Setup with existing nginx reverse proxy on another host?

zaggynl · 2 years ago

Setup with existing nginx reverse proxy on another host?

zaggynl · 2 years ago

So if I make the bind variable in lemmy.hjson anything else than 0.0.0.0, the lemmy container keeps restarting with the mentioned error.

zaggynl · edit-2 2 years ago

Made some progress, lemmy instance now runs but I’m running into websocket errors:

Firefox can’t establish a connection to the server at wss://lemmy.zaggy.nl/api/v3/ws.

docker-compose.yml:

version: '2.2'

services:
  postgres:
    image: postgres:12-alpine
    environment:
      - POSTGRES_USER=lemmy
      - POSTGRES_PASSWORD=DB PASSWORD
      - POSTGRES_DB=lemmy
    volumes:
      - ./volumes/postgres:/var/lib/postgresql/data
    restart: always

  lemmy:
    image: dessalines/lemmy:0.16.7
    ports:
      - "LAN IP:8536:8536"
      - "127.0.0.1:6669:6669"
    restart: always
    environment:
      - RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemm>
    volumes:
      - ./lemmy.hjson:/config/config.hjson
    depends_on:
      - postgres
      - pictrs

  lemmy-ui:
    image: dessalines/lemmy-ui:0.16.7
    ports:
      - "192.168.1.243:1235:1234"
    restart: always
    environment:
      - LEMMY_INTERNAL_HOST=LAN IP:8536
      - LEMMY_EXTERNAL_HOST=lemmy.zaggy.nl:8536
      - LEMMY_HTTPS=true
    depends_on:
      - lemmy

  pictrs:
    image: asonix/pictrs:0.3.1
    ports:
      - "LAN IP:8537:8080"
      - "127.0.0.1:6670:6669"
    user: 991:991
    volumes:
      - ./volumes/pictrs:/mnt
    restart: always

lemmy hjson:

{
  # for more info about the config, check out the documentation
  # https://join-lemmy.org/docs/en/administration/configuration.html

  setup: {
    # username for the admin user
    admin_username: "lemmy"
    # password for the admin user
    admin_password: ADMIN PW
    # name of the site (can be changed later)
    site_name: "lemmy.zaggy.nl"
  }

  opentelemetry_url: "http://otel:4137"

  # the domain name of your instance (eg "lemmy.ml")
  hostname: "lemmy.zaggy.nl"
  # address where lemmy should listen for incoming requests
  bind: "0.0.0.0"
  # port where lemmy should listen for incoming requests
  port: 8536
  # settings related to the postgresql database
  # address where pictrs is available
  pictrs_url: "http://pictrs:8080"
  database: {
    # name of the postgres database for lemmy
    database: "lemmy"
    # username to connect to postgres
    user: "lemmy"
    # password to connect to postgres
    password: DB PW
    # host where postgres is running
    host: "postgres"
    # port where postgres can be accessed
    port: 5432
    # maximum number of active sql connections
    pool_size: 5
  }
  slur_filter:
    '''
    (*removed*(g|got|tard)?\b|cock\s?sucker(s|ing)?|ni((g{2,}|q)+|[gq]{2,})[e3r]+(s|z)?|*removed*?s?|*removed*?|\bspi(c|k)s?\b|\bchinks?|*removed*?|*removed*(es|ing|y)?|whor(es?|ing)|\btr(a|@)nn?(y|ies?)|>
    '''
#  # optional: email sending configuration
#  email: {
#    # hostname and port of the smtp server
#    smtp_server: ""
#    # login name for smtp server
#    smtp_login: ""
#    # password to login to the smtp server
#    smtp_password: ""
#    # address to send emails from, eg "noreply@your-instance.com"
#    smtp_from_address: ""
#    # whether or not smtp connections should use tls
#    use_tls: true
#  }
}

nginx bit:

      server {
          listen 80;
          server_name  lemmy.zaggy.nl;
          rewrite ^ https://$http_host$request_uri? permanent;  # force redirect http to https

       }
       server {
           listen       443 ssl;
           server_name  lemmy.zaggy.nl;
           proxy_cache cache;
           proxy_cache_lock on;
           proxy_cache_valid 200 1s;
           proxy_cache_use_stale updating;
           ssl_protocols TLSv1.2 TLSv1.3;#disable ssl3 to prevent POODLE
           ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
           ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
           ssl_prefer_server_ciphers on;
           ssl_session_cache shared:SSL:10m;
           ssl_dhparam /etc/letsencrypt/live/www.zaggy.nl-0001/dhparam.pem;
           ssl_certificate /etc/letsencrypt/live/zaggy.nl/fullchain.pem;
           ssl_certificate_key /etc/letsencrypt/live/zaggy.nl/privkey.pem;
           ssl_session_cache shared:SSL:10m;
           ssl_session_tickets off;
           ssl_stapling on;
           ssl_stapling_verify on;

          # Hide nginx version
           server_tokens off;


# Enable compression for JS/CSS/HTML bundle, for improved client load times.
   # It might be nice to compress JSON, but leaving that out to protect against potential
   # compression+encryption information leak attacks like BREACH.
   gzip on;
   gzip_types text/css application/javascript image/svg+xml;
   gzip_vary on;

   # Only connect to this site via HTTPS for the two years
   add_header Strict-Transport-Security "max-age=63072000";

   # Various content security headers
   add_header Referrer-Policy "same-origin";
   add_header X-Content-Type-Options "nosniff";
   add_header X-Frame-Options "DENY";
   add_header X-XSS-Protection "1; mode=block";

   # Upload limit for pictrs
   client_max_body_size 20M;

   # frontend
   location / {
          #restricting external access  until I fix lemmy/create admin user
          allow LAN RANGE;
          allow VPN RANGE;
          deny all;


     # The default ports:
     # lemmy_ui_port: 1235
     # lemmy_port: 8536

     set $proxpass "http://LAN IP:1235";
     if ($http_accept ~ "^application/.*$") {
       set $proxpass "http://LAN IP:8536";
     }
     if ($request_method = POST) {
       set $proxpass "http://LAN IP:8536";
     }
     proxy_pass $proxpass;

     rewrite ^(.+)/+$ $1 permanent;

     # Send actual client IP upstream
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }

   # backend
   location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
     proxy_pass http://LAN IP:8537;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";



     # Add IP forwarding headers
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header Host $host;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   }


   # Redirect pictshare images to pictrs
   location ~ /pictshare/(.*)$ {
     return 301 /pictrs/image/$1;
   }

}

Dessalines · 2 years ago

Looks like we need to update our installation instructions, these are using an old version of lemmy.

zaggynl · edit-2 2 years ago

ahhh, that could have saved me some time! Will try with the 17.2 release then, git version appears broken #0 155.7 error: failed to run custom build command for lemmy_utils v0.17.1 (/app/crates/utils)

Edit: this uses a built in nginx container which also does letsencrypt, not what I need I’ll try rebuilding the docker-compose so I can use this with my existing nginxm, tomorrow.

Dessalines · 2 years ago

I apologize for our install docs not being up to date, I’m getting those fixed now.

The manual install probably isn’t going ta work well right now, so i’d suggest ansible or docker.

PicoBlaanket · edit-2 2 years ago

Hey Zaggy,

When you say - “lemmy instance now runs”, what do you mean?

You see the Lemmy UI?
Or it’s just showing activity in the docker logs?

[when I visit lemmy.zaggy.nl - I get nginx 403 Forbidden (maybe because you’re testing something right now)]

zaggynl · edit-2 2 years ago

it will show the ‘Lemmy Instance Setup’, but any other action results in websocket errors or a page with broken CSS, I’ve removed the deny all rule since lemmy.zaggy.nl is broken anyway. edit: nvm have to rework the docker-compose of release as it already has nginx