From c0957fabd499493e865ba7f44fe3065ca5b08b0e Mon Sep 17 00:00:00 2001 From: TheFrenchGhosty Date: Fri, 17 Feb 2023 23:08:24 +0100 Subject: [PATCH] Various fixes and enhancements --- docs/hide-instance-behind-proxy-server.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/docs/hide-instance-behind-proxy-server.md b/docs/hide-instance-behind-proxy-server.md index 9eb2e9f..1d7de6b 100644 --- a/docs/hide-instance-behind-proxy-server.md +++ b/docs/hide-instance-behind-proxy-server.md @@ -1,5 +1,7 @@ # Hide Invidious instance behind proxy server (for escaping DMCA requests) +This tutorial has been writen by [unixfox](https://github.com/unixfox), owner of [yewtu.be](https://yewtu.be/) + ## Synopsis This tutorial will explain how to hide your Invidious (public) instance behind another server, useful for escaping the DMCA requests. 
@@ -12,12 +14,13 @@ This proxy server will only redirect the [TCP](https://en.wikipedia.org/wiki/Tra You need to proxy the HTTP protocol normally like you would already do with your current web server for invidious. But in this case from the proxy server to your existing infrastructure. Then also setup the certificates for HTTPS. - Then you optionally preserve the IP address of your clients using for example on NGINX set_real_ip_from and real_ip_header. + Then you optionally preserve the IP address of your clients using for example on NginX set_real_ip_from and real_ip_header. ## Requirements + - Your main web server should support the proxy protocol, it's possible to do it without it (later on in the tutorial). Non-exhaustive list of web servers that support it: - * NGINX (recommended web server for this tutorial) + * NginX (recommended web server for this tutorial) * Traefik * Apache ([doesn't come in the official version](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-in-apache-web-server)) * Caddy ([need to build with a custom module](https://github.com/mastercactapus/caddy2-proxyprotocol)) 
@@ -35,14 +38,14 @@ Here are some lists compiled from lowendtalk users: - https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps ([webarchive link](https://web.archive.org/web/20221007000624/https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps)) - https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps ([webarchive link](https://web.archive.org/web/20230217184607/https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps)) -I've personally chosen [BuyVM](https://buyvm.net) as it is close to my existing infrastructure and it is cheap, but please try to at least find another one, it's much better for the diversity, it's just a notice about which provider I did choose. +I personally chose [BuyVM](https://buyvm.net) as it's close to my existing infrastructure and it's cheap, but please try to at least find another one, it's much better to avoid the centralisation. Here are the recommended requirements for this proxy server: - At least 256MB of RAM in total if you are running Debian or 512MB with Ubuntu. - The **outgoing** bandwidth limit/quota should be the same as the **outgoing** bandwidth consumption of your existing server that run Invidious. Later in the tutorial I'll explain you how to reduce the bandwidth consumption on the proxy server but this won't drastically reduce it by a lot. - TLDR. If you have "unlimited" bandwidth limit it's much better. + TL;DR: If you have "unlimited" bandwidth limit it's much better. - 1 CPU core. ??? note "You can monitor the bandwidth usage of your servers using vnStat." 
@@ -72,9 +75,9 @@ You don't need to setup a new port for the HTTP (cleartext) port as the proxy pr But preserving the IP address is in my opinion essential for blocking bots, bad actors. -#### NGINX +#### NginX -In the NGINX configuration file for Invidious, just after the line `listen 443 ssl` add this line: +In the NginX configuration file for Invidious, just after the line `listen 443 ssl` add this line: ``` listen 8443 ssl proxy_protocol; set_real_ip_from PUBLIC_IPV4_ADDRESS_OF_ORIGINAL_SERVER/32; @@ -195,7 +198,7 @@ Unfortunately it only works for Firefox browsers as Chrome doesn't support the a *I'll use the terminology `original server(s)` for the server(s) of your existing infrastructure, not the proxy server.* #### Requirement -You need to have HTTP2 enabled on your web server, on NGINX it's as simple as adding `http2` in the `listen ssl` line. +You need to have HTTP2 enabled on your web server, on NginX it's as simple as adding `http2` in the `listen ssl` line. You can check that in your config or here: https://tools.keycdn.com/http2-test #### Instructions @@ -208,7 +211,7 @@ You can check that in your config or here: https://tools.keycdn.com/http2-test alt-svc: h2="original.yourdomain.com:443"; ma=86400 ``` Here is how to do it for: - - NGINX: `add_header alt-svc 'h2="original.yourdomain.com:443"; ma=86400';` + - NginX: `add_header alt-svc 'h2="original.yourdomain.com:443"; ma=86400';` - Traefik (or [read the doc](https://doc.traefik.io/traefik/middlewares/http/headers/)): `traefik.http.middlewares.altsvc.headers.customresponseheaders.alt-svc=h2="original.yourdomain.com:443"; ma=86400` - Caddy: `header alt-svc h2="original.yourdomain.com:443"; ma=86400` - Apache: `Header set alt-svc 'h2="original.yourdomain.com:443"; ma=86400'` 
@@ -223,7 +226,7 @@ You can check that in your config or here: https://tools.keycdn.com/http2-test Different web servers that support HTTP3: - Traefik, you can enable HTTP3: https://doc.traefik.io/traefik/routing/entrypoints/#http3 -- NGINX, there is a tutorial here: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/ +- NginX, there is a tutorial here: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/ - Caddy, it's already enabled by default 1. Edit the previously added HTTP header by adapting it like this:
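Review bot: (hunk `@@ -1,5 +1,7 @@`) the added attribution line has a typo, `writen` should be `written`, and the sentence lacks a terminating period; suggest `This tutorial has been written by [unixfox](https://github.com/unixfox), owner of [yewtu.be](https://yewtu.be/).`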
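Review bot: (hunk `@@ -12,12 +14,13 @@`) the mass rename of `NGINX` to `NginX` introduces a spelling the project itself does not use; the vendor writes it as `NGINX` (or lowercase `nginx` for the binary and package), and the existing `NGINX` was already consistent across the file. Suggest reverting these `- NGINX` / `+ NginX` substitutions here and in the later hunks rather than carrying a non-standard capitalisation through the whole document.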
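Review bot: (hunk `@@ -35,14 +38,14 @@`) the rewritten BuyVM sentence ends with `it's much better to avoid the centralisation`, which reads awkwardly; suggest `it's better to avoid centralising on one provider`. While this hunk is open, the unchanged context line `Later in the tutorial I'll explain you how to reduce the bandwidth consumption` could also be fixed to `I'll explain how to reduce`, since it sits between the two changed lines.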
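Review bot: (hunk `@@ -72,9 +75,9 @@`) the context line `set_real_ip_from PUBLIC_IPV4_ADDRESS_OF_ORIGINAL_SERVER/32;` looks inconsistent with the terminology the same file defines later (`original server(s)` = the existing Invidious infrastructure, not the proxy server). This directive lives in the Invidious server's configuration and names the one address whose PROXY protocol header is trusted for the client IP, which is the proxy server; trusting any other address either leaves the real client IP unapplied or, if widened, lets a connecting party assert an arbitrary source address. Please confirm the placeholder is meant to be the proxy server's address and rename it accordingly (e.g. `PUBLIC_IPV4_ADDRESS_OF_PROXY_SERVER`). As defence in depth it is also worth documenting that the new `listen 8443 ssl proxy_protocol;` port should only be reachable from that proxy address.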
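Review bot: (hunk `@@ -195,7 +198,7 @@`) since the requirement line is being edited anyway, `HTTP2` should be written `HTTP/2`, the protocol's actual name, and the same applies to `HTTP3` in the `@@ -223,7` hunk; the surrounding text already uses `h2` for the Alt-Svc token, so only the prose needs the slash.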
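Review bot: (hunk `@@ -208,7 +211,7 @@`) missing documentation: the header added here, `alt-svc: h2="original.yourdomain.com:443"; ma=86400`, publicly advertises the original server's hostname in every response, so anyone inspecting response headers learns where the instance actually runs. Given the page's stated goal of hiding the instance behind the proxy, the section should state this trade-off explicitly next to the web-server snippets, so operators can decide whether the Firefox-only bandwidth saving is worth exposing the origin name.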