From b3490ee566d773867696bd3819f529d3e084fa17 Mon Sep 17 00:00:00 2001 From: Eugene Burkov Date: Tue, 29 Aug 2023 20:21:48 +0300 Subject: [PATCH] Pull request 180: AG-25266 encryption Merge in GO/adguard-home-wiki from AG-25266-encryption to master Squashed commit of the following: commit 92928fc7a07b529d3ae31ea648cdcc62fdfe4691 Author: Eugene Burkov Date: Tue Aug 29 20:17:37 2023 +0300 all: imp fmt, add hdrs commit 7445bd8d5af34d394803f7b5b90d1e271826848a Author: Eugene Burkov Date: Tue Aug 29 19:50:53 2023 +0300 Envryption: fix copies commit 7008320fa75ec27fe5cd506fce7f7d00d1ab1bf3 Author: Eugene Burkov Date: Tue Aug 29 19:48:27 2023 +0300 all: add hsts example --- Docker.md | 2 +- Encryption.md | 33 ++++++++++++++++++++++++++------- FAQ.md | 13 ++++++++----- VPS.md | 10 +++++----- 4 files changed, 40 insertions(+), 18 deletions(-) diff --git a/Docker.md b/Docker.md index 41ceef2..70ea801 100644 --- a/Docker.md +++ b/Docker.md @@ -214,7 +214,7 @@ your machine: the `/etc/systemd/resolved.conf.d` directory if needed) and add the following content to it: - ```none + ```service [Resolve] DNS=127.0.0.1 DNSStubListener=no diff --git a/Encryption.md b/Encryption.md index a9be85d..902062b 100644 --- a/Encryption.md +++ b/Encryption.md @@ -17,13 +17,14 @@ AdGuard Home. 1. [Install AdGuard Home on your server](#install) 1. [Register a domain name](#register) 1. [Get an SSL certificate](#certificate) - * [Install CertBot](#certbot) - * [Get a certificate using DNS challenge](#certbot-dnschallenge) - * [Alternative to CertBot: Lego](#lego) + * [Using CertBot](#certbot) + * [Get a certificate using DNS challenge](#certbot-dnschallenge) + * [Using Lego](#lego) 1. [Configure AdGuard Home](#configure-home) 1. [Using with reverse proxy](#reverse-proxy) * [Nginx](#nginx) * [Cloudflare CDN](#cf-cdn) + * [Other Headers](#other-hdrs) 1. [Configure your devices](#configure-devices) * [Android](#android) * [iOS](#ios) 
@@ -80,7 +81,7 @@ Security Research Group (ISRG). In this guide I'll explain how to get a certificate from them. - ### Install CertBot + ### Using CertBot Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt. @@ -89,7 +90,7 @@ Certbot is an easy-to-use client that fetches a certificate from Let’s Encrypt 1. Follow the installation instructions, and stop there – don't get to the "Get Started" section. - ### Get a certificate using DNS challenge + #### Get a certificate using DNS challenge You have just got a domain name so I suppose using DNS challenge will be the easiest way to get a certificate. @@ -111,7 +112,7 @@ Both will be necessary to configure AdGuard Home. > You will need to use the very same procedure to renew the existing > certificate. - ### Alternative to CertBot: Lego + ### Using Lego There's also a really nice and easy-to-use alternative to CertBot called [lego][lego-source]. @@ -186,7 +187,7 @@ their hostnames. For example, if the configuration of the reverse proxy server contains the following directives: -```none +```nginx location /dns-query { # … proxy_set_header Host $host; @@ -210,6 +211,23 @@ inserted into `trusted_proxies` list directly. An official Cloudflare's reference on restoring the original visitor's IP may be found [here][cloudflare-real-ip]. + ### Other Headers + +Other HTTP headers may be supported by AdGuard Home in the future. However, any +headers-related feature requests should first be tried to be resolved by +configuring the reverse proxy itself. + +For example, to implement the [HTTP Strict Transport Security][hsts] mechanism, +something like the following piece of configuration might be used: + +```nginx +location /dns-query { + # … + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + # … +} +``` + [reverse-proxy-faq]: https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#how-to-configure-a-reverse-proxy-server-for-adguard-home 
@@ -217,6 +235,7 @@ reference on restoring the original visitor's IP may be found [cloudflare-headers]: https://support.cloudflare.com/hc/en-us/articles/200170986 [cloudflare-addresses]: https://www.cloudflare.com/ips [cloudflare-real-ip]: https://support.cloudflare.com/hc/en-us/articles/200170786 +[hsts]: https://datatracker.ietf.org/doc/html/rfc6797 diff --git a/FAQ.md b/FAQ.md index 396ad58..74f6a04 100644 --- a/FAQ.md +++ b/FAQ.md @@ -344,9 +344,11 @@ If you're already running a web server and want to access the AdGuard Home dashboard UI from a URL like `http://YOUR_SERVER/aghome/`, you can use this configuration for your web server: + + ### nginx -```none +```nginx location /aghome/ { proxy_cookie_path / /aghome/; proxy_pass http://AGH_IP:AGH_PORT/; @@ -368,8 +370,8 @@ location /aghome/ { } ``` -Or, if you just want to serve AdGuard Home with automatic TLS, use -a configuration similar to the example shown below: +Or, if you just want to serve AdGuard Home with automatic TLS, use a +configuration similar to the example shown below: ```none DOMAIN { @@ -393,9 +395,10 @@ AdGuard Home respond to DoH requests without TLS encryption. **Since v0.107.0,** you can set the parameter `trusted_proxies` to the IP address(es) of your HTTP proxy to make AdGuard Home take the headers containing -the real client IP address into account. See the [configuration page][conf] for -more information. +the real client IP address into account. See the [configuration][conf] and +[encryption][encr] pages for more information. +[encr]: https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption#reverse-proxy [conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration diff --git a/VPS.md b/VPS.md index 52035d6..f60a5cc 100644 --- a/VPS.md +++ b/VPS.md 
@@ -7,20 +7,20 @@ To run AdGuard Home on a VPS, you need a server with Debian 8 or 9, x64 or x32. ## Initial installation First let's ensure that your VPS has necessary minimal requirements, run this as root: -```bash +```sh apt-get install sudo nano bind9-host ``` Go to [AdGuard Home page](https://github.com/AdguardTeam/AdGuardHome#installation) and download binaries for your architecture (64-bit Linux in this example). To download AdGuard Home and unpack it execute following commands: -```bash +```sh wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz tar xvf AdGuardHome_linux_amd64.tar.gz ``` You can find out the directory where you've unpacked it to by running these commands: -```bash +```sh cd AdGuardHome pwd ``` @@ -36,12 +36,12 @@ Here are the other commands you might need to control the service. * `AdGuardHome -s status` - shows the current service status. You can verify that it's working properly by running this command: -```bash +```sh host doubleclick.net 127.0.0.1 ``` If everything works correctly, you will get this output: -``` +```none Using domain server: Name: 127.0.0.1 Address: 127.0.0.1#53
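Review bot: In Docker.md (hunk at -214,7), the new fence tag `service` does not match the content: the block is a `[Resolve]` section for a file under `/etc/systemd/resolved.conf.d`, not a service unit. Suggest `ini`, which describes the syntax and is more likely to be picked up by highlighters, or keep `none`.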
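Review bot: In the Encryption.md table of contents (hunk at -17,13), the new entry `[Other Headers](#other-hdrs)` needs a matching anchor, and none is visible next to the `### Other Headers` heading added later in this patch. The short ids used by the neighbouring entries (`#certbot`, `#lego`) suggest the page relies on explicit anchors rather than generated heading ids, so please confirm the new heading carries an `other-hdrs` anchor; otherwise the link will not resolve.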
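Review bot: In the new Other Headers section of Encryption.md (hunk at -210,6), the example sends `max-age=31536000; includeSubDomains`, so a reader who copies it commits every subdomain of the host to HTTPS for a year, including subdomains that may not serve HTTPS at all. Suggest stating that next to the example, or showing a shorter `max-age` without `includeSubDomains` as the starting point. A sentence on nginx inheritance would also help: a `location` that defines its own `add_header` no longer inherits the `add_header` directives set at the `server` level, which can silently drop other headers for `/dns-query`. Minor wording: "should first be tried to be resolved by configuring the reverse proxy itself" reads better as "try configuring the reverse proxy first".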
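Review bot: In VPS.md (hunk at -7,20), the download block being relabelled from `bash` to `sh` unpacks the archive with no integrity check: `wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz` is followed directly by `tar xvf AdGuardHome_linux_amd64.tar.gz`. Since this block is being touched anyway, consider adding a verification step between the two commands (a checksum or signature check against whatever the release publishes), because the binary is then installed as a service run by root.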