When imgix receives a request for an asset that is not cached, we'll first try to retrieve the asset from your Source's origin. Because of this, it's important to ensure that imgix has unrestricted and unobstructed access to your origin files.

Asset Availability

The asset should be available as soon as it has been completely uploaded to the Origin. If imgix sees that the asset is not available, it will return a 404 and cache the response. By default, the error cached TTL is 5 minutes. imgix will cache error responses according to the error cache TTL set in your Source settings.

Once the asset has been served, it can take up to an hour for numbers to update in your Dashboard Analytics. Analytics for any error codes will show up once the asset causing the error code has been served successfully.

Identifying requests from imgix

In order to ensure requests succeed from imgix to your origin, you may first need to identify which requests to your origin are actually coming from imgix. You can ID these requests by looking for either our user-agent or IP address range.

Every request made from imgix to your origin will include the user-agent imgix/* in the header of the request.

Additionally, imgix uses these IP ranges for making requests to your origin:

  • 104.129.144.0/22
  • 194.38.4.0/22

These IP addresses are current as of April 02, 2021, though they are expected to change in the future. Any future changes will be reflected and updated in this document.

If you are using these IP addresses to allow imgix to access your origin assets, you can subscribe using this form to be alerted of any scheduled changes to the IP addresses.

This information can be used in a few different ways, such as putting imgix on an allowlist or setting up different security rules for requests coming from imgix.

Allowlisting imgix

Some customers prefer that their origin servers are not publicly accessible. In the case of S3, Azure and GCS Sources, imgix is able to successfuly retrieve assets from those protected buckets by using valid credentials entered on the Source configuration page. However, in the case of Web Folder and Web Proxy Sources, such security settings can prevent imgix from being able to retrieve assets. If the service is unable to retrieve an asset from the origin, then we will return a 403 error.

The best method of making sure imgix can pull assets from your origin is by allowlisting our user agent. Since our user-agent is not expected to change anytime in the future, this is the recommended method of allowlisting for future compatibility.

However, allowlisting by user-agent is not as secure as allowlisting by IP address. This is because the user-agent is easy to spoof, while the IP address is not.

Most origins have the ability to put imgix's user-agent or IP address on an allowlist.

Disable Rate Limits

It's common to have some security measures against a large number of synchronous requests to different URLs on your origin. This often manifests as an error being returned from your origin once the number of requests have reached a threshold from the same IP address.

With imgix, there is a low chance of this issue occurring since requests will often hit our cache more often than it will hit your origin. However, in cases where a large number of URLs are added or when a new Source is exposed to a large amount of traffic, it's not uncommon for your origin to impose a rate limit against imgix.

Such issues are often temporary. Regardless, if you have any rate limits in place, you may want look into exempting imgix from those limits.

Foreign Characters and Character Encoding

When file names use foreign characters, imgix will encode the file name and attempt to retrieve it at the encoded path. As a result, if that encoded path returns a 404​, imgix will also return the asset as a 404. Ideally, the origin should automatically route the request to the encoded filepath.

Additionally, assets that are served using encoded characters instead of the original characters can result in issues with purging. For example, assets that are served with /%2f instead of / will be recognized as two different asset URLs due to RFC spec 3.2.3 concerning URI comparisons. As a result, purging the asset that uses encoded characters may not purge their non-encoded variants depending on whether or not URL unsafe characters are used.

AWS S3 supported regions

Amazon's Storage Service (S3) allows storing data at a specific geographical region. An imgix AWS S3 Source can connect to a bucket in one of the supported regions listed in the table below.

Region Name S3 Region
US East N. Virginia us-east-1
US East Ohio us-east-2
US West N. California us-west-1
US West Oregon us-west-2
Asia Pacific Hong Kong ap-east-1
Asia Pacific Mumbai ap-south-1
Asia Pacific Tokyo ap-northeast-1
Asia Pacific Seoul ap-northeast-2
Asia Pacific Osaka ap-northeast-3
Asia Pacific Singapore ap-southeast-1
Asia Pacific Sydney ap-southeast-2
Canada Central ca-central-1
EU Frankfurt eu-central-1
EU Ireland eu-west-1
EU London eu-west-2
EU Paris eu-west-3
EU Stockholm eu-north-1
South America Sao Paulo sa-east-1
Middle East Bahrain me-south-1

Known Issues for Specific Origins

There are some known compability issues when fetching from certain Web Folder or Web Proxy Origins, which we have documented below.

Imperva

Imperva is a well-known security platform that is commonly used to protect access to online assets.

One of their security features is to block and prevent access to assets by bots. This is done by sending a "garbage" cookie header value which prevents the bot from completing a request.

Unfortunately, this security feature also blocks the imgix rendering service from accessing files from an Imperva-fronted Origin. Unless it is properly configured, requests to an imgix Source using an Imperva Origin can return a 503 error.

To prevent this issue, we recommend either:

  • Bypassing Imperva by connecting your imgix Source directly to the Origin
  • Allowlisting imgix so the imgix rendering service can access assets through Imperva
  • Contacting Imperva support to turn off the security feature which blocks bot access

IPFS

IPFS stands for Interplanetary File System, and is a decentralized file system that relies on a peer-to-peer hypermedia protocol.

Due to the nature of IPFS, timeout errors can be be observed for a small number of Origin fetches to an IPFS Origin depending on which peer is returning the file. These errors are related to the timing response and availability of a file as we fetch the file from the Origin, and is expected to succeed on subsequent retries as long as the file is available.

Once a file is fetched, it will be cached in the imgix rendering service for some time, reducing the chances of timeout errors and the number of calls to the IPFS Origin.

You can reduce the number of requests to IPFS Origins and therefore increase your deliverability success rate by optimizing your caching settings in your imgix Source. The suggested value for cache TTL is 1 year.