This repository serves as a showcase and example configuration for deploying the mochify/mochify-lite container.
mochify-lite is a privacy-first, high-performance image optimization service built with C++ and the Drogon framework. It is designed for high-security infrastructure with a focus on zero-persistence and RAM-only processing.
- Privacy-First: Zero-persistence design. Images are processed in RAM and never written to disk.
- High Performance: Built on the C++ Drogon framework for low-latency responses.
- Format Support: Optimized for JPEG and PNG (up to 10 MB per image).
- Secure by Default: Designed to run with a read-only filesystem, dropping all capabilities and using `tmpfs` for scratch space.
- Resource Efficient: Single-threaded design ideal for low-resource VPS or sidecar deployments.
A production-ready docker-compose.yml is included in this repository. It is pre-configured with security hardening measures appropriate for a public-facing microservice.
The provided compose file utilizes several advanced Docker security features:
- `read_only: true`: The container's root filesystem is locked and immutable.
- `tmpfs`: A 512MB RAM disk is mounted at `/app/temp_ram_buffer` for transient processing data. This ensures no data survives a container restart.
- `security_opt: no-new-privileges`: Prevents the process from gaining additional privileges.
- `cap_drop: ALL`: Drops all Linux capabilities for maximum isolation.
- `user: 1000:1000`: Runs the process as a non-root user.

```bash
docker-compose up -d
```

The service will start on port 5555.
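To confirm that a running container really carries the hardening settings listed above, the `docker inspect` output can be audited. The script below is an added example, not part of this repository; the sample JSON is constructed, and the extra `CapAdd` check goes slightly beyond the five settings named in this README.

```python
import json
import sys

TMPFS_PATH = "/app/temp_ram_buffer"  # scratch mount point named in this README

# Constructed sample: trimmed `docker inspect` output for a container
# started with the hardening options described above.
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": "1000:1000"},
    "HostConfig": {
        "ReadonlyRootfs": True,
        "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges:true"],
        "Tmpfs": {TMPFS_PATH: "size=512m"},
    },
}])


def audit(inspect_json):
    """Return a list of hardening findings; an empty list means every check passed."""
    findings = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig") or {}
        user = (c.get("Config") or {}).get("User") or ""
        if not host.get("ReadonlyRootfs"):
            findings.append("root filesystem is writable (read_only not set)")
        if TMPFS_PATH not in (host.get("Tmpfs") or {}):
            findings.append("no tmpfs at %s; scratch data may reach disk" % TMPFS_PATH)
        # The option may appear bare or with a ":true" / "=true" suffix.
        opts = [o.replace("=", ":").lower() for o in (host.get("SecurityOpt") or [])]
        if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
            findings.append("no-new-privileges is not set")
        if "ALL" not in [cap.upper() for cap in (host.get("CapDrop") or [])]:
            findings.append("capabilities not fully dropped (cap_drop: ALL missing)")
        if host.get("CapAdd"):
            findings.append("capabilities added back: %s" % ", ".join(host["CapAdd"]))
        if user.split(":")[0] in ("", "0", "root"):
            findings.append("container runs as root (user not set)")
    return findings


if __name__ == "__main__":
    # Audit piped `docker inspect` output, or the constructed sample if none is given.
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    problems = audit(raw if raw.strip() else SAMPLE_INSPECT)
    print("\n".join(problems) if problems else "all hardening checks passed")
    sys.exit(1 if problems else 0)
```

Pipe the output of `docker inspect <container>` into the script; it exits non-zero when any setting is missing, so it can gate a deployment step.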
We provide a recommended Nginx configuration in config/nginx.conf that aligns with the "Privacy Ethos" of Mochify.
If you are proxying traffic to Mochify, we strongly recommend disabling request buffering. Standard reverse proxies often buffer the entire request body (the image) to disk before sending it to the upstream server. This defeats the purpose of a RAM-only processing pipeline.
- Speed Ethos (No Disk I/O):

  ```nginx
  proxy_request_buffering off;
  proxy_buffering off;
  ```

  This forces Nginx to stream the data directly to Mochify's RAM buffer, skipping the disk entirely and reducing latency. It also prevents a potential data leak on Nginx's side: since the container itself does not create temp files for uploads, this ensures the proxy doesn't undermine that privacy guarantee by writing request bodies to disk.

- Privacy Ethos:
  - `server_tokens off;` to hide server version.
  - Strict headers to prevent sniffing or embedding.

- Large Upload Support:
  - `client_max_body_size 10M;` to match the backend limit.
Once the container is running, you can optimize images using a simple HTTP POST request.
Using curl:
```bash
curl -X POST "http://localhost:5555/v1/squish" \
  -H "Content-Type: image/jpeg" \
  --data-binary "@your-image.jpg" \
  --output optimized.jpg
```

Note: The Content-Type header must match the input file type (image/jpeg or image/png).
Need more power or don't want to manage infrastructure?
Check out Mochify.xyz for our enterprise-grade managed service.
- Advanced Compression: Uses Jpegli for superior density and quality.
- More Formats: Support for AVIF, WebP, and JPEG XL (JXL).
- Higher Limits: Process uncompressed images larger than 20MB.
- High Availability: Global distribution with multi-threaded, AVX512-optimized processing.