Beaker has asked for the wisdom of the Perl Monks concerning the following question:

I have a site that I'm converting to use only https. The only issue is links to remote http images posted by users in the forum. This means I end up with mixed content on those pages so it won't be secure. Could someone please point me in the direction of some info which would help me create a basic script to efficiently deal with this issue, and serve these images as https? Thanks.

Re: Basic Remote Image to SSL Server
by Corion (Patriarch) on Oct 19, 2016 at 07:18 UTC

    You will have to fetch the resource via HTTP through a proxy script and then serve the resource under your website content via HTTPS. There are examples in (for example) LWP::UserAgent::Paranoid and LWPx::ParanoidAgent.

    Note that your script needs to be very paranoid to prevent JavaScript data from being served in an image context etc. - I think the popular approach nowadays is to serve such content from a separate domain or subdomain and have the forum page supply the appropriate CORS headers.
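
The content check that a proxy script of the kind Corion describes would run before re-serving a fetched body over HTTPS, as an added example that is not part of the original thread. It assumes the body has already been fetched (for instance with LWPx::ParanoidAgent); the size limit, function names and sample URLs are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical size limit chosen for this example.
my $MAX_BYTES = 5 * 1024 * 1024;

# Raster formats identified by their leading magic bytes. SVG is left
# out on purpose because it can carry script.
my @MAGIC = (
    [ 'image/png',  qr/\A\x89PNG\x0D\x0A\x1A\x0A/ ],
    [ 'image/jpeg', qr/\A\xFF\xD8\xFF/ ],
    [ 'image/gif',  qr/\AGIF8[79]a/ ],
    [ 'image/webp', qr/\ARIFF.{4}WEBP/s ],
);

# Return the MIME type shown by the bytes themselves, or nothing.
sub sniff_image_type {
    my ($bytes) = @_;
    return if !defined $bytes || length($bytes) > $MAX_BYTES;
    for my $m (@MAGIC) {
        return $m->[0] if $bytes =~ $m->[1];
    }
    return;
}

# Build the headers for the HTTPS response, or return nothing to refuse.
# The upstream Content-Type is ignored; only the sniffed type is sent,
# and nosniff stops the browser from reinterpreting the body.
sub safe_image_headers {
    my ($url, $bytes) = @_;
    return unless $url =~ m{\Ahttps?://[^\s/]+}i;
    my $type = sniff_image_type($bytes) or return;
    return [
        'Content-Type'            => $type,
        'Content-Length'          => length $bytes,
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

# Constructed sample bodies standing in for what the fetch returned.
my %sample = (
    'http://img.example/a.png' => "\x89PNG\x0D\x0A\x1A\x0A" . ("\0" x 16),
    'http://img.example/b.gif' => "GIF89a" . ("\0" x 16),
    'http://img.example/c.jpg' => "<html><script>/* not an image */</script>",
    'ftp://img.example/d.png'  => "\x89PNG\x0D\x0A\x1A\x0A",
);
for my $url (sort keys %sample) {
    my $h = safe_image_headers($url, $sample{$url});
    printf "%-26s %s\n", $url, $h ? "serve as $h->[1]" : 'refuse';
}
```

A magic-byte match does not rule out a file that is also valid in another format, so the fixed Content-Type with nosniff, and the separate domain Corion mentions, still matter.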

Re: Basic Remote Image to SSL Server
by RonW (Parson) on Oct 18, 2016 at 23:34 UTC

    What forum software are you using? It may be a configuration option. I suggest asking the forum software creators.

    Also, converting 3rd party links from HTTP to HTTPS assumes the 3rd party's server supports HTTPS. You may have to resort to replacing the in-line images with clickable links.

      It's a Perl forum I wrote myself a while back, rather than a third party forum.
Re: Basic Remote Image to SSL Server
by RonW (Parson) on Oct 19, 2016 at 18:03 UTC

    Out of curiosity, I did a little looking at available modules on CPAN.

    For handling URLs in user posted content, URL::Transform might be of use.

    Though, you might want to look at how HTML::Copy modifies URLs.

    For serving the images, you could, as Corion suggested, create a local proxy script. Maybe you could use HTTP::Proxy. It does provide a mechanism for defining filtering. It's not clear if there's a way to make it use a LWP::UserAgent::Paranoid object instead of a plain LWP::UserAgent object. But, I think you could enhance the new method to allow specifying that LWP::UserAgent::Paranoid be used instead. (Then submit a patch to the author for your enhancement.)

    However, given the JavaScript problem Corion mentioned and other possible malicious content problems, I think it would be a better idea to not display user submitted links as inline images, rather just make them clickable links. (This is how many other forum sites work.)

      Thanks for your response, lots to consider. Indeed there seem to be lots of valid reasons not to display remote images directly. Problem being: a potential member backlash if I take this functionality away. I was thinking of just having image uploads instead, like I have in other areas of the site. However, I'd need more server space and a solution for legacy content. For now I've converted the site to https and the pages in the forum with non-https images will just break the ssl lock. Since images are considered passive this doesn't seem to trigger warnings in IE etc. It seems a number of other large forums I looked at are doing the same half-assed solution. I will put together a future project based on your suggestions.