# Reverse proxy with NGINX

## Requirements

For this you will need [Certbot](https://certbot.eff.org/), the Certbot NGINX plugin and of course [NGINX](https://www.nginx.com/) itself.

These are popular packages so your distro will probably have them.
### Ubuntu
```bash
sudo apt install certbot python3-certbot-nginx nginx
```
### Arch
```bash
sudo pacman -S certbot certbot-nginx nginx
```
### OpenSuse
```bash
sudo zypper install nginx python3-certbot python3-certbot-nginx
```
## Configure GoToSocial

If GoToSocial is already running, stop it.

```bash
sudo systemctl stop gotosocial
```

Or if you don't have a systemd service, just stop it manually.

In your GoToSocial config, turn off Let's Encrypt by setting `letsencrypt-enabled` to `false`.

If you were running GoToSocial on port 443, change the `port` value back to the default `8080`.

## Set up NGINX

First we will set up NGINX to serve GoToSocial as unsecured HTTP and then use Certbot to automatically upgrade it to serve HTTPS.

Please do not try to use the instance until that's done, or you'll risk transmitting passwords in clear text, or breaking federation.

First we'll write a configuration for NGINX and put it in `/etc/nginx/sites-available`.

```bash
sudo mkdir -p /etc/nginx/sites-available
sudoedit /etc/nginx/sites-available/yourgotosocial.url.conf
```

In the above commands, replace `yourgotosocial.url` with your actual GoToSocial host value. So if your `host` is set to `example.org`, then the file should be called `/etc/nginx/sites-available/example.org.conf`.

The file you're about to create should look like this:
```nginx.conf
server {
    listen 80;
    listen [::]:80;
    server_name example.org;

    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Change `proxy_pass` to the IP and port that you're actually serving GoToSocial on and change `server_name` to your own domain name.

If your domain name is `example.org` then `server_name example.org;` would be the correct value.

If you're running GoToSocial on another machine with the local IP of 192.168.178.69 and on port 8080 then `proxy_pass http://192.168.178.69:8080;` would be the correct value.

**Note**: You can remove the line `listen [::]:80;` if your server is not IPv6 capable.

**Note**: `proxy_set_header Host $host;` is essential. It guarantees that the proxy and GoToSocial use the same server name. If not, GoToSocial will build the wrong authentication headers, and all attempts at federation will be rejected with 401.

**Note**: The `Connection` and `Upgrade` headers are used for WebSocket connections. See the [WebSocket docs](./websocket.md).

Next we'll need to link the file we just created to the folder that nginx reads configurations for active sites from.

```bash
sudo mkdir -p /etc/nginx/sites-enabled
sudo ln -s /etc/nginx/sites-available/yourgotosocial.url.conf /etc/nginx/sites-enabled/
```

Again, replace `yourgotosocial.url` with your actual GoToSocial host value.

Now check for configuration errors.
```bash
sudo nginx -t
```
If everything is fine you should get this as output:

```text
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Everything working? Great! Then restart nginx to load your new config file.
```bash
sudo systemctl restart nginx
```
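`nginx -t` only validates syntax, so a config that passes it can still be missing the proxy headers the notes above call essential. The following shell helper, added here and not part of GoToSocial or NGINX, greps a site config for each of those directives (tolerating extra whitespace) and demonstrates itself on two constructed sample configs, one of which drops only the `Host` header:

```shell
# Added helper, not part of GoToSocial or NGINX: `nginx -t` only checks syntax,
# so a config can pass it and still lack the proxy headers this guide needs.
# check_gts_nginx_conf FILE: 0 if every essential directive is present,
# 1 otherwise (first missing one reported on stderr). Whitespace-tolerant.
check_gts_nginx_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    for pattern in \
        'proxy_pass[[:space:]]+http://' \
        'proxy_set_header[[:space:]]+Host[[:space:]]+\$host;' \
        'proxy_set_header[[:space:]]+Upgrade[[:space:]]+\$http_upgrade;' \
        'proxy_set_header[[:space:]]+Connection[[:space:]]+"upgrade";' \
        'proxy_set_header[[:space:]]+X-Forwarded-For[[:space:]]+\$remote_addr;' \
        'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+\$scheme;'
    do
        if ! grep -Eq -- "$pattern" "$conf"; then
            echo "$conf: no directive matching '$pattern'" >&2
            return 1
        fi
    done
    return 0
}

# write_sample_confs DIR: two constructed configs. good.conf follows the guide;
# bad.conf drops only the Host header, which still parses but makes GoToSocial
# build signatures for the wrong host, so federation is rejected with 401.
write_sample_confs() {
    cat > "$1/good.conf" <<'EOF'
server {
    listen 80;
    server_name example.org;
    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
    grep -v 'proxy_set_header Host' "$1/good.conf" > "$1/bad.conf"
}

# Demo on the samples; point it at /etc/nginx/sites-available/<host>.conf instead.
d=$(mktemp -d); write_sample_confs "$d"
check_gts_nginx_conf "$d/good.conf" && echo "good.conf: ok"
check_gts_nginx_conf "$d/bad.conf" || echo "bad.conf: rejected as expected"
rm -rf "$d"
```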
## Setting up SSL with certbot
You should now be able to run certbot and it will guide you through the steps required to enable https for your instance.
```bash
sudo certbot --nginx
```
After you do, it should have automatically edited your configuration file to enable https.

Reload NGINX one last time:

```bash
sudo systemctl restart nginx
```

Now start GoToSocial again:

```bash
sudo systemctl start gotosocial
```

## Results

You should now be able to open the splash page for your instance in your web browser, and will see that it runs under https!

If you open the NGINX config again, you'll see that Certbot added some extra lines to it.

**Note**: This may look a bit different depending on the options you chose while setting up Certbot, and the NGINX version you're using.

```nginx.conf
server {
    server_name example.org;

    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = example.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name example.org;
    return 404; # managed by Certbot
}
```

## Extra Hardening
If you want to harden up your NGINX deployment with advanced configuration options, there are many guides online for doing so ([for example](https://beaglesecurity.com/blog/article/nginx-server-security.html)). Try to find one that's up to date. Mozilla also publishes best-practice SSL configuration [here](https://ssl-config.mozilla.org/).