I'm developing a site that is all behind SSL. Members can post profiles containing text, youtube vids, soundcloud sounds and external images. I have a filter in place to remove all iframes, js etc and format youtube and soundcloud players to use https. I'm not sure what to do about images that are usually hosted on non ssl domains. My first thought has been to make a proxy system to fetch the image and serve it through local ssl. However the system I have knocked together to test doesn't work!
Basically all external URL's get filtered like so ../external/?url=http://www.somedomain.com. This includes external image URLs. They then get passed to this;
public function index() {
$url = $this->input->get('url', TRUE);
$data = FALSE;
$ch = curl_init();
$timeout = 5;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$data = curl_exec($ch);
$type = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
$responce = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
$sub_type = explode('/', $type); // so we return just image instead of e.g. image/jpg
if ($type == 'text/html') {
redirect($url);
} else if ($sub_type[0] == 'image') {
header('Content-type: ' . $type);
echo $data;
}
}
This isn't serving external images securely though, so what do I need? Also is this the best method? I don't want to have to download and serve all external images from my server.
The ultimate goal would be for this function to to check content exists (not 404), and probably probe the external file to try to make sure it is not malicious. For now though I just want it to serve the file through ssl, unless this is a very bad idea.
