This commit is contained in:
Jim Tittsler 2024-10-31 11:13:38 +00:00 committed by GitHub
commit ae39703958
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

View file

@ -2,9 +2,9 @@
## Requirements
For this guide you will need [Caddy 2](https://caddyserver.com/), there are no other dependencies. Caddy manages Lets Encrypt certificates and renewal for them.
For this guide, you will need [Caddy 2](https://caddyserver.com/), there are no other dependencies. Caddy manages Let's Encrypt certificates and their renewal.
Caddy is in the most popular package managers, or you can get a static binary. For all latest installation guides, refer to [their manual](https://caddyserver.com/docs/install).
Caddy is in the most popular package managers, or you can get a static binary. For all the latest installation guides, refer to [their manual](https://caddyserver.com/docs/install).
### Debian, Ubuntu, Raspbian
@ -45,15 +45,15 @@ If GoToSocial is already running, stop it.
```bash
sudo systemctl stop gotosocial
```
In your GoToSocial config turn off Lets Encrypt by setting `letsencrypt-enabled` to `false`.
In your GoToSocial config, turn off Lets Encrypt by setting `letsencrypt-enabled` to `false`.
If you we running GoToSocial on port 443, change the `port` value back to the default `8080`.
If you are running GoToSocial on port 443, change the `port` value back to the default `8080`.
If the reverse proxy will be running on the same machine, set the `bind-address` to `"localhost"` so that the GoToSocial server is only accessible via loopback. Otherwise it may be possible to bypass your proxy by connecting to GoToSocial directly, which might be undesirable.
If the reverse proxy will be running on the same machine, set the `bind-address` to `"localhost"` so that the GoToSocial server is only accessible via loopback. Otherwise, it may be possible to bypass your proxy by connecting to GoToSocial directly, which might be undesirable.
## Set up Caddy
We will configure Caddy 2 to use GoToSocial on our main domain example.org. Since Caddy takes care of obtaining the Lets Encrypt certificate, we only need to configure it properly once.
We will configure Caddy 2 to use GoToSocial on our main domain example.org. Since Caddy takes care of obtaining the Let's Encrypt certificate, we only need to configure it properly once.
In most simple use cases Caddy defaults to a file called Caddyfile. It can reload on changes, or can be configured through an HTTP API for zero downtime, but this is out of our current scope.
@ -73,17 +73,17 @@ example.org {
# The actual proxy configuration to port 8080 (unless you've chosen another port number)
reverse_proxy * http://127.0.0.1:8080 {
# Flush immediatly, to prevent buffered response to the client
# Flush immediately, to prevent buffered response to the client
flush_interval -1
}
}
```
By default, caddy sets `X-Forwarded-For` in forwarded requests. To make this and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../../api/ratelimiting.md) and [general configuration](../../configuration/general.md) docs
By default, caddy sets `X-Forwarded-For` in forwarded requests. To make this and rate-limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../../api/ratelimiting.md) and [general configuration](../../configuration/general.md) docs
For advanced configuration check the [reverse_proxy directive](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) at the Caddy documentation.
For advanced configuration, check the [reverse_proxy directive](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) at the Caddy documentation.
Now check for configuration errors.
Now, check for configuration errors.
```bash
sudo caddy validate
@ -105,4 +105,4 @@ sudo systemctl start gotosocial
## Results
You should now be able to open the splash page for your instance in your web browser, and will see that it runs under HTTPS!
You should now be able to open the splash page for your instance in your web browser and will see that it runs under HTTPS!