Why remove the upload from URL feature

[Pizzacus]

Now I know it's because DDG changed their proxy

So that leads me to this question:

Why not just download images directly? In the end, that's what DDG does and it works for them... that's actually what every good website does (except Google Images) so it's really really common, I don't see why you wouldn't be okay with just downloading the images directly.

It would be more reliable, more ethical (using DDG's own proxy is not nice at all) and it would use the same amount of bandwidth.

If you are scared of people using it to connect the server to illegal websites, remember you're already allowing any arbitrary file to be uploaded so you're already taking a big risk may as well go through with it xD

I don't think any country would ever hold you liable for this as there is no way to prevent this and you're not the one who initiated the action anyway.

So yeah, consider that please, I liked this feature :x

[BobbyWibowo]

Actually, it was only due to a simple reason of me not wanting anybody else to be aware of my server's IP.

It's probably a bit silly, but I have the belief that as long as attackers are unaware of the server's IP, they won't be able to do direct DDoS attacks or something along that line.

Security-wise I feel like the server is already secure enough, but I'm just not confident it can handle brute attacks like DDoS.

I figure not everyone are able to just casually commit such attacks, so I may appear somewhat paranoid, but man, lol

I mean yeah, DDG proxy was completely redundant, if not for the sole reason of me wanting to hide the server's IP.

[Pizzacus]

Wait, so you're protecting yourself with the CloudFlare thingy right?

So what you can do is reject any connections that do not come from CloudFlare, so even if attackers have your IP, it would be very unlikely they could DDOS you as all their attempts would be rejected. It's also very convenient for that purpose that CloudFlare's IPs are extremely well documented

A DDOS could still happen with a TON of computers, but if they really had this many machines, they may as well try to DDOS something more worthwhile xD. Attacking a machine that keeps rejecting all connections is very very hard.

Alternatively, if your VPS provider lets you change IP, you could always try to enable it and if you ever get DDOS'ed, you can just disable it and change the IP.

I think it would be very unlikely anyone would ever DDOS you as you aren't an interesting target at all, far more disruption could be caused by DDOSing some bigger Pomf-like websites because I don't think those run on hardware that is any more powerful than yours in the end.

[BobbyWibowo]

I thought about it at one point, but when it comes to whitelisting my own IP, I'm troubled since I have dynamic IPs. I couldn't be sure how dynamic it is as it seems to only change after rebooting router though.

As for DDoS attacks, I also thought at first that small websites shouldn't even be bothered to even think about that possibility, but a site that I hosted about 2 or 3 years ago got attacked once, yet it was even smaller than the safe (and it wasn't even a controversial site or anything). People are weird.. Its firewall was also setup to automatically blacklist IPs that have massive concurrent connections, but it just couldn't handle the load in general.

[Pizzacus]

OH MY GOD I JUST REMEMBERED THE NAME OF THE WEBSITE I WANTED TO ADVISE YOU TO USE IF YOU REALLY WANTED A PROXY

I have been trying to remember it for like 30 minutes and I FOUND IT

https://images.weserv.nl/

That is a public image proxy, pretty cool huh?

Now I would still recommend you to credit them, and they also have a Privacy Policy so you may wanna write it as

Upload from URL is powered by images.weserv.nl, by using this feature, you agree to their Privacy Policy.

Or if you wanna be absolutely clear:

Upload from URL is powered by images.weserv.nl, as stated in their Privacy Policy, the link you uploaded the image from may be logged on their server for up to 7 days and be handled by third-party Service Providers.

Anyway, this might be it if you want to handle third-party images absolutely securely. I would recommend you to upgrade to a robust server one day tho, but I can understand you may just not have enough money for it.

---

You can also reduce traffic by avoiding to serve static elements with your server and instead, using hosters like the excellent Netlify that I personally use a LOT :D

I love Netlify because it does pretty cool stuff, like running any build scripts on their server, syncing the website with GitHub to keep it up to date, and they have really fast servers, with free HTTPS and HTTP/2.0 support.

But of course it doesn't work as soon as you have dynamic stuff xD Their free plan is amazing for static websites but terrible to run dynamic scripts (even if they support AWS Lambdas it's limited to like 100k calls a month which is like nothing)

But that can be another way of reducing traffic to your server, or even completely remove it if you can make the entire website be static, which is becoming increasingly simpler.

I know Netlify can't work for lolisafe, but maybe it could for some of your other websites.

https://netlify.com

^{i know this may sound very promotional, but no, I do not work at Netlify}

[BobbyWibowo]

Thanks for the suggestions, I'll definitely look into them in the next few days.

Netlify is especially interesting, even more for my blog. At the moment I'm using GitHub Pages to serve locally built Hexo blog, but this Netlify thing seems to be able to take it a step further by building the thing by itself. Looking very neat.

[Pizzacus]

Yeah I actually used to use Github Pages until I found out about it, to me it was a huge improvement, I use it to serve https://satania.moe

Actually here is a fun anecdote, someone REALLY wanted me to serve satania.moe over HTTPS, but Github Pages didn't support HTTPS on custom domains back then.

And that guy got so triggered he gave me money to purchase an $8 SSL certificate, and that was great and all but I still had no way of applying it since Github Pages didn't allow SSL even if you paid for the certificate.

So I looked into my options of static website hosters that supported SSL, and there was Netlify! :D

But they offer free certificates from Let's Encrypt, so actually, I still have this $8 certificate on my Namecheap account, ready to be activated whenever xD

The guy said he doesn't mind as long as the website is on HTTPS now. I guess some people really go to great lengths to get websites on HTTPS...

I thought that was a relevant fun fact since that's how I found out about Netlify. ^-^

Anyway, have a good christmas! :christmas_tree: And thanks for considering my suggestion :heart:

[BobbyWibowo]

Configuration for URL uploads are now even more flexible with this commit https://github.com/BobbyWibowo/lolisafe/commit/d723c0f562a9e11306b583a0203dc15ac8db19f2, which basically allows site owners to use any URL proxy they want, having a specific extensions filter for URL uploads, and heck, even a customizable disclaimer message underneath the upload form. The sample config file uses images.weserv.nl.

With that said, it's now live at https://safe.fiery.me, so do give it a try.

I think you are aware of this, but images.weserv.nl will compress the images regardless. So yeah, I didn't add any other options, be it resize or whatever, but it will still compress.

[Pizzacus]

Okay I just tried it, and yes! It works great!

Compressing is most likely fine, actually maybe even desirable if it's absolutely lossless.

Anyway thanks a lot for implementing this so fast! :+1: I think we can close the issue now :ok_hand: :heart: