[docs] Clarify that reverse proxy setups need trusted-proxies (#1127)

* [docs] Clarify that reverse proxy setups need trusted-proxies

* Remove the jq usage
dx 2022-11-23 16:10:56 +01:00 committed by GitHub
parent 5ba5fb3154
commit 8942a70856
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 40 additions and 0 deletions

@ -100,6 +100,8 @@ You should also change `http://localhost:8080` to the correct address and port o
`ProxyPreserveHost On` is essential: It guarantees that the proxy and the GoToSocial speak of the same Server name. If not, GoToSocial will build the wrong authentication headers, and all attempts at federation will be rejected with 401 Unauthorized.
By default, apache sets `X-Forwarded-For` in forwarded requests. To make this and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs
Save and close the config file.
Now we'll need to link the file we just created to the folder that Apache HTTP Server reads configurations for active sites from.
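Review bot: the new sentence tells the reader to set `trusted-proxies` but not what value to put in it; since the context line proxies to `http://localhost:8080`, suggest stating that it is the address Apache's requests arrive from (127.0.0.1 in this layout), so that only the proxy's `X-Forwarded-For` header is honoured and not one supplied by an arbitrary client. Minor: the sentence is missing its final period after "docs", and writes `apache` lowercase while the following paragraph uses `Apache HTTP Server`.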

@ -77,6 +77,8 @@ example.org {
}
```
By default, caddy sets `X-Forwarded-For` in forwarded requests. To make this and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs
For advanced configuration check the [reverse_proxy directive](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) at the Caddy documentation.
Now check for configuration errors.
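Review bot: the added line ends without a period and writes `caddy` lowercase while the next line says `Caddy`; suggest "...docs." and `Caddy` for consistency. As with the Apache page, it would help to say here which address goes into `trusted-proxies` (the one Caddy connects from) rather than leaving that entirely to the linked pages.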

@ -98,6 +98,35 @@ If you want to use [LetsEncrypt](../configuration/letsencrypt.md) for ssl certif
2. Remove the `#` before `- "80:80"` in the `ports` section.
3. (Optional) Set `GTS_LETSENCRYPT_EMAIL_ADDRESS` to a valid email address to receive certificate expiry warnings etc.
#### Reverse proxies
The default port bindings are for exposing GoToSocial directly and publicly. Remove the `#` in front the line that forwards `127.0.0.1:8080:8080` which makes port `8080` available only to the local host. Change that `127.0.0.1` if the reverse proxy is somewhere else.
To ensure [rate limiting](../api/ratelimiting.md) by IP works, remove the `#` in front of `GTS_TRUSTED_PROXIES` and set it to the IP the requests from the reverse proxy are coming from. That's usually the value of the `Gateway` field of the docker network.
```text
$ docker network inspect gotosocial_gotosocial
[
{
"Name": "gotosocial_gotosocial",
[...]
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.19.0.0/16",
"Gateway": "172.19.0.1"
}
]
},
[...]
```
In the example above, it would be `172.19.0.1`.
If unsure, skip the trusted proxies step, continue with the next sections, and once it's running get the `clientIP` from the docker logs.
### Start GoToSocial
With those small changes out of the way, you can now start GoToSocial with the following command:
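Review bot: the reverse-proxy paragraph uncomments `127.0.0.1:8080:8080` but never says to comment out the public binding, even though the surrounding text describes the default bindings as exposing GoToSocial "directly and publicly"; suggest adding "and comment out the `443:8080` line", otherwise the instance stays reachable without the proxy while trusting the proxy's forwarded headers, which undercuts the IP rate limiting this step is meant to protect. Typo in the same paragraph: "in front the line" should be "in front of the line".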

@ -86,6 +86,8 @@ If you're running GoToSocial on another machine with the local ip of 192.168.178
**Note**: `client_max_body_size` is set to 40M in this example, which is the default max video upload size for GoToSocial. You can make this value larger or smaller if necessary. The nginx default is only 1M, which is rather too small.
**Note**: To make `X-Forwarded-For` and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs
Next we'll need to link the file we just created to the folder that nginx reads configurations for active sites from.
```bash
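Review bot: the note says to set `trusted-proxies` but, given the context line about running GoToSocial "on another machine with the local ip of 192.168.178...", the value in that layout is the nginx host's address rather than localhost; suggest saying so explicitly, since a wrong value here means forwarded headers are ignored and rate limiting keys on the proxy's IP. Also missing a final period after "docs".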

@ -13,9 +13,14 @@ services:
GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
GTS_LETSENCRYPT_ENABLED: "false"
GTS_LETSENCRYPT_EMAIL_ADDRESS: ""
## For reverse proxy setups:
# GTS_TRUSTED_PROXIES: "172.x.x.x"
ports:
- "443:8080"
## For letsencrypt:
#- "80:80"
## For reverse proxy setups:
#- "127.0.0.1:8080:8080"
volumes:
- ~/gotosocial/data:/gotosocial/storage
restart: "always"
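Review bot: `GTS_TRUSTED_PROXIES: "172.x.x.x"` is a placeholder, but nothing in the file says so or where the real value comes from; suggest a comment such as "# set to the docker network gateway, see the docker docs" so that the `x` characters are not copied as if they were a valid address. Also, `- "443:8080"` stays active next to the new commented `#- "127.0.0.1:8080:8080"`; a comment on the 443 line saying it should be commented out for reverse-proxy setups would keep the compose file consistent with the docs change in this commit.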