Hello all!

I finally got my Lemmy instance up and running yay!

It runs on a local machine, I have nginx installed and my website pointing onto it.

lemmy.mindoki.com => my_static_ip(port 80) => local_ip => nginx

In ngunx I just set up a hello world message, and it works out. lemmy.mindoki.com shows it.

Now, my Lemmy instance is accessible on 0.0.0.0:1236 but obviously only from inside the hosting machine itself.

I have tinkered a bit with the nginx.conf but I feel there is lot of things to do wrongly, especially as it’s ‘dynamic’, but also it seems like a schoolbook example (for Lemmy, so no hits on my favourite search engine), so maybe someone has a working nginx.conf file to spare for a basic setup like this?

Thanks a bunch!

  • Valmond@lemmy.mlOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    Hello, I’m back with more questions and clarifications!

    This is what I did to install Lemmy:

    Install a fresh Linux Mint on an old PC.

    Follow the ‘official’ docker install: https://join-lemmy.org/docs/administration/install_docker.html

    I continued with nginx, lets encrypt etc.

    I also installed PosgreSQL and added a user Lemmy.

    I forward a TCP connection from my fix public IP to the lemmy PC and pointed lemmy.mindoki.com with an A redirection onto that public IP:PORT.

    The only ‘exotic’ thing done was that I added these lines to /home/fediverse/.bashrc :

    export LEMMY_CONFIG_LOCATION=“/media/fediverse/Storage/lemmy/lemmy.hjson”

    EMMY_DATABASE_URL=“postgres://lemmy:redacted_password@localhost:5432/lemmy”

    . “$HOME/.cargo/env”

    I don’t think (but not completely sure) that the last line was added by me manually.

    Now I can access Lemmy locally on localhost:1236 and everything works (inscription, creations of ‘subs’ etc).

    I added the nginx.conf config file at the end of this message (some lines are commented out to make it work at all).

    Almost feels like I should have a very much shorter nginx config file 🙃

    Thanks again!

    Cheers

    .

    .

    .

    nginx.conf :

    worker_processes auto;

    events { worker_connections 1024; }

    http {

    limit_req_zone $binary_remote_addr zone=lemmy.mindoki.com_ratelimit:10m rate=1r/s;
    
    server {
        listen 80;
        listen [::]:80;
        server_name lemmy.mindoki.com;
        # Hide nginx version
        server_tokens off;
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }
    
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name lemmy.mindoki.com;
    
        ssl_certificate /etc/letsencrypt/live/lemmy.mindoki.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/lemmy.mindoki.com/privkey.pem;
    
    
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_session_timeout  10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets on;
        ssl_stapling on;
        ssl_stapling_verify on;
    
        # Hide nginx version
        server_tokens off;
    
        # Enable compression for JS/CSS/HTML bundle, for improved client load times.
        # It might be nice to compress JSON, but leaving that out to protect against potential
        # compression+encryption information leak attacks like BREACH.
        gzip on;
        gzip_types text/css application/javascript image/svg+xml;
        gzip_vary on;
    
        # Various content security headers
        add_header Referrer-Policy "same-origin";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "DENY";
        add_header X-XSS-Protection "1; mode=block";
    
    
        location / {
          proxy_pass http://0.0.0.0:1236;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    
    access_log /var/log/nginx/access.log combined;
    
    
    
    # We construct a string consistent of the "request method" and "http accept header"
    # and then apply soem ~simply regexp matches to that combination to decide on the
    # HTTP upstream we should proxy the request to.
    #
    # Example strings:
    #
    #   "GET:application/activity+json"
    #   "GET:text/html"
    #   "POST:application/activity+json"
    #
    # You can see some basic match tests in this regex101 matching this configuration
    # https://regex101.com/r/vwMJNc/1
    #
    # Learn more about nginx maps here http://nginx.org/en/docs/http/ngx_http_map_module.html
    map "$request_method:$http_accept" $proxpass {
        # If no explicit matches exists below, send traffic to lemmy-ui
        default "http://lemmy-ui";
    
        # GET/HEAD requests that accepts ActivityPub or Linked Data JSON should go to lemmy.
        #
        # These requests are used by Mastodon and other fediverse instances to look up profile information,
        # discover site information and so on.
        "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://lemmy";
    
        # All non-GET/HEAD requests should go to lemmy
        #
        # Rather than calling out POST, PUT, DELETE, PATCH, CONNECT and all the verbs manually
        # we simply negate the GET|HEAD pattern from above and accept all possibly $http_accept values
        "~^(?!(GET|HEAD)).*:" "http://lemmy";
    }
    
    #upstream lemmy {
        # this needs to map to the lemmy (server) docker service hostname
    #    server "lemmy:8536";
    #}
    
    #upstream lemmy-ui {
        # this needs to map to the lemmy-ui docker service hostname
    #    server "lemmy-ui:1234";
    #}
    
    server {
        # this is the port inside docker, not the public one yet
        listen 1236;
        listen 8536;
    
        # change if needed, this is facing the public web
        server_name localhost;
        server_tokens off;
    
        gzip on;
        gzip_types text/css application/javascript image/svg+xml;
        gzip_vary on;
    
        # Upload limit, relevant for pictrs
        client_max_body_size 20M;
    
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
    
        # frontend general requests
        location / {
            proxy_pass $proxpass;
    
            rewrite ^(.+)/+$ $1 permanent;
    
            # Send actual client IP upstream
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    
        # backend
        location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
            proxy_pass "https://lemmy";
    
            # proxy common stuff
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
            # Send actual client IP upstream
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    

    }

    • Valmond@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      EDIT: The site itself works now, so I “only” need help with nginx :-)

      EDIT: DISCARD THE FOLLOWING LINES (Strike-through doesn’t seem to work):

      ~~BTW, I get a handful of errors when I start Lemmy :

      thread ‘main’ panicked at 'Error connecting to postgres://lemmy:thepassword@postgres:5432/lemmy: could not connect to server: Connection refused

      lemmy_1 | Is the server running on host “postgres” (172.18.0.2) and accepting

      lemmy_1 | TCP/IP connections on port 5432?

      I do not know at all where that 172.18.0.2 address comes from sweating :-D~~