ablackcatstail,
@ablackcatstail@lemmy.goblackcat.com avatar

Here is a way to get Mastodon working behind a reverse proxy that exists on a different machine. Basically, the NGINX server running on the Mastodon instance is configured to “lie” to the streaming and web servers about the protocol the connection is happening over. This way you handle the SSL termination at the actual proxy server. So what you do is change the listen line to 80 and comment out all of the SSL-related stuff. Then look for the @proxy section of the NGINX configuration on the Mastodon instance and change the X-Forwarded-Proto header to https as shown below.

<pre>
server {
  # TLS is terminated on the separate reverse proxy, so this server only
  # listens for plain HTTP from it; the original 443 listeners stay commented.
  #listen 443 ssl http2;
  #listen [::]:443 ssl http2;

  listen 80;
  server_name example.com;

  #ssl_protocols TLSv1.2 TLSv1.3;
  #ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  #ssl_prefer_server_ciphers on;
  #ssl_session_cache shared:SSL:10m;
  #ssl_session_tickets off;

  # Uncomment these lines once you acquire a certificate:
  #ssl_certificate     /etc/ssl/fullchain.pem;
  #ssl_certificate_key /etc/ssl/private/privkey.pem;

...

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # On this hop $scheme would be "http", so tell the web and streaming
    # servers explicitly that the client connection is HTTPS.
    #proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;

    tcp_nodelay on;
  }
}
</pre>

If you have not yet created the reverse proxy server itself, check out NGINX Proxy Manager, as it makes things stupidly easy. NGINX Proxy Manager runs as a Docker container and makes setting up Let’s Encrypt certs a breeze. Just be sure that when you define the
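The post covers the Mastodon side only. The other half, plus the one check that makes the hard-coded `X-Forwarded-Proto https` safe, is shown below as an added example; it is not the post's own config and not what NGINX Proxy Manager generates. Once the Mastodon host asserts "https" for everything on port 80, any client that can reach port 80 directly is treated as if it were on a secure connection, so port 80 must only be reachable from the proxy. The example assumes a front proxy at 10.0.0.2 holding the certificate for example.com and a Mastodon host at 10.0.0.10; the addresses and certificate paths are placeholders.

```nginx
# Added example (not from the post): TLS terminates on a separate front proxy
# and the Mastodon host only accepts plain HTTP from that proxy.
# Assumed placeholders: front proxy 10.0.0.2, Mastodon host 10.0.0.10,
# hostname example.com, Let's Encrypt certificate paths.

# ================= File 1: front proxy (10.0.0.2) =================
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

server {
  listen 80;
  listen [::]:80;
  server_name example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name example.com;

  ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_protocols TLSv1.2 TLSv1.3;

  # Mastodon's stock nginx config allows 99m uploads; the edge must not
  # reject them first.
  client_max_body_size 99m;

  location / {
    proxy_pass http://10.0.0.10;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # Overwrite, don't append: a client-supplied X-Forwarded-For is untrusted
    # at the edge and must not reach the backend.
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    # On this hop $scheme really is https, so nothing is hard-coded here.
    proxy_set_header X-Forwarded-Proto $scheme;
    # Required for the streaming API's WebSocket upgrade, and a long read
    # timeout so idle streaming connections are not cut after 60s.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_read_timeout 3600s;
  }
}

# ========= File 2: additions on the Mastodon host (10.0.0.10) =========
# $realip_remote_addr (nginx 1.9.7+) is the address of the TCP peer before
# the realip module rewrites $remote_addr, i.e. always the machine that
# actually connected.
map $realip_remote_addr $from_proxy {
  default   0;
  10.0.0.2  1;
}

server {
  listen 80;
  server_name example.com;

  # Trust X-Forwarded-For only on connections from the proxy, and make
  # $remote_addr (hence X-Real-IP and the access log) the end user's address.
  set_real_ip_from 10.0.0.2;
  real_ip_header   X-Forwarded-For;

  # Refuse anything that did not arrive via the proxy. Plain allow/deny would
  # not work here: the access phase runs after realip has replaced
  # $remote_addr with the end user's address, so "allow 10.0.0.2" would
  # deny every request.
  if ($from_proxy = 0) {
    return 403;
  }

  # ... the rest of the post's server block (root, locations, @proxy with the
  # hard-coded "X-Forwarded-Proto https") is unchanged.
}
```

Check it from a third host: `curl -sI http://10.0.0.10/` should get a 403 while `curl -sI https://example.com/` through the proxy returns the site. A host firewall rule limiting port 80 on the Mastodon box to 10.0.0.2 is the stronger version of the same check and worth having in addition to the nginx guard.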