imgproxy.rb icon indicating copy to clipboard operation
imgproxy.rb copied to clipboard

Published 20 hours ago verified publisher icon imgproxy

Invalid Signature

Open smlparry opened this issue 6 years ago • 5 comments

Hi there,

I am running into an issue that is quite strange. I am using this gem as a stand alone gem and it seems that my imgproxy server wont accept the "advanced" url scheme:

I am using the following code (pulled from: https://github.com/imgproxy/imgproxy/blob/master/examples/signature.rb) which is generating a working, basic url

    def self.generate_url(url,
                          width: 250,
                          height: 250,
                          resize: "fit",
                          gravity: "no",
                          enlarge: 1)
      key = [Rails.application.secrets.IMGPROXY_KEY].pack("H*")
      salt = [Rails.application.secrets.IMGPROXY_SALT].pack("H*")

      encoded_url = Base64.urlsafe_encode64(url).tr("=", "").scan(/.{1,16}/).join("/")

      path = "/#{resize}/#{width}/#{height}/#{gravity}/#{enlarge}/#{encoded_url}"

      digest = OpenSSL::Digest.new("sha256")

      hmac = Base64.urlsafe_encode64(
        OpenSSL::HMAC.digest(digest, key, "#{salt}#{path}")
      ).tr("=", "")

      URI.join(Rails.application.secrets.IMGPROXY_HOST, "/#{hmac}#{path}").to_s
    end

If I update this code to the "advanced" url scheme (https://github.com/imgproxy/imgproxy/blob/master/docs/generating_the_url_advanced.md) I get an "Invalid Signature" error.

Interestingly I also am getting the "Invalid Signature" error when generating a URL using this gem

# config/initializers/imgproxy.rb
Imgproxy.configure do |config|
  config.endpoint = Rails.application.secrets.IMGPROXY_HOST
  config.hex_key = Rails.application.secrets.IMGPROXY_KEY
  config.hex_salt = Rails.application.secrets.IMGPROXY_SALT
end

# console
> Imgproxy.url_for("https://i.scdn.co/image/a41a79bccd8165b0a4c3d0de9979d973ca8cb321") 
=> "http://localhost:1337/Ujm6eYWQ8lJIsjBgT6vuSE742OvVvEfmBus7E9cmHYA/plain/https:/i.scdn.co/image/a41a79bccd8165b0a4c3d0de9979d973ca8cb321"

Can anyone confirm they are also getting this error using the advanced url scheme in Ruby and/or using this gem?

Using version 2.3.0 of imgproxy btw

smlparry avatar Jul 11 '19 05:07 smlparry

Hi,

Sorry for the delay.

The issue puzzles me because we use the gem in production for a long time. Also, the signature checking algorithm does not depend on the URL format. I don't think I can help you a lot here without knowing your key/salt pair, but it's probably not an option.

DarthSim avatar Aug 21 '19 13:08 DarthSim

I've encountered the same problem with kubernetes. When I'm serving imgproxy on docker-compose, it works perfectly. The cause was nginx ingress... I had ingress config like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: imgproxy
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  tls:
  - hosts:
    - imgproxy.example.com
    secretName: example-com
  rules:
  - host: imgproxy.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: imgproxy
          servicePort: 8080

Once I removed this line:

nginx.ingress.kubernetes.io/rewrite-target: /$1

problem goes away

wailorman avatar Jul 11 '20 08:07 wailorman

I'm having this occasionally too – it usually works. Only thing that stands out is that the signature that failed begins with a -.

wilg avatar Feb 16 '21 23:02 wilg

Found the issue, at least with the master branch https://github.com/imgproxy/imgproxy.rb/pull/110

wilg avatar Feb 17 '21 01:02 wilg

@wilg unfortunately, this PR won't fix the problem. Explanation in the PR's comments. Btw, which version of Ruby do you use?

DarthSim avatar Feb 17 '21 14:02 DarthSim