this post was submitted on 04 Feb 2024
10 points (91.7% liked)

Selfhosted

40041 readers
687 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I hope this is the right place for this.

So, here is the thing: my lemmy instance is accessible in the browser via its domain, everything is fine, but no other communities are shown. When I test federation with "curl -H "Accept: application/activity+json" https://my-instance.com/u/some-local-user" I get a SSL certificate error.

So I figured that it has something to do with my reverse proxy and modified the nginx.conf like described in the documentation.

But the error persists.

This is my nginx.config in /etc/nginx/sites-enables/:

" limit_req_zone $binary_remote_addr zone={{ my_domain }}_ratelimit:10m rate=1r/s;

server { listen 80; listen [::]:80; server_name {{ my_domain }}; # Hide nginx version server_tokens off; location / { return 301 https://$host$request_uri; } }

server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{ my_domain }};

# Replace these lines with your own certificate and key paths
ssl_certificate /etc/ssl/certs/{{ my_certs }};
ssl_certificate_key /etc/ssl/certs/{{ my_keys }};

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers {{ cipher_encrypt }};
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;

# Hide nginx version
server_tokens off;

# Upload limit, relevant for pictrs
client_max_body_size 20M;

# Enable compression for JS/CSS/HTML bundle, for improved client load times.
gzip on;
gzip_types text/css application/javascript image/svg+xml;
gzip_vary on;

# Various content security headers
add_header Referrer-Policy "same-origin";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "DENY";
add_header X-XSS-Protection "1; mode=block";

#location / {
#  proxy_pass http://0.0.0.0:1236;
#  proxy_http_version 1.1;
#  proxy_set_header Upgrade $http_upgrade;
#  proxy_set_header Connection "upgrade";
#  proxy_set_header X-Real-IP $remote_addr;
#  proxy_set_header Host $host;
#  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#}


location / {
  set $proxy_pass "http://0.0.0.0:1236";
  if ($http_accept = "application/activity+json") {
      set $proxy_pass "http://0.0.0.0:8536";
  }
  if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
      set $proxy_pass "http://0.0.0.0:8536";
  }
  proxy_pass $proxy_pass;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

}

access_log /var/log/nginx/access.log combined;

"(end of file)

Maybe, someone has an idea how to solve this. I'm really at the end of my wits here :(

you are viewing a single comment's thread
view the rest of the comments
[–] SirMaple_@lemmy.sirmaple.ca 2 points 9 months ago* (last edited 9 months ago)

Nah don't use those. Get your own direct from Let's Encrypt. Less hoops to go through when its time to renew. Acme with a crontab entry takes care of renewals automatically. Don't forget to add to the crontab line to restart nginx right after the renewal so that the new certs are used.

Edit: spelling