feat: Add media proxy for Luma and Mastodon so that nothing reaches out to external services

pojntfx · pojntfx · commit 6761c27632cf · 2026-04-02T00:40:36.000-07:00
Signed-off-by: Felicitas Pojtinger &lt;felicitas@pojtinger.com&gt;
diff --git a/assets/js/event-detail-modal.js b/assets/js/event-detail-modal.js
@@ -124,7 +124,7 @@ customElements.define(
 
         const cover = $("cover");
         if (data.cover_url) {
-          cover.src = proxyImageUrl(data.cover_url, api, "luma");
+          cover.src = proxyImageUrl(data.cover_url, api);
           cover.alt = data.name;
         } else {
           cover.remove();
diff --git a/assets/js/events.js b/assets/js/events.js
@@ -1,3 +1,8 @@
+export const proxyImageUrl = (url, api) => {
+  if (!url) return "";
+  return `${api}/image?url=${encodeURIComponent(url)}`;
+};
+
 export const formatEvent = (evt, api) => {
   const start = new Date(evt.start_at);
   const days = Math.ceil((start - new Date()) / 86400000);
@@ -27,7 +32,7 @@ export const formatEvent = (evt, api) => {
       ? `https://luma.com/${encodeURI(evt.url)}`
       : "https://luma.com/vanlug",
     location: evt.location || "",
-    coverUrl: evt.cover_url,
+    coverUrl: proxyImageUrl(evt.cover_url, api),
   };
 };
 
diff --git a/assets/js/mastodon-feed.js b/assets/js/mastodon-feed.js
@@ -1,4 +1,5 @@
 import DOMPurify from "dompurify";
+import { proxyImageUrl } from "./events.js";
 
 const tootTemplate = document.createElement("template");
 tootTemplate.innerHTML = `
@@ -12,7 +13,7 @@ tootTemplate.innerHTML = `
     </div>
   </a>`;
 
-const renderToot = (toot, data, { isFirst, isLast, inDrawer, profile }) => {
+const renderToot = (toot, data, { isFirst, isLast, inDrawer, profile, api }) => {
   const clone = tootTemplate.content.cloneNode(true);
   const $ = (s) => clone.querySelector(`[data-slot="${s}"]`);
   const item = clone.querySelector("a");
@@ -37,7 +38,7 @@ const renderToot = (toot, data, { isFirst, isLast, inDrawer, profile }) => {
   const mediaSlot = $("media");
   for (const m of toot.media?.slice(0, 1) ?? []) {
     const el = document.createElement(m.isVideo ? "video" : "img");
-    el.src = m.url;
+    el.src = proxyImageUrl(m.url, api);
     if (m.isVideo) el.controls = true;
     else el.alt = m.altText || "";
     el.className = "pf-v6-u-w-100";
@@ -49,7 +50,7 @@ const renderToot = (toot, data, { isFirst, isLast, inDrawer, profile }) => {
   if (!mediaSlot.children.length) mediaSlot.remove();
 
   const avatar = $("avatar");
-  avatar.src = data.userProfilePictureURL;
+  avatar.src = proxyImageUrl(data.userProfilePictureURL, api);
   avatar.alt = data.userDisplayName;
 
   $("timestamp").textContent = new Date(toot.timestamp).toLocaleDateString(
@@ -105,6 +106,7 @@ customElements.define(
               isLast: i === data.toots.length - 1,
               inDrawer,
               profile,
+              api,
             }),
           );
         }
diff --git a/content/privacy.md b/content/privacy.md
@@ -32,7 +32,7 @@ When accessing our website, the following information is processed for the reaso
 
 #### 3.2 Luma Event Data
 
-Our home page and events page fetch event data from Luma's API via our API proxy on Railway. Your browser connects to our proxy, not directly to Luma. No data is sent to Luma from your browser. We also provide a RSS/Atom feed of upcoming events via the same proxy; when you subscribe to it, your feed reader connects to our proxy, which fetches event listings and per-event descriptions from Luma's API on your behalf.
+Our home page and events page fetch event data from Luma's API and images from Luma's CDN via our proxy on Railway. Your browser connects to our proxy, not directly to Luma. No data is sent to Luma from your browser. We also provide the RSS/Atom feed of upcoming events and their images via the same proxy.
 
 Luma, Inc.\
 548 Market St PMB 36143\
@@ -42,7 +42,7 @@ Privacy policy: [https://luma.com/privacy-policy](https://luma.com/privacy-polic
 
 #### 3.3 Mastodon Feed Data
 
-Our home page fetches recent posts from our Mastodon account via our API proxy on Railway. Your browser connects to our proxy, not directly to [thecanadian.social](https://thecanadian.social). No data is sent to [thecanadian.social](https://thecanadian.social) from your browser. We also link to the public Mastodon RSS feed at `thecanadian.social/@vanlug.rss`; if you subscribe to it, your feed reader connects directly to [thecanadian.social](https://thecanadian.social).
+Our home page fetches recent posts and media from our Mastodon account via our proxy on Railway. Your browser connects to our proxy, not directly to [thecanadian.social](https://thecanadian.social). No data is sent to [thecanadian.social](https://thecanadian.social) from your browser. We also link to the public Mastodon RSS feed at `thecanadian.social/@vanlug.rss`; if you subscribe to it, your feed reader connects directly to [thecanadian.social](https://thecanadian.social).
 
 The Canadian ([thecanadian.social](https://thecanadian.social))\
 Kelowna and Burnaby, British Columbia\
diff --git a/main.go b/main.go
@@ -21,10 +21,6 @@ func Handler(w http.ResponseWriter, r *http.Request) {
 	handlers.NextEventHandler(w, r, defaultLumaAPIBase)
 }
 
-func FeedHandler(w http.ResponseWriter, r *http.Request) {
-	handlers.EventsFeedHandler(w, r, defaultLumaAPIBase, defaultLumaEventDetailBase, defaultLumaBase, defaultMapBase, "https://vanlug.ca/")
-}
-
 func main() {
 	port := os.Getenv("PORT")
 	if port == "" {
@@ -61,6 +57,11 @@ func main() {
 		siteURL = "https://vanlug.ca/"
 	}
 
+	apiURL := os.Getenv("API_URL")
+	if apiURL == "" {
+		apiURL = "http://localhost:" + port
+	}
+
 	mastodonServer := os.Getenv("MASTODON_SERVER")
 	if mastodonServer == "" {
 		mastodonServer = "https://thecanadian.social"
@@ -127,7 +128,7 @@ func main() {
 			}
 		}()
 
-		handlers.EventsFeedHandler(w, r, apiBase, eventDetailBase, lumaBase, mapBase, siteURL)
+		handlers.EventsFeedHandler(w, r, apiBase, eventDetailBase, lumaBase, mapBase, siteURL, apiURL)
 	}))
 
 	mux.HandleFunc("/events/detail", cors(func(w http.ResponseWriter, r *http.Request) {
@@ -144,6 +145,20 @@ func main() {
 		handlers.EventDetailHandler(w, r, eventDetailBase, lumaBase, mapBase)
 	}))
 
+	mux.HandleFunc("/image", cors(func(w http.ResponseWriter, r *http.Request) {
+		defer func() {
+			if err := recover(); err != nil {
+				log.Println("Error occured in image proxy:", err)
+
+				http.Error(w, "Error occured in image proxy", http.StatusInternalServerError)
+
+				return
+			}
+		}()
+
+		handlers.ImageProxyHandler(w, r)
+	}))
+
 	mux.HandleFunc("/mastodon", cors(func(w http.ResponseWriter, r *http.Request) {
 		defer func() {
 			if err := recover(); err != nil {
diff --git a/pkg/handlers/images.go b/pkg/handlers/images.go
@@ -0,0 +1,53 @@
+package handlers
+
+import (
+	"io"
+	"net/http"
+	"net/url"
+)
+
+var allowedImageHosts = map[string]bool{
+	"images.lumacdn.com":             true,
+	"s3.us-west-000.backblazeb2.com": true,
+}
+
+func ImageProxyHandler(w http.ResponseWriter, r *http.Request) {
+	upstream := r.URL.Query().Get("url")
+	if upstream == "" {
+		http.Error(w, "missing url query parameter", http.StatusBadRequest)
+		return
+	}
+
+	parsed, err := url.Parse(upstream)
+	if err != nil || parsed.Scheme != "https" {
+		http.Error(w, "invalid url", http.StatusBadRequest)
+		return
+	}
+
+	if !allowedImageHosts[parsed.Host] {
+		http.Error(w, "host not allowed", http.StatusForbidden)
+		return
+	}
+
+	resp, err := http.Get(upstream)
+	if err != nil {
+		http.Error(w, "failed to fetch media", http.StatusBadGateway)
+		return
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		http.Error(w, "upstream error", resp.StatusCode)
+		return
+	}
+
+	if ct := resp.Header.Get("Content-Type"); ct != "" {
+		w.Header().Set("Content-Type", ct)
+	}
+	w.Header().Set("Cache-Control", "public, max-age=86400")
+	if cl := resp.Header.Get("Content-Length"); cl != "" {
+		w.Header().Set("Content-Length", cl)
+	}
+
+	io.Copy(w, resp.Body)
+}
diff --git a/pkg/handlers/luma.go b/pkg/handlers/luma.go
@@ -452,7 +452,7 @@ func EventDetailHandler(w http.ResponseWriter, r *http.Request, eventDetailBase
 	fmt.Fprintf(w, "%v", string(j))
 }
 
-func EventsFeedHandler(w http.ResponseWriter, r *http.Request, apiBase string, eventDetailBase string, lumaBase string, mapBase string, siteURL string) {
+func EventsFeedHandler(w http.ResponseWriter, r *http.Request, apiBase string, eventDetailBase string, lumaBase string, mapBase string, siteURL string, apiURL string) {
 	items, err := lumaFetchItems(r, apiBase, "20")
 	if err != nil {
 		w.Write([]byte(err.Error()))
@@ -493,6 +493,10 @@ func EventsFeedHandler(w http.ResponseWriter, r *http.Request, apiBase string, e
 	for i, item := range items {
 		data := buildEntryData(item, descriptions[i], lumaBase, mapBase)
 
+		if data.CoverURL != "" {
+			data.CoverURL = apiURL + "/image?" + url.Values{"url": {data.CoverURL}}.Encode()
+		}
+
 		published := now
 		if t, err := time.Parse(time.RFC3339, item.StartAt); err == nil {
 			published = t
@@ -518,10 +522,9 @@ func EventsFeedHandler(w http.ResponseWriter, r *http.Request, apiBase string, e
 			Content:     buf.String(),
 		}
 
-		if item.CoverURL != "" {
+		if data.CoverURL != "" {
 			feedItem.Enclosure = &feeds.Enclosure{
-				Url:  item.CoverURL,
-				Type: "image/jpeg",
+				Url: data.CoverURL,
 			}
 		}
 
