Hello all!

I finally got my Lemmy instance up and running yay!

It runs on a local machine, I have nginx installed and my website pointing onto it.

lemmy.mindoki.com => my_static_ip(port 80) => local_ip => nginx

In ngunx I just set up a hello world message, and it works out. lemmy.mindoki.com shows it.

Now, my Lemmy instance is accessible on 0.0.0.0:1236 but obviously only from inside the hosting machine itself.

I have tinkered a bit with the nginx.conf but I feel there is lot of things to do wrongly, especially as it’s ‘dynamic’, but also it seems like a schoolbook example (for Lemmy, so no hits on my favourite search engine), so maybe someone has a working nginx.conf file to spare for a basic setup like this?

Thanks a bunch!

  • Valmond@lemmy.mlOPEnglish
    1·
    1 year ago

    Hello, I’m back with more questions and clarifications!

    This is what I did to install Lemmy:

    Install a fresh Linux Mint on an old PC.

    Follow the ‘official’ docker install: https://join-lemmy.org/docs/administration/install_docker.html

    I continued with nginx, lets encrypt etc.

    I also installed PosgreSQL and added a user Lemmy.

    I forward a TCP connection from my fix public IP to the lemmy PC and pointed lemmy.mindoki.com with an A redirection onto that public IP:PORT.

    The only ‘exotic’ thing done was that I added these lines to /home/fediverse/.bashrc :

    export LEMMY_CONFIG_LOCATION=“/media/fediverse/Storage/lemmy/lemmy.hjson”

    EMMY_DATABASE_URL=“postgres://lemmy:redacted_password@localhost:5432/lemmy”

    . “$HOME/.cargo/env”

    I don’t think (but not completely sure) that the last line was added by me manually.

    Now I can access Lemmy locally on localhost:1236 and everything works (inscription, creations of ‘subs’ etc).

    I added the nginx.conf config file at the end of this message (some lines are commented out to make it work at all).

    Almost feels like I should have a very much shorter nginx config file 🙃

    Thanks again!

    Cheers

    .

    .

    .

    nginx.conf :

    worker_processes auto;

    events { worker_connections 1024; }

    http {

    limit_req_zone $binary_remote_addr zone=lemmy.mindoki.com_ratelimit:10m rate=1r/s;

server {
    listen 80;
    listen [::]:80;
    server_name lemmy.mindoki.com;
    # Hide nginx version
    server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name lemmy.mindoki.com;

    ssl_certificate /etc/letsencrypt/live/lemmy.mindoki.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lemmy.mindoki.com/privkey.pem;


    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Hide nginx version
    server_tokens off;

    # Enable compression for JS/CSS/HTML bundle, for improved client load times.
    # It might be nice to compress JSON, but leaving that out to protect against potential
    # compression+encryption information leak attacks like BREACH.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Various content security headers
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";


    location / {
      proxy_pass http://0.0.0.0:1236;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

access_log /var/log/nginx/access.log combined;



# We construct a string consistent of the "request method" and "http accept header"
# and then apply soem ~simply regexp matches to that combination to decide on the
# HTTP upstream we should proxy the request to.
#
# Example strings:
#
#   "GET:application/activity+json"
#   "GET:text/html"
#   "POST:application/activity+json"
#
# You can see some basic match tests in this regex101 matching this configuration
# https://regex101.com/r/vwMJNc/1
#
# Learn more about nginx maps here http://nginx.org/en/docs/http/ngx_http_map_module.html
map "$request_method:$http_accept" $proxpass {
    # If no explicit matches exists below, send traffic to lemmy-ui
    default "http://lemmy-ui";

    # GET/HEAD requests that accepts ActivityPub or Linked Data JSON should go to lemmy.
    #
    # These requests are used by Mastodon and other fediverse instances to look up profile information,
    # discover site information and so on.
    "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://lemmy";

    # All non-GET/HEAD requests should go to lemmy
    #
    # Rather than calling out POST, PUT, DELETE, PATCH, CONNECT and all the verbs manually
    # we simply negate the GET|HEAD pattern from above and accept all possibly $http_accept values
    "~^(?!(GET|HEAD)).*:" "http://lemmy";
}

#upstream lemmy {
    # this needs to map to the lemmy (server) docker service hostname
#    server "lemmy:8536";
#}

#upstream lemmy-ui {
    # this needs to map to the lemmy-ui docker service hostname
#    server "lemmy-ui:1234";
#}

server {
    # this is the port inside docker, not the public one yet
    listen 1236;
    listen 8536;

    # change if needed, this is facing the public web
    server_name localhost;
    server_tokens off;

    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Upload limit, relevant for pictrs
    client_max_body_size 20M;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # frontend general requests
    location / {
        proxy_pass $proxpass;

        rewrite ^(.+)/+$ $1 permanent;

        # Send actual client IP upstream
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # backend
    location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
        proxy_pass "https://lemmy";

        # proxy common stuff
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Send actual client IP upstream
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

    }

    • Valmond@lemmy.mlOPEnglish
      1·
      1 year ago

      EDIT: The site itself works now, so I “only” need help with nginx :-)

      EDIT: DISCARD THE FOLLOWING LINES (Strike-through doesn’t seem to work):

      ~~BTW, I get a handful of errors when I start Lemmy :

      thread ‘main’ panicked at 'Error connecting to postgres://lemmy:thepassword@postgres:5432/lemmy: could not connect to server: Connection refused

      lemmy_1 | Is the server running on host “postgres” (172.18.0.2) and accepting

      lemmy_1 | TCP/IP connections on port 5432?

      I do not know at all where that 172.18.0.2 address comes from sweating :-D~~