From 3645de32d2c7a1af9603092138d3b18a6b0156da Mon Sep 17 00:00:00 2001 From: Bento Silveira Date: Sat, 22 Jul 2023 22:27:53 -0300 Subject: [PATCH] Made several improvements and changes to streamline install - unified the Nginx configuration into a single file - added SSL settings to Nginx - all hosts are configured using variables on the docker-compose file - changes on the main nginx.conf done by sed on a docker-entrypoint.d script - changes to the hardcoded URLs on the javascript done by a script in docker-entrypoint.d - nginx now exposes port 80 and 443, dispensing wit yet another proxy --- .gitignore | 2 - README.md | 6 +- {template => config}/config.properties | 16 ++-- config/piped.conf.template | 73 +++++++++++++++++++ config/piped.crt | 24 ++++++ config/piped.key | 28 +++++++ {template => config}/pipedapi.conf | 0 config/ssl.conf | 12 +++ {template => config}/ytproxy.conf | 21 +++--- ...er-compose.caddy.yml => docker-compose.yml | 55 +++++++------- entrypoint.d/host_replace.envsh | 4 + template/Caddyfile | 47 ------------ template/docker-compose.nginx.yml | 66 ----------------- template/nginx.conf | 33 --------- template/pipedfrontend.conf | 12 --- template/pipedproxy.conf | 14 ---- 16 files changed, 194 insertions(+), 219 deletions(-) rename {template => config}/config.properties (70%) create mode 100644 config/piped.conf.template create mode 100644 config/piped.crt create mode 100644 config/piped.key rename {template => config}/pipedapi.conf (100%) create mode 100644 config/ssl.conf rename {template => config}/ytproxy.conf (88%) rename template/docker-compose.caddy.yml => docker-compose.yml (56%) create mode 100755 entrypoint.d/host_replace.envsh delete mode 100644 template/Caddyfile delete mode 100644 template/docker-compose.nginx.yml delete mode 100644 template/nginx.conf delete mode 100644 template/pipedfrontend.conf delete mode 100644 template/pipedproxy.conf diff --git a/.gitignore b/.gitignore index f169fd9..8fce603 100644 --- a/.gitignore 
+++ b/.gitignore @@ -1,3 +1 @@ -config/ data/ -/docker-compose.yml diff --git a/README.md b/README.md index c5649a0..d70ef2c 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,7 @@ # Piped-Docker -See https://piped-docs.kavin.rocks/docs/self-hosting/#docker-compose-caddy-aio-script +### Creating Self-signed certificate + +https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs#generating-ssl-certificates + + diff --git a/template/config.properties b/config/config.properties similarity index 70% rename from template/config.properties rename to config/config.properties index ef1686f..776faee 100644 --- a/template/config.properties +++ b/config/config.properties @@ -4,8 +4,14 @@ PORT: 8080 # The number of workers to use for the server HTTP_WORKERS: 2 -# Proxy -PROXY_PART: https://PROXY_HOSTNAME +# Public Frontend URL - You should set this on the docker-compose file +# FRONTEND_URL: https://FRONTEND_HOSTNAME + +# Public API URL - You should set this on the docker-compose file +# API_URL: https://BACKEND_HOSTNAME + +# Proxy - You should set this on the docker-compose file +# PROXY_PART: https://PROXY_HOSTNAME # Outgoing HTTP Proxy - eg: 127.0.0.1:8118 #HTTP_PROXY: 127.0.0.1:8118 @@ -14,12 +20,6 @@ PROXY_PART: https://PROXY_HOSTNAME CAPTCHA_BASE_URL: https://api.capmonster.cloud/ CAPTCHA_API_KEY: INSERT_HERE -# Public API URL -API_URL: https://BACKEND_HOSTNAME - -# Public Frontend URL -FRONTEND_URL: https://FRONTEND_HOSTNAME - # Enable haveibeenpwned compromised password API COMPROMISED_PASSWORD_CHECK: true diff --git a/config/piped.conf.template b/config/piped.conf.template new file mode 100644 index 0000000..2eabcd4 --- /dev/null +++ b/config/piped.conf.template 
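Review bot: Dropping `config/` from .gitignore makes everything under config/ tracked, and this same patch moves config.properties (which carries `CAPTCHA_API_KEY`) and the TLS key into that directory. An operator who fills in real values there will see them as ordinary modifications and can commit or push them by accident. Shipping the files as templates and ignoring the live copies, for example with `config/config.properties` and `config/piped.key` entries, would avoid that.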
@@ -0,0 +1,73 @@
+server {
+ listen *:80;
+ listen [::]:80;
+ server_name ${FRONTEND_HOSTNAME} ${BACKEND_HOSTNAME} ${PROXY_HOSTNAME};
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header 'Referrer-Policy' 'no-referrer';
+ # enforce https
+
+ location / {
+ return 301 https://$server_name$request_uri;
+ }
+}
+
+server {
+
+ listen *:443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${FRONTEND_HOSTNAME};
+
+ include snippets/ssl.conf;
+
+ # Path to the root of your installation
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Connection "keep-alive";
+ proxy_pass http://piped-frontend;
+ }
+}
+
+proxy_cache_path /tmp/pipedapi_cache levels=1:2 keys_zone=pipedapi:4m max_size=2g inactive=60m use_temp_path=off;
+
+server {
+
+ listen *:443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${BACKEND_HOSTNAME};
+
+ include snippets/ssl.conf;
+
+ # Path to the root of your installation
+ location / {
+ proxy_cache pipedapi;
+ proxy_pass http://piped-backend:8080;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "keep-alive";
+ }
+}
+
+server {
+ listen *:443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ${PROXY_HOSTNAME};
+
+ include snippets/ssl.conf;
+
+ location ~ (/videoplayback|/api/v4/|/api/manifest/) {
+ include snippets/ytproxy.conf;
+
+ add_header Cache-Control private always;
+ proxy_pass http://unix:/var/run/ytproxy/actix.sock;
+ }
+
+ location / {
+ include snippets/ytproxy.conf;
+
+ add_header Cache-Control "public, max-age=604800";
+ proxy_pass http://unix:/var/run/ytproxy/actix.sock;
+ }
+}
diff --git a/config/piped.crt b/config/piped.crt
new file mode 100644
index 0000000..7bebc3e
--- /dev/null
+++ b/config/piped.crt
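Review bot: In the port-80 server block of config/piped.conf.template the redirect `return 301 https://$server_name$request_uri;` uses `$server_name`, which nginx resolves to the first name on the `server_name` line, so plain-HTTP requests for the backend and proxy hostnames are sent to the frontend host. `return 301 https://$host$request_uri;`, or one redirect block per hostname, keeps the requested host. Separately, the backend block enables `proxy_cache pipedapi;` with no cache key or bypass rule. If the API returns per-user responses with cacheable headers (not visible in this patch), they could be served to other clients, so adding `proxy_cache_bypass $http_authorization;` and `proxy_no_cache $http_authorization;` is worth considering.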
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID/zCCAuegAwIBAgIUdqkJshly/62rDQeqUUqyQiU5yJ8wDQYJKoZIhvcNAQEL +BQAwgY4xCzAJBgNVBAYTAkJSMQswCQYDVQQIDAJTUDESMBAGA1UEBwwJU2FvIFBh +dWxvMRAwDgYDVQQKDAdleGFtcGxlMRQwEgYDVQQLDAtkZXZlbG9wbWVudDEWMBQG +A1UEAwwNKi5leGFtcGxlLmNvbTEeMBwGCSqGSIb3DQEJARYPbWFpbC5leG1wbGUu +Y29tMB4XDTIzMDcyMjIxMzkzMloXDTI0MDcyMTIxMzkzMlowgY4xCzAJBgNVBAYT +AkJSMQswCQYDVQQIDAJTUDESMBAGA1UEBwwJU2FvIFBhdWxvMRAwDgYDVQQKDAdl +eGFtcGxlMRQwEgYDVQQLDAtkZXZlbG9wbWVudDEWMBQGA1UEAwwNKi5leGFtcGxl +LmNvbTEeMBwGCSqGSIb3DQEJARYPbWFpbC5leG1wbGUuY29tMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1Q4tR+qHr5wNuFvp18+B5rLSrZWrqb/9zZaE +65mTk70J7Wfa5kt+8wf7N7590ecazXcbuCnFmCBIMZGdZNE02C/0AQvgKKCmORhj +XDRlWupilguS6dMXhffgisZ/Dent9cQjZIFkOJ0ZNILbarPkQBvhdkFrn302Nujc +uF4cYrHvUa3WmtoUZspWqPKkl0AluOPTYm2QLGdT1M+nmr8AZs7JplYrBzT65fy/ +Nvtl+VxVcGqRrTVDmsWJIO8Gx/NW/7wfK6GQxWYeUotXNZmBrr5jOB0YttMQrgUn +QydSpK6qrVWEBr8IaR+jS+eXJmWrEi0QBn6npwvx0+g+Jt5jWQIDAQABo1MwUTAd +BgNVHQ4EFgQU7+AGX4fm74vjDt4+9nyB0ElAIkgwHwYDVR0jBBgwFoAU7+AGX4fm +74vjDt4+9nyB0ElAIkgwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC +AQEAI4k5IYFkqMvmw1Nd53umzhSIayT+T54VHBz59ty5OR0m+6FpoZaon5+FnWlq +5otCrOjGG6jzhku+PMsaU8iBcgfAJpZASicuCFXBcc6yAGveTvnHFAwlhEoI5oI/ +95tkh1hMy3hDZmMvYCOGnvS7vVY2JqPCFvgfRaMAaoe8gnlPOTx97fnnn/8+Aazi +puny/PYud3vaIfCzLWA/8Zo+r47sRlLkQQ9hrgcjrRW7oT+PHmY/31SWP+mFxwF7 +v6FVArSABFRObkhgiFL3APKLnx34hWEA/8TpRryuYQdz7BYkUzJHpxzzn91KeLdm +492KHQ71tVy6zV5iB1aev8nVYw== +-----END CERTIFICATE----- diff --git a/config/piped.key b/config/piped.key new file mode 100644 index 0000000..b872708 --- /dev/null +++ b/config/piped.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVDi1H6oevnA24 +W+nXz4HmstKtlaupv/3NloTrmZOTvQntZ9rmS37zB/s3vn3R5xrNdxu4KcWYIEgx +kZ1k0TTYL/QBC+AooKY5GGNcNGVa6mKWC5Lp0xeF9+CKxn8N6e31xCNkgWQ4nRk0 +gttqs+RAG+F2QWuffTY26Ny4Xhxise9Rrdaa2hRmylao8qSXQCW449NibZAsZ1PU +z6eavwBmzsmmVisHNPrl/L82+2X5XFVwapGtNUOaxYkg7wbH81b/vB8roZDFZh5S +i1c1mYGuvmM4HRi20xCuBSdDJ1KkrqqtVYQGvwhpH6NL55cmZasSLRAGfqenC/HT +6D4m3mNZAgMBAAECggEAGaZVST0xDLFK7ZETPAodZ3rL5l4Ihq04jxG5+utIWxb9 +JPnF3sfkBrpFQlbKqwSZs3bNfYR553CrgFw5iLOvGv/a7m1RlVKR8HnBLI6aTTG+ +oLXQABqL0HMhM1PmY/Rv05DDegwh1rcDG9FNPTFfH2C76hLCNDdM2Zt7Ry79V9w/ +rfZPGJgQS1ji7whLEGmv+z8JFOpw4rxtgvMUG+M73v5bS9j6VWZ0FLMKoXChvQka +gTP4UtjW2sHPBHVPFVhba0UPzLPY87uvY2esvIqC11NhPLs0oXBv9EnlgDzi4/gF +zwY4TpByBJ+2LOEU3QC0ezW4wz3M/p5NQjDMu9I3IQKBgQD/2nUVynNccMlW7STH +zTihukg9paweCrElncSwluwf0jf3/0EizDbfCPRMBM5la5J8+mYEH/Lxa+XjpVhn +CSnfDCRa68iwr+1wyn6YA0hvTHARbSVw74P3UnUafVAdhDlF9WGqQ6HUnMDHArSD +u/x6q4J3daGegXn8EdLWUlB/JQKBgQDVLXCGtMjOkAUT+42uTavf+0PnogkX5KuY +VYXmwrF3MCDmefkfYnyJK2Luecag+nSoK9Sc553DkCAoGiyreDPNXKNIYLGxDPMo +d4hcrt6Ol9W7PTpzQoE3Lz8Bm2N3zuyblV0xRsGOOTQirMSz052CTD+nhlUkxvrl +EJnzVBoHJQKBgAMRianzPaL0L1X9jh1fVriJ1Wf33rKVij5bQAqmJLrU+Jre0tcp +/9Z48wUeYaNRwPYCwsp136IJmz45s2+46mmkaaM1hLipw31A0HfeQjYjgoyS9IoA +NWL3+DOTISzZcx5lrQAvw3cbUiyQ2b1iucp22B+6p2+ROfdN92tenVyJAoGANAqO +wOPbbcns427yrI2bmuddMWv2KlYRqfOe57G53y3pqjo2nfnOCzKDSVKDMgNSfUeN +9Ov6MKa7ou6Y3xdOFiE6X03zsxRFPCjKKk4qWMcqTzZoUYD3yIAJMpw7kSD71BOH +l6L9V3oRhzGEJ55OgmOY2o3JtVu6HjeKTcPHQt0CgYEAtpjb6sajZhM1sDlT2N/R +V9t+k+N9dRDy8acpGRxm5HGhqJMev6PTowGqCxex+F/meDioCoybNYa7JPAwwDvt +XzqUrgCIceQ2TLGETQLDgfu325aJo/WRQZrnrN0XY0Gc4wnI/GXUmz2VcVALLYfb +jmPy4nc4xejo/H+MyUc8Ksw= +-----END PRIVATE KEY----- diff --git a/template/pipedapi.conf b/config/pipedapi.conf similarity index 100% rename from template/pipedapi.conf rename to config/pipedapi.conf diff --git a/config/ssl.conf b/config/ssl.conf new file mode 100644 index 0000000..ac28bdb 
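Review bot: config/piped.key adds an unencrypted private key to the repository, next to config/piped.crt, and docker-compose.yml mounts both into nginx as the live TLS credentials. Every deployment started from this repository would share a key that anyone who can read the repo also holds, so TLS protects nothing against interception or impersonation until the operator replaces it. The key and certificate should be left out of the commit and generated at install time, which the new README section already links instructions for. A comment next to the mounts in docker-compose.yml such as `# generate your own key and certificate before first start; never reuse a key published in a repository` would make the requirement explicit.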
--- /dev/null
+++ b/config/ssl.conf
@@ -0,0 +1,12 @@
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+
+ssl_certificate /etc/nginx/ssl/piped.crt;
+ssl_certificate_key /etc/nginx/ssl/piped.key;
+
+add_header 'Referrer-Policy' 'no-referrer';
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;
+add_header X-Download-Options noopen;
+add_header X-Permitted-Cross-Domain-Policies none;
diff --git a/template/ytproxy.conf b/config/ytproxy.conf
similarity index 88%
rename from template/ytproxy.conf
rename to config/ytproxy.conf
index 4fd36f1..04aebf7 100644
--- a/template/ytproxy.conf
+++ b/config/ytproxy.conf
@@ -1,18 +1,17 @@
-proxy_buffering on;
-proxy_buffers 1024 16k;
-proxy_set_header X-Forwarded-For "";
-proxy_set_header CF-Connecting-IP "";
-proxy_hide_header "alt-svc";
-sendfile on;
-sendfile_max_chunk 512k;
-tcp_nopush on;
+access_log off;
 aio threads=default;
 aio_write on;
 directio 16m;
+proxy_buffering on;
+proxy_buffers 1024 16k;
+proxy_hide_header "alt-svc";
 proxy_hide_header Cache-Control;
 proxy_hide_header etag;
 proxy_http_version 1.1;
-proxy_set_header Connection keep-alive;
 proxy_max_temp_file_size 32m;
-access_log off;
-proxy_pass http://unix:/var/run/ytproxy/actix.sock;
+proxy_set_header CF-Connecting-IP "";
+proxy_set_header Connection keep-alive;
+proxy_set_header X-Forwarded-For "";
+sendfile on;
+sendfile_max_chunk 512k;
+tcp_nopush on;
diff --git a/template/docker-compose.caddy.yml b/docker-compose.yml
similarity index 56%
rename from template/docker-compose.caddy.yml
rename to docker-compose.yml
index ebb6637..4eec12c 100644
--- a/template/docker-compose.caddy.yml
+++ b/docker-compose.yml
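Review bot: In config/ssl.conf, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables the deprecated TLS 1.0 and 1.1 and leaves out TLS 1.3; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting for a new deployment. The `add_header` lines in this snippet take effect at server level, and nginx inherits them only into locations that declare no `add_header` of their own. Both locations of the proxy host in piped.conf.template set `Cache-Control`, so responses from them will carry neither HSTS nor the other headers unless the header set is also included inside those locations. `X-XSS-Protection` is no longer honoured by current browsers and could be dropped.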
@@ -1,50 +1,58 @@ version: "3" services: - pipedfrontend: + piped-frontend: image: 1337kavin/piped-frontend:latest + container_name: piped-frontend restart: unless-stopped depends_on: - - piped - container_name: piped-frontend - entrypoint: ash -c 'sed -i s/pipedapi.kavin.rocks/BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* && /docker-entrypoint.sh && nginx -g "daemon off;"' + - piped-backend + environment: + - BACKEND_HOSTNAME=backend-host.example.com + volumes: + - ./entrypoint.d/host_replace.envsh:/docker-entrypoint.d/99-host_replace.envsh piped-proxy: image: 1337kavin/piped-proxy:latest + container_name: piped-proxy restart: unless-stopped environment: - UDS=1 volumes: - - piped-proxy:/app/socket - container_name: piped-proxy - piped: + - piped-proxy:/app/socket:z + piped-backend: image: 1337kavin/piped:latest + container_name: piped-backend restart: unless-stopped + environment: + - FRONTEND_URL=https://frontend-host.example.com + - API_URL=https://backend-host.example.com + - PROXY_PART=https://proxy-host.example.com volumes: - ./config/config.properties:/app/config.properties:ro depends_on: - postgres - container_name: piped-backend nginx: image: nginx:mainline-alpine - restart: unless-stopped - volumes: - - ./config/nginx.conf:/etc/nginx/nginx.conf:ro - - ./config/pipedapi.conf:/etc/nginx/conf.d/pipedapi.conf:ro container_name: nginx - depends_on: - - piped - caddy: - image: caddy:2-alpine restart: unless-stopped ports: - "80:80" - "443:443" - - "443:443/udp" + environment: + - FRONTEND_HOSTNAME=frontend-host.example.com + - BACKEND_HOSTNAME=backend-host.example.com + - PROXY_HOSTNAME=proxy-host.example.com volumes: - - ./config/Caddyfile:/etc/caddy/Caddyfile:ro - - caddy_data:/data - - piped-proxy:/var/run/ytproxy - container_name: caddy + - ./config/piped.conf.template:/etc/nginx/templates/piped.conf.template:ro + - ./config/ytproxy.conf:/etc/nginx/snippets/ytproxy.conf:ro + - ./config/ssl.conf:/etc/nginx/snippets/ssl.conf + - 
./config/piped.key:/etc/nginx/ssl/piped.key + - ./config/piped.crt:/etc/nginx/ssl/piped.crt + - piped-proxy:/var/run/ytproxy:z + depends_on: + - piped-backend + - piped-proxy + - piped-frontend postgres: image: postgres:15 restart: unless-stopped @@ -54,7 +62,6 @@ services: - POSTGRES_DB=piped - POSTGRES_USER=piped - POSTGRES_PASSWORD=changeme - container_name: postgres watchtower: image: containrrr/watchtower restart: always @@ -64,8 +71,6 @@ services: environment: - WATCHTOWER_CLEANUP=true - WATCHTOWER_INCLUDE_RESTARTING=true - container_name: watchtower - command: piped-frontend piped-backend piped-proxy nginx caddy postgres watchtower + command: piped-frontend piped-backend piped-proxy nginx postgres watchtower volumes: - caddy_data: null piped-proxy: null diff --git a/entrypoint.d/host_replace.envsh b/entrypoint.d/host_replace.envsh new file mode 100755 index 0000000..a22090c --- /dev/null +++ b/entrypoint.d/host_replace.envsh @@ -0,0 +1,4 @@ +#!/bin/sh + +sed -i 's/pipedapi.kavin.rocks/'$BACKEND_HOSTNAME'/g' /usr/share/nginx/html/assets/* +sed -i '/user/s/nginx/root' /etc/nginx/nginx.conf diff --git a/template/Caddyfile b/template/Caddyfile deleted file mode 100644 index b4c1ee1..0000000 --- a/template/Caddyfile +++ /dev/null 
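Review bot: In the first docker-compose.yml hunk the new nginx volume entries for `ssl.conf`, `piped.key` and `piped.crt` are mounted read-write while the neighbouring template and snippet mounts use `:ro`. The container has no reason to write to the private key, so `- ./config/piped.key:/etc/nginx/ssl/piped.key:ro` (and the same suffix on the other two) is the safer form. The entrypoint script is mounted only into piped-frontend, so its `nginx.conf` edit does not reach this nginx service; whether the default worker user can open the socket on the `piped-proxy` volume is not visible here and should be checked. The three hostnames are repeated across services, and a comment such as `# must match FRONTEND_URL / API_URL / PROXY_PART on piped-backend` would help keep them in sync.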
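Review bot: In entrypoint.d/host_replace.envsh the second command, `sed -i '/user/s/nginx/root' /etc/nginx/nginx.conf`, has no closing delimiter on the `s` expression, so sed will reject it as an unterminated `s` command. If the edit is wanted it should read `sed -i '/^user/s/nginx/root/' /etc/nginx/nginx.conf`, though running worker processes as root widens the impact of any nginx compromise, and fixing the socket's permissions would be preferable. In the first command `$BACKEND_HOSTNAME` is expanded unquoted into the sed program and the dots in the pattern match any character. `sed -i "s/pipedapi\.kavin\.rocks/${BACKEND_HOSTNAME}/g" /usr/share/nginx/html/assets/*` is more robust, ideally after checking that the variable is set and holds only hostname characters.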
@@ -1,47 +0,0 @@ -(global) { - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - - # enable HSTS - Strict-Transport-Security max-age=31536000; - - # keep referrer data off - Referrer-Policy no-referrer - - # prevent for appearing in search engine for private instances (option) - #X-Robots-Tag noindex - } -} - -FRONTEND_HOSTNAME { - reverse_proxy pipedfrontend:80 - import global -} - -BACKEND_HOSTNAME { - reverse_proxy nginx:80 - import global -} - -PROXY_HOSTNAME { - @ytproxy path /videoplayback* /api/v4/* /api/manifest/* - import global - - route { - header @ytproxy { - Cache-Control private always - } - - header / { - Cache-Control "public, max-age=604800" - } - - reverse_proxy unix//var/run/ytproxy/actix.sock { - header_up -CF-Connecting-IP - header_up -X-Forwarded-For - header_down -etag - header_down -alt-svc - } - } -} diff --git a/template/docker-compose.nginx.yml b/template/docker-compose.nginx.yml deleted file mode 100644 index a4be66b..0000000 --- a/template/docker-compose.nginx.yml +++ /dev/null 
@@ -1,66 +0,0 @@ -version: "3" - -services: - pipedfrontend: - image: 1337kavin/piped-frontend:latest - restart: unless-stopped - depends_on: - - piped - container_name: piped-frontend - entrypoint: ash -c 'sed -i s/pipedapi.kavin.rocks/BACKEND_HOSTNAME/g /usr/share/nginx/html/assets/* && /docker-entrypoint.sh && nginx -g "daemon off;"' - piped-proxy: - image: 1337kavin/piped-proxy:latest - restart: unless-stopped - environment: - - UDS=1 - volumes: - - piped-proxy:/app/socket - container_name: piped-proxy - piped: - image: 1337kavin/piped:latest - restart: unless-stopped - volumes: - - ./config/config.properties:/app/config.properties:ro - depends_on: - - postgres - container_name: piped-backend - nginx: - image: nginx:mainline-alpine - restart: unless-stopped - ports: - - "8080:80" - volumes: - - ./config/nginx.conf:/etc/nginx/nginx.conf:ro - - ./config/pipedapi.conf:/etc/nginx/conf.d/pipedapi.conf:ro - - ./config/pipedproxy.conf:/etc/nginx/conf.d/pipedproxy.conf:ro - - ./config/pipedfrontend.conf:/etc/nginx/conf.d/pipedfrontend.conf:ro - - ./config/ytproxy.conf:/etc/nginx/snippets/ytproxy.conf:ro - - piped-proxy:/var/run/ytproxy - container_name: nginx - depends_on: - - piped - - piped-proxy - - pipedfrontend - postgres: - image: postgres:15 - restart: unless-stopped - volumes: - - ./data/db:/var/lib/postgresql/data - environment: - - POSTGRES_DB=piped - - POSTGRES_USER=piped - - POSTGRES_PASSWORD=changeme - container_name: postgres - watchtower: - image: containrrr/watchtower - restart: always - volumes: - - /var/run/docker.sock:/var/run/docker.sock - - /etc/timezone:/etc/timezone:ro - environment: - - WATCHTOWER_CLEANUP=true - - WATCHTOWER_INCLUDE_RESTARTING=true - container_name: watchtower - command: piped-frontend piped-backend piped-proxy varnish nginx postgres watchtower -volumes: - piped-proxy: null diff --git a/template/nginx.conf b/template/nginx.conf deleted file mode 100644 index 2ba7091..0000000 --- a/template/nginx.conf +++ /dev/null 
@@ -1,33 +0,0 @@ -user root; -worker_processes auto; - -error_log /var/log/nginx/error.log notice; -pid /var/run/nginx.pid; - - -events { - worker_connections 1024; -} - - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - - server_names_hash_bucket_size 128; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - sendfile on; - tcp_nodelay on; - - keepalive_timeout 65; - - resolver 127.0.0.11 ipv6=off valid=10s; - - include /etc/nginx/conf.d/*.conf; -} diff --git a/template/pipedfrontend.conf b/template/pipedfrontend.conf deleted file mode 100644 index 50c7da2..0000000 --- a/template/pipedfrontend.conf +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 80; - server_name FRONTEND_HOSTNAME; - - set $backend "http://pipedfrontend:80"; - - location / { - proxy_pass $backend; - proxy_http_version 1.1; - proxy_set_header Connection "keep-alive"; - } -} diff --git a/template/pipedproxy.conf b/template/pipedproxy.conf deleted file mode 100644 index 4b04294..0000000 --- a/template/pipedproxy.conf +++ /dev/null @@ -1,14 +0,0 @@ -server { - listen 80; - server_name PROXY_HOSTNAME; - - location ~ (/videoplayback|/api/v4/|/api/manifest/) { - include snippets/ytproxy.conf; - add_header Cache-Control private always; - } - - location / { - include snippets/ytproxy.conf; - add_header Cache-Control "public, max-age=604800"; - } -}