Reputation: 41
I've already installed thumbor 6.3.2 on my Ubuntu with a Docker container.
I'm trying to configure thumbor security, but I failed. Below is my /etc/thumbor.conf:
SECURITY_KEY = "abcde"
ALLOW_UNSAFE_URL = False
and I tried
thumbor -l INFO -p 8000 -c /etc/thumbor.conf
and then I sent
/abcde/300x300/image.jpg
but it failed.
Oddly,
/unsafe/300x300/image.jpg
was a success.
How can I configure thumbor security?
Upvotes: 4
Views: 2151
Reputation: 1005
I am able to set up thumbor with SECURITY_KEY.
I started thumbor docker image like:
docker run -p 8000:8000 -e SECURITY_KEY=test -e ALLOW_UNSAFE_URL=False apsl/thumbor
and picked one random image from the internet - https://rak-posts.s3.amazonaws.com/images/2943/large_rak_day.png
Then I generated the base64.urlsafe_b64encode signature using the following Python code:
>>> import base64
>>> import hashlib
>>> import hmac
>>> # the signed message is the part of the URL path that follows the signature
>>> message = "1000x1000/https://rak-posts.s3.amazonaws.com/images/2943/large_rak_day.png"
>>> b_message = message.encode("utf-8")  # hmac works on bytes, not str
>>> b_key = "test".encode("utf-8")  # same value as SECURITY_KEY
>>> digester = hmac.new(b_key, b_message, hashlib.sha1)
>>> signature = digester.digest()
>>> url_safe_sign = base64.urlsafe_b64encode(signature).decode("ascii")
>>> url_safe_sign
'_gcJOPfrByOrMqDekEool4uKYKE='
and made the URL call like this - http://localhost:8000/_gcJOPfrByOrMqDekEool4uKYKE=/1000x1000/https://rak-posts.s3.amazonaws.com/images/2943/large_rak_day.png - it works as expected.
And the unsafe URL - http://localhost:8000/unsafe/1000x1000/https://rak-posts.s3.amazonaws.com/images/2943/large_rak_day.png - doesn't work anymore.
Let me know if that helps.
Thanks, Hussain Bohra
Upvotes: 2
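The following is an added example, not part of the original posts and not thumbor's own code. It applies the signing scheme from the answer (HMAC-SHA1 over the path, URL-safe base64) to the question's key and path, and shows why a URL whose first segment is the SECURITY_KEY itself is rejected. The function names and the `is_request_allowed` model of the server-side check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

def sign_path(security_key: str, path: str) -> str:
    """URL-safe base64 of HMAC-SHA1(security_key, path), as in the answer above."""
    digest = hmac.new(security_key.encode("utf-8"), path.encode("utf-8"),
                      hashlib.sha1).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")

def is_request_allowed(security_key: str, request_path: str,
                       allow_unsafe_url: bool = False) -> bool:
    """Hypothetical model of the server-side check (not thumbor's source)."""
    first, _, rest = request_path.lstrip("/").partition("/")
    if first == "unsafe":
        # Unsigned requests pass only when the operator explicitly allows them.
        return allow_unsafe_url
    expected = sign_path(security_key, rest)
    # Constant-time comparison so the check does not leak how many
    # leading characters of a guessed signature were correct.
    return hmac.compare_digest(first.encode("utf-8"), expected.encode("utf-8"))

def demo() -> dict:
    key = "abcde"                # SECURITY_KEY from the question's config
    path = "300x300/image.jpg"   # options + image, taken from the question
    signature = sign_path(key, path)
    return {
        # Correct: first segment is the signature over the rest of the path.
        "signed": is_request_allowed(key, "/" + signature + "/" + path),
        # The question's attempt: the key is not a signature.
        "key_as_signature": is_request_allowed(key, "/abcde/" + path),
        # A signature covers one exact path; changing the size invalidates it.
        "resized_with_old_sig": is_request_allowed(
            key, "/" + signature + "/900x900/image.jpg"),
        # With ALLOW_UNSAFE_URL = False the unsigned form is refused.
        "unsafe_when_disabled": is_request_allowed(key, "/unsafe/" + path),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'accepted' if allowed else 'rejected'}")
```

The key stays on the server and on whatever backend generates links; only the signature appears in the URL.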