-
-
Notifications
You must be signed in to change notification settings - Fork 36
/
imgproxy.conf
295 lines (241 loc) · 10.4 KB
/
imgproxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
################################################################################
# Ultra Image Server
# A production grade image processing server setup powered by `imgproxy` and nginx
#
# Author: Mai Nhut Tan <shin@shin.company>
# Copyright: 2021-2024 SHIN Company https://code.shin.company/
# URL: https://shinsenter.github.io/docker-imgproxy/
################################################################################
# ======================================================================== #
# Block access from some bad IPs
# See: http://nginx.org/en/docs/http/ngx_http_access_module.html#deny
# Add your bad client IPs here. E.g.
# deny 134.119.219.93;
# ======================================================================== #
# This upstream links to `imgproxy` container outside.
# Do not change this upstream
# unless you are going to change `imgproxy`'s container name.
upstream upstream_imgproxy {
server imgproxy:8080;
keepalive 16;
}
# ======================================================================== #
# Cache zone
# See: https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path
#
# Let's assume average file size is ~20kb
# max_size: 1mb of keys_zone can store 7,000 keys * 20kb = ~140mb
# 4mb of keys_zone can store ~28,000 keys = ~560mb
# 32mb of keys_zone can store ~224,000 keys = ~4.8gb
#
proxy_cache_path
/var/cache/nginx/imgproxy levels=1:2 use_temp_path=off
keys_zone=IMAGE_CACHE:32m max_size=5G min_free=32m inactive=7d;
# ======================================================================== #
# Temporary variables
##! **`$uri_omitted_origin`**
## Get the URI after omitting origin server.
## This setup assumes that an origin server starts with an `@` symbol.
map $file_uri $uri_omitted_origin
{
default '$file_uri';
~^(/@[^/]+)?(?<parsed_path>/.+)$ '$parsed_path';
}
##! **`$uri_omitted_origin_preset`**
## Get the URI after omitting origin server and preset name.
## This setup assumes that preset name starts with an underscore (`_`) symbol.
map $uri_omitted_origin $uri_omitted_origin_preset
{
default '$uri_omitted_origin';
~*^(/_[a-z0-9_-]+)?(?<parsed_path>/.+)$ '$parsed_path';
}
# ======================================================================== #
# Variables for `imgproxy`
## **`$use_imgproxy`**
## This flag indicates that the request will be proceeded by `imgproxy`.
map $uri_omitted_origin_preset $use_imgproxy
{
default 0;
# Add any rules that you want to skip image processing.
#> E.g. this line excludes files under "hq-cactus" folder.
~^/hq-cactus/ 0;
# File URL is base64-encoded
#> Warning: Since this project has simplified the "URL signature" function of imgproxy,
#> please be cautious with the use of Base64-encoded URLs.
#> Malicious actors could exploit this to process images from any untrusted sources for unethical purposes.
#> Comment out these two lines to disable Base64-encoded URLs.
~^/@base64/ 1;
~[-A-Za-z0-9+/]*=*$ 1;
# Else, process all image files with these file extensions
~*\.(jpe?g|png|gif|tiff?|bmp)$ 1;
}
##! **`$imgproxy_cache`**
## Default cache zone for `imgproxy`.
map $use_imgproxy $imgproxy_cache
{
default off;
1 IMAGE_CACHE;
}
## **`$origin_server`**
## Define origin base URL from the request.
## This setup assumes that an origin server starts with an `@` symbol (such as `@nasa`, `@pinterest`, etc.).
## You can also add your own origin servers using [regular expressions](https://www.nginx.com/blog/regular-expression-tester-nginx/).
map $uri $origin_server
{
default 'local://';
# Put your rewrite rules for origin servers from here.
#> E.g.
~^/@mybucket/ 's3://my-bucket';
~^/@myhost/ 'http://myhost.com';
~^/@nasa/ 'https://mars.nasa.gov/system/downloadable_items';
~^/@pinterest/ 'https://i.pinimg.com/originals';
# Source URL can be encoded with URL-safe Base64 (please be cautious!)
#> See: https://docs.imgproxy.net/usage/processing#source-url
#> Warning: Since this project has simplified the "URL signature" function of imgproxy,
#> please be cautious with the use of Base64-encoded URLs.
#> Malicious actors could exploit this to process images from any untrusted sources for unethical purposes.
#> Comment out the below line to disable Base64-encoded URLs.
~^/@base64/ ''; # no origin server
}
## **`$origin_uri`**
## Parse real origin URI of the file.
## This setup just omits origin server and preset name in the URI if they exist,
## but you can also rewrite requested URI using [regular expressions](https://www.nginx.com/blog/regular-expression-tester-nginx/).
map $uri_omitted_origin_preset $origin_uri
{
default '$uri_omitted_origin_preset';
# Put your rewrite rules for origin URI from here.
#> E.g. this line rewrites cactus.jpg to the real path cacti.jpg.
~*^/cactus\.jpe?g$ '/cacti.jpg';
}
## **`$preset_name`**
## Parse preset name from requested URI.
## This setup assumes that preset name starts with an underscore (`_`) symbol (such as `_thumb` or `_w200`).
## You can define your own presets using [regular expressions](https://www.nginx.com/blog/regular-expression-tester-nginx/).
map $uri_omitted_origin $preset_name
{
default '';
# You can define dynamic presets,
#> but beware that dynamic presets are able to cause a denial-of-service attack
#> by allowing an attacker to request multiple different image resizes.
#> E.g. a dynamic preset with a variable $width.
# ~^/_w(?<parsed_width>[0-9_-]+)/ 'max_w:${parsed_width}';
# This is a better version for above dynamic preset.
#> It allows only certain image sizes,
#> and fallbacks other undefined image sizes to max_w:200
~^/_w(?<parsed_width>(200|640|800|1200|1600))/ 'max_w:${parsed_width}';
~^/_w(?<parsed_width>([0-9_-]+))/ 'max_w:200';
# Get static preset name from the URI
~^/_(?<parsed_name>[a-z0-9_-]+)/ '$parsed_name';
}
## **`$imgproxy_preset`**
## Define `imgproxy` options for each preset name.
## You can view more details by following [their documentation](https://docs.imgproxy.net/usage/processing?#processing-options).
map $preset_name $imgproxy_preset
{
default 'size:1600:0:0:0/preset:logo'; # preset:logo adds watermark to the image
# Dynamic preset
~^max_w:(?<width>[0-9]+)$ 'size:${width}:0:0:0/preset:logo';
# Static presets
blurry 'size:320:320:1:0/blur:10/quality:50';
small 'size:320:320:0:0/sharpen:0.3/preset:logo';
medium 'size:640:640:0:0/preset:logo';
thumb 'size:160:160:1:1/bg:ffffff/resizing_type:fill/sharpen:0.3';
square 'size:500:500:0:1/bg:ffffff/resizing_type:fill/preset:logo';
masked 'size:500:0:0:1/bg:ffffff/resizing_type:fill/preset:repeated_logo';
download 'size:1600:0:0:0/preset:logo/return_attachment:1';
}
## **`$imgproxy_preset_query` (overriding presets with query string)**
## Override the `$imgproxy_preset` whenever `width` or `height` provided.
## But beware that dynamic image sizes are able to cause a denial-of-service attack by allowing an attacker to request multiple different image resizes.
map "$arg_width:$arg_height" $imgproxy_preset_query
{
default '';
# only width
~^(?<width>[0-9]+):$ '/size:${width}:0:1:0/bg:ffffff/resizing_type:fill';
# only height
~^:(?<height>[0-9]+)$ '/size:0:${height}:1:0/bg:ffffff/resizing_type:fill';
# both width and height
~^(?<width>[0-9]+):(?<height>[0-9]+)$ '/size:${width}:${height}:1:0/bg:ffffff/resizing_type:fill';
}
## **`$imgproxy_quality` (overriding photo quality with query string)**
## Control photo quality with query string. You can also add your custom settings.
map $arg_quality $imgproxy_quality
{
default '';
# if the given value is between 1 and 100, override the quality
~^(?<quality>[1-9][0-9]?|100)$ '/q:${quality}';
# or receive some readable quality values
low '/q:30';
clear '/q:50';
high '/q:80';
highest '/q:100';
}
## **`$imgproxy_dpr` (controlling photo dimensions, aka Device Pixel Ratio)**
## This will multiplying the image dimensions according to this factor for HiDPI (Retina) devices.
map $http_user_agent@$http_dpr $imgproxy_dpr
{
default '/dpr:1';
# parse from DPR header
~@(?<dpr>[1-4]) '/dpr:${dpr}';
# Put your rewrite rules for DPR settings from here.
#> E.g. these lines will set custom DPR for smartphones.
# ~iPhone|iPad|Mac '/dpr:3';
# ~Android '/dpr:2';
}
##! **`$imgproxy_extension`**
## Detect WebP or AVIF supports from the request header `Accept`.
map $http_accept $imgproxy_extension
{
default '';
# uncomment this lines to enable WebP or AVIF compression
# ~*webp '@webp';
# ~*avif '@avif';
}
##! **`$imgproxy_type`**
## Detect WebP or AVIF supports from the request header `Accept`.
map $origin_server $imgproxy_type
{
default '/plain';
# omit the /plain/ prefix when the URL is base64-encoded
'' '';
}
## **`$imgproxy_options`**
## Generate final URL for `imgproxy` following [their documentation](https://docs.imgproxy.net/usage/processing).
## When URL query `?skip=1` is set, use another rule to skip `imgproxy` processing.
map $arg_skip $imgproxy_options
{
default '/unsafe/${imgproxy_preset}${imgproxy_preset_query}${imgproxy_quality}${imgproxy_dpr}${imgproxy_type}/${origin_server}${origin_uri}${imgproxy_extension}';
~.+ '/unsafe${imgproxy_type}/${origin_server}${origin_uri}';
}
##! **`$imgproxy_rewrite`**
## Generate final URL for `imgproxy` following [their documentation](https://docs.imgproxy.net/usage/processing).
map $use_imgproxy $imgproxy_rewrite
{
default '';
1 '$imgproxy_options';
}
##! **`$debug_imgproxy_rewrite`**
## For debugging the value of `$imgproxy_rewrite`.
map $arg_debug $debug_imgproxy_rewrite
{
default '';
~.+ '$imgproxy_rewrite';
}
## **`$fallback_uri`**
## Define fallback file to serve when the requested file is unavailable.
## E.g. `/noimage.jpg` or `/noimage_thumb.jpg`, which is stored in the folder `www/`.
map $preset_name $fallback_uri
{
default '/noimage.jpg';
thumb '/noimage_thumb.jpg';
# small '/noimage_small.jpg';
# medium '/noimage_medium.jpg';
# square '/noimage_square.jpg';
}
# Extra: You also can set `$fallback_uri` using value of `$origin_uri`.
# map $origin_uri $fallback_uri
# {
# default '/noimage.jpg';
# ~^/products/ '/default_product_image.jpg';
# }