From eb62697497dad40694d0c4b5442435a8657451c7 Mon Sep 17 00:00:00 2001 From: FireMasterK <20838718+FireMasterK@users.noreply.github.com> Date: Sat, 25 Sep 2021 14:44:58 +0100 Subject: [PATCH] Add support for nginx without a TLS reverse proxy. --- configure-instance.sh | 6 +- template/Caddyfile | 120 +++++++++--------- ...r-compose.yml => docker-compose.caddy.yml} | 0 template/docker-compose.nginx.yml | 71 +++++++++++ template/nginx.conf | 31 +++++ template/pipedapi.conf | 10 ++ template/pipedfrontend.conf | 10 ++ template/pipedproxy.conf | 16 +++ template/ytproxy.conf | 23 ++++ 9 files changed, 225 insertions(+), 62 deletions(-) rename template/{docker-compose.yml => docker-compose.caddy.yml} (100%) create mode 100644 template/docker-compose.nginx.yml create mode 100644 template/nginx.conf create mode 100644 template/pipedapi.conf create mode 100644 template/pipedfrontend.conf create mode 100644 template/pipedproxy.conf create mode 100644 template/ytproxy.conf diff --git a/configure-instance.sh b/configure-instance.sh index 0c1eedb..68ddbf5 100755 --- a/configure-instance.sh +++ b/configure-instance.sh @@ -7,7 +7,11 @@ read backend echo "Enter a hostname for the Proxy (eg: pipedproxy.kavin.rocks):" read proxy +echo "Enter the reverse proxy you would like to use (either caddy or nginx):" +read reverseproxy + rm -rf config/ +rm -f docker-compose.yml cp -r template/ config/ @@ -15,4 +19,4 @@ sed -i "s/FRONTEND_HOSTNAME/$frontend/g" config/* sed -i "s/BACKEND_HOSTNAME/$backend/g" config/* sed -i "s/PROXY_HOSTNAME/$proxy/g" config/* -mv config/docker-compose.yml docker-compose.yml +mv config/docker-compose.$reverseproxy.yml docker-compose.yml diff --git a/template/Caddyfile b/template/Caddyfile index 0a7c15b..df6f47b 100644 --- a/template/Caddyfile +++ b/template/Caddyfile 
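Review bot: The value read into `reverseproxy` in the first hunk is used unvalidated and unquoted in the second hunk's `mv config/docker-compose.$reverseproxy.yml docker-compose.yml`, after `rm -f docker-compose.yml` has already removed the previous compose file, so a typo or an unexpected answer leaves the instance with no docker-compose.yml and mv's error message as the only hint. Validate the answer right after `read reverseproxy`, before anything is deleted, e.g. `case "$reverseproxy" in caddy|nginx) ;; *) echo "Unsupported reverse proxy: $reverseproxy" >&2; exit 1;; esac`, and quote the expansion in the mv line as `"config/docker-compose.$reverseproxy.yml"`. The rest of the script (the earlier prompts and the sed calls) lies outside the two hunks.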
@@ -1,88 +1,86 @@ { - servers :443 { - protocol { - experimental_http3 - } - } + servers :443 { + protocol { + experimental_http3 + } + } } FRONTEND_HOSTNAME { - reverse_proxy pipedfrontend:80 - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() + reverse_proxy pipedfrontend:80 + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() - # enable HSTS - Strict-Transport-Security max-age=31536000; + # enable HSTS + Strict-Transport-Security max-age=31536000; - # keep referrer data off - Referrer-Policy no-referrer + # keep referrer data off + Referrer-Policy no-referrer - # prevent for appearing in search engine for private instances (option) - #X-Robots-Tag noindex - } + # prevent for appearing in search engine for private instances (option) + #X-Robots-Tag noindex + } } BACKEND_HOSTNAME { - reverse_proxy varnish:80 - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() + reverse_proxy varnish:80 + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() - # enable HSTS - Strict-Transport-Security max-age=31536000; + # enable HSTS + Strict-Transport-Security max-age=31536000; - # keep referrer data off - Referrer-Policy no-referrer + # keep referrer data off + Referrer-Policy no-referrer - # prevent for appearing in search engine for private instances (option) - #X-Robots-Tag noindex - } + # prevent for appearing in search engine for private instances (option) + #X-Robots-Tag noindex + } } PROXY_HOSTNAME { + @ytproxy path /videoplayback* /api/v4/* /api/manifest/* - @ytproxy path /videoplayback* /api/v4/* /api/manifest/* + @optionscall { + method OPTIONS + } - @optionscall { - method OPTIONS - } + header { + Access-Control-Allow-Origin * + Access-Control-Allow-Headers * - header { - Access-Control-Allow-Origin * - Access-Control-Allow-Headers * - - # disable FLoC tracking - Permissions-Policy interest-cohort=() + # disable FLoC tracking + Permissions-Policy interest-cohort=() - # 
enable HSTS - Strict-Transport-Security max-age=31536000; + # enable HSTS + Strict-Transport-Security max-age=31536000; - # keep referrer data off - Referrer-Policy no-referrer + # keep referrer data off + Referrer-Policy no-referrer - # prevent for appearing in search engine for private instances (option) - #X-Robots-Tag noindex - } + # prevent for appearing in search engine for private instances (option) + #X-Robots-Tag noindex + } - route { + route { + header @ytproxy { + Cache-Control private always + } - header @ytproxy { - Cache-Control private always - } + header / { + Cache-Control "public, max-age=604800" + } - header / { - Cache-Control "public, max-age=604800" - } + respond @optionscall 200 - respond @optionscall 200 - - reverse_proxy unix//var/run/ytproxy/http-proxy.sock { - header_up -CF-Connecting-IP - header_up -X-Forwarded-For - header_down -Access-Control-Allow-Origin - header_down -etag - header_down -alt-svc - } - } + reverse_proxy unix//var/run/ytproxy/http-proxy.sock { + header_up -CF-Connecting-IP + header_up -X-Forwarded-For + header_down -Access-Control-Allow-Origin + header_down -etag + header_down -alt-svc + } + } } diff --git a/template/docker-compose.yml b/template/docker-compose.caddy.yml similarity index 100% rename from template/docker-compose.yml rename to template/docker-compose.caddy.yml diff --git a/template/docker-compose.nginx.yml b/template/docker-compose.nginx.yml new file mode 100644 index 0000000..2cf0242 --- /dev/null +++ b/template/docker-compose.nginx.yml 
@@ -0,0 +1,71 @@
+services:
+ pipedfrontend:
+ image: 1337kavin/piped-frontend:latest
+ restart: unless-stopped
+ depends_on:
+ - piped
+ container_name: piped-frontend
+ entrypoint: ash -c 'sed -i s/pipedapi.kavin.rocks/BACKEND_HOSTNAME/g /usr/share/nginx/html/js/* && /docker-entrypoint.sh && nginx -g "daemon off;"'
+ ytproxy:
+ image: 1337kavin/ytproxy:latest
+ restart: unless-stopped
+ volumes:
+ - ytproxy:/app/socket
+ container_name: ytproxy
+ piped:
+ image: 1337kavin/piped:latest
+ restart: unless-stopped
+ volumes:
+ - ./config/config.properties:/app/config.properties:ro
+ depends_on:
+ - postgres
+ container_name: piped-backend
+ varnish:
+ image: varnish:7.0-alpine
+ restart: unless-stopped
+ volumes:
+ - ./config/default.vcl:/etc/varnish/default.vcl:ro
+ container_name: varnish
+ depends_on:
+ - piped
+ nginx:
+ image: nginx:mainline-alpine
+ restart: unless-stopped
+ ports:
+ - "8080:80"
+ volumes:
+ - ./config/nginx.conf:/etc/nginx/nginx.conf:ro
+ - ./config/pipedapi.conf:/etc/nginx/conf.d/pipedapi.conf:ro
+ - ./config/pipedproxy.conf:/etc/nginx/conf.d/pipedproxy.conf:ro
+ - ./config/pipedfrontend.conf:/etc/nginx/conf.d/pipedfrontend.conf:ro
+ - ./config/ytproxy.conf:/etc/nginx/snippets/ytproxy.conf:ro
+ - ytproxy:/var/run/ytproxy
+ container_name: nginx
+ depends_on:
+ - piped
+ - varnish
+ - ytproxy
+ - pipedfrontend
+ postgres:
+ image: postgres:13-alpine
+ restart: unless-stopped
+ volumes:
+ - ./data/db:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_DB=piped
+ - POSTGRES_USER=piped
+ - POSTGRES_PASSWORD=changeme
+ container_name: postgres
+ watchtower:
+ image: containrrr/watchtower
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /etc/timezone:/etc/timezone:ro
+ environment:
+ - WATCHTOWER_CLEANUP=true
+ - WATCHTOWER_INCLUDE_RESTARTING=true
+ container_name: watchtower
+ command: piped-frontend piped-backend ytproxy varnish nginx postgres watchtower
+volumes:
+ ytproxy:
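Review bot: The nginx service in this hunk publishes `"8080:80"` without a bind address, so the plaintext listener is reachable on every host interface, while the commit message says a separate TLS reverse proxy is expected in front of it. If that front proxy runs on the same host, binding to loopback with `- "127.0.0.1:8080:80"` keeps the unencrypted port off the network; if it runs elsewhere, a comment above `ports:` stating that the port is expected to be firewalled would document the assumption. The `POSTGRES_PASSWORD=changeme` default and the docker.sock mount for watchtower appear to be carried over from the renamed caddy compose file rather than introduced here.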
diff --git a/template/nginx.conf b/template/nginx.conf
new file mode 100644
index 0000000..28d54bf
--- /dev/null
+++ b/template/nginx.conf
@@ -0,0 +1,31 @@
+user root;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ tcp_nodelay on;
+
+ keepalive_timeout 65;
+
+ gzip on;
+
+ include /etc/nginx/conf.d/*.conf;
+}
diff --git a/template/pipedapi.conf b/template/pipedapi.conf
new file mode 100644
index 0000000..e039caf
--- /dev/null
+++ b/template/pipedapi.conf
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ server_name BACKEND_HOSTNAME;
+
+ location / {
+ proxy_pass http://varnish:80;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "keep-alive";
+ }
+}
diff --git a/template/pipedfrontend.conf b/template/pipedfrontend.conf
new file mode 100644
index 0000000..8e3d442
--- /dev/null
+++ b/template/pipedfrontend.conf
@@ -0,0 +1,10 @@
+server {
+ listen 80;
+ server_name FRONTEND_HOSTNAME;
+
+ location / {
+ proxy_pass http://pipedfrontend:80;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "keep-alive";
+ }
+}
diff --git a/template/pipedproxy.conf b/template/pipedproxy.conf
new file mode 100644
index 0000000..9baba2e
--- /dev/null
+++ b/template/pipedproxy.conf
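Review bot: `user root;` at the top of the nginx.conf hunk makes nginx's worker processes run as root inside the container, whereas the upstream image's stock configuration runs them as the unprivileged `nginx` user; the workers are the processes that parse client requests, so this widens the impact of any bug in nginx or its modules. The likely reason is write access to the ytproxy unix socket at `/var/run/ytproxy/http-proxy.sock` that ytproxy.conf proxies to, but the socket's ownership and mode are not visible in this diff, so please confirm. If that is the case, prefer `user nginx;` and make the socket accessible to that user (group ownership or mode on the ytproxy side), with a comment such as `# workers need access to /var/run/ytproxy/http-proxy.sock` explaining whatever permission arrangement is chosen.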
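Review bot: The `location /` in the pipedapi.conf hunk, and identically in the pipedfrontend.conf hunk that follows, proxies without `proxy_set_header Host $host;` or `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, so the upstream sees `Host: varnish` (resp. `Host: pipedfrontend`) and nginx's own address as the client, whereas the Caddy `reverse_proxy` this replaces preserves Host and adds X-Forwarded-For by default. Whether varnish or the backend keys caching, rate limiting or logging on those values I cannot tell from the diff, so confirm before relying on it. The `Permissions-Policy`, `Referrer-Policy` and HSTS response headers that the Caddyfile sets for these hostnames also have no counterpart here; HSTS belongs on the TLS terminator in this deployment model, but the other two could be added as `add_header` lines in both server blocks, or a comment could record that they are expected from the front proxy.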
@@ -0,0 +1,16 @@
+server {
+ listen 80;
+ server_name PROXY_HOSTNAME;
+
+ location ~ (/videoplayback|/api/v4/|/api/manifest/) {
+ include snippets/ytproxy.conf;
+ add_header Cache-Control private always;
+ proxy_hide_header Access-Control-Allow-Origin;
+ }
+
+ location / {
+ include snippets/ytproxy.conf;
+ add_header Cache-Control "public, max-age=604800";
+ proxy_hide_header Access-Control-Allow-Origin;
+ }
+}
diff --git a/template/ytproxy.conf b/template/ytproxy.conf
new file mode 100644
index 0000000..2062f64
--- /dev/null
+++ b/template/ytproxy.conf
@@ -0,0 +1,23 @@
+add_header Access-Control-Allow-Origin *;
+add_header Access-Control-Allow-Headers *;
+if ($request_method = OPTIONS ) {
+ return 200;
+}
+proxy_buffering on;
+proxy_buffers 1024 16k;
+proxy_set_header X-Forwarded-For "";
+proxy_set_header CF-Connecting-IP "";
+proxy_hide_header "alt-svc";
+sendfile on;
+sendfile_max_chunk 512k;
+tcp_nopush on;
+aio threads=default;
+aio_write on;
+directio 16m;
+proxy_hide_header Cache-Control;
+proxy_hide_header etag;
+proxy_http_version 1.1;
+proxy_set_header Connection keep-alive;
+proxy_max_temp_file_size 32m;
+access_log off;
+proxy_pass http://unix:/var/run/ytproxy/http-proxy.sock;
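Review bot: The regex in `location ~ (/videoplayback|/api/v4/|/api/manifest/)` in the pipedproxy.conf hunk is unanchored, so it matches those strings anywhere in the URI (a path with `/api/v4/` in the middle, for instance), whereas the Caddyfile matcher `path /videoplayback* /api/v4/* /api/manifest/*` it mirrors is a prefix match. Anchor it: `location ~ ^(/videoplayback|/api/v4/|/api/manifest/) {`. The practical effect of the current form is limited to which Cache-Control value is attached, since both locations include the same snippet, but the anchored form states the intent and avoids surprises if the two blocks diverge later.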
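Review bot: `access_log off;` near the end of the ytproxy.conf hunk disables logging for every request on the PROXY_HOSTNAME server, because both locations in pipedproxy.conf include this snippet, so media-proxy traffic never reaches the `main` access log set up in nginx.conf and abusive or anomalous use of the proxy leaves no trace in nginx's logs. If request volume is the concern, nginx's `access_log` accepts an `if=` condition and a reduced `log_format`, which would keep a sampled record; otherwise record the choice with `# access_log off: media proxy volume is too high to log by default` so the gap is a known one. Note also that the two `add_header` lines here combine with the `add_header Cache-Control` in each including location, which is correct as written, but any `add_header` later placed at the `server` level of pipedproxy.conf would be suppressed in those locations by nginx's add_header inheritance rule.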