2020-10-30 14:08:56 -04:00
---
2021-10-06 14:12:19 -04:00
stage: Manage
2022-01-26 22:14:06 -05:00
group: Authentication and Authorization
2020-11-26 01:09:20 -05:00
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2020-10-30 14:08:56 -04:00
---
2021-06-13 17:10:11 -04:00
# Proxying assets **(FREE SELF)**
2019-09-10 10:43:14 -04:00
2021-06-13 17:10:11 -04:00
A possible security concern when managing a public-facing GitLab instance is
2021-12-05 22:13:43 -05:00
the ability to steal a user's IP address by referencing images in issues and comments.
2019-02-20 18:51:55 -05:00
For example, adding `![Example image](http://example.com/example.png)` to
2020-12-07 10:09:49 -05:00
an issue description causes the image to be loaded from the external
2019-09-10 10:43:14 -04:00
server in order to be displayed. However, this also allows the external server
2019-02-20 18:51:55 -05:00
to log the IP address of the user.
One way to mitigate this is by proxying any external images to a server you
2019-09-10 10:43:14 -04:00
control.
2019-10-09 08:06:13 -04:00
GitLab can be configured to use an asset proxy server when requesting external images/videos/audio in
2021-06-13 17:10:11 -04:00
issues and comments. This helps ensure that malicious images do not expose the user's IP address
2019-09-10 10:43:14 -04:00
when they are fetched.
We currently recommend using [cactus/go-camo ](https://github.com/cactus/go-camo#how-it-works )
2019-10-09 08:06:13 -04:00
as it supports proxying video, audio, and is more configurable.
2019-09-10 10:43:14 -04:00
## Installing Camo server
A Camo server is used to act as the proxy.
To install a Camo server as an asset proxy:
1. Deploy a `go-camo` server. Helpful instructions can be found in
2020-10-06 20:08:24 -04:00
[building cactus/go-camo ](https://github.com/cactus/go-camo#building ).
2019-09-10 10:43:14 -04:00
1. Make sure your instance of GitLab is running, and that you have created a private API token.
Using the API, configure the asset proxy settings on your GitLab instance. For example:
2020-01-30 10:09:15 -05:00
```shell
2020-01-09 07:08:03 -05:00
curl --request "PUT" "https://gitlab.example.com/api/v4/application/settings?\
asset_proxy_enabled=true& \
asset_proxy_url=https://proxy.gitlab.example.com& \
asset_proxy_secret_key=< somekey > " \
--header 'PRIVATE-TOKEN: < my_private_token > '
```
The following settings are supported:
| Attribute | Description |
|:-------------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
2022-05-13 14:08:33 -04:00
| `asset_proxy_enabled` | Enable proxying of assets. If enabled, requires: `asset_proxy_url` . |
2020-01-09 07:08:03 -05:00
| `asset_proxy_secret_key` | Shared secret with the asset proxy server. |
| `asset_proxy_url` | URL of the asset proxy server. |
2022-05-13 14:08:33 -04:00
| `asset_proxy_whitelist` | (Deprecated: Use `asset_proxy_allowlist` instead) Assets that match these domains are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
| `asset_proxy_allowlist` | Assets that match these domains are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
2019-09-10 10:43:14 -04:00
1. Restart the server for the changes to take effect. Each time you change any values for the asset
proxy, you need to restart the server.
## Using the Camo server
2019-10-09 08:06:13 -04:00
Once the Camo server is running and you've enabled the GitLab settings, any image, video, or audio that
2020-12-07 10:09:49 -05:00
references an external source are proxied to the Camo server.
2019-02-20 18:51:55 -05:00
2019-09-10 10:43:14 -04:00
For example, the following is a link to an image in Markdown:
2019-02-20 18:51:55 -05:00
2019-09-10 10:43:14 -04:00
```markdown
![logo ](https://about.gitlab.com/images/press/logo/jpg/gitlab-icon-rgb.jpg )
```
2019-02-20 18:51:55 -05:00
2019-09-10 10:43:14 -04:00
The following is an example of a source link that could result:
2019-02-20 18:51:55 -05:00
2020-05-19 23:08:04 -04:00
```plaintext
2019-09-10 10:43:14 -04:00
http://proxy.gitlab.example.com/f9dd2b40157757eb82afeedbf1290ffb67a3aeeb/68747470733a2f2f61626f75742e6769746c61622e636f6d2f696d616765732f70726573732f6c6f676f2f6a70672f6769746c61622d69636f6e2d7267622e6a7067
```