this post was submitted on 11 Jul 2023
26 points (90.6% liked)

Selfhosted

39161 readers
382 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud
Loki
CannaVet
devve
HybridSarcasm
[email protected]
26
Self-hosted lemmy without serving arbitrary federated content? (reddthat.com)
submitted 1 year ago by [email protected] to c/selfhosted
22 comments fedilink hide all child comments
 

I want to self-host lemmy and participate in federation. However, I wonder whether it's possible to have a setup where only I, and trusted users, are allowed to browse federated-content.

Basically, guests should not be allowed to use my instance to browse other federated content. So requests to "mydomain.tld/c/[email protected]" should not be possible. Only users, logged-in on my instance, should be able to do that.

Despite that, guests should be allowed to see posts of communities posted on my instance, and users of other instances should be allowed to comment.

I know I can choose with which other instances mine should link with, but this would make the experience inconvenient to me. Because then I would need to adjust the config if I want to subscribe to a community on an instance I have not yet linked with.

Is such setup possible? Could not find the answer in the docs unfortunately

The only thing I can think of is something like blocking UI requests, and allow them only from localhost (so I would create a "ssh -L" tunnel on the server). Federation API endpoints would not be blocked. But this seems shaky, does Lemmy support a cleaner, built-in solution?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 1 year ago (2 children)

Wouldn't this do basically nothing to prevent a 3rd party client from browsing your instance without authentication? I don't know that there's much that can really be done about this because you need open APIs for other instances to be able to access the content of your instance in order to make federation possible. That said, it's an important consideration that anybody running a single person instance should consider. If you run a single person instance, people can learn a lot about you just by seeing which communities are available on your instance. The only way to obfuscate your actual interests is to have a dummy account subscribe to all the top communities on the biggest instances. (Which, honestly, this isn't a bad strategy to employ anyway if you're wanting a fresh All feed).

[–] [email protected] 4 points 1 year ago

Yes the basic auth way I suggested only protects the lemmy-ui from being accessed which is the lowest hanging fruit in the equation. That's also why I call it the "simplest way". "Interested parties" can still access your instance via API if they know their way.

[–] [email protected] 3 points 1 year ago (1 children)

open APIs for other instances to be able to access the content of your instance in order to make federation possible.

the federation API is independent of the front-end client API. You can run headless, without lemmy-ui, and federation still works. The API structure for federation is standardized, the front-end client API is unique to Lemmy.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago)

You can run headless or do what the person I was responding to recommended and put it behind an authenticated portal, but that's not really going to stop other instances and clients from accessing the same resources that op is hoping to limit access to except in the most basic case of people casually browsing op's Lemmy instance through op's own lemmy-ui.

Edit, but to be clear, what I was responding to and my response didn't directly address op's specific concern (which I kind of misunderstood myself before just now rereading) that outside/guest users shouldn't be able to search for communities from other instances and I think it's a fair concern because just searching for a community from another instance brings in posts and could be a vector for spam/abuse.