Allow list images from specified domains

[thesohodigital]

If self hosting, is there a way to allow only images from a list of domains I specify?

eg. if the &url value is not on the allow list, then a 404 is returned.

[andrieslouw]

The easiest way is to specify your own resolver in the NGINX config:

images/ngx_conf/imagesweserv.conf

Line 55 in 439f5c8

resolver 8.8.8.8; # Use Google's open DNS server

and let that resolver only respond to specific domains. It is the way we use to filter ourselves.

We use Unbound as a local(host) resolver, which forwards the requests to OpenDNS, and adds some of our own blocklists for our public service. But it should be easy to let Unbound only respond to specific domains.

[kleisauke]

If there's only one domain you want to allow, you can also use proxy_pass in combination with the weserv filter directive. For example, to process only images from Imgur:

location /imgur {
    weserv filter;

    proxy_pass https://i.imgur.com:443/;
    proxy_redirect off;

    # Enable SNI on the upstream connection
    proxy_ssl_server_name on;

    # Use a custom user agent
    proxy_set_header User-Agent "Mozilla/5.0 (compatible; ImageFetcher/9.0; +http://images.weserv.nl/)";

    # Set upstream host
    proxy_ssl_name "i.imgur.com";
    proxy_set_header Host "i.imgur.com";

    # Enable the upstream persistent connection
    proxy_http_version 1.1;
    proxy_set_header Connection "";
}

$ curl -s -o /dev/null -w "%{http_code}" http://localhost/imgur/FY1AbSo.gif?w=512
200

[kleisauke]

I hope this information helped. Please feel free to re-open if questions remain.

[kleisauke]

Another option is to use the ngx_http_secure_link_module module to check the authenticity of requested links and protect resources from unauthorized access. This module is included by default in the Dockerfile (see commit ce4ea86).

For example:

FROM ghcr.io/weserv/images:5.x

ARG SECRET

RUN cp ngx_conf/imagesweserv-secure-link.conf /etc/nginx/imagesweserv.conf \
    && sed -i "s/<SECRET>/$SECRET/g" /etc/nginx/imagesweserv.conf

$ docker build --build-arg SECRET=mysecret -t weserv/images .
$ docker run -d -p 8080:80 --shm-size=1gb --name=weserv weserv/images
$ echo -n 'url=https://wsrv.nl/lichtenstein.jpg&w=100 mysecret' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
hqx4I-j6fhgY6LVhGTbHdw
$ curl -s -o /dev/null -w "%{http_code}" "localhost:8080/s/hqx4I-j6fhgY6LVhGTbHdw/?url=https://wsrv.nl/lichtenstein.jpg&w=100"
200
$ curl -s -o /dev/null -w "%{http_code}" "localhost:8080/s/hqx4I-j6fhgY6LVhGTbHdw/?url=https://wsrv.nl/lichtenstein.jpg&w=1000"
403

(ensure that you change mysecret to something else)

[adamJLev]

I've achieved this with some nginx.conf tweaks

# Extract domain out of ?url= param
map $arg_url $url_domain {
    default "";
    ~^(https?://|https?%3A%2F%2F)?([^/%]+) $2;
}

# Validate that image url to transform in is from one of our whitelisted domains
map $url_domain $is_domain_whitelisted {
    hostnames;
    default 0;

    "" 1; # allow empty `url` param
    yourdomain.com 1;
}

and inside the location / {} directive:

        if ($is_domain_whitelisted = 0) {
            # Prevent caching of 400 responses
            add_header Cache-Control "no-cache, no-store, must-revalidate" always;
            return 400 "Invalid url domain - not in allowlist";
        }