Image Camo extension

Author: JadedBlueEyes

xExtension-ImageCamo/LICENSE

@@ -0,0 +1,44 @@
+# Image Camo Proxy Extension for FreshRSS
+
+This extension allows FreshRSS to proxy images through a Camo server (eg. [go-camo](https://github.com/cactus/go-camo)), providing secure image delivery without mixed content warnings on HTTPS sites and without running an open proxy.
+
+## Features
+
+- Proxy HTTP and/or HTTPS images through go-camo
+- Support for both Base64 and Hex URL encoding (go-camo compatible)
+- Configurable scheme handling for protocol-relative URLs
+- Preserves original URLs in data attributes for FreshRSS compatibility
+- Supports responsive images with srcset attributes
+
+## Requirements
+
+- A running camo server instance (eg. go-camo)
+- HMAC key configured in camo server
+
+## Configuration
+
+1. **Camo Proxy URL**: The base URL of your camo server (e.g., `https://your-camo-instance.example.com`)
+2. **HMAC Key**: The shared secret key used to sign URLs (must match your camo server configuration)
+3. **URL Encoding**: Choose between Base64 (recommended, shorter URLs) or Hex encoding
+4. **Proxy HTTP images**: Enable/disable proxying of HTTP images
+5. **Proxy HTTPS images**: Enable/disable proxying of HTTPS images (usually disabled for performance)
+6. **Proxy protocol-relative URLs**: How to handle URLs starting with `//`
+7. **Include http*:// in URL**: Whether to include the protocol scheme in the proxied URL
+
+## How it works
+
+1. The extension intercepts image URLs in RSS feed content
+2. For each image URL that matches the configured criteria:
+   - Generates an HMAC-SHA1 signature using the configured key
+   - Encodes both the signature and URL (Base64 or Hex)
+   - Constructs a go-camo compatible URL: `{camo-url}/{signature}/{encoded-url}`
+3. The original URLs are preserved in data attributes
+
+## Security Considerations
+
+- Keep your HMAC key secret and secure
+- Use a strong, random HMAC key
+
+## Based on
+
+This extension is based on the [xExtension-ImageProxy](https://github.com/FreshRSS/Extensions/tree/master/xExtension-ImageProxy) extension but specifically designed for go-camo compatibility.

xExtension-ImageCamo/README.md

@@ -0,0 +1,89 @@
+<?php
+	declare(strict_types=1);
+	/** @var ImageCamoExtension $this */
+?>
+<div class="gocamo-security-notice">
+	<span class="icon">⚠️</span>
+	<strong><?= _t('ext.imagecamo.security_notice_title') ?>:</strong>
+	<?= _t('ext.imagecamo.security_notice_text') ?>
+</div>
+
+<form action="<?= _url('extension', 'configure', 'e', urlencode($this->getName())) ?>" method="post">
+	<input type="hidden" name="_csrf" value="<?= FreshRSS_Auth::csrfToken() ?>" />
+
+	<div class="form-group">
+		<label class="group-name" for="camo_proxy_url"><?= _t('ext.imagecamo.proxy_url') ?></label>
+		<div class="group-controls">
+			<input type="url" name="camo_proxy_url" id="camo_proxy_url"
+				value="<?= htmlspecialchars(FreshRSS_Context::userConf()->attributeString('camo_proxy_url') ?? '', ENT_COMPAT, 'UTF-8') ?>"
+				placeholder="https://your-camo-instance.example.com" required>
+			<div class="gocamo-help"><?= _t('ext.imagecamo.proxy_url_help') ?></div>
+		</div>
+	</div>
+
+	<div class="form-group">
+		<label class="group-name" for="camo_hmac_key"><?= _t('ext.imagecamo.hmac_key') ?></label>
+		<div class="group-controls">
+			<input type="password" name="camo_hmac_key" id="camo_hmac_key"
+				value="<?= htmlspecialchars(FreshRSS_Context::userConf()->attributeString('camo_hmac_key') ?? '', ENT_COMPAT, 'UTF-8') ?>"
+				placeholder="Your HMAC key for the camo server" required>
+			<div class="gocamo-help"><?= _t('ext.imagecamo.hmac_key_help') ?></div>
+		</div>
+	</div>
+
+	<div class="form-group">
+		<label class="group-name" for="camo_encoding"><?= _t('ext.imagecamo.encoding') ?></label>
+		<div class="group-controls">
+			<select name="camo_encoding" id="camo_encoding">
+				<option value="base64" <?= (FreshRSS_Context::userConf()->attributeString('camo_encoding') === 'base64') ? 'selected' : '' ?>>Base64 (<?= _t('ext.imagecamo.encoding_base64_desc') ?>)</option>
+				<option value="hex" <?= (FreshRSS_Context::userConf()->attributeString('camo_encoding') === 'hex') ? 'selected' : '' ?>>Hex (<?= _t('ext.imagecamo.encoding_hex_desc') ?>)</option>
+			</select>
+			<div class="gocamo-help"><?= _t('ext.imagecamo.encoding_help') ?></div>
+		</div>
+	</div>
+
+	<div class="form-group">
+		<label class="group-name" for="camo_scheme_http"><?= _t('ext.imagecamo.scheme_http') ?></label>
+		<div class="group-controls">
+			<input type="checkbox" name="camo_scheme_http" id="camo_scheme_http" value="1"
+				<?= FreshRSS_Context::userConf()->attributeBool('camo_scheme_http') ? 'checked' : '' ?>>
+		</div>
+	</div>
+
+	<div class="form-group">
+		<label class="group-name" for="camo_scheme_https"><?= _t('ext.imagecamo.scheme_https'); ?></label>
+		<div class="group-controls">
+			<input type="checkbox" name="camo_scheme_https" id="camo_scheme_https" value="1"
+				<?= FreshRSS_Context::userConf()->attributeBool('camo_scheme_https') ? 'checked' : '' ?>>
+		</div>
+	</div>
+
+	<div class="form-group">
+		<label class="group-name" for="camo_scheme_default"><?= _t('ext.imagecamo.scheme_default'); ?></label>
+		<div class="group-controls">
+			<select name="camo_scheme_default" id="camo_scheme_default">
+				<option value="<?= htmlspecialchars(FreshRSS_Context::userConf()->attributeString('camo_scheme_default') ?? '', ENT_COMPAT, 'UTF-8') ?>" selected="selected"><?=
+					htmlspecialchars(FreshRSS_Context::userConf()->attributeString('camo_scheme_default') ?? '', ENT_COMPAT, 'UTF-8') ?></option>
+				<option value="-">-</option>
+				<option value="auto">auto</option>
+				<option value="http">http</option>
+				<option value="https">https</option>
+			</select>
+		</div>
+	</div>
+
+	<div class="form-group">
+		<label class="group-name" for="camo_scheme_include"><?= _t('ext.imagecamo.scheme_include'); ?></label>
+		<div class="group-controls">
+			<input type="checkbox" name="camo_scheme_include" id="camo_scheme_include" value="1"
+				<?= FreshRSS_Context::userConf()->attributeBool('camo_scheme_include') ? 'checked' : '' ?>>
+		</div>
+	</div>
+
+	<div class="form-group form-actions">
+		<div class="group-controls">
+			<button type="submit" class="btn btn-important"><?= _t('gen.action.submit') ?></button>
+			<button type="reset" class="btn"><?= _t('gen.action.cancel') ?></button>
+		</div>
+	</div>
+</form>

xExtension-ImageCamo/configure.phtml

@@ -0,0 +1,228 @@
+<?php
+
+declare(strict_types=1);
+
+final class ImageCamoExtension extends Minz_Extension {
+	// Defaults
+	private const DEFAULT_CAMO_URL = 'https://your-camo-instance.example.com';
+	private const DEFAULT_HMAC_KEY = '';
+	private const DEFAULT_SCHEME_HTTP = true;
+	private const DEFAULT_SCHEME_HTTPS = false;
+	private const DEFAULT_SCHEME_DEFAULT = 'auto';
+	private const DEFAULT_SCHEME_INCLUDE = false;
+	private const DEFAULT_ENCODING = 'base64'; // base64 or hex
+
+	/**
+	 * @throws FreshRSS_Context_Exception
+	 */
+	#[\Override]
+	public function init(): void {
+		if (!FreshRSS_Context::hasSystemConf()) {
+			throw new FreshRSS_Context_Exception('System configuration not initialised!');
+		}
+		$this->registerHook('entry_before_display', [self::class, 'setImageProxyHook']);
+
+		// Initialize defaults if not set
+		$save = false;
+		if (FreshRSS_Context::userConf()->attributeString('camo_proxy_url') == null) {
+			FreshRSS_Context::userConf()->_attribute('camo_proxy_url', self::DEFAULT_CAMO_URL);
+			$save = true;
+		}
+		if (FreshRSS_Context::userConf()->attributeString('camo_hmac_key') == null) {
+			FreshRSS_Context::userConf()->_attribute('camo_hmac_key', self::DEFAULT_HMAC_KEY);
+			$save = true;
+		}
+		if (FreshRSS_Context::userConf()->attributeBool('camo_scheme_http') === null) {
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_http', self::DEFAULT_SCHEME_HTTP);
+			$save = true;
+		}
+		if (FreshRSS_Context::userConf()->attributeBool('camo_scheme_https') === null) {
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_https', self::DEFAULT_SCHEME_HTTPS);
+			$save = true;
+		}
+		if (FreshRSS_Context::userConf()->attributeString('camo_scheme_default') === null) {
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_default', self::DEFAULT_SCHEME_DEFAULT);
+			$save = true;
+		}
+		if (FreshRSS_Context::userConf()->attributeBool('camo_scheme_include') === null) {
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_include', self::DEFAULT_SCHEME_INCLUDE);
+			$save = true;
+		}
+		if (FreshRSS_Context::userConf()->attributeString('camo_encoding') === null) {
+			FreshRSS_Context::userConf()->_attribute('camo_encoding', self::DEFAULT_ENCODING);
+			$save = true;
+		}
+		if ($save) {
+			FreshRSS_Context::userConf()->save();
+		}
+	}
+
+	/**
+	 * @throws FreshRSS_Context_Exception
+	 */
+	#[\Override]
+	public function handleConfigureAction(): void {
+		$this->registerTranslates();
+
+		if (Minz_Request::isPost()) {
+			FreshRSS_Context::userConf()->_attribute('camo_proxy_url', Minz_Request::paramString('camo_proxy_url', plaintext: true) ?: self::DEFAULT_CAMO_URL);
+			FreshRSS_Context::userConf()->_attribute('camo_hmac_key', Minz_Request::paramString('camo_hmac_key', plaintext: true) ?: self::DEFAULT_HMAC_KEY);
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_http', Minz_Request::paramBoolean('camo_scheme_http'));
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_https', Minz_Request::paramBoolean('camo_scheme_https'));
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_default', Minz_Request::paramString('camo_scheme_default', plaintext: true) ?: self::DEFAULT_SCHEME_DEFAULT);
+			FreshRSS_Context::userConf()->_attribute('camo_scheme_include', Minz_Request::paramBoolean('camo_scheme_include'));
+			FreshRSS_Context::userConf()->_attribute('camo_encoding', Minz_Request::paramString('camo_encoding', plaintext: true) ?: self::DEFAULT_ENCODING);
+			FreshRSS_Context::userConf()->save();
+		}
+	}
+
+	/**
+	 * Generate camo signed URL
+	 * @throws FreshRSS_Context_Exception
+	 */
+	public static function getImageCamoUri(string $url): string {
+		$parsed_url = parse_url($url);
+		$scheme = $parsed_url['scheme'] ?? '';
+
+		// Check if we should proxy this scheme
+		if ($scheme === 'http') {
+			if (!FreshRSS_Context::userConf()->attributeBool('camo_scheme_http')) {
+				return $url;
+			}
+		} elseif ($scheme === 'https') {
+			if (!FreshRSS_Context::userConf()->attributeBool('camo_scheme_https')) {
+				return $url;
+			}
+		} elseif ($scheme === '') {
+			// Handle protocol-relative URLs
+			$schemeDefault = FreshRSS_Context::userConf()->attributeString('camo_scheme_default');
+			if ($schemeDefault === 'auto') {
+				$autoScheme = ((is_string($_SERVER['HTTPS'] ?? null) && strtolower($_SERVER['HTTPS']) !== 'off') ? 'https:' : 'http:');
+				if (FreshRSS_Context::userConf()->attributeBool('camo_scheme_include')) {
+					$url = $autoScheme . $url;
+				}
+			} elseif (str_starts_with($schemeDefault ?? '', 'http')) {
+				if (FreshRSS_Context::userConf()->attributeBool('camo_scheme_include')) {
+					$url = $schemeDefault . ':' . $url;
+				}
+			} else {
+				// Do not proxy unschemed URLs
+				return $url;
+			}
+		} else {
+			// Unknown/unsupported scheme
+			return $url;
+		}
+
+		$hmacKey = FreshRSS_Context::userConf()->attributeString('camo_hmac_key');
+		$camoUrl = FreshRSS_Context::userConf()->attributeString('camo_proxy_url');
+		$encoding = FreshRSS_Context::userConf()->attributeString('camo_encoding') ?: 'base64';
+
+		if (empty($hmacKey) || empty($camoUrl)) {
+			return $url; // Return original URL if configuration is incomplete
+		}
+
+		// Generate HMAC signature and encode URL according to camo format
+		if ($encoding === 'hex') {
+			return self::generateHexCamoUrl($hmacKey, $camoUrl, $url);
+		} else {
+			return self::generateBase64CamoUrl($hmacKey, $camoUrl, $url);
+		}
+	}
+
+	/**
+	 * Generate Base64 encoded camo URL
+	 */
+	private static function generateBase64CamoUrl(string $hmacKey, string $camoUrl, string $imageUrl): string {
+		// Generate HMAC-SHA1
+		$hmac = hash_hmac('sha1', $imageUrl, $hmacKey, true);
+
+		// Base64 encode without padding (camo style)
+		$b64Hmac = rtrim(strtr(base64_encode($hmac), '+/', '-_'), '=');
+		$b64Url = rtrim(strtr(base64_encode($imageUrl), '+/', '-_'), '=');
+
+		return rtrim($camoUrl, '/') . '/' . $b64Hmac . '/' . $b64Url;
+	}
+
+	/**
+	 * Generate Hex encoded camo URL
+	 */
+	private static function generateHexCamoUrl(string $hmacKey, string $camoUrl, string $imageUrl): string {
+		// Generate HMAC-SHA1 in hex
+		$hexHmac = hash_hmac('sha1', $imageUrl, $hmacKey);
+		$hexUrl = bin2hex($imageUrl);
+
+		return rtrim($camoUrl, '/') . '/' . $hexHmac . '/' . $hexUrl;
+	}
+
+	/**
+	 * @param array<string> $matches
+	 * @throws FreshRSS_Context_Exception
+	 */
+	public static function getSrcSetUris(array $matches): string {
+		return str_replace($matches[1], self::getImageCamoUri($matches[1]), $matches[0]);
+	}
+
+	/**
+	 * @throws FreshRSS_Context_Exception
+	 */
+	public static function swapUris(string $content): string {
+		if ($content === '') {
+			return $content;
+		}
+
+		$doc = new DOMDocument();
+		libxml_use_internal_errors(true); // prevent tag soup errors from showing
+		$content = mb_convert_encoding($content, 'HTML-ENTITIES', 'UTF-8');
+		if (!is_string($content)) {
+			return '';
+		}
+		$doc->loadHTML($content);
+		$imgs = $doc->getElementsByTagName('img');
+		foreach ($imgs as $img) {
+			if (!($img instanceof DOMElement)) {
+				continue;
+			}
+			if ($img->hasAttribute('src')) {
+				$src = $img->getAttribute('src');
+				$newSrc = self::getImageCamoUri($src);
+				/*
+				Due to the URL change, FreshRSS is not aware of already rendered enclosures.
+				Adding data-xextension-imagecamo-original-src / srcset ensures that original URLs are present in the content for the renderer check FreshRSS_Entry->containsLink.
+				*/
+				$img->setAttribute('data-xextension-imagecamo-original-src', $src);
+				$img->setAttribute('src', $newSrc);
+			}
+			if ($img->hasAttribute('srcset')) {
+				$srcSet = $img->getAttribute('srcset');
+				$newSrcSet = preg_replace_callback('/(?:([^\s,]+)(\s*(?:\s+\d+[wx])(?:,\s*)?))/', fn (array $matches) => self::getSrcSetUris($matches), $srcSet);
+				if ($newSrcSet != null) {
+					$img->setAttribute('data-xextension-imagecamo-original-srcset', $srcSet);
+					$img->setAttribute('srcset', $newSrcSet);
+				}
+			}
+		}
+
+		$body = $doc->getElementsByTagName('body')->item(0);
+
+		$output = $doc->saveHTML($body);
+		if ($output === false) {
+			return '';
+		}
+
+		$output = preg_replace('/^<body>|<\/body>$/', '', $output) ?? '';
+
+		return $output;
+	}
+
+	/**
+	 * @throws FreshRSS_Context_Exception
+	 */
+	public static function setImageProxyHook(FreshRSS_Entry $entry): FreshRSS_Entry {
+		$entry->_content(
+			self::swapUris($entry->content())
+		);
+
+		return $entry;
+	}
+}

xExtension-ImageCamo/extension.php

@@ -0,0 +1,20 @@
+<?php
+
+return array(
+	'imagecamo' => array(
+		'proxy_url' => 'Camo Proxy URL',
+		'proxy_url_help' => 'The base URL of your camo server (e.g., https://camo.example.com)',
+		'hmac_key' => 'HMAC Key',
+		'hmac_key_help' => 'The shared secret key used to sign URLs (must match your camo server configuration)',
+		'encoding' => 'URL Encoding',
+		'encoding_help' => 'Choose the URL encoding format supported by your camo server',
+		'encoding_base64_desc' => 'recommended, shorter URLs',
+		'encoding_hex_desc' => 'longer URLs, case insensitive',
+		'scheme_http' => 'Proxy HTTP images',
+		'scheme_https' => 'Proxy HTTPS images',
+		'scheme_default' => 'Proxy protocol-relative URLs',
+		'scheme_include' => 'Include http*:// in URL',
+		'security_notice_title' => 'Security Notice',
+		'security_notice_text' => 'Keep your HMAC key secret and secure. Use a strong, random key that matches your camo server configuration.'
+	),
+);