Running a Self Hosted Mastodon Instance Through Cloudflare

Migrating Mastodon server to Homelab using Cloudflare Tunnels

I was getting charged around $3 a day to host my mastodon server on Azure. I read up on Cloudflare Tunnels. Here are the benefits:

  • You don’t have to open any inbound ports; you just install a client (cloudflared) on your web server
  • It’s proxied behind Cloudflare, so my home IP isn’t exposed

Steps I followed:

Migrating Mastodon
  • Spin up an Ubuntu Server VM in Proxmox
  • Use this guide to build, but read through this documentation first for important steps.
  • IMPORTANT - Make sure your Mastodon versions match. If they don’t, git checkout the right version. I was running 4.4.7, so I had to run git checkout v4.4.7; you can list the available versions by running git fetch --tags && git tag -l
  • After you install everything, make sure the mastodon user is a member of the www-data group and vice versa.
  • Change the ownership and permissions of the mastodon home folder so www-data can traverse it, by running sudo chown mastodon:www-data /home/mastodon and sudo chmod 0710 -v /home/mastodon
  • If everything went well, you should see an error 400 or 403 when visiting the site locally.
  • Now we need to get Mastodon ready to accept proxied connections from Cloudflare. Add this line at the end of your mastodon user’s ~/.bashrc file:
export TRUSTED_PROXY_IP="103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,127.0.0.1/8,::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7"
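
To see what the TRUSTED_PROXY_IP list actually buys you, here is an added Python sketch (not Mastodon’s code; a simplified, hypothetical reimplementation of the right-to-left X-Forwarded-For walk that the Rails RemoteIp middleware performs) showing which address ends up being treated as the client for rate limiting and logs, and why a header sent by an untrusted peer is ignored. The client addresses used are constructed documentation-range values.

```python
import ipaddress

# Constructed from the TRUSTED_PROXY_IP value above: Cloudflare's published
# ranges plus loopback and private ranges (cloudflared connects from loopback).
TRUSTED_PROXY_IP = ("103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,"
                    "104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,"
                    "162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,"
                    "190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,127.0.0.1/8,"
                    "::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fc00::/7")


def parse_trusted_proxies(value):
    # strict=False because the list contains "127.0.0.1/8", whose host bits
    # are set; ipaddress would reject it otherwise (Ruby's IPAddr masks it).
    return [ipaddress.ip_network(c.strip(), strict=False)
            for c in value.split(",") if c.strip()]


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None  # malformed or empty hop: treat as absent


def is_trusted_proxy(addr, networks):
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in networks)


def real_client_ip(remote_addr, x_forwarded_for, networks):
    """Hypothetical simplification of the RemoteIp walk. The TCP peer is
    checked first: a header arriving from an untrusted peer is ignored.
    Otherwise hops are read right to left, skipping trusted proxies, and
    the first untrusted hop is the client. If every hop is trusted, the
    peer address itself is returned."""
    if not is_trusted_proxy(remote_addr, networks):
        return remote_addr
    hops = [ip for ip in (_parse_ip(h) for h in x_forwarded_for.split(","))
            if ip is not None]
    for hop in reversed(hops):
        if not any(hop in net for net in networks):
            return str(hop)
    return remote_addr


NETS = parse_trusted_proxies(TRUSTED_PROXY_IP)
```

Through the tunnel the peer is 127.0.0.1 and Cloudflare appends the real client to X-Forwarded-For, so a value the client injected at the front of the header is never reached; a request that bypasses the tunnel from an untrusted peer keeps the peer address no matter what the header says.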

Cloudflare Tunnel Setup

We will need to set up an SSL cert from Cloudflare on our Mastodon server:

  • Go to Cloudflare > SSL/TLS > Overview > Configure and set Custom SSL/TLS to Full (Strict)
  • Go to Cloudflare > SSL/TLS > Origin Server
  • Click Create Certificate
  • Combine the public and private keys into a fullchain.pem file
  • Put the private key in a privkey.pem file
  • Put those 2 files onto your web server and point to them from your nginx configuration file.
    • ssl_certificate should point to fullchain.pem
    • ssl_certificate_key should point to privkey.pem
    • Restart nginx with sudo systemctl restart nginx and make sure it’s working; if you get an error, run sudo nginx -t to read it.

Now we need a tunnel. Note: your domain’s DNS must be managed by Cloudflare.

  • Go to Cloudflare > Zero Trust > Networking > Tunnels (if this is your first time, you’ll be prompted to put in a credit card. It’s free, for now, but you still need a credit card.)
  • Create a tunnel, call it mastodon
  • Add your hostname (this is where you want your mastodon server to point to)
  • Service will be https pointed to localhost:443
  • Follow the steps in the Overview to install the tunnel on your web server
  • You should see a “healthy” status next to your tunnel

Now that the tunnel is up:

  • Click on the tunnel and click Edit
  • Go to Published application routes
  • Use the same hostname, but this time point the service to http and localhost:80
  • Edit the localhost:443 service, go down to Additional application settings
  • Click TLS > and add the Origin Server Name to match the Origin Server SSL certificate you set up earlier.

Optional, if you need SSH access to your server:

  • Add another Published application route as a different hostname like mastodonssh
  • For service, add SSH as the service pointed to localhost:22
  • To access it from your client PC, you’ll have to install cloudflared from their documentation
  • On your client PC, add this to ~/.ssh/config
Host mastodonssh.example.com
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h

And that’s it: you should now be able to navigate to the hostname you set up above, and it should load your Mastodon server with a valid SSL certificate. You should be good to go.
