Proxy

From Dreamwidth Notes

What it's for

Dreamwidth's SSL image caching proxy is a web service that:

  • listens for requests for embedded content served via HTTP
  • downloads and caches the requested content
  • returns a temporary HTTPS link to that content

This process allows Dreamwidth to successfully display insecure (http:) offsite content on a securely viewed (https:) page. Without the proxy, either the insecure content would be hidden, or browser warnings would be generated. The cached content expires every few hours, to avoid DMCA concerns.

Building the proxy server

The source code for the proxy is written in Go and can be found here: https://github.com/dreamwidth/dw-free/blob/develop/src/proxy/main.go

It's probably more useful (and usable) on stand-alone dev environments than on dreamhacks. To build the executable:

 cd $LJHOME/src/proxy
 go build

That will create a binary called proxy in $LJHOME/src/proxy. Run that:

 ./proxy -salt_file=$LJHOME/ext/local/etc/proxy-salt -hotlink_domain=yourdomain.example.org

The domain here will be used to check Referer headers so your proxy URLs will not be valid on other sites. It should be a common suffix of all URLs on your site (e.g., example.com, not www.example.com, if your user pages will be like username.example.com).
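
The suffix rule above can be sketched in Go as follows. This is an added example, not code from the proxy's main.go: the function name refererAllowed and the sample Referer values are made up here, and rejecting a missing Referer is an assumption of the sketch. It shows why the match should be made on a dot boundary rather than as a plain string suffix.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// refererAllowed reports whether the Referer header value points at
// hotlinkDomain itself or at one of its subdomains. (Hypothetical helper
// for this example; not taken from the proxy's source.)
func refererAllowed(referer, hotlinkDomain string) bool {
	u, err := url.Parse(referer)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false // unparsable, empty, or non-web Referer
	}
	// Hostname() strips any port and userinfo; DNS names are case-insensitive.
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	domain := strings.ToLower(strings.TrimPrefix(hotlinkDomain, "."))
	if host == "" || domain == "" {
		return false // assumption: a missing host is rejected in this sketch
	}
	// Match on a label boundary: a bare strings.HasSuffix(host, domain)
	// would also accept "notexample.com" for the domain "example.com".
	return host == domain || strings.HasSuffix(host, "."+domain)
}

func main() {
	// Constructed sample Referer values.
	for _, r := range []string{
		"https://username.example.com/2024/01/01/entry.html",
		"https://www.example.com:8443/",
		"https://notexample.com/",
		"https://example.com.other.test/",
		"",
	} {
		fmt.Printf("%-54q allowed=%v\n", r, refererAllowed(r, "example.com"))
	}
}
```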

Proxy URL in your 'hack

To enable generation of the proxy URL in your 'hack, set these in your config:

 $PROXY_SALT_FILE = "$LJHOME/ext/local/etc/proxy-salt";
 $PROXY_URL = "https://proxy.hack.dw";
 $USE_SSL = 1;

You'll need to create the proxy-salt file yourself. Its contents are just a string, preferably a long one made up of randomly generated characters. This is the same file the proxy reads via -salt_file above.

You'll also want something in front of the proxy to handle https negotiation. I recommend nginx. Sample config that will work:


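    server {
        listen       443 ssl;
        server_name  proxy.hack.dw;

        # TLS certificate and key for proxy.hack.dw. Placeholder paths;
        # omit these if they are already set in the enclosing http block.
        ssl_certificate      /path/to/proxy.hack.dw.crt;
        ssl_certificate_key  /path/to/proxy.hack.dw.key;

        sendfile     off;

        location / {
            # Forward to the Go proxy listening locally over plain HTTP.
            proxy_pass http://127.0.0.1:6250;
            proxy_redirect off;
        }
    }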


(for dev) Make sure you've also got an /etc/hosts entry for `proxy.hack.dw`.