
Setup Google Font reverse proxy cache for privacy reasons - with Apache's mod_cache at http://google-font-proxy.reyboz.it
Closed, Resolved | Public | 3 Points

Description

Problem

There is no reason in the world to give Google the IP addresses of each of our visitors just to serve cute fonts.

Solution

For privacy reasons we set up a Google Font reverse proxy cache with Apache's mod_cache.

This is a drop-in replacement for Google Font. For example, you can update your URLs right now from fonts.googleapis.com to google-font-proxy.reyboz.it.

See it in action:

The nice part is that after the first request, fonts are literally stored locally. We can do this because most Google Fonts are under a Free license.

NOTE: Yes, different user agents should trigger different fonts. If this does not happen, feel free to file a Task.
WARNING: If you notice a problem in the licenses, file a Task. There shouldn't be any because we use Free fonts.

VirtualHost

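apt install apache2
# mod_cache, plus the modules the directives below rely on
# (CacheEnable disk, ProxyPass, SSLEngine/SSLProxyEngine, Header)
a2enmod cache cache_disk proxy proxy_http ssl headers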
/etc/apache2/sites-available/reyboz.google-font-proxy.conf
#
# See https://gitpull.it/T776
#

<VirtualHost *:80>

	ServerName google-font-proxy.reyboz.it

	Include /etc/apache2/my-includes/google-font-proxy.conf

</VirtualHost>

<VirtualHost *:443>

	ServerName google-font-proxy.reyboz.it

	SSLEngine on
	SSLCertificateFile      /etc/letsencrypt/live/google-font-proxy.reyboz.it/cert.pem
	SSLCertificateKeyFile   /etc/letsencrypt/live/google-font-proxy.reyboz.it/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/google-font-proxy.reyboz.it/chain.pem

	Include /etc/apache2/my-includes/google-font-proxy.conf
	Include /etc/apache2/my-includes/ssl-hardening.conf
</VirtualHost>
/etc/apache2/my-includes/google-font-proxy.conf
	DocumentRoot /home/www-data/reyboz.it/google-font-proxy/www

	# allow to proxy via https://
	SSLProxyEngine On

	# fix mod_cache for proxies
	CacheQuickHandler off

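	# disable unneeded features (.htaccess overrides);
	# AllowOverride only takes effect in <Directory>, not in <Location>
	<Directory /home/www-data/reyboz.it/google-font-proxy/www>
		AllowOverride None
	</Directory>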

	# forward uncached request to Google Fonts
	<Location /css>
		# append the value "User-Agent" to the Vary HTTP header
		# but only if the dont-vary environment is not set.
		# don't know why we have to check the dont-vary env
		Header append Vary User-Agent env=!dont-vary

		ProxyPass        https://fonts.googleapis.com/css
		ProxyPassReverse https://fonts.googleapis.com/css
		CacheEnable disk
	</Location>

	# store same cache from different hostnames
	CacheKeyBaseURL "http://google-font-proxy.reyboz.it/"

	# cache even with Cache-Control: private
	CacheStorePrivate On

	CacheIgnoreNoLastMod    On
	CacheIgnoreCacheControl On

	# add X-Cache with HIT|REVALIDATE|MISS for debug purposes
	CacheHeader on

	# use the default
	#CacheRoot /var/cache/apache2/mod_cache_disk

	#LogLevel debug

	#CustomLog "/var/log/apache2/cached-requests.log" common env=cache-hit
	#CustomLog "/var/log/apache2/uncached-requests.log" common env=cache-miss
	#CustomLog "/var/log/apache2/revalidated-requests.log" common env=cache-revalidate
	#CustomLog "/var/log/apache2/invalidated-requests.log" common env=cache-invalidate

	#LogFormat "%{cache-status}e " cachelog
	#CustomLog /var/log/apache2/cachelog.log cachelog
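
A check a practitioner might run against this proxy, added here as an example and not part of the original task: it reads the headers and stylesheet body of one `/css` response and reports the `X-Cache` status, whether `Vary` lists `User-Agent`, and any host other than the proxy that the stylesheet's `url()` references would make a browser contact. The sample response is constructed, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

PROXY_HOST = "google-font-proxy.reyboz.it"  # hostname used on this page

# Constructed sample of a response from the proxy (not captured output).
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/css; charset=utf-8
Vary: Accept-Encoding
Vary: User-Agent
X-Cache: HIT from google-font-proxy.reyboz.it
"""
SAMPLE_CSS = """@font-face {
  font-family: 'Example';
  src: url(https://fonts.gstatic.com/s/example/v1/example.woff2) format('woff2');
}
"""

def parse_headers(raw):
    """Parse a raw response header block into a dict with lowercase names."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        key = name.strip().lower()
        # Repeated headers (several Vary lines) are joined with commas.
        headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return headers

def external_hosts(css, proxy_host=PROXY_HOST):
    """Hosts named in url(...) references that are not the proxy itself."""
    hosts = set()
    for ref in re.findall(r"url\(\s*['\"]?([^'\")\s]+)", css):
        host = urlsplit(ref).hostname  # None for relative references
        if host and host != proxy_host:
            hosts.add(host)
    return sorted(hosts)

def audit(raw_headers, css):
    """Summarise the cache and privacy-relevant properties of one response."""
    h = parse_headers(raw_headers)
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    return {
        "cache_status": h.get("x-cache", "").split(" ")[0] or None,
        "varies_on_user_agent": "user-agent" in vary,
        "external_hosts": external_hosts(css, PROXY_HOST),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_CSS))
```

Feed it the headers and body of a real `/css` request to the proxy; a non-empty `external_hosts` list means visitors' browsers still connect to those hosts when they load the font files.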

Let's Encrypt

$ certbot certonly --webroot --webroot-path=/var/www/html -d google-font-proxy.reyboz.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for google-font-proxy.reyboz.it
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/google-font-proxy.reyboz.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/google-font-proxy.reyboz.it/privkey.pem
   Your cert will expire on 2021-06-29. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Cache directory

Already created by Debian here:

/var/cache/apache2/mod_cache_disk

Systemd service

This service is needed for a general cleanup of the cache directory to keep it at a maximum size.

It was already provided by Debian:

systemctl enable --now apache-htcacheclean

Event Timeline

valerio.bozzolan created this task.
valerio.bozzolan renamed this task from "Setup Google Font reverse proxy with mod_cache for privacy reasons" to "Setup Google Font reverse proxy with mod_cache for privacy reasons at http://google-font-proxy.reyboz.it". Wed, Mar 31, 07:59
valerio.bozzolan closed this task as Resolved.
valerio.bozzolan updated the task description.
valerio.bozzolan set the point value for this task to 3.
valerio.bozzolan renamed this task from "Setup Google Font reverse proxy with mod_cache for privacy reasons at http://google-font-proxy.reyboz.it" to "Setup Google Font reverse proxy cache for privacy reasons - with Apache's mod_cache at http://google-font-proxy.reyboz.it". Thu, Apr 1, 12:37
valerio.bozzolan updated the task description.
valerio.bozzolan updated the task description.