Ubuntu
camo package

Merge lp:~ianchou821/ubuntu/utopic/camo/bug-1355443 into lp:ubuntu/utopic/camo

Utopic (14.10)
bug-1355443
Merge into utopic

Proposed by Yu-Cheng Chou on 2014-09-02

Status:

Work in progress

Proposed branch:

lp:~ianchou821/ubuntu/utopic/camo/bug-1355443

Merge into:

lp:ubuntu/utopic/camo

Diff against target:

1357 lines (+726/-243)

24 files modified

.gitignore (+1/-0)
.pc/0001-Don-t-use-bundle-in-the-test-suite.patch/Rakefile (+0/-31)
.pc/applied-patches (+0/-1)
.travis.yml (+12/-0)
LICENSE (+0/-20)
LICENSE.md (+20/-0)
README.md (+24/-9)
Rakefile (+4/-16)
app.json (+51/-0)
debian/changelog (+6/-0)
debian/patches/0001-Don-t-use-bundle-in-the-test-suite.patch (+13/-14)
debian/rules (+1/-1)
mime-types.json (+44/-0)
package.json (+2/-2)
server.coffee (+108/-105)
server.js (+312/-0)
test.gemfile (+1/-1)
test.gemfile.lock (+1/-7)
test/app_test.rb (+12/-0)
test/proxy_test.rb (+99/-25)
test/proxy_test_server.rb (+0/-11)
test/servers/crash_request.ru (+3/-0)
test/servers/ok.ru (+5/-0)
test/servers/redirect_without_location.ru (+7/-0)

To merge this branch:

bzr merge lp:~ianchou821/ubuntu/utopic/camo/bug-1355443

Wishlist

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu branches		2014-09-02	Pending
Review via email: mp+233033@code.launchpad.net

Description of the change

new upstream(2.1.0) release

lp:~ianchou821/ubuntu/utopic/camo/bug-1355443 updated on 2014-09-02

4. By Yu-Cheng Chou on 2014-09-02: update rules

Revision history for this message

Robie Basak (racb) wrote on 2014-09-25:

Thank you for your work.

I haven't reviewed this in detail, but have a few comments, mainly about process.

First, Utopic entered feature freeze on 21 August (see https://wiki.ubuntu.com/UtopicUnicorn/ReleaseSchedule) so updating camo in Utopic now needs to either wait until the next cycle or needs a feature freeze exception. See https://wiki.ubuntu.com/FeatureFreeze and https://wiki.ubuntu.com/FreezeExceptionProcess for details).

Second, please try and submit this update to Debian first - I've linked the Debian bug from the Launchpad bug - so that Ubuntu doesn't diverge from Debian needlessly. So if this is going to go in next cycle, there might well be enough time for Debian to upload the new version so that Ubuntu can just sync.

Final, minor point: if we did upload this to Ubuntu ahead of Debian, the version 2.1.0-1ubuntu1 would be incorrect. It must be 2.1.0-0ubuntu1 in that case so that we can later update to a future version published by Debian.

Unmerged revisions

4. By Yu-Cheng Chou on 2014-09-02: update rules
3. By Yu-Cheng Chou on 2014-09-02: New upstream release. (LP: #1355443)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Ubuntu branches

Yu-Cheng Chou

 === modified file '.gitignore'
 --- .gitignore	2013-11-26 13:45:34 +0000
 +++ .gitignore	2014-09-02 12:26:21 +0000
@@ -1,3 +1,4 @@
  node_modules
  tmp/camouflage.pid
  tmp/camo.pid
++.node-version
 === removed directory '.pc/0001-Don-t-use-bundle-in-the-test-suite.patch'
 === removed file '.pc/0001-Don-t-use-bundle-in-the-test-suite.patch/Rakefile'
 --- .pc/0001-Don-t-use-bundle-in-the-test-suite.patch/Rakefile	2013-11-26 13:45:34 +0000
 +++ .pc/0001-Don-t-use-bundle-in-the-test-suite.patch/Rakefile	1970-01-01 00:00:00 +0000
@@ -1,31 +0,0 @@
--file 'server.js' => 'server.coffee' do
--  sh "coffee -c -o . server.coffee"
--end
--task :build => 'server.js'
--
--task :bundle do
--  system("bundle install --gemfile test.gemfile")
--end
--
--namespace :test do
--  desc "Start test server"
--  task :server do |t|
--    $SERVER_PID = Process.spawn("ruby test/proxy_test_server.rb")
--  end
--
--  desc "Run the tests against localhost"
--  task :check do |t|
--    system("BUNDLE_GEMFILE=test.gemfile bundle exec ruby test/proxy_test.rb")
--  end
--
--  desc "Kill test server"
--  task :kill_server do |t|
--    Process.kill(:QUIT, $SERVER_PID) && Process.wait
--  end
--end
--
--task :default => [:build, :bundle, "test:server", "test:check", "test:kill_server"]
--
--Dir["tasks/*.rake"].each do |f|
--  load f
--end
 === removed file '.pc/applied-patches'
 --- .pc/applied-patches	2013-11-26 13:45:34 +0000
 +++ .pc/applied-patches	1970-01-01 00:00:00 +0000
@@ -1,1 +0,0 @@
--0001-Don-t-use-bundle-in-the-test-suite.patch
 === added file '.travis.yml'
 --- .travis.yml	1970-01-01 00:00:00 +0000
 +++ .travis.yml	2014-09-02 12:26:21 +0000
@@ -0,0 +1,12 @@
++language: ruby
++rvm:
++- 2.1.0
++gemfile: test.gemfile
++before_install:
++- npm install -g coffee-script
++- gem install rake
++before_script:
++- node --version
++- npm --version
++- coffee server.coffee &
++script: rake
 === removed file 'LICENSE'
 --- LICENSE	2013-11-26 13:45:34 +0000
 +++ LICENSE	1970-01-01 00:00:00 +0000
@@ -1,20 +0,0 @@
--Copyright (c) 2010 Corey Donohoe, Rick Olson
--
--Permission is hereby granted, free of charge, to any person obtaining
--a copy of this software and associated documentation files (the
--"Software"), to deal in the Software without restriction, including
--without limitation the rights to use, copy, modify, merge, publish,
--distribute, sublicense, and/or sell copies of the Software, and to
--permit persons to whom the Software is furnished to do so, subject to
--the following conditions:
--
--The above copyright notice and this permission notice shall be
--included in all copies or substantial portions of the Software.
--
--THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
--EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
--MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
--NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
--LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
--OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
--WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 === added file 'LICENSE.md'
 --- LICENSE.md	1970-01-01 00:00:00 +0000
 +++ LICENSE.md	2014-09-02 12:26:21 +0000
@@ -0,0 +1,20 @@
++Copyright (c) 2010-2014 Corey Donohoe, Rick Olson
++
++Permission is hereby granted, free of charge, to any person obtaining
++a copy of this software and associated documentation files (the
++"Software"), to deal in the Software without restriction, including
++without limitation the rights to use, copy, modify, merge, publish,
++distribute, sublicense, and/or sell copies of the Software, and to
++permit persons to whom the Software is furnished to do so, subject to
++the following conditions:
++
++The above copyright notice and this permission notice shall be
++included in all copies or substantial portions of the Software.
++
++THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
++EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
++MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
++NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
++LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
++OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
++WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 === modified file 'README.md'
 --- README.md	2013-11-26 13:45:34 +0000
 +++ README.md	2014-09-02 12:26:21 +0000
@@ -1,24 +1,26 @@
--![camo](http://farm5.static.flickr.com/4116/4857328881_fefb8e2134_z.jpg)
++# camo [![Build Status](https://travis-ci.org/atmos/camo.svg?branch=master)](https://travis-ci.org/atmos/camo)
  Camo is all about making insecure assets look secure.  This is an SSL image proxy to prevent mixed content warnings on secure pages served from [GitHub](https://github.com).
--We want to allow people to keep embedding images in comments/issues/READMEs/google charting.
++![camo](https://f.cloud.github.com/assets/38/2496172/f558bbb4-b312-11e3-88e9-646b77e47e6e.gif)
++
++We want to allow people to keep embedding images in comments/issues/READMEs.
  [There's more info on the GitHub blog](https://github.com/blog/743-sidejack-prevention-phase-3-ssl-proxied-assets).
  Using a shared key, proxy URLs are encrypted with [hmac](http://en.wikipedia.org/wiki/HMAC) so we can bust caches/ban/rate limit if needed.
--Camo currently runs on node version 0.10.13 at GitHub on [heroku](http://heroku.com).
++Camo currently runs on node version 0.10.26 at GitHub on [heroku](http://heroku.com).
++
++[![Launch on Heroku](https://www.herokucdn.com/deploy/button.png)](https://www.heroku.com/deploy/?template=https://github.com/atmos/camo)
  Features
  --------
--* Proxy google charts
--* Proxy images under 5 MB
--* Follow redirects to a configurable depth
--* Proxy remote images with a content-type of `image/*`
++* Max size for proxied images
++* Follow redirects to a certain depth
++* Restricts proxied images content-types to a whitelist
  * 404s for anything other than a 200, 301, 302, 303, 304 or 307 HTTP response
--* Disallows proxying to private IP ranges
  At GitHub we render markdown and replace all of the `src` attributes on the `img` tags with the appropriate URL to hit the proxies.  There's example code for creating URLs in [the tests](https://github.com/atmos/camo/blob/master/test/proxy_test.rb).
@@ -36,6 +38,19 @@
  In the second format, each byte of the `<image-url>` should be hex encoded such
  that the resulting value includes only characters `[0-9a-f]`.
++## Configuration
++
++Camo is configured through environment variables.
++
++* `PORT`: The port number Camo should listen on. (default: 8081)
++* `CAMO_HEADER_VIA`: The string for Camo to include in the `Via` and `User-Agent` headers it sends in requests to origin servers. (default: `Camo Asset Proxy <version>`)
++* `CAMO_KEY`: The shared key used to generate the HMAC digest.
++* `CAMO_LENGTH_LIMIT`: The maximum `Content-Length` Camo will proxy. (default: 5242880)
++* `CAMO_LOGGING_ENABLED`: The logging level used for reporting debug or error information. Options are `debug` and `disabled`. (default: `disabled`)
++* `CAMO_MAX_REDIRECTS`: The maximum number of redirects Camo will follow while fetching an image. (default: 4)
++* `CAMO_SOCKET_TIMEOUT`: The maximum number of seconds Camo will wait before giving up on fetching an image. (default: 10)
++* `CAMO_TIMING_ALLOW_ORIGIN`: The string for Camo to include in the [`Timing-Allow-Origin` header](http://www.w3.org/TR/resource-timing/#cross-origin-resources) it sends in responses to clients. The header is omitted if this environment variable is not set. (default: not set)
++
  ## Testing Functionality
  ### Bundle Everything
@@ -58,7 +73,7 @@
  ### Deployment
--You can see an example [god config](https://gist.github.com/675038) here.
++You should run this on heroku.
  To enable useful line numbers in stacktraces you probably want to compile the server.coffee file to native javascript when deploying.
 === modified file 'Rakefile'
 --- Rakefile	2013-11-26 13:45:34 +0000
 +++ Rakefile	2014-09-02 12:26:21 +0000
@@ -7,24 +7,12 @@
    system("bundle install --gemfile test.gemfile")
  end
--namespace :test do
--  desc "Start test server"
--  task :server do |t|
--    $SERVER_PID = Process.spawn("ruby test/proxy_test_server.rb")
--  end
--
--  desc "Run the tests against localhost"
--  task :check do |t|
--    system("ruby test/proxy_test.rb")
--  end
--
--  desc "Kill test server"
--  task :kill_server do |t|
--    Process.kill(:QUIT, $SERVER_PID) && Process.wait
--  end
++desc "Run the tests against localhost"
++task :test do
++  system("BUNDLE_GEMFILE=test.gemfile bundle exec ruby test/proxy_test.rb")
  end
--task :default => [:build, :bundle, "test:server", "test:check", "test:kill_server"]
++task :default => [:build, :bundle, :test]
  Dir["tasks/*.rake"].each do |f|
    load f
 === added file 'app.json'
 --- app.json	1970-01-01 00:00:00 +0000
 +++ app.json	2014-09-02 12:26:21 +0000
@@ -0,0 +1,51 @@
++{
++  "name": "camo",
++  "logo": "https://camo.githubusercontent.com/4d04abe0044d94fefcf9af21332239dbebf01ded/68747470733a2f2f662e636c6f75642e6769746875622e636f6d2f6173736574732f33382f323439363137322f66353538626262342d623331322d313165332d383865392d3634366237376534376536652e676966",
++  "description": "Camo is all about making insecure image assets look secure.",
++
++  "keywords": [
++    "ssl",
++    "image",
++    "proxy",
++    "github",
++    "anonymous"
++  ],
++
++  "website": "http://github.com/atmos/camo",
++  "repository": "https://github.com/atmos/camo",
++  "success_url": "/stats",
++
++  "env": {
++    "CAMO_HOSTNAME": {
++      "description": "The hostname for the camo server."
++    },
++    "CAMO_KEY": {
++      "description": "The fully qualified domain name for camo to run on.",
++      "generator": "secret"
++    },
++    "CAMO_LENGTH_LIMIT": {
++      "description": "The maximum Content-Length that camo will proxy in bytes",
++      "value": "5242880",
++      "required": true
++    },
++    "CAMO_LOGGING_ENABLED": {
++      "description": "Toggle whether or not to log verbosely('debug' or disabled')."
++    },
++    "CAMO_MAX_REDIRECTS": {
++      "description": "The number of redirects that camo should follow",
++      "value": "4"
++    },
++    "CAMO_SOCKET_TIMEOUT": {
++      "description": "The number of seconds to wait for socket connection errors",
++      "value": "10"
++    },
++    "RAILS_ENV": {
++      "description": "The RAILS environment for this installation",
++      "value": "production"
++    }
++  },
++
++  "scripts": {
++    "postdeploy": "bundle exec rake db:migrate"
++  }
++}
 === modified file 'debian/changelog'
 --- debian/changelog	2013-11-26 13:45:34 +0000
 +++ debian/changelog	2014-09-02 12:26:21 +0000
@@ -1,3 +1,9 @@
++camo (2.1.0-1ubuntu1) utopic; urgency=low
++
++  * New upstream release. (LP: #1355443)
++
++ -- Yu-Cheng Chou <ianchou821@gmail.com>  Tue, 02 Sep 2014 19:38:36 +0800
++
  camo (1.3.0+dfsg-1) unstable; urgency=low
    * Initial release (Closes: #721731)
 === modified file 'debian/patches/0001-Don-t-use-bundle-in-the-test-suite.patch'
 --- debian/patches/0001-Don-t-use-bundle-in-the-test-suite.patch	2013-11-26 13:45:34 +0000
 +++ debian/patches/0001-Don-t-use-bundle-in-the-test-suite.patch	2014-09-02 12:26:21 +0000
@@ -10,17 +10,16 @@
   Rakefile |    2 +-
 file changed, 1 insertion(+), 1 deletion(-)
--diff --git a/Rakefile b/Rakefile
--index c82f435..fea80b1 100644
----- a/Rakefile
--+++ b/Rakefile
--@@ -15,7 +15,7 @@ namespace :test do
--
--   desc "Run the tests against localhost"
--   task :check do |t|
---    system("BUNDLE_GEMFILE=test.gemfile bundle exec ruby test/proxy_test.rb")
--+    system("ruby test/proxy_test.rb")
--   end
--
--   desc "Kill test server"
----
++Index: camo/Rakefile
++===================================================================
++--- camo.orig/Rakefile
+++++ camo/Rakefile
++@@ -9,7 +9,7 @@ end
++
++ desc "Run the tests against localhost"
++ task :test do
++-  system("BUNDLE_GEMFILE=test.gemfile bundle exec ruby test/proxy_test.rb")
+++  system("ruby test/proxy_test.rb")
++ end
++
++ task :default => [:build, :bundle, :test]
 === modified file 'debian/rules'
 --- debian/rules	2013-11-26 13:45:34 +0000
 +++ debian/rules	2014-09-02 12:26:21 +0000
@@ -30,7 +30,7 @@
  	rake --trace build
  override_dh_auto_test:
  	nodejs server.js &
--	rake --trace test:check
++	rake --trace test
  	pkill -KILL -xf "nodejs server.js"
  override_dh_auto_clean:
 === added file 'mime-types.json'
 --- mime-types.json	1970-01-01 00:00:00 +0000
 +++ mime-types.json	2014-09-02 12:26:21 +0000
@@ -0,0 +1,44 @@
++[
++  "image/bmp",
++  "image/cgm",
++  "image/g3fax",
++  "image/gif",
++  "image/ief",
++  "image/jp2",
++  "image/jpeg",
++  "image/pict",
++  "image/png",
++  "image/prs.btif",
++  "image/svg+xml",
++  "image/tiff",
++  "image/vnd.adobe.photoshop",
++  "image/vnd.djvu",
++  "image/vnd.dwg",
++  "image/vnd.dxf",
++  "image/vnd.fastbidsheet",
++  "image/vnd.fpx",
++  "image/vnd.fst",
++  "image/vnd.fujixerox.edmics-mmr",
++  "image/vnd.fujixerox.edmics-rlc",
++  "image/vnd.microsoft.icon",
++  "image/vnd.ms-modi",
++  "image/vnd.net-fpx",
++  "image/vnd.wap.wbmp",
++  "image/vnd.xiff",
++  "image/webp",
++  "image/x-cmu-raster",
++  "image/x-cmx",
++  "image/x-icon",
++  "image/x-macpaint",
++  "image/x-pcx",
++  "image/x-pict",
++  "image/x-portable-anymap",
++  "image/x-portable-bitmap",
++  "image/x-portable-graymap",
++  "image/x-portable-pixmap",
++  "image/x-quicktime",
++  "image/x-rgb",
++  "image/x-xbitmap",
++  "image/x-xpixmap",
++  "image/x-xwindowdump"
++]
 === modified file 'package.json'
 --- package.json	2013-11-26 13:45:34 +0000
 +++ package.json	2014-09-02 12:26:21 +0000
@@ -1,9 +1,9 @@
+ {
    "name": "camo",
--  "version": "1.3.0",
++  "version": "2.1.0",
    "dependencies": {
    },
    "engines": {
--    "node": ">=0.10.21"
++    "node": "^0.10.29"
+   }
+ }
 === modified file 'server.coffee'
 --- server.coffee	2013-11-26 13:45:34 +0000
 +++ server.coffee	2014-09-02 12:26:21 +0000
@@ -1,12 +1,14 @@
  Fs          = require 'fs'
--Dns         = require 'dns'
++Path        = require 'path'
  Url         = require 'url'
++Path        = require 'path'
  Http        = require 'http'
++Https       = require 'https'
  Crypto      = require 'crypto'
  QueryString = require 'querystring'
--port            = parseInt process.env.PORT        || 8081
--version         = "1.3.0"
++port            = parseInt process.env.PORT        || 8081, 10
++version         = require(Path.resolve(__dirname, "package.json")).version
  shared_key      = process.env.CAMO_KEY             || '0x24FEEDFACEDEADBEEFCAFE'
  max_redirects   = process.env.CAMO_MAX_REDIRECTS   || 4
  camo_hostname   = process.env.CAMO_HOSTNAME        || "unknown"
@@ -14,6 +16,11 @@
  logging_enabled = process.env.CAMO_LOGGING_ENABLED || "disabled"
  content_length_limit = parseInt(process.env.CAMO_LENGTH_LIMIT || 5242880, 10)
++accepted_image_mime_types = JSON.parse(Fs.readFileSync(
++  Path.resolve(__dirname, "mime-types.json"),
++  encoding: 'utf8'
++))
++
  debug_log = (msg) ->
    if logging_enabled == "debug"
      console.log("--------------------------------------------")
@@ -24,15 +31,28 @@
    unless logging_enabled == "disabled"
      console.error("[#{new Date().toISOString()}] #{msg}")
--RESTRICTED_IPS = /^((10\.)|(127\.)|(169\.254)|(192\.168)|(172\.((1[6-9])|(2[0-9])|(3[0-1]))))/
--
  total_connections   = 0
  current_connections = 0
  started_at          = new Date
++default_security_headers =
++  "X-Frame-Options": "deny"
++  "X-XSS-Protection": "1; mode=block"
++  "X-Content-Type-Options": "nosniff"
++  "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'"
++  "Strict-Transport-Security" : "max-age=31536000; includeSubDomains"
++
  four_oh_four = (resp, msg, url) ->
    error_log "#{msg}: #{url?.format() or 'unknown'}"
--  resp.writeHead 404
++  resp.writeHead 404,
++    expires: "0"
++    "Cache-Control": "no-cache, no-store, private, must-revalidate"
++    "X-Frame-Options"           : default_security_headers["X-Frame-Options"]
++    "X-XSS-Protection"          : default_security_headers["X-XSS-Protection"]
++    "X-Content-Type-Options"    : default_security_headers["X-Content-Type-Options"]
++    "Content-Security-Policy"   : default_security_headers["Content-Security-Policy"]
++    "Strict-Transport-Security" : default_security_headers["Strict-Transport-Security"]
++
    finish resp, "Not Found"
  finish = (resp, str) ->
@@ -40,73 +60,30 @@
    current_connections  = 0 if current_connections < 1
    resp.connection && resp.end str
--# A Transform Stream that limits the piped data to the specified length
--Stream = require('stream')
--class LimitStream extends Stream.Transform
--  constructor: (length) ->
--    super()
--    @remaining = length
--
--  _transform: (chunk, encoding, cb) ->
--    if @remaining > 0
--      if @remaining < chunk.length
--        chunk = chunk.slice(0, @remaining)
--      @push(chunk)
--      @remaining -= chunk.length
--      if @remaining <= 0
--        @emit('length_limited')
--        @end()
--    cb()
--
--  write: (chunk, encoding, cb) ->
--    if @remaining > 0
--      super
++process_url = (url, transferredHeaders, resp, remaining_redirects) ->
++  if url.host?
++    if url.protocol is 'https:'
++      Protocol = Https
++    else if url.protocol is 'http:'
++      Protocol = Http
      else
--      false
--
--process_url = (url, transferred_headers, resp, remaining_redirects) ->
--  if !url.host?
--    return four_oh_four(resp, "Invalid host", url)
--
--  if url.protocol == 'https:'
--    error_log("Redirecting https URL to origin: #{url.format()}")
--    resp.writeHead 301, {'Location': url.format()}
--    finish resp
--    return
--  else if url.protocol != 'http:'
--    four_oh_four(resp, "Unknown protocol", url)
--    return
--
--  Dns.lookup url.hostname, (err, address, family) ->
--    if err
--      return four_oh_four(resp, "No host found: #{err}", url)
--
--    if address.match(RESTRICTED_IPS)
--      return four_oh_four(resp, "Hitting excluded IP", url)
--
--    fetch_url address, url, transferred_headers, resp, remaining_redirects
--
--  fetch_url = (ip_address, url, transferred_headers, resp, remaining_redirects) ->
--    src = Http.createClient url.port || 80, url.hostname
--
--    src.on 'error', (error) ->
--      four_oh_four(resp, "Client Request error #{error.stack}", url)
--
--    query_path = url.pathname
++      four_oh_four(resp, "Unknown protocol", url)
++      return
++
++    queryPath = url.pathname
      if url.query?
--      query_path += "?#{url.query}"
--
--    transferred_headers.host = url.host
--
--    debug_log transferred_headers
--
--    srcReq = src.request 'GET', query_path, transferred_headers
--
--    srcReq.setTimeout (socket_timeout * 1000), ()->
--      srcReq.abort()
--      four_oh_four resp, "Socket timeout", url
--
--    srcReq.on 'response', (srcResp) ->
++      queryPath += "?#{url.query}"
++
++    transferredHeaders.host = url.host
++    debug_log transferredHeaders
++
++    requestOptions =
++      hostname: url.hostname
++      port: url.port
++      path: queryPath
++      headers: transferredHeaders
++
++    srcReq = Protocol.get requestOptions, (srcResp) ->
        is_finished = true
        debug_log srcResp.headers
@@ -118,10 +95,26 @@
          four_oh_four(resp, "Content-Length exceeded", url)
        else
          newHeaders =
--          'content-type'           : srcResp.headers['content-type']
--          'cache-control'          : srcResp.headers['cache-control'] || 'public, max-age=31536000'
--          'Camo-Host'              : camo_hostname
--          'X-Content-Type-Options' : 'nosniff'
++          'content-type'              : srcResp.headers['content-type']
++          'cache-control'             : srcResp.headers['cache-control'] || 'public, max-age=31536000'
++          'Camo-Host'                 : camo_hostname
++          'X-Frame-Options'           : default_security_headers['X-Frame-Options']
++          'X-XSS-Protection'          : default_security_headers['X-XSS-Protection']
++          'X-Content-Type-Options'    : default_security_headers['X-Content-Type-Options']
++          'Content-Security-Policy'   : default_security_headers['Content-Security-Policy']
++          'Strict-Transport-Security' : default_security_headers['Strict-Transport-Security']
++
++        if eTag = srcResp.headers['etag']
++          newHeaders['etag'] = eTag
++
++        if expiresHeader = srcResp.headers['expires']
++          newHeaders['expires'] = expiresHeader
++
++        if lastModified = srcResp.headers['last-modified']
++          newHeaders['last-modified'] = lastModified
++
++        if origin = process.env.CAMO_TIMING_ALLOW_ORIGIN
++          newHeaders['Timing-Allow-Origin'] = origin
          # Handle chunked responses properly
          if content_length?
@@ -140,23 +133,24 @@
          switch srcResp.statusCode
            when 200
--            if newHeaders['content-type'] && newHeaders['content-type'].slice(0, 5) != 'image'
--              srcResp.destroy()
--              four_oh_four(resp, "Non-Image content-type returned", url)
++            contentType = newHeaders['content-type']
++
++            unless contentType?
++              srcResp.destroy()
++              four_oh_four(resp, "No content-type returned", url)
++              return
++
++            contentTypePrefix = contentType.split(";")[0]
++
++            unless contentTypePrefix in accepted_image_mime_types
++              srcResp.destroy()
++              four_oh_four(resp, "Non-Image content-type returned '#{contentTypePrefix}'", url)
                return
              debug_log newHeaders
              resp.writeHead srcResp.statusCode, newHeaders
--
--            limit = new LimitStream(content_length_limit)
--            srcResp.pipe(limit)
--            limit.pipe(resp)
--
--            limit.on 'length_limited', ->
--              srcResp.destroy()
--              error_log("Killed connection at content_length_limit: #{url.format()}")
--
++            srcResp.pipe resp
            when 301, 302, 303, 307
              srcResp.destroy()
              if remaining_redirects <= 0
@@ -171,7 +165,7 @@
                  newUrl.protocol = url.protocol
                debug_log "Redirected to #{newUrl.format()}"
--              process_url newUrl, transferred_headers, resp, remaining_redirects - 1
++              process_url newUrl, transferredHeaders, resp, remaining_redirects - 1
            when 304
              srcResp.destroy()
              resp.writeHead srcResp.statusCode, newHeaders
@@ -179,10 +173,12 @@
              srcResp.destroy()
              four_oh_four(resp, "Origin responded with #{srcResp.statusCode}", url)
--    srcReq.on 'error', ->
--      finish resp
++    srcReq.setTimeout (socket_timeout * 1000), ->
++      srcReq.abort()
++      four_oh_four resp, "Socket timeout", url
--    srcReq.end()
++    srcReq.on 'error', (error) ->
++      four_oh_four(resp, "Client Request error #{error.stack}", url)
      resp.on 'close', ->
        error_log("Request aborted")
@@ -191,6 +187,8 @@
      resp.on 'error', (e) ->
        error_log("Request error: #{e}")
        srcReq.abort()
++  else
++    four_oh_four(resp, "No host found " + url.host, url)
  # decode a string of two char hex digits
  hexdec = (str) ->
@@ -202,13 +200,13 @@
  server = Http.createServer (req, resp) ->
    if req.method != 'GET' || req.url == '/'
--    resp.writeHead 200
++    resp.writeHead 200, default_security_headers
      resp.end 'hwhat'
    else if req.url == '/favicon.ico'
--    resp.writeHead 200
++    resp.writeHead 200, default_security_headers
      resp.end 'ok'
    else if req.url == '/status'
--    resp.writeHead 200
++    resp.writeHead 200, default_security_headers
      resp.end "ok #{current_connections}/#{total_connections} since #{started_at.toString()}"
    else
      total_connections   += 1
@@ -216,13 +214,15 @@
      url = Url.parse req.url
      user_agent = process.env.CAMO_HEADER_VIA or= "Camo Asset Proxy #{version}"
--    transferred_headers =
--      'Via'                    : user_agent
--      'User-Agent'             : user_agent
--      'Accept'                 : req.headers.accept ? 'image/*'
--      'Accept-Encoding'        : req.headers['accept-encoding']
--      'x-forwarded-for'        : req.headers['x-forwarded-for']
--      'x-content-type-options' : 'nosniff'
++    transferredHeaders =
++      'Via'                     : user_agent
++      'User-Agent'              : user_agent
++      'Accept'                  : req.headers.accept ? 'image/*'
++      'Accept-Encoding'         : req.headers['accept-encoding']
++      "X-Frame-Options"         : default_security_headers["X-Frame-Options"]
++      "X-XSS-Protection"        : default_security_headers["X-XSS-Protection"]
++      "X-Content-Type-Options"  : default_security_headers["X-Content-Type-Options"]
++      "Content-Security-Policy" : default_security_headers["Content-Security-Policy"]
      delete(req.headers.cookie)
@@ -247,20 +247,23 @@
      if url.pathname? && dest_url
        hmac = Crypto.createHmac("sha1", shared_key)
--      hmac.update(dest_url, 'utf8')
++
++      try
++        hmac.update(dest_url, 'utf8')
++      catch error
++        return four_oh_four(resp, "could not create checksum")
        hmac_digest = hmac.digest('hex')
        if hmac_digest == query_digest
          url = Url.parse dest_url
--        process_url url, transferred_headers, resp, max_redirects
++        process_url url, transferredHeaders, resp, max_redirects
        else
          four_oh_four(resp, "checksum mismatch #{hmac_digest}:#{query_digest}")
      else
        four_oh_four(resp, "No pathname provided on the server")
--console.log "SSL-Proxy running on #{port} with pid:#{process.pid}."
--console.log "Using the secret key #{shared_key}"
++console.log "SSL-Proxy running on #{port} with pid:#{process.pid} version:#{version}."
  server.listen port
 === added file 'server.js'
 --- server.js	1970-01-01 00:00:00 +0000
 +++ server.js	2014-09-02 12:26:21 +0000
@@ -0,0 +1,312 @@
++// Generated by CoffeeScript 1.7.1
++(function() {
++  var Crypto, Fs, Http, Https, Path, QueryString, Url, accepted_image_mime_types, camo_hostname, content_length_limit, current_connections, debug_log, default_security_headers, error_log, finish, four_oh_four, hexdec, logging_enabled, max_redirects, port, process_url, server, shared_key, socket_timeout, started_at, total_connections, version,
++    __indexOf = [].indexOf || function(item) { for (var i = 0, l = this.length; i < l; i++) { if (i in this && this[i] === item) return i; } return -1; };
++
++  Fs = require('fs');
++
++  Path = require('path');
++
++  Url = require('url');
++
++  Path = require('path');
++
++  Http = require('http');
++
++  Https = require('https');
++
++  Crypto = require('crypto');
++
++  QueryString = require('querystring');
++
++  port = parseInt(process.env.PORT || 8081, 10);
++
++  version = require(Path.resolve(__dirname, "package.json")).version;
++
++  shared_key = process.env.CAMO_KEY || '0x24FEEDFACEDEADBEEFCAFE';
++
++  max_redirects = process.env.CAMO_MAX_REDIRECTS || 4;
++
++  camo_hostname = process.env.CAMO_HOSTNAME || "unknown";
++
++  socket_timeout = process.env.CAMO_SOCKET_TIMEOUT || 10;
++
++  logging_enabled = process.env.CAMO_LOGGING_ENABLED || "disabled";
++
++  content_length_limit = parseInt(process.env.CAMO_LENGTH_LIMIT || 5242880, 10);
++
++  accepted_image_mime_types = JSON.parse(Fs.readFileSync(Path.resolve(__dirname, "mime-types.json"), {
++    encoding: 'utf8'
++  }));
++
++  debug_log = function(msg) {
++    if (logging_enabled === "debug") {
++      console.log("--------------------------------------------");
++      console.log(msg);
++      return console.log("--------------------------------------------");
++    }
++  };
++
++  error_log = function(msg) {
++    if (logging_enabled !== "disabled") {
++      return console.error("[" + (new Date().toISOString()) + "] " + msg);
++    }
++  };
++
++  total_connections = 0;
++
++  current_connections = 0;
++
++  started_at = new Date;
++
++  default_security_headers = {
++    "X-Frame-Options": "deny",
++    "X-XSS-Protection": "1; mode=block",
++    "X-Content-Type-Options": "nosniff",
++    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
++    "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
++  };
++
++  four_oh_four = function(resp, msg, url) {
++    error_log("" + msg + ": " + ((url != null ? url.format() : void 0) || 'unknown'));
++    resp.writeHead(404, {
++      expires: "0",
++      "Cache-Control": "no-cache, no-store, private, must-revalidate",
++      "X-Frame-Options": default_security_headers["X-Frame-Options"],
++      "X-XSS-Protection": default_security_headers["X-XSS-Protection"],
++      "X-Content-Type-Options": default_security_headers["X-Content-Type-Options"],
++      "Content-Security-Policy": default_security_headers["Content-Security-Policy"],
++      "Strict-Transport-Security": default_security_headers["Strict-Transport-Security"]
++    });
++    return finish(resp, "Not Found");
++  };
++
++  finish = function(resp, str) {
++    current_connections -= 1;
++    if (current_connections < 1) {
++      current_connections = 0;
++    }
++    return resp.connection && resp.end(str);
++  };
++
++  process_url = function(url, transferredHeaders, resp, remaining_redirects) {
++    var Protocol, queryPath, requestOptions, srcReq;
++    if (url.host != null) {
++      if (url.protocol === 'https:') {
++        Protocol = Https;
++      } else if (url.protocol === 'http:') {
++        Protocol = Http;
++      } else {
++        four_oh_four(resp, "Unknown protocol", url);
++        return;
++      }
++      queryPath = url.pathname;
++      if (url.query != null) {
++        queryPath += "?" + url.query;
++      }
++      transferredHeaders.host = url.host;
++      debug_log(transferredHeaders);
++      requestOptions = {
++        hostname: url.hostname,
++        port: url.port,
++        path: queryPath,
++        headers: transferredHeaders
++      };
++      srcReq = Protocol.get(requestOptions, function(srcResp) {
++        var contentType, contentTypePrefix, content_length, eTag, expiresHeader, is_finished, lastModified, newHeaders, newUrl, origin;
++        is_finished = true;
++        debug_log(srcResp.headers);
++        content_length = srcResp.headers['content-length'];
++        if (content_length > content_length_limit) {
++          srcResp.destroy();
++          return four_oh_four(resp, "Content-Length exceeded", url);
++        } else {
++          newHeaders = {
++            'content-type': srcResp.headers['content-type'],
++            'cache-control': srcResp.headers['cache-control'] || 'public, max-age=31536000',
++            'Camo-Host': camo_hostname,
++            'X-Frame-Options': default_security_headers['X-Frame-Options'],
++            'X-XSS-Protection': default_security_headers['X-XSS-Protection'],
++            'X-Content-Type-Options': default_security_headers['X-Content-Type-Options'],
++            'Content-Security-Policy': default_security_headers['Content-Security-Policy'],
++            'Strict-Transport-Security': default_security_headers['Strict-Transport-Security']
++          };
++          if (eTag = srcResp.headers['etag']) {
++            newHeaders['etag'] = eTag;
++          }
++          if (expiresHeader = srcResp.headers['expires']) {
++            newHeaders['expires'] = expiresHeader;
++          }
++          if (lastModified = srcResp.headers['last-modified']) {
++            newHeaders['last-modified'] = lastModified;
++          }
++          if (origin = process.env.CAMO_TIMING_ALLOW_ORIGIN) {
++            newHeaders['Timing-Allow-Origin'] = origin;
++          }
++          if (content_length != null) {
++            newHeaders['content-length'] = content_length;
++          }
++          if (srcResp.headers['transfer-encoding']) {
++            newHeaders['transfer-encoding'] = srcResp.headers['transfer-encoding'];
++          }
++          if (srcResp.headers['content-encoding']) {
++            newHeaders['content-encoding'] = srcResp.headers['content-encoding'];
++          }
++          srcResp.on('end', function() {
++            if (is_finished) {
++              return finish(resp);
++            }
++          });
++          srcResp.on('error', function() {
++            if (is_finished) {
++              return finish(resp);
++            }
++          });
++          switch (srcResp.statusCode) {
++            case 200:
++              contentType = newHeaders['content-type'];
++              if (contentType == null) {
++                srcResp.destroy();
++                four_oh_four(resp, "No content-type returned", url);
++                return;
++              }
++              contentTypePrefix = contentType.split(";")[0];
++              if (__indexOf.call(accepted_image_mime_types, contentTypePrefix) < 0) {
++                srcResp.destroy();
++                four_oh_four(resp, "Non-Image content-type returned '" + contentTypePrefix + "'", url);
++                return;
++              }
++              debug_log(newHeaders);
++              resp.writeHead(srcResp.statusCode, newHeaders);
++              return srcResp.pipe(resp);
++            case 301:
++            case 302:
++            case 303:
++            case 307:
++              srcResp.destroy();
++              if (remaining_redirects <= 0) {
++                return four_oh_four(resp, "Exceeded max depth", url);
++              } else if (!srcResp.headers['location']) {
++                return four_oh_four(resp, "Redirect with no location", url);
++              } else {
++                is_finished = false;
++                newUrl = Url.parse(srcResp.headers['location']);
++                if (!((newUrl.host != null) && (newUrl.hostname != null))) {
++                  newUrl.host = newUrl.hostname = url.hostname;
++                  newUrl.protocol = url.protocol;
++                }
++                debug_log("Redirected to " + (newUrl.format()));
++                return process_url(newUrl, transferredHeaders, resp, remaining_redirects - 1);
++              }
++              break;
++            case 304:
++              srcResp.destroy();
++              return resp.writeHead(srcResp.statusCode, newHeaders);
++            default:
++              srcResp.destroy();
++              return four_oh_four(resp, "Origin responded with " + srcResp.statusCode, url);
++          }
++        }
++      });
++      srcReq.setTimeout(socket_timeout * 1000, function() {
++        srcReq.abort();
++        return four_oh_four(resp, "Socket timeout", url);
++      });
++      srcReq.on('error', function(error) {
++        return four_oh_four(resp, "Client Request error " + error.stack, url);
++      });
++      resp.on('close', function() {
++        error_log("Request aborted");
++        return srcReq.abort();
++      });
++      return resp.on('error', function(e) {
++        error_log("Request error: " + e);
++        return srcReq.abort();
++      });
++    } else {
++      return four_oh_four(resp, "No host found " + url.host, url);
++    }
++  };
++
++  hexdec = function(str) {
++    var buf, i, _i, _ref;
++    if (str && str.length > 0 && str.length % 2 === 0 && !str.match(/[^0-9a-f]/)) {
++      buf = new Buffer(str.length / 2);
++      for (i = _i = 0, _ref = str.length; _i < _ref; i = _i += 2) {
++        buf[i / 2] = parseInt(str.slice(i, +(i + 1) + 1 || 9e9), 16);
++      }
++      return buf.toString();
++    }
++  };
++
++  server = Http.createServer(function(req, resp) {
++    var dest_url, encoded_url, error, hmac, hmac_digest, query_digest, transferredHeaders, url, url_type, user_agent, _base, _ref, _ref1;
++    if (req.method !== 'GET' || req.url === '/') {
++      resp.writeHead(200, default_security_headers);
++      return resp.end('hwhat');
++    } else if (req.url === '/favicon.ico') {
++      resp.writeHead(200, default_security_headers);
++      return resp.end('ok');
++    } else if (req.url === '/status') {
++      resp.writeHead(200, default_security_headers);
++      return resp.end("ok " + current_connections + "/" + total_connections + " since " + (started_at.toString()));
++    } else {
++      total_connections += 1;
++      current_connections += 1;
++      url = Url.parse(req.url);
++      user_agent = (_base = process.env).CAMO_HEADER_VIA || (_base.CAMO_HEADER_VIA = "Camo Asset Proxy " + version);
++      transferredHeaders = {
++        'Via': user_agent,
++        'User-Agent': user_agent,
++        'Accept': (_ref = req.headers.accept) != null ? _ref : 'image/*',
++        'Accept-Encoding': req.headers['accept-encoding'],
++        "X-Frame-Options": default_security_headers["X-Frame-Options"],
++        "X-XSS-Protection": default_security_headers["X-XSS-Protection"],
++        "X-Content-Type-Options": default_security_headers["X-Content-Type-Options"],
++        "Content-Security-Policy": default_security_headers["Content-Security-Policy"]
++      };
++      delete req.headers.cookie;
++      _ref1 = url.pathname.replace(/^\//, '').split("/", 2), query_digest = _ref1[0], encoded_url = _ref1[1];
++      if (encoded_url = hexdec(encoded_url)) {
++        url_type = 'path';
++        dest_url = encoded_url;
++      } else {
++        url_type = 'query';
++        dest_url = QueryString.parse(url.query).url;
++      }
++      debug_log({
++        type: url_type,
++        url: req.url,
++        headers: req.headers,
++        dest: dest_url,
++        digest: query_digest
++      });
++      if (req.headers['via'] && req.headers['via'].indexOf(user_agent) !== -1) {
++        return four_oh_four(resp, "Requesting from self");
++      }
++      if ((url.pathname != null) && dest_url) {
++        hmac = Crypto.createHmac("sha1", shared_key);
++        try {
++          hmac.update(dest_url, 'utf8');
++        } catch (_error) {
++          error = _error;
++          return four_oh_four(resp, "could not create checksum");
++        }
++        hmac_digest = hmac.digest('hex');
++        if (hmac_digest === query_digest) {
++          url = Url.parse(dest_url);
++          return process_url(url, transferredHeaders, resp, max_redirects);
++        } else {
++          return four_oh_four(resp, "checksum mismatch " + hmac_digest + ":" + query_digest);
++        }
++      } else {
++        return four_oh_four(resp, "No pathname provided on the server");
++      }
++    }
++  });
++
++  console.log("SSL-Proxy running on " + port + " with pid:" + process.pid + " version:" + version + ".");
++
++  server.listen(port);
++
++}).call(this);
 === modified file 'test.gemfile'
 --- test.gemfile	2013-11-26 13:45:34 +0000
 +++ test.gemfile	2014-09-02 12:26:21 +0000
@@ -1,4 +1,4 @@
  source 'https://rubygems.org'
++gem 'rack'
  gem 'rest-client', '~>1.3'
  gem 'addressable', '~>2.3'
--gem 'thin'
 \ No newline at end of file
 === modified file 'test.gemfile.lock'
 --- test.gemfile.lock	2013-11-26 13:45:34 +0000
 +++ test.gemfile.lock	2014-09-02 12:26:21 +0000
@@ -2,21 +2,15 @@
    remote: https://rubygems.org/
    specs:
      addressable (2.3.4)
--    daemons (1.1.9)
--    eventmachine (1.0.3)
      mime-types (1.23)
      rack (1.5.2)
      rest-client (1.6.7)
        mime-types (>= 1.16)
--    thin (1.5.1)
--      daemons (>= 1.0.9)
--      eventmachine (>= 0.12.6)
--      rack (>= 1.0.0)
  PLATFORMS
    ruby
  DEPENDENCIES
    addressable (~> 2.3)
++  rack
    rest-client (~> 1.3)
--  thin
 === added file 'test/app_test.rb'
 --- test/app_test.rb	1970-01-01 00:00:00 +0000
 +++ test/app_test.rb	2014-09-02 12:26:21 +0000
@@ -0,0 +1,12 @@
++require 'rubygems'
++require 'json'
++require 'test/unit'
++
++class CamoAppTest < Test::Unit::TestCase
++  def test_heroku_app_json
++    app_file = File.expand_path("../../app.json", __FILE__)
++    assert_nothing_raised do
++      JSON.parse(File.read(app_file))
++    end
++  end
++end
 === modified file 'test/proxy_test.rb'
 --- test/proxy_test.rb	2013-11-26 13:45:34 +0000
 +++ test/proxy_test.rb	2014-09-02 12:26:21 +0000
@@ -4,7 +4,6 @@
  require 'openssl'
  require 'rest_client'
  require 'addressable/uri'
--require 'thin'
  require 'test/unit'
@@ -14,10 +13,41 @@
        'host' => ENV['CAMO_HOST'] || "http://localhost:8081" }
    end
++  def spawn_server(path)
++    port = 9292
++    config = "test/servers/#{path}.ru"
++    host = "localhost:#{port}"
++    pid = fork do
++      STDOUT.reopen "/dev/null"
++      STDERR.reopen "/dev/null"
++      exec "rackup", "--port", port.to_s, config
++    end
++    sleep 2
++    begin
++      yield host
++    ensure
++      Process.kill(:TERM, pid)
++      Process.wait(pid)
++    end
++  end
++
++  def test_proxy_localhost_test_server
++    spawn_server(:ok) do |host|
++      response = RestClient.get("http://#{host}/octocat.jpg")
++      assert_equal(200, response.code)
++
++      response = request("http://#{host}/octocat.jpg")
++      assert_equal(200, response.code)
++    end
++  end
++
    def test_proxy_survives_redirect_without_location
--    assert_raise RestClient::ResourceNotFound do
--      request('http://localhost:9292')
++    spawn_server(:redirect_without_location) do |host|
++      assert_raise RestClient::ResourceNotFound do
++        request("http://#{host}")
++      end
      end
++
      response = request('http://media.ebaumsworld.com/picture/Mincemeat/Pimp.jpg')
      assert_equal(200, response.code)
    end
@@ -27,16 +57,54 @@
      assert_equal(200, response.code)
    end
++  def test_doesnt_crash_with_non_url_encoded_url
++    assert_raise RestClient::ResourceNotFound do
++      RestClient.get("#{config['host']}/crashme?url=crash&url=me")
++    end
++  end
++
++  def test_always_sets_security_headers
++    ['/', '/status'].each do |path|
++      response = RestClient.get("#{config['host']}#{path}")
++      assert_equal "deny", response.headers[:x_frame_options]
++      assert_equal "default-src 'none'; style-src 'unsafe-inline'", response.headers[:content_security_policy]
++      assert_equal "nosniff", response.headers[:x_content_type_options]
++      assert_equal "max-age=31536000; includeSubDomains", response.headers[:strict_transport_security]
++    end
++
++    response = request('http://dl.dropbox.com/u/602885/github/soldier-squirrel.jpg')
++    assert_equal "deny", response.headers[:x_frame_options]
++    assert_equal "default-src 'none'; style-src 'unsafe-inline'", response.headers[:content_security_policy]
++    assert_equal "nosniff", response.headers[:x_content_type_options]
++    assert_equal "max-age=31536000; includeSubDomains", response.headers[:strict_transport_security]
++  end
++
    def test_proxy_valid_image_url
      response = request('http://media.ebaumsworld.com/picture/Mincemeat/Pimp.jpg')
      assert_equal(200, response.code)
    end
++  def test_svg_image_with_delimited_content_type_url
++    response = request('https://saucelabs.com/browser-matrix/bootstrap.svg')
++    assert_equal(200, response.code)
++  end
++
++  def test_png_image_with_delimited_content_type_url
++    response = request('http://uploadir.com/u/cm5el1v7')
++    assert_equal(200, response.code)
++  end
++
    def test_proxy_valid_image_url_with_crazy_subdomain
      response = request('http://27.media.tumblr.com/tumblr_lkp6rdDfRi1qce6mto1_500.jpg')
      assert_equal(200, response.code)
    end
++  def test_strict_image_content_type_checking
++    assert_raise RestClient::ResourceNotFound do
++      request("http://calm-shore-1799.herokuapp.com/foo.png")
++    end
++  end
++
    def test_proxy_valid_google_chart_url
      response = request('http://chart.apis.google.com/chart?chs=920x200&chxl=0:%7C2010-08-13%7C2010-09-12%7C2010-10-12%7C2010-11-11%7C1:%7C0%7C0%7C0%7C0%7C0%7C0&chm=B,EBF5FB,0,0,0&chco=008Cd6&chls=3,1,0&chg=8.3,20,1,4&chd=s:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&chxt=x,y&cht=lc')
      assert_equal(200, response.code)
@@ -48,6 +116,16 @@
      assert_nil(response.headers[:content_length])
    end
++  def test_proxy_https_octocat
++    response = request('https://octodex.github.com/images/original.png')
++    assert_equal(200, response.code)
++  end
++
++  def test_proxy_https_gravatar
++    response = request('https://1.gravatar.com/avatar/a86224d72ce21cd9f5bee6784d4b06c7')
++    assert_equal(200, response.code)
++  end
++
    def test_follows_redirects
      response = request('http://cl.ly/1K0X2Y2F1P0o3z140p0d/boom-headshot.gif')
      assert_equal(200, response.code)
@@ -64,6 +142,14 @@
      end
    end
++  def test_404s_on_request_error
++    spawn_server(:crash_request) do |host|
++      assert_raise RestClient::ResourceNotFound do
++        request("http://#{host}/cats.png")
++      end
++    end
++  end
++
    def test_404s_on_infinidirect
      assert_raise RestClient::ResourceNotFound do
        request('http://modeselektor.herokuapp.com/')
@@ -94,32 +180,12 @@
      end
    end
--  def test_404s_on_10_0_ip_range
++  def test_404s_on_connect_timeout
      assert_raise RestClient::ResourceNotFound do
        request('http://10.0.0.1/foo.cgi')
      end
    end
--  16.upto(31) do |i|
--    define_method :"test_404s_on_172_#{i}_ip_range" do
--      assert_raise RestClient::ResourceNotFound do
--        request("http://172.#{i}.0.1/foo.cgi")
--      end
--    end
--  end
--
--  def test_404s_on_169_254_ip_range
--    assert_raise RestClient::ResourceNotFound do
--      request('http://169.254.0.1/foo.cgi')
--    end
--  end
--
--  def test_404s_on_192_168_ip_range
--    assert_raise RestClient::ResourceNotFound do
--      request('http://192.168.0.1/foo.cgi')
--    end
--  end
--
    def test_404s_on_environmental_excludes
      assert_raise RestClient::ResourceNotFound do
        request('http://iphone.internal.example.org/foo.cgi')
@@ -127,7 +193,7 @@
    end
    def test_follows_temporary_redirects
--    response = request('http://d.pr/i/rr7F+')
++    response = request('http://bit.ly/1l9Fztb')
      assert_equal(200, response.code)
    end
@@ -137,6 +203,14 @@
        response = request( uri )
      end
    end
++
++  def test_404s_send_cache_headers
++    uri = request_uri("http://example.org/")
++    response = RestClient.get(uri){ |response, request, result| response }
++    assert_equal(404, response.code)
++    assert_equal("0", response.headers[:expires])
++    assert_equal("no-cache, no-store, private, must-revalidate", response.headers[:cache_control])
++  end
  end
  class CamoProxyQueryStringTest < Test::Unit::TestCase
 === removed file 'test/proxy_test_server.rb'
 --- test/proxy_test_server.rb	2013-11-26 13:45:34 +0000
 +++ test/proxy_test_server.rb	1970-01-01 00:00:00 +0000
@@ -1,11 +0,0 @@
--require 'thin'
--
--class ProxyTestServer
--  def call(env)
--    [302, {"Content-Type" => "image/foo"}, "test"]
--  end
--end
--
--Thin::Server.start('127.0.0.1', 9292) do
--	run ProxyTestServer.new
--end
 \ No newline at end of file
 === added directory 'test/servers'
 === added file 'test/servers/crash_request.ru'
 --- test/servers/crash_request.ru	1970-01-01 00:00:00 +0000
 +++ test/servers/crash_request.ru	2014-09-02 12:26:21 +0000
@@ -0,0 +1,3 @@
++run lambda { |env|
++  raise "b00m"
++}
 === added file 'test/servers/octocat.jpg'
 Binary files test/servers/octocat.jpg	1970-01-01 00:00:00 +0000 and test/servers/octocat.jpg	2014-09-02 12:26:21 +0000 differ
 === added file 'test/servers/ok.ru'
 --- test/servers/ok.ru	1970-01-01 00:00:00 +0000
 +++ test/servers/ok.ru	2014-09-02 12:26:21 +0000
@@ -0,0 +1,5 @@
++run lambda { |env|
++  path = File.expand_path('../octocat.jpg', __FILE__)
++  data = File.read(path)
++  [200, {'Content-Type' => 'image/jpeg'}, [data]]
++}
 === added file 'test/servers/redirect_without_location.ru'
 --- test/servers/redirect_without_location.ru	1970-01-01 00:00:00 +0000
 +++ test/servers/redirect_without_location.ru	2014-09-02 12:26:21 +0000
@@ -0,0 +1,7 @@
++class ProxyTestServer
++  def call(env)
++    [302, {"Content-Type" => "image/foo"}, "test"]
++  end
++end
++
++run ProxyTestServer.new

Ubuntucamo package