HTTP Source
The HTTP source is the default source in PreviewProxy and is always enabled. It allows you to proxy and transform any publicly accessible image over HTTP or HTTPS.
Basic Usage
Include the full image URL (starting with http:// or https://) as the last segment of the request path:
/<params>/<image_url>
Example:
/w=400/https://example.com/photo.jpg
URL Encoding
The image URL in the path is URL-decoded automatically. This means you can percent-encode the URL if needed - for example, when embedding the proxy URL inside another URL or passing it through systems that require encoding:
/w=400/https%3A%2F%2Fexample.com%2Fphoto.jpg
Both the encoded and plain forms are handled correctly.
Configuration
The HTTP source behaviour is controlled by the following environment variables:
| Variable | Default | Description |
|---|---|---|
| ALLOWED_HOSTS | (unset) | Comma-separated list of allowed hostnames. If set, only these hosts may be proxied. |
| FETCH_TIMEOUT_SECS | 10 | Maximum time in seconds to wait for the upstream server to respond. |
| MAX_SOURCE_BYTES | 20971520 (20 MB) | Maximum size of the source image that will be downloaded. |
Restricting Allowed Hosts
By default, PreviewProxy will fetch images from any public host. To restrict which domains are permitted, set ALLOWED_HOSTS:
ALLOWED_HOSTS=example.com,assets.mysite.com
If ALLOWED_HOSTS is not set, any public URL can be proxied. It is strongly recommended to set this in production to prevent your instance from being used as an open proxy.
Fetch Timeout
If the upstream server takes longer than FETCH_TIMEOUT_SECS to respond, the request will be aborted and an error returned to the client.
FETCH_TIMEOUT_SECS=30
Maximum Source Size
Requests for images exceeding MAX_SOURCE_BYTES will be rejected before the full body is downloaded.
MAX_SOURCE_BYTES=10485760 # 10 MB
Private IP Protection
Requests to private, loopback, or link-local IP ranges (e.g. 127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, ::1) are always blocked, regardless of ALLOWED_HOSTS configuration.
This prevents server-side request forgery (SSRF) attacks where an attacker could use the proxy to reach internal network services.
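The following added example (not PreviewProxy's own code) models the two checks described above, the ALLOWED_HOSTS allowlist and the private IP block, so you can reason about which URLs a given configuration would admit. The function names, the `SAMPLE_DNS` table, and the choice to test every address a hostname resolves to are assumptions of this sketch, not documented PreviewProxy behaviour.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed stand-in for DNS answers so the example runs offline.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "assets.mysite.com": ["10.0.0.5"],  # allowlisted name pointing inside
}

def parse_allowed_hosts(value):
    # None or empty string models an unset ALLOWED_HOSTS (no restriction).
    if not value:
        return None
    return {h.strip().lower() for h in value.split(",") if h.strip()}

def is_blocked_ip(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot slip through.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def check_source(path_segment, allowed_hosts, resolved_ips=SAMPLE_DNS):
    # Returns (allowed, reason) for the image URL segment of a request path.
    url = unquote(path_segment)  # accepts both plain and percent-encoded forms
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "not an http(s) URL"
    host = parts.hostname.lower()
    allowed = parse_allowed_hosts(allowed_hosts)
    if allowed is not None and host not in allowed:
        return False, "host not in ALLOWED_HOSTS"
    # IP literals are checked directly; names are checked per resolved address.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolved_ips.get(host, [])
    if not candidates:
        return False, "host did not resolve"
    # The IP check runs after, and independently of, the allowlist.
    if any(is_blocked_ip(a) for a in candidates):
        return False, "private, loopback or link-local address"
    return True, "ok"
```

The `assets.mysite.com` entry shows why an allowlist alone is not sufficient: a permitted hostname can still resolve to an internal address, so the IP check has to apply to the resolved address as well.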