dimkr / tootik

A federated nanoblogging service with a Gemini frontend.
gemini://hd.206267.xyz
Apache License 2.0

Run alongside another HTTPS server? #44

Closed oschettler closed 4 months ago

oschettler commented 5 months ago

Hi, I have set up tootik on my home server. However, there already is an NGINX running on port 443. I have tried to set up tootik with -addr 8443.

curl -v https://schettler.net:8443 returns plausible communication with a "location: gemini://schettler.net" in the end. However, Firefox complains that the connection is not encrypted. Maybe I have messed up the Letsencrypt certificates?

I can access the Gemini interface and follow some people. However, I never receive any posts by them. I am not sure if the two problems are related.

What would be a recommended setup to run tootik alongside an existing HTTPS server?

dimkr commented 5 months ago

However, Firefox complains that the connection is not encrypted. Maybe I have messed up the Letsencrypt certificates?

Maybe something is wrong with your Firefox, because it works fine with mine (the browser shows an "open gemini:// URL with ..." dialog).

I can access the Gemini interface and follow some people. However, I never receive any posts by them. I am not sure if the two problems are related.

Probably not, gemini://schettler.net/stats says:

## Failed Outgoing Post Deliveries Per Day

2024-02-06 00:00 ████████ 21

You'll need to look at the logs to find the errors, maybe something like:

journalctl -u tootik -S '24 hours ago' | cut -f 4- -d : | grep '^ {' | grep \"error\": | jq .error | sort | uniq -c | sort -n 

Make sure you wait some time after installation if this is a new server: DNS records may not have propagated yet, so other servers can't initiate outgoing requests to your server and can't validate your server's outgoing requests (they fail to fetch your user's key).

If you're unsure, follow the setup guide (https://github.com/dimkr/tootik/wiki/Quick-setup-guide) step by step: get federation to work in both directions, then proceed to persistent installation of tootik.

What would be a recommended setup to run tootik alongside an existing HTTPS server?

Two options:

  1. Set up a subdomain that points to the same server, run tootik with -addr 8080 -plain and make your existing web server reverse proxy requests to this subdomain to 127.0.0.1:8080, or
  2. Exactly as you did - specify -addr and make tootik listen on a port other than the one used by your existing web server

It should work just fine, but in general I wouldn't recommend putting tootik on the same machine as something else, just in case fedi spam causes unexpected load or your server's IP gets blacklisted due to spam and offensive posts that reach your instance.

dimkr commented 5 months ago

Forgot to mention: if you run tootik with -port 8443 and that's the port other servers use to talk to your instance (i.e. you don't have a reverse proxy from 443 to 8443), you must also pass -domain schettler.net:8443 instead of -domain schettler.net.

dimkr commented 5 months ago

@oschettler ping

oschettler commented 5 months ago

Hi & thank you for your detailed answer. I have since completely removed the database and set up a subdomain social.schettler.net with the following command line in /etc/systemd/system/tootik.service:

ExecStart=/usr/local/bin/tootik -domain social.schettler.net -addr :9876 -plain -gemaddr :1965 -gopheraddr :70 -fingeraddr :79 -blocklist /opt/tootik/etc/gardenfence-mastodon.csv -closed -cert /opt/tootik/etc/https-cert.pem -key /opt/tootik/etc/https-key.pem -gemcert /opt/tootik/etc/gemini-cert.pem -gemkey /opt/tootik/etc/gemini-key.pem -db /opt/tootik/data/db.sqlite3

In addition, I have configured a virtual server in NGINX to proxy from https://social.schettler.net to localhost:9876

Unfortunately, although I have followed several users, "My radio" remains empty.

I don't want to bother you with my particular setup. I understand that it may not be a good idea to run tootik alongside other services. However, I haven't made up my mind to acquire a separate server yet.

dimkr commented 5 months ago

@oschettler The stats page looks much better now. Can you share the logs?

oschettler commented 5 months ago

@oschettler The stats page looks much better now. Can you share the logs?

Thank you for your persistence :) Here is the unfiltered log. There are some entries with "msg":"Failed to receive request","error":"EOF"

tootik.log

dimkr commented 5 months ago

Log looks good, no errors but I also see very little activity (very few incoming requests). Are you sure that users you follow posted anything after you started following them?

In addition, check if your server is able to send outgoing requests, because I'm getting 401s from https://social.schettler.net/inbox/olav. ~It probably~ Maybe it fails to fetch https://hd.206267.xyz/user/dimkr to verify my key, then denies incoming requests.

This can also happen if your proxy is not configured to pass headers to tootik, specifically the Signature header.

There are some entries with "msg":"Failed to receive request","error":"EOF"

This is harmless and normal; it is usually the result of port scanning of public IPv4 addresses.

dimkr commented 5 months ago

@oschettler Please check if your proxy passes Signature to tootik.
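For reference, here is an NGINX server block for option 1 in the thread (tootik started with -plain behind a TLS-terminating reverse proxy on 443), written so that the headers tootik's signature verification depends on reach it. This is an added example, not configuration from the tootik project or from either participant; the hostname social.example.org, the port 9876 and the certificate paths are placeholders, and the assumption that tootik reads X-Forwarded-For for logging is an assumption, not something the thread confirms.

```nginx
# Added example (not from the tootik project or this thread): NGINX in front of
#   tootik -domain social.example.org -addr :9876 -plain
# Hostname, port and certificate paths below are placeholders.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name social.example.org;

    # Placeholder certificate paths; tootik itself needs no HTTPS cert here,
    # because NGINX terminates TLS and speaks plain HTTP to it.
    ssl_certificate     /etc/letsencrypt/live/social.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/social.example.org/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:9876;

        # Keep the client's Host header. NGINX replaces it with the upstream
        # address by default, and fediverse HTTP signatures typically cover
        # the host, so a rewritten Host makes verification fail (a 401).
        proxy_set_header Host $host;

        # Signature, Date and Digest are ordinary request headers; NGINX
        # forwards them unchanged as long as proxy_pass_request_headers stays
        # at its default (on), so no extra directive is needed for them.

        # Optional: pass the real client address through (assumption: useful
        # for tootik's logs and for spotting abusive peers; not confirmed
        # by the thread).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The point that matters for the 401s discussed above is the Host line: the other signed headers pass through a default NGINX proxy untouched, but Host does not, and since -domain is given without a port in this setup, tootik expects to see the bare subdomain as the host.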