Images

How to build on-the-fly image creation logic in a distributed system?

Greetings, %name%.
How to correctly build the logic of a secure mechanism for creating images on the fly?
In my architecture, all images are served from a separate domain.
For example img.site.com/user/ab/cd/abcd22352435245.jpg
You need to be able to get thumbnails of dynamic sizes.
In the course of reflection, I came up with this recipe:
1. In the link to the image, you can specify what we want.
For example: img.site.com/user/ab/cd/[email protected]
2. Next, Nginx tries to find the file, and if it doesn't find it, it redirects to the php handler.
3. The handler generates an image and gives it to the client after saving it to disk so that the next time php does not start.
But there is one drawback in all this - you can fill the server with copies of the image from the client.
Alternatively, you can allow only certain sizes to be generated. But I will not specify the allowed sizes for each picture.
It was also an idea when building an html response to collect all the paths of the images required on the page and from the server, before returning the html client, send an API request to the image server with the "Create these sizes" command. But this will greatly slow down the responses to the client.
The third option I consider is encryption in the name of the picture of data about its original and the required dimensions.
For example, there is a file: http://img.site.com/cache/{base64hash}.jpg
{base64hash} is a hash that says "/path/to/origin.jpg:100x100:salt"
If Nginx sees that there is no picture, it will transfer the work to php and the name will be decrypted there, we will understand what is required, create a file and give the picture. Will there be problems with the length of the file name?
How to solve this problem competently, taking into account all the nuances?