XF 1.5 Untrusted Http Client

[Sunka]

• A new config.php option $config['untrustedHttpClient'] has been added to allow you to specify a custom configuration when making untrusted HTTP calls such as via the image proxy. For example, this can allow you to direct the connection through a proxy to keep your server's IP hidden.

Regarding this in newest xenforo version, could someone give some examples and elaborate this option little more.
My forum is on https and I am running xenforo proxy for images.

Thank you

 

[rdn]

• $config['untrustedHttpClient'] - default: array()
  When XenForo makes an HTTP call to an untrusted external server, you may specify a specific adapater configuration. For example, this allows you to use an HTTP proxy service to stop your application server's IP from being leaked. The value should be an adapter configuration array like given in this Zend_Http_Client_Adapter_Proxy example.

https://xenforo.com/help/config-php-options/

 

[Mike]

As an example of that configuration:

$config['untrustedHttpClient'] = array(
   'adapter' => 'Zend_Http_Client_Adapter_Proxy',
   'proxy_host' => '123.123.123.123',
   'proxy_port' => 80
);

You'll need an HTTP proxy to access (either one you run on a different server or an external one).

 

[rdn]

You'll need an HTTP proxy

Just a plain web server will do?
Or do we need some sort of script to be run on proxy server?
Thanks!

 

[SneakyDave]

BUG BUG "adapter" is spelled wrong.

 

[rdn]

 

[Mike]

Just a plain web server will do?
Or do we need some sort of script to be run on proxy server?
Thanks!

It needs to be an HTTP proxy. This can be done through a regular web server if you configure it like that. Or it can be done through a dedicated proxy (Squid, https://tinyproxy.github.io/, etc). I don't have experience with setting any of them up so I can't comment on that.

 

[rdn]

Or it can be done through a dedicated proxy (Squid, https://tinyproxy.github.io/, etc)

Thanks!
That was very easy to setup
http://www.justinmccandless.com/blog/Set+Up+Tinyproxy+in+Ubuntu

 

[eva2000]

As an example of that configuration:

$config['untrustedHttpClient'] = array(
   'adapter' => 'Zend_Http_Client_Adapter_Proxy',
   'proxy_host' => '123.123.123.123',
   'proxy_port' => 80
);

You'll need an HTTP proxy to access (either one you run on a different server or an external one).

@Mike is the image proxy the only thing that takes advantage of the untrusted HttpClient setup right now ? or other Xenforo features ?

 

[Chris D]

Image proxy and auto linking stuff in XF.

It's also used in XFMG from version 1.1.5 with XF 1.5.6 or above installed for everything from automatically grabbing titles, to downloading video thumbnails, to adding media from URLs etc.

 

[eva2000]

Image proxy and auto linking stuff in XF.

It's also used in XFMG from version 1.1.5 with XF 1.5.6 or above installed for everything from automatically grabbing titles, to downloading video thumbnails, to adding media from URLs etc.

thanks @Chris D

 

[tr1cky]

What happens when the proxy is down? Will xenforo fetch the Images directly from the backend?

 

[Jawsh]

What happens when the proxy is down? Will xenforo fetch the Images directly from the backend?

No, the query fails and it displays an error icon.

 

[tr1cky]

No, the query fails and it displays an error icon.

Good. So it's safe to use this option and the built-in xenforo imageproxy?

 

[Jawsh]

Good. So it's safe to use this option and the built-in xenforo imageproxy?

Yes. On my website, it's critical the PHP Daemon servers do not expose their IP, yet I also want to protect users from IP logging pixels. I am using a Squid3 proxy on a spare server to fish image content for me.

 

[eva2000]

No, the query fails and it displays an error icon.

guess that answers https://xenforo.com/community/threa...nnect-to-proxy-auto-disable-img-embed.115439/

 

[tr1cky]

Thanks!
That was very easy to setup
http://www.justinmccandless.com/blog/Set+Up+Tinyproxy+in+Ubuntu

But it won't work fetching https images like that, since php 5.6 introduced peer verification:

Peer certificate CN=`*.imgur.com' did not match expected CN=`ip'

 

[eva2000]

But it won't work fetching https images like that, since php 5.6 introduced peer verification:

Peer certificate CN=`*.imgur.com' did not match expected CN=`ip'

known bug with fix posted at https://xenforo.com/community/threa...usted-connection-on-php7.114973/#post-1058456

 

[Brent W]

As an example of that configuration:

$config['untrustedHttpClient'] = array(
   'adapter' => 'Zend_Http_Client_Adapter_Proxy',
   'proxy_host' => '123.123.123.123',
   'proxy_port' => 80
);

You'll need an HTTP proxy to access (either one you run on a different server or an external one).

Is there a way to setup fallback proxies if the first fails?

 

[Mike]

No that wouldn't directly be an option. I suppose technically you could run a local proxy that you'd connect to which itself would then work through multiple other proxies as needed, though I'm not sure if there is any proxy package that provides that.