
I have a web application that runs through HTTPS, but we are loading external images on servers that don't support SSL. For this reason we need to proxy all external images through a PHP script so they can be loaded over SSL.

I tried the following, but I get "the image cannot be displayed because it contains errors.".

```php
$remoteImage = "http://www.blog.qarea.com/wp-content/uploads/2012/01/code.jpg";
$imginfo = getimagesize($remoteImage);
header("Content-type: ".$imginfo['mime']);
readfile($remoteImage);
```

Any thoughts on where I'm going wrong?

MORE INFO: The content length of the request matches the size of the original image.

UPDATE: I just tried the script in a standalone file and it worked fine. Looks like it's an issue with Zend Framework. Now I just need to debug that; any input would be appreciated.

Dan Ramos
  • Have you checked the output of `readfile($remoteImage)`? And are fopen wrappers enabled for your PHP installation on the server? – Mike Dinescu Feb 03 '14 at 20:43
  • allow_url_fopen is set to 1, and just doing a regular echo readfile($remoteImage) displays a bunch of text in the browser. – Dan Ramos Feb 03 '14 at 20:49

2 Answers


Is there a space or linebreak before the <?php tag? If so that would cause the image to be invalid.

Additionally, if you have a ?> closing the code (which is pointless), make sure there are no spaces/linebreaks after that either.

Zoey Mertes

Do you really need PHP to proxy requests? The easiest solution is to use the proxy module of your webserver, and this also comes with the top performance.

See the documentation for Apache, Nginx.

Sven
  • I suppose I could use Apache, just not quite sure how I could do that. As of now we have `site.com/?imgsrc=http://www.site2.com/image.jpg`. How would I be able to proxy the value of all srcimg values? – Dan Ramos Feb 03 '14 at 20:58
  • Don't transfer **anything** via your proxy script. If you do, the security is worse than without the SSL proxy, because then the user is actually aware that the security level is lacking - with your proxy, anything can be included and will be delivered from your domain, i.e. you allow for every injected script to circumvent the same origin policy, and every injected script is "secure" because it comes from your domain via SSL. – Sven Feb 03 '14 at 21:07
  • So after you decided to only use defined third party domains for proxying, you'd probably go this way: create a rewrite rule that detects "site.com/imgsrc/site2/(.)" and rewrites it to "site2.com/$1". You need one rewrite rule per remote site you want to trust and include. – Sven Feb 03 '14 at 21:07
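
An added example, not part of the original thread or any poster's code: a PHP image proxy restricted the way the comments above recommend, fetching only from an allowlist of trusted hosts and serving only bytes that parse as an image. The host names in `ALLOWED_HOSTS`, the MIME list and the helper function names are assumptions for illustration; `imgsrc` is the query parameter from the thread.

```php
<?php
// Added example: allowlisted image proxy. Host names are placeholders (assumption).
const ALLOWED_HOSTS = ['www.site2.com', 'images.example.org'];
const ALLOWED_MIME  = ['image/jpeg', 'image/png', 'image/gif'];

// Accept only absolute http(s) URLs whose host is exactly on the allowlist.
function is_allowed_image_url(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false; // reject embedded credentials (user:pass@host)
    }
    return in_array(strtolower($p['scheme']), ['http', 'https'], true)
        && in_array(strtolower($p['host']), ALLOWED_HOSTS, true);
}

// Fetch without following redirects, so a trusted host cannot send the request elsewhere.
function fetch_image(string $url): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $ok   = $body !== false && curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
    return $ok ? $body : null;
}

$url  = $_GET['imgsrc'] ?? '';
$body = is_allowed_image_url($url) ? fetch_image($url) : null;
// Decide the type from the bytes themselves, not from the remote Content-Type header.
$info = $body !== null ? @getimagesizefromstring($body) : false;
if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
    http_response_code(404);
    exit;
}
// Discard output already buffered (e.g. by a framework) so only image bytes are sent.
while (ob_get_level() > 0) {
    ob_end_clean();
}
header('Content-Type: ' . $info['mime']);
header('Content-Length: ' . strlen($body));
header('X-Content-Type-Options: nosniff'); // stop browsers re-interpreting the response
echo $body;
```

Serving the proxy from a separate, cookie-less hostname further limits what a mis-served response can do under the same origin policy.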