Deploy and Host imgproxy on Railway

imgproxy is a fast, secure image processing server. Resize, crop, and transform images on-the-fly by simply changing the URL—no need to pre-generate thumbnails or store multiple sizes.

About Hosting imgproxy

Deploying imgproxy on Railway gives you an image processing API that transforms images in real-time. Point it at any image URL and get back resized, cropped, or converted versions. It supports WebP/AVIF conversion, smart cropping, watermarks, and more. imgproxy is written in Go and designed for high throughput with minimal memory usage.

Common Use Cases

• Generate thumbnails on-the-fly without storing multiple sizes
• Convert images to modern formats (WebP, AVIF) for faster loading
• Resize user-uploaded images before serving
• Add watermarks to images dynamically

Dependencies for imgproxy Hosting

• None (standalone Go binary)

Deployment Dependencies

• imgproxy GitHub Repository
• imgproxy Documentation

Environment Variables

You must generate and set your own key and salt to secure your instance:

Generate your own key and salt:

# Run this twice - once for key, once for salt
echo $(xxd -g 2 -l 64 -p /dev/random | tr -d '\n')

How Key & Salt Signing Works

The key and salt prevent unauthorized use of your imgproxy instance. Without them, anyone who discovers your endpoint could use your server to process arbitrary images—consuming your CPU and bandwidth.

With signing enabled:

1. Your backend generates signed URLs using the secret key and salt
2. The signature is embedded in the URL
3. imgproxy validates the signature before processing
4. Invalid signatures get rejected with 403 Forbidden

What this prevents:

• Bad actors using your server to process their images
• URL tampering (changing resize dimensions, source image)
• Bandwidth/CPU abuse

What attackers can still do:

• Reuse exact signed URLs they've seen (same image, same parameters)

Example flow:

Your Backend (knows key+salt)
       │
       │ Generates: /signature123/rs:fit:300:200/base64url
       ▼
   Frontend (no secrets)
       │
       │ Uses URL in <img> tag
       ▼
   imgproxy (knows key+salt)
       │
       │ Validates signature → processes if valid
       ▼
   Resized image returned

URL Format:

https://your-imgproxy.up.railway.app/{signature}/{options}/plain/{source_url}

Unsigned (insecure mode - use _ as signature):

https://your-imgproxy.up.railway.app/_/rs:fit:800:600/plain/https://example.com/photo.jpg

Common options:

rs:fit:800:600     → Resize to fit within 800x600
rs:fill:400:400    → Crop to exactly 400x400
f:webp             → Convert to WebP
q:80               → Quality 80%

Signing example (Node.js):

const crypto = require('crypto');

const key = Buffer.from(process.env.IMGPROXY_KEY, 'hex');
const salt = Buffer.from(process.env.IMGPROXY_SALT, 'hex');

function signUrl(sourceUrl, options = 'rs:fit:300:200') {
  const path = `/${options}/plain/${sourceUrl}`;

  const hmac = crypto.createHmac('sha256', key);
  hmac.update(salt);
  hmac.update(path);
  const signature = hmac.digest('base64url');

  return `https://your-imgproxy.up.railway.app/${signature}${path}`;
}

// Usage
const signedUrl = signUrl('https://example.com/photo.jpg', 'rs:fit:800:600');

Why Deploy imgproxy on Railway?

Railway is a singular platform to deploy your infrastructure stack. Railway will host your infrastructure so you don't have to deal with configuration, while allowing you to vertically and horizontally scale it.

By deploying imgproxy on Railway, you are one step closer to supporting a complete full-stack application with minimal burden. Host your servers, databases, AI agents, and more on Railway.