Dear fellow or potential fellow gotosocial instance admins,
I've come up with a novel way to set up a #gotosocial server behind a reverse proxy, which avoids both making new firewalling rules on a VPS and creating port forwarding on one's home router. This method is ideal for minimizing the cost of running one's own #ActivityPub/#Mastodon server, in a way that leverages inexpensive fast storage on the backend (say, on a #RaspberryPi 5, 2GB of RAM, with an NVMe). As many valiant and praiseworthy Mastodon server admins might attest, renting cloud VPSes can cost a lot, especially when storing many tens or hundreds of GB of user data.
My method avoids the need for forwarding ports 443 and 80 into one's home LAN, using DNAT (on the VPS) and port forwarding (on one's home router). In a nutshell, it's a novel use of #Wireguard, in conjunction with #nginx on the frontend, and gotosocial on the backend. This can save the cost of renting a dedicated VPS, to get the exclusive use of ports 443 and 80, in conjunction with static IPv4 and IPv6 addresses. My method optimizes on reliability and cheapness, but it's not the most secure - decryption and re-encryption happen on the VPS, before the data travels down the Wireguard tunnel. This exposes the data to any underlying hypervisor at one's hosting company. So full disclosure there.
I've run my method by the helpful gotosocial furries in their #Matrix Help chatroom (and I'm grateful for their help to debug subtle warts the method had), and got their blessing, at least as to the technical soundness of the method.
I have a testing instance of gotosocial 0.21.0 set up with this new method: https://g.toque.im
I'm the user @owlG Toque, the Owl on that instance, should you wish to befriend me there.
I'll make a longer blog post on this in the days to come, and post it in a reply to this post. (This is a cross-post of the original:)
https://autistics.life/@d1/116142628225937092
#DevOps #Linux #infosec #SelfHosting #DataSovereignty #OpenSource
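
A sketch of the front-end half of the topology described above, added here as an example and not taken from the original post, whose actual configuration is not shown. The hostname, tunnel addresses, backend port and certificate paths are all assumptions or placeholders.

```nginx
# Constructed example for nginx on the VPS. Assumed values: hostname
# gts.example.org, WireGuard tunnel addresses 10.8.0.1 (VPS) and 10.8.0.2
# (home server), GoToSocial listening on port 8080 on the home server.
#
# WireGuard side (assumption): the home server dials out to the VPS and
# sets PersistentKeepalive, so the home router needs no inbound forward.

upstream gotosocial_backend {
    server 10.8.0.2:8080;            # home server, reached only via the tunnel
}

server {
    listen 80;
    listen [::]:80;
    server_name gts.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name gts.example.org;

    # Placeholder paths; the private key lives on the VPS in this design.
    ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/privkey.pem;

    client_max_body_size 40M;        # allow media uploads

    location / {
        # TLS ends here: requests are plaintext inside nginx on the VPS,
        # then WireGuard encrypts them again for the hop to the backend.
        proxy_pass http://gotosocial_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade for streaming connections
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

On the backend, GoToSocial's `bind-address` can be set to the tunnel address so the service is reachable only through WireGuard, and `trusted-proxies` should include the VPS's tunnel address so client IPs are taken from `X-Forwarded-For`.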
