imgproxy
diff --git a/‎docs/configuration/options.mdx‎
Lines changed: 4 additions & 3 deletions b/‎docs/configuration/options.mdx‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎docs/features/cache_amazon_s3.mdx‎
Lines changed: 72 additions & 0 deletions b/‎docs/features/cache_amazon_s3.mdx‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎docs/features/cache_azure_blob_storage.mdx‎
Lines changed: 60 additions & 0 deletions b/‎docs/features/cache_azure_blob_storage.mdx‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎docs/features/cache_google_cloud_storage.mdx‎
Lines changed: 33 additions & 0 deletions b/‎docs/features/cache_google_cloud_storage.mdx‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎docs/features/cache_local_filesystem.mdx‎
Lines changed: 29 additions & 0 deletions b/‎docs/features/cache_local_filesystem.mdx‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎docs/features/cache_openstack_swift.mdx‎
Lines changed: 35 additions & 0 deletions b/‎docs/features/cache_openstack_swift.mdx‎
Lines changed: 35 additions & 0 deletions
@@ -50,6 +50,7 @@ echo $(xxd -g 2 -l 64 -p /dev/random | tr -d '\n')
 * [`IMGPROXY_USE_ETAG`]: when set to `true`, enables using the [ETag](https://en.wikipedia.org/wiki/HTTP_ETag) HTTP header for HTTP cache control. Default: `false`
 * [`IMGPROXY_ETAG_BUSTER`]: change this to change ETags for all the images. Default: blank
 * [`IMGPROXY_USE_LAST_MODIFIED`]: when set to `true`, enables using the [Last-Modified](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Last-Modified) HTTP header for HTTP cache control. Default: `false`
+* [`IMGPROXY_LAST_MODIFIED_BUSTER`]: a Unix timestamp used to globally invalidate `Last-Modified`-based caches. imgproxy compares it with incoming `If-Modified-Since` and outgoing `Last-Modified` values to force stale caches to refetch when needed. Default: `0`
 * [`IMGPROXY_CUSTOM_REQUEST_HEADERS`]: ((pro)) list of custom headers that imgproxy will send while requesting the source image, divided by `\;` (can be redefined by `IMGPROXY_CUSTOM_HEADERS_SEPARATOR`). Example: `X-MyHeader1=Lorem\;X-MyHeader2=Ipsum`
 * [`IMGPROXY_CUSTOM_RESPONSE_HEADERS`]: ((pro)) a list of custom response headers, separated by `\;` (can be redefined by `IMGPROXY_CUSTOM_HEADERS_SEPARATOR`). Example: `X-MyHeader1=Lorem\;X-MyHeader2=Ipsum`
 * [`IMGPROXY_CUSTOM_HEADERS_SEPARATOR`]: ((pro)) a string that will be used as a custom header separator. Default: `\;`
@@ -445,9 +446,9 @@ Read the [Object Classification guide](../features/object_classification.mdx) fo
 
 imgproxy can cache processed images in various storage backends to improve performance and reduce processing overhead.
 
-* [`IMGPROXY_CACHE_USE`]: ((pro)) the cache storage adapter to use. Can be `filesystem`, `s3`, `gcs`, `abs` (Azure Blob Storage), or `swift`. When blank, the cache is disabled. Default: blank
+* [`IMGPROXY_CACHE_USE`]: ((pro)) the cache storage adapter to use. Can be `filesystem`, `s3`, `gcs`, `abs` (Azure Blob Storage), or `swift` (OpenStack Swift). When blank, the cache is disabled. Default: blank
 * [`IMGPROXY_CACHE_PATH_PREFIX`]: ((pro)) a path prefix for the cache files. This can be useful to organize cache files in a specific directory structure. Default: blank
-* [`IMGPROXY_CACHE_BUCKET`]: ((pro)) the bucket name for cloud storage adapters (S3, GCS, ABS, Swift). When using filesystem adapter, this can be used as an additional path component. Default: blank
+* [`IMGPROXY_CACHE_BUCKET`]: ((pro)) the bucket name for cloud storage adapters (S3, GCS, ABS, OpenStack Swift). When using filesystem adapter, this can be used as an additional path component. Default: blank
 * [`IMGPROXY_CACHE_KEY_HEADERS`]: ((pro)) a comma-separated list of HTTP request headers to include in the cache key. This allows caching different versions of the same image based on request headers. Default: blank
 * [`IMGPROXY_CACHE_KEY_COOKIES`]: ((pro)) a comma-separated list of HTTP request cookies to include in the cache key. This allows caching different versions of the same image based on cookies. Default: blank
 * [`IMGPROXY_CACHE_REPORT_ERRORS`]: ((pro)) when `true`, imgproxy will report cache errors instead of silently falling back to processing without cache. Default: `false`
@@ -505,7 +506,7 @@ imgproxy can store cached images in OpenStack Object Storage (Swift). To use Swi
 * [`IMGPROXY_CACHE_SWIFT_TIMEOUT_SECONDS`]: ((pro)) the data channel timeout in seconds for cache operations. Default: 60
 * [`IMGPROXY_CACHE_SWIFT_CONNECT_TIMEOUT_SECONDS`]: ((pro)) the connect channel timeout in seconds for cache operations. Default: 10
 
-Read the [Cache guide](../features/cache.mdx) for more info.
+Read the [Internal cache guide](../features/internal_cache.mdx) for more info.
 
 ## Fallback image
 
 
@@ -0,0 +1,72 @@
+---
+description: Learn about how to configure Amazon S3 cache in imgproxy
+---
+
+# Cache storage: Amazon S3
+
+imgproxy can store cached images in Amazon S3 buckets or S3-compatible storage. To use S3 cache, do the following:
+
+1. Set `IMGPROXY_CACHE_USE` environment variable to `s3`.
+2. [Set up the necessary credentials](#set-up-credentials) to grant access to your cache bucket.
+3. _(optional)_ Specify the AWS region with `IMGPROXY_CACHE_S3_REGION`. Default: `us-west-1`
+4. _(optional)_ Specify the cache bucket name with `IMGPROXY_CACHE_BUCKET`.
+5. _(optional)_ Specify the S3 endpoint with `IMGPROXY_CACHE_S3_ENDPOINT`. You can also set `IMGPROXY_CACHE_S3_ENDPOINT_USE_PATH_STYLE=false` to use the virtual host style for the endpoint.
+6. _(optional)_ Specify the AWS IAM Role to Assume with `IMGPROXY_CACHE_S3_ASSUME_ROLE_ARN`.
+7. _(optional)_ Specify the External ID that needs to be passed in along with the AWS IAM Role to Assume with `IMGPROXY_CACHE_S3_ASSUME_ROLE_EXTERNAL_ID`. This will have no effect if the assume role ARN is not specified.
+
+### Configuration
+
+* `IMGPROXY_CACHE_USE`: set to `s3` to enable S3 cache.
+* `IMGPROXY_CACHE_BUCKET`: the S3 bucket name for cache storage. Default: blank
+* `IMGPROXY_CACHE_S3_REGION`: the S3 region for the cache bucket. Default: blank
+* `IMGPROXY_CACHE_S3_ENDPOINT`: a custom S3 endpoint for the cache. Useful for S3-compatible services like MinIO, Cloudflare R2, DigitalOcean Spaces, etc. Default: blank
+* `IMGPROXY_CACHE_S3_ENDPOINT_USE_PATH_STYLE`: controls how the S3 bucket endpoint is constructed. When `true`, the endpoint will be constructed using the path style (`https://your-endpoint.com/%bucket`). When `false`, the endpoint will be constructed using the virtual host style (`https://%bucket.your-endpoint.com`). Default: `true`
+* `IMGPROXY_CACHE_S3_ASSUME_ROLE_ARN`: the ARN of an IAM role to assume for cache access. Default: blank
+* `IMGPROXY_CACHE_S3_ASSUME_ROLE_EXTERNAL_ID`: the external ID required to assume the IAM role for cache access. Default: blank
+* `IMGPROXY_CACHE_PATH_PREFIX`: a path prefix for the cache files. Default: blank
+* `IMGPROXY_CACHE_KEY_HEADERS`: a comma-separated list of HTTP request headers to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_KEY_COOKIES`: a comma-separated list of HTTP request cookies to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_REPORT_ERRORS`: when `true`, imgproxy will report cache errors instead of silently falling back to processing without cache. Default: `false`
+
+### Set up credentials
+
+There are three ways to specify your AWS credentials. The credentials need to have read/write rights for the cache bucket:
+
+#### IAM Roles
+
+If you're running imgproxy on an Amazon Web Services platform, you can use IAM roles to get the security credentials to make calls to AWS S3.
+
+* **Elastic Container Service (ECS):** Assign an [IAM role to a task](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html).
+* **Elastic Kubernetes Service (EKS):** Assign a [service account to a pod](https://docs.aws.amazon.com/eks/latest/userguide/pod-configuration.html).
+* **Elastic Beanstalk:** Assign an [IAM role to an instance](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/iam-instanceprofile.html).
+
+#### Environment variables
+
+You can specify an AWS Access Key ID and a Secret Access Key by setting the standard `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
+
+```bash
+AWS_ACCESS_KEY_ID=my_access_key AWS_SECRET_ACCESS_KEY=my_secret_key imgproxy
+
+# same for Docker
+docker run -e AWS_ACCESS_KEY_ID=my_access_key -e AWS_SECRET_ACCESS_KEY=my_secret_key -it ghcr.io/imgproxy/imgproxy
+```
+
+#### Shared credentials file
+
+Alternatively, you can create the `.aws/credentials` file in your home directory with the following content:
+
+```ini
+[default]
+aws_access_key_id = %access_key_id
+aws_secret_access_key = %secret_access_key
+```
+
+#### Cross-Account Access
+
+Cache S3 access credentials may be acquired by assuming a role using STS. To do so specify the IAM Role arn with the `IMGPROXY_CACHE_S3_ASSUME_ROLE_ARN` environment variable. Additionally, if you require an external ID to be passed when assuming a role, specify the `IMGPROXY_CACHE_S3_ASSUME_ROLE_EXTERNAL_ID` environment variable. This approach still requires you to provide initial AWS credentials by using one of the ways described above. The provided credentials role should allow assuming the role with provided ARN.
+
+### Choosing the AWS region
+
+The AWS region specified with the `IMGPROXY_CACHE_S3_REGION` environment variable determines the S3 endpoint used by imgproxy for the initial request to the bucket. If AWS reports that the bucket is in a different region, imgproxy will remember this, retry the request, and use the new region for all subsequent requests for this bucket.
+
+This allows imgproxy to access buckets in any region. However, the initial request to the bucket in a different region than the one specified in the environment variable may add some latency.
@@ -0,0 +1,60 @@
+---
+description: Learn about how to configure Azure Blob Storage cache in imgproxy
+---
+
+# Cache storage: Azure Blob Storage
+
+imgproxy can store cached images in Azure Blob Storage containers. To use Azure cache, do the following:
+
+1. Set `IMGPROXY_CACHE_USE` environment variable to `abs`.
+2. Set `IMGPROXY_CACHE_ABS_NAME` to your Azure account name.
+3. [Set up the necessary credentials](#set-up-credentials).
+4. _(optional)_ Specify the cache container name with `IMGPROXY_CACHE_BUCKET`.
+5. _(optional)_ Specify the Azure Blob Storage endpoint with `IMGPROXY_CACHE_ABS_ENDPOINT`.
+
+### Configuration
+
+* `IMGPROXY_CACHE_USE`: set to `abs` to enable Azure Blob Storage cache.
+* `IMGPROXY_CACHE_ABS_NAME`: the Azure account name for cache storage. Default: blank
+* `IMGPROXY_CACHE_BUCKET`: the Azure container name for cache storage. Default: blank
+* `IMGPROXY_CACHE_ABS_KEY`: the Azure account key for cache storage. Default: blank
+* `IMGPROXY_CACHE_ABS_ENDPOINT`: a custom Azure Blob Storage endpoint for cache. Default: blank
+* `IMGPROXY_CACHE_PATH_PREFIX`: a path prefix for the cache files. Default: blank
+* `IMGPROXY_CACHE_KEY_HEADERS`: a comma-separated list of HTTP request headers to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_KEY_COOKIES`: a comma-separated list of HTTP request cookies to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_REPORT_ERRORS`: when `true`, imgproxy will report cache errors instead of silently falling back to processing without cache. Default: `false`
+
+### Set up credentials
+
+#### Leverage Azure Managed Identity or Service Principal
+
+Microsoft encourages the use of a Managed Identity or Service Principal when accessing resources on an Azure Storage Account.
+Both of these authentication pathways are supported out of the box.
+
+##### Managed Identity
+
+There is no additional configuration required so long as the resource that imgproxy is running on has a Managed Identity assigned to it.
+
+##### Service Principal
+
+Please, refer to the [following documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) on the creation of a service principal before proceeding.
+
+Once that step is completed, the following environment variables must be configured depending on which option was chosen.
+
+For secret authentication:
+
+* `AZURE_CLIENT_ID`: the client ID for your application registration
+* `AZURE_TENANT_ID`: the tenant ID for your application registration
+* `AZURE_CLIENT_SECRET`: the client secret for your application registration
+
+For certificate authentication:
+
+* `AZURE_CLIENT_ID`: the client ID for your application registration
+* `AZURE_TENANT_ID`: the tenant ID for your application registration
+* `AZURE_CLIENT_CERTIFICATE_PATH`: the path to a PFX or PEM-encoded certificate including private key
+* `AZURE_CLIENT_CERTIFICATE_PASSWORD`: _(optional)_ the password protecting the certificate file (PFX (PKCS12))
+* `AZURE_CLIENT_CERTIFICATE_CHAIN`: _(optional)_ send certificate chain in x5c header to support subject name / issuer-based authentication
+
+#### Using Storage Account Key
+
+Alternatively, you can set `IMGPROXY_CACHE_ABS_KEY` to your Azure Blob Storage account key. See the [Manage storage account access keys](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage) guide for more info.
@@ -0,0 +1,33 @@
+---
+description: Learn about how to configure Google Cloud Storage cache in imgproxy
+---
+
+# Cache storage: Google Cloud Storage
+
+imgproxy can store cached images in Google Cloud Storage buckets. To use GCS cache, do the following:
+
+1. Set `IMGPROXY_CACHE_USE` environment variable to `gcs`.
+2. [Set up credentials](#setup-credentials) to grant access to your cache bucket.
+3. _(optional)_ Specify the cache bucket name with `IMGPROXY_CACHE_BUCKET`.
+4. _(optional)_ Specify the Google Cloud Storage endpoint with `IMGPROXY_CACHE_GCS_ENDPOINT`.
+
+### Configuration
+
+* `IMGPROXY_CACHE_USE`: set to `gcs` to enable Google Cloud Storage cache.
+* `IMGPROXY_CACHE_BUCKET`: the GCS bucket name for cache storage. Default: blank
+* `IMGPROXY_CACHE_GCS_KEY`: the Google Cloud JSON key for cache access. When running inside Google Cloud infrastructure, imgproxy will try to use the default service account credentials if this is not set. Default: blank
+* `IMGPROXY_CACHE_GCS_ENDPOINT`: a custom Google Cloud Storage endpoint for cache. Default: blank
+* `IMGPROXY_CACHE_PATH_PREFIX`: a path prefix for the cache files. Default: blank
+* `IMGPROXY_CACHE_KEY_HEADERS`: a comma-separated list of HTTP request headers to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_KEY_COOKIES`: a comma-separated list of HTTP request cookies to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_REPORT_ERRORS`: when `true`, imgproxy will report cache errors instead of silently falling back to processing without cache. Default: `false`
+
+### Setup credentials
+
+If you run imgproxy inside Google Cloud infrastructure (Compute Engine, Kubernetes Engine, App Engine, and Cloud Functions, etc), and you have granted access to your cache bucket to the service account, you probably don't need to do anything here. imgproxy will try to use the credentials provided by Google.
+
+Otherwise, set `IMGPROXY_CACHE_GCS_KEY` environment variable to the content of Google Cloud JSON key. Get more info about JSON keys: [https://cloud.google.com/iam/docs/creating-managing-service-account-keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys).
+
+:::warning
+For security reasons, imgproxy accepts only service account keys for Google Cloud Storage cache integration.
+:::
@@ -0,0 +1,29 @@
+---
+description: Learn about how to configure local filesystem cache in imgproxy
+---
+
+# Cache storage: Local filesystem
+
+imgproxy can store cached images on the local filesystem. To use filesystem cache, do the following:
+
+1. Set `IMGPROXY_CACHE_USE` environment variable to `filesystem`.
+2. Set `IMGPROXY_CACHE_LOCAL_FILESYSTEM_ROOT` to your cache directory path.
+3. _(optional)_ Specify a path prefix for cache files with `IMGPROXY_CACHE_PATH_PREFIX`.
+
+### Configuration
+
+* `IMGPROXY_CACHE_USE`: set to `filesystem` to enable local filesystem cache.
+* `IMGPROXY_CACHE_LOCAL_FILESYSTEM_ROOT`: the root directory for filesystem cache. Default: blank
+* `IMGPROXY_CACHE_PATH_PREFIX`: a path prefix for the cache files. This can be useful to organize cache files in a specific directory structure. Default: blank
+* `IMGPROXY_CACHE_BUCKET`: when using filesystem adapter, this can be used as an additional path component. Default: blank
+* `IMGPROXY_CACHE_KEY_HEADERS`: a comma-separated list of HTTP request headers to include in the cache key. This allows caching different versions of the same image based on request headers. Default: blank
+* `IMGPROXY_CACHE_KEY_COOKIES`: a comma-separated list of HTTP request cookies to include in the cache key. This allows caching different versions of the same image based on cookies. Default: blank
+* `IMGPROXY_CACHE_REPORT_ERRORS`: when `true`, imgproxy will report cache errors instead of silently falling back to processing without cache. Default: `false`
+
+### Example
+
+Assume you want to cache processed images in `/var/cache/imgproxy`. Run imgproxy with `IMGPROXY_CACHE_LOCAL_FILESYSTEM_ROOT` set to your cache directory:
+
+```bash
+IMGPROXY_CACHE_USE=filesystem IMGPROXY_CACHE_LOCAL_FILESYSTEM_ROOT=/var/cache/imgproxy imgproxy
+```
@@ -0,0 +1,35 @@
+---
+description: Learn about how to configure OpenStack Object Storage cache in imgproxy
+---
+
+# Cache storage: OpenStack Object Storage ("Swift")
+
+imgproxy can store cached images in OpenStack Object Storage, also known as Swift. To use Swift cache, do the following:
+
+1. Set `IMGPROXY_CACHE_USE` environment variable to `swift`.
+2. Configure Swift authentication with the following environment variables:
+   * `IMGPROXY_CACHE_SWIFT_USERNAME`: the username for Swift API access for cache. Default: blank
+   * `IMGPROXY_CACHE_SWIFT_API_KEY`: the API key for Swift API access for cache. Default: blank
+   * `IMGPROXY_CACHE_SWIFT_AUTH_URL`: the Swift Auth URL for cache. Default: blank
+   * `IMGPROXY_CACHE_SWIFT_AUTH_VERSION`: the Swift auth version for cache, set to 1, 2 or 3 or leave at 0 for autodetect. Default: 0
+   * `IMGPROXY_CACHE_SWIFT_TENANT`: the tenant name for cache (optional, v2 auth only). Default: blank
+   * `IMGPROXY_CACHE_SWIFT_DOMAIN`: the Swift domain name for cache (optional, v3 auth only). Default: blank
+
+3. _(optional)_ Specify the cache container name with `IMGPROXY_CACHE_BUCKET`.
+
+### Configuration
+
+* `IMGPROXY_CACHE_USE`: set to `swift` to enable Swift cache.
+* `IMGPROXY_CACHE_BUCKET`: the Swift container name for cache storage. Default: blank
+* `IMGPROXY_CACHE_SWIFT_USERNAME`: the username for Swift API access for cache. Default: blank
+* `IMGPROXY_CACHE_SWIFT_API_KEY`: the API key for Swift API access for cache. Default: blank
+* `IMGPROXY_CACHE_SWIFT_AUTH_URL`: the Swift Auth URL for cache. Default: blank
+* `IMGPROXY_CACHE_SWIFT_AUTH_VERSION`: the Swift auth version for cache. Set to 1, 2 or 3 or leave at 0 for autodetect. Default: 0
+* `IMGPROXY_CACHE_SWIFT_TENANT`: the tenant name for cache (optional, v2 auth only). Default: blank
+* `IMGPROXY_CACHE_SWIFT_DOMAIN`: the Swift domain name for cache (optional, v3 auth only). Default: blank
+* `IMGPROXY_CACHE_SWIFT_TIMEOUT_SECONDS`: the data channel timeout in seconds for cache operations. Default: 60
+* `IMGPROXY_CACHE_SWIFT_CONNECT_TIMEOUT_SECONDS`: the connect channel timeout in seconds for cache operations. Default: 10
+* `IMGPROXY_CACHE_PATH_PREFIX`: a path prefix for the cache files. Default: blank
+* `IMGPROXY_CACHE_KEY_HEADERS`: a comma-separated list of HTTP request headers to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_KEY_COOKIES`: a comma-separated list of HTTP request cookies to include in the cache key. Default: blank
+* `IMGPROXY_CACHE_REPORT_ERRORS`: when `true`, imgproxy will report cache errors instead of silently falling back to processing without cache. Default: `false`