Image Access
IIPImage allows you to protect your original images as they do not need to be directly accessible to a user via the web server (Apache, Lightttpd etc). A public user does not need to have download access to the full resolution image file – only the IIPImage server needs to. Images, therefore, do not need to be in the web server document root or in any subdirectory of it. The images can be stored in any directory (or even remote directory mounted via NFS or Samba etc) on the machine on which the IIPImage server iipsrv executable runs. You can also use the operating system’s access control to grant read access permission to the iipsrv process for specific directories or images only.
iipsrv also has configuration parameters that can further improve security. The FILESYSTEM_PREFIX and FILESYSTEM_SUFFIX environment parameters allow you to specify a prefix to the image path and a suffix to the file name. It is, therefore, possible to store the images at a file system location such as: /images/tiffs/
and set FILESYSTEM_PREFIX to this path, which allows public image requests to be made without any directory path. For example, for an image in /images/tiffs/image1.tif, a resulting IIIF request would simply:
http://your.server/iiif/image1.tif/full/500,/0/default.jpg
If you also set FILESYSTEM_SUFFIX to “.tif”, you will be able to simplify the request even further:
http://your.server/iiif/image1/full/500,/0/default.jpg
Proxying
The IIPImage instance can run on a separate machine to that hosting the web server front-end, adding a further level of security and, indeed, potentially improving performance. Most web servers are able to forward FCGI requests to another host. For example, to configure Apache to forward FCGI requests to the standard FCGI port on a iipsrv running on another server:
ProxyPass "/fcgi-bin/iipsrv.fcgi" "fcgi://iipsrv.host:9000/"
Note that it is only necessary to forward FCGI connections, not the full HTTP request. For more details of how to proxy, see the proxy section of the server documentation.
Dynamic Watermarking
The IIPImage server is able to perform dynamic watermarking without the need to modify the source image. The watermark is dynamically added server-side to each tile that is streamed to the client with user-defined levels of transparency. It’s also possible to set a level of probability that a particular tile will have a watermark applied to it if you do not wish to have a watermark applied to every single tile. You can see a demo of dynamic watermarking in action on the demo page.
The server supports three watermarking related parameters:
WATERMARK TIFF image to use as watermark file.
WATERMARK_PROBABILITY The probability that a particular tile will have a watermark applied to it. 0 means never, 1 means always.
WATERMARK_OPACITY The opacity (between 0 and 1) applied to the watermark image.
The watermark file must be a TIFF image which can be greyscale or color, either 8 or 16 bit and can optionally include an alpha channel. The watermark should be not bigger than the tile size used for the source TIFF or JPEG2000 tiling (typically 256 pixels for both width and height). If bigger, the watermark will simply be cropped to the image tile size. If the watermark is smaller, the watermark will be positioned randomly within the available space. This randomness adds an extra level of security, making any automated watermark removal far more difficult. The watermark is simply added pixel by pixel to the image data, taking into account the WATERMARK_OPACITY parameter and any alpha channel included in the watermark. Thus, the watermarked image for a given pixel i:
output image[i] = source image[i] +
( watermark image[i] * alpha channel[i] * watermark opacity parameter )
Thus, you should avoid using white backgrounds in your watermark, unless you have a suitable alpha channel. Furthermore, your watermark logo or text should not be black (pixel value = 0) as the pixel values are added to the output. If you have trouble creating your watermark, you can download an example watermark file here.
