The original article is here: Proxy image server with nginx
Updates:
– Referer limits
– Cache on the local storage
– Resize image ‘on the fly’
– Image quality settings (for reducing the size)
– Passing the request to HTTPS enabled servers with SNI
Arguments that can be passed to URL:
– w (width in pixels)
– h (height in pixels)
– q (quality percentage)
Examples:
https://yourdomainname.tld/http(s)://remotedomain.tld/imagepath/imagename.ext
https://yourdomainname.tld/http(s)://remotedomain.tld/imagepath/imagename.ext?w=300
https://yourdomainname.tld/http(s)://remotedomain.tld/imagepath/imagename.ext?w=300&h=300
https://yourdomainname.tld/http(s)://remotedomain.tld/imagepath/imagename.ext?w=300&q=80
Dependency: the nginx module ngx_http_image_filter_module. You can read more about its configuration here.
Nginx configuration:
server {
    listen 0.0.0.0:443 ssl http2 reuseport backlog=2000;
    server_name static.unixteacher.org;
    keepalive_timeout 60;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!RC4';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:TLSSL:30m;
    ssl_session_timeout 360m;
    ssl_buffer_size 4k;
    ssl_certificate /etc/letsencrypt/live/unixteacher.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unixteacher.org/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security max-age=315360000;

    # keep the double slash of "http://" in the request path
    merge_slashes off;

    # limit images: allow requests with no Referer or a Referer from our own domains
    valid_referers none blocked server_names unixteacher.org ~\.unixteacher.org;
    if ($invalid_referer) {
        return 444;
    }

    # image proxy to http
    # the named capture "r" holds the remote URL that proxy_pass fetches
    location ~ /(?<r>http://.*) {
        # defaults: "-" leaves a dimension unconstrained, quality 100
        set $w "-";
        set $h "-";
        set $q "100";
        if ( $arg_w ) {
            set $w $arg_w;
        }
        if ( $arg_h ) {
            set $h $arg_h;
        }
        if ( $arg_q ) {
            set $q $arg_q;
        }
        image_filter resize $w $h;
        image_filter_jpeg_quality $q;
        image_filter_buffer 20M;
        image_filter_interlace on;
        proxy_cache static;
        proxy_cache_key "$proxy_host$uri$is_args$args";
        proxy_cache_revalidate on;
        proxy_cache_min_uses 1;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        # a resolver is required because proxy_pass uses a variable
        resolver 8.8.4.4 8.8.8.8 4.2.2.2 9.9.9.9 valid=3600s ipv6=off;
        # do not leak the client's Referer to the remote server
        proxy_set_header Referer "";
        proxy_pass $r;
        expires 10y;
    }

    # image proxy to https
    location ~ /(?<r>https://.*) {
        set $w "-";
        set $h "-";
        set $q "100";
        if ( $arg_w ) {
            set $w $arg_w;
        }
        if ( $arg_h ) {
            set $h $arg_h;
        }
        if ( $arg_q ) {
            set $q $arg_q;
        }
        image_filter resize $w $h;
        image_filter_jpeg_quality $q;
        image_filter_buffer 20M;
        image_filter_interlace on;
        # send the remote host name in the TLS handshake (SNI)
        proxy_ssl_server_name on;
        proxy_cache static;
        proxy_cache_key "$proxy_host$uri$is_args$args";
        proxy_cache_revalidate on;
        proxy_cache_min_uses 1;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        resolver 8.8.4.4 8.8.8.8 4.2.2.2 9.9.9.9 valid=3600s ipv6=off;
        proxy_set_header Referer "";
        proxy_pass $r;
        expires 10y;
    }
}
For the cache (the static zone referenced in the configuration above), add a proxy_cache_path line to the http section. Example:
http {
    ..................
    proxy_cache_path /dev/shm/proxy_cache levels=1:2 keys_zone=static:2048m max_size=40966m inactive=24h use_temp_path=off;
    ....
}
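The locations above hand any captured URL to proxy_pass and pass w, h and q to image_filter unchecked, and valid_referers with "none" still admits requests that carry no Referer. As an added example (not part of the original configuration), the fragment below limits fetches to an allowlist of upstream hosts and validates the three arguments; remotedomain.tld is a placeholder for your real image hosts, and the variable names $rhost, $upstream_allowed, $img_w, $img_h and $img_q are assumptions introduced here.

```nginx
# Added example. $rhost, $upstream_allowed, $img_w, $img_h, $img_q are
# hypothetical names; remotedomain.tld is a placeholder for your image hosts.

# --- http {} context ---
# Hosts the proxy may fetch from; everything else (IP literals included) is 0.
map $rhost $upstream_allowed {
    hostnames;
    default             0;
    remotedomain.tld    1;
    *.remotedomain.tld  1;
}

# Accept w/h only as 1-4 digit integers and q only as 1-100; anything else
# falls back to the defaults of the original config ("-" and "100").
map $arg_w $img_w { default "-";   "~^[1-9][0-9]{0,3}$"   $arg_w; }
map $arg_h $img_h { default "-";   "~^[1-9][0-9]{0,3}$"   $arg_h; }
map $arg_q $img_q { default "100"; "~^(100|[1-9][0-9]?)$" $arg_q; }

# --- server {} context (replaces both image proxy locations) ---
# r = full target URL (as in the config above), rhost = its host name.
# Userinfo ("@") and explicit ports (":") do not match this pattern,
# so such requests never reach proxy_pass.
location ~ ^/(?<r>https?://(?<rhost>[^/:@]+)/.*)$ {
    if ($upstream_allowed = 0) {
        return 403;
    }

    image_filter resize $img_w $img_h;
    image_filter_jpeg_quality $img_q;
    image_filter_buffer 20M;
    image_filter_interlace on;

    proxy_ssl_server_name on;   # SNI, used for https targets
    proxy_cache static;
    # Key on the target URL only, so arbitrary query strings cannot
    # create extra cache entries for the same upstream image.
    proxy_cache_key "$r";
    proxy_cache_lock on;
    resolver 8.8.8.8 8.8.4.4 valid=3600s ipv6=off;
    proxy_set_header Referer "";
    proxy_pass $r;
    expires 10y;
}
```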
References:
– Read more about SNI
– Nginx Webpage