Adding an optional anubis config by dessalines · Pull Request #285 · LemmyNet/lemmy-ansible
github.com
This adds an optional anubis, which stands in front of lemmy-ui only. It doesn't block or impede federation, or apps, only the lemmy-ui front end. I tested this via a fresh server, and it worked.

I’ve recently added anubis to lemmy.ml, and it seems to be working well.

I have a PR to add anubis to lemmy-ansible (our main installation method), and I could use some help tweaking / optimizing its botPolicy.yaml config, for federated services.

Anyone with experience running anubis, this would be much appreciated.

  • julian@activitypub.space
    5·
    1 day ago

    Sure. I have found that the default botPolicy works fine for blocking the AI bots, but blocks federation.

    At the reverse proxy level:

    if ($request_method = POST) {
    proxy_pass http://nodebb/; 
}

    Because Anubis can’t filter by HTTP method, unless I am mistaken. This just broadly allows all incoming activities. If you want to get specific, limit it to your shared inbox or individual user inboxes via regular expression or something. I didn’t find that it was necessary.

    As for botPolicies.yaml

      # Allow /inbox
  - name: allow-ap-headers
    headers_regex:
      Accept: application/ld\+json; profile="https://www.w3.org/ns/activitystreams"
      Accept: application/activity\+json
    action: ALLOW

  - name: allow-assets
    path_regex: /assets
    action: ALLOW

    The former allows those specific AP headers (it is naive, some AP impls. send slight variations of those two headers.

    The latter allows our uploads.

    • Dessalines@lemmy.mlOPEnglish
      4·
      1 day ago

      Lemmy has a separated UI and backend hosted on different ports, so its trivial for us to just only use anubis for the front end. We couldn’t put it in front of everything due to apps also.