Implementing Dynamic URL-Based Reverse Proxy in Nginx for Cross-Origin Image Loading in WebGL Applications


2 views

When working with WebGL applications that need to load external images, we frequently encounter CORS (Cross-Origin Resource Sharing) restrictions. The typical approach involves setting up a reverse proxy to bypass these limitations. Here's a detailed implementation guide for nginx configuration to dynamically proxy requests based on URL parameters.

location ~ ^/somename/imagesproxy {
    # Extract the URL parameter
    if ($args ~* "url=(https?://[^&]+)") {
        set $proxy_url $1;
    }

    # Remove the original query string
    rewrite ^ /$1 break;
    
    # Proxy settings
    proxy_pass $proxy_url;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    
    # Important for image handling
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
}

For production environments, consider these additional optimizations:

proxy_cache_key "$proxy_url$is_args$args";
proxy_cache_valid 200 302 1h;
proxy_cache_use_stale error timeout invalid_header updating;
proxy_cache_bypass $http_cache_control;
proxy_cache_path /path/to/cache levels=1:2 keys_zone=img_cache:10m inactive=60m;

To prevent open proxy abuse, implement these security measures:

location ~ ^/somename/imagesproxy {
    # Allow only specific domains
    if ($args !~* "url=https?://(allowed1\.com|allowed2\.org)") {
        return 403;
    }
    
    # Rate limiting
    limit_req zone=proxy_limiter burst=5;
}

After implementing, test with curl to verify:

curl -I "http://yourdomain/somename/imagesproxy?url=http://allowed1.com/image.png"

If encountering problems, check these common pitfalls:

  • Ensure nginx has DNS resolution capability (consider adding resolver directives)
  • Verify URL encoding/decoding works correctly (%2F should become /)
  • Check nginx error logs for specific proxy errors

When working with WebGL applications that need to load external images, you'll often encounter CORS restrictions. The browser blocks requests to different origins unless proper headers are set. A common workaround is to implement a reverse proxy on your own domain.

Here's how to configure Nginx to dynamically proxy requests based on a URL parameter:

location /somename/imagesproxy {
    resolver 8.8.8.8;
    
    # Extract the URL parameter
    if ($args ~* "url=(.+)") {
        set $proxy_url $1;
    }
    
    # Decode URL-encoded characters
    set $decoded_url $proxy_url;
    if ($proxy_url ~* "%([0-9a-fA-F]{2})") {
        set_unescape_uri $decoded_url $proxy_url;
    }
    
    proxy_pass $decoded_url;
    proxy_set_header Host $proxy_host;
    proxy_set_header Referer "";
    proxy_set_header X-Forwarded-For $remote_addr;
    
    # Important headers for image handling
    proxy_hide_header Access-Control-Allow-Origin;
    add_header Access-Control-Allow-Origin *;
    proxy_buffering off;
}

The configuration includes URL decoding because browsers automatically encode special characters in query parameters. The set_unescape_uri directive handles this conversion.

While this solution works, be aware of potential security implications:
- Always validate the target domains you want to allow
- Consider implementing a whitelist of allowed domains
- Rate limit the endpoint to prevent abuse

For more control, you can use regex to extract and validate the URL:

location ~ ^/somename/imagesproxy {
    if ($arg_url ~* "^https?://(alloweddomain1\.com|alloweddomain2\.org)/") {
        proxy_pass $arg_url;
        proxy_set_header Host $host;
        # Additional proxy settings...
    }
    return 403;
}

After implementing, test with curl to verify it works:

curl -I "http://yourdomain.com/somename/imagesproxy?url=https://external.com/image.png"