This is a slow learning process for me and some of you already helped me a lot to figure out reverse proxies in general. However, I’m not there yet … so:

How can I set up Lemmy (and Mastodon down the line) behind my existing reverse proxy? I’m trying to install from docker and the docker compose files come with templates for reverse proxy configuration, but these are (probably) only valid, if I’m installing on a dedicated server with nothing else running there.

I tried commenting out the stuff for the proxy configuration, but I can’t seem to get it to work. The Lemmy install ends up with 5 docker containers (lemmy, lemmy-ui, …) and I’m not sure which of them need to be adressed by my proxxy setup. Just getting the lemmy-ui container addressed by nginx didn’t work out.

I’m probably way out of my league with what I’m trying here, but if any of you have some useful tips I’d be really grateful.

  • Meow.tar.gz@lemmy.goblackcat.com
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    Here is a way to get working Mastodon working behind a reverse proxy that exists on a different machine. Basically, the NGINX server running on the Mastodon instance is configured to “lie” to the the streaming and web servers that the connection is happening over. This way you handle the SSL termination at the actual proxy server. So what you do is change the listen line to 80 and comment out all of the SSL related stuff. Then look for the @proxy section of the NGINX daemon running on the mastodon instance and change the X-Forwarded-Proto header to https as shown below.

    server {
      #listen 443 ssl http2;
      #listen [::]:443 ssl http2;
      
      listen 80;
      server_name example.com;
    
      #ssl_protocols TLSv1.2 TLSv1.3;
      #ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
      #ssl_prefer_server_ciphers on;
      #ssl_session_cache shared:SSL:10m;
      #ssl_session_tickets off;
    
      # Uncomment these lines once you acquire a certificate:
      #ssl_certificate     /etc/ssl/fullchain.pem;
      #ssl_certificate_key /etc/ssl/private/privkey.pem;
    
    ...
    
    location @proxy {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Proxy "";
        proxy_pass_header Server;
    
        proxy_pass http://backend;
        proxy_buffering on;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    
        proxy_cache CACHE;
        proxy_cache_valid 200 7d;
        proxy_cache_valid 410 24h;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        add_header X-Cached $upstream_cache_status;
    
        tcp_nodelay on;
      }
    

    If you have not yet created the reverse proxy server itself, check out NGINX Proxy Manager as it makes things stupidly easy. NGINX Proxy Manager runs in a dockerized container and makes setting up Let’s Encrypt certs a breeze. Just be sure that when you define the