I wonder what are suitable methods to protect a Lemmy instance against DDOS attacks.

For example, can we use Cloudflare? Or it could break the federation?

Any ideas/suggestions?


Unless your VPS host has good DDOS protection, there really isn’t a good answer. Cloudflare should never be considered as they are a man in the middle, who gets every web form post ( think username and passwords ), unencrypted.


Passwords should never go unencrypted, shouldn’t they? For example, my mail password doesn’t travel unencrypted using using tls, etc. Nor my passwords travelling using https, do they?

So, are Lemmy passwords traveling unencrypted??

Arthur Besse

When a website uses cloudlfare, TLS encrypts the connection (including passwords, etc) from your web browser to cloudflare - not from your browser all the way to the actual site you’re logging in to. (Then, if the request can’t be satisfied by cloudflare’s cache, there is another TLS connection from cloudflare to the “origin server”.)

In either case, Cloudflare sees everything sent to hostnames hosted by them.

Some sites might have your password sent to a different hostname that isn’t hosted by cloudflare, in which case they wouldn’t see your password, but, they would typically still see the resulting session cookie which allows someone to log in as you.

Cloudflare is like any other machine-in-the-middle attack except instead of being something everyone knows they should avoid, it somehow is a service that some people actually pay for (perhaps because they like to imagine that their website might one day be so popular that their VPS would insufficient to serve it).

In case you actually do need a CDN (and I’d guess 99.9% of cloudflare sites don’t), the correct way to do it is to use the CDN only for static content like images and video. Ideally the CDN shouldn’t need (or have) any cookies, and, if you don’t want to give the CDN (or malicious parties acting under their authority) the ability to hijack your users accounts, then you shouldn’t rely on them for hosting javascript either.


Websites usually use transport encryption but the password itself isn’t encrypted. There are authentication schemes that won’t send plaintext passwords (by involving some kind of challenge) but they won’t work without javascript (except http digest access authentication but thats no good) and you shouldn’t ask web-developers to implement them since they will find a way to fuck it up.

Lemmy Administration

    Anything about running your own Lemmy instance. Including how to install it, maintain and customise it.

    Be sure to check out the docs: https://dev.lemmy.ml/docs/administration.html

    If you have any problems, describe them here and we will try to help you fixing them.

    • 0 users online
    • 1 user / day
    • 1 user / week
    • 1 user / month
    • 1 user / 6 months
    • 1 subscriber
    • 8 Posts
    • Modlog