this post was submitted on 13 Jul 2023
12 points (87.5% liked)

Selfhosted

40394 readers
214 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

This is a slow learning process for me and some of you already helped me a lot to figure out reverse proxies in general. However, I'm not there yet ... so:

How can I set up Lemmy (and Mastodon down the line) behind my existing reverse proxy? I'm trying to install from docker and the docker compose files come with templates for reverse proxy configuration, but these are (probably) only valid, if I'm installing on a dedicated server with nothing else running there.

I tried commenting out the stuff for the proxy configuration, but I can't seem to get it to work. The Lemmy install ends up with 5 docker containers (lemmy, lemmy-ui, ....) and I'm not sure which of them need to be adressed by my proxxy setup. Just getting the lemmy-ui container addressed by nginx didn't work out.

I'm probably way out of my league with what I'm trying here, but if any of you have some useful tips I'd be really grateful.

you are viewing a single comment's thread
view the rest of the comments
[–] ablackcatstail@lemmy.goblackcat.com 3 points 1 year ago* (last edited 1 year ago)

Here is a way to get working Mastodon working behind a reverse proxy that exists on a different machine. Basically, the NGINX server running on the Mastodon instance is configured to "lie" to the the streaming and web servers that the connection is happening over. This way you handle the SSL termination at the actual proxy server. So what you do is change the listen line to 80 and comment out all of the SSL related stuff. Then look for the @proxy section of the NGINX daemon running on the mastodon instance and change the X-Forwarded-Proto header to https as shown below.

server {
  #listen 443 ssl http2;
  #listen [::]:443 ssl http2;
  
  listen 80;
  server_name example.com;

  #ssl_protocols TLSv1.2 TLSv1.3;
  #ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  #ssl_prefer_server_ciphers on;
  #ssl_session_cache shared:SSL:10m;
  #ssl_session_tickets off;

  # Uncomment these lines once you acquire a certificate:
  #ssl_certificate     /etc/ssl/fullchain.pem;
  #ssl_certificate_key /etc/ssl/private/privkey.pem;

...

location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;

    tcp_nodelay on;
  }

If you have not yet created the reverse proxy server itself, check out NGINX Proxy Manager as it makes things stupidly easy. NGINX Proxy Manager runs in a dockerized container and makes setting up Let's Encrypt certs a breeze. Just be sure that when you define the