Various fixes and enhancements

This commit is contained in:
TheFrenchGhosty 2023-02-17 23:08:24 +01:00
parent fa8610156a
commit c0957fabd4
GPG Key ID: 4E616F0FFE25B75B
1 changed files with 12 additions and 9 deletions


@ -1,5 +1,7 @@
# Hide Invidious instance behind proxy server (for escaping DMCA requests)
This tutorial has been writen by [unixfox](https://github.com/unixfox), owner of [yewtu.be](https://yewtu.be/)
## Synopsis
This tutorial will explain how to hide your Invidious (public) instance behind another server, useful for escaping the DMCA requests.
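Review bot: the added attribution line has a typo, `writen` should be `written`; while touching it, a trailing period would match the sentences around it.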
@ -12,12 +14,13 @@ This proxy server will only redirect the [TCP](https://en.wikipedia.org/wiki/Tra
You need to proxy the HTTP protocol normally like you would already do with your current web server for invidious. But in this case from the proxy server to your existing infrastructure. Then also setup the certificates for HTTPS.
Then you optionally preserve the IP address of your clients using for example on NGINX set_real_ip_from and real_ip_header.
Then you optionally preserve the IP address of your clients using for example on NginX set_real_ip_from and real_ip_header.
## Requirements
- Your main web server should support the proxy protocol, it's possible to do it without it (later on in the tutorial). Non-exhaustive list of web servers that support it:
* NGINX (recommended web server for this tutorial)
* NginX (recommended web server for this tutorial)
* Traefik
* Apache ([doesn't come in the official version](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-in-apache-web-server))
* Caddy ([need to build with a custom module](https://github.com/mastercactapus/caddy2-proxyprotocol))
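Review bot: the rename from `NGINX` to `NginX` (here and in the later hunks) moves away from the product's own spelling, which is `NGINX` in the vendor's material and `nginx` for the binary and package; either of those reads as correct, `NginX` does not, so I would revert the rename. In the unchanged line above it, "setup the certificates" should be "set up the certificates" (verb).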
@ -35,14 +38,14 @@ Here are some lists compiled from lowendtalk users:
- https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps ([webarchive link](https://web.archive.org/web/20221007000624/https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps))
- https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps ([webarchive link](https://web.archive.org/web/20230217184607/https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps))
I've personally chosen [BuyVM](https://buyvm.net) as it is close to my existing infrastructure and it is cheap, but please try to at least find another one, it's much better for the diversity, it's just a notice about which provider I did choose.
I personally chose [BuyVM](https://buyvm.net) as it's close to my existing infrastructure and it's cheap, but please try to at least find another one, it's much better to avoid the centralisation.
Here are the recommended requirements for this proxy server:
- At least 256MB of RAM in total if you are running Debian or 512MB with Ubuntu.
- The **outgoing** bandwidth limit/quota should be the same as the **outgoing** bandwidth consumption of your existing server that run Invidious.
Later in the tutorial I'll explain you how to reduce the bandwidth consumption on the proxy server but this won't drastically reduce it by a lot.
TLDR. If you have "unlimited" bandwidth limit it's much better.
TL;DR: If you have "unlimited" bandwidth limit it's much better.
- 1 CPU core.
??? note "You can monitor the bandwidth usage of your servers using vnStat."
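Review bot: the reworded BuyVM sentence reads better without the article: "it's much better to avoid centralisation". The unchanged lines just below also need small fixes: "your existing server that run Invidious" should be "that runs Invidious", "I'll explain you how" should be "I'll explain how", and "won't drastically reduce it by a lot" says the same thing twice, so "won't reduce it drastically" is enough.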
@ -72,9 +75,9 @@ You don't need to setup a new port for the HTTP (cleartext) port as the proxy pr
But preserving the IP address is in my opinion essential for blocking bots, bad actors.
#### NGINX
#### NginX
In the NGINX configuration file for Invidious, just after the line `listen 443 ssl` add this line:
In the NginX configuration file for Invidious, just after the line `listen 443 ssl` add this line:
```
listen 8443 ssl proxy_protocol;
set_real_ip_from PUBLIC_IPV4_ADDRESS_OF_ORIGINAL_SERVER/32;
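Review bot: the placeholder in the unchanged `set_real_ip_from PUBLIC_IPV4_ADDRESS_OF_ORIGINAL_SERVER/32;` line looks like it points at the wrong host: this config lives on the Invidious server, and `set_real_ip_from` must list the address of the peer that sends the PROXY protocol header, which in this setup is the new proxy server, so a name like `PUBLIC_IPV4_ADDRESS_OF_PROXY_SERVER` would be clearer. It is also worth a sentence that the `/32` is deliberate: widening it lets anyone who reaches port 8443 directly supply an arbitrary client address, which undoes the IP-based bot blocking this section motivates.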
@ -195,7 +198,7 @@ Unfortunately it only works for Firefox browsers as Chrome doesn't support the a
*I'll use the terminology `original server(s)` for the server(s) of your existing infrastructure, not the proxy server.*
#### Requirement
You need to have HTTP2 enabled on your web server, on NGINX it's as simple as adding `http2` in the `listen ssl` line.
You need to have HTTP2 enabled on your web server, on NginX it's as simple as adding `http2` in the `listen ssl` line.
You can check that in your config or here: https://tools.keycdn.com/http2-test
#### Instructions
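Review bot: same spelling remark as above for `NginX`; independently, "HTTP2" should be written "HTTP/2" in the requirement sentence, matching how the protocol is named elsewhere and in the keycdn test page it links to.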
@ -208,7 +211,7 @@ You can check that in your config or here: https://tools.keycdn.com/http2-test
alt-svc: h2="original.yourdomain.com:443"; ma=86400
```
Here is how to do it for:
- NGINX: `add_header alt-svc 'h2="original.yourdomain.com:443"; ma=86400';`
- NginX: `add_header alt-svc 'h2="original.yourdomain.com:443"; ma=86400';`
- Traefik (or [read the doc](https://doc.traefik.io/traefik/middlewares/http/headers/)): `traefik.http.middlewares.altsvc.headers.customresponseheaders.alt-svc=h2="original.yourdomain.com:443"; ma=86400`
- Caddy: `header alt-svc h2="original.yourdomain.com:443"; ma=86400`
- Apache: `Header set alt-svc 'h2="original.yourdomain.com:443"; ma=86400'`
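Review bot: the unchanged Caddy line `header alt-svc h2="original.yourdomain.com:443"; ma=86400` does not look like it sets the header: the Caddyfile `header` directive takes `<field> <value>` or `<field> <find> <replace>`, and an unquoted value containing a space splits into two tokens, so this would be parsed as a find/replace pair rather than a set. Quoting the whole value, e.g. `header alt-svc "h2=\"original.yourdomain.com:443\"; ma=86400"`, avoids that. A short caveat next to the example would also help readers: the `alt-svc` header hands `original.yourdomain.com` to every client, so this bandwidth optimisation necessarily discloses the origin hostname that the rest of the tutorial is about hiding.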
@ -223,7 +226,7 @@ You can check that in your config or here: https://tools.keycdn.com/http2-test
Different web servers that support HTTP3:
- Traefik, you can enable HTTP3: https://doc.traefik.io/traefik/routing/entrypoints/#http3
- NGINX, there is a tutorial here: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/
- NginX, there is a tutorial here: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/
- Caddy, it's already enabled by default
1. Edit the previously added HTTP header by adapting it like this:
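Review bot: same `NginX` spelling remark; also "HTTP3" should be "HTTP/3" in the list heading, and the NGINX link points at the preview QUIC packages, which the list item could say explicitly so readers do not expect a stable build.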