Pull request 180: AG-25266 encryption

Merge in GO/adguard-home-wiki from AG-25266-encryption to master

Squashed commit of the following:

commit 92928fc7a07b529d3ae31ea648cdcc62fdfe4691
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Aug 29 20:17:37 2023 +0300

    all: imp fmt, add hdrs

commit 7445bd8d5af34d394803f7b5b90d1e271826848a
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Aug 29 19:50:53 2023 +0300

    Encryption: fix copies

commit 7008320fa75ec27fe5cd506fce7f7d00d1ab1bf3
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date:   Tue Aug 29 19:48:27 2023 +0300

    all: add hsts example
Eugene Burkov 2023-08-29 20:21:48 +03:00
parent 83a59f6bf8
commit b3490ee566
4 changed files with 40 additions and 18 deletions

@ -214,7 +214,7 @@ your machine:
the `/etc/systemd/resolved.conf.d` directory if needed) and add the the `/etc/systemd/resolved.conf.d` directory if needed) and add the
following content to it: following content to it:
```none ```service
[Resolve] [Resolve]
DNS=127.0.0.1 DNS=127.0.0.1
DNSStubListener=no DNSStubListener=no

@ -17,13 +17,14 @@ AdGuard Home.
1. [Install AdGuard Home on your server](#install) 1. [Install AdGuard Home on your server](#install)
1. [Register a domain name](#register) 1. [Register a domain name](#register)
1. [Get an SSL certificate](#certificate) 1. [Get an SSL certificate](#certificate)
* [Install CertBot](#certbot) * [Using CertBot](#certbot)
* [Get a certificate using DNS challenge](#certbot-dnschallenge) * [Get a certificate using DNS challenge](#certbot-dnschallenge)
* [Alternative to CertBot: Lego](#lego) * [Using Lego](#lego)
1. [Configure AdGuard Home](#configure-home) 1. [Configure AdGuard Home](#configure-home)
1. [Using with reverse proxy](#reverse-proxy) 1. [Using with reverse proxy](#reverse-proxy)
* [Nginx](#nginx) * [Nginx](#nginx)
* [Cloudflare CDN](#cf-cdn) * [Cloudflare CDN](#cf-cdn)
* [Other Headers](#other-hdrs)
1. [Configure your devices](#configure-devices) 1. [Configure your devices](#configure-devices)
* [Android](#android) * [Android](#android)
* [iOS](#ios) * [iOS](#ios)
@ -80,7 +81,7 @@ Security Research Group (ISRG).
In this guide I'll explain how to get a certificate from them. In this guide I'll explain how to get a certificate from them.
### <a href="#certbot" id="certbot" name="certbot">Install CertBot</a> ### <a href="#certbot" id="certbot" name="certbot">Using CertBot</a>
Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt. Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt.
@ -89,7 +90,7 @@ Certbot is an easy-to-use client that fetches a certificate from Lets Encrypt
1. Follow the installation instructions, and stop there don't get to the "Get 1. Follow the installation instructions, and stop there don't get to the "Get
Started" section. Started" section.
### <a href="#certbot-dnschallenge" id="certbot-dnschallenge" name="certbot-dnschallenge">Get a certificate using DNS challenge</a> #### <a href="#certbot-dnschallenge" id="certbot-dnschallenge" name="certbot-dnschallenge">Get a certificate using DNS challenge</a>
You have just got a domain name so I suppose using DNS challenge will be the You have just got a domain name so I suppose using DNS challenge will be the
easiest way to get a certificate. easiest way to get a certificate.
@ -111,7 +112,7 @@ Both will be necessary to configure AdGuard Home.
> You will need to use the very same procedure to renew the existing > You will need to use the very same procedure to renew the existing
> certificate. > certificate.
### <a href="#lego" id="lego" name="lego">Alternative to CertBot: Lego</a> ### <a href="#lego" id="lego" name="lego">Using Lego</a>
There's also a really nice and easy-to-use alternative to CertBot called There's also a really nice and easy-to-use alternative to CertBot called
[lego][lego-source]. [lego][lego-source].
@ -186,7 +187,7 @@ their hostnames.
For example, if the configuration of the reverse proxy server contains the For example, if the configuration of the reverse proxy server contains the
following directives: following directives:
```none ```nginx
location /dns-query { location /dns-query {
# … # …
proxy_set_header Host $host; proxy_set_header Host $host;
@ -210,6 +211,23 @@ inserted into `trusted_proxies` list directly. An official Cloudflare's
reference on restoring the original visitor's IP may be found reference on restoring the original visitor's IP may be found
[here][cloudflare-real-ip]. [here][cloudflare-real-ip].
### <a href="#other-hdrs" id="other-hdrs" name="other-hdrs">Other Headers</a>
Other HTTP headers may be supported by AdGuard Home in the future. However, any
headers-related feature requests should first be tried to be resolved by
configuring the reverse proxy itself.
For example, to implement the [HTTP Strict Transport Security][hsts] mechanism,
something like the following piece of configuration might be used:
```nginx
location /dns-query {
# …
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# …
}
```
[reverse-proxy-faq]: https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#how-to-configure-a-reverse-proxy-server-for-adguard-home [reverse-proxy-faq]: https://github.com/AdguardTeam/AdGuardHome/wiki/FAQ#how-to-configure-a-reverse-proxy-server-for-adguard-home
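Review bot: The HSTS `add_header` in the new example is scoped to `location /dns-query`, but the policy a browser records under RFC 6797 (linked as [hsts] in this hunk) applies to the whole host, so the dashboard paths served from the same host would not send it; the directive fits better at `server` level. Worth noting as well that nginx `add_header` directives placed in a `location` block replace, rather than extend, those inherited from the enclosing `server` block, so readers who copy it per-location may silently drop other headers. Minor wording: "any headers-related feature requests should first be tried to be resolved by configuring the reverse proxy itself" reads awkwardly; consider "before requesting support for a header, try to achieve it by configuring the reverse proxy itself".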
@ -217,6 +235,7 @@ reference on restoring the original visitor's IP may be found
[cloudflare-headers]: https://support.cloudflare.com/hc/en-us/articles/200170986 [cloudflare-headers]: https://support.cloudflare.com/hc/en-us/articles/200170986
[cloudflare-addresses]: https://www.cloudflare.com/ips [cloudflare-addresses]: https://www.cloudflare.com/ips
[cloudflare-real-ip]: https://support.cloudflare.com/hc/en-us/articles/200170786 [cloudflare-real-ip]: https://support.cloudflare.com/hc/en-us/articles/200170786
[hsts]: https://datatracker.ietf.org/doc/html/rfc6797

13
FAQ.md

@ -344,9 +344,11 @@ If you're already running a web server and want to access the AdGuard Home
dashboard UI from a URL like `http://YOUR_SERVER/aghome/`, you can use this dashboard UI from a URL like `http://YOUR_SERVER/aghome/`, you can use this
configuration for your web server: configuration for your web server:
### nginx ### nginx
```none ```nginx
location /aghome/ { location /aghome/ {
proxy_cookie_path / /aghome/; proxy_cookie_path / /aghome/;
proxy_pass http://AGH_IP:AGH_PORT/; proxy_pass http://AGH_IP:AGH_PORT/;
@ -368,8 +370,8 @@ location /aghome/ {
} }
``` ```
Or, if you just want to serve AdGuard Home with automatic TLS, use Or, if you just want to serve AdGuard Home with automatic TLS, use a
a configuration similar to the example shown below: configuration similar to the example shown below:
```none ```none
DOMAIN { DOMAIN {
@ -393,9 +395,10 @@ AdGuard Home respond to DoH requests without TLS encryption.
**Since v0.107.0,** you can set the parameter `trusted_proxies` to the IP **Since v0.107.0,** you can set the parameter `trusted_proxies` to the IP
address(es) of your HTTP proxy to make AdGuard Home take the headers containing address(es) of your HTTP proxy to make AdGuard Home take the headers containing
the real client IP address into account. See the [configuration page][conf] for the real client IP address into account. See the [configuration][conf] and
more information. [encryption][encr] pages for more information.
[encr]: https://github.com/AdguardTeam/AdGuardHome/wiki/Encryption#reverse-proxy
[conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration [conf]: https://github.com/AdguardTeam/AdGuardHome/wiki/Configuration

10
VPS.md

@ -7,20 +7,20 @@ To run AdGuard Home on a VPS, you need a server with Debian 8 or 9, x64 or x32.
## Initial installation ## Initial installation
First let's ensure that your VPS has necessary minimal requirements, run this as root: First let's ensure that your VPS has necessary minimal requirements, run this as root:
```bash ```sh
apt-get install sudo nano bind9-host apt-get install sudo nano bind9-host
``` ```
Go to [AdGuard Home page](https://github.com/AdguardTeam/AdGuardHome#installation) and download binaries for your architecture (64-bit Linux in this example). Go to [AdGuard Home page](https://github.com/AdguardTeam/AdGuardHome#installation) and download binaries for your architecture (64-bit Linux in this example).
To download AdGuard Home and unpack it execute following commands: To download AdGuard Home and unpack it execute following commands:
```bash ```sh
wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz wget https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz
tar xvf AdGuardHome_linux_amd64.tar.gz tar xvf AdGuardHome_linux_amd64.tar.gz
``` ```
You can find out the directory where you've unpacked it to by running these commands: You can find out the directory where you've unpacked it to by running these commands:
```bash ```sh
cd AdGuardHome cd AdGuardHome
pwd pwd
``` ```
@ -36,12 +36,12 @@ Here are the other commands you might need to control the service.
* `AdGuardHome -s status` - shows the current service status. * `AdGuardHome -s status` - shows the current service status.
You can verify that it's working properly by running this command: You can verify that it's working properly by running this command:
```bash ```sh
host doubleclick.net 127.0.0.1 host doubleclick.net 127.0.0.1
``` ```
If everything works correctly, you will get this output: If everything works correctly, you will get this output:
``` ```none
Using domain server: Using domain server:
Name: 127.0.0.1 Name: 127.0.0.1
Address: 127.0.0.1#53 Address: 127.0.0.1#53