Home » Blog

Hosting Mastodon identities at your own domain

 · Max Jonas Werner

(Photo by Ashim D’Silva on Unsplash)

Discuss this post

EDIT January 11, 2022: In previous versions of this article I advertised the try_files directive which made the solution vulnerable to path traversal attacks. Using the return directive and sending a 301 redirect fixed this. Thanks to Penple for making me aware of this vulnerability.

With Mastodon being all the rage right now and people massively moving over, new opportunities arise. One of these is that Mastodon allows you to take ownership of your identity using the WebFinger protocol. This way you can have an identitiy like me@example.org without actually having to host your own Mastodon server (or instance in Mastodon lingo).

Maarten Balliauw has already posted on how to achieve this but with a little caveat:

“this approach works much like a catch-all e-mail address. @anything@yourdomain.com will match, unless you add a bit more scripting to only show a result for resources you want to be discoverable.”

I went ahead and solved this by tweaking the nginx configuration of one of my servers slightly (caveat here is you need access to the web server’s configuration):

server {
    listen 80;

    location = /.well-known/webfinger {
        absolute_redirect off;
        return 301 $uri/$arg_resource;
    }

A WebFinger requests URL looks similar to this: https://home.e13.dev/.well-known/webfinger?resource=acct:makkes@home.e13.dev. Now whenever a request comes in at that URL nginx sends an HTTP 301 redirect pointing to /.well-known/webfinger/acct:makkes@home.e13.dev which in turn returns the contents of the requested file (if it exists). So the only thing to do is to create that file with the WebFinger details in it and store it at that location in nginx’s web root.

This mitigates the “catch-all” limitation and only serves the identity or identities you want it to.