Completely private instance

I am interested in running various Mastodon instances but for my use cases they would need to keep the content completely hidden i.e. unauthenticated users could not access content in any way.

I have tried:

  1. Closed registration
  2. Public timeline disabled
  3. Posting as Unlisted

I know this would make some thing less valuable e.g. federation but having a simple discussion site for a family or a discussion site for a team/group would be extremely valuable.

Thoughts or suggestions?




Mastodon can be run in a firewalled mode, but we do not support it, since it runs counter to the principles of decentralization. The best way would be to block access at the nginx level (for example, using something like HTTP basic to authenticate access to mastodon itself) or at the application_controller level (using a custom before_action that requires authentication)

Thank you for the response. Seems like something I need to request as a new feature or similar. Fundamentally I think it aligns with decentralization i.e. everyone can decide how they want their network to run (internally, externally, public, some hybrid). Seems like a nice extension of web sites really.

Or maybe I need to brush up my coding and hosting skills :slight_smile:

1 Like


I’m interested in this as well, having just set up an instance for my family so we can finally ditch facebook.
It’s been a while since I’ve done ruby coding, so I really don’t know where to start anymore.

I’ve disabled public timeline and registrations, but people could still access the toots by URL or user timelines by some.fqdn/@username and I really want to prevent that without preventing logged in users from using the website or clients.


I have now implemented this in two steps:
Step 1a: Block access to all URLs starting with /@ on the webserver level
Step 1a: Block access to all URLs starting with /.well-known on the webserver level
Step 2: Edit app/models/domain_block.rblike this:

  def self.blocked?(domain)
    if domain != "my.mastodons.domain" then
      if !(where(domain: domain, severity: :suspend).exists?) then
        self.create(domain: domain, severity: :suspend)
    where(domain: domain, severity: :suspend).exists?

That essentially blocks every domain that’s not mine as well as access to profiles and toots on the webinterface.
Scrap that, #2 doesn’t work as intended.

This isn’t perfect yet, but at least it prevents others from finding and following you a bit.

Have you found a way to make Mastodon instance private?
I am also interested in doing so.

Sadly no. This is my biggest feature request so far.

1 Like

Why dont you look for another project? There is humhub, its great and kind of similar to facebook .


I am now moving my project to use Matrix Synapse.

That is an instant messenger not social network.

Thanks! HumHub rocks!

1 Like

I agree that it seems like it should be possible to host a private instance, or at the very least, make it so you can have a private account. That lines up quite well with decentralization (lots of cryptocurrencies pride themselves on being both wholly decentralized and wholly private–the two are definitely not incompatible).

Yeah its good for private usage, its hybrid network some features from Facebook some are from twitter. There friendship system is kind of broken means doesn’t have privacy option everything is just public.They said they are fixing it.

I want this too. I’m not entirely sure if this new Whitelist Mode feature in v3 will actually deliver this - Whitelist mode · Issue #11237 · tootsuite/mastodon · GitHub. Looks pretty close, and I guess we will find out very soon when v3 is released.

My usecase is for a family instance where we are not interested in federation, only want private ability to share posts and pics among a small number of users.


We recently wanted to do this with out server and modulo anything we missed I think the process is reasonably simple. Here is the diff. We run v3.1.3.

diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
index 124393d62..bd950c3af 100644
--- a/app/controllers/accounts_controller.rb
+++ b/app/controllers/accounts_controller.rb
@@ -6,6 +6,7 @@ class AccountsController < ApplicationController
   include AccountControllerConcern
   include SignatureAuthentication
+  before_action :authenticate_user!
   before_action :set_cache_headers
   before_action :set_body_classes
diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb
index 4fa128303..a69fe851d 100644
--- a/app/controllers/statuses_controller.rb
+++ b/app/controllers/statuses_controller.rb
@@ -9,6 +9,7 @@ class StatusesController < ApplicationController
   layout 'public'
   before_action :require_signature!, only: :show, if: -> { request.format == :json && authorized_fetch_mode? }
+  before_action :authenticate_user!
   before_action :set_status
   before_action :set_instance_presenter
   before_action :set_link_headers