Q: Lemmy and Mastodon instances behind existing reverse proxy

This is a slow learning process for me and some of you already helped me a lot to figure out reverse proxies in general. However, I’m not there yet … so:

How can I set up Lemmy (and Mastodon down the line) behind my existing reverse proxy? I’m trying to install from docker and the docker compose files come with templates for reverse proxy configuration, but these are (probably) only valid, if I’m installing on a dedicated server with nothing else running there.

I tried commenting out the stuff for the proxy configuration, but I can’t seem to get it to work. The Lemmy install ends up with 5 docker containers (lemmy, lemmy-ui, …) and I’m not sure which of them need to be adressed by my proxxy setup. Just getting the lemmy-ui container addressed by nginx didn’t work out.

I’m probably way out of my league with what I’m trying here, but if any of you have some useful tips I’d be really grateful.

ablackcatstail,
@ablackcatstail@lemmy.goblackcat.com avatar

Here is a way to get working Mastodon working behind a reverse proxy that exists on a different machine. Basically, the NGINX server running on the Mastodon instance is configured to “lie” to the the streaming and web servers that the connection is happening over. This way you handle the SSL termination at the actual proxy server. So what you do is change the listen line to 80 and comment out all of the SSL related stuff. Then look for the @proxy section of the NGINX daemon running on the mastodon instance and change the X-Forwarded-Proto header to https as shown below.

<pre style="background-color:#ffffff;">
<span style="color:#323232;">server {
</span><span style="color:#323232;">  #listen 443 ssl http2;
</span><span style="color:#323232;">  #listen [::]:443 ssl http2;
</span><span style="color:#323232;">  
</span><span style="color:#323232;">  listen 80;
</span><span style="color:#323232;">  server_name example.com;
</span><span style="color:#323232;">
</span><span style="color:#323232;">  #ssl_protocols TLSv1.2 TLSv1.3;
</span><span style="color:#323232;">  #ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
</span><span style="color:#323232;">  #ssl_prefer_server_ciphers on;
</span><span style="color:#323232;">  #ssl_session_cache shared:SSL:10m;
</span><span style="color:#323232;">  #ssl_session_tickets off;
</span><span style="color:#323232;">
</span><span style="color:#323232;">  # Uncomment these lines once you acquire a certificate:
</span><span style="color:#323232;">  #ssl_certificate     /etc/ssl/fullchain.pem;
</span><span style="color:#323232;">  #ssl_certificate_key /etc/ssl/private/privkey.pem;
</span><span style="color:#323232;">
</span><span style="color:#323232;">...
</span><span style="color:#323232;">
</span><span style="color:#323232;">location @proxy {
</span><span style="color:#323232;">    proxy_set_header Host $host;
</span><span style="color:#323232;">    proxy_set_header X-Real-IP $remote_addr;
</span><span style="color:#323232;">    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
</span><span style="color:#323232;">    #proxy_set_header X-Forwarded-Proto $scheme;
</span><span style="color:#323232;">    proxy_set_header X-Forwarded-Proto https;
</span><span style="color:#323232;">    proxy_set_header Proxy "";
</span><span style="color:#323232;">    proxy_pass_header Server;
</span><span style="color:#323232;">
</span><span style="color:#323232;">    proxy_pass http://backend;
</span><span style="color:#323232;">    proxy_buffering on;
</span><span style="color:#323232;">    proxy_redirect off;
</span><span style="color:#323232;">    proxy_http_version 1.1;
</span><span style="color:#323232;">    proxy_set_header Upgrade $http_upgrade;
</span><span style="color:#323232;">    proxy_set_header Connection $connection_upgrade;
</span><span style="color:#323232;">
</span><span style="color:#323232;">    proxy_cache CACHE;
</span><span style="color:#323232;">    proxy_cache_valid 200 7d;
</span><span style="color:#323232;">    proxy_cache_valid 410 24h;
</span><span style="color:#323232;">    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
</span><span style="color:#323232;">    add_header X-Cached $upstream_cache_status;
</span><span style="color:#323232;">
</span><span style="color:#323232;">    tcp_nodelay on;
</span><span style="color:#323232;">  }
</span>

If you have not yet created the reverse proxy server itself, check out NGINX Proxy Manager as it makes things stupidly easy. NGINX Proxy Manager runs in a dockerized container and makes setting up Let’s Encrypt certs a breeze. Just be sure that when you define the

matt,
@matt@lemmy.piperservers.net avatar

Think of the NGINX proxy in Lemmy’s docker-compose.yml file as the entry point to Lemmy from outside the Docker network. For instance, I don’t have any ports mapped for the individual services except for the NGINX service. The NGINX proxy in this docker-compose file will access the other services through the internal docker network, so it isn’t a problem if you set up your nginx.conf file with the service’s names. With that done, you could map any port you want for the NGINX service from the host, then point your internet-facing reverse proxy to that.

I also plan on setting up a Mastodon server, but I haven’t gotten to it yet. So I don’t have anything specific to add other than it will work similarly by using docker’s port mapping or service names depending on whether each service needs to be internet-facing or only communicate internally.

Solvena,

In the configuration of the docker proxxy, do I define my domain name (like lemmy.my-domain.tld) or will I define some local IP (like 172.20.0.1) and let nginx proxy manager point to that?

matt,
@matt@lemmy.piperservers.net avatar

You can use the FQDN of your Lemmy instance in the nginx.conf file. I’ve uploaded my files to a gist here as an example.

You should be able just to replace any mention of lemmy.mydomain.com with your FQDN of your Lemmy instance and replace any your-postgres-password with your real Postgres password. You must also set your SMTP provider settings in the email section of config.hjson (I use Brevo). In the docker-compose.yml file, you can change which port you want to map from the host; I used 8976 in mine. Then just point your internet-facing reverse proxy to the host and whichever port you chose.

I’m not using Ansible to automate it at all. I’m just updating the files manually, as needed, and doing docker compose commands. I’m using Docker volumes to persist the data on them, so feel free to change any of those basic things you want.

Solvena,

thanx! I got it running now, not sure yet if federation is working, but at least I have my instance up and could register admin + standard user :)

ablackcatstail,
@ablackcatstail@lemmy.goblackcat.com avatar

Mastodon is not hard to get working behind a reverse proxy. I’m about to go to sleep, but when I wake up, I’ll share my configs.

Letus,

Take a look at the Ansible playbook for Lemmy as it Does exactly this. Installing one Nginx on the host system and using one in docker. You can probably pull configuration examples from it.

dudeami0,
@dudeami0@lemmy.dudeami.win avatar

In most setups I have seen, the nginx instance provided by Lemmy is used due to the routing needed between lemmy/lemmy-ui being handled in nginx. Your reverse proxy can then point to the nginx instance to expose lemmy.

Solvena,

Which domain name should I put in the nginx configuration from Lemmy? My intended domain (like lemmy.my-domain.tld) or do I put some internal IP (e.g. 172.20.0.1) and point to that IP from my host nginx?

MajinBlayze, (edited )

You can point your frontend reverse proxy to the docker reverse proxy.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • random
  • uselessserver093
  • Food
  • aaaaaaacccccccce
  • [email protected]
  • test
  • CafeMeta
  • testmag
  • MUD
  • RhythmGameZone
  • RSS
  • dabs
  • Socialism
  • KbinCafe
  • TheResearchGuardian
  • oklahoma
  • feritale
  • SuperSentai
  • KamenRider
  • All magazines
    •