Blog on Crony Akatsuki's Website https://cronyakatsuki.xyz/blog/ Wed, 27 Sep 2023 00:00:00 +0000
Setup dns with adblock and dot/doh with pi-hole and unbound https://cronyakatsuki.xyz/blog/setup-dns-pihole-unbound/ 27-09-2023
<p>Just the other day I set up my own private DNS server that has adblocking (and other stuff) using Pi-hole and uses unbound as a resolver. To safely connect to the DNS server I&rsquo;m using DNS over HTTPS for my browsers and HTTPS over TLS for my whole desktop and for private DNS on Android (Android has DoH support, but only for Google and Cloudflare right now). Let&rsquo;s get on to setting everything up.</p> <h2 id="1-pihole">1. Pi-hole</h2> <p>Let&rsquo;s start with setting up Pi-hole. I will be installing it with their script on a Debian system for easier unbound integration (unbound doesn&rsquo;t have an official Docker container).</p> <p>I recommend reading the Pi-hole docs on exactly how to install it, since Pi-hole gets frequent updates: <a href="https://docs.pi-hole.net/main/basic-install/">DOCS</a></p> <p>I recommend installing the admin page for easier management and the ability to change the upstream DNS server (needed for changing it to unbound later on).
To be able to access the admin page I use an nginx configuration like this one.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">example.com</span> <span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 403<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/admin</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_pass</span> <span style="color:#a6d189">http://127.0.0.1:8185/admin</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">Host</span> <span style="color:#babbf1">$host</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># If you want to log user activity, comment these </span></span></span><span style="display:flex;"><span><span 
style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">access_log</span> <span style="color:#a6d189">/dev/null</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">error_log</span> <span style="color:#a6d189">/dev/null</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> <span style="color:#a6d189">[::]:443</span> <span style="color:#a6d189">ssl</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">listen</span> 443 <span style="color:#a6d189">ssl</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/example.com/fullchain.pem</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/example.com/privkey.pem</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">include</span> <span style="color:#a6d189">/etc/letsencrypt/options-ssl-nginx.conf</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot 
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">ssl_dhparam</span> <span style="color:#a6d189">/etc/letsencrypt/ssl-dhparams.pem</span><span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">if</span> <span style="color:#a6d189">(</span><span style="color:#babbf1">$host</span> <span style="color:#c6d0f5">=</span> <span style="color:#a6d189">example.com)</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 301 <span style="color:#a6d189">https://</span><span style="color:#babbf1">$host$request_uri</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> <span style="color:#626880;font-style:italic"># managed by Certbot </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">example.com</span> <span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 80<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> <span style="color:#a6d189">[::]:80</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 
404<span style="color:#c6d0f5">;</span> <span style="color:#626880;font-style:italic"># managed by Certbot </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#c6d0f5">}</span> </span></span></code></pre></div><p>The main point of this config is the <code>/admin</code> location, which proxies to the lighttpd port so that you can access the admin page; you can also add this location to your main website&rsquo;s server block instead. Because nginx is listening on port 80, lighttpd has to move to another port: edit <code>server.port</code> in the lighttpd config file at <code>/etc/lighttpd/lighttpd.conf</code> to the port you want to use (8185 in the config above), then restart lighttpd.</p> <h2 id="2-unbound">2. Unbound</h2> <p>For this part I will just link Pi-hole&rsquo;s unbound documentation, because it is the most correct one and is updated regularly as things change. <a href="https://docs.pi-hole.net/guides/dns/unbound/">Pi-hole unbound docs</a></p> <h2 id="3-dns-over-tls">3. DNS over TLS</h2> <p>For DNS over TLS you first need an SSL certificate. I recommend using certbot to generate one with this command: <code>certbot --nginx -d dot.example.com</code>.</p> <p>Next you will need a reverse proxy; in my case I use nginx. You will need to add this configuration to your main nginx config located at <code>/etc/nginx/nginx.conf</code>.
<strong>Make sure to add this outside of the http block and change example.com to your domain</strong></p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#ca9ee6">stream</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">log_format</span> <span style="color:#a6d189">basic</span> <span style="color:#a6d189">&#39;</span><span style="color:#babbf1">$remote_addr</span> <span style="color:#a6d189">[</span><span style="color:#babbf1">$time_local]</span> <span style="color:#babbf1">$protocol</span> <span style="color:#babbf1">$status</span> <span style="color:#babbf1">$bytes_sent</span> <span style="color:#babbf1">$bytes_received</span> <span style="color:#babbf1">$session_time</span> <span style="color:#babbf1">$upstream_addr&#39;</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">upstream</span> <span style="color:#a6d189">dns</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">zone</span> <span style="color:#a6d189">dns</span> 64k<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server</span> <span style="color:#babbf1">127.0.0.1</span><span style="color:#c6d0f5">:</span>53<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span 
style="color:#ca9ee6">listen</span> 853 <span style="color:#a6d189">ssl</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">access_log</span> <span style="color:#a6d189">/var/log/nginx/dot-access.log</span> <span style="color:#a6d189">basic</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">error_log</span> <span style="color:#a6d189">/var/log/nginx/dot-error.log</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/dot.example.com/fullchain.pem</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/dot.example.com/privkey.pem</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_protocols</span> <span style="color:#a6d189">TLSv1.2</span> <span style="color:#a6d189">TLSv1.3</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_ciphers</span> <span style="color:#a6d189">HIGH:!aNULL:!MD5</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_handshake_timeout</span> <span style="color:#a6d189">10s</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_session_cache</span> <span style="color:#a6d189">shared:SSL:20m</span><span style="color:#c6d0f5">;</span> </span></span><span 
style="display:flex;"><span> <span style="color:#ca9ee6">ssl_session_timeout</span> <span style="color:#a6d189">4h</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_pass</span> <span style="color:#a6d189">dns</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_responses</span> 1<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_timeout</span> <span style="color:#a6d189">1s</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span><span style="color:#c6d0f5">}</span> </span></span></code></pre></div><p>Also make sure to open port 853; an example ufw command is <code>ufw allow 853/tcp</code>. Then restart nginx. To test whether this configuration is working, set the private DNS address on your Android phone to <code>dot.example.com</code> and then visit <a href="https://dnsleaktest.com">dnsleaktest</a>.</p> <h2 id="4-dns-over-https">4. DNS over HTTPS</h2> <p>For DNS over HTTPS we will install an additional package called dnsdist. On Debian systems just run <code>apt install dnsdist</code>. Next you will need to set up the dnsdist config and restart it.
Make sure to change example.com.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-conf" data-lang="conf"><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">dnsdist</span> <span style="color:#babbf1">configuration</span> <span style="color:#babbf1">file</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">an</span> <span style="color:#babbf1">example</span> <span style="color:#babbf1">can</span> <span style="color:#babbf1">be</span> <span style="color:#babbf1">found</span> <span style="color:#babbf1">in</span> <span style="color:#e78284">/</span><span style="color:#babbf1">usr</span><span style="color:#e78284">/</span><span style="color:#babbf1">share</span><span style="color:#e78284">/</span><span style="color:#babbf1">doc</span><span style="color:#e78284">/</span><span style="color:#babbf1">dnsdist</span><span style="color:#e78284">/</span><span style="color:#babbf1">examples</span><span style="color:#e78284">/</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">disable</span> <span style="color:#babbf1">security</span> <span style="color:#babbf1">status</span> <span style="color:#babbf1">polling</span> <span style="color:#babbf1">via</span> <span style="color:#babbf1">DNS</span> </span></span><span style="display:flex;"><span><span style="color:#99d1db">setSecurityPollSuffix</span><span style="color:#c6d0f5">(</span><span style="color:#a6d189">&#34;&#34;</span><span style="color:#c6d0f5">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">fix</span> <span style="color:#babbf1">up</span> <span style="color:#babbf1">possibly</span> <span 
style="color:#babbf1">badly</span> <span style="color:#babbf1">truncated</span> <span style="color:#babbf1">answers</span> <span style="color:#babbf1">from</span> <span style="color:#babbf1">pdns</span> <span style="color:#babbf1">2.9.22</span> </span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#99d1db">truncateTC</span><span style="color:#c6d0f5">(</span><span style="color:#ca9ee6;font-style:italic">true</span><span style="color:#c6d0f5">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">Answer</span> <span style="color:#babbf1">to</span> <span style="color:#babbf1">only</span> <span style="color:#babbf1">clients</span> <span style="color:#babbf1">from</span> <span style="color:#babbf1">this</span> <span style="color:#e5c890">subnet</span> </span></span><span style="display:flex;"><span><span style="color:#99d1db">setACL</span><span style="color:#c6d0f5">(</span><span style="color:#a6d189">&#34;127.0.0.1/8&#34;</span><span style="color:#c6d0f5">)</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">Define</span> <span style="color:#babbf1">upstream</span> <span style="color:#babbf1">DNS</span> <span style="color:#99d1db">server</span> <span style="color:#c6d0f5">(</span><span style="color:#babbf1">Pi-hole</span><span style="color:#c6d0f5">)</span> </span></span><span style="display:flex;"><span><span style="color:#99d1db">newServer</span><span style="color:#c6d0f5">({</span><span style="color:#babbf1">address</span><span style="color:#99d1db">=</span><span style="color:#a6d189">&#34;127.0.0.1&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">name</span><span style="color:#99d1db">=</span><span style="color:#a6d189">&#34;Pi-hole&#34;</span><span 
style="color:#c6d0f5">,</span> <span style="color:#babbf1">checkName</span><span style="color:#99d1db">=</span><span style="color:#a6d189">&#34;example.com&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">checkInterval</span><span style="color:#99d1db">=</span><span style="color:#babbf1">60</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">mustResolve</span><span style="color:#99d1db">=</span><span style="color:#ca9ee6;font-style:italic">true</span><span style="color:#c6d0f5">})</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#babbf1">--</span> <span style="color:#babbf1">Create</span> <span style="color:#babbf1">local</span> <span style="color:#babbf1">DOH</span> <span style="color:#babbf1">server</span> <span style="color:#babbf1">listener</span> <span style="color:#babbf1">in</span> <span style="color:#babbf1">DNS</span> <span style="color:#babbf1">over</span> <span style="color:#babbf1">HTTP</span> <span style="color:#babbf1">mode</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">otherwise</span> <span style="color:#babbf1">the</span> <span style="color:#babbf1">information</span> <span style="color:#babbf1">coming</span> <span style="color:#babbf1">from</span> <span style="color:#babbf1">nginx</span> <span style="color:#babbf1">won</span><span style="color:#e78284">&#39;</span><span style="color:#babbf1">t</span> <span style="color:#babbf1">be</span> <span style="color:#babbf1">processed</span> <span style="color:#babbf1">well</span> </span></span><span style="display:flex;"><span><span style="color:#99d1db">addDOHLocal</span><span style="color:#c6d0f5">(</span><span style="color:#a6d189">&#34;127.0.0.1:5300&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">nil</span><span style="color:#c6d0f5">,</span> <span style="color:#babbf1">nil</span><span style="color:#c6d0f5">,</span> <span 
style="color:#a6d189">&#34;/dns-query&#34;</span><span style="color:#c6d0f5">,</span> <span style="color:#c6d0f5">{</span> <span style="color:#babbf1">reusePort</span><span style="color:#99d1db">=</span><span style="color:#ca9ee6;font-style:italic">true</span> <span style="color:#c6d0f5">})</span> </span></span></code></pre></div><p>Next we need another SSL certificate for the DoH domain; once again use certbot, with this command: <code>certbot --nginx -d doh.example.com</code>. After that, add this configuration to nginx, either in sites-available (linked into sites-enabled) or in the http block of the main nginx configuration.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Proxy Cache storage - so we can cache the DoH response from the upstream </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#ca9ee6">proxy_cache_path</span> <span style="color:#a6d189">/var/run/doh_cache</span> <span style="color:#a6d189">levels=1:2</span> <span style="color:#a6d189">keys_zone=doh_cache:10m</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 80<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">doh.example.com</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">return</span> 301 <span style="color:#a6d189">https://doh.example.com</span><span 
style="color:#babbf1">$request_uri</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span><span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># This virtual server accepts HTTP/2 over HTTPS </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 443 <span style="color:#a6d189">ssl</span> <span style="color:#a6d189">http2</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">doh.example.com</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">access_log</span> <span style="color:#a6d189">/var/log/nginx/doh.access</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">error_log</span> <span style="color:#a6d189">/var/log/nginx/doh.error</span> <span style="color:#a6d189">error</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate</span> <span style="color:#a6d189">/etc/letsencrypt/live/doh.example.com/fullchain.pem</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_certificate_key</span> <span style="color:#a6d189">/etc/letsencrypt/live/doh.example.com/privkey.pem</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span 
style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># DoH may use GET or POST requests, cache both </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_cache_methods</span> <span style="color:#a6d189">GET</span> <span style="color:#a6d189">POST</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># Return 404 for all requests, except for those using our published DoH URI </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">try_files</span> <span style="color:#babbf1">$uri</span> <span style="color:#babbf1">$uri/</span> <span style="color:#c6d0f5">=</span>404<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_protocols</span> <span style="color:#a6d189">TLSv1.2</span> <span style="color:#a6d189">TLSv1.3</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">ssl_ciphers</span> <span style="color:#a6d189">HIGH:!aNULL:!MD5</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># This is our published DoH URI </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span 
style="color:#ca9ee6">location</span> <span style="color:#a6d189">/dns-query</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># Proxy HTTP/1.1, clear the connection header to enable Keep-Alive </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_http_version</span> 1<span style="color:#a6d189">.1</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">Connection</span> <span style="color:#a6d189">&#34;&#34;</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># Enable Cache, and set the cache_key to include the request_body </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_cache</span> <span style="color:#a6d189">doh_cache</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_cache_key</span> <span style="color:#babbf1">$scheme$proxy_host$uri$is_args$args$request_body</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># proxy pass to dnsdist </span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_pass</span> <span style="color:#a6d189">http://127.0.0.1:5300</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#626880;font-style:italic"># proxy pass address 
</span></span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"></span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">X-Forwarded-For</span> <span style="color:#babbf1">$proxy_add_x_forwarded_for</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span><span style="color:#c6d0f5">}</span> </span></span></code></pre></div><p>After restarting nginx with this configuration you can add it to your web browser as a DNS over HTTPS resolver, then once again visit the <a href="https://dnsleaktest.com">dnsleaktest</a> website and check that it is all working.</p> <p>Hope this has been helpful, and if anybody has any ideas on how to make this guide better, you can open a pull request or make an issue on the website&rsquo;s <a href="https://code.cronyakatsuki.xyz/crony/website">repo</a>.</p>
Piped videos not loading https://cronyakatsuki.xyz/blog/piped-video-not-loading/ 26-02-2023
<p>Recently I have received reports of and experienced an issue of videos not loading on my personal <a href="https://piped.cronyakatsuki.xyz">piped</a> instance and on the official instance. But I have found a fix and a way to watch the videos even without the fix.</p> <h2 id="what-creates-the-issue">What creates the issue?</h2> <p>From what I have been able to find in the issues over on the <a href="https://github.com/TeamPiped/Piped">piped github</a>, it seems to be an lbry issue of the videos not loading, mostly on Firefox; the issue seems to not happen on the Chromium browsers.</p> <h3 id="how-to-fix-the-issue">How to fix the issue</h3> <p>To fix the issue you just have to enable an option in the instance settings called <code>disable lbry for streaming</code>.
This will disable loading of lbry for videos, and the issue will mostly just be bypassed.</p> <h3 id="fun-way-to-also-watch-the-videos">Fun way to also watch the videos</h3> <p>If you are like me and bored, you can also watch the videos without using the fix: open the Firefox debug console, and in the errors you will see the link of the video that the frontend wasn&rsquo;t able to embed. Just click the link and you will either be able to watch the video, or it will say that the content isn&rsquo;t reachable, in which case you will need to apply the fix; otherwise there is no way to watch that video.</p>
miniflux setup on debian https://cronyakatsuki.xyz/blog/miniflux-setup/ 30-11-2022
<p>Looking for a minimal self-hosted feed reader I found <a href="https://miniflux.app/">miniflux</a>. But trying to set it up, I found myself at it for 3 freaking hours, since I only recently started to self-host things. So here I will try to explain, in the easiest way I can, how to set it up on a Debian server with HTTPS using certbot and nginx.</p> <p>For this tutorial I expect that you already have a server set up with nginx and certbot.
To set up these things, check out <a href="https://landchad.net">landchad</a>.</p> <h2 id="installing-needed-packages">Installing needed packages</h2> <p>You will first need to set up the miniflux apt repository to install it on your system. The <code>[trusted=yes]</code> option makes apt skip signature verification for this repository, so package integrity rests on the HTTPS connection alone.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#c6d0f5;font-style:italic">echo</span> <span style="color:#a6d189">&#34;deb [trusted=yes] https://repo.miniflux.app/apt/ /&#34;</span> <span style="color:#c6d0f5">|</span> sudo tee /etc/apt/sources.list.d/miniflux.list &gt; /dev/null </span></span><span style="display:flex;"><span>apt update </span></span></code></pre></div><p>Then just install the needed packages.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>apt install miniflux postgresql </span></span></code></pre></div><h2 id="setting-up-postgres-database-and-miniflux">Setting up postgres database and miniflux</h2> <p>Here I will detail the steps to create the postgres database.</p> <h3 id="initial-postgres-setup">Initial postgres setup</h3> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Switch to the postgres user</span> </span></span><span style="display:flex;"><span>$ su - postgres </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Creating a miniflux user, enter a safe and secure password</span> </span></span><span style="display:flex;"><span>$ createuser -P miniflux </span></span><span 
style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Create a database for miniflux that belongs to our user</span> </span></span><span style="display:flex;"><span>$ createdb -O miniflux miniflux </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Creating extension hstore as superuser</span> </span></span><span style="display:flex;"><span>$ psql miniflux -c <span style="color:#a6d189">&#39;create extension hstore&#39;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Managing the miniflux database</span> </span></span><span style="display:flex;"><span>$ psql <span style="color:#babbf1">$MINIFLUX_DATABASE</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Giving the miniflux user superuser privileges (removed again after the migration)</span> </span></span><span style="display:flex;"><span>&gt; alter user miniflux with superuser<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Exit the postgres database</span> </span></span><span style="display:flex;"><span>&gt; <span style="color:#8caaee">\q</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Exit postgres user</span> </span></span><span style="display:flex;"><span>$ <span 
style="color:#c6d0f5;font-style:italic">exit</span> </span></span></code></pre></div><h3 id="miniflux-configuration-file">Miniflux configuration file</h3> <p>Open the miniflux configuration file at <code>/etc/miniflux.conf</code> and edit it like this.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># See https://miniflux.app/docs/configuration.html</span> </span></span><span style="display:flex;"><span><span style="color:#babbf1">LISTEN_ADDR</span><span style="color:#99d1db">=</span>127.0.0.1:8080 </span></span><span style="display:flex;"><span><span style="color:#babbf1">DATABASE_URL</span><span style="color:#99d1db">=</span><span style="color:#babbf1">user</span><span style="color:#99d1db">=</span>miniflux <span style="color:#babbf1">password</span><span style="color:#99d1db">=</span>PASSWORD_HERE <span style="color:#babbf1">dbname</span><span style="color:#99d1db">=</span>miniflux <span style="color:#babbf1">sslmode</span><span style="color:#99d1db">=</span>disable </span></span><span style="display:flex;"><span><span style="color:#babbf1">RUN_MIGRATIONS</span><span style="color:#99d1db">=</span>1 </span></span></code></pre></div><h3 id="migrating-the-database-and-removing-superuser-privileges-in-postgres">Migrating the database and removing superuser privileges in postgres</h3> <p>Now we will migrate the database and remove the unneeded superuser privileges, as recommended in the miniflux documentation.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Migrating the database</span> </span></span><span style="display:flex;"><span>$ 
miniflux -c /etc/miniflux.conf -migrate </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Creating miniflux admin user</span> </span></span><span style="display:flex;"><span>$ miniflux -c /etc/miniflux.conf -create-admin </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Restarting the miniflux service</span> </span></span><span style="display:flex;"><span>$ systemctl restart miniflux </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Switching to the postgres user</span> </span></span><span style="display:flex;"><span>$ su - postgres </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Entering miniflux database</span> </span></span><span style="display:flex;"><span>$ psql <span style="color:#babbf1">$MINIFLUX_DATABASE</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Removing unneeded superuser privileges from miniflux user</span> </span></span><span style="display:flex;"><span>&gt; alter user miniflux with nosuperuser<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Exit the postgres database</span> </span></span><span style="display:flex;"><span>&gt; <span style="color:#8caaee">\q</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#626880;font-style:italic"># Exit postgres user</span> </span></span><span style="display:flex;"><span>$ <span style="color:#c6d0f5;font-style:italic">exit</span> 
</span></span></code></pre></div><h2 id="nginx-and-certbot-setup">Nginx and certbot setup</h2> <p>Make sure to have a domain to use for your miniflux setup.</p> <p>Create and open an nginx config at <code>/etc/nginx/sites-available/miniflux.conf</code> and add this:</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#ca9ee6">server</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">server_name</span> <span style="color:#a6d189">your.domain.ext</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> 80<span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">listen</span> <span style="color:#a6d189">[::]:80</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">location</span> <span style="color:#a6d189">/</span> <span style="color:#c6d0f5">{</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_pass</span> <span style="color:#a6d189">http://127.0.0.1:8080</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_redirect</span> <span style="color:#e5c890">off</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">Host</span> <span style="color:#babbf1">$host</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">X-Real-IP</span> <span 
style="color:#babbf1">$remote_addr</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">X-Forwarded-For</span> <span style="color:#babbf1">$proxy_add_x_forwarded_for</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#ca9ee6">proxy_set_header</span> <span style="color:#a6d189">X-Forwarded-Proto</span> <span style="color:#babbf1">$scheme</span><span style="color:#c6d0f5">;</span> </span></span><span style="display:flex;"><span> <span style="color:#c6d0f5">}</span> </span></span><span style="display:flex;"><span><span style="color:#c6d0f5">}</span> </span></span></code></pre></div><p>Now just link the config to enabled sites and restart the nginx service.</p> <div class="highlight"><pre tabindex="0" style="color:#ef9f76;background-color:#303446;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ ln -s /etc/nginx/sites-available/miniflux.conf /etc/nginx/sites-enabled/miniflux.conf </span></span><span style="display:flex;"><span>$ systemctl restart nginx </span></span></code></pre></div><p>To get https on your domain you just need to run <code>certbot --nginx</code>, same as in this <a href="https://landchad.net/basic/certbot/">tutorial</a>.</p> <h2 id="finishing-words">Finishing words</h2> <p>I hope that this wasn&rsquo;t hard to follow and that it won&rsquo;t take you hours, like it took me the first time I tried to set this all up.</p>
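<p>A post-install check for the steps above, as an added example that is not part of the original post or of miniflux itself: it verifies that <code>/etc/miniflux.conf</code> (which holds the database password) is not world-readable, that <code>LISTEN_ADDR</code> stays on loopback behind nginx, that the <code>PASSWORD_HERE</code> placeholder was replaced, and that the temporary superuser grant was revoked. The function names are hypothetical; the role check reads the standard PostgreSQL <code>pg_roles</code> view.</p>

```shell
#!/bin/sh
# Added example, not from the original post: audit the setup described above.

# Print the value of KEY from a KEY=value file (last assignment wins).
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Succeed only when a host:port listen address is bound to loopback.
is_loopback_addr() {
    case "$1" in
        127.*:*|localhost:*|"[::1]":*) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit a miniflux config file: print each finding, return how many there were.
audit_miniflux_conf() {
    local conf="$1" findings=0 addr
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 99; }
    # The file holds the database password in clear text.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "FINDING: $conf is world-readable and contains the database password"
        findings=$((findings + 1))
    fi
    # nginx proxies to 127.0.0.1:8080; a wider bind lets clients skip nginx and TLS.
    addr=$(conf_get LISTEN_ADDR "$conf")
    if [ -n "$addr" ] && ! is_loopback_addr "$addr"; then
        echo "FINDING: LISTEN_ADDR=$addr is not a loopback address"
        findings=$((findings + 1))
    fi
    case "$(conf_get DATABASE_URL "$conf")" in
        *password=PASSWORD_HERE*)
            echo "FINDING: DATABASE_URL still has the PASSWORD_HERE placeholder"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Confirm the temporary superuser grant was revoked (run as root, like the post's su).
check_miniflux_role() {
    local flag
    flag=$(su - postgres -c "psql -tAc \"select rolsuper from pg_roles where rolname = 'miniflux'\"" 2>/dev/null)
    case "$flag" in
        f) return 0 ;;
        t) echo "FINDING: role miniflux is still a superuser"; return 1 ;;
        *) echo "UNKNOWN: could not read pg_roles for role miniflux"; return 2 ;;
    esac
}
```

<p>Source the file as root, then run <code>audit_miniflux_conf /etc/miniflux.conf</code> and <code>check_miniflux_role</code>; a zero exit status from each means nothing was found.</p>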