== Problem ==
There is no reason in the world to give Google the IP addresses of each of our visitors just to serve cute fonts.
== Solution ==
For privacy reasons we setup a Google Font reverse proxy cache with Apache's `mod_cache`.
This is a drop-in replacement of Google Font. For example you can update right now your URLs from `fonts.googleapis.com` to `google-font-proxy.reyboz.it`.
See it in action:
* https://fonts.googleapis.com/css?family=Open+Sans%3Aregular%2C700|Khand%3A500&subset=latin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext
* https://google-font-proxy.reyboz.it/css?family=Open+Sans%3Aregular%2C700|Khand%3A500&subset=latin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext%2Clatin-ext
The nice part is that after the first request, fonts are then literally stored locally. We can do this because most of Google Fonts are under a Free license.
NOTE: Yes, different user agents should trigger different fonts. If this does not happen, feel free to file a Task.
WARNING: If you noticed a problem in the licenses, file a Task. There shouldn't be any because we use Free fonts.
== VirtualHost ===
```
apt install apache2
a2enmod cache
a2enmod substitute
```
```
name=/etc/apache2/sites-available/reyboz.google-font-proxy.conf
#
# See https://gitpull.it/T776
#
<VirtualHost *:80>
ServerName google-font-proxy.reyboz.it
Include /etc/apache2/my-includes/google-font-proxy.conf
</VirtualHost>
<VirtualHost *:443>
ServerName google-font-proxy.reyboz.it
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/google-font-proxy.reyboz.it/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/google-font-proxy.reyboz.it/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/google-font-proxy.reyboz.it/chain.pem
Include /etc/apache2/my-includes/google-font-proxy.conf
Include /etc/apache2/my-includes/ssl-hardening.conf
</VirtualHost>
```
```
name=/etc/apache2/my-includes/google-font-proxy.conf
#
# This is a shared Apache HTTPd configuration for a Google Font proxy
# License: public domain (CC 0)
# Author: Valerio Bozzolan (2021)
#
# https://gitpull.it/T776
#
# where you want to put a nice homepage
DocumentRoot /home/www-data/reyboz.it/google-font-proxy/www
#
# Your canonical domain
#
# useful to store same cache entries from different hostnames
# so, if you share this to multiple ServerName/ServerAlias, you save some kilobytes! asd
CacheKeyBaseURL "http://google-font-proxy.reyboz.it/"
# allow to proxy via https://
SSLProxyEngine On
# fix mod_cache for proxies
CacheQuickHandler off
# disable unuseful and slow features
<Location />
AllowOverride none
</Location>
# forward CSS requests to Google Fonts and cache locally
<Location /css>
# append the value "User-Agent" to the Vary HTTP header
# but only if the dont-vary environment is not set.
# don't know why we have to check the dont-vary env
Header append Vary User-Agent env=!dont-vary
# hi Google! Give me the CSS file
ProxyPass https://fonts.googleapis.com/css
ProxyPassReverse https://fonts.googleapis.com/css
#
# Replace some URLS to fonts.gstatic.com
#
# Note that Sobstitute will not work without the next line
# https://stackoverflow.com/questions/32603182/apache-httpd-substitute-wont-work
#
AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/css
Substitute "s|https://fonts.gstatic.com/s/|/s/|n"
# cache future requests
CacheEnable disk
</Location>
# forward static font files and cache locally
<Location /s>
# hi Google! Give me the font file
ProxyPass https://fonts.gstatic.com/s
ProxyPassReverse https://fonts.gstatic.com/s
# cache future requests
CacheEnable disk
</Location>
# remove "Link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin"
Header unset Link
# cache even with Cache-Control: private
CacheStorePrivate On
# please cache also these cases or it will not work
CacheIgnoreNoLastMod On
CacheIgnoreCacheControl On
# add X-Cache with HIT or REVALIDATE or MISS
# useful for debug purposes
CacheHeader on
#
# Cache directory root
#
# no need to change the default cache pathname in Debian
#
# Check if the system is cleaning it with:
## systemctl status apache-htcacheclean
#
#CacheRoot /var/cache/apache2/mod_cache_disk
# eventually enable serious debug
#LogLevel debug
#CustomLog "/var/log/apache2/cached-requests.log" common env=cache-hit
#CustomLog "/var/log/apache2/uncached-requests.log" common env=cache-miss
#CustomLog "/var/log/apache2/revalidated-requests.log" common env=cache-revalidate
#CustomLog "/var/log/apache2/invalidated-requests.log" common env=cache-invalidate
#LogFormat "%{cache-status}e " cachelog
#CustomLog /var/log/apache2/cachelog.log cachelog
```
== Let's Encrypt ==
```
$ certbot certonly --webroot --webroot-path=/var/www/html -d google-font-proxy.reyboz.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for google-font-proxy.reyboz.it
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/google-font-proxy.reyboz.it/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/google-font-proxy.reyboz.it/privkey.pem
Your cert will expire on 2021-06-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
== Cache directory ==
Already created by Debian here:
```
/var/cache/apache2/mod_cache_disk
```
== Systemd service ==
This service is needed for a general cleanup of the cache directory to keep it at a maximum size.
It was already provided by Debian:
```
systemctl enable --now apache-htcacheclean
```