Allow bypassing image proxy for specific domains (#5223)
* Allow bypassing proxy for some domains with ProxyAllImages * remove web:: * remove expect * bypass imgur by default * correct imgur domain * restore processing, cleanup --------- Co-authored-by: sunaurus <sander@saarend.com>
This commit is contained in:
parent
66a63df152
commit
3d7fbde091
3 changed files with 54 additions and 30 deletions
|
@ -73,6 +73,15 @@
|
||||||
#
|
#
|
||||||
# Requires pict-rs 0.5
|
# Requires pict-rs 0.5
|
||||||
"ProxyAllImages"
|
"ProxyAllImages"
|
||||||
|
# Allows bypassing proxy for specific image hosts when using ProxyAllImages.
|
||||||
|
#
|
||||||
|
# imgur.com is bypassed by default to avoid rate limit errors. When specifying any bypass
|
||||||
|
# in the config, this default is ignored and you need to list imgur explicitly. To proxy imgur
|
||||||
|
# requests, specify a noop bypass list, eg `proxy_bypass_domains ["example.org"]`.
|
||||||
|
proxy_bypass_domains: [
|
||||||
|
"i.imgur.com"
|
||||||
|
/* ... */
|
||||||
|
]
|
||||||
# Timeout for uploading images to pictrs (in seconds)
|
# Timeout for uploading images to pictrs (in seconds)
|
||||||
upload_timeout: 30
|
upload_timeout: 30
|
||||||
# Resize post thumbnails to this maximum width/height.
|
# Resize post thumbnails to this maximum width/height.
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
use actix_web::{
|
use actix_web::{
|
||||||
body::BodyStream,
|
body::{BodyStream, BoxBody},
|
||||||
http::{
|
http::{
|
||||||
header::{HeaderName, ACCEPT_ENCODING, HOST},
|
header::{HeaderName, ACCEPT_ENCODING, HOST},
|
||||||
Method,
|
Method,
|
||||||
StatusCode,
|
StatusCode,
|
||||||
},
|
},
|
||||||
web::{self, Query},
|
web::*,
|
||||||
HttpRequest,
|
HttpRequest,
|
||||||
HttpResponse,
|
HttpResponse,
|
||||||
|
Responder,
|
||||||
};
|
};
|
||||||
use futures::stream::{Stream, StreamExt};
|
use futures::stream::{Stream, StreamExt};
|
||||||
use http::HeaderValue;
|
use http::HeaderValue;
|
||||||
|
@ -24,22 +25,18 @@ use serde::Deserialize;
|
||||||
use std::time::Duration;
|
use std::time::Duration;
|
||||||
use url::Url;
|
use url::Url;
|
||||||
|
|
||||||
pub fn config(
|
pub fn config(cfg: &mut ServiceConfig, client: ClientWithMiddleware, rate_limit: &RateLimitCell) {
|
||||||
cfg: &mut web::ServiceConfig,
|
|
||||||
client: ClientWithMiddleware,
|
|
||||||
rate_limit: &RateLimitCell,
|
|
||||||
) {
|
|
||||||
cfg
|
cfg
|
||||||
.app_data(web::Data::new(client))
|
.app_data(Data::new(client))
|
||||||
.service(
|
.service(
|
||||||
web::resource("/pictrs/image")
|
resource("/pictrs/image")
|
||||||
.wrap(rate_limit.image())
|
.wrap(rate_limit.image())
|
||||||
.route(web::post().to(upload)),
|
.route(post().to(upload)),
|
||||||
)
|
)
|
||||||
// This has optional query params: /image/{filename}?format=jpg&thumbnail=256
|
// This has optional query params: /image/{filename}?format=jpg&thumbnail=256
|
||||||
.service(web::resource("/pictrs/image/{filename}").route(web::get().to(full_res)))
|
.service(resource("/pictrs/image/{filename}").route(get().to(full_res)))
|
||||||
.service(web::resource("/pictrs/image/delete/{token}/{filename}").route(web::get().to(delete)))
|
.service(resource("/pictrs/image/delete/{token}/{filename}").route(get().to(delete)))
|
||||||
.service(web::resource("/pictrs/healthz").route(web::get().to(healthz)));
|
.service(resource("/pictrs/healthz").route(get().to(healthz)));
|
||||||
}
|
}
|
||||||
|
|
||||||
trait ProcessUrl {
|
trait ProcessUrl {
|
||||||
|
@ -129,11 +126,11 @@ fn adapt_request(
|
||||||
|
|
||||||
async fn upload(
|
async fn upload(
|
||||||
req: HttpRequest,
|
req: HttpRequest,
|
||||||
body: web::Payload,
|
body: Payload,
|
||||||
// require login
|
// require login
|
||||||
local_user_view: LocalUserView,
|
local_user_view: LocalUserView,
|
||||||
client: web::Data<ClientWithMiddleware>,
|
client: Data<ClientWithMiddleware>,
|
||||||
context: web::Data<LemmyContext>,
|
context: Data<LemmyContext>,
|
||||||
) -> LemmyResult<HttpResponse> {
|
) -> LemmyResult<HttpResponse> {
|
||||||
// TODO: check rate limit here
|
// TODO: check rate limit here
|
||||||
let pictrs_config = context.settings().pictrs_config()?;
|
let pictrs_config = context.settings().pictrs_config()?;
|
||||||
|
@ -173,11 +170,11 @@ async fn upload(
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn full_res(
|
async fn full_res(
|
||||||
filename: web::Path<String>,
|
filename: Path<String>,
|
||||||
web::Query(params): web::Query<PictrsGetParams>,
|
Query(params): Query<PictrsGetParams>,
|
||||||
req: HttpRequest,
|
req: HttpRequest,
|
||||||
client: web::Data<ClientWithMiddleware>,
|
client: Data<ClientWithMiddleware>,
|
||||||
context: web::Data<LemmyContext>,
|
context: Data<LemmyContext>,
|
||||||
local_user_view: Option<LocalUserView>,
|
local_user_view: Option<LocalUserView>,
|
||||||
) -> LemmyResult<HttpResponse> {
|
) -> LemmyResult<HttpResponse> {
|
||||||
// block access to images if instance is private and unauthorized, public
|
// block access to images if instance is private and unauthorized, public
|
||||||
|
@ -226,10 +223,10 @@ async fn image(
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn delete(
|
async fn delete(
|
||||||
components: web::Path<(String, String)>,
|
components: Path<(String, String)>,
|
||||||
req: HttpRequest,
|
req: HttpRequest,
|
||||||
client: web::Data<ClientWithMiddleware>,
|
client: Data<ClientWithMiddleware>,
|
||||||
context: web::Data<LemmyContext>,
|
context: Data<LemmyContext>,
|
||||||
// require login
|
// require login
|
||||||
_local_user_view: LocalUserView,
|
_local_user_view: LocalUserView,
|
||||||
) -> LemmyResult<HttpResponse> {
|
) -> LemmyResult<HttpResponse> {
|
||||||
|
@ -253,8 +250,8 @@ async fn delete(
|
||||||
|
|
||||||
async fn healthz(
|
async fn healthz(
|
||||||
req: HttpRequest,
|
req: HttpRequest,
|
||||||
client: web::Data<ClientWithMiddleware>,
|
client: Data<ClientWithMiddleware>,
|
||||||
context: web::Data<LemmyContext>,
|
context: Data<LemmyContext>,
|
||||||
) -> LemmyResult<HttpResponse> {
|
) -> LemmyResult<HttpResponse> {
|
||||||
let pictrs_config = context.settings().pictrs_config()?;
|
let pictrs_config = context.settings().pictrs_config()?;
|
||||||
let url = format!("{}healthz", pictrs_config.url);
|
let url = format!("{}healthz", pictrs_config.url);
|
||||||
|
@ -273,9 +270,9 @@ async fn healthz(
|
||||||
pub async fn image_proxy(
|
pub async fn image_proxy(
|
||||||
Query(params): Query<ImageProxyParams>,
|
Query(params): Query<ImageProxyParams>,
|
||||||
req: HttpRequest,
|
req: HttpRequest,
|
||||||
client: web::Data<ClientWithMiddleware>,
|
client: Data<ClientWithMiddleware>,
|
||||||
context: web::Data<LemmyContext>,
|
context: Data<LemmyContext>,
|
||||||
) -> LemmyResult<HttpResponse> {
|
) -> LemmyResult<Either<HttpResponse<()>, HttpResponse<BoxBody>>> {
|
||||||
let url = Url::parse(¶ms.url)?;
|
let url = Url::parse(¶ms.url)?;
|
||||||
|
|
||||||
// Check that url corresponds to a federated image so that this can't be abused as a proxy
|
// Check that url corresponds to a federated image so that this can't be abused as a proxy
|
||||||
|
@ -283,10 +280,19 @@ pub async fn image_proxy(
|
||||||
RemoteImage::validate(&mut context.pool(), url.clone().into()).await?;
|
RemoteImage::validate(&mut context.pool(), url.clone().into()).await?;
|
||||||
|
|
||||||
let pictrs_config = context.settings().pictrs_config()?;
|
let pictrs_config = context.settings().pictrs_config()?;
|
||||||
|
|
||||||
let processed_url = params.process_url(¶ms.url, &pictrs_config.url);
|
let processed_url = params.process_url(¶ms.url, &pictrs_config.url);
|
||||||
|
|
||||||
image(processed_url, req, &client).await
|
let bypass_proxy = pictrs_config
|
||||||
|
.proxy_bypass_domains
|
||||||
|
.iter()
|
||||||
|
.any(|s| url.domain().is_some_and(|d| d == s));
|
||||||
|
if bypass_proxy {
|
||||||
|
// Bypass proxy and redirect user to original image
|
||||||
|
Ok(Either::Left(Redirect::to(url.to_string()).respond_to(&req)))
|
||||||
|
} else {
|
||||||
|
// Proxy the image data through Lemmy
|
||||||
|
Ok(Either::Right(image(processed_url, req, &client).await?))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
fn make_send<S>(mut stream: S) -> impl Stream<Item = S::Item> + Send + Unpin + 'static
|
fn make_send<S>(mut stream: S) -> impl Stream<Item = S::Item> + Send + Unpin + 'static
|
||||||
|
|
|
@ -88,6 +88,15 @@ pub struct PictrsConfig {
|
||||||
#[default(PictrsImageMode::StoreLinkPreviews)]
|
#[default(PictrsImageMode::StoreLinkPreviews)]
|
||||||
pub(super) image_mode: PictrsImageMode,
|
pub(super) image_mode: PictrsImageMode,
|
||||||
|
|
||||||
|
/// Allows bypassing proxy for specific image hosts when using ProxyAllImages.
|
||||||
|
///
|
||||||
|
/// imgur.com is bypassed by default to avoid rate limit errors. When specifying any bypass
|
||||||
|
/// in the config, this default is ignored and you need to list imgur explicitly. To proxy imgur
|
||||||
|
/// requests, specify a noop bypass list, eg `proxy_bypass_domains ["example.org"]`.
|
||||||
|
#[default(vec!["i.imgur.com".to_string()])]
|
||||||
|
#[doku(example = "i.imgur.com")]
|
||||||
|
pub proxy_bypass_domains: Vec<String>,
|
||||||
|
|
||||||
/// Timeout for uploading images to pictrs (in seconds)
|
/// Timeout for uploading images to pictrs (in seconds)
|
||||||
#[default(30)]
|
#[default(30)]
|
||||||
pub upload_timeout: u64,
|
pub upload_timeout: u64,
|
||||||
|
|
Loading…
Reference in a new issue