Recent change: open proxy deprecation

As part of our ethos to build a better web, our team always strives to do what’s best for both our service and others. Therefore, Netlify have recently deprecated the ability to create open proxies.

What is an open proxy, I hear you ask, and what’s (possibly) so bad about them? Well, rather than reinvent the wheel, here’s the Wikipedia definition!

Who is impacted?

Odds are, you are not impacted. We identified only a few dozen customers who had configured an open proxy, whether intentionally or by accident. All customers with an open proxy configured, and a custom domain, have already been contacted directly.

To clarify, this blog post details how an open proxy at Netlify looks, and this is the behaviour which will be deprecated: Setup a CORS Proxy With Netlify - Jim Nielsen’s Blog

An open proxy redirect rule allows for a URL to be passed through as part of a path, such as:

/proxy/* :splat 200

How to mitigate

Proxying to external services, like this – using a rule such as /proxy/* https://api.example.com/:splat 200 – is still permitted and this behaviour is not impacted.

As always, if you have questions, please do reach out :point_down: in the comments!


:wave: author of the post specifically called out above.

I noticed that this functionality all of the sudden stopped working and was wondering why.

I never heard from anyone at Netlify about this. Was there any kind of communication suggesting a better workarounds to this?

Hi there, @jimniels :wave:

Thanks so much for reaching out. My apologies for the suboptimal experience here. Our team sent our communication with the above information to customers who were impacted via email, but it appears as though we did not send one to you. My apologies for the oversight; I have shared this feedback with my team.

If you have any further questions at this time, I would be happy to answer them or loop in someone else who can.

@hillary Mostly I was wondering if the “communication” that was sent was merely a deprecation notice? Or did it have additional information as to suggested workaround(s) for the deprecation?

If it had suggested workarounds, I’d love to hear them if you could find and forward me that comm? Otherwise, at least I know about the deprecation now and will have to try and figure out something on my own.

Hi @jimniels,

This was the workaround shared in one of the communications we had:


Thanks for sharing.

FWIW: my use case is a bit more sophisticated, because I want the serverless function to basically proxy back anything requested: text, images, etc.

The previous solution using Netlify’s rewrite/redirects engine handled this very elegantly:

/proxy/* :splat 200 would proxy a request for anything right back to me. I could ask for anything—PNG, JSON, HTML—and it was almost like I was querying the resource itself.

But using a serverless function requires me to have to think about this all a bit more and be more explicit. At least that’s what I’m finding.

For anyone coming across this thread, this is (in essence) the hacked together method I’m trying now:

const fetch = require("node-fetch"); // res.buffer() below is node-fetch API (native fetch has arrayBuffer() instead)

exports.handler = async function (event, context) {
  // Get the `url` from the `event` (read from a query parameter here; the original snippet left this step out)
  const url = event.queryStringParameters && event.queryStringParameters.url;
  if (!url) {
    return { statusCode: 400, body: "missing url" };
  }

  return fetch(url).then((res) => {
    // If content is "image/*" return the image
    const contentType = res.headers.get("content-type") || "";
    if (contentType.startsWith("image")) {
      return res.buffer().then((img) => ({
        statusCode: 200,
        body: img.toString("base64"),
        isBase64Encoded: true,
        headers: {
          "Content-type": contentType,
        },
      }));
    }

    // Otherwise guess that you want text
    return res.text().then((body) => ({
      statusCode: 200,
      body,
    }));
  });
};

Which is exactly why it was discontinued as it could have been easily abused by anyone to bypass CORS restrictions set by a server. It’s probably still possible, but we wanted to avoid letting anyone do it using our systems as it’s our systems that would take the impact.

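The function posted above forwards any URL it is handed, which is the open-proxy behaviour the thread says was withdrawn. The following is an added example, not code from the thread or from Netlify, of the same handler restricted to an explicit allowlist of upstream hosts; it assumes Node 18+ (global `fetch` and `Buffer`), a `url` query parameter, and the constructed host list shown.

```javascript
// Constructed sample allowlist: only these upstream hosts may be proxied.
const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]);

// Returns a URL object when `rawUrl` is an absolute https URL whose hostname is
// allowlisted, otherwise null. Parsing with the URL class (rather than checking a
// string prefix) means the comparison is made on the actual hostname.
function resolveUpstream(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl));
  } catch {
    return null; // relative path, missing scheme or otherwise malformed
  }
  if (parsed.protocol !== "https:") return null;
  if (parsed.username || parsed.password) return null; // no userinfo in proxied targets
  if (!allowedHosts.has(parsed.hostname)) return null;
  return parsed;
}

// Netlify-style handler (assumed shape: `event.queryStringParameters.url`).
// Refuses targets outside the allowlist, does not follow upstream redirects
// (which could otherwise point at a host that was never allowlisted), and returns
// the body base64-encoded so binary and text responses are handled the same way.
async function handler(event) {
  const target = resolveUpstream((event.queryStringParameters || {}).url);
  if (!target) {
    return { statusCode: 400, body: "target host not allowed" };
  }
  const res = await fetch(target, { method: "GET", redirect: "manual" });
  if (res.status >= 300 && res.status < 400) {
    return { statusCode: 502, body: "upstream redirect refused" };
  }
  const contentType = res.headers.get("content-type") || "application/octet-stream";
  const buf = Buffer.from(await res.arrayBuffer());
  return {
    statusCode: res.status,
    headers: { "Content-Type": contentType },
    body: buf.toString("base64"),
    isBase64Encoded: true,
  };
}

if (typeof module !== "undefined") {
  module.exports = { handler, resolveUpstream, ALLOWED_HOSTS };
}
```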

Makes perfect sense. The power of the thing was also its weakness :slight_smile:

Thanks for the context—and I’m glad I found this thread and got to the root of the problem I was seeing. Thanks!