URL Signature #12

mdmm13 · 2024-03-05T22:41:04Z

mdmm13
Mar 5, 2024

Thanks for this fantastic repo @shinsenter.

You're bypassing URL signatures by default and it's not possible with the current NGINX rules to add them back. Would you mind commenting on

How this setup is secure since anyone can DOS a given URL without signature or are you suggesting moving that to NGINX?
How one could enable URL signatures if one wanted to?

Answered by shinsenter

Mar 5, 2024

Hi @mdmm13

Thank you for your interest and for posing your question. I'll address your inquiries individually based on my knowledge.

How this setup is secure since anyone can DOS a given URL without signature or are you suggesting moving that to NGINX?

In terms of mitigating DoS attacks, one effective strategy is to implement rewrite rules to restrict access to specific parameters that are necessary. For instance, in my current setup, I only allow resizing for images with fixed widths of 200, 640, 800, 1200, and 1600 pixels. Any other sizes default to 200 pixels.

docker-imgproxy/imgproxy.conf

Lines 132 to 142 in 0d0bbe8

     # You can define dynamic presets,  
   #> but beware th…

View full answer

shinsenter · 2024-03-05T23:02:51Z

shinsenter
Mar 5, 2024
Maintainer

Hi @mdmm13

Thank you for your interest and for posing your question. I'll address your inquiries individually based on my knowledge.

How this setup is secure since anyone can DOS a given URL without signature or are you suggesting moving that to NGINX?

In terms of mitigating DoS attacks, one effective strategy is to implement rewrite rules to restrict access to specific parameters that are necessary. For instance, in my current setup, I only allow resizing for images with fixed widths of 200, 640, 800, 1200, and 1600 pixels. Any other sizes default to 200 pixels.

docker-imgproxy/imgproxy.conf

Lines 132 to 142 in 0d0bbe8

    
           # You can define dynamic presets, 
        
           #> but beware that dynamic presets are able to cause a denial-of-service attack 
        
           #> by allowing an attacker to request multiple different image resizes. 
        
           #> E.g. a dynamic preset with a variable $width. 
        
           # ~^/_w(?<parsed_width>[0-9_-]+)/  'max_w:${parsed_width}'; 
        
           # This is a better version for above dynamic preset. 
        
           #> It allows only certain image sizes, 
        
           #> and fallbacks other undefined image sizes to max_w:200 
        
           ~^/_w(?<parsed_width>(200|640|800|1200|1600))/  'max_w:${parsed_width}'; 
        
           ~^/_w(?<parsed_width>([0-9_-]+))/               'max_w:200';

Additionally, implementing proxy caching between nginx and imgproxy can also significantly reduce the number of requests reaching imgproxy.

docker-imgproxy/nginx/nginx.conf

Lines 207 to 209 in 0d0bbe8

    
           proxy_cache     $imgproxy_cache; 
        
           proxy_cache_key $imgproxy_rewrite; 
        
           proxy_pass      http://upstream_imgproxy${imgproxy_rewrite};

And if you use a CDN, this DoS limitation will be even more effective.

How one could enable URL signatures if one wanted to?

The main objective of my project is to minimize the number of parameters and URL signatures required for image query URLs. If you're interested in incorporating URL signatures into your setup, you can refer to how I utilize rewrite rules to achieve a similar outcome for adding URL signatures to imgproxy queries.

Best regard

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

URL Signature #12

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

URL Signature #12

mdmm13 Mar 5, 2024

Replies: 1 comment

shinsenter Mar 5, 2024 Maintainer

mdmm13
Mar 5, 2024

shinsenter
Mar 5, 2024
Maintainer