
Feature request: Image Proxy

Hi, I've just activated HTTPS on my Elkarte forum using Let's Encrypt. :) The problem is if a post contains images that are hosted on non-https sites there will be a mixed content warning. I'm requesting a feature/addon for Elkarte to cache the non-secured image.

Some references:
http://www.simplemachines.org/community/index.php?topic=527996.0
http://www.vbulletin.org/forum/showthread.php?t=316826
https://www.phpbb.com/community/viewtopic.php?f=496&t=2271541
http://community.mybb.com/thread-162572.html
https://invisionpower.com/forums/topic/416988-image-proxy/
https://xenforo.com/community/threads/what-is-proxy-links-and-proxy-images.81020/
http://arstechnica.com/information-technology/2015/10/chrome-finally-kills-off-the-http-https-mixed-content-warning/
https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

Thanks! :)
Last Edit: May 04, 2021, 12:06:18 pm by Spuds
192.MY.ID: Forum ISP Indonesia.



Re: Feature request: Image Proxy

Reply #3

I knew I wrote something!! xD
I wasn't able to find it as well... LOL
Bugs creator.
Features destroyer.
Template killer.

Re: Feature request: Image Proxy

Reply #4

Time for a bump!

I think we finally need to pull this into the 1.1 core (and possibly for 1.0.10) as the Chrome mandate is just about here. As I understand it Chrome will begin to flag screens with password inputs, on non-https servers, as insecure. 

That's not really an ElkArte issue but a server / site issue. However once someone enables https, they will need the image proxy to still allow links to http sites from your https site, something ElkArte should support out of the box.
Last Edit: December 14, 2016, 05:15:03 pm by Spuds

Re: Feature request: Image Proxy

Reply #5

Agreed.

Re: Feature request: Image Proxy

Reply #6

Quick&dirty we can simply package the addon. O:-)
I wish I were able to finish what I had in mind in terms of addons... actually... I may have already finished, but I don't remember.
This evening I'll give it a try; if I did what I wanted to do, packing the "installed" addon is the easiest thing.
Bugs creator.
Features destroyer.
Template killer.

Re: Feature request: Image Proxy

Reply #7

If you get that in a branch somewhere that would be cool.  I'm looking to beef up the proxy a bit so have been working on that.

Re: Feature request: Image Proxy

Reply #8

Here is a first pass at updating this for 1.1 ....

I changed a few things in the proxy and the proxy-ed "link" which now both use a hash code, this should prevent someone from adding an image and then being able to use the proxy from another site. Some restructure etc.

Found a kind of a bug in the Elk code due to an update in the way Imagick deals with a parameter.

Some things to consider ....

  • Adding a scheduled task to purge old image cache files.
  • Using a library to prevent some potential abuse here. One could link a massive image file, which the site would have to download, try to cache, etc. There are smarter getimagesize functions that we could use to help prevent this.
  • Adding a new db table to track last access (to help with scheduled task vs touching) but also to track success in downloading, a protected image may not download, and we don't want to continually try to get it each page load.

One other thing, where to put the settings (basically on/off) ... core feature page, attachment settings page, other suggestions?
Last Edit: February 26, 2017, 10:48:43 am by Spuds
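
The hash idea from Reply #8, sketched as an added example (this is not ElkArte's code and was not posted by anyone in this thread). It assumes the "hash code" is a keyed HMAC over the image URL; `$secret`, `/proxy.php` and the `image`/`hash` parameter names are hypothetical.

```php
<?php
// Added example, not ElkArte code. The secret, endpoint and parameter names are hypothetical.

// Keyed hash of the image URL. A plain md5/sha1 of the URL could be
// recomputed by anyone, so the server-side secret is what binds the
// link to this forum.
function proxy_sign(string $imageUrl, string $secret): string
{
    return hash_hmac('sha256', $imageUrl, $secret);
}

// Build the link that replaces the original [img] source in the rendered post.
function proxy_link(string $imageUrl, string $secret, string $base = '/proxy.php'): string
{
    return $base . '?image=' . rawurlencode($imageUrl) . '&hash=' . proxy_sign($imageUrl, $secret);
}

// Check an incoming proxy request before any remote fetch is attempted.
function proxy_request_allowed(array $query, string $secret): bool
{
    $url = $query['image'] ?? '';
    $hash = $query['hash'] ?? '';
    if (!is_string($url) || !is_string($hash) || $url === '' || $hash === '') {
        return false;
    }
    // Only plain http(s) sources; rejects file://, php:// and similar wrappers.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // Constant-time comparison of the expected and supplied hash.
    return hash_equals(proxy_sign($url, $secret), $hash);
}

// Constructed demo values.
$secret = 'constructed-demo-secret';
$link = proxy_link('http://images.example/cat.png', $secret);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
var_dump(proxy_request_allowed($query, $secret));   // link exactly as the forum generated it

$query['image'] = 'http://images.example/other.png';
var_dump(proxy_request_allowed($query, $secret));   // URL swapped by another site, hash left unchanged
```

Because the check runs before the fetch, a request whose hash does not match never causes the server to contact the remote host.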

Re: Feature request: Image Proxy

Reply #9

Quote from: Spuds – One other thing, where to put the settings (basically on/off) ... core feature page, attachment settings page, other suggestions?
Core feature page should be fine, attachment settings I'd say no since the images are embedded and not attachments. As a suggestion I could say ACP->Forum->Posts and topics since it is related to messages and images embedded with the IMG tag.

My doubts regarding the proxy image:
1. how will it deal with external avatars?
2. Is Gravatar using an SSL connection? On elkarte.net existing gravatar images are not https
3. what about images inserted into signatures?

I'm planning to switch next year to an https connection and I will use a free certificate from Let's Encrypt
sorry for my bad english

Re: Feature request: Image Proxy

Reply #10

Right now the proxy only works with images wrapped in [img]...[/img] tags ... so in theory I think it would work fine with signatures. Gravatar using http is frankly a bug that should be fixed, no reason not to use https. External avatars I have not looked at, have to leave something for eman to do ;)

Re: Feature request: Image Proxy

Reply #11

I've added the basics for retry on fail for images that don't fetch properly. It will try 10 times to get the image on a ^4 based timer curve. Nothing fancy but basically waits longer each time it fails until it tries again. On failure it just shows the default mime thumbnail.

To do the above I added a new table to track the image / time / failures to the db, so 1.1 will need a new table for this. This same table will be used for prune operations so "old" images (ones that have not been accessed in X time) can be removed from the cache. That's the next bit to do.
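
The retry tracking described in Reply #11, as an added example (not ElkArte's code and not posted by anyone in this thread). The row layout, the function names and the reading of "^4 based" as a delay of failures^4 seconds are assumptions.

```php
<?php
// Added example, not ElkArte code. Row layout, function names and the
// "failures^4 seconds" delay are assumptions made for illustration.
const PROXY_MAX_TRIES = 10;

// Earliest time the next fetch may run, or null once the tries are used up.
function proxy_next_attempt(array $row): ?int
{
    if ($row['failures'] >= PROXY_MAX_TRIES) {
        return null;
    }
    return $row['last_attempt'] + $row['failures'] ** 4;
}

// Decide, on a page load, whether to contact the remote host at all.
function proxy_should_fetch(?array $row, int $now): bool
{
    if ($row === null) {
        return true;    // first time this image is seen
    }
    if ($row['cached']) {
        return false;   // already downloaded, serve from the cache
    }
    $next = proxy_next_attempt($row);
    return $next !== null && $now >= $next;
}

// Record the outcome of a fetch in the tracking row.
function proxy_record(?array $row, bool $ok, int $now): array
{
    $failures = $row['failures'] ?? 0;
    return ['cached' => $ok, 'failures' => $ok ? 0 : $failures + 1, 'last_attempt' => $now];
}

// Constructed run: a remote image that never downloads.
$now = 0;
$row = null;
while (proxy_should_fetch($row, $now)) {
    $row = proxy_record($row, false, $now);
    $next = proxy_next_attempt($row);
    printf("failure %2d at t=%ds, next try %s\n", $row['failures'], $now,
        $next === null ? 'never (placeholder shown)' : "at t={$next}s");
    $now = $next ?? $now;
}
```

Page loads that arrive between attempts return false from `proxy_should_fetch()`, so a protected or dead image costs the server one lookup in the tracking table rather than a new outbound request on every view.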


Re: Feature request: Image Proxy

Reply #12

I don't think an https image shown on an http site is a problem; however, the reverse is, i.e. an http image on an https site.

Re: Feature request: Image Proxy

Reply #13

Quote from: Spuds – To do the above I added a new table to track the image / time / failures to the db, so 1.1 will need a new table for this.
Then, I'd say let's do the same we did with the likes stats: 1.1.1?
Bugs creator.
Features destroyer.
Template killer.

Re: Feature request: Image Proxy

Reply #14

I thought like stats are already  in 1.1.0, did I miss something  O:-)

I'm good with waiting until 1.1.1 for this proxy (since I know how to incorporate this  O:-) ) although it should probably be addon-ized for 1.1.0 so it can be used.