Update README to warn that when using Amazon CloudFront, query forwarding must be enabled

hanser created an issue. See original summary.

The module redirects all images.
From how i could see in the network traffic analyzation i see all elements like this:

GET image.png 301 Moved Permanently cdn.mysite.com
GET image.png 304 Not Modified mysite.com

So the images will loaded two times...

I use Apache and CloudFront cdn with Origin Pull.

Edit: if i try to enable "Far Future expiration" with .htaccess modifications, all images in my site are not loaded at all, and i see
GET image.png 301 Moved Permanently cdn.mysite.com
GET image.png 403 Forbidden mysite.com

Thanks for your reply Wim Leers.

The question is: what is pointing to www.mydomain.com/image.png? That is the real problem.
I didn't understand the question, how do i check this?

Never, if i search for the specified image in the html i only receive one element that point to the cdn.
<img src="http://www.cdn.mydomain.com/image.png">

Yeah, but tools.pingdom.com give me multiple of these:

Minimize redirects
Remove the following redirect chain if possible:
http://cdn.mydomain.com/image.png
http://www.mydomain.com/image.png

and in the firefox network monitoring i see multiple of these:

GET image.png 301 Moved Permanently cdn.mydomain.com
GET image.png 304 Not Modified mydomain.com

So... is this a normal behavior of this module if inspected with this tool and network monitoring ?

Thanks.

Ok i've finally fixed this issue(and not only this) by forwarding the ?itok security token in the CDN, that was introduced after drupal 7.20.
https://www.drupal.org/drupal-7.20-release-notes

I think that we need to add this in the documentation, because not all cdn services can forward the query urls, and in this case we need to completely disable them to make drupal able to work with cdn and images.

$conf['image_suppress_itok_output'] = TRUE;
$conf['image_allow_insecure_derivatives'] = TRUE;

(with all security risks)

I've yet to see one that does not. All CDNs I know of do this by default IIRC. Which CDN are you using?

Hi Win, i use Amazon CloudFront and query forwarding is not enabled by default, but can do it easily.

...but i think that some others or "custom" cdn may not do this easily.
I had trouble for some days to understanding that CloudFront need this settings for work with drupal.

As much as I hate ?itok=…, that's a dangerous recommendation.

Yeah, it's true, i just mentioned it for completeness of information.