You might NOT need a DMCA-ignored server... My custom solution explained
Guide: How to run a DMCA-ignored site without "bulletproof" servers
1. Intro and motivation
Note: This post is adapted from this Anna's Archive wiki entry.
I very often see people coming here looking for DMCA ignored servers and getting ripped off. So I decided to write this guide for the people.
It is designed to be as newbie-friendly as possible; if you are a more advanced user, you can skip to step 4.
2. Server providers & Hosting options
- Any reputed seller from this forum who doesn't advertise as "DMCA ignored" or "bulletproof"
- leaseweb/vultr/hetzner
- https://lowendtalk.com
- https://bitcoin-vps.com/
- https://fmhy.net/developer-tools#hosting-tools
Consider if you need S3 or dedicated servers - S3 is often way cheaper if you only want to serve files. You can also selfhost your own S3 server using tools like MinIO.
As a last option, you can also host the data at home. But beware of ISP letters/service interruptions if you suddenly start sending out insane amounts of traffic; a reverse proxy will not protect you from that.
3. Getting a web domain
The weakest point of any copyright-breaking website is the domain. There are many deceitful and low quality providers, and tons of misinformation posted online.
There are only 2 DMCA resistant domain providers that I know of: Flokinet.is (recommended) and Njalla. If you know any others which are better, please let me know below.
WARNING
Njalla bans domains at their own discretion and you need to wait a year to recover them. Support is basically useless. They resell Tucows, which is US-based.
.su (sold at tcinet.ru) and .st (sold at nic.st) domains are known for being strong, but that doesn't mean they are copyright resistant. Use at your own risk.
4. Deployment: Reverse proxy, VPN and Docker
Next, you will need to build a DMCA resistant reverse proxy. There are 2 ways to achieve this:
- Option 1 - offshore servers: https://vpspricetracker.com/search?dmca_ignore=true (You will need to set up Nginx manually, and it is easier to fuck up.)
- Option 2: Cloudflare + VPN (We will be illustrating this option below)
Note: While Option 2 is cheaper and easier for less experienced users, it isn't failproof. Although it can't ban your server, Cloudflare will comply with court orders to stop serving traffic to your website in a certain country, and you will have to resort to Option 1.
The key ideas are:
- Host the data on a cheap provider (see above).
- Place the VPN interface in front of Cloudflare. It should NEVER get your real server IP.
- You need a strong VPN. There are only 5 good ones: Mullvad, IVPN, Cryptostorm, Xeovo, LNVPN.
- Any others (including Proton) range from mediocre to trash. More info here: https://kycnot.me/?categories=vpn&max-kyc=0.
- WireGuard support is required.
- Port forwarding is not required.
- Bear in mind, we are not evaluating the privacy policy of these VPNs. What matters is, if they will ban you after receiving a DMCA notice from Cloudflare.
4.1. Reverse proxy using Cloudflare Tunnel
Note: Cloudflare Tunnel CANNOT be used for video streaming of any kind. You WILL get banned for it. If you want to stick with Cloudflare, you NEED to serve the video assets from R2 or use Stream with the Enterprise plan, which will cost you extra $$.
If you want to run a movie piracy site, you need to use an alternative method, which maybe I will cover in another post. But the main idea is this: NEVER, and I mean NEVER, host your data on so-called "bulletproof" providers. Use them only for reverse proxying from your regular server.
Pro Tip: Don't be dumb by hosting some CP or other disgusting shit using this method. Expect a visit if you do. Cloudflare can see all your traffic in plaintext, and they are known to be friends with the feds.
First, go to Cloudflare dashboard, sign up for an account (Make a disposable email account for this. Using temp mail is a bad idea because it could expire or get hijacked), and add your domain to Cloudflare.
Once done, go to Zero Trust dashboard and complete registration for the Free plan. You'll need to use a virtual card for it. Finally navigate to Networks > Tunnels, and create one.

Now you will see a screen like this:

Ignore those instructions, we will not be using them. You ONLY need to copy the token from one of the commands.
Finally, make sure to link the correct localhost address and port, as well as your desired host, on "Public Hostnames" inside the tunnel configuration. You can change that later.
4.2. VPN - Wireguard configuration
In this example we will be using Mullvad, but the procedure is similar for other providers.
Go to https://mullvad.net and register.
Then navigate to "Wireguard configuration": https://mullvad.net/en/account/wireguard-config

Click "generate key", then scroll down and choose whatever VPN server is closer to the location of your data server. The closer it is, the less latency users will get.
Download the file and save it on your data server for later use.
At the time of writing and based on my own experience, IPv6 can cause some issues on the Docker image for Wireguard, so it is advised to click "Advanced settings" and choose "Only IPv4" for Tunnel traffic.

If your VPN provider doesn't show this option, just double-check the downloaded .conf file and delete any IPv6 values.
4.3. Deployment with Docker
There are several ways of doing this, but for the sake of simplicity, we will use Docker. Docker is a containerizing software with an endless amount of features, most notably networking. While you can technically do this with Linux namespaces alone, it's much easier (and safer) to let Docker handle it.
Although Docker docs claim that Compose file v3 is deprecated, the truth is that it's used pretty much everywhere and it works great, so we will stick with that. So the tool you need to use on your server is docker-compose (with hyphen) and NOT docker compose.
You will need:
- The tunnel token from 4.1
- The wireguard .conf file from 4.2
For any service you want to add, you will need to set network_mode: "service:wireguard" (or container:wireguard if you want to deploy it on a different compose file). That way, it will share namespace with the wireguard proxy, and all the traffic will go through it, hence allowing you to serve directly on localhost and get Cloudflare to proxy that traffic without having to open any port, while at the same time staying safe from copyright takedowns, since Cloudflare will get the VPN's IP as the source IP and forward the DMCAs there.
If any of your docker services have a ports entry, then you are doing something wrong. This works out of the box with no ports open.
```yaml
services:
  wireguard:
    image: linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
    network_mode: "bridge"
    volumes:
      #### replace with whatever your .conf is called
      - ./your-vpn-wg-config.conf:/config/wg0.conf
    sysctls:
      net.ipv4.conf.all.src_valid_mark: 1
      net.ipv4.ip_forward: 1
    restart: unless-stopped

  cloudflared:
    image: cloudflare/cloudflared
    container_name: cloudflared
    ###############
    # get the token from Cloudflare Zero Trust dashboard > Networks > Tunnels
    command: tunnel run --token YOUR_TUNNEL_TOKEN --protocol http2
    # don't forget this or CF will see your server IP !!!
    network_mode: "service:wireguard"
    ###############
    restart: unless-stopped

  your-other-containers:
    network_mode: "service:wireguard"
    # your other stuff here
```
Of course, this can get as complex as you like. The above example shows a minimal config with just 1 server and a compose file.
4.4. Hardening Docker containers (compose file) - Optional
Despite Docker providing some isolation, some security practices need to be implemented to minimize the risk of being breached.
1. Run containers as non-root user:
```yaml
user: "99:100" # user "nobody", group "users"
# or
user: "1000:1000" # First non-root user in the system
```
2. Disable interactive terminals:
```yaml
tty: false
stdin_open: false
```
3. Mount filesystem as read-only:
YMMV. Often, this will cause issues because the container needs to write data.
```yaml
read_only: true
```
4. Mount volumes as read-only:
Same as before
```yaml
volumes:
  - /mnt/vol1:/remote1:ro
```
5. Prevent privilege escalation:
```yaml
security_opt:
  - no-new-privileges:true
```
6. Drop all capabilities and add only those explicitly needed:
```yaml
cap_drop:
  - ALL
```
Example (drop high-risk capabilities):
```yaml
cap_drop:
  - NET_RAW
  - SYS_ADMIN
```
7. Secure /tmp mount with execution restrictions and size limits:
```yaml
tmpfs:
  - /tmp:rw,noexec,nosuid,nodev,size=512m
```
8. Applying resource limits (PID, memory, CPU):
```yaml
pids_limit: 512
mem_limit: 3g
cpus: 3
```
9. Limit logging:
```yaml
logging:
  driver: json-file
  options:
    max-size: "50m"
    max-file: "3"
```
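The nine hardening items above can be checked mechanically per service. The following auditor is an added example, not part of the original post: it assumes the compose file has already been converted to JSON by whatever YAML loader you use, the service names and images in the sample are constructed, and only short-syntax volume strings are understood.

```python
import json

# Constructed sample (not from the original post): a compose file after
# conversion to JSON, with one hardened and one unhardened service.
SAMPLE = json.loads("""
{"services": {
  "web": {"image": "example/web", "user": "1000:1000", "read_only": true,
          "security_opt": ["no-new-privileges:true"], "cap_drop": ["ALL"],
          "tmpfs": ["/tmp:rw,noexec,nosuid,nodev,size=512m"],
          "pids_limit": 512, "mem_limit": "3g", "cpus": 3,
          "logging": {"driver": "json-file",
                      "options": {"max-size": "50m", "max-file": "3"}}},
  "legacy": {"image": "example/legacy", "user": "0:0", "tty": true,
             "cap_drop": ["NET_RAW"], "volumes": ["/mnt/vol1:/remote1"]}
}}
""")

def audit_service(svc):
    """Return the section 4.4 hardening items that one service is missing."""
    missing = []
    uid = str(svc.get("user", "0")).split(":")[0]
    if uid in ("0", "root", ""):          # no user set means root by default
        missing.append("non-root user")
    if svc.get("tty") or svc.get("stdin_open"):
        missing.append("interactive terminal enabled")
    if not svc.get("read_only"):
        missing.append("read_only filesystem")
    if any(not str(v).endswith(":ro") for v in svc.get("volumes", [])):
        missing.append("read-write volume")
    opts = [o.replace("=", ":") for o in svc.get("security_opt", [])]
    if "no-new-privileges:true" not in opts:
        missing.append("no-new-privileges")
    if "ALL" not in svc.get("cap_drop", []):
        missing.append("cap_drop ALL")
    tmpfs = svc.get("tmpfs", [])
    tmpfs = [tmpfs] if isinstance(tmpfs, str) else tmpfs
    if not any("noexec" in str(t) for t in tmpfs):
        missing.append("noexec /tmp")
    missing += [k for k in ("pids_limit", "mem_limit", "cpus") if k not in svc]
    if "max-size" not in svc.get("logging", {}).get("options", {}):
        missing.append("log size limit")
    return missing

def audit(compose):
    # Map each service name to its list of missing hardening items.
    return {name: audit_service(svc) for name, svc in compose["services"].items()}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

An empty list means the service carries every setting from the list; items 3 and 4 may be legitimately reported for containers that have to write data.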

Comments
Not bad but too complicated, just host it and ignore emails.
Or, alternatively, if you hate your life and have a lot of money, you could buy an AlexHost dedi
@nghialele these emails will be sent not only to you, but also to the server provider. Many of them will cut your service or delete your files upon receiving a Cloudflare DMCA notice, sadly.
The aim of this post is to provide a working solution that keeps a low budget.
I assume your goal here is to share copyrighted content via HTTP? If you just want to torrent, couldn't you just roll your own wireguard tunnel between onshore and offshore?
You are right. This post is mainly for running websites, it wouldn't work for torrent at all. For torrenting, there are solutions like a seedbox or port forwarding VPN, or what you just suggested.
What are you trying to host here?
I don't find myself in any use cases that are going to have my server deleted by some providers.
A piracy website that doesn't share video content, but rather files. For example something like Anna's Archive, which is where I got this guide from.
Other usecases are privacy frontends like Redlib/Piped/etc that very often get DMCA'd as well.
why wouldn't either of these options work for torrenting? obviously not cloudflare but using an offshore provider proxy or VPN?
Sorry yeah I might have misworded it, I meant the solution I posted wouldn't work for torrenting since it's tailored for HTTP, his solution with wireguard and offshore servers definitely would.
Do most providers only care when they get DMCA notices versus the traffic being identifiable as torrent/P2P? Seems like the whole crux of this is that the IP can be identifiable and get complaints. I'm wondering if this would be overkill in the case of say a seedbox on private trackers with no external frontend or an internal network running Redlib/Piped/etc
As an aside can anyone recommend VPNs that would be safe to use? It looks like Windscribe prohibits VPN use in a datacenter environment so be aware of that if anyone was thinking of using that
Honestly I am not too much of an expert in the P2P/torrent field so I can't really tell. But yes, the main thing is the IP being identified by Cloudflare which is in this case the reverse proxy provider.
Whether the server providers scan for types of traffic, I do not know, but with Wireguard obfuscation you are more than safe, that is for sure. I also don't get why you keep comparing it with trackers or seedboxes, those use UDP and my post is about HTTP. Cloudflare Tunnel cannot proxy UDP in the way you are thinking.
The solution I posted is battle-tested and worry-free (and cheap!), perhaps you might think it is an overkill, but it is really just a reverse HTTP proxy with a VPN in front, deployed in Docker. I just made a detailed walkthrough.
Sorry for the bad communication I know that for sure cloudflare/HTTP traffic is different but the general idea with VPS or an offshore server that acts as the exit point for traffic still holds. I'm glad you posted this because I agree a lot of people spend way too much money to host everything on the offshore server when it's not necessary.
Are there any VPN providers you used personally for this?
Can AI turn this into a script?
Mullvad, IVPN, Cryptostorm, Xeovo, LNVPN.
These 5 ones will surely ignore any complaints. I have tried Mullvad and IVPN. Whether there are other VPNs outside this list that might work and ignore complaints too, I don't know.
And coming back to torrents (unrelated), AirVPN, since it supports port forward.
Depends. Docker part, for sure. For Cloudflare, if the account is fully new, adding a card will have to be done by hand on the billing panel, before being able to use the Tunnel function. The rest can be done via the API.
As for the VPN provider, mainly depends on whether they have an API and your automation efforts if they don't.
Overall I think it's not really worth it.
I'm less worried about complaints as many VPNs are set up with p2p servers etc, and more worried because I've found out Windscribe doesn't permit use in datacenters. I wasn't sure how common that was. I could see VPN providers claiming that it's not for personal use anymore as Windscribe does and flagging use like this to basically serve a website
Windscribe is known to be problematic and I would stay very very far away from it, it is a Canadian company and there's been security issues before. Plus, if they block connecting from datacenters it means they log connecting IPs, something which is a huge fucking red flag.
The ones I mentioned don't have any such restriction and you can use them on datacenter IPs or anywhere else.
Sigh thanks for the update. I only just started to read more concerning things about Windscribe recently like blocking accounts and such because the use wasn't considered "personal use" but some kind of abuse that they won't quantify directly on the site. I thought I read about them trying to arrest the owner and get logs and they couldn't last time I heard so I thought that was a good sign. I hadn't thought of the fact that they'd only be able to differentiate data center use based on the IP and no that is not a good sign at all. Glad to see that this "datacenter use disallowed" thing is NOT industry standard
thanks for the post
however, obviously you are not in the pirate business, so there are some mistakes in the post
If you're open to the sophistication this post... encourages, you can chain one.one.one.one to connecting to wndscrb to 'circumvent' this, that is what I do.
I have to say: naive, if you expect any VPN service not to attempt to curve abuse less that can ignore the legal threats from said abuse. Country of incorporation is key there.
Can you go into more detail about how to do this and how it helps things? I'm still unclear what windscribe is doing behind the scenes to determine if it's datacenter use or what and I dont love that. I guess nothing is stopping me from picking up a junk lifetime VPN on stacksocial to test something out
All large piracy websites do something like this. The most dependable way is to buy a high bandwidth server from (insert whatever provider people use instead of Ecatel now) and just tunnel the traffic directly. Your origin server must be set up to only accept traffic from the proxy.
Whatever IP you're serving the content from needs to be entirely separate from where the content is physically stored.
This shit is also why low end providers see so much abuse... High bandwidth, minimum specs, and cheap enough a week's service pays for itself.
There are several ways of doing this. Cloudflare WARP provides Wireguard configs, and Windscribe (paid) too, so you'd have to route one's traffic through another. Bear in mind though, this will considerably increase the latency compared to simply using 1 of them.
I actually am lol... could you pinpoint which mistakes you saw?
A lot of them use novogara now which is basically the rebranded Ecatel.
This guy comes for spam.
Who? Me?
https://annas-archive.li/blog/how-to-run-a-shadow-library.html
Yep that is the source, further explained here as I said above.