Pull request 180: AG-25266 encryption

Merge in GO/adguard-home-wiki from AG-25266-encryption to master Squashed commit of the following: commit 92928fc7a07b529d3ae31ea648cdcc62fdfe4691 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Aug 29 20:17:37 2023 +0300 all: imp fmt, add hdrs commit 7445bd8d5af34d394803f7b5b90d1e271826848a Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Aug 29 19:50:53 2023 +0300 Envryption: fix copies commit 7008320fa75ec27fe5cd506fce7f7d00d1ab1bf3 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Aug 29 19:48:27 2023 +0300 all: add hsts example
2023-08-29 20:21:48 +03:00 · 2023-08-29 20:21:48 +03:00 · b3490ee566
parent 83a59f6bf8
commit b3490ee566
4 changed files with 40 additions and 18 deletions
--- a/Docker.md
+++ b/Docker.md
@ -214,7 +214,7 @@ your machine:
    the `/etc/systemd/resolved.conf.d` directory if needed) and add the
    following content to it:

-    ```none
+    ```service
    [Resolve]
    DNS=127.0.0.1
    DNSStubListener=no
--- a/Encryption.md
+++ b/Encryption.md
@ -17,13 +17,14 @@ AdGuard Home.
 1.  [Install AdGuard Home on your server](#install)
 1.  [Register a domain name](#register)
 1.  [Get an SSL certificate](#certificate)
-     *  [Install CertBot](#certbot)
-     *  [Get a certificate using DNS challenge](#certbot-dnschallenge)
-     *  [Alternative to CertBot: Lego](#lego)
+     *  [Using CertBot](#certbot)
+         *  [Get a certificate using DNS challenge](#certbot-dnschallenge)
+     *  [Using Lego](#lego)
 1.  [Configure AdGuard Home](#configure-home)
 1.  [Using with reverse proxy](#reverse-proxy)
     *  [Nginx](#nginx)
     *  [Cloudflare CDN](#cf-cdn)
+     *  [Other Headers](#other-hdrs)
 1.  [Configure your devices](#configure-devices)
     *  [Android](#android)
     *  [iOS](#ios)
@ -80,7 +81,7 @@ Security Research Group (ISRG).

 In this guide I'll explain how to get a certificate from them.

-   ###  <a href="#certbot" id="certbot" name="certbot">Install CertBot</a>
+   ###  <a href="#certbot" id="certbot" name="certbot">Using CertBot</a>

 Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt.

@ -89,7 +90,7 @@ Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt
 1.  Follow the installation instructions, and stop there – don't get to the "Get
    Started" section.

-   ###  <a href="#certbot-dnschallenge" id="certbot-dnschallenge" name="certbot-dnschallenge">Get a certificate using DNS challenge</a>
+  ####  <a href="#certbot-dnschallenge" id="certbot-dnschallenge" name="certbot-dnschallenge">Get a certificate using DNS challenge</a>

 You have just got a domain name so I suppose using DNS challenge will be the
 easiest way to get a certificate.
@ -111,7 +112,7 @@ Both will be necessary to configure AdGuard Home.
 >  You will need to use the very same procedure to renew the existing
 >  certificate.

-   ###  <a href="#lego" id="lego" name="lego">Alternative to CertBot: Lego</a>
+   ###  <a href="#lego" id="lego" name="lego">Using Lego</a>

 There's also a really nice and easy-to-use alternative to CertBot called
 [lego][lego-source].
@ -186,7 +187,7 @@ their hostnames.
 For example, if the configuration of the reverse proxy server contains the
 following directives:

-```none
+```nginx
 location /dns-query {
   # …
   proxy_set_header Host $host;
@ -210,6 +211,23 @@ inserted into `trusted_proxies` list directly.  An official Cloudflare's
 reference on restoring the original visitor's IP may be found
 [here][cloudflare-real-ip].

+   ###  <a href="#other-hdrs" id="other-hdrs" name="other-hdrs">Other Headers</a>
+
+Other HTTP headers may be supported by AdGuard Home in the future.  However, any
+headers-related feature requests should first be tried to be resolved by
+configuring the reverse proxy itself.
+
+For example, to implement the [HTTP Strict Transport Security][hsts] mechanism,
+something like the following piece of configuration might be used:
+
+```nginx
+location /dns-query {
+   # …
+   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+   # …
+}
+```
+


 [reverse-proxy-faq]:      https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#how-to-configure-a-reverse-proxy-server-for-adguard-home
@ -217,6 +235,7 @@ reference on restoring the original visitor's IP may be found
 [cloudflare-headers]:     https://support.cloudflare.com/hc/en-us/articles/200170986
 [cloudflare-addresses]:   https://www.cloudflare.com/ips
 [cloudflare-real-ip]:     https://support.cloudflare.com/hc/en-us/articles/200170786
+[hsts]:                   https://datatracker.ietf.org/doc/html/rfc6797



--- a/FAQ.md
+++ b/FAQ.md
@ -344,9 +344,11 @@ If you're already running a web server and want to access the AdGuard Home
 dashboard UI from a URL like `http://YOUR_SERVER/aghome/`, you can use this
 configuration for your web server:

+
+
   ###  nginx

-```none
+```nginx
 location /aghome/ {
    proxy_cookie_path / /aghome/;
    proxy_pass http://AGH_IP:AGH_PORT/;
@ -368,8 +370,8 @@ location /aghome/ {
 }
 ```

-Or, if you just want to serve AdGuard Home with automatic TLS, use
-a configuration similar to the example shown below:
+Or, if you just want to serve AdGuard Home with automatic TLS, use a
+configuration similar to the example shown below:

 ```none
 DOMAIN {
@ -393,9 +395,10 @@ AdGuard Home respond to DoH requests without TLS encryption.

 **Since v0.107.0,** you can set the parameter `trusted_proxies` to the IP
 address(es) of your HTTP proxy to make AdGuard Home take the headers containing
-the real client IP address into account.  See the [configuration page][conf] for
-more information.
+the real client IP address into account.  See the [configuration][conf] and
+[encryption][encr] pages for more information.

+[encr]: https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption#reverse-proxy
 [conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration


--- a/VPS.md
+++ b/VPS.md
@ -7,20 +7,20 @@ To run AdGuard Home on a VPS, you need a server with Debian 8 or 9, x64 or x32.
 ## Initial installation

 First let's ensure that your VPS has necessary minimal requirements, run this as root:
-```bash
+```sh
 apt-get install sudo nano bind9-host
 ```

 Go to [AdGuard Home page](https://github.com/AdguardTeam/AdGuardHome#installation) and download binaries for your architecture (64-bit Linux in this example).

 To download AdGuard Home and unpack it execute following commands:
-```bash
+```sh
 wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz
 tar xvf AdGuardHome_linux_amd64.tar.gz
 ```

 You can find out the directory where you've unpacked it to by running these commands:
-```bash
+```sh
 cd AdGuardHome
 pwd
 ```
@ -36,12 +36,12 @@ Here are the other commands you might need to control the service.
 * `AdGuardHome -s status` - shows the current service status.

 You can verify that it's working properly by running this command:
-```bash
+```sh
 host doubleclick.net 127.0.0.1
 ```

 If everything works correctly, you will get this output:
-```
+```none
 Using domain server:
 Name: 127.0.0.1
 Address: 127.0.0.1#53