
Comments (5)

dessalines commented on July 19, 2024

Ever since @sam365724 correctly created a sandboxed version of our dev and prod dockerfiles, we have yet to add a simple nginx reverse proxy that works with it. It's really as simple as:

```nginx
server {
    server_name your_domain;

    location / {
        proxy_pass http://localhost:LEMMY_PORT;
        include proxy_params;
    }
}
```

from lemmy-docs.

ahribellah commented on July 19, 2024

@dessalines I'm having this same issue. Can I get a slightly clearer answer about how to fix it? I'm using this config and cannot seem to get it to work. Turning off nginx during docker-compose doesn't fix it either, as I just end up with a 502 gateway error.


dessalines commented on July 19, 2024

@ahribellah How did you install lemmy? Post the rest of your config files.


ahribellah commented on July 19, 2024

@dessalines

> @ahribellah How did you install lemmy? Post the rest of your config files.

I installed through Docker. I'm having issues now because Docker is doing this (apparently common) thing where it's binding nginx.conf as a folder and erroring out when building the container. My attempts to fix that are resulting in empty files, and I don't have a lot of experience with Docker, so I'm not 100% sure whether it will actually work afterwards. It's probably my fault, as I tried stripping out the proxy manually and then rebuilt normally afterwards, but clearing the cache hasn't helped. Either way, I got around it by using the command `touch nginx.conf`.

I deliberately used my.domain.com because it's being hosted on a subdomain.

Anyways, here are my actual configs with sensitive info stripped out.

docker-compose.yml:

```yaml
version: "3.3"

networks:
  # communication to web and clients
  lemmyexternalproxy:
  # communication between lemmy services
  lemmyinternal:
    driver: bridge
    internal: true

services:
  proxy:
    image: nginx:1-alpine
    networks:
      - lemmyinternal
      - lemmyexternalproxy
    ports:
      # only ports facing any connection from outside
      - 80:80
      - 443:443
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      # setup your certbot and letsencrypt config
      - ./certbot:/var/www/certbot
      - ./letsencrypt:/etc/letsencrypt/live
    restart: always
    depends_on:
      - pictrs
      - lemmy-ui

  lemmy:
    image: dessalines/lemmy:0.17.2
    hostname: lemmy
    networks:
      - lemmyinternal
    restart: always
    environment:
      - RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemmy_db_views_moderator=info,lemmy_routes=info,lemmy_utils=info,lemmy_websocket=info"
    volumes:
      - ./lemmy.hjson:/config/config.hjson
    depends_on:
      - postgres
      - pictrs

  lemmy-ui:
    image: dessalines/lemmy-ui:0.17.2
    networks:
      - lemmyinternal
    environment:
      # this needs to match the hostname defined in the lemmy service
      - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536
      # set the outside hostname here
      - LEMMY_UI_LEMMY_EXTERNAL_HOST=my.domain.com
      - LEMMY_UI_HTTPS=true
      - LEMMY_HTTPS=true
    depends_on:
      - lemmy
    restart: always

  pictrs:
    image: asonix/pictrs:0.3.1
    # this needs to match the pictrs url in lemmy.hjson
    hostname: pictrs
    # we can set options to pictrs like this, here we set max. image size and forced format for conversion
    # entrypoint: /sbin/tini -- /usr/local/bin/pict-rs -p /mnt -m 4 --image-format webp
    networks:
      - lemmyinternal
    environment:
      - PICTRS__API_KEY=API_KEY
    user: 991:991
    volumes:
      - ./volumes/pictrs:/mnt
    restart: always

  postgres:
    image: postgres:15-alpine
    # this needs to match the database host in lemmy.hjson
    hostname: postgres
    networks:
      - lemmyinternal
    environment:
      - POSTGRES_USER=lemmy
      - POSTGRES_PASSWORD=password
      - POSTGRES_DB=lemmy
    volumes:
      - ./volumes/postgres:/var/lib/postgresql/data
    restart: always
```
lemmy.hjson (I don't remember where I saw to add :1235 to hostname, but I've tried without the port explicitly added, as well, and had no luck - still a 502 bad gateway error):

```hjson
{
  # for more info about the config, check out the documentation
  # https://join-lemmy.org/docs/en/administration/configuration.html

  # This is a minimal lemmy config for the dev / main branch. Do not use for a
  # release / stable version.

  setup: {
    admin_username: "admin"
    admin_password: "password"
    site_name: "Lemmy"
    admin_email: "[email protected]"
  }
  database: {
    user: "lemmy"
    password: "password"
    host: postgres
    port: 5432
    database: "lemmy"
    pool_size: 5
  }

  hostname: "my.domain.com:1235"
  bind: "0.0.0.0"
  port: 8536
  tls_enabled: true

  federation: {
    enabled: true
  }

  pictrs: {
    url: "http://localhost:8080/"
    api_key: "api_key"
  }

  #opentelemetry_url: "http://otel:4137"
}
```

lemmy.conf (under /etc/nginx/sites-enabled):

```nginx
limit_req_zone $binary_remote_addr zone=my.domain.com_ratelimit:10m rate=1r/s;

server {
    if ($host = my.domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name my.domain.com;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name my.domain.com;
    ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem; # managed by Certbot

    # Various TLS hardening settings
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets on;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Hide nginx version
    server_tokens off;

    # Enable compression for JS/CSS/HTML bundle, for improved client load times.
    # It might be nice to compress JSON, but leaving that out to protect against potential
    # compression+encryption information leak attacks like BREACH.
    gzip on;
    gzip_types text/css application/javascript image/svg+xml;
    gzip_vary on;

    # Only connect to this site via HTTPS for the two years
    add_header Strict-Transport-Security "max-age=63072000";

    # Various content security headers
    add_header Referrer-Policy "same-origin";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block";

    # Upload limit for pictrs
    client_max_body_size 20M;

    # frontend
    location / {
      # The default ports:
      # lemmy_ui_port: 1235
      # lemmy_port: 8536

      set $proxpass "http://0.0.0.0:1235";
      if ($http_accept ~ "^application/.*$") {
        set $proxpass "http://0.0.0.0:8536";
      }
      if ($request_method = POST) {
        set $proxpass "http://0.0.0.0:8536";
      }
      proxy_pass $proxpass;
      include proxy_params;

      rewrite ^(.+)/+$ $1 permanent;

      # Send actual client IP upstream
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # backend
    location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
      proxy_pass http://0.0.0.0:8536;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";

      # Rate limit
      limit_req zone=my.domain.com_ratelimit burst=30 nodelay;

      # Add IP forwarding headers
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Redirect pictshare images to pictrs
    location ~ /pictshare/(.*)$ {
      return 301 /pictrs/image/$1;
    }
}

# Anonymize IP addresses
# https://www.supertechcrew.com/anonymizing-logs-nginx-apache/
map $remote_addr $remote_addr_anon {
  ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
  ~(?P<ip>[^:]+:[^:]+):       $ip::;
  127.0.0.1                   $remote_addr;
  ::1                         $remote_addr;
  default                     0.0.0.0;
}
access_log /var/log/nginx/access.log combined;
```

EDIT: Ah, right, this one error shows when I run docker-compose logs:

```
lemmy_1     | thread 'main' panicked at 'Error connecting to postgres://lemmy:password@postgres:5432/lemmy', crates/db_schema/src/utils.rs:157:56
lemmy_1     | note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
lemmy_1     | thread 'main' panicked at 'Error connecting to postgres://lemmy:password@postgres:5432/lemmy', crates/db_schema/src/utils.rs:157:56
lemmy_1     | note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
lemmy_1     | thread 'main' panicked at 'Error connecting to postgres://lemmy:password@postgres:5432/lemmy', crates/db_schema/src/utils.rs:157:56
lemmy_1     | note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```

However, it's then followed by successful PostgreSQL init and startup, so I've attributed that to the database not being initialized and online when it attempts to connect, as it ends with the following line:

```
postgres_1  | 2023-04-05 22:32:02.924 UTC [1] LOG:  database system is ready to accept connections
```

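The 502 above follows directly from the sandboxing the first comment refers to. In the posted docker-compose.yml, lemmy, lemmy-ui, pictrs and postgres sit only on the `internal: true` network, so nothing on the host can open a TCP connection to port 1235 or 8536; the only thing the host can reach is whatever the `proxy` service publishes with `ports:` (here 80 and 443, which also collide with the ports the host nginx itself listens on). The `LEMMY_PORT` in the first comment's snippet is therefore the host side of that published mapping, not the container-internal 1235 or 8536. The following script is an added example, not code from the Lemmy project or from anyone in this thread: it cross-checks the upstreams a host nginx config points at against the ports a compose file actually publishes, flags targets that can only fail with 502, flags listen-port collisions, and derives the one `proxy_pass` target the host nginx can use. The inputs are constructed excerpts of the configs posted above; the minimal compose reader only understands the `services:` layout used here (two-space indentation, `ports`/`networks` as plain lists) and is not a general YAML parser.

```python
import re

# Constructed sample inputs, trimmed from the docker-compose.yml and host nginx
# config posted above (constructed for this example; not the project's files).
COMPOSE_YML = """\
services:
  proxy:
    image: nginx:1-alpine
    networks:
      - lemmyinternal
      - lemmyexternalproxy
    ports:
      - 80:80
      - 443:443
  lemmy:
    image: dessalines/lemmy:0.17.2
    networks:
      - lemmyinternal
  lemmy-ui:
    image: dessalines/lemmy-ui:0.17.2
    networks:
      - lemmyinternal
"""

HOST_NGINX_CONF = """\
server {
    listen 443 ssl http2;
    location / {
      set $proxpass "http://0.0.0.0:1235";
      if ($http_accept ~ "^application/.*$") {
        set $proxpass "http://0.0.0.0:8536";
      }
      proxy_pass $proxpass;
    }
    location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {
      proxy_pass http://0.0.0.0:8536;
    }
}
"""

LOOPBACK = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}


def parse_compose(text):
    """Minimal indentation-based reader for the `services:` block: collects each
    service's `ports` and `networks` lists (enough for this check; not a YAML parser)."""
    services, in_services, svc, key = {}, False, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        if indent == 0:
            in_services, svc, key = body == "services:", None, None
        elif not in_services:
            continue
        elif indent == 2 and body.endswith(":"):
            svc, key = body[:-1], None
            services[svc] = {"ports": [], "networks": []}
        elif indent == 4 and svc:
            key = body[:-1] if body.endswith(":") else None
        elif indent == 6 and svc and key in ("ports", "networks"):
            services[svc][key].append(body.lstrip("- ").strip("\"'"))
    return services


def published_host_ports(services):
    """host_port -> (service, container_port) for every mapping compose publishes on the host."""
    out = {}
    for name, svc in services.items():
        for spec in svc["ports"]:
            parts = spec.split("/")[0].split(":")  # drop a trailing "/udp" if present
            if len(parts) < 2:
                continue  # container port only: host port is ephemeral, not a stable upstream
            out[int(parts[-2])] = (name, int(parts[-1]))
    return out


# proxy_pass http://host:port;  and  set $var "http://host:port";
UPSTREAM_RE = re.compile(r'(?:proxy_pass|set\s+\$\w+)\s+"?(https?://[^"\s;]+)"?\s*;')
LISTEN_RE = re.compile(r"\blisten\s+(?:\[[^\]]*\]:|[\d.]+:)?(\d+)")


def upstream_targets(conf):
    """(host, port) pairs nginx would connect to, from proxy_pass and set $var URLs."""
    targets = set()
    for url in UPSTREAM_RE.findall(conf):
        m = re.match(r"https?://([^/:]+)(?::(\d+))?", url)
        default = 443 if url.startswith("https") else 80
        targets.add((m.group(1), int(m.group(2) or default)))
    return sorted(targets)


def diagnose(compose_text, nginx_conf):
    """Findings explaining why a host nginx cannot reach upstreams inside the compose sandbox."""
    services = parse_compose(compose_text)
    published = published_host_ports(services)
    findings = []
    for host, port in upstream_targets(nginx_conf):
        if host in services:
            findings.append(f"{host}:{port}: compose service names resolve only inside the docker network, not from host nginx")
        elif host in LOOPBACK and port not in published:
            findings.append(f"{host}:{port}: no compose service publishes host port {port} -> 502 Bad Gateway")
    for port in {int(p) for p in LISTEN_RE.findall(nginx_conf)}:
        if port in published:
            svc, _ = published[port]
            findings.append(f"listen {port}: host nginx and the '{svc}' container both bind host port {port}; one of them must move")
    return findings


def suggested_proxy_pass(compose_text):
    """The only upstream a host nginx can use: a port the compose proxy publishes on the host."""
    published = published_host_ports(parse_compose(compose_text))
    for host_port, (svc, container_port) in sorted(published.items()):
        if container_port == 80:  # plain-HTTP side of the dockerised nginx
            return f"http://127.0.0.1:{host_port}"
    return None


if __name__ == "__main__":
    for finding in diagnose(COMPOSE_YML, HOST_NGINX_CONF):
        print("-", finding)
    print("proxy_pass", suggested_proxy_pass(COMPOSE_YML), ";")
```

Against the posted configs it reports both `0.0.0.0:1235` and `0.0.0.0:8536` as unpublished (the source of the 502) and the port-443 collision between the host nginx and the `proxy` container. To run it against a real deployment, replace the two constants with the contents of docker-compose.yml and the host site config; if the host nginx is to keep 80 and 443, the compose `proxy` mapping has to move to a loopback-only port (for example `127.0.0.1:8536:80`, an assumed value, not one from this thread), and that host port is what `proxy_pass http://localhost:LEMMY_PORT;` should name.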

dessalines commented on July 19, 2024

Your server nginx only needs to be the one referenced in this comment

I apologize our docs aren't updated to account for this.

