Serve Image with PHP Script VS Direct Loading an Image

Serve image with PHP script vs direct loading an image

You must set the content type:

header("Content-type: image/jpeg");

Then you load the image and output it like this:

$image=imagecreatefromjpeg($_GET['img']);
imagejpeg($image);

Which is faster? Serving the image using PHP or the direct file?

you can resize image in php, and cache result of resized image to use in next use

Signed URL vs serve through script for serving images or files

Using PHP (or any other language) is a good option here with no much overhead. What I would do:

using Nginx or other webserver with X-forward capabilities (see e.g. mod_xsendfile on Apache)
using the hash in GET parameter not be able to sniffed on a https channel (e.g.: http://mydomain.tld/image?hash=<randomhash>)
on page load PHP can check if the given hash is right (even without a database with a simple file_exists call to the <hash>.png/jpeg/etc.) and give back the required headers with the X-forwarded image
delete/remove unneeded images from protected folder after duration of time

What is an efficient way to serve images (PHP)?

The most obvious efficient way it to forgo PHP and let it be served directly by Apache, with caching. Is there any reason you have to keep track of images in this way you can't do with just parsing access_log's after the fact? And why no caching, I assume a new image gets a new unique id, not a rehashed old one?

That being said: if you do need database retrieval & serve it with php, it is about as efficient as you can get, although be very war of folders named by usernames, a possible security issue. Maybe cache the query result somewhere in memcached or the like, that's about it.

Serving images directly from server with getting path from PHP script

If you have mod_xsendfile installed in your Apache, you can do exactly what you need without the client seeing the path they are redirected to.

header("X-Sendfile: /path/to/your/filename");
header("Content-type: image/jpeg");

See a background article here

Alternatively, if the client is allowed to see the new URL, I don't see why using a 302 header wouldn't work:

header("Location: http://example.com/path/to/your/imagefile.jpg");
die();

Is there any significant performance hit, for serving file with PHP

The more processes involved, the more performance will suffer. So you can expect some performance hit, but how much you will need to measure and then decide if that is worth it for your auth checks. In my experience, the cost is marginal.

One thing, don't forget scaling performance: when you're tying up your PHP processes streaming files you're reducing the total number of processes available to serve other requests.

If you're worried about scale and performance, do everything you can to serve this content up-stream. For example:

Perform the auth check in PHP, then issue a redirect to a CDN with a sufficiently large keyspace (eg UUID) -- you might have to rotate files in this keyspace periodically if you're worried about people reusing these URL.
Require the auth have been performed already and have the load balancers check the auth tokens against an IdP.

When you implement it in PHP, make sure to use something like readfile with output buffering disabled. Otherwise, you're increasing the size of your web service process by the size of the content, which could cause out of memory exceptions.