Pleroma proxy setup
Are you in the right place?
- If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. I have tried asking on Reddit: https://www.reddit.com/r/nginxproxymanager/comments/qlaam6/ However, I have received no answer as of yet. I replaced the
Checklist
- Have you pulled and found the error with the jc21/nginx-proxy-manager:latest docker image? - Yes
- Are you sure you’re not using someone else’s docker image?
- Yes
- Have you searched for similar issues (both open and closed)?
- Yes
Describe the bug
Hello there!
I have recently installed Pleroma on my Raspberry Pi and have now used a different Raspberry Pi to reverse proxy it using the Reverse Proxy Manager. However, the actual setup requires a much more complex and different setup than what the Nginx Reverse Proxy Manager can deliver via the user interface. I began using the reverse proxy manager because back then I didn’t understand anything about hosting and nginx; nowadays, I understand quite a bit, at least enough to be able to ssh into the server and edit a config file myself. Is there any way to do that with the Nginx Reverse Proxy Manager?
This is my complex Nginx setup that I need:
# default nginx site config for Pleroma
#
# Simple installation instructions:
# 1. Install your TLS certificate, possibly using Let's Encrypt.
# 2. Replace 'example.tld' with your instance's domain wherever it appears.
# 3. Copy this file to /etc/nginx/sites-available/ and then add a symlink to it
#    in /etc/nginx/sites-enabled/ and run 'nginx -s reload' or restart nginx.

proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cache:10m max_size=10g inactive=720m use_temp_path=off;

# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
# and `localhost.` resolves to [::0] on some systems: see issue #930
upstream phoenix {
    server 192.168.178.113:5000 max_fails=5 fail_timeout=60s;
}

server {
    server_name social.uden.ai;

    listen 80;
    listen [::]:80;

    # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
    # that the directory exists and that it is accessible by the webserver. If you followed
    # the guide, you already ran 'mkdir -p /var/lib/letsencrypt' to create the folder.
    # You may need to load this file with the ssl server block commented out, run certbot
    # to get the certificate, and then uncomment it.
    #
    # location ~ /\.well-known/acme-challenge {
    #     root /var/lib/letsencrypt/;
    # }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# Enable SSL session caching for improved performance
ssl_session_cache shared:ssl_session_cache:10m;

server {
    server_name social.uden.ai;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_trusted_certificate /etc/letsencrypt/live/example.tld/chain.pem;
    ssl_certificate /etc/letsencrypt/live/example.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.tld/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers off;
    # In case of an old server with an OpenSSL version of 1.0.2 or below,
    # leave only prime256v1 or comment out the following line.
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_stapling on;
    ssl_stapling_verify on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;
    ignore_invalid_headers off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://phoenix;
    }

    location ~ ^/(media|proxy) {
        proxy_cache pleroma_media_cache;
        slice 1m;
        proxy_cache_key $host$uri$is_args$args$slice_range;
        proxy_set_header Range $slice_range;
        proxy_cache_valid 200 206 301 304 1h;
        proxy_cache_lock on;
        proxy_ignore_client_abort on;
        proxy_buffering on;
        chunked_transfer_encoding on;
        proxy_pass http://phoenix;
    }
}
I like the fact that Nginx takes care of my SSL certificates. I like the fact that it “blocks common exploits” or “caches assets” however, I would really like for my service to work and this is the setup it will need for that.
This is what the file (in nginx/data/nginx/proxy_host/28.conf) looks like:
# ------------------------------------------------------------
# social.uden.ai
# ------------------------------------------------------------
server {
    set $forward_scheme http;
    set $server "192.168.178.113";
    set $port 5000;

    listen 80;
    listen [::]:80;

    listen 443 ssl http2;
    listen [::]:443;

    server_name social.uden.ai;

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-73/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-73/privkey.pem;

    # Asset Caching
    include conf.d/include/assets.conf;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    access_log /data/logs/proxy_host-28.log proxy;

    location /api/fedsocket/v1 {
        proxy_request_buffering off;
        proxy_pass http://192.168.178.113:5000/api/fedsocket/v1;
    }

    location / {
        proxy_pass http://192.168.178.113:5000;
    }

    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}
This is what I added myself through the interface.

    location /api/fedsocket/v1 {
        proxy_request_buffering off;
        proxy_pass http://192.168.178.113:5000/api/fedsocket/v1;
    }

    location / {
        proxy_pass http://192.168.178.113:5000;
    }
It made some of the important features work, but sadly not the most important.
Obviously I could replace the SSL section with the one provided by the Nginx reverse proxy manager, right?
Please help me! You are my only hope. Any comment, question or help is appreciated!
Nginx Proxy Manager Version v2.8.1
To Reproduce
Steps to reproduce the behavior:
- SSH into your host machine
- From wherever you installed nginx, go to /nginx/data/nginx/proxy_host
- Go to the newest config file, or create a new one
- Paste the configuration that I’ve specified above
- See error
Expected behavior
It should work and reverse proxy my Pleroma instance.
Operating System
I am on arm64 on my Raspberry Pi 4b 4GB.
Additional context
I just need the exact configuration specified here: https://docs-develop.pleroma.social/backend/installation/otp_en/#edit-the-nginx-config to work on my system. However, Pleroma isn’t hosted on the same Raspberry Pi as the Nginx Reverse Proxy Manager, so it needs some edits (localhost needs to be changed to an IP address, etc.).
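Before pasting a hand-written server block into a proxy-host file, it is worth checking it the way a reviewer would. The following is an added example for this page, not code from the issue, from Nginx Proxy Manager or from Pleroma: a small Python linter over a server block shaped like the generated 28.conf quoted above. It flags a 443 listener that carries no `ssl` parameter (the generated file's `listen [::]:443;` line has none, so IPv6 clients on port 443 get plaintext HTTP rather than TLS), port 80 served without a redirect to HTTPS, a plain-http hop to a backend that is not loopback (the proxy-to-Pleroma leg crosses the LAN unencrypted), and a `proxy_pass` with no `X-Forwarded-For` header (Pleroma would then see only the proxy's address). The sample config is constructed inline so the script runs offline; the include names `force-ssl.conf` and `proxy.conf` are assumed to be NPM's "Force SSL" and proxy-header snippets.

```python
"""Lint an nginx server block of the kind Nginx Proxy Manager writes to
/data/nginx/proxy_host/<id>.conf.  Added example for this page, not NPM
or Pleroma code.  SAMPLE_CONF is a constructed copy of the generated
28.conf quoted in the issue, embedded so the script runs offline."""
import re

SAMPLE_CONF = """
# constructed sample, mirrors the generated file shown in the issue
server {
  set $forward_scheme http;
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443;
  server_name social.uden.ai;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-73/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-73/privkey.pem;
  location / {
    proxy_pass http://192.168.178.113:5000;
  }
}
"""


def directives(conf):
    """Return (name, args) for each ';'-terminated directive.
    Comments are dropped and braces ignored, so block nesting is flattened;
    that is enough for checks that apply to the whole server block."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    out = []
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            out.append((parts[0], parts[1:]))
    return out


def port_of(listen_arg):
    """'443', '[::]:443', '0.0.0.0:80' -> the port string."""
    return listen_arg.rsplit(":", 1)[-1]


def lint(conf):
    """Return a list of human-readable findings; an empty list means clean."""
    ds = directives(conf)
    findings = []

    # 1. Every listener on 443 must carry 'ssl'; without it nginx answers
    #    plaintext HTTP on that socket, and an IPv6-only gap is easy to miss.
    for name, args in ds:
        if name == "listen" and args and port_of(args[0]) == "443" and "ssl" not in args:
            findings.append(f"listen {args[0]}: port 443 without 'ssl' serves plaintext HTTP")

    # 2. If port 80 is open there should be an HTTP->HTTPS redirect: either an
    #    explicit 'return 301 https://...' or the include NPM's 'Force SSL'
    #    option adds (assumed to be named force-ssl.conf).
    has_80 = any(n == "listen" and a and port_of(a[0]) == "80" for n, a in ds)
    redirect = any(
        (n == "return" and a[:1] == ["301"] and a[1:2] and a[1].startswith("https://"))
        or (n == "include" and a and a[0].endswith("force-ssl.conf"))
        for n, a in ds)
    if has_80 and not redirect:
        findings.append("port 80 is served without an HTTP->HTTPS redirect")

    # 3. A plain-http proxy_pass to a non-loopback host leaves the box
    #    unencrypted; acceptable on a trusted LAN, but it should be a choice.
    for n, a in ds:
        if n == "proxy_pass" and a and a[0].startswith("http://"):
            host = a[0][len("http://"):].split("/")[0].rsplit(":", 1)[0]
            if host not in ("127.0.0.1", "localhost", "[::1]"):
                findings.append(f"proxy_pass {a[0]}: unencrypted hop to backend {host}")

    # 4. The backend needs the real client address for logging and rate
    #    limiting.  NPM's proxy.conf include is assumed to set the header.
    fwd = any(n == "proxy_set_header" and a[:1] == ["X-Forwarded-For"] for n, a in ds) \
        or any(n == "include" and a and a[0].endswith("proxy.conf") for n, a in ds)
    if any(n == "proxy_pass" for n, _ in ds) and not fwd:
        findings.append("proxy_pass without X-Forwarded-For: backend sees only the proxy's IP")

    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("finding:", finding)
```

Run against the constructed sample it reports all four findings; against a block where both 443 listeners carry `ssl`, the backend is loopback and `X-Forwarded-For` is set, it reports none. The parser deliberately flattens nesting, so it cannot tell which `location` a directive sits in; that is fine for these server-wide checks but not for anything per-location.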
Issue Analytics
- Created 2 years ago
- Comments: 9
Thank you all for this discussion, it was very helpful. 1 additional note on something that took me a while to figure out: I had to change the configuration on Pleroma so it would allow an IP address other than 127.0.0.1 to connect to it. https://docs.pleroma.social/backend/configuration/cheatsheet/#pleromawebendpoint I had to change the ip and then restart Pleroma.

Great to hear everything works! You don’t actually need the upstream phoenix part. If you have set the host configuration on the main config page to use 192.168.178.113 and port 500, the location / is automatically generated for you. No need for the upstream section. I’m not sure why you’d think it would stop enforcing https; if you enable HSTS you should be absolutely fine.