jort.link ๐Ÿ‘–๐Ÿ”—


jort.link is a URL redirector hosted by Jortage, to solve an issue in the Fediverse where a poor design decision in Mastodon (carried over to Pleroma and Akkoma) means simply linking something on the Fediverse will cause that URL to receive hundreds of requests over a short period. This is enough to take small servers or expensive endpoints offline. This has been documented multiple times — here's a list of the ones I know of in no particular order:

Using jort.link is simple — just prefix the domain of a URL with jort.link/. For example, https://jortage.com turns into https://jort.link/jortage.com. Requests to this URL will permanent-redirect to the given link. However, if the requester is any known fediverse software, instead a cached copy of the page will be served by us — absorbing the unnecessary load. Such cached pages include a canonical Link header, and the outgoing request has a user agent of Mozilla/5.0 (jort.link shield; +https://jort.link). A best-effort attempt is made to rewrite card metadata to also go through jort.link, but this is not foolproof.

You can also use x.jort.link (eXclude) instead of jort.link to return a blank page to fedi servers, without touching the original URL at all. This is useful if you know there's no preview card or rel="me" data at the URL that is being looked for, and the link is only useful for actual users to click on.

If you need an insecure HTTP URL instead of HTTPS, use h.jort.link. This can be combined with the above x subdomain as hx.jort.link.


Caveats & notes

Using jort.link to "guard" big sites like Twitter, GitHub, et al is the opposite of helpful. Those sites more than have enough brunt to take on the load of a fedi request flood. jort.link is to protect small websites from this design flaw, and by using it to "guard" big sites you only impose load onto jort.link for no reason. If you do this anyway, the caching layer will not engage and jort.link will only perform redirects.

Using this service requires you to trust the Jortage project. A lack of trust is the source of the original Mastodon design flaw, and is the reason it's excused as non-optional and is not (and likely never will be) fixed. jort.link allows you to assign a trusted party to cache the link preview for you.

URL shortening is not and will not be provided. URL shortening obscures the destination of a link, and causes major issues if the host goes down or expires old tokens. Besides, fedi software (the intended place to use this service) all impose a fixed character penalty for all URLs, regardless of how long they are.

All logging for this service is anonymised. Target URLs may be monitored for abuse, but IPs are not collected and no cookies are set.

Responses larger than 8M will not be cached. This is to keep our own costs and load under control.

HTML pages will be rewritten. Inline images, inline SVGs, inline CSS, and some other things will get stripped outright. The content attribute on any meta elements will be rewritten to go through jort.link. This will be signalled by a response code of 203 Non-Authoritative Content, as in the HTTP standard.

This service is run as a best-effort and is provided AS-IS with no warranties or guarantees. I'm one sysadmin involved in the fediverse, not a global ops team.


On the other side

If you host a site that's getting hammered by Mastodon, then you can redirect to jort.link when you see fedi software UAs, rather than blocking them outright as many have taken to doing — this is only slightly more expensive than outright blocking requests, as the user agent match is the hard part. For example, you can do this with nginx:

if ($http_user_agent ~ "^(http\.rb/\S+\s\(Mastodon|Pleroma\s|Akkoma\s|Misskey/|gotosocial)") {
	return 307 https://fedi.jort.link/$http_host$request_uri;
}

Or, the equivalent with Apache:

BrowserMatch "^(http\.rb/\S+\s\(Mastodon|Pleroma\s|Akkoma\s|Misskey/|gotosocial)" fediverse_instance

#<LocationMatch ^/whatever>
<If "reqenv('fediverse_instance')">
  Redirect 307 "https://fedi.jort.link/%{HTTP_HOST}%{REQUEST_URI}"
</If>
#</LocationMatch>

We're happy to take on your request load on behalf of the fediverse to keep link previews and the like working. If you don't have any link previews or anything, then you can of course just block fedi software.


But how does it work!?

The software powering jort.link is open source under the AGPLv3, available at github.com/jortage/jort.link. Previously, it was a hack composed of nginx, dnsmasq, and bunny.net edge rules stapled together, but now it's a self-contained Java program.


jort.link - Copyright © 2022-2023 Una Thompson (unascribed)