Conversation

Notices

1. thegreatape (thegreatape@thechimp.zone)'s status on Sunday, 19-Feb-2023 09:20:27 JST thegreatape
   For the people who hate cloudflare with a passion I got a question:
   
   I'm literally only using it to proxy my IP since I host my instance out of my house. Now, I read that I shouldn't even care about this, since it is my 'public' ip after all. But I wouldn't mind people not knowing my general geolocation either.
   
   Is reverse proxying through a cloud VPS a viable alternative? I'm willing to fork over some shekels/month to give myself a lil bit more privacy.
   • Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 09:20:26 JST Moon

     in reply to
     @thegreatape your instance is sending messages to other servers from your home public ip not cloudflare so you already have no privacy. if you set up a VPS you can configure it so that both incoming and outgoing traffic are from the VPS and you are actually private.
     Disinformation Purveyor :verified_think: likes this.
   • Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 09:21:31 JST Moon

     in reply to
     @thegreatape I can give you some hints even if i won't do the actual work. You can set up an nginx server on a VPS, then in the server config you reverse proxy it to your home IP. Then, for outgoing messages, you configure a socks5 proxy on your VPS, you open your firewall to only your home IP address for it, then you configure Pleroma to use it:
     
     https://docs-develop.pleroma.social/backend/configuration/howto_proxy/
   • Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Sunday, 19-Feb-2023 09:21:31 JST Disinformation Purveyor :verified_think:

     in reply to

     • Moon
     @Moon @thegreatape why not use wireguard?
   • thegreatape (thegreatape@thechimp.zone)'s status on Sunday, 19-Feb-2023 09:21:32 JST thegreatape

     in reply to

     • Moon
     @Moon KING SHIT. Yeah I'm definitely not a network expert by any means, I can only imagine there's a LOT I'm not doing that makes using CF pointless anyways 😂
   • Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 09:22:16 JST Moon

     in reply to

     • Disinformation Purveyor :verified_think:
     @thatguyoverthere @thegreatape wireguard is a perfectly acceptable alternative way to do this
     Disinformation Purveyor :verified_think: likes this.
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 09:22:32 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     Does this also work with instances directly communicating with each other? That seems a bit more simple.
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:22:32 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     @matty @thegreatape you mean forward proxying? you can do what we do and use wireguard, http or socks5 (using something like tinyproxy) and set up http proxy in pleroma for forward proxying
     Disinformation Purveyor :verified_think: likes this.
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:22:33 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     @thegreatape you can just move your nginx config to a VPS and point the phoenix proxy_pass to your home IP providing its static

     with that VPS you can also use IPtables (or nginx reverse proxy) to forward traffic to any other port, too. so if you wanted to host a minecraft server at home and hide it, you can do that too.

     https://my.esecuredata.com/index.php?/knowledgebase/article/49/how-to-redirect-an-incoming-connection-to-a-different-ip-address-on-a-specific-port-using-iptables/

   • Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Sunday, 19-Feb-2023 09:25:16 JST Disinformation Purveyor :verified_think:

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • :btrfly: anime graf mays 🛰️🪐
     @matty @graf @thegreatape You need a way to route traffic from pleroma to your public proxy server and nginx won't handle that for you. wireguard is actually very easy to use and built into the kernel. You just need to install wg-quick to configure it. Also very light weight.
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 09:25:17 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     This isn't something you can do with NGINX huh. I only ask because I do not know what any of that shit is
   • Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Sunday, 19-Feb-2023 09:27:20 JST Disinformation Purveyor :verified_think:

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • :btrfly: anime graf mays 🛰️🪐
     @matty @graf @thegreatape wireguard is simple and then you just tell pleroma to only listen on the WG interface
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:27:21 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     @matty @thegreatape you would have to setup a wireguard server on the VPS you have nginx on and connect the pleroma instance to that via wireguard but yea you can do that
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 09:27:21 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     Interesting. Setting up a forward proxy seems like a huge pain in the ass.
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:27:22 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     @matty @thegreatape nginx only does reverse proxy aka incoming connections. you are asking for intercommunication which is forward (outgoing) proxying which you need VPN (like wireguard or openvpn), http or socks5 proxy to achieve
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 09:27:22 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     Ah I see. In that case you could use the same server as both the reverse proxy and forward proxy, correct? You'd just have to set up the forward proxy on the reverse proxy server
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:27:38 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:

     @matty @thegreatape not really. you can, for example spawn a digitalocean droplet (dont do this) and run this script and have wireguard installed and config’d in less than 5 minutes. install nginx and copy your pleroma nginx config to that VPS, change proxy_pass to your actual IP and get an SSL cert and you’re done. 15 minutes maybe

     Disinformation Purveyor :verified_think: likes this.
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 09:28:59 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     • Disinformation Purveyor :verified_think:
     So do you self host wireguard or is it like any other VPN service?
     Disinformation Purveyor :verified_think: likes this.
   • Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Sunday, 19-Feb-2023 09:28:59 JST Disinformation Purveyor :verified_think:

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • :btrfly: anime graf mays 🛰️🪐
     @matty @graf @thegreatape it's built into the kernel on your nginx reverse proxy. Nothing but the CLI tools to install. It's like any other VPN as far as possible uses.
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:29:20 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • Disinformation Purveyor :verified_think:

     @matty @thatguyoverthere @thegreatape i linked you to the script that installs wireguard. it’s self hosted. but a lot of VPN providers offer it, like torguard (code jannyduty for 50% off for life)

     Disinformation Purveyor :verified_think: likes this.
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:31:45 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • Disinformation Purveyor :verified_think:
     @thatguyoverthere @matty @thegreatape to clarify that script installs wg-quick and configures wireguard and creates user accounts
     Disinformation Purveyor :verified_think: likes this.
   • Moon (moon@shitposter.club)'s status on Sunday, 19-Feb-2023 09:32:05 JST Moon

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • :btrfly: anime graf mays 🛰️🪐
     • Disinformation Purveyor :verified_think:
     @thatguyoverthere @matty @graf @thegreatape can confirm that setting up Wireguard is easier and safer than setting up a socks5 server like Dante. I suggested socks5 proxy for a couple reasons but mainly inertia, I'm just used to doing that way.
     Disinformation Purveyor :verified_think: likes this.
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 09:46:55 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     • Disinformation Purveyor :verified_think:
     Huh if this is the case I wonder if I can use a dedicated NGINX server to pull a little extra load off of my Pleroma server.
     Disinformation Purveyor :verified_think: likes this.
   • Disinformation Purveyor :verified_think: (thatguyoverthere@shitposter.club)'s status on Sunday, 19-Feb-2023 09:48:14 JST Disinformation Purveyor :verified_think:

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • :btrfly: anime graf mays 🛰️🪐
     • Phoenix
     @matty @Phoenix @graf @thegreatape you probably dont even need a pattern match if the path is /emojis/ just set that is location.
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:48:15 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • Disinformation Purveyor :verified_think:
     • Phoenix
     @matty @thatguyoverthere @thegreatape if you want to 'pull' extra load off pleroma, stop forwarding everything to @Phoenix and set up dedicated nginx location blocks for your media and emojis. there's no reason you need to have phoenix process your emojis every time someone opens it. this allows you to cache them and also speed up delivery. start with that before you add more shit into the mix
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 09:48:15 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     • Disinformation Purveyor :verified_think:
     • Phoenix

     Okay okay I’ll work on that now. This would essentially just be like this, right?

     location ~ (/emoji|/emoji/*) { root (path to emoji directory); try_files $uri =404; }
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 09:48:37 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • Disinformation Purveyor :verified_think:
     • Phoenix

     @matty @thatguyoverthere @thegreatape if you used the default pleroma you already have something similar

     location ~ ^/(media|proxy) { proxy_cache pleroma_media_cache; slice 1m; proxy_cache_key $host$uri$is_args$args$slice_range; proxy_set_header Range $slice_range; proxy_cache_valid 200 206 301 304 1h; proxy_cache_lock on; proxy_ignore_client_abort on; proxy_buffering on; chunked_transfer_encoding on; proxy_pass http://phoenix; }

     remove media from that, copy it and set the location as location ~ ^/media { and location ~ ^/emoji { then replace proxy_pass with try_files $uri @phoenix;

     location @Phoenix { proxy_pass http://phoenix; }

     this is very basic, you will have to tweak it but thats more or less what you need

     Disinformation Purveyor :verified_think: likes this.
   • :btrfly: anime graf mays 🛰️🪐 (graf@poa.st)'s status on Sunday, 19-Feb-2023 18:59:08 JST :btrfly: anime graf mays 🛰️🪐

     in reply to

     • Matty-kun :Christmas_kitty_bell:
     • Disinformation Purveyor :verified_think:
     • Phoenix
     @matty @Phoenix @thatguyoverthere @thegreatape if I were you I'd be commenting everything out rather than removing them but no. these are supplemental. ^/emoji, ^/media and ^/proxy are all their location blocks at the end of our config (before our rate limit directive on the api)
     
     we have them configured individually because each requires different shit. media caching is permanent vs emoji which may not be, for example
     Disinformation Purveyor :verified_think: likes this.
   • Matty-kun :Christmas_kitty_bell: (matty@nicecrew.digital)'s status on Sunday, 19-Feb-2023 18:59:09 JST Matty-kun :Christmas_kitty_bell:

     in reply to

     • :btrfly: anime graf mays 🛰️🪐
     • Disinformation Purveyor :verified_think:
     • Phoenix

     Should I remove the location / { proxy_pass http://phoenix; } directive then?