mirror of https://github.com/willnorris/imageproxy.git synced 2024-12-30 22:34:18 -05:00
Commit graph

84 commits

Author SHA1 Message Date
Yassine ABOUKIR
2203979b9c Add X-XSS-Protection HTTP response header to block potential XSS 2021-01-24 12:18:42 -08:00
Blake Stoddard
c08b3c505a Disable browser MIME confusion attacks via content-type sniffing 2020-10-16 07:11:59 -07:00
Blake Stoddard
c6206ea30c Set a strict Content-Security-Policy 2020-10-16 07:11:59 -07:00
Blake Stoddard
fd43ff2198
Support proxying images with no provided intermediate cert (#241)
Replace http.DefaultTransport with aia-transport-go to properly handle missing intermediate certs
2020-09-10 01:52:43 -07:00
Blake Stoddard
52f4360543
Add option to disable following redirects (#237)
When redirects are followed, ensure that they are still allowed per AllowHosts/DenyHosts
2020-09-10 01:40:59 -07:00
Will Norris
84ae42bcde golangci: enable additional checks 2020-09-09 23:28:59 -07:00
Will Norris
fc79b851b2 fix go lint warnings
- handle errors where possible
- explicitly ignore errors where it makes sense to
- fix deprecations and unused var
2020-09-09 15:44:09 -07:00
Blake Stoddard
0da684b81e
Switch to Hostname() for checking whether a host is allowed or not (#238)
Using .Host allows you to get around an allowHosts or denyHosts entry by adding a port
2020-06-20 21:44:01 -07:00
Blake Stoddard
f91e9cb508
Allow allowing/blocking hosts by IP range (#236) 2020-06-19 17:30:49 -07:00
Will Norris
7f91379373 rename prometheus metrics and vars
Make names a little more consistent and align with naming docs at
https://prometheus.io/docs/practices/naming/
2020-02-24 08:27:30 -08:00
Will Norris
4e97a7ea8f make 'cached' a bool 2020-02-24 08:27:30 -08:00
Ben Haan
8484518c93 add basic prometheus support
Fixes #121
2020-02-24 08:27:30 -08:00
Will Norris
8c28dca762 include referer header in remote requests
this is an optional feature which is disabled by default, since it is
only needed in a few select cases and risks accidentally exposing
internal URLs.

Fixes #216
2020-02-21 08:24:23 +00:00
Mauro Ciancio
ef09c1ba31
add support for multiple signature keys (#209) 2020-02-01 17:03:59 -08:00
Will Norris
7eeacfca7a standardize copyright statements (Inc -> LLC) 2019-11-30 10:04:17 -08:00
Will Norris
d99be34251 use path package for matching content type
content type always uses forward slash, so path is the right package to
use.

fixes #191
2019-11-01 18:57:14 -07:00
Shahan Khan
ea95ad93a1 Support for better content type detection with images on S3 2019-10-12 08:20:52 -07:00
Will Norris
a7a8966289 add miscellaneous tests
also fix minor bug in detecting content type for content less than 512
bytes.
2019-06-11 14:02:44 -07:00
Harrison Healey
d4246a08fd allow overriding the Logger used by Proxy 2019-04-22 16:49:45 -07:00
Will Norris
38d3bcc7fe allow request signatures to cover options
URL-only signatures are still accepted, though no longer recommended.

Fixes #145
2019-03-27 21:00:14 +00:00
Will Norris
cf54b2cf2c detect content type if response header is missing
Some misconfigured servers will fail to properly set the content-type in
the response header.  In those cases, detect the content-type from the
response body.

Refs #132
2019-03-26 22:50:38 +00:00
Will Norris
6aca1e0b20 set Accept header on requests if contentTypes set
If the imageproxy instance is configured to only accept certain content
types (which defaults to "image/*"), set that as the accept header on
outbound requests.

Also log more information about the outbound request when the `Verbose`
option is set, so the request headers can be seen in the logs.

Fixes #165
Refs #132
2019-03-24 18:14:28 +00:00
Will Norris
4a6b8653b6 fix minor go fmt and go vet issues 2019-03-22 08:05:59 +00:00
Will Norris
a5297ae319 remove deprecated whitelist flag and struct field 2019-03-22 07:36:41 +00:00
Will Norris
7e19b5ca6b remove specific denial error from response
the specific denial error message reveals more about the imageproxy
configuration than it should, such as what hosts are denied.  Instead,
log the full error, but return a generic message that the requested URL
is not allowed.
2019-03-22 04:45:31 +00:00
Will Norris
2612fa4111 rename several validFoo method to fooMatches
this more accurately describes what the methods are actually doing:
verifying if the value matches, without making any judgement about
validity.
2019-03-22 04:45:31 +00:00
Øyvind Ngai Johnsen
7264d177a1 Add denyHosts flag to deny URLs for certain hosts
For example, when running in a Docker swarm cluster we don't want it to
have access to our internal services available under *.weave.local

Closes #85
2019-03-22 04:44:08 +00:00
Will Norris
5eab3024c6 rename RemoteHosts to AllowHosts
This is what I probably should have called this when I renamed it back
in 70276f36, since this makes it more obvious that it's a list of
allowed hosts.  Renaming now to make room for a `DenyHosts` variable as
part of #85.
2019-03-17 03:05:13 +00:00
Will Norris
4acc0b24ce save and restore original url fragment 2019-03-17 02:51:55 +00:00
Hugues Alary
3444fd9cb4 allow custom User-Agent when fetching remote image
Closes #83
2019-03-17 01:24:41 +00:00
Will Norris
a903995ee7 empty ContentTypes allows all types 2018-10-02 16:14:14 +00:00
Will Norris
70276f36bc rename 'Whitelist' to 'RemoteHosts'
This better describes what exactly is being allowed.
2018-09-15 05:55:02 +00:00
Will Norris
0370572130 change how content-type enforcement is handled
If no content types are specified, then accept all responses, regardless
of content type (this is the behavior imageproxy has historically had).
Change default value for the contentTypes flag to be "image/*", so that
the new default when running cmd/imageproxy is that only images will be
proxied.  The old default behavior can be achieved by passing an empty
string for the contentTypes flag:

    imageproxy -contentTypes ""

Do not send the "XCTO: nosniff" header, since all documentation that I
can find still says that it can cause problems when served with images.
If it's effectively a noop when an explicit content-type is specified in
the response, then this shouldn't actually matter for us either way.
But in the absence of certainty, I'd rather err on the side of following
the spec.

Also add documentation for the new functionality.

Fixes #141
2018-09-15 05:36:25 +00:00
Christopher Brown
39a4e1813d content-type checking 2018-09-15 04:00:34 +00:00
Wilrik
74c16f575e fixed tcp_mem resource leak when sending 304 2018-07-06 08:14:09 -07:00
Dao Hoang Son
8fc9d8876c Include image URL in transform error log message 2018-05-20 08:32:16 -07:00
James Reggio
ebcfb52f3a Fix interpretation of Last-Modified and If-Modified-Since headers
If the dates in `Last-Modified` and `If-Modified-Since` are an exact
match, the server should 304.
2017-09-23 17:01:24 -07:00
Will Norris
7338ef68ef switch from glog to standard log library
add "-verbose" flag for more logging.

fixes #105
2017-09-12 05:14:46 +00:00
Will Norris
5ee7e282cf return a 200 OK for requests to root /
This has come up a couple of times, such as in #95.  As discussed there,
I'm not completely sure this is actually necessary in many cases, but
it's certainly not harmful and if it makes health checks easier to setup
then why not?
2017-09-09 08:31:22 +00:00
Michael Carey
c1a9dab401 Support TIFF images. 2017-08-31 13:04:10 -07:00
Romanos
50f6f640b2 Enable CORS for 3rd party applications 2017-06-20 08:24:55 -07:00
Will Norris
d64b0f81c9 return 304 from TransformingTransport
If the caching headers in the request are valid, return a 304 response
instead of doing the transformation.

Ref #92
2017-06-14 20:25:56 -04:00
Will Norris
a7a04ebe7b simplify copyHeader func
- take simple http.Header values as input, rather than http.Response
- allow multiple headers to be copied to be specified.  If no headers
  specified, then copy all.
2017-06-14 17:22:45 -04:00
Will Norris
c81621ae35 rename check304 to should304
this reads a little better in if blocks
2017-06-14 16:34:34 -04:00
Will Norris
328044540e add webp support (decode only)
if any transformation is requested, webp images will be encoded and
served as jpeg or png, defaulting to jpeg if no format is specified.

Fixes #88
2017-06-01 08:13:33 -07:00
Will Norris
b9cc9df4b6 add support for specifying output image format
For now, the options are "jpeg" and "png".  Gif is a little harder to
support because of the way we use the image/gif package to handle
animated gifs. I also have trouble imagining someone wanting to use
gif over png. But if the need really exists, we can address it when it
comes up.

Fixes #89
2017-06-01 08:13:11 -07:00
Will Norris
576b7c023a return 504 status for timeout errors
modify custom TimeoutHandler to return 504 error and switch imageproxy
to use that func.

Fixes #75
2016-11-29 15:42:08 -08:00
Will Norris
93166a5b20 add support for per-request timeout
Adds a -timeout flag for specifying the timeout.  Currently, this
returns a 503 response on timeout, though it should really be a 504,
since imageproxy is acting as a gateway.

Ref: #75
2016-11-29 15:42:07 -08:00
xavren
79369ca8ef Copy header Link for canonical image SEO
fix format
2016-06-07 13:50:07 -04:00
Will Norris
a1af9aa8e2 handle 'cleaned' remote URLs
If imageproxy runs behind an http.ServeMux or certain web servers, the
double slash in the remote URL will get collapsed down to a single
slash.  (e.g. http://example.com/ becomes http:/example.com/).  This
is now handled by imageproxy directly.

Ref #65
2016-05-26 13:22:20 -07:00