just cache images for some period of time, it'd save you a ton of bandwidth.

[AndrewSimm]

Quote:

Originally Posted by Zachery

I don't see why you wouldn't just cache images for some period of time, it'd save you a ton of bandwidth.

That would be ideal. I am not sure if the mod linked does that. Also if they are cached on the server there would be no need to run them through an image proxy.

[Mellnik]

Can anyone make an ImageProxy Product which works as fine as on forums like bitcointalk.org? I would even pay for it.