Completely private instance


I am interested in running various Mastodon instances but for my use cases they would need to keep the content completely hidden i.e. unauthenticated users could not access content in any way.

I have tried:

  1. Closed registration
  2. Public timeline disabled
  3. Posting as Unlisted

I know this would make some thing less valuable e.g. federation but having a simple discussion site for a family or a discussion site for a team/group would be extremely valuable.

Thoughts or suggestions?




Mastodon can be run in a firewalled mode, but we do not support it, since it runs counter to the principles of decentralization. The best way would be to block access at the nginx level (for example, using something like HTTP basic to authenticate access to mastodon itself) or at the application_controller level (using a custom before_action that requires authentication)


Thank you for the response. Seems like something I need to request as a new feature or similar. Fundamentally I think it aligns with decentralization i.e. everyone can decide how they want their network to run (internally, externally, public, some hybrid). Seems like a nice extension of web sites really.

Or maybe I need to brush up my coding and hosting skills :slight_smile:



I’m interested in this as well, having just set up an instance for my family so we can finally ditch facebook.
It’s been a while since I’ve done ruby coding, so I really don’t know where to start anymore.

I’ve disabled public timeline and registrations, but people could still access the toots by URL or user timelines by some.fqdn/@username and I really want to prevent that without preventing logged in users from using the website or clients.


I have now implemented this in two steps:
Step 1a: Block access to all URLs starting with /@ on the webserver level
Step 1a: Block access to all URLs starting with /.well-known on the webserver level
Step 2: Edit app/models/domain_block.rb like this:

def self.blocked?(domain)
if domain != “my.mastodons.domain” then
if !(where(domain: domain, severity: :suspend).exists?) then
self.create(domain: domain, severity: :suspend)
where(domain: domain, severity: :suspend).exists?

That essentially blocks every domain that’s not mine as well as access to profiles and toots on the webinterface.
Scrap that, #2 doesn’t work as intended.

This isn’t perfect yet, but at least it prevents others from finding and following you a bit.