I would prefer the option which allows lemm.ee to run in the most sustainable manner

Storing permanently locally doesn't sound like a good solution..

If you could adjust the length of time to keep cached/proxy'd images locally and increase it significantly, I'd think that would be the preferred solution.

Not a lemm.ee user, but here's my thoughts on #2 since it affects me via federation:

I am not a fan of how Lemmy chose to implement image proxying Specifically, federating the proxied URL.

That frequently prevents my instance from fetching a thumbnail locally (option 1 above). Which, ironically, increases the load on your server as my instance has to fetch it from your proxy every time instead of just once to generate a local copy here.

From a UI development standpoint, the proxied thumbnail URLs also make it harder to detect the image type (gif, static image, video) to handle rendering. It also complicates other proxying/caching methods I have in place. Ultimately, in the UI I develop, I've had to resort to passing thumbnail images through a function to un-proxy them so they can be handled sanely.

So I generally wish that admins avoid Lemmy's proxying until it no longer federates the proxied URL and does something sane like just return that for the local API calls.

I say option 3. Sure, it's annoying, but that's our problem. Your problem is keeping the server operational, safe, and low-cost.

Considering the vote:content ratio, it looks like most users spend most of their time spectating. The spectators feed our egos and determine the trends in content by singular positive or negative votes. The spectator experience seems far more important to me and it should be the onus of the contributors to ensure their own privacy, just like they do in avoiding doxxing themselves via text.

Option 2 certainly follows in the vein of improved performance, but if real-world implementation is proving too unstable or creating too much overhead, then I say "fuck it, option 3 sounds great."

No opinion for the moment, but thank you for the very detailed post

While I appreciate you trying to make it so, my privacy isn’t your responsibility. Option 3 is the way to go to keep your costs down, which is the long-term best solution.

It wasn’t one of the options, but from a user perspective a hybrid solution is best. Making a local copy that has a 24-48 hour cache keeps your storage down but still gives us the benefit of option 1. But it sounds like this would require some changes to how the server software works, which would be cool, but again you shouldn’t feel compelled to attempt.

Keep your costs and stress low wherever possible and thank you for everything you do.

I'd say option 3. Personally, I don't care if random websites get my IP among a list of hundreds of others, and if someone wants to keep their IP hidden from strangers, they should be using a VPN before browsing the net anyways. It'd also be nice not to have to open another instance when I come to a post with a broken image that I want to see, but that's not hugely important to me.

If it were an instance specifically for privacy enthusiasts, that'd be a different story, but this is a general-purpose instance, and option 3 seems to be what's best for both general users and the server itself.

2+3: Try to fetch image, if you get it proxy it, if your storage gets full use LRU eviction, once evicted or some amount of time has passed delete it and don't fetch again, ever. Fall back to pure 3 if there's ever any issues with anything, including you not particularly feeling like implementing smart caching: Our referrer privacy is not your responsibility.

I'm on a lot, and I scroll from All/Hot. I rarely see broken images. They do pop up, but not enough to ever bother me. The only option I'd avoid is method 1, because of that image debacle a few months ago. Regarding methods 2 and 3, they both seemed to work fine. I leave it to smarter minds than myself.

Good work on next, btw. Enjoy your weekend and thank you for everything you do!

Option 3 is the only one that seems sustainable long term. Donations will NEVER keep up with user growth, thus storage costs will balloon out of control.

Completely avoiding any chance of illegal content touching the servers should immediately have everyone agreeing on this option. I doubt anyone here is willing to foot legal bills and as such even minor legal actions would be the end of this instance.

Privacy is nice but ip logging is the simplest form to "protect" against with even a free VPN. If those claiming privacy concerns here aren't already using a VPN and are depending purely on lemme.ee's proxy then their internet hygiene needs an update.

As for usability, the image being deleted from external provider presents the same issue to the user between option 2 and 3. The cache from option 2 will inventually get cleared and it'll fail to pull a fresh copy if deleted from the external hosts.

Option 3, agree with others, there are other privacy focused instances.

I like 3 also. if you can't get a good user experience privacy matters less because there are no users, and anyone can spin up a super privacy enhanced instance if they want.

I was thinking however that a super stand alone image server would be a great thing for Lemmy, and pixelfed and the Fediverse in general.

Imgur blew up and was the go to for image hosting on Reddit for years, until Reddit realized it was leaking traffic and users to them and started their own. But hosting images has a lot of potential headaches like copyright violations and big corps suing you into oblivion, in addition to inadvertently hosting illegal stuff. The Fediverse will need some good image hosting servers and video hosting servers as part of the plan in the long run though.

I seem to agree with most other users in this thread.

Sure, the privacy aspect is nice; most people already share too much information with third parties unwillingly, but I think a good user experience should be prioritised. If option 3 is more likely to provide that, I would choose going that way.

Most people, especially those migrating from other sites, probably care more about the images loading than the privacy involved with proxying them.

It would maybe be nice to have an option to not load external resources automatically, or a black/whitelist for certain sites, if such an option doesn't already exist.

Option 3.

I'm in favour of Option 3, privacy concerns considered.

User experience is big for me here, the broken images are something of a frustration that I've been dealing with for a while now, so the option to combat that is a clear winner for me.

Also, I want to thank you for coming to us for feedback, yet another reason I'm glad I decided to settle here on Lemm.ee.

Whatever is most sustainable for you.

Definitely OK with either option 2 or 3. And I trust @sunaurus to choose what's best for this instance.

Thanks for your hard work as always.

I'm in favor of moving away from proxying. Too many images break and proxying in general is very wasteful, having to download images from potentially small servers constantly would definitely get you ratelimited.

Passing through external images is OK. Many people often post external links anyways to sites like imgur and catbox because of the file size limits anyways.

I think the end goal would always to store images locally though - or at least caching them for extended periods of time. Don't large instances like Lemmy World and huge Mastodon instances work this way? How do they manage the risk?

Have you thought about solving this issue in the front end? The client I’m using (Mlem) implemented a feature to directly access the image if the proxy fails. This feature can either be triggered automatically or by pressing a button on the failed image. This allows users the benefit of the proxy while also having the option to give up their IP if they want to see a broken image.

Although I value privacy, I value sustainability more. Choose an option you feel most comfortable with, option which puts the least burden on your shoulders.

I think it's important for us to be mindful of content retention for posterity's sake if we want Lemmy to compete with Reddit long-term. If possible, I'd hope we can avoid dead image links like we see with old forums and photobucket pics, for example.

Option 3.

Privacy concerns aside, which I am willing to bear, Option 3 is the most sustainable option.

Looking at our status page, the projected monthly expenses is greater than the revenues. If passing through external images allows us to reduce operational costs and ensure lemm.ee's sustainability despite the loss of a degree of privacy, then it's a tradeoff I'm willing to make.

Thanks, admins and mods, for everything that you do!

I would do option 3, both as a user and if I were to make my own service. I'd let a dedicated image service do it. I'm not worried about IP leakage and if I am I can use a VPN. If I want to be that concerned about it, I think the responsibility is on me, not on the service unless they promise that level of privacy.

I vote for what gives the best experience for users and makes running the service easier and cost effectivem

Option 2.5: Option 2 by default, by if the external server rejects our request (rate-limiting), we fall back to Option 3 by HTTP 302ing

I believe just passing through external images is the way to go, it's always the one I opt for if I can

Hosting those images is gonna get expensive and that kinda sucks for a donation run platform when that money could be far better spent elsewhere

I think also using external image sources is more in line with the idea of decentralisation, Lemmy isn't an image host it's a link aggregator and forum - I believe most image hosting sites will be far better at loading images quickly than Lemmy's implementation could ever be

Wow, thanks for the full transparency. You are awesome!

My opinion would be option 2 (proxy requests) , but with a higher cache TTL or simple a LRU (Least Recently Used) Cache.

If you're getting throttled, it could be mitigated by increasing the cache retention period (or improving the cache hits).

Another improvement : Would it be possible to change the proxy, so that if the proxied requests are throttled, it simply sends the user a http-302 to the origin (instead of a broken image)?

Regarding option 1 (full cache) : I greatly appreciate your desire to hide/protect your users ip, but it is outside the scope of what I expect from a Lemmy server. Maybe you could market and upsell this increased privacy as a subscription based feature. However, if I want privacy - I'll use a VPN.

Regarding option 3 (User fetches content from origin) : From a users perspective, I really don't want my Lemmy experience to be based on hitting a bunch of (potentially) unreliable services. When I, as a lemm.ee User, request a post from Lemmy.world (for example), lemm.ee will proxy and cache that post and the comments. This is the distributed nature of Lemmy (as far as I understand). Why restrict this caching to just posts/threads/comments and not include images (which, let's face it, are as meaningful as pure text - especially wrt memes).

I would pick image pass through because I'm not necessarily concerned about the image hoster logging my IP. I have been more frustrated with broken links, so I am very much opposed to the current method.

Option 3

Reasoning:

• Upside 2: 100% best for lemm.ee health; lowest legal risk, lower cost to run.
• Downside 1: I think it comes down to what lemm.ee is trying to provide as a user experience; in my use and expectation, it's not for masking my IP, making me anonymous or similar. It's for reading and interacting with people, looking at memes and reading lots of news stories. I have no expectation my IP is masked from remote sites - I open all external news links in a Private tab anyways (to stop cookies and other junk) so they're already getting my IP anyway. "why should images be any different, really?" There are other lemmy instances out there catering to extreme privacy.
• Downside 2: this could be, should be, whatever handles by better page loading threading in the code; the content surrounding an image is just HTML, the load of the image is a secondary task. If the rendering of the view of the page is reliant upon 200 OK image loads, that feels like a deficiency in design and it needs to be async threaded to "lazy load" and not block.

At a high level, many other solutions - Mastodon, even Nostr webapps and phone apps which is all about being anonymous for some folks - do direct content load from the source and do not proxy loading. The switch back to option 3 falls in line with what every other generic service/solution does in the social web space.

Images have been a bit problematic for me lately, for sure. If storing them locally is not a solid option, the question I would have is how much of the other requests are proxied? As in, what other stuff apart from images/media is not being proxied? If the clients are leaking IPs anyway, maybe it's okay to have them download the images, too. But if the server is proxying everything else then having some sort of a cache might not be that bad an idea

Can't you store them in a cache that keeps images that have been accessed in the last 48 hours (or whatever) and deletes others? Should someone request these images after that, cache them again for 48 hours.

I’d lean towards option 3. I view this site as an aggregator and I see plenty of broken images when scrollling through here. It’s not your job to host or proxy those images and working in infrastructure it lends to a lot lighter weight instance that’s easier for you to manage without having to worry about disk, or even worse, bandwidth costs.

The only way I would see option 2 being more beneficial is if it was truly a temporary cache solution where the image gets pulled in 1 time, served out to all lemm.ee users for a period of time (say 24 hours). This would reduce the chance that you end up rate limited, while allowing users to still see the image served via lemm.ee

The proxy on every request solution just seems poorly implemented to me for the reasons you say.

Proxy and Passthrough: give the option to the user and include a warning where it may expose your IP based on selection.

Shame that option #2 has these downsides. Personally, I'd probably prefer #2, and to live with some broken images.

That said, lemm.ee is one of, if not the largest Lemmy instance, and has a certain responsibility to prioritize usability as a sort of "sane default" choice for many people looking into the fediverse. As such.... yeah, I give it to option #3 here. If I (or others) was truly deeply moved by the privacy concern, there are an abundance of alternative options for that higher privacy standard, including full self-hosting.

I'd prefer proxying

I think proxying is very important else anyone can simply upload an iplogger or possibly more advanced fingerprinting image. This in combination with observing federated actions will make it very easy to deanonimise almost every single user who interacts in any way even upvoting.

Can u simply increase the time period that nginx caches images for to avoid some of the rate limiting issues? Otherwise perhaps using proxy lists to proxy requests from lemm.ee to the image hosts is doable (im not sure about the legality of this tho).

Have u emailed the image hosts letting them know what u do and asking if they can remove ur rate limit (idk if they would be receptive to this without a financial incentive).

Don't mean to clutter the thread but it sounds like option 3 is the best user experience. Hyper privacy focused users are probably more likely to make their own instance or use another smaller one.

Love the work you do, I appreciate it so much!

Option 3.

While it is a pain to upload to imgur and then post as a link, it's not that bad tbh. If there was some way to convert an uploaded image into an imgur link automatically to skip the middle man, that would be cool, but imgur might have something to say about that.

Of course there is the option to snail mail all our memes to sunaurus for them to scan and upload. That way if you wanna post something, it better be worth the printing, 10¢ of shipping, and 2 to 3 weeks of travel time. That would be a pretty solid filter system.

I would say option 2 (proxy with cache), where you only download requested images and try to cache them for a reasonable period of time that allows most users to see the post on the front page without much problems, and delete it afterwards (I’m not sure what value this would translate to, I’ve seen mentions of 48hours but that might be either too much or too little, I guess you know best what would work). I mostly use Lenny to browse new content, so that is most important to me. If I would ever go and explore older posts, I won’t mind older images possibly being broken.

The only issue I have is catbox being broken on my phone. If proxying fixes that then I'd support that one. We don't need to keep the image on our servers forever I think.

well written with a lot of useful information!

The end user in me says pass-through isn't the best experience but for specifically Lemm.ee I think it fits. let a smaller or alternative instance do the local caching and assume all legal risk. let this one grow but at some compromised expense. since this is a free service, it is perfectly fine to pass those compromises down to end users guilt free.

Option 3.

hmm maybe proxy or store it on a external cdn

I'm a fan of option 3. For my past few image posts I've been using other image hosting sites like imgchest because my images won't upload.

I am also in favor of option 3. Hosting images has a chance of hosting some csam and that might take you out.

Proxy

Frankly, one of the big reasons why I like the Fediverse is that you don't have to depend on the source keeping up their stuff - we get our own copies. That includes both the text (the posts) and the media (the images), and to me, that's one third of the point of the entire thing. If I wanted an image that can only be seen at the dumpster cage that is Twitter, I'd go over there shrug and move on.

Of course that's not always workable because storage is (despite everything) not cheap, medias grow large (I can eg.: understand saving pictures, but heaven forbid trying to save a video) and there's still not a good way to deal with """problematic""" storage. So, my recommendation and expectation would be something that functions like Option 2: Proxying Images. Basically, we download our own copy but only store it "while it matters".

How to Supplement Options

Now, maybe some proposals I would lift to have their feasibility studied. Any combination of one or more of these could, if implemented, help in enhancing or even supplantting the chosen method for storing remote media. I personally see them more as a means to enhance Option 2.

• Only save copies of images (perpetual or proxy) that are below certain thresholds: file size, resolution, trusted hosts, etc... Sure, that still means you have to download every image at least once to evaluate it, but at least we get some sort of automated guarantee that for "easy" stuff, we won't be filing more connections than necessary. The big win of this option is that lemm.ee is not paying for the larger resource cost of fetching larger images after their post is made. I'm guessing the main drawback would be the bikeshedding required to decide which images get saved locally.
• Related option to the above: only save (perpetual) thumbnails or smallened versions of images, never the real ones. Would pretty much instantly cover the case of eg.: most memes. The big drawback I can see to this is managing those images for deletions would be harder unless a Lemmy instance can keep a searchable map of hashes from each image to their thumbnail and vice versa.
• Require that any image is linked from an imagehost or filehost that is trustable for durability. Big drawback: notoriously more effort (and potential loss of privacy) for users means this actually disincentivizes posting rich content.
• Pool up resources and get some cooperative work going with some other instance(s) to set up a shared proxy agent that downloads the images for us, so that lemm.ee doesn't have to host the images but can have the clients fetch them without sacrificing privacy. I feel this one incentivizes posting rich content because you can get some level of assurance that it'll remain available and be "cheap" to access from across the Fediverse, but requires more instances to chip in.
• Images? Pfff. Text is where it's at.

Can you get around the rate limiter with something like proxy servers? https://dev.to/lordghostx/3-simple-ways-to-bypass-api-rate-limits-3de0

I am very privacy oriented, and I am fine with option 3. Thanks for all you do!

I am probably one of the power user on Lemm.ee who post a lot of Images.

I really like 1st option but It's not financially feasible. So, I am choosing 2nd option. I used to post on catbox.moe but lemm.ee get rate limited by catbox lately. So, I choose a paid image hoster. It's actually screenshot hoster but I am using it like a unlimited image hoster xD don't know if it's allowed or not. 3rd option can leak IP addresses. So, no.

TL;DR I like 2nd option. But whatever you do. I am with you.

Thank you for running a great instance. No notes. Except it would be nice if you could set the limit on how long a proxies image remains available. It would be nice if there was a time limit that could be shortened based on time. Or a combination of the first and second option.