this post was submitted on 11 Jul 2023
26 points (90.6% liked)

Selfhosted

40183 readers
579 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I want to self-host lemmy and participate in federation. However, I wonder whether it's possible to have a setup where only I, and trusted users, are allowed to browse federated-content.

Basically, guests should not be allowed to use my instance to browse other federated content. So requests to "mydomain.tld/c/whatever@otherdomain.tld" should not be possible. Only users, logged-in on my instance, should be able to do that.

Despite that, guests should be allowed to see posts of communities posted on my instance, and users of other instances should be allowed to comment.

I know I can choose with which other instances mine should link with, but this would make the experience inconvenient to me. Because then I would need to adjust the config if I want to subscribe to a community on an instance I have not yet linked with.

Is such setup possible? Could not find the answer in the docs unfortunately

The only thing I can think of is something like blocking UI requests, and allow them only from localhost (so I would create a "ssh -L" tunnel on the server). Federation API endpoints would not be blocked. But this seems shaky, does Lemmy support a cleaner, built-in solution?

you are viewing a single comment's thread
view the rest of the comments
[–] qazwsxedcrfv000@lemmy.unknownsys.com 7 points 1 year ago* (last edited 1 year ago) (8 children)

The simplest way is to add a Basic auth to the lemmy-ui, say via the reverse proxy.

[–] macgyver@federation.red 1 points 1 year ago (3 children)

Not OP, but I do feel dumb for not thinking of that assuming it would defederate me. Oh well, got a cool domain out of it

[–] qazwsxedcrfv000@lemmy.unknownsys.com 5 points 1 year ago* (last edited 1 year ago) (1 children)

It would not affect federation as the endpoints are still open. But a word of caution. This only protects the lemmy-ui from being accessed without the basic auth credentials. If someone tries to access your instance via API, it will still work.

[–] raphael@lemmy.mararead.com 2 points 1 year ago

You could also route any calls to /api through authentication. However I am not sure if that can cause any problems. Is there a list of endpoints that need to be reachable for federation to work?

load more comments (1 replies)
load more comments (5 replies)