• 1 Post
  • 4 Comments
Joined 1 year ago
cake
Cake day: June 10th, 2023

help-circle


  • Shouldn’t be any risk if it’s all local.

    For an internal domain you’ll need to set up your own internal CA to sign certs for your fqdns. The risk comes from any mishandling of that new CA since you’ll need to install it as a trusted root on all of your devices and if someone gets a hold of it nothing would stop them from creating a MITM attack for let’s say yourbank.com

    If you have the CA’s key under lock then you should be good.


  • Funny enough I already made a few changes to the traefik configs, I saw someone else’s post and if it’s safe to assume that any request with Accept header starting with application/ should be routed to the Lemmy server, the following would work as well:

    - traefik.http.routers.leddit-api.rule=Host(`leddit.social`) && (PathPrefix(`/api`, `/pictrs`, `/feeds`, `/nodeinfo`, `/.well-known`) || Method(`POST`) || HeadersRegexp(`Accept`, `^[Aa]pplication/.+`))
    

    I’ve also added caching policies to make sure none of the API responses are cached and having the UI be cached explicitly since it’s not done today.

    services:
      lemmy-server:
        deploy:
          labels:
            - traefik.http.routers.leddit-api.middlewares=no-cache
            - traefik.http.middlewares.no-cache.headers.customresponseheaders.Cache-Control=no-store
    ...
      lemmy-ui:
        deploy:
          labels:
            - traefik.http.routers.leddit-web.middlewares=cache-control
            - traefik.http.middlewares.cache-control.headers.customresponseheaders.Cache-Control=public, max-age=86400