Question

I have a bunch of markdown documents in Riak, which I'm exposing via a small Sinatra API with basic search functionality etc.

Each document has an associated image, also stored in Riak (in a different bucket). I'd like to have a client app display the documents alongside their associated images - so I need some way to make the images available, but as I'm only ever going to be requesting them by key it seems wasteful to serve them via a Sinatra app as I'm doing with the documents.

However I'm uneasy with serving them directly from Riak, because a) even using nginx to limit the acceptable requests, I worry about exposing more functionality than we want to and b) Riak throws a 403 for any request where the referrer is set, so by default using a direct-to-Riak url as the src of an img tag doesn't work.

So my question is - what's a good approach to take for serving the images? Add another endpoint to the Sinatra app? Direct from Riak using some Nginx wizardry that is currently beyond me? Or some other approach I haven't considered yet? This would ideally use Ruby as that's what the team I'm working with are more comfortable with.

Not sure if this question might be better suited to Server Fault - if so I'll move it over.


Solution

You're right to be concerned about exposing Riak to any direct connectivity. Until 2.0 arrives early next year, there is no security in the system (although the 403 for requests with a referrer is a security mechanism to protect against XSS), and even with security exposing any database directly to the Internet invites disaster.

I've not done anything with nginx, but all you'd really need to use it properly, I'd think, would be two features:

  • Ability to restrict requests to GET
  • Ability to restrict (or rewrite) requests to the proper bucket
  • Ability to strip out all HTTP headers that Riak includes in its result (which, since nginx is a proxy server and not a straight load balancer, seems like it should be straightforward)

Assuming that your images are the only content in that bucket, nginx feels like a reasonable choice here.
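For the Ruby route the question also asks about, here is an added example (not code from the question or the answer) of a minimal Rack-style endpoint that applies the same three restrictions the answer lists: GET only, one fixed bucket, and Riak's own response headers stripped. It assumes Riak's HTTP interface on 127.0.0.1:8098, a bucket named `images`, and the `/riak/<bucket>/<key>` path; the fetcher is injectable so the policy can be exercised without a running Riak.

```ruby
require "net/http"
require "uri"

# Assumed deployment values (placeholders, not from the original post).
RIAK_BASE    = URI("http://127.0.0.1:8098")
IMAGE_BUCKET = "images"
# Keys are looked up only by this restricted shape; anything else is a 404.
KEY_PATTERN  = /\A[A-Za-z0-9_-]{1,64}\z/
# Only these upstream headers reach the client; X-Riak-Vclock, Link, etc. are dropped.
PASSTHROUGH_HEADERS = %w[content-type content-length etag last-modified]

# Fetch one object from the image bucket. The client's Referer is deliberately
# not forwarded, since Riak answers 403 to any request that carries one.
def fetch_from_riak(key, http = Net::HTTP)
  path = "/riak/#{IMAGE_BUCKET}/#{URI.encode_www_form_component(key)}"
  res = http.start(RIAK_BASE.host, RIAK_BASE.port) { |h| h.request(Net::HTTP::Get.new(path)) }
  [res.code.to_i, res.each_header.to_h, res.body]
end

class ImageProxy
  # fetcher: callable taking a key and returning [status, headers, body].
  def initialize(fetcher = method(:fetch_from_riak))
    @fetch = fetcher
  end

  def call(env)
    return [405, { "Allow" => "GET" }, ["Method Not Allowed"]] unless env["REQUEST_METHOD"] == "GET"
    m = %r{\A/images/([^/]+)\z}.match(env["PATH_INFO"].to_s)
    return not_found unless m && KEY_PATTERN.match?(m[1])

    status, headers, body = @fetch.call(m[1])
    # Any upstream error collapses to a plain 404 so Riak's error bodies never leak.
    return not_found unless status == 200
    safe = headers.select { |k, _| PASSTHROUGH_HEADERS.include?(k.downcase) }
    # The bucket is expected to hold images only; refuse to relay anything else.
    return not_found unless safe.any? { |k, v| k.downcase == "content-type" && v.start_with?("image/") }
    [200, safe, [body]]
  end

  private

  def not_found
    [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
  end
end
```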

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow