Using image proxies means that users make only secure requests. By allowing image requests to go straight to third-party servers, tracking pixels is allowed. Users can put invisible images in posts that logs time and location data for every user that views the post. An image proxy protects user privacy by eliminating this direct interaction with third-party servers.
Proxy servers also provide a layer of caching, and can be made faster and more reliable than third-party sites. This caching also helps preserve posts by protecting them from dead images.
You may alternatively use atmos/camo http proxy to route images through SSL:
Local Image Proxy¶
The local image proxy is enabled on the Mattermost server by default. When using the local image proxy, Mattermost apps will download external images through the Mattermost server itself.
With the local image proxy enabled, requests for images hosted on the local network are now affected by the
AllowUntrustedInternalConnections setting. See documentation for more information or if you are seeing unintentionally blocked images.
atmos/camo Image Proxy¶
The atmos/camo image proxy is a standalone image proxy that can be deployed separately from the Mattermost server. It provides additional configuration options over the built-in image proxy, and it can also be used if isolation between the Mattermost server and image proxy is desired.
This guide gives an example of how to set up an image proxy using
atmos/camo (https://github.com/atmos/camo) instance to image-proxy.mattermost.com and update the
configuration in System Console > Files > Storage. For example:
- Image Proxy Type:
- Remote Image Proxy URL:
- Remote Image Proxy Options:
CAMO_KEY, which is the secret string used for the sample
The URL will be replaced with something similar to the following: https://image-proxy.mattermost.com/d7b4022717e8d015440cd70183b81196298b9453/687474703a2f2f692e726564642e69742f36636f687964636b6b363530312e6a7067 (See https://github.com/atmos/camo).
Next, if you post a message with an image, you will get a proxied image in your post. This will ensure that every image is downloaded via HTTPS.