Various fixes and enhancements
parent
fa8610156a
commit
c0957fabd4
|
@ -1,5 +1,7 @@
|
||||||
# Hide Invidious instance behind proxy server (for escaping DMCA requests)
|
# Hide Invidious instance behind proxy server (for escaping DMCA requests)
|
||||||
|
|
||||||
|
This tutorial has been writen by [unixfox](https://github.com/unixfox), owner of [yewtu.be](https://yewtu.be/)
|
||||||
|
|
||||||
## Synopsis
|
## Synopsis
|
||||||
|
|
||||||
This tutorial will explain how to hide your Invidious (public) instance behind another server, useful for escaping the DMCA requests.
|
This tutorial will explain how to hide your Invidious (public) instance behind another server, useful for escaping the DMCA requests.
|
||||||
|
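Review bot: the added attribution line misspells "written" as "writen" ("This tutorial has been writen by"); fix the typo before merging. The sentence also lacks a closing full stop, unlike the Synopsis sentence below it.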
@ -12,12 +14,13 @@ This proxy server will only redirect the [TCP](https://en.wikipedia.org/wiki/Tra
|
||||||
|
|
||||||
You need to proxy the HTTP protocol normally like you would already do with your current web server for invidious. But in this case from the proxy server to your existing infrastructure. Then also setup the certificates for HTTPS.
|
You need to proxy the HTTP protocol normally like you would already do with your current web server for invidious. But in this case from the proxy server to your existing infrastructure. Then also setup the certificates for HTTPS.
|
||||||
|
|
||||||
Then you optionally preserve the IP address of your clients using for example on NGINX set_real_ip_from and real_ip_header.
|
Then you optionally preserve the IP address of your clients using for example on NginX set_real_ip_from and real_ip_header.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
- Your main web server should support the proxy protocol, it's possible to do it without it (later on in the tutorial). Non-exhaustive list of web servers that support it:
|
- Your main web server should support the proxy protocol, it's possible to do it without it (later on in the tutorial). Non-exhaustive list of web servers that support it:
|
||||||
|
|
||||||
* NGINX (recommended web server for this tutorial)
|
* NginX (recommended web server for this tutorial)
|
||||||
* Traefik
|
* Traefik
|
||||||
* Apache ([doesn't come in the official version](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-in-apache-web-server))
|
* Apache ([doesn't come in the official version](https://www.scaleway.com/en/docs/tutorials/proxy-protocol-v2-load-balancer/#configuring-proxy-protocol-in-apache-web-server))
|
||||||
* Caddy ([need to build with a custom module](https://github.com/mastercactapus/caddy2-proxyprotocol))
|
* Caddy ([need to build with a custom module](https://github.com/mastercactapus/caddy2-proxyprotocol))
|
||||||
|
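Review bot: the rename from "NGINX" to "NginX" in the client-IP sentence and in the requirements list moves away from the project's own spelling, which is "NGINX" (or lowercase "nginx"); suggest keeping the previous form. Since that sentence is being touched anyway, `set_real_ip_from` and `real_ip_header` would read better in backticks, as they are directive names a reader will copy into a config file.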
@ -35,14 +38,14 @@ Here are some lists compiled from lowendtalk users:
|
||||||
- https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps ([webarchive link](https://web.archive.org/web/20221007000624/https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps))
|
- https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps ([webarchive link](https://web.archive.org/web/20221007000624/https://lowendtalk.com/discussion/181443/options-for-dmca-free-vps))
|
||||||
- https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps ([webarchive link](https://web.archive.org/web/20230217184607/https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps))
|
- https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps ([webarchive link](https://web.archive.org/web/20230217184607/https://lowendtalk.com/discussion/179472/what-are-my-options-for-a-dmca-free-vps))
|
||||||
|
|
||||||
I've personally chosen [BuyVM](https://buyvm.net) as it is close to my existing infrastructure and it is cheap, but please try to at least find another one, it's much better for the diversity, it's just a notice about which provider I did choose.
|
I personally chose [BuyVM](https://buyvm.net) as it's close to my existing infrastructure and it's cheap, but please try to at least find another one, it's much better to avoid the centralisation.
|
||||||
|
|
||||||
Here are the recommended requirements for this proxy server:
|
Here are the recommended requirements for this proxy server:
|
||||||
|
|
||||||
- At least 256MB of RAM in total if you are running Debian or 512MB with Ubuntu.
|
- At least 256MB of RAM in total if you are running Debian or 512MB with Ubuntu.
|
||||||
- The **outgoing** bandwidth limit/quota should be the same as the **outgoing** bandwidth consumption of your existing server that run Invidious.
|
- The **outgoing** bandwidth limit/quota should be the same as the **outgoing** bandwidth consumption of your existing server that run Invidious.
|
||||||
Later in the tutorial I'll explain you how to reduce the bandwidth consumption on the proxy server but this won't drastically reduce it by a lot.
|
Later in the tutorial I'll explain you how to reduce the bandwidth consumption on the proxy server but this won't drastically reduce it by a lot.
|
||||||
TLDR. If you have "unlimited" bandwidth limit it's much better.
|
TL;DR: If you have "unlimited" bandwidth limit it's much better.
|
||||||
- 1 CPU core.
|
- 1 CPU core.
|
||||||
|
|
||||||
??? note "You can monitor the bandwidth usage of your servers using vnStat."
|
??? note "You can monitor the bandwidth usage of your servers using vnStat."
|
||||||
|
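Review bot: this wording pass corrects "TLDR." and the BuyVM sentence but leaves the grammar slips in the neighbouring bandwidth item untouched: "existing server that run Invidious", "I'll explain you how" and "won't drastically reduce it by a lot". Suggest fixing them in the same commit, for example "server that runs Invidious", "I'll explain how" and "won't reduce it by much". The rewritten BuyVM sentence also still joins two clauses with a comma before "it's much better"; a full stop there would be cleaner.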
@ -72,9 +75,9 @@ You don't need to setup a new port for the HTTP (cleartext) port as the proxy pr
|
||||||
|
|
||||||
But preserving the IP address is in my opinion essential for blocking bots, bad actors.
|
But preserving the IP address is in my opinion essential for blocking bots, bad actors.
|
||||||
|
|
||||||
#### NGINX
|
#### NginX
|
||||||
|
|
||||||
In the NGINX configuration file for Invidious, just after the line `listen 443 ssl` add this line:
|
In the NginX configuration file for Invidious, just after the line `listen 443 ssl` add this line:
|
||||||
```
|
```
|
||||||
listen 8443 ssl proxy_protocol;
|
listen 8443 ssl proxy_protocol;
|
||||||
set_real_ip_from PUBLIC_IPV4_ADDRESS_OF_ORIGINAL_SERVER/32;
|
set_real_ip_from PUBLIC_IPV4_ADDRESS_OF_ORIGINAL_SERVER/32;
|
||||||
|
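Review bot: the unchanged `set_real_ip_from PUBLIC_IPV4_ADDRESS_OF_ORIGINAL_SERVER/32;` line under the renamed heading deserves a check while this section is open. `set_real_ip_from` lists the peers whose replacement address is trusted, and on the `listen 8443 ssl proxy_protocol;` port the PROXY header is sent by whatever host opens the connection. Please confirm the placeholder names the address those connections actually arrive from, and add a sentence saying so; a mismatch means the client address is silently not restored and IP-based blocking sees a single source. It would also help to say that port 8443 should only be reachable from that one address.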
@ -195,7 +198,7 @@ Unfortunately it only works for Firefox browsers as Chrome doesn't support the a
|
||||||
*I'll use the terminology `original server(s)` for the server(s) of your existing infrastructure, not the proxy server.*
|
*I'll use the terminology `original server(s)` for the server(s) of your existing infrastructure, not the proxy server.*
|
||||||
|
|
||||||
#### Requirement
|
#### Requirement
|
||||||
You need to have HTTP2 enabled on your web server, on NGINX it's as simple as adding `http2` in the `listen ssl` line.
|
You need to have HTTP2 enabled on your web server, on NginX it's as simple as adding `http2` in the `listen ssl` line.
|
||||||
You can check that in your config or here: https://tools.keycdn.com/http2-test
|
You can check that in your config or here: https://tools.keycdn.com/http2-test
|
||||||
|
|
||||||
#### Instructions
|
#### Instructions
|
||||||
|
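Review bot: the requirement line still tells readers to add `http2` to the `listen ssl` line. NGINX 1.25.1 and later deprecate that `listen` parameter in favour of a separate `http2 on;` directive and log a warning for the old form, so the sentence should mention both. The check via tools.keycdn.com depends on a third-party site; naming a local alternative next to "You can check that in your config" would keep the step self-contained.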
@ -208,7 +211,7 @@ You can check that in your config or here: https://tools.keycdn.com/http2-test
|
||||||
alt-svc: h2="original.yourdomain.com:443"; ma=86400
|
alt-svc: h2="original.yourdomain.com:443"; ma=86400
|
||||||
```
|
```
|
||||||
Here is how to do it for:
|
Here is how to do it for:
|
||||||
- NGINX: `add_header alt-svc 'h2="original.yourdomain.com:443"; ma=86400';`
|
- NginX: `add_header alt-svc 'h2="original.yourdomain.com:443"; ma=86400';`
|
||||||
- Traefik (or [read the doc](https://doc.traefik.io/traefik/middlewares/http/headers/)): `traefik.http.middlewares.altsvc.headers.customresponseheaders.alt-svc=h2="original.yourdomain.com:443"; ma=86400`
|
- Traefik (or [read the doc](https://doc.traefik.io/traefik/middlewares/http/headers/)): `traefik.http.middlewares.altsvc.headers.customresponseheaders.alt-svc=h2="original.yourdomain.com:443"; ma=86400`
|
||||||
- Caddy: `header alt-svc h2="original.yourdomain.com:443"; ma=86400`
|
- Caddy: `header alt-svc h2="original.yourdomain.com:443"; ma=86400`
|
||||||
- Apache: `Header set alt-svc 'h2="original.yourdomain.com:443"; ma=86400'`
|
- Apache: `Header set alt-svc 'h2="original.yourdomain.com:443"; ma=86400'`
|
||||||
|
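Review bot: the `alt-svc: h2="original.yourdomain.com:443"; ma=86400` header in this hunk sends every client the hostname of the original server, which the page's title says is being hidden behind the proxy. The text should state that trade-off next to the per-server snippets so operators enable it knowingly. Two smaller points on the same lines: `ma=86400` means clients keep using the advertised host for up to a day after the header is removed, and the NGINX `add_header` form shown is not inherited into a block that declares its own `add_header`, and without `always` is only sent on a limited set of response codes.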
@ -223,7 +226,7 @@ You can check that in your config or here: https://tools.keycdn.com/http2-test
|
||||||
Different web servers that support HTTP3:
|
Different web servers that support HTTP3:
|
||||||
|
|
||||||
- Traefik, you can enable HTTP3: https://doc.traefik.io/traefik/routing/entrypoints/#http3
|
- Traefik, you can enable HTTP3: https://doc.traefik.io/traefik/routing/entrypoints/#http3
|
||||||
- NGINX, there is a tutorial here: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/
|
- NginX, there is a tutorial here: https://www.nginx.com/blog/binary-packages-for-preview-nginx-quic-http3-implementation/
|
||||||
- Caddy, it's already enabled by default
|
- Caddy, it's already enabled by default
|
||||||
|
|
||||||
1. Edit the previously added HTTP header by adapting it like this:
|
1. Edit the previously added HTTP header by adapting it like this:
|
||||||
|
|