Set up a Google Fonts reverse proxy with Apache's `mod_cache` for privacy reasons.
== Systemd service ==
```
name=/etc/systemd/system/apache-htcacheclean-gfont.service
[Unit]
Description=Disk Cache Cleaning Daemon for Apache HTTP Server for the Google Font cache
After=apache2.service
Documentation=https://gitpull.it/T776
[Service]
Type=forking
User=www-data
Environment=HTCACHECLEAN_SIZE=300M
Environment=HTCACHECLEAN_DAEMON_INTERVAL=120
Environment=HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk_gfont
Environment=HTCACHECLEAN_OPTIONS=-n -t
ExecStart=/usr/bin/htcacheclean -d $HTCACHECLEAN_DAEMON_INTERVAL -p $HTCACHECLEAN_PATH -l $HTCACHECLEAN_
[Install]
WantedBy=multi-user.target
```
```
systemctl enable --now apache-htcacheclean-gfont
```
End.
Note: this unit was inherited from:
```
systemctl cat apache-htcacheclean.service
```
== Cache directory ==
Create the cache directory, modeled on the default `/var/cache/apache2/mod_cache_disk`:
```
mkdir /var/cache/apache2/mod_cache_disk_gfont
chown www-data: /var/cache/apache2/mod_cache_disk_gfont
```
== VirtualHost ==
```
#
# See https://gitpull.it/T776
#
<VirtualHost *:80>
    ServerName google-font-proxy.reyboz.it
    DocumentRoot /home/www-data/reyboz.it/google-font-proxy/www

    # needed because the proxied backend is HTTPS
    SSLProxyEngine On
    CacheQuickHandler off

    # disable unneeded features
    # (AllowOverride only takes effect inside <Directory>, not <Location>)
    <Directory /home/www-data/reyboz.it/google-font-proxy/www>
        AllowOverride none
    </Directory>

    <Location /css>
        # append the value "User-Agent" to the Vary HTTP header
        # but only if the dont-vary environment is not set.
        # don't know why we have to check the dont-vary env
        Header append Vary User-Agent env=!dont-vary
        ProxyPass https://fonts.googleapis.com/css
        ProxyPassReverse https://fonts.googleapis.com/css
        CacheEnable disk
    </Location>

    # cache even with Cache-Control: private
    CacheStorePrivate On
    CacheIgnoreNoLastMod On
    CacheIgnoreCacheControl On

    # add X-Cache with HIT|REVALIDATE|MISS for debug purposes
    CacheHeader on
    CacheRoot /var/cache/apache2/mod_cache_disk_gfont

    #LogLevel debug
    #CustomLog "/var/log/apache2/cached-requests.log" common env=cache-hit
    #CustomLog "/var/log/apache2/uncached-requests.log" common env=cache-miss
    #CustomLog "/var/log/apache2/revalidated-requests.log" common env=cache-revalidate
    #CustomLog "/var/log/apache2/invalidated-requests.log" common env=cache-invalidate
    #LogFormat "%{cache-status}e " cachelog
    #CustomLog /var/log/apache2/cachelog.log cachelog
</VirtualHost>
```
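To check that the proxy behaves as configured, the following added example (not part of the original page) reads response headers, such as those printed by `curl -sI`, and reports the `X-Cache` status emitted by `CacheHeader on` and whether `Vary` lists `User-Agent`, so cached CSS is keyed per browser. The function names and the sample headers are constructed for illustration.

```shell
# Added example, not from the original page; function names are hypothetical.
# Print the status from the X-Cache header that "CacheHeader on" adds
# (HIT, MISS or REVALIDATE), or NONE when the header is absent.
cache_status() {
    tr -d '\r' | awk '
        BEGIN { status = "NONE" }
        tolower($0) ~ /^x-cache:/ {
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            split(value, word, " "); status = toupper(word[1])
        }
        END { print status }'
}

# Succeed only when a Vary header lists User-Agent (case-insensitive).
vary_has_user_agent() {
    tr -d '\r' | awk '
        tolower($0) ~ /^vary:/ {
            value = tolower($0)
            sub(/^[^:]*:/, "", value)
            n = split(value, item, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", item[i])
                if (item[i] == "user-agent") found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Summarise one response; fail when cached CSS is not keyed on User-Agent.
check_response() {
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | cache_status)
    if printf '%s\n' "$headers" | vary_has_user_agent; then
        echo "cache=$status vary=ok"
    else
        echo "cache=$status vary=missing-user-agent"
        return 1
    fi
}

# Constructed sample responses, not captured from a real server.
SAMPLE_MISS='HTTP/1.1 200 OK
Vary: Accept-Encoding,User-Agent
X-Cache: MISS from google-font-proxy.reyboz.it'
SAMPLE_HIT_NO_VARY='HTTP/1.1 200 OK
Vary: Accept-Encoding
X-Cache: HIT from google-font-proxy.reyboz.it'

printf '%s\n' "$SAMPLE_MISS" | check_response
printf '%s\n' "$SAMPLE_HIT_NO_VARY" | check_response || true
```

Against the live proxy, pipe the headers of two identical requests into `check_response`: the first should report `MISS` and the second `HIT`.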
== Let's Encrypt ==
```
$ certbot certonly --webroot --webroot-path=/var/www/html -d google-font-proxy.reyboz.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for google-font-proxy.reyboz.it
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/google-font-proxy.reyboz.it/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/google-font-proxy.reyboz.it/privkey.pem
Your cert will expire on 2021-06-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```