Update docker compose file

.gitignore

@@ -16,3 +16,8 @@
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
+
+# Certificates!
+*.pem
+*.cer
+*.key

docker-compose.yml

@@ -12,10 +12,11 @@ services:
     # ports:
     #   - "0.0.0.0:8443:8443/tcp" # HTTP/2
     #   - "0.0.0.0:8443:8443/udp" # HTTP/3 (QUIC)
+    # Make sure that the key and the certificate files exist!
     volumes:
-      - ./key.key:/app/key.key
-      - ./fullchain.cer:/app/fullchain.cer
-    command: "./http3-ytproxy -l 0.0.0.0 -p 8443 -https -tls-key ./key.key -tls-cert ./fullchain.cer"
+      - ./key.key:/data/key.key:ro
+      - ./fullchain.pem:/data/cert.pem:ro
+    command: "./http3-ytproxy -l 0.0.0.0 -p 8443 -https"
     depends_on:
       - gluetun
 

httppaths.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 	"log"
 	"net/http"
@@ -12,6 +13,16 @@ import (
 	"time"
 )
 
+func forbiddenChecker(resp *http.Response, w http.ResponseWriter) error {
+	if resp.StatusCode == 403 {
+		w.WriteHeader(403)
+		io.WriteString(w, "Forbidden 403\n")
+		io.WriteString(w, "Maybe Youtube blocked the IP of this proxy?\n")
+		return fmt.Errorf("%s returned %d", resp.Request.Host, resp.StatusCode)
+	}
+	return nil
+}
+
 func videoplayback(w http.ResponseWriter, req *http.Request) {
 	q := req.URL.Query()
 	expire, err := strconv.ParseInt(q.Get("expire"), 10, 64)
@@ -95,11 +106,9 @@ func videoplayback(w http.ResponseWriter, req *http.Request) {
 		log.Panic(err)
 	}
 
-	if resp.StatusCode == 403 {
+	if err := forbiddenChecker(resp, w); err != nil {
 		atomic.AddInt64(&stats_.RequestsForbidden.Videoplayback, 1)
 		metrics.RequestForbidden.Videoplayback.Inc()
-		io.WriteString(w, "Forbidden 403\n")
-		io.WriteString(w, "Maybe Youtube blocked the IP of this proxy?\n")
 		return
 	}
 
@@ -176,11 +185,9 @@ func vi(w http.ResponseWriter, req *http.Request) {
 		log.Panic(err)
 	}
 
-	w.WriteHeader(resp.StatusCode)
-	if resp.StatusCode == 403 {
+	if err := forbiddenChecker(resp, w); err != nil {
 		atomic.AddInt64(&stats_.RequestsForbidden.Vi, 1)
 		metrics.RequestForbidden.Vi.Inc()
-		io.WriteString(w, "Forbidden 403")
 		return
 	}
 
@@ -188,6 +195,7 @@ func vi(w http.ResponseWriter, req *http.Request) {
 
 	NoRewrite := strings.HasPrefix(resp.Header.Get("Content-Type"), "audio") || strings.HasPrefix(resp.Header.Get("Content-Type"), "video")
 	copyHeaders(resp.Header, w.Header(), NoRewrite)
+	w.WriteHeader(resp.StatusCode)
 
 	io.Copy(w, resp.Body)
 }
@@ -216,11 +224,9 @@ func ggpht(w http.ResponseWriter, req *http.Request) {
 		log.Panic(err)
 	}
 
-	w.WriteHeader(resp.StatusCode)
-	if resp.StatusCode == 403 {
+	if err := forbiddenChecker(resp, w); err != nil {
 		atomic.AddInt64(&stats_.RequestsForbidden.Ggpht, 1)
 		metrics.RequestForbidden.Ggpht.Inc()
-		io.WriteString(w, "Forbidden 403")
 		return
 	}
 
@@ -228,6 +234,7 @@ func ggpht(w http.ResponseWriter, req *http.Request) {
 
 	NoRewrite := strings.HasPrefix(resp.Header.Get("Content-Type"), "audio") || strings.HasPrefix(resp.Header.Get("Content-Type"), "video")
 	copyHeaders(resp.Header, w.Header(), NoRewrite)
+	w.WriteHeader(resp.StatusCode)
 
 	io.Copy(w, resp.Body)
 }

main.go

@@ -3,8 +3,8 @@ package main
 import (
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"flag"
-	"fmt"
 	"io"
 	"log"
 	"net"
@@ -242,8 +242,8 @@ func root(w http.ResponseWriter, req *http.Request) {
 	const msg = `
 	HTTP youtube proxy for https://inv.nadeko.net
 	https://git.nadeko.net/Fijxu/http3-ytproxy
-	
-	Routes: 
+
+	Routes:
 	/stats
 	/health`
 	io.WriteString(w, msg)
@@ -336,6 +336,7 @@ func beforeProxy(next http.HandlerFunc) http.HandlerFunc {
 		w.Header().Set("Access-Control-Allow-Headers", "*")
 		w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
 		w.Header().Set("Access-Control-Max-Age", "1728000")
+		w.Header().Set("Strict-Transport-Security", "max-age=86400")
 		// } else {
 		// 	w.WriteHeader(401)
 		// 	io.WriteString(w, "Only requests coming from inv.nadeko.net are allowed.")
@@ -378,18 +379,23 @@ func main() {
 	var https bool
 	var h3c bool
 
-	ua = os.Getenv("USER_AGENT")
 	https = os.Getenv("HTTPS") == "1"
 	h3c = os.Getenv("H3C") == "1"
 	h3s = os.Getenv("H3S") == "1"
 	ipv6 = os.Getenv("IPV6_ONLY") == "1"
+	// ua = os.Getenv("USER_AGENT")
+	// tls_cert = os.Getenv("TLS_CERT")
+	// tls_key = os.Getenv("TLS_KEY")
+	// sock = os.Getenv("SOCK_PATH")
+	// port = os.Getenv("PORT")
+	// host = os.Getenv("HOST")
 
 	flag.BoolVar(&https, "https", false, "Use built-in https server (recommended)")
 	flag.BoolVar(&h3s, "h3c", false, "Use HTTP/3 for client requests (high CPU usage)")
-	flag.BoolVar(&h3s, "h3s", true, "Use HTTP/3 for server requests")
+	flag.BoolVar(&h3s, "h3s", true, "Use HTTP/3 for server requests, (requires HTTPS)")
 	flag.BoolVar(&ipv6_only, "ipv6_only", false, "Only use ipv6 for requests")
-	flag.StringVar(&tls_cert, "tls-cert", "", "TLS Certificate path")
-	flag.StringVar(&tls_key, "tls-key", "", "TLS Certificate Key path")
+	flag.StringVar(&tls_cert, "tls-cert", "/data/cert.pem", "TLS Certificate path")
+	flag.StringVar(&tls_key, "tls-key", "/data/key.key", "TLS Certificate Key path")
 	flag.StringVar(&sock, "s", "/tmp/http-ytproxy.sock", "Specify a socket name")
 	flag.StringVar(&port, "p", "8080", "Specify a port number")
 	flag.StringVar(&host, "l", "0.0.0.0", "Specify a listen address")
@@ -403,13 +409,11 @@ func main() {
 
 	if https {
 		if len(tls_cert) <= 0 {
-			fmt.Println("tls-cert argument is missing, you need a TLS certificate for HTTPS")
-			os.Exit(1)
+			log.Fatal("tls-cert argument is missing, you need a TLS certificate for HTTPS")
 		}
 
 		if len(tls_key) <= 0 {
-			fmt.Println("tls-key argument is missing, you need a TLS key for HTTPS")
-			os.Exit(1)
+			log.Fatal("tls-key argument is missing, you need a TLS key for HTTPS")
 		}
 	}
 
@@ -486,40 +490,47 @@ func main() {
 	socket_listener, err := net.Listen("unix", sock)
 
 	if err != nil {
-		fmt.Println("Failed to bind to UDS, please check the socket name")
-		fmt.Println(err.Error())
+		log.Println("Failed to bind to UDS, please check the socket name", err.Error())
 	} else {
 		defer socket_listener.Close()
 		// To allow everyone to access the socket
 		err = os.Chmod(sock, 0777)
 		if err != nil {
-			fmt.Println("Error setting permissions:", err)
+			log.Println("Failed to set socket permissions to 777:", err.Error())
 			return
 		} else {
-			fmt.Println("Setting socket permissions to 777")
+			log.Println("Setting socket permissions to 777")
 		}
 
 		go srv.Serve(socket_listener)
-		fmt.Println("Unix socket listening at:", string(sock))
+		log.Println("Unix socket listening at:", string(sock))
 
 		if https {
-			fmt.Println("Serving HTTPS at port", string(port))
+			if _, err := os.Open(tls_cert); errors.Is(err, os.ErrNotExist) {
+				log.Panicf("Certificate file does not exist at path '%s'", tls_cert)
+			}
+
+			if _, err := os.Open(tls_key); errors.Is(err, os.ErrNotExist) {
+				log.Panicf("Key file does not exist at path '%s'", tls_key)
+			}
+
+			log.Println("Serving HTTPS at port", string(port)+"/tcp")
 			go func() {
 				if err := srv.ServeTLS(ln, tls_cert, tls_key); err != nil {
-					log.Fatal(err)
+					log.Fatal("Failed to server HTTP/2", err.Error())
 				}
 			}()
 			if h3s {
-				fmt.Println("Serving HTTPS via QUIC at port", string(port))
+				log.Println("Serving HTTP/3 (HTTPS) via QUIC at port", string(port)+"/udp")
 				go func() {
 					if err := srvh3.ListenAndServeTLS(tls_cert, tls_key); err != nil {
-						log.Fatal(err)
+						log.Fatal("Failed to serve HTTP/3:", err.Error())
 					}
 				}()
 			}
 			select {}
 		} else {
-			fmt.Println("Serving HTTP at port", string(port))
+			log.Println("Serving HTTP at port", string(port))
 			if err := srv.Serve(ln); err != nil {
 				log.Fatal(err)
 			}