Last night I moved my #GoToSocial server into the homelab from a test VPS I had it on. I thought things were going well, but then I quickly got rate limiting errors.
I use a VPS in the cloud to get a static IP to be able to proxy into my small #homelab.
For users who cannot or will not get an ISP that gets them a static IP at home, I think it is one of the best and most reliable solutions out there.
But I don't want to pay much for it so I am using a cheap VPS from a vendor that I don't trust all that much, which means I don't want to terminate TLS there and have all of my traffic run through that VPS unencrypted.
So that host only runs nginx and nothing else and I just stream TCP back over wireguard to my homelab where TLS is terminated on a local VM and then routed on from there.
This is all fine and good except that all IP addresses were getting masked as my VPS IP which meant that I was getting rate limited by the reasonable but somewhat conservative GtS ruleset.
Stream mode doesn't carry headers containing the chain of IP addresses that ferried your data to the ingress VM in your homelab, so proxy_set_header X-Forwarded-For $remote_addr; won't do you much good if $remote_addr is just the IP of your VPS and nothing else.
To fix this you need to swap to a more capable protocol.
The steps are pretty straightforward going from nginx to nginx: enable proxy_protocol on the bastion host, and then add proxy_protocol as a parameter to the listen directive on the internal VM.
For the final touch, add proxy_set_header X-Forwarded-For $proxy_protocol_addr; to your internal VM, and then GoToSocial will start to log the actual external IP addresses and can rate limit appropriately.
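Putting the three steps together, here is an added example of the two nginx configs (not copied from my actual setup): the WireGuard addresses 10.0.0.1 (VPS) and 10.0.0.2 (internal VM), the hostname, certificate paths and the GoToSocial listen port are all assumed. It goes slightly beyond the steps above by binding the PROXY-protocol listener to the WireGuard address only and by telling the realip module to trust the header solely from the VPS peer, so nothing else that can reach the VM is able to hand it a forged client address.

```nginx
# Bastion VPS (stream context): forward raw TCP over WireGuard and prepend a
# PROXY protocol header carrying the real client address. No TLS keys live here.
stream {
    upstream homelab_tls {
        server 10.0.0.2:443;   # internal VM, WireGuard address (assumed)
    }

    server {
        listen 443;
        proxy_pass homelab_tls;
        # Emit the PROXY protocol header so the upstream learns the client IP.
        proxy_protocol on;
    }
}

# Internal VM (http context): terminate TLS, accept PROXY protocol only on the
# WireGuard address, and pass the client IP on to GoToSocial.
http {
    # Trust the PROXY header only when it arrives from the VPS's WireGuard peer
    # (assumed 10.0.0.1). This also rewrites $remote_addr, so access logs and
    # any allow/deny rules see the real client instead of the tunnel address.
    set_real_ip_from 10.0.0.1;
    real_ip_header proxy_protocol;

    server {
        # Binding to the tunnel address means no other host can inject a PROXY header.
        listen 10.0.0.2:443 ssl proxy_protocol;
        server_name social.example.org;            # placeholder hostname
        ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder paths
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        location / {
            proxy_pass http://127.0.0.1:8080;      # GoToSocial listen address (assumed)
            proxy_set_header Host $host;
            # The client address parsed from the PROXY header, not the VPS IP.
            proxy_set_header X-Forwarded-For $proxy_protocol_addr;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

After reloading both sides, the access log on the internal VM should show the external client addresses; if it still shows 10.0.0.1, the bastion's stream block is missing proxy_protocol on or the listen directive is missing the proxy_protocol parameter.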