| index.mjs | ||
| package.json | ||
| README.md | ||
fedifetch-filter
this program is a simple blocklist-based filter for signed HTTP requests, primarily intended to be used as a mechanism to prevent remote fedi servers from fetching your posts, while still allowing you to see theirs and interact with them.
upon receiving a request, it will look for a Signature header, and if one is present it will check the domain of the claimed identity against the blocklist (the signature is not checked), and if a match is found the request is rejected with error 403 Forbidden. in all other cases it will return error 421 Misdirected Request. the program is not a reverse-proxy.
deployment
daemon
the program operates as a daemon with a http/1.1 server listener. to run it,
invoke Node.JS (node) with the path to a checkout of this repository as the
first argument, the port number of the http listener as the second argument,
and IP address as the third one. as there are no dependencies no npm
invocations are necessary. example:
node . 23030 127.0.0.1
the IP address argument may be omitted, in which case the program will listen on all interfaces (which you probably don't want so don't omit the IP address argument unless you want this).
in the checkout of this directory, at the top-level, create a file named
blocklist.txt. the file is a list of domains, one or less per line,
optionally succeeded or preceeded by whitespace, which includes spaces, tabs as
well as comments started with #. every domain in the list as well as all of
its subdomains will be blocked by the program.
web gateway setup
this program filters requests in a manner similar to
sigmawall or
iocaine
(web gateway passes client request to the program first, treats status code 421
as a signal to forward the request to the upstream, while returning any other
status from the program as-is), as such the setup is similar. the intended way
to set this up is to set the web gateway to filter requests to the endpoints
that can be used by fedi servers to fetch posts from your fedi instance. as
such, an example nginx configuration with Akkoma is going to look like the
addition of this code to the server block that serves Akkoma in the nginx
config:
location /objects/ {
proxy_pass http://127.0.0.1:23030;
proxy_intercept_errors on;
error_page 421 = @akkobj;
}
location @akkobj {
proxy_pass http://phoenix;
}
(assuming that this program is ran with the arguments 23030 127.0.0.1, and
phoenix is Akkoma). Enabling authenticated fetch mode on your fedi instance
is strongly recommended.