initial writeup
unixfox committed Nov 10, 2024
1 parent 471046d commit e7c370d
Showing 2 changed files with 60 additions and 90 deletions.
144 changes: 56 additions & 88 deletions docs/installation.md
Expand Up @@ -26,34 +26,13 @@ Ensure [Docker Engine](https://docs.docker.com/engine/install) and [Docker Compo

Note: Currently the repository has to be cloned, this is because the `init-invidious-db.sh` file and the `config/sql` directory have to be mounted to the postgres container (See the volumes section in the docker-compose file below). This "problem" will be solved in the future.

Make sure to run the newer Docker Compose V2: https://docs.docker.com/compose/install/linux/. It should already be installed if you can successfully run the command `docker compose` (with a space between the two words).

??? warning "About po_token and visitor_data identities"

po_token known as Proof of Origin Token. This is an attestation token generated by a complex anti robot verification system created by Google named BotGuard/DroidGuard. It is used to confirm that the request is coming from a genuine device.

These identity tokens (po_token and visitor_data) generated in this tutorial will make your entire Invidious session more easily traceable by YouTube because it is tied to a unique identifier.

There is currently no official automatic tool to periodically change these tokens. This is working in progress but, for the time being, this is the solution the Invidious team is offering.

If you want to be less traceable, you can always script the process by changing the identities every X hour.


1. Generate po_token and visitor_data identities for passing all verification checks on YouTube side:
```
docker run quay.io/invidious/youtube-trusted-session-generator
```
You have to run this command on the same public IP address as the one blocked by YouTube. Not necessarily the same machine, just the same public IP address.
You will need to copy these two parameters in the third step.
Subsequent usage of this same token will work on the same IP range or even the same ASN. The point is to generate this token on a blocked IP as "unblocked" IP addresses seems to not generate a token valid for passing the checks on a blocked IP.

2. Execute these commands:
1. Execute these commands:
```bash
git clone https://github.com/iv-org/invidious.git
cd invidious
```

3. Edit the docker-compose.yml with this content:
2. Edit the docker-compose.yml with this content:

```docker
version: "3"
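
Review bot: missing upgrade guidance at the top of the Docker steps, where the po_token/visitor_data step and its warning used to be. Operators who followed the previous guide still have `visitor_data`, `po_token` and `signature_server` in their compose file, and nothing here tells them to delete those keys or whether the traceability concern in the removed warning still applies once the companion is in use. Suggest a short migration paragraph before step 1. Style point: the compose snippet is fenced as `docker` although its content is YAML.
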
Expand All @@ -77,9 +56,8 @@ Make sure to run the newer Docker Compose V2: https://docs.docker.com/compose/in
host: invidious-db
port: 5432
check_tables: true
signature_server: inv_sig_helper:12999
visitor_data: CHANGE_ME
po_token: CHANGE_ME
invidious_companion:
- http://invidious_companion:8282
# external_port:
# domain:
# https_only: false
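
Review bot: the new `invidious_companion:` entry in the config block carries no comment about the secret it depends on. The companion service further down is given `SERVER_HMAC_KEY=CHANGE_ME!!SAME_AS_HMAC_KEY_FROM_INVIDIOUS`, so the reader has to guess which Invidious setting that value must be copied from. Add a comment beside the new key naming that setting, and note that `http://invidious_companion:8282` is plain HTTP intended to stay on the compose network.
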
Expand All @@ -97,16 +75,25 @@ Make sure to run the newer Docker Compose V2: https://docs.docker.com/compose/in
depends_on:
- invidious-db
inv_sig_helper:
image: quay.io/invidious/inv-sig-helper:latest
init: true
command: ["--tcp", "0.0.0.0:12999"]
invidious_companion:
image: quay.io/invidious/invidious-companion:latest
environment:
- RUST_LOG=info
- SERVER_HMAC_KEY=CHANGE_ME!!SAME_AS_HMAC_KEY_FROM_INVIDIOUS
- HOST=0.0.0.0
restart: unless-stopped
ports:
- "127.0.0.1:8282:8282"
logging:
options:
max-size: "1G"
max-file: "4"
cap_drop:
- ALL
read_only: true
user: 10001:10001
# cache for youtube library
volumes:
- /var/tmp/youtubei.js:/var/tmp/youtubei.js:rw
security_opt:
- no-new-privileges:true
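
Review bot: `SERVER_HMAC_KEY=CHANGE_ME!!SAME_AS_HMAC_KEY_FROM_INVIDIOUS` in the `invidious_companion` environment is the only mention of this secret, and the numbered steps never tell the reader to replace it or how to generate a value. An instance started with the placeholder runs with a key that anyone can read from this page, so add an explicit step to generate a random value and set it in both services. Two smaller points in the same service: `"127.0.0.1:8282:8282"` publishes the companion on the host although Invidious reaches it over the compose network, so the mapping should be dropped or explained; and with `read_only: true` and `user: 10001:10001` the bind-mounted `/var/tmp/youtubei.js` has to exist on the host and be writable by UID 10001, which the guide does not say. The `:latest` tag also makes the deployment unreproducible; consider documenting a pinned tag.
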
Expand Down Expand Up @@ -152,35 +139,6 @@ docker-compose up

### Linux

#### Generate po_token and visitor_data identities

[Follow these instructions here on the official tool `youtube-trusted-session-generator`](https://github.com/iv-org/youtube-trusted-session-generator?tab=readme-ov-file#tutorial-without-docker)

These two parameters will be required for passing all verification checks on YouTube side and you will have to configure them in Invidious.

You have to run this command on the same public IP address as the one blocked by YouTube. Not necessarily the same machine, just the same public IP address.
You will need to copy these two parameters in the `config.yaml` file.
Subsequent usage of this same token will work on the same IP range or even the same ASN. The point is to generate this token on a blocked IP as "unblocked" IP addresses seems to not generate a token valid for passing the checks on a blocked IP.

??? warning "About po_token and visitor_data identities"

po_token known as Proof of Origin Token. This is an attestation token generated by a complex anti robot verification system created by Google named BotGuard/DroidGuard. It is used to confirm that the request is coming from a genuine device.

These identity tokens (po_token and visitor_data) generated in this tutorial will make your entire Invidious session more easily traceable by YouTube because it is tied to a unique identifier.

There is currently no official automatic tool to periodically change these tokens. This is working in progress but, for the time being, this is the solution the Invidious team is offering.

If you want to be less traceable, you can always script the process by changing the identities every X hour.


#### Run inv_sig_helper in background

[Follow these instructions here on the official tool `inv_sig_helper`](https://github.com/iv-org/inv_sig_helper?tab=readme-ov-file#building-and-running-without-docker) and run it in the background with systemd for example.

inv_sig_helper handle the "deciphering" of the video stream fetched from YouTube servers. As it is running untrusted code from Google themselves, make sure to isolate it by for example running it inside a LXC or locked down through systemd.

The following systemd service file can be used to run inv_sig_helper with systemd: https://github.com/iv-org/inv_sig_helper/blob/master/inv_sig_helper.service

#### Install Crystal

Follow the instructions for your distribution here: https://crystal-lang.org/install/
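
Review bot: the isolation advice disappears with the removed "Run inv_sig_helper in background" section and is not replaced. The deleted text told operators to isolate the helper (inside an LXC or locked down through systemd) because it runs untrusted code from Google, and none of the companion sections added in this commit has an equivalent sentence. If the companion executes the same kind of code, carry that paragraph over to "Set up Invidious companion"; if it does not, say so, since readers of the old guide will look for it.
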
Expand Down Expand Up @@ -235,52 +193,42 @@ make
# Configure config/config.yml as you like
cp config/config.example.yml config/config.yml

# edit config.yaml to include po_token and visitor_data previously generated
# edit config.yaml to include invidious companion

edit config/config.yaml

add:
invidious_companion:
- http://127.0.0.1:8282

# Deploy the database
./invidious --migrate

exit
```

#### Systemd service
#### Systemd service for Invidious

```bash
cp /home/invidious/invidious/invidious.service /etc/systemd/system/invidious.service
systemctl enable --now invidious.service
```

### MacOS

#### Generate po_token and visitor_data identities

[Follow these instructions here on the official tool `youtube-trusted-session-generator`](https://github.com/iv-org/youtube-trusted-session-generator?tab=readme-ov-file#tutorial-without-docker)
#### Set up Invidious companion

These two parameters will be required for passing all verification checks on YouTube side and you will have to configure them in Invidious.

You have to run this command on the same public IP address as the one blocked by YouTube. Not necessarily the same machine, just the same public IP address.
You will need to copy these two parameters in the `config.yaml` file.
Subsequent usage of this same token will work on the same IP range or even the same ASN. The point is to generate this token on a blocked IP as "unblocked" IP addresses seems to not generate a token valid for passing the checks on a blocked IP.

??? warning "About po_token and visitor_data identities"

po_token known as Proof of Origin Token. This is an attestation token generated by a complex anti robot verification system created by Google named BotGuard/DroidGuard. It is used to confirm that the request is coming from a genuine device.

These identity tokens (po_token and visitor_data) generated in this tutorial will make your entire Invidious session more easily traceable by YouTube because it is tied to a unique identifier.

There is currently no official automatic tool to periodically change these tokens. This is working in progress but, for the time being, this is the solution the Invidious team is offering.

If you want to be less traceable, you can always script the process by changing the identities every X hour.

#### Run inv_sig_helper in background
```bash
wget https://github.com/iv-org/invidious-companion???

[Follow these instructions here on the official tool `inv_sig_helper`](https://github.com/iv-org/inv_sig_helper?tab=readme-ov-file#building-and-running-without-docker)
# or compile it using https://docs.deno.com/runtime/
git clone https://github.com/iv-org/invidious-companion.git
deno compile

inv_sig_helper handle the "deciphering" of the video stream fetched from YouTube servers. As it is running untrusted code from Google themselves, make sure to isolate it by for example running it inside Docker or a VM.
# create a new systemd service for running it
sudo wget https://github.com/iv-org/invidious-companion/raw/refs/heads/master/systemd.service -O /etc/systemd/systemd/invidious-companion.service
sudo systemctl enable --now invidious.service
```

Call for action: An example here is welcome, [if you want to contribute to one](https://github.com/iv-org/documentation/edit/master/docs/installation.md#macos).
### MacOS

#### Install the dependencies
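
Review bot: the systemd lines at the end of the Linux "Set up Invidious companion" block install and start the wrong things. The unit is written to `/etc/systemd/systemd/invidious-companion.service`, a directory systemd does not read (the Invidious unit above is copied to `/etc/systemd/system/`), and `sudo systemctl enable --now invidious.service` enables Invidious rather than the companion unit. In the same block, `wget https://github.com/iv-org/invidious-companion???` is a placeholder URL, and `deno compile` is given no arguments and no `cd` into the clone, so neither route produces a binary as written. Fetching the unit file from `refs/heads/master` straight into the systemd directory installs whatever is on the branch at that moment; point it at a tag or commit instead. In the Invidious block, the "edit", "add:" and YAML lines sit inside a `bash` fence but are not commands, and the file is called `config/config.yaml` there although it was created as `config/config.yml` just above.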

Expand Down Expand Up @@ -322,9 +270,29 @@ make
# Configure config/config.yml as you like
cp config/config.example.yml config/config.yml

# edit config.yaml to include po_token and visitor_data previously generated
# edit config.yaml to include invidious companion

edit config/config.yaml

add:
invidious_companion:
- http://127.0.0.1:8282

# launch invidious
./invidious
```

#### Set up Invidious companion

```bash
wget https://github.com/iv-org/invidious-companion???

# or compile it using https://docs.deno.com/runtime/
git clone https://github.com/iv-org/invidious-companion.git
deno compile

# launch it
./invidious-companion
```

### Windows
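
Review bot: the macOS "Set up Invidious companion" block launches `./invidious-companion` with no key or configuration at all. The Docker service passes `SERVER_HMAC_KEY`, so the manual install should show how the same secret is set here; as written the reader cannot tell whether the binary refuses to start or runs without it. The block also repeats the placeholder download URL and the bare `deno compile` from the Linux section. Ordering point: `./invidious` is launched with `http://127.0.0.1:8282` configured before the section that starts the companion listening there, so swap the two sections or say that the companion must be started first.
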
6 changes: 4 additions & 2 deletions docs/youtube-errors-explained.md
Expand Up @@ -39,11 +39,13 @@ YouTube is blocking the communication of Invidious to their servers.

### Solution(s)

First make sure that you are running the latest version of Invidious and you are using inv_sig_helper. Please see [the updated installation guide](/installation/).
First make sure that you are running the latest version of Invidious and you are using Invidious companion. Please see [the updated installation guide](/installation/).

After which you can try these solutions:

- Change your public IP address. Reboot your router or by configuring a proxy in Invidious: https://github.com/iv-org/invidious/blob/2150264d849771df8f15bab172ab6d87eeb80c55/config/config.example.yml#L176-L185
- Change your public IP address. Reboot your router or by configuring a proxy on Invidious companion: https://github.com/iv-org/invidious-companion/blob/be1f4bee39f4d01fe83c65855538dbaacbf6d0c0/config/default.toml#L14
- Configuring a YouTube account by enabling `oauth_enabled` in Invidious companion: https://github.com/iv-org/invidious-companion/blob/be1f4bee39f4d01fe83c65855538dbaacbf6d0c0/config/default.toml#L23.
**WARNING**: YouTube is known to ban accounts being used on non official YouTube clients, you have been warned. Do not use a personal account.
- If you have IPv6 on the computer hosting Invidious, you can try to rotate your IPv6 public address, tutorial available here: "[Rotate your IPv6 address for escaping YouTube blocking](/ipv6-rotator/)"

All of these options do not guarantee you to bring back Invidious to working conditions. These are just advices for trying to unblock your Invidious instance from YouTube. Make sure to always specify any modification being done to your Invidious when reporting issues.
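
Review bot: in the `oauth_enabled` bullet the warning comes after the instruction and the link, so a reader who stops at the URL enables OAuth before learning that accounts get banned. Put the warning first, or use the `??? warning` admonition this documentation already uses, and state explicitly that a dedicated account should be created for this. Wording points in the same list: "Reboot your router or by configuring a proxy on Invidious companion" is ungrammatical, and the period directly after `#L23` can end up inside the link target.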
