Find a file
2026-06-28 18:30:36 +02:00
index.mjs sussy 2026-06-28 09:12:35 +02:00
package.json sussy 2026-06-28 09:12:35 +02:00
README.md more words 2026-06-28 18:30:36 +02:00

fedifetch-filter

this program is a simple blocklist-based filter for signed HTTP requests, primarily intended to be used as a mechanism to prevent remote fedi servers from fetching your posts, while still allowing you to see theirs and interact with them.

upon receiving a request, it will look for a Signature header, and if one is present it will check the domain of the claimed identity against the blocklist (the signature is not checked), and if a match is found the request is rejected with error 403 Forbidden. in all other cases it will return error 421 Misdirected Request. the program is not a reverse-proxy.

deployment

daemon

the program operates as a daemon with a http/1.1 server listener. to run it, invoke Node.JS (node) with the path to a checkout of this repository as the first argument, the port number of the http listener as the second argument, and IP address as the third one. as there are no dependencies no npm invocations are necessary. example:

node . 23030 127.0.0.1

the IP address argument may be omitted, in which case the program will listen on all interfaces (which you probably don't want so don't omit the IP address argument unless you want this).

in the checkout of this directory, at the top-level, create a file named blocklist.txt. the file is a list of domains, one or less per line, optionally succeeded or preceeded by whitespace, which includes spaces, tabs as well as comments started with #. every domain in the list as well as all of its subdomains will be blocked by the program.

web gateway setup

this program filters requests in a manner similar to sigmawall or iocaine (web gateway passes client request to the program first, treats status code 421 as a signal to forward the request to the upstream, while returning any other status from the program as-is), as such the setup is similar. the intended way to set this up is to set the web gateway to filter requests to the endpoints that can be used by fedi servers to fetch posts from your fedi instance. as such, an example nginx configuration with Akkoma is going to look like the addition of this code to the server block that serves Akkoma in the nginx config:

location /objects/ {
	proxy_pass http://127.0.0.1:23030;
	proxy_intercept_errors on;
	error_page 421 = @akkobj;
}

location @akkobj {
	proxy_pass http://phoenix;
}

(assuming that this program is ran with the arguments 23030 127.0.0.1, and phoenix is Akkoma). Enabling authenticated fetch mode on your fedi instance is strongly recommended.