cross-posted from: https://indie-ver.se/post/20213
Hi again!
I am trying to improve the security for my website, but I am unsure of which paths federation and API traffic hits, and which paths should be exempt from e.g. Javascript challenges? Could somebody give me some insight into this?
You must log in or # to comment.
Basically the only thing you want to present with a challenge is the paths/virtual hosts for the web frontends.
Anything
/api/v3/is client-to-server API (i.e. how your client talk to your instance) and needs to be obstruction-free. Otherwise, clients/apps won’t be able to use the API. Same for/pictrssince that proxies through Lemmy and is a de-facto API endpoint (even though it’s a separate component).Federation traffic also needs to be exempt, but it’s not based on routes but by the HTTP
Acceptrequest header and request method.Looking at the Nginx proxy config, there’s this mapping which tells Nginx how to route inbound requests:
nginx_internal.conf: https://raw.githubusercontent.com/LemmyNet/lemmy-ansible/main/templates/nginx_internal.conf
map "$request_method:$http_accept" $proxpass { # If no explicit matches exists below, send traffic to lemmy-ui default "http://lemmy-ui:1234/"; # GET/HEAD requests that accepts ActivityPub or Linked Data JSON should go to lemmy. # # These requests are used by Mastodon and other fediverse instances to look up profile information, # discover site information and so on. "~^(?:GET|HEAD):.*?application\/(?:activity|ld)\+json" "http://lemmy:8536/"; # All non-GET/HEAD requests should go to lemmy # # Rather than calling out POST, PUT, DELETE, PATCH, CONNECT and all the verbs manually # we simply negate the GET|HEAD pattern from above and accept all possibly $http_accept values "~^(?!(GET|HEAD)).*:" "http://lemmy:8536/";This is very useful. Thanks!
