Diffstat (limited to 'docs')
-rw-r--r--  docs/apache2-example.md  195
-rw-r--r--  docs/apache2.md          216
-rw-r--r--  docs/caddy.md             58
-rw-r--r--  docs/configure.md         93
-rw-r--r--  docs/docker.md           152
-rw-r--r--  docs/docker_tor.md       174
-rw-r--r--  docs/nginx.md            194
-rw-r--r--  docs/tor.md               16
8 files changed, 1098 insertions, 0 deletions
diff --git a/docs/apache2-example.md b/docs/apache2-example.md
new file mode 100644
index 0000000..09f5c1d
--- /dev/null
+++ b/docs/apache2-example.md
@@ -0,0 +1,195 @@
+# Sample Apache2 configuration
+This is the apache2 configuration file used on the 4get.ca official instance, in hopes that it's useful to you!
+
+Looking for the apache2 guide? <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2.md">go here.</a>.
+
+```xml
+<VirtualHost *:443>
+ ServerName www.4get.ca
+
+ SSLEngine On
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+
+ RedirectMatch 301 ^(.*)$ https://4get.ca$1
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName 4get.ca
+
+ ServerAdmin will@lolcat.ca
+ DocumentRoot /var/www/4get
+
+ SSLEngine On
+ SSLOptions +StdEnvVars
+
+ #ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/css
+
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+
+ <Directory /var/www/4get>
+ Options -MultiViews
+ AllowOverride All
+ Require all granted
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^([^\.]+)$ $1.php [NC,L]
+ </Directory>
+
+ # deny access to private resources
+ <Directory /var/www/4get/data/>
+ Order Deny,allow
+ Deny from all
+ </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName www.lolcat.ca
+
+ SSLEngine On
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+
+ RedirectMatch 301 ^(.*)$ https://lolcat.ca$1
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName lolcat.ca
+
+ ServerAdmin will@lolcat.ca
+ DocumentRoot /var/www/lolcat
+
+ SSLEngine On
+ SSLOptions +StdEnvVars
+
+ #ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/css
+
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+
+ <Directory /var/www/lolcat>
+ Options -MultiViews
+ AllowOverride All
+ Require all granted
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^([^\.]+)$ $1.php [NC,L]
+ </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName www.nyym.co
+
+ SSLEngine On
+ SSLCertificateFile /etc/letsencrypt/live/nyym.co/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/nyym.co/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/nyym.co/chain.pem
+
+ RedirectMatch 301 ^(.*)$ https://nyym.co$1
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName nyym.co
+
+ ServerAdmin will@lolcat.ca
+ DocumentRoot /var/www/nyym
+
+ SSLEngine On
+ SSLOptions +StdEnvVars
+
+ #ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/css
+
+ SSLCertificateFile /etc/letsencrypt/live/nyym.co/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/nyym.co/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/nyym.co/chain.pem
+
+ <Directory /var/www/nyym>
+ Options -MultiViews
+ AllowOverride All
+ Require all granted
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^([^\.]+)$ $1.php [NC,L]
+ </Directory>
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName git.lolcat.ca
+
+ SSLEngine On
+ SSLOptions +StdEnvVars
+
+ #ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/css
+
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+
+ ProxyPreserveHost On
+ ProxyRequests off
+ AllowEncodedSlashes NoDecode
+ ProxyPass / http://localhost:3000/ nocanon
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName live.lolcat.ca
+
+ ServerAdmin will@lolcat.ca
+ DocumentRoot /var/www/live
+
+ SSLEngine On
+ SSLOptions +StdEnvVars
+
+ #ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/css
+
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+</VirtualHost>
+```
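Review bot: the `<Directory /var/www/4get/data/>` block in the `4get.ca` vhost uses the Apache 2.2 access directives `Order Deny,allow` and `Deny from all`, while the neighbouring `<Directory /var/www/4get>` block uses the 2.4 form `Require all granted`. The old directives only work through mod_access_compat, and mixing the two styles in one vhost is discouraged; `Require all denied` expresses the same deny in the syntax the rest of the file uses. Separately, every vhost passes `fullchain.pem` to `SSLCertificateFile` and then `chain.pem` to `SSLCertificateChainFile`; that directive is obsolete since 2.4.8 when the chain is already in the certificate file, so the line can be dropped. The `git.lolcat.ca` and `live.lolcat.ca` vhosts load the certificate under `/etc/letsencrypt/live/4get.ca/`, so a comment saying that certificate has to list those names would help readers adapting the file.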
diff --git a/docs/apache2.md b/docs/apache2.md
new file mode 100644
index 0000000..1e79327
--- /dev/null
+++ b/docs/apache2.md
@@ -0,0 +1,216 @@
+# Install guide for Apache2 webserver
+Welcome to the new and revamped 4get install manual for apache2. Even if you already have services running on an existing installation of apache2, you should still be able to adapt this guide to your needs.
+
+For starters, login as `root`.
+
+Then, install the following dependencies:
+```sh
+apt update
+apt upgrade
+apt install php-mbstring apache2 certbot php-imagick imagemagick php-curl curl php-apcu git libapache2-mod-php
+```
+
+Enable the required modules:
+```sh
+a2enmod ssl
+a2enmod rewrite
+```
+
+And enable these optional ones, which might be useful to you later on. The `proxy` module is useful for setting up reverse proxies to services like gitea, and `headers` is useful to tweak global header values:
+```sh
+a2enmod proxy
+a2enmod headers
+```
+
+Now, restart apache2:
+```sh
+service apache2 restart
+```
+
+Just for good measure, please check if your webserver is running. Access it through HTTP, not HTTPS. You should see the apache2 default landing page.
+
+## 000-default.conf
+Now, edit the following file: `/etc/apache2/sites-available/000-default.conf`, remove everything and carefully add each rule specified here, while making sure to replace my domains with your own:
+
+1. The `VirtualHost` here instructs apache2 to redirect all **HTTP** traffic that specify an unknown `Host` header be redirected to a specific domain of your choice. Configuring this is not required but highly recommended.
+```xml
+<VirtualHost *:80>
+ # no domain = go to 4get.ca
+ RedirectMatch 301 ^(.*)$ https://4get.ca$1
+</VirtualHost>
+```
+
+2. This instruction tells apache2 to redirect all HTTP traffic on `Host` lolcat.ca to the HTTPS version of the site. You should add a rule like this for all of your services explicitly.
+```xml
+<VirtualHost *:80>
+ ServerName lolcat.ca
+ RedirectMatch 301 ^(.*)$ https://lolcat.ca$1
+</VirtualHost>
+```
+
+3. Subdomains won't be matched by the above rule, so I recommend you also add them to be more explicit:
+```xml
+<VirtualHost *:80>
+ ServerName www.lolcat.ca
+ RedirectMatch 301 ^(.*)$ https://lolcat.ca$1
+</VirtualHost>
+```
+
+... Etc, for every service you own.
+
+4. And finally, append this configuration if you wish to host a tor or i2p access point. This configuration should not be binded to SSL(443) as Let's Encrypt does not let you create certificates for onion sites:
+```xml
+<VirtualHost *:80>
+ # tor site
+ ServerName 4getwebfrq5zr4sxugk6htxvawqehxtdgjrbcn2oslllcol2vepa23yd.onion
+
+ # compress
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/css
+
+ DocumentRoot /var/www/4get
+
+ Options -MultiViews
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^([^\.]+)$ $1.php [NC,L]
+
+ # deny access to private resources
+ <Directory /var/www/4get/data/>
+ Order Deny,allow
+ Deny from all
+ </Directory>
+</VirtualHost>
+```
+To make the above snippet work, please refer to our <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/tor.md">tor site guide</a>.
+
+## default-ssl.conf
+Now, edit the file `/etc/apache2/sites-available/default-ssl.conf`, remove everything and, again, add each rule while modifying the relevant fields:
+
+First, append the following redirect rule to point traffic from `www.4get.ca` to `4get.ca`:
+```xml
+<VirtualHost *:443>
+ ServerName www.4get.ca
+
+ SSLEngine On
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+
+ RedirectMatch 301 ^(.*)$ https://4get.ca$1
+</VirtualHost>
+```
+
+This ruleset tells apache2 where 4get is located (`/var/www/4get`), ensures that `4get.ca/settings` resolves to `4get.ca/settings.php` internally and that we deny access to `/data/*`, which may contain files you might want to keep private. `StdEnvVArs+` will make it so that PHP can view if the connection uses HTTPS, and which cipher was used. Useful for basic bot protection.
+
+Make sure to replace `4get.ca` with your own domain under the `SSLCertificate*` directives!
+```xml
+<VirtualHost *:443>
+ ServerName 4get.ca
+
+ ServerAdmin will@lolcat.ca
+ DocumentRoot /var/www/4get
+
+ SSLEngine On
+ SSLOptions +StdEnvVars
+
+ #ErrorLog ${APACHE_LOG_DIR}/error.log
+
+ AddOutputFilterByType DEFLATE application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE application/x-javascript
+ AddOutputFilterByType DEFLATE text/html
+ AddOutputFilterByType DEFLATE text/plain
+ AddOutputFilterByType DEFLATE text/css
+
+ SSLCertificateFile /etc/letsencrypt/live/4get.ca/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/4get.ca/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/4get.ca/chain.pem
+
+ <Directory /var/www/4get>
+ Options -MultiViews
+ AllowOverride All
+ Require all granted
+
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME} !-d
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^([^\.]+)$ $1.php [NC,L]
+ </Directory>
+
+ # deny access to private resources
+ <Directory /var/www/4get/data/>
+ Order Deny,allow
+ Deny from all
+ </Directory>
+</VirtualHost>
+```
+
+By default, the first rule dictates where traffic should be redirected to in case the client specifies an unknown domain name. Don't forget your webserver's other rules! For a complete real-world example, please <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2-example.md">check out my real-world config file I use on 4get.ca</a>.
+
+## security.conf
+If you enabled the `headers` module, you can head over to `/etc/apache2/conf-enabled/security.conf` and edit:
+```sh
+ServerTokens Prod # instead off Full
+```
+and
+```sh
+ServerSignature Off #instead of On
+```
+This will ensure that the `Server` header apache2 returns is minimal and doesn't leak information like your host system's OS or apache2 version.
+
+You can also uncomment `Header set X-Content-Type-Options: "nosniff"` and `Header set Content-Security-Policy "frame-ancestors 'self';"` respectively.
+
+## charset.conf
+Head over to `/etc/apache2/conf-enabled/charset.conf` and uncomment `AddDefaultCharset UTF-8`.
+
+## other-vhost-access-log.conf
+Since none of our configuration files contains any `CustomLog` directives, all we need to do to disable logging entirely is comment out the `CustomLog` directive located in `/etc/apache2/conf-enabled/other-vhost-access-log.conf`. Only error logs will remain if you configured them.
+
+## Symlink everything
+Now comes the most important part of the setup. Run
+```sh
+ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/default-ssl.conf
+```
+Otherwise apache2 will ignore our SSL configuration. Handy, huh?
+
+# Setup SSL
+Great, now we've configured the webserver, but we still don't have our security certificate. Let's generate one!
+
+First, stop `apache2`.
+```sh
+service apache2 stop
+```
+
+Now, run `certbot`, and specify all of your domains by prepending `-d` every time. Make sure the first domain you specify is your main domain, and the same domain you specified in the configuration above! We use ECDSA encryption here as it's better than RSA.
+```sh
+certbot certonly --standalone --key-type ecdsa -d 4get.ca -d www.4get.ca -d lolcat.ca -d www.lolcat.ca
+```
+
+Certbot should ask you a few questions, just play along. At the end of the setup, certbot should tell you about the location of the certificates. Double check to make sure they correspond to the paths we specified in `default-ssl.conf`. Your certificates should now update every 2-3 months automatically.
+
+After this is complete, create a directory in `/var/www/4get`.
+
+Now, start `apache2`.
+```sh
+service apache2 start
+```
+
+Congratulations! You now have a... 404 error on your webserver, if everything went well. Now's the time to make sure all of our redirect rules work!
+
+# Import the fun junk
+Run these commands:
+```
+cd /var/www/4get
+git clone https://git.lolcat.ca/lolcat/4get
+chmod 777 -R icons/
+```
+
+... And try accessing your webserver. You should now have a working 4get instance!
+
+Please make sure to check out how to further <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/configure.md">configure 4get</a> to your liking!
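Review bot: in the "Import the fun junk" block, `git clone https://git.lolcat.ca/lolcat/4get` run from inside `/var/www/4get` creates `/var/www/4get/4get`, so the following `chmod 777 -R icons/` has no `icons/` to act on and the `DocumentRoot /var/www/4get` set earlier does not point at the checkout. Cloning into the current directory (`git clone <url> .`) or cloning from `/var/www` would make the paths line up. `chmod 777` also leaves `icons/` world-writable; handing the directory to the web server user (`www-data` on Debian) with `chown` and a `755` or `775` mode would be tighter. In the security.conf section, `ServerTokens Prod # instead off Full` and `ServerSignature Off #instead of On` will not parse if copied as written, because Apache does not allow a comment on the same line as a directive; put the comments on their own lines. The prose also spells the option `StdEnvVArs+` where the config has `+StdEnvVars`.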
diff --git a/docs/caddy.md b/docs/caddy.md
new file mode 100644
index 0000000..90f438c
--- /dev/null
+++ b/docs/caddy.md
@@ -0,0 +1,58 @@
+# Install guide for Caddy webserver
+
+1. Install dependencies:
+
+`sudo apt install caddy php8.2-dom php8.2-imagick imagemagick php8.2-curl curl php8.2-apcu git`
+
+2. Clone this repository where you want to host this from:
+
+`cd /var/www && sudo git clone https://git.konakona.moe/diowo/4get`
+
+3. Set permission on the `icons` directory inside `4get`
+
+`cd /var/www/4get/ && sudo chmod 777 -R icons/`
+
+4. Add an entry for 4get on your Caddyfile at `/etc/caddy/Caddyfile`
+
+```sh
+4get.konakona.moe {
+ root * /var/www/4get
+ file_server
+ encode gzip
+ php_fastcgi unix//var/run/php/php8.2-fpm.sock {
+ index index.php
+ }
+ redir /{path}.php{query} 301
+ try_files {path} {path}.php
+}
+```
+
+Caddy deals with SSL certificates automatically so you don't have to mess with anything. Also if needed, a sample of my Caddyfile can be found [here](https://git.konakona.moe/diowo/misc/src/branch/master/etc/caddy/Caddyfile).
+
+5. Restart Caddy
+
+`sudo systemctl restart caddy`
+
+# Encryption setup
+I'm schizoid (as you should) so I'm gonna setup 4096bit key encryption. To complete this step, you need a domain or subdomain in your possession. Make sure that the DNS shit for your domain has propagated properly before continuing, because certbot is a piece of shit that will error out the ass once you reach 5 attempts under an hour.
+
+## Encryption setup on Apache
+
+```sh
+certbot --apache --rsa-key-size 4096 -d www.yourdomain.com -d yourdomain.com
+```
+When it asks to choose a vhost, choose the option with "HTTPS" listed. Don't setup HTTPS for tor, we don't need it (it doesn't even work anyways with let's encrypt)
+
+Edit `000-default-le-ssl.conf`
+
+Add this at the end:
+```xml
+<Directory /var/www/html/4get>
+ RewriteEngine On
+ RewriteCond %{REQUEST_FILENAME}.php -f
+ RewriteRule (.*) $1.php [L]
+ Options Indexes FollowSymLinks
+ AllowOverride All
+ Require all granted
+</Directory>
+```
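Review bot: the Caddyfile entry in step 4 has no rule for `/data/`, so `file_server` will hand out anything under `/var/www/4get/data/` that is not PHP, whereas both Apache guides in this commit carry a "deny access to private resources" block for that directory and configure.md puts proxy credentials in `data/proxies/*.txt`. A line such as `respond /data/* 403` inside the site block would close that gap. The "Encryption setup on Apache" section at the end looks out of place in a Caddy guide, uses `/var/www/html/4get` rather than the `/var/www/4get` path from step 2, and its `Options Indexes` turns on directory listings, which the other guides do not do. Step 2 also clones from `git.konakona.moe/diowo/4get` rather than the `git.lolcat.ca/lolcat/4get` URL used in the other guides; say which one is intended.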
diff --git a/docs/configure.md b/docs/configure.md
new file mode 100644
index 0000000..4c49eb7
--- /dev/null
+++ b/docs/configure.md
@@ -0,0 +1,93 @@
+# 4get configuation options
+
+Welcome! This guide assumes that you have a working 4get instance. This will help you configure your instance to the best it can be!
+
+# Files location
+1. The main configuration file is located at `data/config.php`
+2. The proxies are located in `data/proxies/*.txt`
+3. The captcha imagesets are located in `data/captcha/your_image_set/*.png`
+4. The captcha font is located in `data/fonts/captcha.ttf`
+
+# Cloudflare bypass (TLS check)
+>These instructions have been updated to work with Debian 13 Trixie.
+
+**Note: this only allows you to bypass the browser integrity checks. Captchas & javascript challenges will not be bypassed by this program!**
+
+Configuring this lets you fetch images sitting behind Cloudflare and allows you to scrape the **Yep** search engine.
+
+To come up with this set of instructions, I used [this guide](https://github.com/lwthiker/curl-impersonate/blob/main/INSTALL.md#native-build) as a reference, but trust me you probably want to stick to what's written on this page.
+
+First, compile curl-impersonate (the firefox flavor).
+```sh
+git clone https://github.com/lwthiker/curl-impersonate/
+cd curl-impersonate
+sudo apt install build-essential pkg-config cmake ninja-build curl autoconf automake libtool python3-pip libnss3 libnss3-dev
+mkdir build
+cd build
+../configure
+make firefox-build
+sudo make firefox-install
+sudo ldconfig
+```
+
+Now, after compiling, you should have a `libcurl-impersonate-ff.so` sitting somewhere. Mine is located at `/usr/local/lib/libcurl-impersonate-ff.so`. Do some patch fuckery:
+
+```sh
+sudo su
+LD_PRELOAD=/usr/local/lib/libcurl-impersonate-ff.so
+CURL_IMPERSONATE=firefox117
+patchelf --set-soname libcurl.so.4 /usr/local/lib/libcurl-impersonate-ff.so
+ldconfig
+```
+
+From here, you will have a broken curl:
+```sh
+root@fuckedmachine:/# curl --version
+curl: /usr/local/lib/libcurl.so.4: no version information available (required by curl)
+curl: symbol lookup error: curl: undefined symbol: curl_global_trace, version CURL_OPENSSL_4
+```
+
+Or not... During testing, I've seen that sometimes curl still works for some reason. What really matters is the output of this command:
+```
+root@fuckedmachine:/# php -r 'print_r(curl_version());' | grep ssl_version
+ [ssl_version_number] => 0
+ [ssl_version] => NSS/3.92
+```
+
+It **MUST** say NSS, otherwise it didn't work. There's also the option of using the [forked project](https://github.com/lexiforest/curl-impersonate), but that garbage doesn't support NSS. I'm kind of against impersonating chrome cause you never know when Google is gonna add more fingerprinting bullshit.
+
+Appendix: If you want a functioning `curl` command line utility again in case it doesn't work anymore, you can do the following hack:
+
+```
+sudo apt remove curl
+sudo ln -s /usr/local/bin/curl-impersonate-ff /usr/bin/curl
+```
+
+# Robots.txt
+Make sure you configure this right to optimize your search engine presence! Head over to `/robots.txt` and change the 4get.ca domain to your own domain.
+
+# Server listing
+To be listed on https://4get.ca/instances , you must contact *any* of the people in the server list and ask them to add you to their list of instances in their configuration. The instance list is distributed, and I don't have control over it.
+
+If you see spammy entries in your instances list, simply remove the instance from your list that pushes the offending entries.
+
+# Proxies
+4get supports rotating proxies for scrapers! Configuring one is really easy.
+
+1. Head over to the **proxies** folder. Give it any name you want, like `myproxy`, but make sure it has the `txt` extension.
+2. Add your proxies to the file. Examples:
+ ```conf
+ # format -> <protocol>:<address>:<port>:<username>:<password>
+ # protocol list:
+ # raw_ip, http, https, socks4, socks5, socks4a, socks5_hostname
+ socks5:1.1.1.1:juicy:cloaca00
+ http:1.3.3.7::
+ raw_ip::::
+ ```
+3. Go to the **main configuration file**. Then, find which website you want to setup a proxy for.
+4. Modify the value `false` with `"myproxy"`, with quotes included and the semicolon at the end.
+
+Done! The scraper you chose should now be using the rotating proxies. When asking for the next page of results, it will use the same proxy to avoid detection!
+
+## Important!
+If you ever test out a `socks5` proxy locally on your machine and find out it works but doesn't on your server, try supplying the `socks5_hostname` protocol instead. Hopefully this tip can save you 3 hours of your life!
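Review bot: in the Proxies example, the stated format is `<protocol>:<address>:<port>:<username>:<password>`, but `socks5:1.1.1.1:juicy:cloaca00` and `http:1.3.3.7::` each have only four fields, with no port; docker_tor.md in this same commit uses the five-field form `socks5:tor:9050::`. Add the port to both samples so they can be copied as written. In the curl-impersonate block, `LD_PRELOAD=...` and `CURL_IMPERSONATE=firefox117` are plain shell assignments without `export`, so they are not exported to child processes; if PHP needs `CURL_IMPERSONATE`, the guide should say where to set it for the web server, and otherwise the two lines can go. The guide should also state outright that `patchelf --set-soname libcurl.so.4` followed by `ldconfig` swaps libcurl for every program on the host, which is what the broken `curl --version` output below it shows. The title reads "configuation".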
diff --git a/docs/docker.md b/docs/docker.md
new file mode 100644
index 0000000..6a94197
--- /dev/null
+++ b/docs/docker.md
@@ -0,0 +1,152 @@
+#### Install guide for Docker
+
+When using docker container any environment variables prefixed with `FOURGET_` will be added to the generated config located at `/var/www/html/4get/data/config.php`
+
+When lists of data is expected in [data/config.php](../data/config.php), such as `INSTANCES`, you can pass in a comma separated string via environment variable.
+
+Example:
+`FOURGET_INSTANCES="https://4get.ca,https://domain.tld"`
+
+#### Special environment variables
+
+| Name | value | Example |
+| - | - | - |
+| FOURGET_PROTO | "http" or "https" | "https" |
+
+
+#### Important directories
+
+| Mountpoint | Description |
+| - | - |
+| /etc/4get/certs | SSL certificate directory |
+| /var/www/html/4get/banner | Custom Banners directory |
+| /var/www/html/4get/data/captcha | Captcha dataset |
+
+
+the certificate directory `/etc/4get/certs` expects files named `fullchain.pem` and `privkey.pem`
+
+The captcha dataset should have a subdirectory for each category. In each category, images should be named from 1.png to X.png, and be 100x100 in size.
+
+example directory structure:
+
+```
+captcha/
+ birds/
+ 1.png
+ 2.png
+ 3.png
+ anime/
+ 1.png
+ 2.png
+```
+
+For more information on configuration view [data/config.php](../data/config.php)
+
+#### Usage
+
+You can start 4get with
+
+```
+docker run -d -p 80:80 -e FOURGET_SERVER_NAME="4get.ca" -e FOURGET_PROTO="http" luuul/4get:latest
+```
+
+...Or with SSL:
+
+```
+docker run -d -p 443:443 -e FOURGET_SERVER_NAME="4get.ca" -e FOURGET_PROTO="https" -v /etc/letsencrypt/live/domain.tld:/etc/4get/certs luuul/4get:latest
+```
+
+
+#### With Docker Compose
+
+Replace relevant values and start with `docker compose up -d`
+
+##### HTTP
+
+```
+# docker-compose.yaml
+version: "3.7"
+
+services:
+ fourget:
+ image: luuul/4get:latest
+ restart: unless-stopped
+ environment:
+ - FOURGET_PROTO=http
+ - FOURGET_SERVER_NAME=4get.ca
+
+ ports:
+ - "80:80"
+```
+
+##### HTTPS
+
+```
+# docker-compose.yaml
+version: "3.7"
+
+services:
+ fourget:
+ image: luuul/4get:latest
+ restart: unless-stopped
+ environment:
+ - FOURGET_PROTO=https
+ - FOURGET_SERVER_NAME=4get.ca
+
+ ports:
+ - "80:80"
+ - "443:443"
+
+ volumes:
+ - /etc/letsencrypt/live/domain.tld:/etc/4get/certs
+```
+
+##### Captcha Enabled
+
+Set `FOURGET_BOT_PROTECTION=1` and mount a directory containing captcha files to `/var/www/html/4get/data/captcha`
+
+
+```
+# docker-compose.yaml
+version: "3.7"
+
+services:
+ fourget:
+ image: luuul/4get:latest
+ restart: unless-stopped
+ environment:
+ - FOURGET_PROTO=http
+ - FOURGET_SERVER_NAME=4get.ca
+ - FOURGET_BOT_PROTECTION=1
+
+ ports:
+ - "80:80"
+
+ volumes:
+ - ./captcha:/var/www/html/4get/data/captcha
+```
+
+##### Custom Banners
+
+```
+# docker-compose.yaml
+version: "3.7"
+
+services:
+ fourget:
+ image: luuul/4get:latest
+ restart: unless-stopped
+ environment:
+ - FOURGET_PROTO=http
+ - FOURGET_SERVER_NAME=4get.ca
+
+ ports:
+ - "80:80"
+
+ volumes:
+ - ./banners:/var/www/html/4get/banner
+```
+
+##### Tor
+
+You can route incoming and outgoing requests through tor by following [docker tor documentation](./docker_tor.md)
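Review bot: the two HTTPS examples mount `/etc/letsencrypt/live/domain.tld` at `/etc/4get/certs`, but certbot's `live/` directory holds relative symlinks into `../../archive/`, so `fullchain.pem` and `privkey.pem` will dangle inside the container unless the image resolves them some other way. Document copying the dereferenced files (for example with `cp -L`) into a dedicated directory and mounting that, and mark the volume read-only with `:ro`. Every example also pulls `luuul/4get:latest`; pinning a version tag or digest would keep deployments reproducible. The HTTPS compose file publishes `80:80` as well as `443:443`, while the `docker run` SSL example publishes only 443; note whether port 80 is needed.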
diff --git a/docs/docker_tor.md b/docs/docker_tor.md
new file mode 100644
index 0000000..21ae698
--- /dev/null
+++ b/docs/docker_tor.md
@@ -0,0 +1,174 @@
+#### Overview
+
+This guide will walk you through using 4get in docker with tor running in
+another container. This guide covers how to make outgoing and incoming traffic
+go through tor.
+
+
+##### Starting tor
+
+This guide will use `luuul/tor` which is a simple image that installs and starts
+tor in an alpine container SocksPort set to 0.0.0.0:9050
+
+For additional configuration you can mount your own `torrc` file to `/etc/tor/torrc`
+Remember to set `SocksPort 0.0.0.0:9050` otherwise communication between containers won't work.
+
+You will see this warning `Other people on the Internet might find your computer and use it as an open proxy. Please don't allow this unless you have a good reason.`
+
+This setting is in the torrc of this `luuul/tor` image. If you mount your own torrc then that will be read instead.
+
+If you use `SocksPort 0.0.0.0:9050` anywhere make sure it is inaccessible to outside world.
+As long as you don't publish this port (-p or --publish) it shouldn't be accessible to outside world.
+
+
+Tor always starts a socks5 proxy on port 9050 by default.
+
+
+##### Route outgoing requests over tor
+
+create a folder named `proxies` and create a file in that folder named `onion.txt`
+this folder will be mounted to `/var/www/html/4get/data/proxies/`
+
+directory structure
+
+```
+proxies/
+ onion.txt
+```
+
+put the following content into `onion.txt`
+More information about this file available in [proxy documentation](./configure.md#Proxies).
+
+```
+# proxies/onion.txt
+# Note: "tor" is the service name of luuul/tor in docker-compose.yaml
+socks5:tor:9050::
+```
+
+create a file named `docker-compose.yaml` with the following content
+This docker compose file will run `luuul/tor` and `luuul/4get` and configure 4get to load `proxies/onion.txt` for outgoing requests.
+
+If you mount your own torrc make sure you include `SocksPort 0.0.0.0:9050`
+Read the warning in [starting tor](./docker_tor.md#Starting-tor)!
+
+```
+# docker-compose.yaml
+version: "3.7"
+
+services:
+ tor:
+ image: luuul/tor:latest
+ restart: unless-stopped
+ # Warning: Do not publish port 9050
+
+ fourget:
+ image: luuul/4get:latest
+ restart: unless-stopped
+ environment:
+ - FOURGET_PROTO=http
+ - FOURGET_SERVER_NAME=4get.ca
+ # loads proxies/onion.txt
+ - FOURGET_PROXY_DDG="onion"
+ - FOURGET_PROXY_BRAVE="onion"
+ - FOURGET_PROXY_FB="onion"
+ - FOURGET_PROXY_GOOGLE="onion"
+ - FOURGET_PROXY_QWANT="onion"
+ - FOURGET_PROXY_MARGINALIA="onion"
+ - FOURGET_PROXY_MOJEEK="onion"
+ - FOURGET_PROXY_SC="onion"
+ - FOURGET_PROXY_SPOTIFY="onion"
+ - FOURGET_PROXY_WIBY="onion"
+ - FOURGET_PROXY_CURLIE="onion"
+ - FOURGET_PROXY_YT="onion"
+ - FOURGET_PROXY_YEP="onion"
+ - FOURGET_PROXY_PINTEREST="onion"
+ - FOURGET_PROXY_SEZNAM="onion"
+ - FOURGET_PROXY_NAVER="onion"
+ - FOURGET_PROXY_GREPPR="onion"
+ - FOURGET_PROXY_CROWDVIEW="onion"
+ - FOURGET_PROXY_MWMBL="onion"
+ - FOURGET_PROXY_FTM="onion"
+ - FOURGET_PROXY_IMGUR="onion"
+ - FOURGET_PROXY_YANDEX_W="onion"
+ - FOURGET_PROXY_YANDEX_I="onion"
+ - FOURGET_PROXY_YANDEX_V="onion"
+
+ ports:
+ - "80:80"
+
+ depends_on:
+ - tor
+
+ volumes:
+ - ./proxies/:/var/www/html/4get/data/proxies/
+```
+
+You can now start both containers with `docker compose up -d`
+
+
+#### Route incoming requests over tor
+
+This will create a hidden service that will be accessible via an onion link.
+
+1. create a file named `torrc` with the following content
+
+```
+# torrc
+User root
+
+HiddenServiceDir /var/lib/tor/4get/
+HiddenServicePort 80 fourget:80
+
+```
+
+2. create a folder named "4get" which will contain your hidden service keys.
+
+Make sure it has permission `600` otherwise you will get an error
+
+> Permissions on directory /var/lib/tor/4get/ are too permissive.
+
+you can change permissions with
+
+```
+chmod 600 4get
+```
+
+3. Create a folder named "data" that will contain your DataDirectory
+
+
+4. create a `docker-compose.yaml` with the following content
+
+```
+# docker-compose.yaml
+version: "3.7"
+
+services:
+ fourget:
+ image: luuul/4get:latest
+ restart: unless-stopped
+ environment:
+ - FOURGET_PROTO=http
+ - FOURGET_SERVER_NAME=4get.ca
+
+ depends_on:
+ - tor
+
+ tor:
+ image: luuul/tor:latest
+ restart: unless-stopped
+
+ volumes:
+ - ./torrc:/etc/tor/torrc
+ - ./4get:/var/lib/tor/4get
+ - ./data:/root/.tor
+```
+
+5. You can now start both with `docker compose up -d`
+
+6. print onion hostname with
+
+```
+docker exec `docker ps -qf ancestor=luuul/tor:latest` sh -c "cat /var/lib/tor/4get/hostname"
+```
+
+or `cat ./4get/hostname`
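Review bot: step 2 of "Route incoming requests over tor" tells the reader to `chmod 600 4get`, but `4get` is a directory and mode 600 removes its search bit; `chmod 700 4get` is the mode a hidden service directory needs, and 600 only gets by here because the torrc sets `User root`. Running tor as root deserves either a sentence of justification or a non-root user with matching ownership on the mounted `./4get` and `./data` directories. The heading levels are also inconsistent: "Route outgoing requests over tor" is `#####` while "Route incoming requests over tor" is `####`.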
diff --git a/docs/nginx.md b/docs/nginx.md
new file mode 100644
index 0000000..82fc434
--- /dev/null
+++ b/docs/nginx.md
@@ -0,0 +1,194 @@
+<h1 align=center>Installation of 4get in NGINX</h1>
+
+<div align=right>
+
+> NOTE: As the previous version stated, it is better to follow the <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2.md">Apache2 guide</a> instead of the Nginx one.
+
+> NOTE: This is going to guess that you're using either a <abbr title="(Arch Linux, Artix Linux, Endeavouros, etc...) ">Arch-based system</abbr> or a <abbr title="(Debian, Ubuntu, Devuan, etc...)">Debian-based system</abbr>, although you can still follow it with minor issues.
+
+</div>
+
+1. Login as root.
+2. Upgrade your system:
+ * On Arch-based, run `pacman -Syu`.
+ * On Debian-based, run `apt update`, then `apt upgrade`.
+3. Install the following dependencies:
+ * `git`: So you can clone <a href="https://git.lolcat.ca/lolcat/4get">this</a> repository.
+ * `nginx`: So you can run Nginx.
+ * `php-fpm`: This is what allows Nginx to run *(and show)* PHP files.
+ * `php-imagick`, `imagemagick`: Image manipulation.
+ * `php-apcu`: Caching module.
+ * `php-curl`, `curl`: Transferring data with URLs.
+ * `php-mbstring`: String utils.
+ * `certbot`, `certbot-nginx`: ACME client. Used to create SSL certificates.
+ * In Arch-based distributions:
+ * `pacman -S nginx certbot php-imagick certbot-nginx imagemagick curl php-apcu git`
+ * In Debian-based distributions:
+ * `apt install php-mbstring nginx certbot-nginx certbot php-imagick imagemagick php-curl curl php-apcu git`
+
+<div align=right>
+
+> IMPORTANT: `php-curl`, `php-mbstring` might be a Debian-only package, but this needs further fact checking.
+
+> IMPORTANT: If having issues with `php-apcu` or `libsodium`, go to [^1].
+
+</div>
+
+4. `cd` to `/etc/nginx` and make the `conf.d/` directory if it doesn't exist:
+ * Again, this guesses you're logged in as root.
+ ```sh
+ cd /etc/nginx
+ ls -l conf.d/ # If ls shows conf.d, then it means it exists.
+ # If it does not, run:
+ mkdir conf.d
+ ```
+5. Make a file inside `conf.d/` called `4get.conf` and place the following content:
+ * First run `touch conf.d/4get.conf` then `nano conf.d/4get.conf` to open the nano editor: *(Install it if it is not, or use another editor.)*
+ ```sh
+ server {
+ access_log /dev/null; # Search log file. Do you really need to?
+ error_log /dev/null; # Error log file.
+
+ # Change this if you have 4get in another folder.
+ root /var/www/4get;
+ # Change 'yourdomain' to your domain.
+ server_name www.yourdomain.com yourdomain.com;
+ # Port to listen to.
+ listen 80;
+
+ location @php {
+ try_files $uri.php $uri/index.php =404;
+ # Change the unix socket address if it's different for you.
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ fastcgi_index index.php;
+ # Change this to `fastcgi_params` if you use a debian based distribution.
+ include fastcgi.conf;
+ fastcgi_intercept_errors on;
+ }
+
+ location / {
+ try_files $uri @php;
+ }
+
+ location ~* ^(.*)\.php$ {
+ return 301 $1;
+ }
+
+ }
+ ```
+ * The above is a very basic configuration and thus will need tweaking to your personal needs. It should still work as-is, though. A 'real world' example is present in [^2].
+ * After saving the file, check that the `nginx.conf` file inside the main directory includes files inside `conf.d/`:
+ * It should be inside the the http block: *(The following is an example! Don't just Copy and Paste it!)*
+ ```sh
+ http {
+ include mime.types;
+ include conf.d/*.conf;
+ types_hash_max_size 4096;
+ # ...
+ }
+ ```
+ * Now, test your configuration with `nginx -t`, if it says that everything is good, restart *(or start)* the Nginx daemon:
+ * This depends on the init manager, most distributions use `systemd`, but it's better practice to include most.
+ ```sh
+ # systemd
+ systemctl stop nginx
+ systemctl start nginxt
+ # or
+ systemctl restart nginx
+
+ # openrc
+ rc-service nginx stop
+ rc-service nginx start
+ # or
+ rc-service nginx restart
+
+ # runit
+ sv down nginx
+ sv up nginx
+ # or
+ sv restart nginx
+
+ # s6
+ s6-rc -d change nginx
+ s6-rc -u change nginx
+ # or
+ s6-svc -r /run/service/nginx
+
+ # dinit
+ dinitctl stop nginx
+ dinitctl start nginx
+ # or
+ dinitctl restart nginx
+ ```
+6. Clone the repository to `/var/www`:
+ * `git clone --depth 1 https://git.lolcat.ca/lolcat/4get 4get` - It clones the repository with the depth of one commit *(so it takes less time to download)* and saves the cloned repository as '4get'.
+7. That should be it! There are some extra steps you can take, but it really just depends on you.
+
+<h2 align=center>Encryption setup</h2>
+
+1. Generate a certificate for the domain you're using with:
+ * Note that `certbot-nginx` is needed.
+ ```sh
+ certbot --nginx --key-type ecdsa -d www.yourdomain.com -d yourdomain.com
+ ```
+2. After that, certbot will deploy the certificate automatically to your 4get conf file; It should be ready to use from there.
+
+<h2 align=center>Tor Setup</h2>
+
+<div align=right>
+
+> IMPORTANT: Tor onion addresses are very long compared to traditional domains, so, Before doing anything, edit `nginx.conf` and increase <abbr title="This setting in your Nginx configuration controls the internal data structure used to manage multiple server names (hostnames) associated with your web server. Each hostname requires a certain amount of memory within this structure. If the size is insufficient, Nginx will encounter errors."><code>server_names_hash_bucket_size</code></abbr> to your needs.
+
+</div>
+
+1. `cd` to `/etc/nginx` *(if you haven't)* and open your `nginx.conf` file.
+2. Find the line containing `# server_names_hash_bucket_size 64;` inside said file.
+3. Uncomment the line and adjust the value; start with 64, but if you encounter issues, incrementally increase it *(e.g., 128, 256)* until it accommodates your configuration.
+4. Open *(or duplicate the configuration)* and edit it:
+ * Example configuration, again:
+ ```sh
+ server {
+ access_log /dev/null; # Search log file. Do you really need to?
+ error_log /dev/null; # Error log file.
+
+ # Change this if you have 4get in another folder.
+ root /var/www/4get;
+ # Change 'onionadress.onion' to your onion link.
+ server_name onionadress.onion;
+ # Port to listen to.
+ listen 80;
+
+ location @php {
+ try_files $uri.php $uri/index.php =404;
+ # Change the unix socket address if it's different for you.
+ fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
+ fastcgi_index index.php;
+ # Change this to `fastcgi_params` if you use a debian based distribution.
+ include fastcgi.conf;
+ fastcgi_intercept_errors on;
+ }
+
+ location / {
+ try_files $uri @php;
+ }
+
+ location ~* ^(.*)\.php$ {
+ return 301 $1;
+ }
+
+ }
+ ```
+ A real world example is present in [^2].
+5. Once done, check the configuration with `nginx -t`. If everything's fine and dandy, refer to <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/tor.md">the Tor guide</a> to setup your onion site.
+
+<h2 align=center>Other important things</h2>
+
+1. <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/configure.md">Configuration guide</a>: Things to do after setup.
+2. <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2.md">Apache2 guide</a>: Fallback to this if you couldn't get something to work, or you don't know something.
+
+<h2 align=center>Known issues</h2>
+
+1. https://git.lolcat.ca/lolcat/4get/issues
+
+[^1]: lolcat/4get#40, If having issues with `libsodium`, or `php-apcu`.
+[^2]: <a href="https://git.nadeko.net/Fijxu/etc-configs/src/branch/selfhost/nginx/conf.d/4get.conf">git.nadeko.net</a> nadeko.net's 4get instance configuration. \ No newline at end of file
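Review bot: In the Tor server block, `listen 80;` combined with `server_name onionadress.onion;` binds the onion virtual host on all addresses of the machine, so a request sent to the public IP with the onion name in the Host header is answered with the same site, which links the onion service to the server's address. docs/tor.md forwards to `127.0.0.1:80`, so this example should use `listen 127.0.0.1:80;`. In the systemd block, `systemctl start nginxt` is a typo for `nginx`. In step 3, `php-fpm` is listed as a dependency but is missing from both the `pacman -S` and the `apt install` lines. The nginx configuration fences are tagged `sh`, which mis-highlights them.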
diff --git a/docs/tor.md b/docs/tor.md
new file mode 100644
index 0000000..b29ac3d
--- /dev/null
+++ b/docs/tor.md
@@ -0,0 +1,16 @@
+# Tor setup
+This guide assumes that there is already a configured webserver sitting on port 80 waiting for localhost connections. The <a href="https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2.md">apache2 guide</a> guides you through this.
+
+1. Login as `root`.
+2. Install `tor`.
+3. Edit `/etc/tor/torrc`
+4. Go to the line that contains `HiddenServiceDir` and `HiddenServicePort`, uncomment those 2 lines and set them like this:
+ ```
+ HiddenServiceDir /var/lib/tor/4get
+ HiddenServicePort 80 127.0.0.1:80
+ ```
+5. Restart the tor service using `service tor restart`
+6. Wait for a while...
+7. Run `cat /var/lib/tor/4get/hostname`. That is your onion address!
+
+# Specify your own tor address
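Review bot: The file ends on the heading `# Specify your own tor address` with nothing under it; add the procedure or drop the heading until it is written. Step 5 hardcodes `service tor restart`, which is not available on every init system the nginx guide covers, so either list the alternatives or say to restart tor with the local init system. The opening line assumes a webserver "waiting for localhost connections" on port 80, but no step checks it; a verification step before editing `torrc` (confirm the port 80 listener is bound to 127.0.0.1) would make that assumption explicit. Step 7 should also say that `/var/lib/tor/4get` holds the service's private key next to `hostname` and must stay readable only by the tor user.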