Network Configuration
December 15, 2022
Server Environment/Architecture
I have two machines, with a planned purpose for each:
- Machine #1: Basic HTTP/S. It handles simple static sites and proxies to other services in my network. Importantly, this means that all SSL certs are handled here.
- Machine #2: More intensive web apps, such as Mastodon. I want to try and set this up as similarly as possible to what other guides/documentation say, which means it will likely need to be running nginx.
Network
I'm poor and have a basic residential ISP, which means a dynamic IP address. That's not great for running sites and web apps.
I use a Dynamic DNS service (noip.com) to accommodate changing external IP addresses. My Synology RackStation supports automatic updating, which I am happy to use!
This gives me a stable hostname that I can reliably use to point to my network: bpettis.hopto.org
In most cases, I use my domain registrar (in my case, name.com) to edit the DNS records for any domain I have. I create a CNAME record (or sometimes an ANAME record, which is a name.com-specific thing) from my domain name to bpettis.hopto.org.
As an example, I have a stupid little side project at https://musklesstwitter.com - its DNS is as follows:
```
; <<>> DiG 9.10.6 <<>> musklesstwitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28805
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;musklesstwitter.com. IN A
;; ANSWER SECTION:
musklesstwitter.com. 300 IN CNAME bpettis.hopto.org.
bpettis.hopto.org. 60 IN A 24.240.108.201
;; Query time: 87 msec
;; SERVER: 192.168.0.2#53(192.168.0.2)
;; WHEN: Mon Dec 12 20:45:25 CST 2022
;; MSG SIZE rcvd: 95
```
My immediate reaction was "oh shit I need to hide my IP address" - as if I hadn't just given all the information that you would need to dig for that information yourself...
My router (EdgeRouter X) is configured to block most outside requests. All HTTP and HTTPS traffic (i.e., ports 80 and 443) is sent to Machine #1 (as outlined above).
From there, we use virtual host routing to direct the request to the appropriate location: a local directory with static files, another box, or a VM elsewhere on the network.
Planned Domain Names
My plan is to do something similar for Mastodon:
- Use mastodon.benpettis.ninja as the instance URL
- Use benpettis.ninja as the display username - e.g. @bpettis@benpettis.ninja
Per the Mastodon docs, this is possible by setting the LOCAL_DOMAIN and WEB_DOMAIN values (https://docs.joinmastodon.org/admin/config/#local_domain): LOCAL_DOMAIN is the domain in the username (benpettis.ninja) and WEB_DOMAIN is where the instance is actually served (mastodon.benpettis.ninja).
Planned Request Routing
- Continue to direct all HTTPS traffic to machine #1
- Use Apache's Proxy and Virtual Host routing on machine #1 to send all traffic for mastodon.benpettis.ninja to machine #2
- On machine #2, use nginx to send traffic to specific localhost ports:
  - :3000 - presumably for puma / ruby on rails
  - :4000 - presumably for node
  - the public/static files served directly
Dealing with redirects
BUT - I want to continue to have benpettis.ninja redirect to benpettis.com in most cases. Because this will be an instance just for me (and my silly lil bots), I don't really need to have as obvious of a public-facing URL. Plus I think I have this URL in a few other random sites and can't be bothered to fix it all. This might be possible.
Currently benpettis.ninja is pointed at bpettis.hopto.org, and machine #1 is redirecting those requests back to the .com site:
```apache
<VirtualHost *:80>
    ServerName benpettis.ninja
    ServerAlias www.benpettis.ninja
    # Trailing slash so the remainder of the request path is appended cleanly
    Redirect / https://benpettis.com/
</VirtualHost>
```
For Mastodon, we will need to handle requests to https://benpettis.ninja/.well-known/webfinger and make sure that they go to machine #2 (a remote server looking up @bpettis@benpettis.ninja asks benpettis.ninja, not mastodon.benpettis.ninja).
I think this certainly should be doable using a similar redirect setup in the Apache config.
**Note to self:** I will definitely need to figure out what's going on with www.benpettis.ninja. Currently, there is no DNS record for www at all. And maybe it should stay this way.
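Here is what that plan could look like on machine #1, as an added example and not config from the original post: the .ninja vhost keeps redirecting to the .com site but sends the WebFinger lookup (plus the related host-meta and nodeinfo paths Mastodon also serves) to the instance with a 301 that preserves the `?resource=acct:...` query string, and the mastodon.benpettis.ninja vhost is proxied to machine #2. The cert paths and the 192.168.0.20 address for machine #2 are placeholders; it assumes mod_ssl, mod_alias, mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_headers are loaded.

```apache
# Machine #1 (terminates TLS for both names). Paths and the
# 192.168.0.20 address are placeholders, not values from the post.

<VirtualHost *:443>
    ServerName benpettis.ninja
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/benpettis.ninja/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/benpettis.ninja/privkey.pem

    # Federation discovery for @bpettis@benpettis.ninja must reach the
    # Mastodon host (WEB_DOMAIN). mod_alias appends the original query
    # string, so ?resource=acct:bpettis@benpettis.ninja survives the 301.
    RedirectMatch 301 "^/\.well-known/(webfinger|host-meta|nodeinfo)$" "https://mastodon.benpettis.ninja/.well-known/$1"

    # Everything else keeps going to the .com site, as before.
    # The negative lookahead keeps this rule from swallowing /.well-known/.
    RedirectMatch 301 "^/(?!\.well-known/)(.*)$" "https://benpettis.com/$1"
</VirtualHost>

<VirtualHost *:443>
    ServerName mastodon.benpettis.ninja
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mastodon.benpettis.ninja/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mastodon.benpettis.ninja/privkey.pem

    # Hand the whole host to nginx on machine #2. Keep the Host header so
    # nginx's server_name matches, and tell Rails the client used HTTPS.
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # The streaming API (the node process on :4000 behind nginx) is a
    # WebSocket, so upgrade requests are tunnelled instead of plain-proxied.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule ^/(.*) ws://192.168.0.20/$1 [P,L]

    ProxyPass        / http://192.168.0.20/
    ProxyPassReverse / http://192.168.0.20/
</VirtualHost>
```

A quick check after deploying is `curl -sI "https://benpettis.ninja/.well-known/webfinger?resource=acct:bpettis@benpettis.ninja"`, which should return a 301 whose Location still carries the resource parameter.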
This site (https://discourse.joinmastodon.org/t/nginx-reverse-proxy-on-another-server/485) has a useful overview of something similar to what I'm hoping to set up.