root@Datura - 2023-08-23

ProxiTok Setup

In this tutorial we're going to set up ProxiTok, a privacy front-end for TikTok (one of the most anti-privacy services to ever exist).

Initial Setup

Git clone the repo and run the docker-compose.yml file:


[ nowhere.moe ] [ /dev/pts/8 ] [/srv]
→  git clone https://github.com/pablouser1/ProxiTok/ ; cd ProxiTok


Then configure the docker-compose.yml file (comment out the init line because it's not supported):


[ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
→ vim docker-compose.yml

[ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
→ cat docker-compose.yml
version: '3'

services:
  web:
    container_name: proxitok-web
    image: ghcr.io/pablouser1/proxitok:master
    ports:
      - 8083:8080
    environment:
      - LATTE_CACHE=/cache
      - API_CACHE=redis
      - REDIS_HOST=proxitok-redis
      - REDIS_PORT=6379
      - API_SIGNER=remote
      - API_SIGNER_URL=http://proxitok-signer:8080/signature
    volumes:
      - proxitok-cache:/cache
    depends_on:
      - redis
      - signer
    networks:
      - proxitok
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID

  redis:
    container_name: proxitok-redis
    image: redis:7-alpine
    command: redis-server --save 60 1 --loglevel warning
    restart: unless-stopped
    networks:
      - proxitok
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /data:size=10M,mode=0770,uid=65534,gid=65534,noexec,nosuid,nodev
    cap_drop:
      - ALL

  signer:
    container_name: proxitok-signer
    image: ghcr.io/pablouser1/signtok:master
    #init: true
    networks:
      - proxitok
    user: nobody
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

volumes:
  proxitok-cache:

networks:
  proxitok:

[ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
→ APP_URL='https://cringe.nowhere.moe' docker-compose up
ERROR: yaml.scanner.ScannerError: while scanning for the next token
found character '\t' that cannot start any token
  in "./docker-compose.yml", line 51, column 1

[ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
→ vim docker-compose.yml

[ nowhere.moe ] [ /dev/pts/8 ] [/srv/ProxiTok]
→ APP_URL='https://cringe.nowhere.moe' docker-compose up

Creating network "proxitok_proxitok" with the default driver
Creating volume "proxitok_proxitok-cache" with default driver
Pulling redis (redis:7-alpine)...
7-alpine: Pulling from library/redis
7264a8db6415: Pull complete
a28817da73be: Pull complete
536ccaebaffb: Pull complete
f54d1871dea6: Pull complete
4d190b4b6472: Pull complete
33fcc95c965f: Pull complete
Digest: sha256:fd5de2340bc46cbc2241975ab027797c350dec6fd86349e3ac384e3a41be6fee
Status: Downloaded newer image for redis:7-alpine
Pulling signer (ghcr.io/pablouser1/signtok:master)...
master: Pulling from pablouser1/signtok
ca7dd9ec2225: Pull complete
55371e6747e8: Pull complete
694d6b1b2d1b: Pull complete
71f41f5ff77d: Pull complete
50e5da009459: Pull complete
72e659781711: Pull complete
ef54da1b8443: Pull complete
620d81797357: Pull complete
5edc5725490e: Pull complete
Digest: sha256:b03fe2d10dfd6bed717c0f4a7d253908963a5e7f7ea9bf48855a3f74c924f3a7
Status: Downloaded newer image for ghcr.io/pablouser1/signtok:master
Pulling web (ghcr.io/pablouser1/proxitok:master)...
master: Pulling from pablouser1/proxitok
8a49fdb3b6a5: Pull complete
496a743ca17d: Pull complete
9e309b5f32ab: Pull complete
bf36d90371de: Pull complete
f110ea7c70c4: Pull complete
5ee30eaa9898: Pull complete
d8373ae76156: Pull complete
c349c3fbbecc: Pull complete
207a66f83a7e: Pull complete
30774e576bfe: Pull complete
9ef258ce6026: Pull complete
d72ddb753b3d: Pull complete
48271c7b9504: Pull complete
1a38beda4bc2: Pull complete
14893ea479a0: Pull complete
83ebfcff9ece: Pull complete
Digest: sha256:0a775a0933f86d83614e33e20995b4f3c75483e11a2fe466ac0d45ab80ead061
Status: Downloaded newer image for ghcr.io/pablouser1/proxitok:master
Creating proxitok-redis  ... done
Creating proxitok-signer ... done
Creating proxitok-web    ... done
Attaching to proxitok-signer, proxitok-redis, proxitok-web
proxitok-redis | 1:C 23 Aug 2023 10:27:06.333 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
proxitok-signer | App listening on port: 8080
proxitok-web | 2023-08-23 10:27:06,854 INFO supervisord started with pid 1
proxitok-web | 2023-08-23 10:27:07,856 INFO spawned: 'nginx' with pid 7
proxitok-web | 2023-08-23 10:27:07,857 INFO spawned: 'php-fpm' with pid 8
proxitok-web | [23-Aug-2023 10:27:07] NOTICE: fpm is running, pid 8
proxitok-web | [23-Aug-2023 10:27:07] NOTICE: ready to handle connections
proxitok-web | 2023-08-23 10:27:08,883 INFO success: nginx entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
proxitok-web | 2023-08-23 10:27:08,883 INFO success: php-fpm entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)


Then configure the nginx reverse proxy:


[ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
→ vim cringe.nowhere.moe.conf

[ nowhere.moe ] [ /dev/pts/9 ] [/etc/nginx/sites-available]
→ cat cringe.nowhere.moe.conf
server {
        listen 443 ssl;
        server_name cringe.nowhere.moe;

        ssl_certificate /etc/acme/certs/cringe.nowhere.moe/cringe.nowhere.moe.cer;
        ssl_certificate_key /etc/acme/certs/cringe.nowhere.moe/cringe.nowhere.moe.key;

        ######## TOR CHANGES ########
        listen 4443;
        listen [::]:4443;
        server_name cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
        add_header Onion-Location "http://cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
        ######## TOR CHANGES ########


        ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
        ssl_ecdh_curve secp384r1;
        ssl_session_timeout  10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        #ssl_stapling on;
        ssl_stapling_verify on;

        # Security Headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; media-src 'self' blob: video.twimg.com; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options DENY;
        add_header X-XSS-Protection "1; mode=block";

        location / {
                proxy_pass http://localhost:8083;
        }

        location = /robots.txt {
                add_header Content-Type text/plain;
                return 200 "User-agent: *\nDisallow: /\n";
        }
}

	

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/ProxiTok]
→ systemctl stop nginx

[ nowhere.moe ] [ /dev/pts/10 ] [/srv/ProxiTok]
→ bash
root@Datura /srv/ProxiTok #  acme.sh --issue --standalone -d cringe.nowhere.moe -k 4096


[ nowhere.moe ] [ /dev/pts/10 ] [/srv/ProxiTok]
→ systemctl start nginx

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ ln -s /etc/nginx/sites-available/cringe.nowhere.moe.conf /etc/nginx/sites-enabled

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ nginx -s reload
2023/08/23 12:41:58 [notice] 3931966#3931966: signal process started
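
An audit of the two files configured above, as an added example that is not part of the original tutorial: it flags Compose port mappings written without a host address (the short form `8083:8080` publishes on all interfaces, so the container port is exposed next to the nginx proxy unless a firewall blocks it) and `ssl_protocols` lines that still list TLSv1 or TLSv1.1, which RFC 8996 deprecates. The function names and the inline sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the compose file and nginx vhost from this tutorial.
# Function names and sample files are constructed for illustration.

# Print short-syntax port mappings that carry no host address (8083:8080).
# "127.0.0.1:8083:8080" splits into three fields and is not printed.
ports_on_all_interfaces() {
    awk -v q="'" '
        /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
        in_ports && /^[ \t]*-/ {
            m = $0
            sub(/^[ \t]*-[ \t]*/, "", m)       # list dash
            sub(/[ \t]*#.*$/, "", m)           # trailing comment
            gsub(/"/, "", m); gsub(q, "", m)   # quotes
            sub(/[ \t]+$/, "", m)              # trailing blanks
            if (m ~ /^[0-9]/ && split(m, f, ":") <= 2) print m
            next
        }
        { in_ports = 0 }
    ' "$1"
}

# Print deprecated protocol names listed on active ssl_protocols directives.
legacy_tls_protocols() {
    awk '
        { sub(/#.*/, "") }                     # ignore comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print p
            }
        }
    ' "$1"
}

# Constructed samples: the page's settings beside a tightened form.
write_samples() {
    printf 'services:\n  web:\n    ports:\n      - 8083:8080\n    environment:\n      - API_CACHE=redis\n' > "$1/compose-page.yml"
    printf 'services:\n  web:\n    ports:\n      - "127.0.0.1:8083:8080"\n' > "$1/compose-local.yml"
    printf 'server {\n    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;\n    #ssl_stapling on;\n}\n' > "$1/vhost-page.conf"
    printf 'server {\n    ssl_protocols TLSv1.3 TLSv1.2;\n}\n' > "$1/vhost-tls12.conf"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
echo "compose ports on all interfaces: $(ports_on_all_interfaces "$demo_dir/compose-page.yml")"
echo "vhost legacy protocols: $(legacy_tls_protocols "$demo_dir/vhost-page.conf" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

The matching changes are `127.0.0.1:8083:8080` under `ports:` in docker-compose.yml and `ssl_protocols TLSv1.3 TLSv1.2;` in the vhost; `proxy_pass http://localhost:8083;` keeps working with the loopback-only binding.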

Then check if it works:

And that's it! To keep it updated, just have this cron job run every day:


[ nowhere.moe ] [ /dev/pts/10 ] [/etc/nginx/sites-available]
→ crontab -e ; cronitor select

✔ docker-compose -f /srv/ProxiTok/docker-compose.yml stop ; git -C /srv/ProxiTok/ pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml up -d
----► Running command: docker-compose -f /srv/ProxiTok/docker-compose.yml stop ; git -C /srv/ProxiTok/ pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml pull ; docker-compose -f /srv/ProxiTok/docker-compose.yml up -d

Stopping proxitok-web    ... done
Stopping proxitok-signer ... done
Stopping proxitok-redis  ... done
Already up to date.
Pulling redis  ... done
Pulling signer ... done
Pulling web    ... done
Starting proxitok-redis  ... done
Starting proxitok-signer ... done
Starting proxitok-web    ... done

----► ✔ Command successful    Elapsed time 10.492s

And then, to contribute to the ecosystem, create a GitHub issue to get listed on the official list of instances here.

Creative Commons Zero: No Rights Reserved

Contact: nihilist@contact.nowhere.moe (PGP)