How to set up a separate image processing server (= avoid ImageMagick's many security vulnerabilities)

The ImageMagick library is well known for its never-ending chain of security vulnerabilities. It continues to provide attack surface and thus constitutes a weakness in every infrastructure.

It is therefore a good security practice to install ImageMagick on a separate server (NOT on the application server and/or NOT on the database server).

How do I set up/configure the Rails application (ideally using ActiveStorage) so that the image processing happens on a separate server? (Any pointers to helpful resources are welcome!)


You could use vips, which is the new default.

Thank you!

Upon looking up the known security vulnerabilities in Vips, I am flabbergasted:

1 single vulnerability for Vips (in 2010) against 628 vulnerabilities for ImageMagick.

(Could it be that Vips simply “has that much fewer eyeballs”/code reviews?)

You could use Imgproxy. For that, you will need to configure the external service using Docker, and then add the gem to your app.

Or do it yourself following a pattern similar to that, but calling an external API instead of calling an executable on the local machine.
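One thing that makes the separate-server pattern safe is that the image server only acts on URLs the application has signed, so it cannot be used as an open resizer. The following is an added example (not from this thread or the imgproxy project) of generating and checking imgproxy-style signed URLs in plain Ruby; the key, salt and host are constructed values, and the scheme assumed is the one imgproxy documents: base64url(HMAC-SHA256(key, salt + path)) with hex-decoded key and salt.

```ruby
require "openssl"
require "uri"

# Hex-encoded secrets in the form imgproxy reads from IMGPROXY_KEY / IMGPROXY_SALT.
# Constructed for this example only; generate your own for a real deployment.
IMGPROXY_KEY  = "943b421c9eb07c830af81030552c86009268de4e532ba2ee2eab8247c6da0881"
IMGPROXY_SALT = "520f986b998545b4785e0defbc4f3c1203f22de2374a3d53cb7a7fe9fea309c5"
IMGPROXY_BASE = "https://imgproxy.internal.example" # hypothetical host of the image server

# base64url without padding, as used in imgproxy paths.
def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

# Signature over everything after the signature segment, including the leading "/".
def imgproxy_signature(path, key_hex: IMGPROXY_KEY, salt_hex: IMGPROXY_SALT)
  key  = [key_hex].pack("H*")
  salt = [salt_hex].pack("H*")
  b64url(OpenSSL::HMAC.digest("SHA256", key, salt + path))
end

# Build a signed URL for a source image and processing options such as "rs:fit:300:300".
# The source URL is base64url-encoded so it cannot inject extra path segments.
def signed_imgproxy_url(source_url, options, extension: "webp")
  path = "/#{options}/#{b64url(source_url)}.#{extension}"
  "#{IMGPROXY_BASE}/#{imgproxy_signature(path)}#{path}"
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Mirrors the check the image server performs before any decoder runs:
# recompute the signature over the remaining path and reject on mismatch.
def valid_imgproxy_url?(url)
  signature, rest = URI.parse(url).path.split("/", 3)[1..2]
  return false if signature.nil? || rest.nil?
  secure_equal?(signature, imgproxy_signature("/#{rest}"))
end
```

Because the signature covers the processing options as well as the source, changing the requested size or source on the wire invalidates the request before the image server touches any image data.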

Thank you!

Imgproxy looks awesome, I love the Rails integration!