PSA: You CAN'T use bunny.net as DDoS protection for Mastodon/Fediverse servers.

Their reverse proxy implementation quietly breaks Mastodon request signing, and support just got back to me and said it's intentional and they won't fix it.

https://github.com/mastodon/mastodon/issues/38119

I'm disappointed.

@lina Field names are case-insensitive, and RFC 9110 allows a proxy to transform the message as long as its semantic meaning is unchanged.

So to me what they're doing is legal and reasonable.

Seems to me that Mastodon should be normalizing (including ordering, for example) before signing and before validating.

@ktims

It's not modifying the field name. It's modifying the field value (adding a space). The name being lowercased is fine (that's just an HTTP/2 thing AIUI).

The ActivityPub spec is here:

https://swicg.github.io/activitypub-http-signature/

And it references:

https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12

And that explicitly calls out proxies, but does not call out any specific headers that are problematic.

Unfortunately, since the servers that do the signing are the remote servers, this is not going to be fixed across the ecosystem any time soon. So regardless of who is "wrong" here, the status quo is Bunny is not usable for this purpose.

Ordering is already normalized and only a subset of headers are signed. The problem here is a header value is being modified.

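To make the distinction in the thread concrete, here is an added example (not code from the thread, from Mastodon, or from bunny.net) that builds and checks a draft-cavage-12 signature the way the linked spec describes: the `headers=` parameter of the Signature header fixes which fields are covered and in what order, names are lowercased, and leading/trailing whitespace in a value is dropped, but nothing else in the value is normalized. It then runs the same signed request through three constructed proxy transforms. The key, header values, body, key id and the transforms are all assumptions for illustration; Mastodon actually uses rsa-sha256 with the actor's RSA key, and hmac-sha256 (also listed in the draft) is used here only so the block runs with the standard library. Note the caveat the draft's own rules give you: whitespace added at the edges of a value is harmless, whitespace added inside a value is not.

```python
import base64
import hashlib
import hmac

# Constructed shared key (assumption). Mastodon signs with an RSA private key
# (rsa-sha256); hmac-sha256 is also a draft-cavage-12 algorithm and keeps this
# example self-contained.
SHARED_KEY = b"constructed-example-key-not-real"


def signing_string(method, target, headers, signed_names):
    """Build the draft-cavage-12 signing string for one request.

    headers:      (name, value) pairs as they arrived on the wire, in whatever
                  case and order the sender or an intermediary used
    signed_names: ordered lowercase names from the Signature header's
                  headers="..." parameter; this fixes the order, so reordering
                  on the wire cannot break verification
    """
    by_name = {}
    for name, value in headers:
        # Names are case-insensitive; leading/trailing OWS in a value MUST be
        # omitted (draft-cavage-12, section 2.3). Nothing inside the value is
        # touched, so any other byte an intermediary changes breaks the MAC.
        by_name.setdefault(name.lower(), []).append(value.strip())

    lines = []
    for name in signed_names:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {target}")
        elif name in by_name:
            # Repeated fields are joined with ", " per the draft.
            lines.append(f"{name}: {', '.join(by_name[name])}")
        else:
            raise KeyError(f"signed header {name!r} missing from request")
    return "\n".join(lines)


def sign_request(method, target, headers, signed_names, key_id):
    """Sending (remote) server side: return the Signature header value."""
    data = signing_string(method, target, headers, signed_names).encode()
    mac = hmac.new(SHARED_KEY, data, hashlib.sha256).digest()
    return ",".join([
        f'keyId="{key_id}"',
        'algorithm="hmac-sha256"',
        f'headers="{" ".join(signed_names)}"',
        f'signature="{base64.b64encode(mac).decode()}"',
    ])


def parse_signature(value):
    """Split k="v",k="v" into a dict; partition on the first '=' keeps base64 padding."""
    params = {}
    for part in value.split(","):
        key, _, val = part.partition("=")
        params[key.strip()] = val.strip().strip('"')
    return params


def verify_request(method, target, headers, signature_header):
    """Receiving server side: recompute from what actually arrived and compare."""
    params = parse_signature(signature_header)
    try:
        data = signing_string(method, target, headers, params["headers"].split()).encode()
    except KeyError:
        return False
    expected = hmac.new(SHARED_KEY, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, base64.b64decode(params["signature"]))


# Constructed inbox POST (assumption: these values are not from any real server).
BODY = b'{"type":"Follow","actor":"https://remote.example/users/alice"}'
ORIGINAL_HEADERS = [
    ("Host", "example.social"),
    ("Date", "Tue, 01 Jan 2030 00:00:00 GMT"),
    ("Digest", "SHA-256=" + base64.b64encode(hashlib.sha256(BODY).digest()).decode()),
    ("Content-Type", 'application/ld+json;profile="https://www.w3.org/ns/activitystreams"'),
]
SIGNED_NAMES = ["(request-target)", "host", "date", "digest", "content-type"]
SIGNATURE = sign_request("POST", "/inbox", ORIGINAL_HEADERS, SIGNED_NAMES,
                         "https://remote.example/users/alice#main-key")


# Three constructed intermediary behaviours, each semantically neutral for HTTP.
def lowercase_and_reorder(headers):
    """HTTP/2-style lowercase names, fields reordered."""
    return [(n.lower(), v) for n, v in reversed(headers)]


def pad_values(headers):
    """Leading and trailing whitespace added around every value."""
    return [(n, f"  {v} ") for n, v in headers]


def respace_inside_value(headers):
    """A space inserted after ';' inside Content-Type: bytes inside the value change."""
    return [(n, v.replace(";", "; ") if n.lower() == "content-type" else v)
            for n, v in headers]


def verify_through(proxy):
    """Verify the original signature against the headers the proxy hands over."""
    return verify_request("POST", "/inbox", proxy(ORIGINAL_HEADERS), SIGNATURE)


if __name__ == "__main__":
    for name, proxy in [("untouched", lambda h: h),
                        ("lowercase+reorder", lowercase_and_reorder),
                        ("pad values", pad_values),
                        ("space inside value", respace_inside_value)]:
        print(f"{name:20s} verifies: {verify_through(proxy)}")
```

The first three cases verify; only the last fails, because the receiving server can only hash the bytes it was handed and has no way to know which internal whitespace the sender had. That is also why, as the thread says, ordering and name case are not the problem and changing the value is.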

@lina You're totally right, my bad. I misread the report and thought it was calling out their normalization to lowercase names. Modifying the value is not acceptable.

I was trying to figure out if I was hitting this, because I'm pretty sure Caddy also normalizes to lowercase header names.

@ktims Yeah sorry, edited the comment to explicitly mention that. It's confusing.