diff --git a/docs/installation_guide/apache-httpd.md b/docs/installation_guide/apache-httpd.md index 53f9ce25..c6e30b85 100644 --- a/docs/installation_guide/apache-httpd.md +++ b/docs/installation_guide/apache-httpd.md @@ -100,6 +100,8 @@ You should also change `http://localhost:8080` to the correct address and port o `ProxyPreserveHost On` is essential: It guarantees that the proxy and the GoToSocial speak of the same Server name. If not, GoToSocial will build the wrong authentication headers, and all attempts at federation will be rejected with 401 Unauthorized. +By default, apache sets `X-Forwarded-For` in forwarded requests. To make this and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs + Save and close the config file. Now we'll need to link the file we just created to the folder that Apache HTTP Server reads configurations for active sites from. diff --git a/docs/installation_guide/caddy.md b/docs/installation_guide/caddy.md index 0b1e9166..89fb5560 100644 --- a/docs/installation_guide/caddy.md +++ b/docs/installation_guide/caddy.md @@ -77,6 +77,8 @@ example.org { } ``` +By default, caddy sets `X-Forwarded-For` in forwarded requests. To make this and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs + For advanced configuration check the [reverse_proxy directive](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) at the Caddy documentation. Now check for configuration errors. diff --git a/docs/installation_guide/docker.md b/docs/installation_guide/docker.md index 4a59d7d2..aa98403e 100644 --- a/docs/installation_guide/docker.md +++ b/docs/installation_guide/docker.md 
@@ -98,6 +98,35 @@ If you want to use [LetsEncrypt](../configuration/letsencrypt.md) for ssl certif 2. Remove the `#` before `- "80:80"` in the `ports` section. 3. (Optional) Set `GTS_LETSENCRYPT_EMAIL_ADDRESS` to a valid email address to receive certificate expiry warnings etc. +#### Reverse proxies + +The default port bindings are for exposing GoToSocial directly and publicly. Remove the `#` in front the line that forwards `127.0.0.1:8080:8080` which makes port `8080` available only to the local host. Change that `127.0.0.1` if the reverse proxy is somewhere else. + +To ensure [rate limiting](../api/ratelimiting.md) by IP works, remove the `#` in front of `GTS_TRUSTED_PROXIES` and set it to the IP the requests from the reverse proxy are coming from. That's usually the value of the `Gateway` field of the docker network. + +```text +$ docker network inspect gotosocial_gotosocial +[ + { + "Name": "gotosocial_gotosocial", + [...] + "IPAM": { + "Driver": "default", + "Options": null, + "Config": [ + { + "Subnet": "172.19.0.0/16", + "Gateway": "172.19.0.1" + } + ] + }, + [...] +``` + +In the example above, it would be `172.19.0.1`. + +If unsure, skip the trusted proxies step, continue with the next sections, and once it's running get the `clientIP` from the docker logs. + ### Start GoToSocial With those small changes out of the way, you can now start GoToSocial with the following command: diff --git a/docs/installation_guide/nginx.md b/docs/installation_guide/nginx.md index 7beeff7a..7525d663 100644 --- a/docs/installation_guide/nginx.md +++ b/docs/installation_guide/nginx.md 
@@ -86,6 +86,8 @@ If you're running GoToSocial on another machine with the local ip of 192.168.178 **Note**: `client_max_body_size` is set to 40M in this example, which is the default max video upload size for GoToSocial. You can make this value larger or smaller if necessary. The nginx default is only 1M, which is rather too small. +**Note**: To make `X-Forwarded-For` and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs + Next we'll need to link the file we just created to the folder that nginx reads configurations for active sites from. ```bash diff --git a/example/docker-compose/docker-compose.yaml b/example/docker-compose/docker-compose.yaml index 88054868..42908893 100644 --- a/example/docker-compose/docker-compose.yaml +++ b/example/docker-compose/docker-compose.yaml @@ -13,9 +13,14 @@ services: GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db GTS_LETSENCRYPT_ENABLED: "false" GTS_LETSENCRYPT_EMAIL_ADDRESS: "" + ## For reverse proxy setups: + # GTS_TRUSTED_PROXIES: "172.x.x.x" ports: - "443:8080" + ## For letsencrypt: #- "80:80" + ## For reverse proxy setups: + #- "127.0.0.1:8080:8080" volumes: - ~/gotosocial/data:/gotosocial/storage restart: "always"
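Review bot: the apache-httpd.md hunk's new paragraph ends without a period ("... and [general configuration](../configuration/general.md) docs") and writes "apache" in lowercase while the surrounding text uses "Apache HTTP Server"; suggest "By default, Apache HTTP Server sets `X-Forwarded-For` in forwarded requests. ... docs." It would also help the reader to say which value goes into `trusted-proxies`, i.e. the address the proxy connects from as seen by GoToSocial, since the same paragraph already tells them to adjust `http://localhost:8080` for their setup.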
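Review bot: the caddy.md hunk has the same missing terminal period and lowercase product name ("caddy") as the Apache paragraph; suggest "By default, Caddy sets `X-Forwarded-For` in forwarded requests. ... docs." so the two guides stay consistent.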
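Review bot: in the docker.md hunk, "Remove the `#` in front the line that forwards `127.0.0.1:8080:8080`" is missing "of", and the section never tells the reader to comment out the existing `- "443:8080"` binding, so after following these steps GoToSocial is still published directly on 443 alongside the proxy-only `127.0.0.1:8080` binding; suggest adding a sentence such as "Also comment out the `- "443:8080"` line so GoToSocial is only reachable through the reverse proxy." Two smaller points: `docker network inspect gotosocial_gotosocial` assumes the compose project is named `gotosocial` (the network name is derived from the directory or project name), so a note like "the network name depends on your compose project name; use `docker network ls` to find it" would avoid confusion, and the `[...]` elisions inside the `text` fence should be called out as abbreviated output.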
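Review bot: the nginx.md note is missing its terminal period ("... and [general configuration](../configuration/general.md) docs"); suggest ending it with "docs." Since the preceding context covers running nginx on a separate machine ("another machine with the local ip of 192.168.178..."), it would also be worth stating that `trusted-proxies` should then contain that machine's address rather than a loopback address.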
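Review bot: in the docker-compose.yaml hunk, `# GTS_TRUSTED_PROXIES: "172.x.x.x"` is not a valid address, so a user who simply uncomments the line will get a configuration error; suggest making the placeholder self-explanatory, e.g. `## For reverse proxy setups (replace with the docker network Gateway IP, see docs/installation_guide/docker.md):`. Also, `## For reverse proxy setups:` is added above `#- "127.0.0.1:8080:8080"` while `- "443:8080"` stays active; a comment such as `## Comment out the 443 binding below when using a reverse proxy` next to it would match the intent of the docker.md change.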