
Mask URLs:

This plugin adds the ability to mask or hide the actual file location of your pictures. Normally the delivered HTML contains <img> tags that can be read to find your photo locations and directory structure. As the photos are delivered via <img> tags, HTTP access must be provided to the album folder (and subfolders). This gives curious (or malicious) users an easy opportunity to find your pictures and download them. But what if the delivered HTML looked like this:
  <img src="index.php?file=maskurl/displayimage&photokey=8dOgllfG1PqJQwj0%2BNuSOMuDNKC%2B14ABd6Rfn7nhZNXVaB9bn0V1IOUTZ%2FGw" ...>
Since the path to the albums directory is configurable (it doesn't have to be 'albums/') and you can have any subfolder structure you want, the task of locating your picture files is made harder... to near impossible (based on your choices configuring the plugin).

Options to 'mask' or 'encrypt' the path to photos are offered. These options produce similar-looking URLs, but the algorithms behind them give quite different protection. The masking can be decoded by anyone who can read and understand the PHP being used (access to this plugin's source). The encryption relies on encryption keys and initialization vectors, so reversing it would require access to specific fields in your Coppermine database in addition to the PHP code. The encryption option will use more CPU resources, but provides better protection.
The choice is of course yours...
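
An added example (not the plugin's own code) of the encrypted photokey round trip described above. Because mcrypt was removed from PHP in 7.2, it uses the openssl extension with AES-128 in CFB mode, adds an HMAC so an altered token is rejected, and confines the decrypted path to the albums directory. The function names, the token layout and the key handling are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. $secret stands in for the key the
// plugin stores in the Coppermine config table; all names are hypothetical.

function derive_keys(string $secret): array
{
    // Separate keys for encryption (16 bytes, AES-128) and authentication.
    return [substr(hash_hmac('sha256', 'enc', $secret, true), 0, 16),
            hash_hmac('sha256', 'mac', $secret, true)];
}

function photokey_encode(string $relPath, string $secret): string
{
    [$encKey, $macKey] = derive_keys($secret);
    $iv  = random_bytes(16);                         // fresh IV for every URL
    $ct  = openssl_encrypt($relPath, 'aes-128-cfb', $encKey, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $macKey, true);   // encrypt-then-MAC
    return rawurlencode(base64_encode($iv . $mac . $ct));
}

// Returns the absolute file path, or null if the token is forged or escapes $albumsDir.
function photokey_decode(string $token, string $secret, string $albumsDir): ?string
{
    $raw = base64_decode($token, true);              // $_GET values arrive URL-decoded
    if ($raw === false || strlen($raw) < 49) return null;   // IV 16 + MAC 32 + data
    [$iv, $mac, $ct] = [substr($raw, 0, 16), substr($raw, 16, 32), substr($raw, 48)];
    [$encKey, $macKey] = derive_keys($secret);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) return null;
    $rel  = openssl_decrypt($ct, 'aes-128-cfb', $encKey, OPENSSL_RAW_DATA, $iv);
    $base = realpath($albumsDir);
    $full = ($rel === false) ? false : realpath($albumsDir . '/' . $rel);
    if ($base === false || $full === false) return null;
    // Serve only files that resolve inside the albums directory.
    return strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0 ? $full : null;
}

// Constructed demo data: a throwaway albums tree and a random secret.
$albums = sys_get_temp_dir() . '/albums_' . bin2hex(random_bytes(4));
mkdir($albums . '/userpics/10001', 0700, true);
file_put_contents($albums . '/userpics/10001/cat.jpg', 'constructed sample');
$secret = random_bytes(32);

$token = photokey_encode('userpics/10001/cat.jpg', $secret);
echo "index.php?file=maskurl/displayimage&photokey=$token\n";
// A valid token resolves to the file; a tampered token and a '../' path do not.
var_dump(photokey_decode(rawurldecode($token), $secret, $albums) !== null);
$bad = base64_decode(rawurldecode($token));
$bad[strlen($bad) - 1] = chr(ord($bad[strlen($bad) - 1]) ^ 1);   // flip one ciphertext bit
var_dump(photokey_decode(base64_encode($bad), $secret, $albums));
var_dump(photokey_decode(rawurldecode(photokey_encode('../x', $secret)), $secret, $albums));
```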

An additional benefit of masking/encrypting is that HTTP access to the albums directory is no longer required. All CPG functions generating the picture URL drive this plugin, and all will be changed. As a result, a .htaccess file can be placed in the albums directory denying all access, providing additional protection for your photos. A sample .htaccess file is included in the plugin directory, named .htaccess.txt; it needs to be copied to the albums directory and renamed .htaccess if you wish to use it.
NOTE: If you disable this plugin and have the .htaccess file in place, you will be unable to view photos in your gallery!!

All filetypes permitted by CPG are supported (based on the contents of cpg15x_filetypes table). Proper additions to that table will be automatically recognized by the plugin and supported. The 'mime' type must be correctly specified in that table!

 

Installation:

Unzip the distribution files and upload the contents (including folder maskurl) to your plugins directory. In admin mode, select Plugin Manager, and click install next to this plugin.

 

Uninstall:

Select Plugin Manager, and click uninstall next to this plugin.
The normal plugin manager confirmation will be displayed - Click 'OK' to uninstall.

 

Configuration:

Select configure on this plugin from Plugin Manager.
Select appropriate check boxes, based on preferences.

[Screenshot: config menu]

Setting Descriptions:

  • Mask Picture URL
    Select the desired option based on level of security desired.
    • Clear Text - normal CPG processing - URLs contain the photo location in clear text
    • Mask URL - Mathematical functions used to obscure the URL - more protection than clear text, but can be reversed by someone willing to take the time and read/understand the code.
    • Encrypt URL - Uses mcrypt_cbc functions to encrypt the URL - offers more protection with higher resource usage (remember a thumbnail page will call this many times!) A low traffic gallery should see no issue. Verify your resource usage before/after on high traffic volume galleries.
    • Encrypt URL with Dynamic IV - Same encryption as above, but on each page load generates a new Initialization Vector that gets sent as a cookie to the client. The cookie is retrieved by the plugin's displayimage.php to combine with the database stored encryption key to decrypt and locate the image.
      Note this can cause issues with other display methods - including for plugins like EnlargeIt. See "Use 'external' URL format" below. A low traffic gallery should see no issue. Verify your resource usage before/after on high traffic volume galleries.
  • Encryption Algorithm
    Encryption algorithms installed on your webserver environment are listed to choose from. The default is 'rijndael-128', more commonly known as AES-128. Changing the encryption algorithm will force a refresh of the encryption keys to ensure key and IV sizes are correct for the new selection.
    I have not tested all combinations of algorithms and modes - not all combinations may be valid or recommended. If unsure, leave the default values.
  • Encryption Mode
    Encryption modes installed on your webserver environment are listed to choose from. The default is 'cfb'. Changing the encryption algorithm will force a refresh of the encryption keys to ensure key and IV sizes are correct for the new selection.
  • Refresh Encryption Keys
    Encryption keys are generated when plugin is installed and stored in the config table. Checking this box will refresh the keys - generating a new set. As the encrypted URL strings are not saved - they are used within seconds (or less) of being generated - these keys can be regenerated any time you like with no impact...
  • Is Webserver Windows OS
    If a Windows OS, and PHP is older than 5.3, different parameters/functions are needed to initialize the encryption keys. Checking this box will allow proper initialization. The correct value should be pre-selected for you.
    If PHP is greater than or equal to 5.3, it is no longer necessary (support was added to Windows to match other environments).
  • Use 'external' URL format
    By default the plugin will use a URL format that drives Coppermine initialization. If using 'Encrypt URL with Dynamic IV', this can cause a problem for some plugins, like EnlargeIt: driving Coppermine will recreate the Initialization Vector (IV) saved in the client's cookie, and the plugin will no longer be able to decrypt the URLs previously generated and passed in by EnlargeIt.
    To address this, you can select an 'external' URL format, which performs its own initialization of only the minimum needed for the decryption. This functions properly with EnlargeIt, but is a more 'non-standard' approach.

 
Once submitted and validated, your settings will be saved, and the configuration screen redisplayed with results.
A sample URL will be displayed in normal format - and using your current options to show the difference.

As part of validation, the plugin will verify encryption functions are available, and the requested encryption algorithm and mode is installed. The plugin will install in any event, but selection of 'Encrypt URL' will not be available. Additional messages will indicate the error - and provide the requested algorithm and mode, and those available in your installation.
Select 'Refresh Encryption Keys' to re-drive initialization.

 

Execution:

Plugin will be invoked (assuming Plugin API is active) anytime a picture url is generated by CPG.
You can see the effect of this plugin at http://gallery.gmcdesign.com running with a variation of this plugin set to encrypt urls and the .htaccess protection in place.

 

Your comments are welcome.
I hope you find this useful.
Greg (gmc on the CPG forum)