In most setups I have seen, the nginx instance provided by Lemmy is used due to the routing needed between lemmy/lemmy-ui being handled in nginx. Your reverse proxy can then point to the nginx instance to expose lemmy.
Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Which domain name should I put in the nginx configuration from Lemmy? My intended domain (like lemmy.my-domain.tld) or do I put some internal IP (e.g. 172.20.0.1) and point to that IP from my host nginx?
Mastodon is not hard to get working behind a reverse proxy. I'm about to go to sleep, but when I wake up, I'll share my configs.
You can point your frontend reverse proxy to the docker reverse proxy.
Here is a way to get Mastodon working behind a reverse proxy that exists on a different machine. Basically, the NGINX server running on the Mastodon instance is configured to "lie" to the streaming and web servers about the protocol the connection is happening over. This way you handle the SSL termination at the actual proxy server. So what you do is change the listen line to 80 and comment out all of the SSL related stuff. Then look for the @proxy section of the NGINX daemon running on the Mastodon instance and change the X-Forwarded-Proto header to https as shown below.
server {
    #listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    listen 80;
    server_name example.com;
    #ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
    #ssl_prefer_server_ciphers on;
    #ssl_session_cache shared:SSL:10m;
    #ssl_session_tickets off;
    # Uncomment these lines once you acquire a certificate:
    #ssl_certificate /etc/ssl/fullchain.pem;
    #ssl_certificate_key /etc/ssl/private/privkey.pem;
    ...
    location @proxy {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Proxy "";
        proxy_pass_header Server;
        proxy_pass http://backend;
        proxy_buffering on;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache CACHE;
        proxy_cache_valid 200 7d;
        proxy_cache_valid 410 24h;
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        add_header X-Cached $upstream_cache_status;
        tcp_nodelay on;
    }
If you have not yet created the reverse proxy server itself, check out NGINX Proxy Manager as it makes things stupidly easy. NGINX Proxy Manager runs in a dockerized container and makes setting up Let's Encrypt certs a breeze. Just be sure that when you define the
Think of the NGINX proxy in Lemmy's docker-compose.yml file as the entry point to Lemmy from outside the Docker network. For instance, I don't have any ports mapped for the individual services except for the NGINX service. The NGINX proxy in this docker-compose file will access the other services through the internal docker network, so it isn't a problem if you set up your nginx.conf file with the service's names. With that done, you could map any port you want for the NGINX service from the host, then point your internet-facing reverse proxy to that.
I also plan on setting up a Mastodon server, but I haven't gotten to it yet. So I don't have anything specific to add other than it will work similarly by using docker's port mapping or service names depending on whether each service needs to be internet-facing or only communicate internally.
In the configuration of the docker proxy, do I define my domain name (like lemmy.my-domain.tld) or will I define some local IP (like 172.20.0.1) and let nginx proxy manager point to that?
You can use the FQDN of your Lemmy instance in the nginx.conf file. I've uploaded my files to a gist here as an example. You should be able to just replace any mention of lemmy.mydomain.com with the FQDN of your Lemmy instance and replace any your-postgres-password with your real Postgres password. You must also set your SMTP provider settings in the email section of config.hjson (I use Brevo). In the docker-compose.yml file, you can change which port you want to map from the host; I used 8976 in mine. Then just point your internet-facing reverse proxy to the host and whichever port you chose.
I'm not using Ansible to automate it at all. I'm just updating the files manually, as needed, and doing docker compose commands. I'm using Docker volumes to persist the data on them, so feel free to change any of those basic things you want.
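The chaining described in this post and in the Mastodon post above (an internet-facing nginx terminating TLS, then forwarding to the docker nginx with X-Forwarded-Proto forced to https) looks like the following on the host side. This is an added example, not a config from the thread or from the Lemmy project; it assumes the host port 8976 from the post above, a docker-compose mapping written as 127.0.0.1:8976:8536 (8536 being the port the Lemmy proxy container listens on; check your own docker-compose.yml), and Let's Encrypt certificate paths.

```nginx
# Internet-facing nginx on the host (added example). Assumes the Lemmy
# docker-compose nginx service is published as "127.0.0.1:8976:8536" so the
# plain-HTTP entry point is only reachable from this host, not the internet.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name lemmy.my-domain.tld;
    return 301 https://$host$request_uri;   # never serve the app over plain HTTP
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name lemmy.my-domain.tld;

    # Assumed certificate paths (Let's Encrypt / certbot layout)
    ssl_certificate     /etc/letsencrypt/live/lemmy.my-domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lemmy.my-domain.tld/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Only the Lemmy nginx container is reachable from here; it does the
        # routing between lemmy and lemmy-ui itself, so no path rules needed.
        proxy_pass http://127.0.0.1:8976;
        proxy_http_version 1.1;

        # Hostname the application sees, used in the links it generates
        proxy_set_header Host $host;
        # The hop to the container is plain HTTP; tell the backend the client
        # actually used TLS so it builds https:// URLs (same trick as the
        # Mastodon config above, just done on the outer proxy instead).
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support for the Lemmy API
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

The 127.0.0.1 prefix on the docker port mapping is the part worth double-checking: with a bare 8976:8536 mapping, the internal nginx is reachable from outside over unencrypted HTTP and bypasses the TLS proxy entirely.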
Thanks! I got it running now, not sure yet if federation is working, but at least I have my instance up and could register admin + standard user :)
Take a look at the Ansible playbook for Lemmy as it does exactly this: installing one Nginx on the host system and using one in docker. You can probably pull configuration examples from it.
My Nginx is pointing to the "proxy" container (the one with port 1236 in your docker compose).
My Nginx location looks something like the below. Obviously there is more for SSL termination etc. Let me know if this doesn't make any sense.
TIP: I'm using 0.0.0.0 since 127.0.0.1 won't work (I can explain this further if needs be).
location / {
    proxy_pass http://0.0.0.0:1236;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
Depends a lot on your existing reverse proxy.
You can read the nginx config that the defaults include and it’s some basic rules to route incoming requests to either lemmy or lemmy-ui. If your existing reverse proxy is nginx you could just incorporate the rules in there.
It also depends on why you need it behind the existing proxy, and how you’ll choose to route your traffic, and where your traffic is coming from in general.
I’d start with taking a look at the default nginx config to see if you can move those rules to your existing reverse proxy, or just forward everything coming in that’s for lemmy straight to the lemmy reverse proxy, although that might be more complicated in correctly preserving the incoming requests.